rack-cloudflare-jwt 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 240d66a2a123b06cf3625765ce2d7b4772c2a46f059fd62decc90acd4d9e68bc
-  data.tar.gz: 9bf13c926defed079e9266752c64ab3b38d004e3665252b3dd7a663db77ae66c
+  metadata.gz: 55cdfb2ba442bac6516a587a070c304d1a4ecab379cbb24a231fd80ddebf6e51
+  data.tar.gz: 96e59628339f522d60626d4e82635b2ea864c4d732835e6c20b58fcc6d7c12eb
 SHA512:
-  metadata.gz: 735971f62a1c16c83d6591baa3d60c052107ef61076850a0598c2456c386aec32c62b79927e15560f2d9f47ef17f991ff084ee6bb27284ab17195e6fcd805148
-  data.tar.gz: c3f15c032fa1715e728e6e0337ddfae61165a8bda598cc69f077b5f87f71e93d2e24b249ae79ac197361a533ac730cf8b1c0823f2f1b00e794b15b3d1180c41d
+  metadata.gz: 636a1384bb904479c1fb7e126c919488a307af159651dc5b509ab39012fa01bb4d54af1fd50a3a1e4541e1a40c4be2810e3fda7c47e802774f4c37e101d4e113
+  data.tar.gz: d42e6f7ec8d19d16281b9df23daedc13116e8cec2fcd61f94324529197d3b13142d8e3662f3d393fe25924f848c65a5793d1a9eb67dd3391f811558ca7aa11a8

data/README.md

@@ -38,11 +38,22 @@ $ gem install rack-cloudflare-jwt
 
 * `Hash` value : `String` : A Application Audience (AUD) Tag.
 
+Also, you should provide a Team Domain.
 
 ### Rails
 
 ```ruby
-Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, '/my-path' => 'xxx.yyy.zzz'
+Rails.application.config.middleware.use Rack::CloudflareJwt::Auth, 'my-team-domain.cloudflareaccess.com',
+                                                                   '/my-path-1' => 'aaa.bbb.ccc'
+                                                                   '/my-path-2' => 'xxx.yyy.zzz',
+```
+
+# Releasing
+
+```
+gem signin
+
+
 ```
 
 ## Contributing

data/lib/rack/cloudflare_jwt/auth.rb

@@ -5,235 +5,229 @@ require 'multi_json'
 require 'net/http'
 require 'rack/jwt'
 
-module Rack::CloudflareJwt
-  # Authentication middleware
-  #
-  # @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
-  class Auth
-    # Custom decode token error.
-    class DecodeTokenError < StandardError; end
-
-    # Certs path
-    CERTS_PATH = '/cdn-cgi/access/certs'
-    # Default algorithm
-    DEFAULT_ALGORITHM = 'RS256'
-    # CloudFlare JWT header.
-    HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
-    # HTTP_HOST header.
-    HEADER_HTTP_HOST = 'HTTP_HOST'
-    # Key for get current path.
-    PATH_INFO = 'PATH_INFO'
-
-    # Token regex.
-    #
-    # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
-    TOKEN_REGEX = /
-      ^(
-      [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
-      [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
-      [a-zA-Z0-9\-_]+    # 1 or more chars, no trailing chars
-      )$
-    /x.freeze
-
-    attr_reader :policies
-
-    # Initializes middleware
-    #
-    # @example Initialize middleware in Rails
-    #   config.middleware.use(
-    #     Rack::CloudflareJwt::Auth,
-    #     '/admin'   => <cloudflare-aud-1>,
-    #     '/manager' => <cloudflare-aud-2>,
-    #   )
-    #
-    # @param policies [Hash<String, String>] the policies with paths and AUDs.
-    def initialize(app, policies = {})
-      @app      = app
-      @policies = policies
-
-      check_policy_auds!
-      check_paths_type!
-    end
+# Authentication middleware
+#
+# @see https://developers.cloudflare.com/access/setting-up-access/validate-jwt-tokens/
+class Rack::CloudflareJwt::Auth
+  # Custom decode token error.
+  class DecodeTokenError < StandardError; end
+
+  # Certs path
+  CERTS_PATH = '/cdn-cgi/access/certs'
+  # Default algorithm
+  DEFAULT_ALGORITHM = 'RS256'
+  # CloudFlare JWT header.
+  HEADER_NAME = 'HTTP_CF_ACCESS_JWT_ASSERTION'
+  # Key for get current path.
+  PATH_INFO = 'PATH_INFO'
+
+  # Token regex.
+  #
+  # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+  TOKEN_REGEX = /
+    ^(
+    [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
+    [a-zA-Z0-9\-_]+\.  # 1 or more chars followed by a single period
+    [a-zA-Z0-9\-_]+    # 1 or more chars, no trailing chars
+    )$
+  /x.freeze
+
+  attr_reader :policies, :team_domain
+
+  # Initializes middleware
+  #
+  # @example Initialize middleware in Rails
+  #   config.middleware.use(
+  #     Rack::CloudflareJwt::Auth,
+  #     ENV['RACK_CLOUDFLARE_JWT_TEAM_DOMAIN'],
+  #     '/admin'   => <cloudflare-aud-1>,
+  #     '/manager' => <cloudflare-aud-2>,
+  #   )
+  #
+  # @param team_domain [String] the Team Domain (e.g. 'test.cloudflareaccess.com').
+  # @param policies [Hash<String, String>] the policies with paths and AUDs.
+  def initialize(app, team_domain, policies = {})
+    @app         = app
+    @team_domain = team_domain
+    @policies    = policies
+
+    check_policy_auds!
+    check_paths_type!
+  end
 
