rack-json_web_token_auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 32ba799c3c70c2a2d97847f43783f122061ca956
+  data.tar.gz: 48e78024ba8183d174845324994d98e7a7bb2335
+SHA512:
+  metadata.gz: b1c1bfb51899743df81370e00ea4961eb5af410e90a10c9d1ab544547f8601b55a2e9aede318e590edb9033d4d0d8203904d303fa9fe10533641ea091745b848
+  data.tar.gz: 24257ad9bc718101ce0fe7cbb5c5aaf7df7bdbae56106f7800f6f717291884f31ffe6f65126ac339aa4a62b09d20a493cb17c3d9c77a535bd5bbbc443c542ae1

checksums.yaml.gz.sig

@@ -0,0 +1,2 @@
+e�	~v(LC�6���86M@z�$b�
��mP�$n�N����v��.$`٪�ɩi(e4�����"|��6΂��,��l5bְ�Ǵ�ϽE�B��\C.p�{>�A�]Z/
���]��q,Y�h���D5#��=���GԆP�ǕM�~����yi�>���z�
+*P��m`��W���?���C�ƒO~�۾!*���wm�7������V�3�+�J��й��H�)��M�O���y�X�8���	5[���b�:�袋

data.tar.gz.sig

@@ -0,0 +1 @@
+�1�

data/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2016 Glenn Rempe
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,263 @@
+# Rack::JsonWebTokenAuth
+
+## WARNING
+
+This is pre-release software. It is pretty well tested but has not yet
+been used in production. Your feedback is requested.
+
+## About
+
+`Rack::JsonWebTokenAuth` is a Rack middleware that makes it easy for your
+Rack based application (Sinatra, Rails) to authenticate clients that
+present a valid `Authorization: Bearer token` header with a [JSON Web Token (JWT)](https://jwt.io/).
+
+This middleware was inspired by the similar [eigenbart/rack-jwt](https://github.com/eigenbart/rack-jwt)
+middleware but provides a leaner codebase that relies upon the excellent
+[garyf/jwt_claims](https://github.com/garyf/jwt_claims) and [garyf/json_web_token](https://github.com/garyf/json_web_token) gems to provide
+all JWT token validation. This gem also makes extensive use of the [contracts](https://egonschiele.github.io/contracts.ruby/) gem to enforce strict
+type checking on all inputs and outputs. It is designed to fail-fast on errors and
+reject invalid inputs before even trying to parse them using JWT.
+
+## Installation
+
+Add this line to your application's `Gemfile`:
+
+```ruby
+gem 'rack-json_web_token_auth'
+```
+
+And then execute:
+
+```
+$ bundle install
+```
+
+Or install it directly with:
+
+```
+$ gem install rack-json_web_token_auth
+```
+
+## Usage
+
+This Rack middleware is designed to allow adding a simple authentication layer,
+using JSON Web Tokens (JWT), to your Rack based applications. It's easy
+to configure with a simple Ruby DSL.
+
+This middleware is not responsible for creating valid JWT tokens for you. It
+only receives and validates them. If the token provided is valid for a specific
+path the request will be allowed to continue as normal. If the token is invalid,
+or the path requested is not a configured path, a `401 Not Authorized`
+HTTP response will be sent.
+
+For token creation I recommend the
+[garyf/json_web_token](https://github.com/garyf/json_web_token) gem.
+
+### Creating a JWT
+
+Here is an example of creating a JWT with a pretty full set of claims. You may
+not need all of these for your application.
+
+```ruby
+require 'json_web_token'
+
+key = '4a7b98c31c3b6918f916d809443c096d02bf686d6bead5baa4a162642cea98b3'
+
+claims = {
+  name: 'John Doe',
+  iat: Time.now.to_i - 1,
+  nbf: Time.now.to_i - 5,
+  exp: Time.now.to_i + 10,
+  aud: %w(api web),
+  sub: 'my-user-id',
+  jti: 'my-unique-token-id',
+  iss: 'https://my.example.com/'
+}
+
+# generate a signed token
+jwt = JsonWebToken.sign(claims, key: key, alg: 'HS256')
+#=> "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoiSm9obiBEb2UiLCJpYXQiOjE0NzY0MTUwMjUsIm5iZiI6MTQ3NjQxNTAyMSwiZXhwIjoxNDc2NDE1MDM2LCJhdWQiOlsiYXBpIiwid2ViIl0sInN1YiI6Im15LXVzZXItaWQiLCJqdGkiOiJteS11bmlxdWUtdG9rZW4taWQiLCJpc3MiOiJodHRwczovL215LmV4YW1wbGUuY29tLyJ9.-zu-FGfLmwLX69DC2UIsk-8oEGoRSkCOUqbJwcarSm4"
