moj-simple-jwt-auth 0.0.1 → 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bf8744635db729d18bf593eba9663a9ac97aec840d32979b5479c648cedadae3
|
|
4
|
+
data.tar.gz: 30179bd0b458b5d6d7fe549cae2011a411dfbe7817a8eca3f0ec75af4a65a39a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 815cdff869c192660599ca3df0e96fb2703ce5e2d23acf8d7ea3c36e1dd912383a1222da1e7bb7c782861f0bea71e7c4da8fdf5197b0ef9ecba60016633f1f3f
|
|
7
|
+
data.tar.gz: df82ee40efefc2d8a50aff0b632bc9330f8c2f6d6f3d353a4bdee7826beca8c7caaec96b1b24930b70b1eb32986fd661b6306b26d666aceb8be543594b52c6ff
|
data/README.md
CHANGED
|
@@ -36,6 +36,37 @@ For the **producer** side (the API service for instance) you will need to config
|
|
|
36
36
|
|
|
37
37
|
There are several options you can configure, like expiration, leeway, logging, and more. Please refer to the [Configuration class](lib/simple_jwt_auth/configuration.rb) for more details.
|
|
38
38
|
|
|
39
|
+
### Example of token
|
|
40
|
+
|
|
41
|
+
This is a valid format token (might become invalid due to expiration at some point):
|
|
42
|
+
|
|
43
|
+
`eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2ODI1OTMwMzAsImV4cCI6MTY5ODQwNDU1NSwiaXNzIjoiY3JpbWUtYXBwbHkifQ.x2UE5VnwN5mf8elByPBnjiNChvsySqDjiLht6eN3ZPY`
|
|
44
|
+
|
|
45
|
+
It has 3 parts, separated by dots, base64-encoded:
|
|
46
|
+
|
|
47
|
+
1. Header (`eyJhbGciOiJIUzI1NiJ9`), containing the algorithm used. No other details are needed.
|
|
48
|
+
```json
|
|
49
|
+
{
|
|
50
|
+
"alg": "HS256"
|
|
51
|
+
}
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
2. Payload (`eyJpYXQiOjE2ODI1OTMwMzAsImV4cCI6MTY5ODQwNDU1NSwiaXNzIjoiY3JpbWUtYXBwbHkifQ`), with some mandatory details.
|
|
55
|
+
```json
|
|
56
|
+
{
|
|
57
|
+
"iat": 1682593030,
|
|
58
|
+
"exp": 1698404555,
|
|
59
|
+
"iss": "crime-apply"
|
|
60
|
+
}
|
|
61
|
+
```
|
|
62
|
+
*iat* is the issued at seconds since epoch, *exp* is the expire at seconds since epoch, and finally *iss* is the issuer identifier or the name of the consumer to whom this token belongs.
|
|
63
|
+
|
|
64
|
+
3. Signature (`x2UE5VnwN5mf8elByPBnjiNChvsySqDjiLht6eN3ZPY`)
|
|
65
|
+
|
|
66
|
+
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
|
|
67
|
+
|
|
68
|
+
The token must be included in each request, in an Authorization header (bearer).
|
|
69
|
+
|
|
39
70
|
## Development
|
|
40
71
|
|
|
41
72
|
After checking out the repo, run `bin/setup` to install dependencies. Then, run `bundle exec rake` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
|
@@ -2,7 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
module SimpleJwtAuth
|
|
4
4
|
module Errors
|
|
5
|
-
class
|
|
6
|
-
class
|
|
5
|
+
class Forbidden < StandardError; end
|
|
6
|
+
class IssuerError < StandardError; end
|
|
7
|
+
|
|
8
|
+
class UndefinedIssuer < IssuerError; end
|
|
9
|
+
class UnknownIssuer < IssuerError; end
|
|
7
10
|
end
|
|
8
11
|
end
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module SimpleJwtAuth
|
|
4
|
+
module Middleware
|
|
5
|
+
module Grape
|
|
6
|
+
class Authorisation < ::Grape::Middleware::Base
|
|
7
|
+
def before
|
|
8
|
+
return if test_env? || consumer_authorised?
|
|
9
|
+
|
|
10
|
+
raise SimpleJwtAuth::Errors::Forbidden,
|
|
11
|
+
"access to endpoint forbidden for issuer `#{current_issuer}`"
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
private
|
|
15
|
+
|
|
16
|
+
def test_env?