-    # Public: Call a middleware.
-    def call(env)
-      if !path_matches?(env)
-        @app.call(env)
-      elsif missing_auth_header?(env)
-        return_error('Missing Authorization header')
-      elsif invalid_auth_header?(env)
-        return_error('Invalid Authorization header format')
-      else
-        verify_token(env)
-      end
+  # Public: Call a middleware.
+  def call(env)
+    if !path_matches?(env)
+      @app.call(env)
+    elsif missing_auth_header?(env)
+      return_error('Missing Authorization header')
+    elsif invalid_auth_header?(env)
+      return_error('Invalid Authorization header format')
+    else
+      verify_token(env)
     end
+  end
 
-    private
+  private
 
-    # Private: Check policy auds.
-    def check_policy_auds!
-      raise ArgumentError, 'policies cannot be nil/empty' if policies.values.empty?
+  # Private: Check policy auds.
+  def check_policy_auds!
+    raise ArgumentError, 'policies cannot be nil/empty' if policies.values.empty?
 
-      policies.each_value do |policy_aud|
-        next unless !policy_aud.is_a?(String) || policy_aud.strip.empty?
+    policies.each_value do |policy_aud|
+      next unless !policy_aud.is_a?(String) || policy_aud.strip.empty?
 
-        raise ArgumentError, 'policy AUD argument cannot be nil/empty'
-      end
+      raise ArgumentError, 'policy AUD argument cannot be nil/empty'
     end
+  end
 
-    # Private: Check paths type.
-    def check_paths_type!
-      policies.each_key do |path|
-        raise ArgumentError, 'each key element must be a String' unless path.is_a?(String)
-        raise ArgumentError, 'each key element must not be empty' if path.empty?
-        raise ArgumentError, 'each key element must start with a /' unless path.start_with?('/')
-      end
+  # Private: Check paths type.
+  def check_paths_type!
+    policies.each_key do |path|
+      raise ArgumentError, 'each key element must be a String' unless path.is_a?(String)
+      raise ArgumentError, 'each key element must not be empty' if path.empty?
+      raise ArgumentError, 'each key element must start with a /' unless path.start_with?('/')
     end
+  end
 
-    # Private: Verify a token.
-    def verify_token(env)
-      # extract the token from header.
-      token         = env[HEADER_NAME]
-      policy_aud    = policies.find { |path, _aud| env[PATH_INFO].start_with?(path) }&.last
-      decoded_token = public_keys(env).find do |key|
-        break decode_token(token, key.public_key, policy_aud)
-      rescue DecodeTokenError => e
-        logger.info e.message
-        nil
-      end
-
-      if decoded_token
-        logger.debug 'CloudFlare JWT token is valid'
-
-        env['jwt.payload'] = decoded_token.first
-        env['jwt.header']  = decoded_token.last
-        @app.call(env)
-      else
-        return_error('Invalid token')
-      end
+  # Private: Verify a token.
+  def verify_token(env)
+    # extract the token from header.
+    token         = env[HEADER_NAME]
+    policy_aud    = policies.find { |path, _aud| env[PATH_INFO].start_with?(path) }&.last
+    decoded_token = public_keys.find do |key|
+      break decode_token(token, key.public_key, policy_aud)
+    rescue DecodeTokenError => e
+      logger.info e.message
+      nil
     end
 