+```
+
+### Submitting a JWT
+
+Your client of choice needs to submit an [Authorization Bearer](http://self-issued.info/docs/draft-ietf-oauth-v2-bearer.html) request header.
+
+How you do this is client specific and left as an exercise for the reader.
+
+```
+'Authorization' => "Bearer #{jwt}"
+```
+
+### Server Config
+
+This middleware should be inserted as early as possible into your middleware
+stack.
+
+Configuring the Rack middleware to accept JWT tokens on your server is just a
+matter of adding the middleware and configuring which paths are to be considered
+public and `unsecured` (no JWT needed), and which require a valid token
+to continue. These are private `secured` paths.
+
+For each `secured` resource you must also provide the JWT config needed to validate
+incoming tokens. The available claims are processed by the [garyf/jwt_claims](https://github.com/garyf/jwt_claims) gem and more info about
+claims can be found in the README for that project. At a minimum a `:key` must
+be provided except if the `none` algorithm is being used (probably not recommended).
+
+Configuration directives are processed in the order that you provide and requests
+match against the first path match.  For this reason you should probably put your
+`unsecured` resources first and order all resources from most specific to least
+specific.
+
+The DSL was heavily inspired by the [rack-cors](https://github.com/cyu/rack-cors)
+gem and the resource path matching code is a direct port from it.
+
+```ruby
+require 'rack/json_web_token_auth'
+
+use Rack::JsonWebTokenAuth.new do
+
+  # You can define JWT options for all `secured` resources globally
+  # or you can specify a hash like this inside each block. If you want to
+  # get really granular this config can even be different per `secure` resource.
+  jwt_opts = {
+    key: '4a7b98c31c3b6918f916d809443c096d02bf686d6bead5baa4a162642cea98b3',
+    alg: 'HS256',
+    aud: 'api',
+    sub: 'my-user-id',
+    jti: 'my-unique-token-id',
+    iss: 'https://my.example.com/',
+    leeway_seconds: 30
+  }
+
+  # Resources defined in this block are whitelisted and
+  # require no token for requests to the configured
+  # resource path. You should probably define your unsecured
+  # paths first. Resources in this block will raise an exception
+  # if provided with the :jwt options hash.
+  unsecured do
+    resource '/users/registration'
+    resource '/users/login'
+  end
+
+  # Resources defined in this block require a valid JWT token
+  # for access. Each resource takes a path and a Hash of options.
+  # The only option supported at the moment is `jwt`. The `:jwt` Hash
+  # key should be set to a Hash and only a `:key` must be defined
+  # which is a random key of sufficient strength.
+  #
+  # Additional JWT claims can also be provided in this hash as shown in
+  # this example.
+  #
+  # Resources defined in this block will raise an exception if they
+  # are not provided with the `:jwt` options hash and a valid `:key`
+  # (unless using the 'none' algorithm).
+  secured do
+    # a resource can start with a slash and match an exact path
+    resource '/private', jwt: jwt_opts
+
+    # or it can contain a wildcard '*'. The entire path
+    # can even be specified with '*' if you wanted to
+    # match all paths.
+    resource '/private/*/wildcard', jwt: jwt_opts
+
+    # Every resource can be configured with its own
+    # JWT keys and all other valid JWT claim options.
+    # For example you could require one token config for
+    # login and registration, and on successful login mint
