rack-cloudflare-jwt 0.0.6 → 0.0.7

Sign up to get free protection for your applications and to get access to all the features.
Files changed (4) hide show
  1. checksums.yaml +4 -4
  2. data/lib/rack/cloudflare_jwt/auth.rb +40 -17
  3. data/lib/rack/cloudflare_jwt/version.rb +1 -1
  4. metadata +16 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: b02234c4f02891933a6509fafc629a63caa158f3272881a3342965f4da300511
4
- data.tar.gz: 6d6746b102725c8f48818158d99fc631af3a4420ccdb2ef8cb52adbd1dc7319d
3
+ metadata.gz: 7c4ed6badeecd1b367985b571e0c2d308b1ec1f738f228c1d818ea1d17ef4f05
4
+ data.tar.gz: ac39d8ec47898b8069e538a1b1593faea1f5e8b0f7823a9e8eb75ea7d7add310
5
5
  SHA512:
6
- metadata.gz: 5ea641bd7ea94915e07dfc19d82a1b173872a2b2b09eb6dcefabe2229d09d445caa4c9553f85c359615850cd03849820b09d8ca37ad72a75bc2af897bb4fcb19
7
- data.tar.gz: 2936ec4b34f29bfa86b39cf4fb0360729e4a92706ffb7c7bf730f1b49c0dfc132f24f29335f42e7275c838bfd8674e819a572d6fe430682e89601f290184118d
6
+ metadata.gz: 24184df0dd0e17acc8e6cad290a7b34e40146865c9a377475d135e0ad7046f7b6bea682418a9602e08be89964902ab4cd680be8d49f853b38ef6e3920ad09cee
7
+ data.tar.gz: 196a5aa4ab5ea4370d21a90080493025dc3530cda35b027bdb24a2844ae0dfa3d9f117dc137e011ec65ee0ebc9d3875394286328b708aca2a9c9007ddd88ae4d
data/lib/rack/cloudflare_jwt/auth.rb CHANGED
@@ -11,12 +11,17 @@ module Rack
11
11
  #
12
12
  # @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
13
13
  class Auth
14
+ # Custom decode token error.
15
+ class DecodeTokenError < StandardError; end
16
+
14
17
  # Certs path
15
18
  CERTS_PATH = '/cdn-cgi/access/certs'
16
19
  # Default algorithm
17
20
  DEFAULT_ALGORITHM = 'RS256'
18
21
  # CloudFlare JWT header.
19
22
  HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
23
+ # HTTP_HOST header.
24
+ HEADER_HTTP_HOST = 'HTTP_HOST'
20
25
 
21
26
  # Token regex.
22
27
  #
@@ -79,12 +84,14 @@ module Rack
79
84
  # extract the token from header.
80
85
  token = env[HEADER_NAME]
81
86
  decoded_token = public_keys(env).find do |key|
82
- dt = decode_token(token, key.public_key)
83
- break dt if dt
87
+ break decode_token(token, key.public_key)
88
+ rescue DecodeTokenError => e
89
+ logger.info e.message
90
+ nil
84
91
  end
85
92
 
86
93
  if decoded_token
87
- Rails.logger.debug 'CloudFlare JWT token is valid'
94
+ logger.debug 'CloudFlare JWT token is valid'
88
95
 