-    # Private: Decode a token.
-    #
-    # @param token [String] the token.
-    # @param secret [String] the public key.
-    # @param policy_aud [String] the CloudFlare AUD.
-    #
-    # @example
-    #
-    #   [
-    #     {"data"=>"test"}, # payload
-    #     {"alg"=>"RS256"} # header
-    #   ]
-    #
-    # @return [Array<Hash>] the token or `nil` at error.
-    # @raise [DecodeTokenError] if the token is invalid.
-    #
-    # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
-    def decode_token(token, secret, policy_aud)
-      Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
-    rescue ::JWT::VerificationError
-      raise DecodeTokenError, 'Invalid JWT token : Signature Verification Error'
-    rescue ::JWT::ExpiredSignature
-      raise DecodeTokenError, 'Invalid JWT token : Expired Signature (exp)'
-    rescue ::JWT::IncorrectAlgorithm
-      raise DecodeTokenError, 'Invalid JWT token : Incorrect Key Algorithm'
-    rescue ::JWT::ImmatureSignature
-      raise DecodeTokenError, 'Invalid JWT token : Immature Signature (nbf)'
-    rescue ::JWT::InvalidIssuerError
-      raise DecodeTokenError, 'Invalid JWT token : Invalid Issuer (iss)'
-    rescue ::JWT::InvalidIatError
-      raise DecodeTokenError, 'Invalid JWT token : Invalid Issued At (iat)'
-    rescue ::JWT::InvalidAudError
-      raise DecodeTokenError, 'Invalid JWT token : Invalid Audience (aud)'
-    rescue ::JWT::InvalidSubError
-      raise DecodeTokenError, 'Invalid JWT token : Invalid Subject (sub)'
-    rescue ::JWT::InvalidJtiError
-      raise DecodeTokenError, 'Invalid JWT token : Invalid JWT ID (jti)'
-    rescue ::JWT::DecodeError
-      raise DecodeTokenError, 'Invalid JWT token : Decode Error'
-    end
+    if decoded_token
+      logger.debug 'CloudFlare JWT token is valid'
 
-    # Private: Check if current path is in the policies.
-    #
-    # @return [Boolean] true if it is, false otherwise.
-    def path_matches?(env)
-      policies.empty? || policies.keys.any? { |ex| env[PATH_INFO].start_with?(ex) }
+      env['jwt.payload'] = decoded_token.first
+      env['jwt.header']  = decoded_token.last
+      @app.call(env)
+    else
+      return_error('Invalid token')
     end
+  end
 
-    # Private: Check if auth header is invalid.
-    #
-    # @return [Boolean] true if it is, false otherwise.
-    def invalid_auth_header?(env)
-      env[HEADER_NAME] !~ TOKEN_REGEX
-    end
+  # Private: Decode a token.
+  #
+  # @param token [String] the token.
+  # @param secret [String] the public key.
+  # @param policy_aud [String] the CloudFlare AUD.
+  #
+  # @example
+  #
+  #   [
+  #     {"data"=>"test"}, # payload
+  #     {"alg"=>"RS256"} # header
+  #   ]
+  #
+  # @return [Array<Hash>] the token or `nil` at error.
+  # @raise [DecodeTokenError] if the token is invalid.
+  #
+  # @see https://github.com/jwt/ruby-jwt/tree/v2.2.1#algorithms-and-usage
+  def decode_token(token, secret, policy_aud)
+    Rack::JWT::Token.decode(token, secret, true, aud: policy_aud, verify_aud: true, algorithm: DEFAULT_ALGORITHM)
+  rescue ::JWT::VerificationError
+    raise DecodeTokenError, 'Invalid JWT token : Signature Verification Error'
+  rescue ::JWT::ExpiredSignature
+    raise DecodeTokenError, 'Invalid JWT token : Expired Signature (exp)'
+  rescue ::JWT::IncorrectAlgorithm
+    raise DecodeTokenError, 'Invalid JWT token : Incorrect Key Algorithm'
+  rescue ::JWT::ImmatureSignature
+    raise DecodeTokenError, 'Invalid JWT token : Immature Signature (nbf)'
+  rescue ::JWT::InvalidIssuerError
+    raise DecodeTokenError, 'Invalid JWT token : Invalid Issuer (iss)'
+  rescue ::JWT::InvalidIatError
+    raise DecodeTokenError, 'Invalid JWT token : Invalid Issued At (iat)'
+  rescue ::JWT::InvalidAudError
+    raise DecodeTokenError, 'Invalid JWT token : Invalid Audience (aud)'
+  rescue ::JWT::InvalidSubError
+    raise DecodeTokenError, 'Invalid JWT token : Invalid Subject (sub)'
+  rescue ::JWT::InvalidJtiError
+    raise DecodeTokenError, 'Invalid JWT token : Invalid JWT ID (jti)'
+  rescue ::JWT::DecodeError
+    raise DecodeTokenError, 'Invalid JWT token : Decode Error'
+  end
 
-    # Private: Check if no auth header.
-    #
-    # @return [Boolean] true if it is, false otherwise.
-    def missing_auth_header?(env)
-      env[HEADER_NAME].nil? || env[HEADER_NAME].strip.empty?
-    end
+  # Private: Check if current path is in the policies.
+  #
+  # @return [Boolean] true if it is, false otherwise.
+  def path_matches?(env)
+    policies.empty? || policies.keys.any? { |ex| env[PATH_INFO].start_with?(ex) }
+  end
 
