prx_auth 1.3.0 → 1.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/prx_auth/version.rb +1 -1
- data/lib/rack/prx_auth.rb +6 -1
- data/test/rack/prx_auth_test.rb +43 -7
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 484555dc0ba3038bdb9f54088103d9804b3698928ddbf0798b908228839922d5
|
4
|
+
data.tar.gz: fdc9960d949845ad438b6c72fb289edae431c4c844236d16d7d3a95ada7e5b38
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 1cb94e1c232b0cac735a152bb436f77171f27eb73da09a1ae72e8de2672a29e6931b352794ece9f90b650475f4598f3f7ccf72f4f600385e033f56d562ae962c
|
7
|
+
data.tar.gz: d5f53932546a43ce99700739c9af7ecb59d5fb6dd78ef579975f80539a382af4009cb3f2658e1d9eade4e414905708ea0966ff63a9f90863cafc971c7b19bdd9
|
data/lib/prx_auth/version.rb
CHANGED
data/lib/rack/prx_auth.rb
CHANGED
@@ -53,7 +53,12 @@ module Rack
|
|
53
53
|
end
|
54
54
|
|
55
55
|
def expired?(claims)
|
56
|
-
Time.now.to_i
|
56
|
+
now = Time.now.to_i - 30 # 30 second clock jitter allowance
|
57
|
+
if claims['iat'] <= claims['exp']
|
58
|
+
now > claims['exp']
|
59
|
+
else
|
60
|
+
now > (claims['iat'] + claims['exp'])
|
61
|
+
end
|
57
62
|
end
|
58
63
|
|
59
64
|
def should_validate_token?(claims)
|
data/test/rack/prx_auth_test.rb
CHANGED
@@ -5,7 +5,9 @@ describe Rack::PrxAuth do
|
|
5
5
|
let(:prxauth) { Rack::PrxAuth.new(app) }
|
6
6
|
let(:fake_token) { 'afawefawefawefawegstgnsrtiohnlijblublwjnvrtoign'}
|
7
7
|
let(:env) { {'HTTP_AUTHORIZATION' => 'Bearer ' + fake_token } }
|
8
|
-
let(:
|
8
|
+
let(:iat) { Time.now.to_i }
|
9
|
+
let(:exp) { 3600 }
|
10
|
+
let(:claims) { {'sub'=>3, 'exp'=>exp, 'iat'=>iat, 'token_type'=>'bearer', 'scope'=>nil, 'iss'=>'id.prx.org'} }
|
9
11
|
|
10
12
|
describe '#call' do
|
11
13
|
it 'does nothing if there is no authorization header' do
|
@@ -59,15 +61,49 @@ describe Rack::PrxAuth do
|
|
59
61
|
end
|
60
62
|
end
|
61
63
|
|
62
|
-
describe '#
|
63
|
-
it 'returns true if token is expired' do
|
64
|
-
claims['iat'] = Time.now.to_i - 4000
|
64
|
+
describe '#expired?' do
|
65
65
|
|
66
|
-
|
66
|
+
def expired?(claims)
|
67
|
+
prxauth.send(:expired?, claims)
|
67
68
|
end
|
68
69
|
|
69
|
-
|
70
|
-
|
70
|
+
describe 'with a malformed exp' do
|
71
|
+
let(:iat) { Time.now.to_i }
|
72
|
+
let(:exp) { 3600 }
|
73
|
+
|
74
|
+
it 'is expired if iat + exp are in the past' do
|
75
|
+
claims['iat'] -= 3631
|
76
|
+
|
77
|
+
assert expired?(claims)
|
78
|
+
end
|
79
|
+
|
80
|
+
it 'is not expired if iat + exp are in the future' do
|
81
|
+
claims['iat'] = Time.now.to_i - 3599
|
82
|
+
|
83
|
+
refute expired?(claims)
|
84
|
+
end
|
85
|
+
|
86
|
+
it 'allows a 30s clock jitter' do
|
87
|
+
claims['iat'] = Time.now.to_i - 3629
|
88
|
+
|
89
|
+
refute expired?(claims)
|
90
|
+
end
|
91
|
+
end
|
92
|
+
|
93
|
+
describe 'with a corrected exp' do
|
94
|
+
let(:iat) { Time.now.to_i - 3600 }
|
95
|
+
let(:exp) { Time.now.to_i + 1 }
|
96
|
+
|
97
|
+
it 'is not expired if exp is in the future' do
|
98
|
+
refute expired?(claims)
|
99
|
+
end
|
100
|
+
|
101
|
+
it 'is expired if exp is in the past (with 30s jitter grace)' do
|
102
|
+
claims['exp'] = Time.now.to_i - 31
|
103
|
+
assert expired?(claims)
|
104
|
+
claims['exp'] = Time.now.to_i - 29
|
105
|
+
refute expired?(claims)
|
106
|
+
end
|
71
107
|
end
|
72
108
|
end
|
73
109
|
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: prx_auth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eve Asher
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2020-08
|
12
|
+
date: 2020-09-08 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: bundler
|