nulogy_sso 2.6.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 810c9823ed0e49c273e814699a784e5280d4a52e48c4ccd82dd424cf38ad8912
-  data.tar.gz: c911aaac0f3755c392214ac800210fe65f60841f37a8b13cc9c851206f572fff
+  metadata.gz: 65c090bfda1540bd6e0462e5799cd1214e0c8cdc62d76065870c0d621fef29b9
+  data.tar.gz: 421729a511e2e15ea2755da6aceb9c704a4eadcdbf14e56b4b500f12b5f1d4f8
 SHA512:
-  metadata.gz: e75ece84b7f7b661467c2dd697f8a80ad51efc81f55272c854d8bb934694fe85dc3da3de45d8b7e02dfca0111820af456b907f9eb0409df2da131b080caa6f43
-  data.tar.gz: 44ad58428c6962ff6378e34ea3dc1179427dbd4cb77ce761288624dc5385a7fad1553c25327411619cca9f1d3f68b27b0aa9bee8525635065b67f1a193e0bd00
+  metadata.gz: 9db89629c700a273ab58e966a6043d1b828eb7eff1d26ce2b4a4d66d97b88d9ff1832309eb6a0c5496f2794cf6284b8add09925362384cd8d1e185a38ec9bd96
+  data.tar.gz: c829baf9974ec356a75933bf99e4cc544443188d15cdfe1460c834ce5c1023b63b32141d5d558fd11fc164e59ca897b142c624b77a681f41da9650cbf92cb80b

data/Rakefile

@@ -16,9 +16,6 @@ end
 
 APP_RAKEFILE = File.expand_path("spec/dummy/Rakefile", __dir__)
 load "rails/tasks/engine.rake"
-
-load "rails/tasks/statistics.rake"
-
 require "bundler/gem_tasks"
 
 require 'rspec/core/rake_task'

data/app/controllers/nulogy_sso/authentication_controller.rb

@@ -20,7 +20,7 @@ module NulogySSO
 
       authenticator.validate_token(
         raw_access_token,
-        on_success: method(:on_authentication_success),
+        on_success: ->(_decoded_token) { on_authentication_success(raw_access_token) },
         on_invalid_token: ->(_e) { redirect_to auth0_authorize_path, allow_other_host: true }
       )
     end
@@ -35,7 +35,7 @@ module NulogySSO
 
       authenticator.validate_token(
         raw_access_token,
-        on_success: method(:on_authentication_success),
+        on_success: ->(_decoded_token) { on_authentication_success(raw_access_token) },
         on_invalid_token: ->(e) { sso_error(e) }
       )
     end
@@ -66,8 +66,8 @@ module NulogySSO
       @token_store ||= CookieTokenStore.new(request, response)
     end
 
-    def on_authentication_success(access_token)
-      token_store.store!(access_token)
+    def on_authentication_success(raw_access_token)
+      token_store.store!(raw_access_token)
 
       redirect_to(params["origin"].presence || sso_config.redirect_uri, allow_other_host: true)
     end

data/app/services/nulogy_sso/authenticator.rb

@@ -1,10 +1,54 @@
 # frozen_string_literal: true
 
-require "auth0_rs256_jwt_verifier"
+require "jwt"
+require "net/http"
+require "json"
 
 module NulogySSO
   class Authenticator
-    ACCESS_TOKEN_VERIFIER = Auth0RS256JWTVerifier.new(
+    # Verifier class that uses ruby-jwt for JWT verification with JWKS support
+    class JWTVerifier
+      VerificationResult = Struct.new(:valid?, :payload) do
+        alias_method :valid?, :valid?
+      end
+
+      def initialize(issuer:, audience:, jwks_url:)
+        @issuer = issuer
+        @audience = audience
+        @jwks_url = jwks_url
+      end
+
+      def verify(token)
+        begin
+          jwks = fetch_jwks
+          payload, = JWT.decode(
+            token,
+            nil,
+            true,
+            {
+              jwks: jwks,
+              algorithms: ["RS256"],
+              iss: @issuer,
+              verify_iss: true,
+              aud: @audience,
+              verify_aud: true
+            }
+          )
+          VerificationResult.new(true, payload)
+        rescue JWT::DecodeError, JWT::InvalidIssuerError, JWT::InvalidAudienceError, JWT::ExpiredSignature, JWT::JWKError
+          VerificationResult.new(false, nil)
+        end
+      end
+
+      private
+
+      def fetch_jwks
+        jwks_hash = JSON.parse(Net::HTTP.get(URI(@jwks_url)))
+        JWT::JWK::Set.new(jwks_hash)
+      end
+    end
+
+    ACCESS_TOKEN_VERIFIER = JWTVerifier.new(
       issuer: "#{NulogySSO.sso_config.base_uri}/", # Auth0 requires a backslash on the Issuer
       audience: NulogySSO.sso_config.audience,
       jwks_url: "#{NulogySSO.sso_config.base_uri}/.well-known/jwks.json"
@@ -47,11 +91,12 @@ module NulogySSO
     attr_reader :verifier, :find_user_by_email
 