+    # another flavor of token for all other app API access.
+    resource '/another/path', jwt: {key: 'a long random key', alg: 'HS512'}
+  end
+
+  # You can have more than one `unsecured` or `secured` block if you like.
+  unsecured do
+    # WARNING : this resource will never be used since it is masked
+    # by another resource higher in the stack with the same '/private' path.
+    resource '/private'
+  end
+
+  # Requests to any resource path not explictly marked as 'secured' or
+  # `unsecured` above will fail-safe and return a 401 status.
+  # e.g. /path/to/somewhere/else
+end
+```
+
+## Development
+
+After checking out the repo, run `bundle install` to install dependencies. Then,
+run `bundle exec rake` to run the specs.
+
+To install this gem onto your local machine, run `bundle exec rake install`.
+
+### Installation Security : Signed Ruby Gem
+
+This gem is cryptographically signed. To be sure the gem you install hasn’t
+been tampered with you can install it using the following method:
+
+Add my public key (if you haven’t already) as a trusted certificate
+
+```
+# Caveat: Gem certificates are trusted globally, such that adding a
+# cert.pem for one gem automatically trusts all gems signed by that cert.
+gem cert --add <(curl -Ls https://raw.github.com/grempe/rack-json_web_token_auth/master/certs/gem-public_cert_grempe_2026.pem)
+```
+
+To install, it is possible to specify either `HighSecurity` or `MediumSecurity`
+mode. Since this gem depends on one or more gems that are not cryptographically
+signed you will likely need to use `MediumSecurity`. You should receive a warning
+if any signed gem does not match its signature.
+
+```
+# All signed dependent gems must be verified.
+gem install rack-json_web_token_auth -P MediumSecurity
+```
+
+You can [learn more about security and signed Ruby Gems](http://guides.rubygems.org/security/).
+
+### Installation Security : Signed Git Commits
+
+Most, if not all, of the commits and tags to this repository are
+signed with my PGP/GPG code signing key. I have uploaded my code signing public
+keys to GitHub and you can now verify those signatures with the GitHub UI.
+See [this list of commits](https://github.com/grempe/rack-json_web_token_auth/commits/master)
+and look for the `Verified` tag next to each commit. You can click on that tag
+for additional information.
+
+You can also clone the repository and verify the signatures locally using your
+own GnuPG installation. You can find my certificates and read about how to conduct
+this verification at [https://www.rempe.us/keys/](https://www.rempe.us/keys/).
+
+### Contributing
+
+Bug reports and pull requests are welcome on GitHub
+at [https://github.com/grempe/rack-json_web_token_auth](https://github.com/grempe/rack-json_web_token_auth). This project is intended to be a safe, welcoming space for collaboration, and
+contributors are expected to adhere to the
+[Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## Legal
+
+### Copyright
+
+(c) 2016 Glenn Rempe <[glenn@rempe.us](mailto:glenn@rempe.us)> ([https://www.rempe.us/](https://www.rempe.us/))
+
+### License
+
+The gem is available as open source under the terms of
+the [MIT License](http://opensource.org/licenses/MIT).
+
+### Warranty
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+either express or implied. See the LICENSE.txt file for the
+specific language governing permissions and limitations under
+the License.
+
+## Thank You!
+
+Thanks to Gary Fleshman ([@garyf](https://github.com/garyf)) for
+his very well written implementation of JWT and for accepting my patches.
+
+And of course thanks to Mr. Eigenbart ([@eigenbart](https://github.com/eigenbart))
+for the inspiration.

