moj-simple-jwt-auth 0.0.1 → 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bf8744635db729d18bf593eba9663a9ac97aec840d32979b5479c648cedadae3
|
|
4
|
+
data.tar.gz: 30179bd0b458b5d6d7fe549cae2011a411dfbe7817a8eca3f0ec75af4a65a39a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 815cdff869c192660599ca3df0e96fb2703ce5e2d23acf8d7ea3c36e1dd912383a1222da1e7bb7c782861f0bea71e7c4da8fdf5197b0ef9ecba60016633f1f3f
|
|
7
|
+
data.tar.gz: df82ee40efefc2d8a50aff0b632bc9330f8c2f6d6f3d353a4bdee7826beca8c7caaec96b1b24930b70b1eb32986fd661b6306b26d666aceb8be543594b52c6ff
|
data/README.md
CHANGED
|
@@ -36,6 +36,37 @@ For the **producer** side (the API service for instance) you will need to config
|
|
|
36
36
|
|
|
37
37
|
There are several options you can configure, like expiration, leeway, logging, and more. Please refer to the [Configuration class](lib/simple_jwt_auth/configuration.rb) for more details.
|
|
38
38
|
|
|
39
|
+
### Example of token
|
|
40
|
+
|
|
41
|
+
This is a valid format token (might become invalid due to expiration at some point):
|
|
42
|
+
|
|
43
|
+
`eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2ODI1OTMwMzAsImV4cCI6MTY5ODQwNDU1NSwiaXNzIjoiY3JpbWUtYXBwbHkifQ.x2UE5VnwN5mf8elByPBnjiNChvsySqDjiLht6eN3ZPY`
|
|
44
|
+
|
|
45
|
+
It has 3 parts, separated by dots, base64-encoded:
|
|
46
|
+
|
|
47
|
+
1. Header (`eyJhbGciOiJIUzI1NiJ9`), containing the algorithm used. No other details are needed.
|
|
48
|
+
```json
|
|
49
|
+
{
|
|
50
|
+
"alg": "HS256"
|
|
51
|
+
}
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
2. Payload (`eyJpYXQiOjE2ODI1OTMwMzAsImV4cCI6MTY5ODQwNDU1NSwiaXNzIjoiY3JpbWUtYXBwbHkifQ`), with some mandatory details.
|
|
55
|
+
```json
|
|
56
|
+
{
|
|
57
|
+
"iat": 1682593030,
|
|
58
|
+
"exp": 1698404555,
|
|
59
|
+
"iss": "crime-apply"
|
|
60
|
+
}
|
|
61
|
+
```
|
|
62
|
+
*iat* is the issued at seconds since epoch, *exp* is the expire at seconds since epoch, and finally *iss* is the issuer identifier or the name of the consumer to whom this token belongs.
|
|
63
|
+
|
|
64
|
+
3. Signature (`x2UE5VnwN5mf8elByPBnjiNChvsySqDjiLht6eN3ZPY`)
|
|
65
|
+
|
|
66
|
+
To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
|
|
67
|
+
|
|
68
|
+
The token must be included in each request, in an Authorization header (bearer).
|
|
69
|
+
|
|
39
70
|
## Development
|
|
40
71
|
|
|
41
72
|
After checking out the repo, run `bin/setup` to install dependencies. Then, run `bundle exec rake` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
|
|
@@ -2,7 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
module SimpleJwtAuth
|
|
4
4
|
module Errors
|
|
5
|
-
class
|
|
6
|
-
class
|
|
5
|
+
class Forbidden < StandardError; end
|
|
6
|
+
class IssuerError < StandardError; end
|
|
7
|
+
|
|
8
|
+
class UndefinedIssuer < IssuerError; end
|
|
9
|
+
class UnknownIssuer < IssuerError; end
|
|
7
10
|
end
|
|
8
11
|
end
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module SimpleJwtAuth
|
|
4
|
+
module Middleware
|
|
5
|
+
module Grape
|
|
6
|
+
class Authorisation < ::Grape::Middleware::Base
|
|
7
|
+
def before
|
|
8
|
+
return if test_env? || consumer_authorised?
|
|
9
|
+
|
|
10
|
+
raise SimpleJwtAuth::Errors::Forbidden,
|
|
11
|
+
"access to endpoint forbidden for issuer `#{current_issuer}`"
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
private
|
|
15
|
+
|
|
16
|
+
def test_env?