     def decoded_validated_access_token(raw_access_token)
-      if raw_access_token.present? && verifier.verify(raw_access_token).valid?
-        return JSON::JWT.decode(raw_access_token, :skip_verification)
-      end
+      return nil unless raw_access_token.present?
+
+      verification_result = verifier.verify(raw_access_token)
+      return nil unless verification_result.valid?
 
-      nil
+      verification_result.payload
     end
 
     def fetch_user(access_token)

data/lib/nulogy_sso/test_utilities/auth0_mock.rb

@@ -9,8 +9,8 @@ module NulogySSO
     class Auth0Mock
       def initialize(
         engine_path: "/nulogy_sso",
-        mockserver_host: ENV.fetch("NULOGY_SSO_MOCKSERVER_HOST"),
-        mockserver_port: ENV.fetch("NULOGY_SSO_MOCKSERVER_PORT")
+        mockserver_host: ENV.fetch("NULOGY_SSO_MOCKSERVER_HOST", "localhost"),
+        mockserver_port: ENV.fetch("NULOGY_SSO_MOCKSERVER_PORT", "1080").to_i
       )
         @jwt_test_helper = NulogySSO::TestUtilities::JwtTestHelper.new
         @engine_path = engine_path

data/lib/nulogy_sso/test_utilities/jwt_test_helper.rb

@@ -1,12 +1,13 @@
 # frozen_string_literal: true
 
-require "json/jwt"
+require "jwt"
+require "base64"
 
 module NulogySSO
   module TestUtilities
 
     # Test utilities that revolve around the JWT (JSON Web Token) protocool.
-    # This class is mostly a helpful wrapper around this gem: https://github.com/nov/json-jwt
+    # This class uses ruby-jwt (https://github.com/jwt/ruby-jwt) for JWT operations
     class JwtTestHelper
       def initialize
         @private_key = OpenSSL::PKey::RSA.new(
@@ -26,26 +27,39 @@ module NulogySSO
           "exp" => (Time.now + 1.day).to_i
         }.merge(overrides)
 
-        jwt = JSON::JWT.new(claim)
-        jwt.header[:kid] = jwk["kid"]
-        jwt = jwt.sign(private_key, :RS256)
-        jwt.to_s
+        # Get the kid from the JWK
+        jwk_hash = jwk.export
+        kid = jwk_hash[:kid] || jwk_hash["kid"]
+
+        JWT.encode(claim, private_key, "RS256", { kid: kid })
       end
 
       def jwk
-        base_jwk_params = public_key.to_jwk.to_h
-        JSON::JWK.new(
-          base_jwk_params.merge(
-            x5t: base_jwk_params["kid"],
+        # Create JWK from public key
+        base_jwk = JWT::JWK.new(public_key)
+        base_jwk_hash = base_jwk.export
+        kid = base_jwk_hash[:kid] || base_jwk_hash["kid"]
+
+        # Create JWK with additional parameters for Auth0 compatibility
+        JWT::JWK.new(
+          public_key,
+          {
+            kid: kid,
             alg: "RS256",
             use: "sig",
+            x5t: kid,
             x5c: [certificate_der]
-          )
+          }
         )
       end
 
       def jwks_json
-        JSON::JWK::Set.new(jwk).to_json
+        # Export the single JWK and wrap it in a keys array for JWKS format
+        jwk_hash = jwk.export
+        # Convert symbol keys to strings for JSON serialization if needed
+        jwk_hash = jwk_hash.transform_keys(&:to_s) if jwk_hash.is_a?(Hash) && jwk_hash.keys.first.is_a?(Symbol)
+
+        { keys: [jwk_hash] }.to_json
       end
 
       private

data/lib/nulogy_sso/version.rb

@@ -1,3 +1,3 @@
 module NulogySSO
-  VERSION = "2.6.0"
+  VERSION = "3.0.0"
 end