data/lib/custom_contracts.rb

@@ -0,0 +1,135 @@
+module Contracts
+  C = Contracts
+
+  # Custom Contracts
+  # See : https://egonschiele.github.io/contracts.ruby/
+
+  # The last segment gets dropped for 'none' algorithm since there is no
+  # signature so both of these patterns are valid. All character chunks
+  # are base64url format and periods.
+  #   Bearer abc123.abc123.abc123
+  #   Bearer abc123.abc123.
+  BEARER_TOKEN_REGEX = %r{
+    ^Bearer\s{1}(       # starts with Bearer and a single space
+    [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
+    [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
+    [a-zA-Z0-9\-\_]*    # 0 or more chars, no trailing chars
+    )$
+  }x
+
+  class RackRequestHttpAuth
+    def self.valid?(val)
+      Contract.valid?(val, ({ 'HTTP_AUTHORIZATION' => BEARER_TOKEN_REGEX }))
+    end
+
+    def self.to_s
+      'A Rack request with JWT auth header'
+    end
+  end
+
+  class RackResponse
+    def self.valid?(val)
+      Contract.valid?(val, [C::Int, Hash, C::Any])
+    end
+
+    def self.to_s
+      'A Rack response'
+    end
+  end
+
+  class Key
+    def self.valid?(val)
+      return false if val.is_a?(String) && val.strip.empty?
+      C::Or[String, OpenSSL::PKey::RSA, OpenSSL::PKey::EC].valid?(val)
+    end
+
+    def self.to_s
+      'A JWT secret string or signature key'
+    end
+  end
+
+  class Algorithm
+    def self.valid?(val)
+      C::Enum['none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'].valid?(val)
+    end
+
+    def self.to_s
+      'A valid JWT token signature algorithm, or none'
+    end
+  end
+
+  class VerifierOptions
+    def self.valid?(val)
+      C::KeywordArgs[
+        key: C::Optional[C::Key],
+        alg: C::Optional[C::Algorithm],
+        iat: C::Optional[C::Int],
+        nbf: C::Optional[C::Int],
+        exp: C::Optional[C::Int],
+        iss: C::Optional[String],
+        jti: C::Optional[String],
+        aud: C::Optional[C::Or[String, C::ArrayOf[String], Symbol, C::ArrayOf[Symbol]]],
+        sub: C::Optional[String],
+        leeway_seconds: C::Optional[C::Int]
+      ].valid?(val)
+    end
+
+    def self.to_s
+      'A Hash of token verifier options'
+    end
+  end
+
+  # abc123.abc123.abc123    (w/ signature)
+  # abc123.abc123.          ('none')
+  class EncodedToken
+    def self.valid?(val)
+      val =~ /\A([a-zA-Z0-9\-\_]+\.[a-zA-Z0-9\-\_]+\.[a-zA-Z0-9\-\_]*)\z/
+    end
+
+    def self.to_s
+      'A valid encoded token'
+    end
+  end
+
+  class DecodedToken
+    def self.valid?(val)
+      C::ArrayOf[Hash].valid?(val) &&
+        C::DecodedTokenClaims.valid?(val[0]) &&
+        C::DecodedTokenHeader.valid?(val[1])
+    end
+
+    def self.to_s
+      'A valid Array of decoded token claims and header Hashes'
+    end
+  end
+
+  class DecodedTokenClaims
+    def self.valid?(val)
+      C::HashOf[C::Or[String, Symbol] => C::Maybe[C::Or[String, C::Num, C::Bool, C::ArrayOf[C::Any], Hash]]].valid?(val)
+    end
+
+    def self.to_s
+      'A valid decoded token payload attribute'
+    end
+  end
+
+  class DecodedTokenHeader
+    def self.valid?(val)
+      C::HashOf[C::Enum['typ', 'alg'] => C::Or['JWT', C::TokenAlgorithm]].valid?(val)
+    end
+
+    def self.to_s
+      'A valid decoded token header attribute'
+    end
+  end
+
+  class ResourcePath
+    def self.valid?(val)
+      C::Or[String, Regexp]
+    end
+
+    def self.to_s
+      'A valid resource path string or regex'
+    end
+  end
+end