-    # Private: Return an error.
-    def return_error(message)
-      body    = { error: message }.to_json
-      headers = { 'Content-Type' => 'application/json' }
+  # Private: Check if auth header is invalid.
+  #
+  # @return [Boolean] true if it is, false otherwise.
+  def invalid_auth_header?(env)
+    env[HEADER_NAME] !~ TOKEN_REGEX
+  end
 
-      [403, headers, [body]]
-    end
+  # Private: Check if no auth header.
+  #
+  # @return [Boolean] true if it is, false otherwise.
+  def missing_auth_header?(env)
+    env[HEADER_NAME].nil? || env[HEADER_NAME].strip.empty?
+  end
 
-    # Private: Get public keys.
-    #
-    # @return [Array<OpenSSL::PKey::RSA>] the public keys.
-    def public_keys(env)
-      host = env[HEADER_HTTP_HOST]
-      fetch_public_keys_cached(host).map do |jwk_data|
-        ::JWT::JWK.import(jwk_data).keypair
-      end
-    end
+  # Private: Return an error.
+  def return_error(message)
+    body    = { error: message }.to_json
+    headers = { 'Content-Type' => 'application/json' }
+
+    [403, headers, [body]]
+  end
 
-    # Private: Fetch public keys.
-    #
-    # @param host [String] The host.
-    #
-    # @return [Array<Hash>] the public keys.
-    def fetch_public_keys(host)
-      json = Net::HTTP.get(host, CERTS_PATH)
-      json.empty? ? [] : MultiJson.load(json, symbolize_keys: true).fetch(:keys)
-    rescue StandardError
-      []
+  # Private: Get public keys.
+  #
+  # @return [Array<OpenSSL::PKey::RSA>] the public keys.
+  def public_keys
+    fetch_public_keys_cached.map do |jwk_data|
+      ::JWT::JWK.import(jwk_data).keypair
     end
+  end
+
+  # Private: Fetch public keys.
+  #
+  # @return [Array<Hash>] the public keys.
+  def fetch_public_keys
+    json = Net::HTTP.get(team_domain, CERTS_PATH)
+    json.empty? ? [] : MultiJson.load(json, symbolize_keys: true).fetch(:keys)
+  rescue StandardError
+    []
+  end
 
-    # Private: Get cached public keys.
-    #
-    # Store a keys in the cache only 10 minutes.
-    #
-    # @param host [String] The host.
-    #
-    # @return [Array<Hash>] the public keys.
-    def fetch_public_keys_cached(host)
-      key = [self.class.name, '#secrets', host].join('_')
-
-      if defined? Rails
-        Rails.cache.fetch(key, expires_in: 600) { fetch_public_keys(host) }
-      elsif defined? Padrino
-        keys = Padrino.cache[key]
-        keys || Padrino.cache.store(key, fetch_public_keys(host), expires: 600)
-      else
-        fetch_public_keys(host)
-      end
+  # Private: Get cached public keys.
+  #
+  # Store a keys in the cache only 10 minutes.
+  #
+  # @return [Array<Hash>] the public keys.
+  def fetch_public_keys_cached
+    key = [self.class.name, '#secrets'].join('_')
+
+    if defined? Rails
+      Rails.cache.fetch(key, expires_in: 600) { fetch_public_keys }
+    elsif defined? Padrino
+      keys = Padrino.cache[key]
+      keys || Padrino.cache.store(key, fetch_public_keys, expires: 600)
+    else
+      fetch_public_keys
     end
+  end
 
-    # Private: Get a logger.
-    #
-    # @return [ActiveSupport::Logger] the logger.
-    def logger
-      if defined? Rails
-        Rails.logger
-      elsif defined? Padrino
-        Padrino.logger
-      end
+  # Private: Get a logger.
+  #
+  # @return [ActiveSupport::Logger] the logger.
+  def logger
+    if defined? Rails
+      Rails.logger
+    elsif defined? Padrino
+      Padrino.logger
     end
   end
 end

data/lib/rack/cloudflare_jwt/version.rb

@@ -2,6 +2,6 @@
 
 module Rack # rubocop:disable Style/ClassAndModuleChildren
   module CloudflareJwt
-    VERSION = '0.1.0'
+    VERSION = '0.3.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-cloudflare-jwt
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Aleksei Vokhmin
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-10 00:00:00.000000000 Z
+date: 2023-06-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -126,16 +126,22 @@ dependencies:
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '2.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.2'
+    - - "<"
       - !ruby/object:Gem::Version
-        version: 2.2.0
+        version: '2.7'
 - !ruby/object:Gem::Dependency
   name: multi_json
   requirement: !ruby/object:Gem::Requirement
@@ -195,7 +201,8 @@ files:
 homepage: https://github.com/Shuttlerock/rack-cloudflare-jwt
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -211,7 +218,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: Rack middleware that provides authentication based on CloudFlare JSON Web