rack-cloudflare-jwt 0.1.0 → 0.2.0
- checksums.yaml +4 -4
- data/README.md +4 -1
- data/lib/rack/cloudflare_jwt/auth.rb +17 -21
- data/lib/rack/cloudflare_jwt/version.rb +1 -1
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 9cfffcc56a02828c0ab0aea34ce64dd64e7fa09b9c564cc2146f7a54f01ff189
|
4
|
+
data.tar.gz: 55b46d11820643dead91670a3c23aaa25d0d80526844ecdcadb38c2ec5110465
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 637d37665fa3e39c8d65649ad3fde2bee0cd84a3bf1d3e8974e2abb49c2e3d051785f63dee1bc5ac914e601076e0cf14b6a0c04a359b675f7b3e8cd1cae7c294
|
7
|
+
data.tar.gz: 8879652a99cf5639b2ad6543524ea4ff28f7ce92be470a4d6594f9554751b10f6e3079262532d2b9a7948cb277a7f33d6e06171f4e147d8898f24eeec0a079e8
|
data/README.md
CHANGED
@@ -38,11 +38,14 @@ $ gem install rack-cloudflare-jwt
|
|
38
38
|
|
39
39
|
* `Hash` value : `String` : A Application Audience (AUD) Tag.
|
40
40
|
|
41
|
+
Also, you should provide a Team Domain.
|
41
42
|
|
42
43
|
### Rails
|
43
44
|
|
44
45
|
```ruby
|
45
|
-
Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, '
|
46
|
+
Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, 'my-team-domain.cloudflareaccess.com',
|
47
|
+
'/my-path-1' => 'aaa.bbb.ccc'
|
48
|
+
'/my-path-2' => 'xxx.yyy.zzz',
|
46
49
|
```
|
47
50
|
|
48
51
|
## Contributing
|
@@ -19,8 +19,6 @@ module Rack::CloudflareJwt
|
|
19
19
|
DEFAULT_ALGORITHM = 'RS256'
|
20
20
|
# CloudFlare JWT header.
|
21
21
|
HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
|
22
|
-
# HTTP_HOST header.
|
23
|
-
HEADER_HTTP_HOST = 'HTTP_HOST'
|
24
22
|
# Key for get current path.
|
25
23
|
PATH_INFO = 'PATH_INFO'
|
26
24
|
|
@@ -35,21 +33,24 @@ module Rack::CloudflareJwt
|
|
35
33
|
)$
|
36
34
|
/x.freeze
|
37
35
|
|
38
|
-
attr_reader :policies
|
36
|
+
attr_reader :policies, :team_domain
|
39
37
|
|
40
38
|
# Initializes middleware
|
41
39
|
#
|
42
40
|
# @example Initialize middleware in Rails
|
43
41
|
# config.middleware.use(
|
44
42
|
# Rack::CloudflareJwt::Auth,
|
43
|
+
# ENV['RACK_CLOUDFLARE_JWT_TEAM_DOMAIN'],
|
45
44
|
# '/admin' => <cloudflare-aud-1>,
|
46
45
|
# '/manager' => <cloudflare-aud-2>,
|
47
46
|
# )
|
48
47
|
#
|
48
|
+
# @param team_domain [String] the Team Domain (e.g. 'test.cloudflareaccess.com').
|
49
49
|
# @param policies [Hash<String, String>] the policies with paths and AUDs.
|
50
|
-
def initialize(app, policies = {})
|
51
|
-
@app
|
52
|
-
@
|
50
|
+
def initialize(app, team_domain, policies = {})
|
51
|
+
@app = app
|
52
|
+
@team_domain = team_domain
|
53
|
+
@policies = policies
|
53
54
|
|
54
55
|
check_policy_auds!
|
55
56
|
check_paths_type!
|
@@ -95,7 +96,7 @@ module Rack::CloudflareJwt
|
|
95
96
|
# extract the token from header.
|
96
97
|
token = env[HEADER_NAME]
|
97
98
|
policy_aud = policies.find { |path, _aud| env[PATH_INFO].start_with?(path) }&.last
|
98
|
-
decoded_token = public_keys
|
99
|
+
decoded_token = public_keys.find do |key|
|
99
100
|
break decode_token(token, key.public_key, policy_aud)
|
100
101
|
rescue DecodeTokenError => e
|
101
102
|
logger.info e.message
|
@@ -186,20 +187,17 @@ module Rack::CloudflareJwt
|
|
186
187
|
# Private: Get public keys.
|
187
188
|
#
|
188
189
|
# @return [Array<OpenSSL::PKey::RSA>] the public keys.
|
189
|
-
def public_keys
|
190
|
-
|
191
|
-
fetch_public_keys_cached(host).map do |jwk_data|
|
190
|
+
def public_keys
|
191
|
+
fetch_public_keys_cached.map do |jwk_data|
|
192
192
|
::JWT::JWK.import(jwk_data).keypair
|
193
193
|
end
|
194
194
|
end
|
195
195
|
|
196
196
|
# Private: Fetch public keys.
|
197
197
|
#
|
198
|
-
# @param host [String] The host.
|
199
|
-
#
|
200
198
|
# @return [Array<Hash>] the public keys.
|
201
|
-
def fetch_public_keys
|
202
|
-
json = Net::HTTP.get(
|
199
|
+
def fetch_public_keys
|
200
|
+
json = Net::HTTP.get(team_domain, CERTS_PATH)
|
203
201
|
json.empty? ? [] : MultiJson.load(json, symbolize_keys: true).fetch(:keys)
|
204
202
|
rescue StandardError
|
205
203
|
[]
|
@@ -209,19 +207,17 @@ module Rack::CloudflareJwt
|
|
209
207
|
#
|
210
208
|
# Store a keys in the cache only 10 minutes.
|
211
209
|
#
|
212
|
-
# @param host [String] The host.
|
213
|
-
#
|
214
210
|
# @return [Array<Hash>] the public keys.
|
215
|
-
def fetch_public_keys_cached
|
216
|
-
key = [self.class.name, '#secrets'
|
211
|
+
def fetch_public_keys_cached
|
212
|
+
key = [self.class.name, '#secrets'].join('_')
|
217
213
|
|
218
214
|
if defined? Rails
|
219
|
-
Rails.cache.fetch(key, expires_in: 600) { fetch_public_keys
|
215
|
+
Rails.cache.fetch(key, expires_in: 600) { fetch_public_keys }
|
220
216
|
elsif defined? Padrino
|
221
217
|
keys = Padrino.cache[key]
|
222
|
-
keys || Padrino.cache.store(key, fetch_public_keys
|
218
|
+
keys || Padrino.cache.store(key, fetch_public_keys, expires: 600)
|
223
219
|
else
|
224
|
-
fetch_public_keys
|
220
|
+
fetch_public_keys
|
225
221
|
end
|
226
222
|
end
|
227
223
|
|
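Review bot: `json = Net::HTTP.get(team_domain, CERTS_PATH)` in `fetch_public_keys` uses the (host, path) form of `Net::HTTP.get`, which connects on port 80 without TLS, so the JWKS that every token is verified against is fetched in cleartext; if the certs endpoint is only served over HTTPS, the redirect body will not parse as JSON and the `rescue StandardError` below silently turns that into an empty key set. The URI form enables TLS from the scheme: `json = Net::HTTP.get(URI("https://#{team_domain}#{CERTS_PATH}"))`. Since `fetch_public_keys_cached` stores whatever the block returns for 600 seconds in `Rails.cache.fetch` / `Padrino.cache.store`, a transient fetch failure appears to cache `[]` and reject every request until the entry expires; caching only a non-empty result and logging the rescued error (as the `DecodeTokenError` path already does with `logger.info`) would make that failure visible. `initialize` now takes `team_domain` but neither `check_policy_auds!` nor `check_paths_type!` covers it, so a guard such as `raise ArgumentError, 'team_domain must be a non-empty String' if team_domain.to_s.empty?` would catch a missing `ENV['RACK_CLOUDFLARE_JWT_TEAM_DOMAIN']` at boot rather than on the first request. The closing `end` of `fetch_public_keys` falls outside the hunk.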
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-cloudflare-jwt
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Aleksei Vokhmin
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-04-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -211,7 +211,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
211
211
|
- !ruby/object:Gem::Version
|
212
212
|
version: '0'
|
213
213
|
requirements: []
|
214
|
-
rubygems_version: 3.0.
|
214
|
+
rubygems_version: 3.0.1
|
215
215
|
signing_key:
|
216
216
|
specification_version: 4
|
217
217
|
summary: Rack middleware that provides authentication based on CloudFlare JSON Web
|