data/lib/rack/json_web_token_auth.rb

@@ -0,0 +1,117 @@
+require 'json'
+require 'contracts'
+require 'hashie'
+require 'jwt_claims'
+
+require 'rack/json_web_token_auth/resources'
+require 'rack/json_web_token_auth/resource'
+require 'custom_contracts'
+
+module Rack
+  # Rack Middleware for JSON Web Token Authentication
+  class JsonWebTokenAuth
+    include Contracts::Core
+    C = Contracts
+
+    ENV_KEY = 'jwt.claims'.freeze
+    PATH_INFO_HEADER_KEY = 'PATH_INFO'.freeze
+
+    Contract C::Any, Proc => C::Any
+    def initialize(app, &block)
+      @app = app
+      # execute the block methods provided in the context of this class
+      instance_eval(&block)
+    end
+
+    Contract Proc => C::ArrayOf[Resources]
+    def secured(&block)
+      resources = Resources.new(public_resource: false)
+      # execute the methods in the 'secured' block in the context of
+      # a new Resources object
+      resources.instance_eval(&block)
+      all_resources << resources
+    end
+
+    Contract Proc => C::ArrayOf[Resources]
+    def unsecured(&block)
+      resources = Resources.new(public_resource: true)
+      # execute the methods in the 'unsecured' block in the context of
+      # a new Resources object
+      resources.instance_eval(&block)
+      all_resources << resources
+    end
+
+    Contract Hash => C::RackResponse
+    def call(env)
+      begin
+        resource = resource_for_path(env[PATH_INFO_HEADER_KEY])
+
+        if resource.public_resource?
+          # whitelisted as `unsecured`. skip all token authentication.
+          @app.call(env)
+        elsif resource.nil?
+          # no matching `secured` or `unsecured` resource.
+          # fail-safe with 401 unauthorized
+          raise 'No resource for path defined. Deny by default.'
+        else
+          # a `secured` resource, validate the token to see if authenticated
+
+          # Test that `env` has a well formed Authorization header
+          unless Contract.valid?(env, C::RackRequestHttpAuth)
+            raise 'malformed Authorization header or token'
+          end
+
+          # Extract the token from the 'Authorization: Bearer token' string
+          token = C::BEARER_TOKEN_REGEX.match(env['HTTP_AUTHORIZATION'])[1]
+
+          # Verify the token and its claims are valid
+          jwt_opts = resource.opts[:jwt]
+          jwt = ::JwtClaims.verify(token, jwt_opts)
+
+          # JwtClaims.verify returns a JWT claims set hash, if the
+          # JWT Message Authentication Code (MAC), or signature,
+          # are verified and the registered claims are also verified.
+          if Contract.valid?(jwt, C::HashOf[ok: C::HashOf[Symbol => C::Any]])
+            # Authenticated! Pass all claims into the app env for app use
+            # with the hash keys converted to strings to match Rack env.
+            env[ENV_KEY] = Hashie.stringify_keys(jwt[:ok])
+          elsif Contract.valid?(jwt, C::HashOf[error: C::ArrayOf[Symbol]])
+            # a list of any registered claims that fail validation, if the JWT MAC is verified
+            raise "invalid JWT claims : #{jwt[:error].sort.join(', ')}"
+          elsif Contract.valid?(jwt, C::HashOf[error: 'invalid JWT'])
+            # the JWT MAC is not verified
+            raise 'invalid JWT'
+          elsif Contract.valid?(jwt, C::HashOf[error: 'invalid input'])
+            # otherwise
+            raise 'invalid JWT input'
+          else
+            raise 'unhandled JWT error'
+          end
+
+          @app.call(env)
+        end
+      rescue StandardError => e
+        body = e.message.nil? ? 'Unauthorized' : "Unauthorized : #{e.message}"
+        headers = { 'WWW-Authenticate' => 'Bearer error="invalid_token"',
+                    'Content-Type' => 'text/plain',
+                    'Content-Length' => body.bytesize.to_s }
+        [401, headers, [body]]
+      end
+    end
+
+    Contract C::None => C::Or[C::ArrayOf[Resources], []]
+    def all_resources
+      @all_resources ||= []
+    end
+
+    Contract String => C::Maybe[Resource]
+    def resource_for_path(path_info)
+      all_resources.each do |r|
+        if found = r.resource_for_path(path_info)
+          return found
+        end
+      end
+      nil
+    end
+  end
+end

data/lib/rack/json_web_token_auth/resource.rb

@@ -0,0 +1,68 @@
+require 'custom_contracts'
+
+module Rack
+  class JsonWebTokenAuth
+    class Resource
+      include Contracts::Core
+      C = Contracts
+
+      attr_accessor :public_resource, :path, :pattern, :opts
+
+      Contract C::Bool, C::ResourcePath, Hash => C::Any
+      def initialize(public_resource, path, opts = {})
+        @public_resource = public_resource
+        @path = path
+        @pattern = compile(path)
+        @opts = opts
+
+        if public_resource
+          # unsecured resources should not have any jwt options defined
+          if @opts.key?(:jwt)
+            raise 'unexpected jwt options provided for unsecured resource'
+          end
+        else
+          # secured resources must have a :jwt hash with a :key
+          unless Contract.valid?(@opts, ({ jwt: { key: nil, alg: 'none' } })) ||
+                 Contract.valid?(@opts, ({ jwt: { key: C::Key } }))
+            raise 'invalid or missing jwt options for secured resource'
+          end
+        end
+      end
+
+      Contract C::ResourcePath => C::Maybe[Fixnum]
+      def matches_path?(path)
+        pattern =~ path
+      end
+
+      Contract C::None => C::Bool
+      def public_resource?
+        public_resource
+      end
+
+      protected
+
+      Contract C::ResourcePath => Regexp
+      def compile(path)
+        if path.respond_to? :to_str
+          special_chars = %w{. + ( )}
+          pattern =
+            path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
+              case match
+              when "*"
+                "(.*?)"
+              when *special_chars
+                Regexp.escape(match)
+              else
+                "([^/?&#]+)"
+              end
+            end
+          /^#{pattern}$/
+        elsif path.respond_to? :match
+          path
+        else
+          raise TypeError, path
+        end
+      end
+    end
+  end
+end