|
|
17
|
+
env['rack.test'] == true
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def consumer_authorised?
|
|
21
|
+
route_authorised_consumers.include?(current_issuer) ||
|
|
22
|
+
route_authorised_consumers.include?('*')
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
def route_authorised_consumers
|
|
26
|
+
context.route.settings.fetch(:authorised_consumers, [])
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def current_issuer
|
|
30
|
+
env.fetch(Jwt::ENV_PAYLOAD_KEY, {})['iss']
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
@@ -7,6 +7,7 @@ module SimpleJwtAuth
|
|
|
7
7
|
ENV_AUTH_KEY = 'HTTP_AUTHORIZATION'
|
|
8
8
|
ENV_PAYLOAD_KEY = 'grape_jwt.payload'
|
|
9
9
|
|
|
10
|
+
# rubocop:disable Metrics/AbcSize, Metrics/MethodLength
|
|
10
11
|
def call(env)
|
|
11
12
|
return app.call(env) if test_env?(env)
|
|
12
13
|
|
|
@@ -19,12 +20,18 @@ module SimpleJwtAuth
|
|
|
19
20
|
logger.debug "Authorized request, JWT payload: #{payload}"
|
|
20
21
|
|
|
21
22
|
app.call(env)
|
|
23
|
+
rescue SimpleJwtAuth::Errors::Forbidden => e
|
|
24
|
+
logger.warn "JWT issuer forbidden: #{e.message}"
|
|
25
|
+
rack_response(403, e.message)
|
|
26
|
+
rescue SimpleJwtAuth::Errors::IssuerError => e
|
|
27
|
+
logger.warn "JWT issuer error: #{e.message}"
|
|
28
|
+
rack_response(400, e.message)
|
|
22
29
|
rescue JWT::DecodeError => e
|
|
23
30
|
logger.warn "Unauthorized request, JWT error: #{e.message}"
|
|
24
|
-
|
|
25
|
-
[401, { 'Content-Type' => 'application/json' }, [{ status: 401, error: e.message }.to_json]]
|
|
31
|
+
rack_response(401, e.message)
|
|
26
32
|
end
|
|
27
33
|
end
|
|
34
|
+
# rubocop:enable Metrics/AbcSize, Metrics/MethodLength
|
|
28
35
|
|
|
29
36
|
private
|
|
30
37
|
|
|
@@ -32,6 +39,10 @@ module SimpleJwtAuth
|
|
|
32
39
|
env['rack.test'] == true
|
|
33
40
|
end
|
|
34
41
|
|
|
42
|
+
def rack_response(http_code, error_msg)
|
|
43
|
+
[http_code, { 'Content-Type' => 'application/json' }, [{ error: error_msg }.to_json]]
|
|
44
|
+
end
|
|
45
|
+
|
|
35
46
|
def logger
|
|
36
47
|
SimpleJwtAuth.configuration.logger
|
|
37
48
|
end
|
data/lib/simple_jwt_auth.rb
CHANGED
|
@@ -17,6 +17,7 @@ require_relative 'simple_jwt_auth/decode'
|
|
|
17
17
|
# Middleware helpers
|
|
18
18
|
require_relative 'simple_jwt_auth/middleware/faraday/jwt' if defined?(Faraday)
|
|
19
19
|
require_relative 'simple_jwt_auth/middleware/grape/jwt' if defined?(Grape)
|
|
20
|
+
require_relative 'simple_jwt_auth/middleware/grape/authorisation' if defined?(Grape)
|
|
20
21
|
|
|
21
22
|
module SimpleJwtAuth
|
|
22
23
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: moj-simple-jwt-auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0
|
|
4
|
+
version: 0.1.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jesus Laiz
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-04-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: json
|
|
@@ -62,6 +62,7 @@ files:
|
|
|
62
62
|
- lib/simple_jwt_auth/encode.rb
|
|
63
63
|
- lib/simple_jwt_auth/errors.rb
|
|
64
64
|
- lib/simple_jwt_auth/middleware/faraday/jwt.rb
|
|
65
|
+
- lib/simple_jwt_auth/middleware/grape/authorisation.rb
|
|
65
66
|
- lib/simple_jwt_auth/middleware/grape/jwt.rb
|
|
66
67
|
- lib/simple_jwt_auth/secrets.rb
|
|
67
68
|
- lib/simple_jwt_auth/traits/configurable.rb
|