89
96
  env['jwt.payload'] = decoded_token.first
90
97
  env['jwt.header'] = decoded_token.last
@@ -103,30 +110,32 @@ module Rack
103
110
  # {"alg"=>"RS256"} # header
104
111
  # ]
105
112
  #
106
- # @return [Array<Hash>] the token.
113
+ # @return [Array<Hash>] the token or `nil` at error.
114
+ # @raise [DecodeTokenError] if the token is invalid.
115
+ #
107
116
  # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
108
117
  def decode_token(token, secret)
109
118
  Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
110
119
  rescue ::JWT::VerificationError
111
- Rails.logger.info 'Invalid JWT token : Signature Verification Error'
120
+ raise DecodeTokenError, 'Invalid JWT token : Signature Verification Error'
112
121
  rescue ::JWT::ExpiredSignature
113
- Rails.logger.info 'Invalid JWT token : Expired Signature (exp)'
122
+ raise DecodeTokenError, 'Invalid JWT token : Expired Signature (exp)'
114
123
  rescue ::JWT::IncorrectAlgorithm
115
- Rails.logger.info 'Invalid JWT token : Incorrect Key Algorithm'
124
+ raise DecodeTokenError, 'Invalid JWT token : Incorrect Key Algorithm'
116
125
  rescue ::JWT::ImmatureSignature
117
- Rails.logger.info 'Invalid JWT token : Immature Signature (nbf)'
126
+ raise DecodeTokenError, 'Invalid JWT token : Immature Signature (nbf)'
118
127
  rescue ::JWT::InvalidIssuerError
119
- Rails.logger.info 'Invalid JWT token : Invalid Issuer (iss)'
128
+ raise DecodeTokenError, 'Invalid JWT token : Invalid Issuer (iss)'
120
129
  rescue ::JWT::InvalidIatError
121
- Rails.logger.info 'Invalid JWT token : Invalid Issued At (iat)'
130
+ raise DecodeTokenError, 'Invalid JWT token : Invalid Issued At (iat)'
122
131
  rescue ::JWT::InvalidAudError
123
- Rails.logger.info 'Invalid JWT token : Invalid Audience (aud)'
132
+ raise DecodeTokenError, 'Invalid JWT token : Invalid Audience (aud)'
124
133
  rescue ::JWT::InvalidSubError
125
- Rails.logger.info 'Invalid JWT token : Invalid Subject (sub)'
134
+ raise DecodeTokenError, 'Invalid JWT token : Invalid Subject (sub)'
126
135
  rescue ::JWT::InvalidJtiError
127
- Rails.logger.info 'Invalid JWT token : Invalid JWT ID (jti)'
136
+ raise DecodeTokenError, 'Invalid JWT token : Invalid JWT ID (jti)'
128
137
  rescue ::JWT::DecodeError
129
- Rails.logger.info 'Invalid JWT token : Decode Error'
138
+ raise DecodeTokenError, 'Invalid JWT token : Decode Error'
130
139
  end
131
140
 
132
141
  # Private: Check if current path is in the include_paths.
@@ -162,8 +171,8 @@ module Rack
162
171
  #
163
172
  # @return [Array<OpenSSL::PKey::RSA>] the public keys.
164
173
  def public_keys(env)
165
- host = env['HTTP_HOST']
166
- keys = Rails.cache.fetch([self.class.name, '#secrets', host]) { fetch_public_keys(host) }
174
+ host = env[HEADER_HTTP_HOST]
175
+ keys = cache.fetch([self.class.name, '#secrets', host]) { fetch_public_keys(host) }
167
176
  keys.map do |jwk_data|
168
177
  ::JWT::JWK.import(jwk_data).keypair
169
178
  end
@@ -176,10 +185,24 @@ module Rack
176
185
  # @return [Array<Hash>] the public keys.
177
186
  def fetch_public_keys(host)
178
187
  json = Net::HTTP.get(host, CERTS_PATH)
179
- json.present? ? MultiJson.load(json, symbolize_keys: true).fetch(:keys) : []
188
+ json.empty? ? [] : MultiJson.load(json, symbolize_keys: true).fetch(:keys)
180
189
  rescue StandardError
181
190
  []
182
191
  end
192
+
193
+ # Private: Get a cache store.
194
+ #
195
+ # @return [ActiveSupport::Cache::Store] the cache store.
196
+ def cache
197
+ Rails.cache
198
+ end
199
+
200
+ # Private: Get a logger.
201
+ #
202
+ # @return [ActiveSupport::Logger] the logger.
203
+ def logger
204
+ Rails.logger
205
+ end
183
206
  end
184
207
  end
185
208
  end
data/lib/rack/cloudflare_jwt/version.rb CHANGED
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Rack
4
4
  module CloudflareJwt
5
- VERSION = '0.0.6'
5
+ VERSION = '0.0.7'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-cloudflare-jwt
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.6
4
+ version: 0.0.7
5
5
  platform: ruby
6
6
  authors:
7
7
  - Aleksei Vokhmin
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-01-28 00:00:00.000000000 Z
11
+ date: 2020-02-26 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -94,6 +94,20 @@ dependencies:
94
94
  - - ">="
95
95
  - !ruby/object:Gem::Version
96
96
  version: 0.16.0
97
+ - !ruby/object:Gem::Dependency
98
+ name: webmock
99
+ requirement: !ruby/object:Gem::Requirement
100
+ requirements:
101
+ - - ">="
102
+ - !ruby/object:Gem::Version
103
+ version: 3.8.0
104
+ type: :development
105
+ prerelease: false
106
+ version_requirements: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - ">="
109
+ - !ruby/object:Gem::Version
110
+ version: 3.8.0
97
111
  - !ruby/object:Gem::Dependency
98
112
  name: jwt
99
113
  requirement: !ruby/object:Gem::Requirement