data/lib/rack/json_web_token_auth/resources.rb

@@ -0,0 +1,33 @@
+require 'custom_contracts'
+require 'rack/json_web_token_auth/resource'
+
+module Rack
+  class JsonWebTokenAuth
+    class Resources
+      include Contracts::Core
+      C = Contracts
+
+      Contract C::KeywordArgs[public_resource: C::Bool] => C::Any
+      def initialize(public_resource: false)
+        @resources = []
+        @public_resource = public_resource
+      end
+
+      Contract C::None => C::Bool
+      def public_resource?
+        @public_resource
+      end
+
+      Contract String, C::Maybe[Hash] => C::ArrayOf[Resource]
+      def resource(path, opts = {})
+        @resources << Resource.new(public_resource?, path, opts)
+      end
+
+      Contract String => C::Maybe[Resource]
+      def resource_for_path(path)
+        # return first match
+        @resources.detect { |r| r.matches_path?(path) }
+      end
+    end
+  end
+end

data/lib/rack/json_web_token_auth/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  class JsonWebTokenAuth
+    VERSION = '0.1.0'.freeze
+  end
+end

metadata

@@ -0,0 +1,228 @@
+--- !ruby/object:Gem::Specification
+name: rack-json_web_token_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Glenn Rempe
+autorequire: 
+bindir: bin
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIDYDCCAkigAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQ4wDAYDVQQDDAVnbGVu
+  bjEVMBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwHhcN
+  MTYxMDEzMDEzMjM5WhcNMjYxMDExMDEzMjM5WjA7MQ4wDAYDVQQDDAVnbGVubjEV
+  MBMGCgmSJomT8ixkARkWBXJlbXBlMRIwEAYKCZImiZPyLGQBGRYCdXMwggEiMA0G
+  CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrEuLEy11cjgMC4+ldcgLzBrGcfWWg
+  nUhdCRn3Arzo2EV1d4V4h6VOHmk4o7kumBeajUMMZ0+xKtu8euRCnbDnlxowfJvT
+  S0nzsOt1dm++INeKMpZU84LuH7BbAlyL+B//l1YkI33gsbA8wm06+vV8tUEBuQch
+  vBU2xrCyS2+0LQTCaCS+VvHbV97hzIwSIgUFJuFjrcnnpV8Qt1R0Bi8pzDk+2jyN
+  AgxaWa41UHn70O0gFRRDGXacRpvy3HRSJrvlHPPAC02CjhKjsOLjZowaHxCv9XIJ
+  tCQnVEOUUo9+owG2Gna4k4DMLIjiGChHNFXtO8WyuksukVqcsdc9kvdzAgMBAAGj
+  bzBtMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQWBBR68/Ook0uwfe6t
+  FbLHXIReYQ2VpzAZBgNVHREEEjAQgQ5nbGVubkByZW1wZS51czAZBgNVHRIEEjAQ
+  gQ5nbGVubkByZW1wZS51czANBgkqhkiG9w0BAQUFAAOCAQEAI27KUzTE9BoD2irI
+  CkMVPC0YS6iANrzQy3zIJI4yLKEZmI1jDE+W2APL11Woo5+sttgqY7148W84ZWdK
+  mD9ueqH5hPC8NOd3wYXVMNwmyLhnyh80cOzGeurW1SJ0VV3BqSKEE8q4EFjCzUK9
+  Oq8dW9i9Bxn8qgcOSFTYITJZ/mNyy2shHs5gg0MIz0uOsKaHqrrMseVfG7ZoTgV1
+  kkyRaYAHI1MSDNGFNwgURPQsgnxQrX8YG48q0ypFC1gOl/l6D0e/oF4SKMS156uc
+  vprF5QiDz8HshVP9DjJT2I1wyGyvxEdU3cTRo0upMP/VZLcgyBVFy90N2XYWWk2D
+  GIxGSw==
+  -----END CERTIFICATE-----
+date: 2016-10-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: contracts
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.14'
+- !ruby/object:Gem::Dependency
+  name: hashie
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: json_web_token
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.3.2
+- !ruby/object:Gem::Dependency
+  name: jwt_claims
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '11.3'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.12'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.41'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.41'
+- !ruby/object:Gem::Dependency
+  name: wwtd
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+description: Rack middleware for authentication using JSON Web Tokens using the jwt_claims
+  and json_web_token gems.
+email:
+- glenn@rempe.us
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- lib/custom_contracts.rb
+- lib/rack/json_web_token_auth.rb
+- lib/rack/json_web_token_auth/resource.rb
+- lib/rack/json_web_token_auth/resources.rb
+- lib/rack/json_web_token_auth/version.rb
+homepage: https://github.com/grempe/rack-json_web_token_auth
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.2.5
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Rack middleware for authentication using JSON Web Tokens
+test_files: []