|
|
17
|
+
env['rack.test'] == true
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def consumer_authorised?
|
|
21
|
+
route_authorised_consumers.include?(current_issuer) ||
|
|
22
|
+
route_authorised_consumers.include?('*')
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def route_authorised_consumers
|
|
26
|
+
context.route.settings.fetch(:authorised_consumers, [])
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def current_issuer
|
|
30
|
+
env.fetch(Jwt::ENV_PAYLOAD_KEY, {})['iss']
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
@@ -7,6 +7,7 @@ module SimpleJwtAuth
|
|
|
7
7
|
ENV_AUTH_KEY = 'HTTP_AUTHORIZATION'
|
|
8
8
|
ENV_PAYLOAD_KEY = 'grape_jwt.payload'
|
|
9
9
|
|
|
10
|
+
# rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
|
10
11
|
def call(env)
|
|
11
12
|
return app.call(env) if test_env?(env)
|
|
12
13
|
|
|
@@ -19,12 +20,18 @@ module SimpleJwtAuth
|
|
|
19
20
|
logger.debug "Authorized request, JWT payload: #{payload}"
|
|
20
21
|
|
|
21
22
|
app.call(env)
|
|
23
|
+
rescue SimpleJwtAuth::Errors::Forbidden => e
|
|
24
|
+
logger.warn "JWT issuer forbidden: #{e.message}"
|
|
25
|
+
rack_response(403, e.message)
|
|
26
|
+
rescue SimpleJwtAuth::Errors::IssuerError => e
|
|
27
|
+
logger.warn "JWT issuer error: #{e.message}"
|
|
28
|
+
rack_response(400, e.message)
|
|
22
29
|
rescue JWT::DecodeError => e
|
|
23
30
|
logger.warn "Unauthorized request, JWT error: #{e.message}"
|
|
24
|
-
|
|
25
|
-
[401, { 'Content-Type' => 'application/json' }, [{ status: 401, error: e.message }.to_json]]
|
|
31
|
+
rack_response(401, e.message)
|
|
26
32
|
end
|
|
27
33
|
end
|
|
34
|
+
# rubocop:enable Metrics/AbcSize, Metrics/MethodLength
|
|
28
35
|
|
|
29
36
|
private
|
|
30
37
|
|
|
@@ -32,6 +39,10 @@ module SimpleJwtAuth
|
|
|
32
39
|
env['rack.test'] == true
|
|
33
40
|
end
|
|
34
41
|
|
|
42
|
+
def rack_response(http_code, error_msg)
|
|
43
|
+
[http_code, { 'Content-Type' => 'application/json' }, [{ error: error_msg }.to_json]]
|
|
44
|
+
end
|
|
45
|
+
|
|
35
46
|
def logger
|
|
36
47
|
SimpleJwtAuth.configuration.logger
|
|
37
48
|
end
|
data/lib/simple_jwt_auth.rb
CHANGED
|
@@ -17,6 +17,7 @@ require_relative 'simple_jwt_auth/decode'
|
|
|
17
17
|
# Middleware helpers
|
|
18
18
|
require_relative 'simple_jwt_auth/middleware/faraday/jwt' if defined?(Faraday)
|
|
19
19
|
require_relative 'simple_jwt_auth/middleware/grape/jwt' if defined?(Grape)
|
|
20
|
+
require_relative 'simple_jwt_auth/middleware/grape/authorisation' if defined?(Grape)
|
|
20
21
|
|
|
21
22
|
module SimpleJwtAuth
|
|
22
23
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: moj-simple-jwt-auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0
|
|
4
|
+
version: 0.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jesus Laiz
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-04-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: json
|
|
@@ -62,6 +62,7 @@ files:
|
|
|
62
62
|
- lib/simple_jwt_auth/encode.rb
|
|
63
63
|
- lib/simple_jwt_auth/errors.rb
|
|
64
64
|
- lib/simple_jwt_auth/middleware/faraday/jwt.rb
|
|
65
|
+
- lib/simple_jwt_auth/middleware/grape/authorisation.rb
|
|
65
66
|
- lib/simple_jwt_auth/middleware/grape/jwt.rb
|
|
66
67
|
- lib/simple_jwt_auth/secrets.rb
|
|
67
68
|
- lib/simple_jwt_auth/traits/configurable.rb
|