rack-json_web_token_auth 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 32ba799c3c70c2a2d97847f43783f122061ca956
-  data.tar.gz: 48e78024ba8183d174845324994d98e7a7bb2335
+  metadata.gz: 34e37b26161d949ec37dfa1699ac3c73bd16a6a6
+  data.tar.gz: 9fc1af9868b25087073f995f0dd497bbc936fd5e
 SHA512:
-  metadata.gz: b1c1bfb51899743df81370e00ea4961eb5af410e90a10c9d1ab544547f8601b55a2e9aede318e590edb9033d4d0d8203904d303fa9fe10533641ea091745b848
-  data.tar.gz: 24257ad9bc718101ce0fe7cbb5c5aaf7df7bdbae56106f7800f6f717291884f31ffe6f65126ac339aa4a62b09d20a493cb17c3d9c77a535bd5bbbc443c542ae1
+  metadata.gz: 41429c9b24ab68bcffc806e9c29c4b615a435237540d47e0f28aee7387259ddec92aa0ba68fd850b2f4902d682fb87a4737ec038668190ff9835f096472315f8
+  data.tar.gz: 99d552f23c11e324a3985fbf391aa115d42883257124f55517a887d20e1d71605a7eff24fbad192c83be8960b64740a4aefc6c4aab8d676230c52263acfe0e6f

checksums.yaml.gz.sig

@@ -1,2 +1,3 @@
-e�	~v(LC�6���86M@z�$b�
��mP�$n�N����v��.$`٪�ɩi(e4�����"|��6΂��,��l5bְ�Ǵ�ϽE�B��\C.p�{>�A�]Z/
���]��q,Y�h���D5#��=���GԆP�ǕM�~����yi�>���z�
-*P��m`��W���?���C�ƒO~�۾!*���wm�7������V�3�+�J��й��H�)��M�O���y�X�8���	5[���b�:�袋
+1��F�M��ů�C�pv(�&�e�����\3����H4�-��}>�����	�;�G~����ϱr�v�J�
ֹ�.��q5�:��=�
+�o˘5�B�9�pGPFt�H	2�DX�d���U�
+�	�ʈ���[O%A�lC-FJJE�GQp��0���n�e%$���9�

data/README.md

@@ -115,7 +115,8 @@ gem and the resource path matching code is a direct port from it.
 ```ruby
 require 'rack/json_web_token_auth'
 
-use Rack::JsonWebTokenAuth.new do
+# Sinatra `use` syntax
+use Rack::JsonWebTokenAuth do
 
   # You can define JWT options for all `secured` resources globally
   # or you can specify a hash like this inside each block. If you want to

data/lib/rack/json_web_token_auth.rb

@@ -3,11 +3,14 @@ require 'contracts'
 require 'hashie'
 require 'jwt_claims'
 
+require 'rack/json_web_token_auth/contracts'
 require 'rack/json_web_token_auth/resources'
 require 'rack/json_web_token_auth/resource'
-require 'custom_contracts'
 
 module Rack
+  # Custom error class
+  class TokenError < StandardError; end
+
   # Rack Middleware for JSON Web Token Authentication
   class JsonWebTokenAuth
     include Contracts::Core
@@ -41,28 +44,28 @@ module Rack
       all_resources << resources
     end
 
-    Contract Hash => C::RackResponse
+    Contract Hash => RackResponse
     def call(env)
       begin
         resource = resource_for_path(env[PATH_INFO_HEADER_KEY])
 
-        if resource.public_resource?
+        if resource && resource.public_resource?
           # whitelisted as `unsecured`. skip all token authentication.
           @app.call(env)
         elsif resource.nil?
           # no matching `secured` or `unsecured` resource.
           # fail-safe with 401 unauthorized
-          raise 'No resource for path defined. Deny by default.'
+          raise TokenError, 'No resource for path defined. Deny by default.'
         else
           # a `secured` resource, validate the token to see if authenticated
 
           # Test that `env` has a well formed Authorization header
-          unless Contract.valid?(env, C::RackRequestHttpAuth)
-            raise 'malformed Authorization header or token'
+          unless Contract.valid?(env, RackRequestHttpAuth)
+            raise TokenError, 'malformed Authorization header or token'
           end
 
           # Extract the token from the 'Authorization: Bearer token' string
-          token = C::BEARER_TOKEN_REGEX.match(env['HTTP_AUTHORIZATION'])[1]
+          token = BEARER_TOKEN_REGEX.match(env['HTTP_AUTHORIZATION'])[1]
 
           # Verify the token and its claims are valid
           jwt_opts = resource.opts[:jwt]
@@ -77,25 +80,32 @@ module Rack
             env[ENV_KEY] = Hashie.stringify_keys(jwt[:ok])
           elsif Contract.valid?(jwt, C::HashOf[error: C::ArrayOf[Symbol]])
             # a list of any registered claims that fail validation, if the JWT MAC is verified
-            raise "invalid JWT claims : #{jwt[:error].sort.join(', ')}"
+            raise TokenError, "invalid JWT claims : #{jwt[:error].sort.join(', ')}"
           elsif Contract.valid?(jwt, C::HashOf[error: 'invalid JWT'])
             # the JWT MAC is not verified
-            raise 'invalid JWT'
+            raise TokenError, 'invalid JWT'
           elsif Contract.valid?(jwt, C::HashOf[error: 'invalid input'])
             # otherwise
-            raise 'invalid JWT input'
+            raise TokenError, 'invalid JWT input'
           else
-            raise 'unhandled JWT error'
+            raise TokenError, 'unhandled JWT error'
           end
 
           @app.call(env)
         end
-      rescue StandardError => e
+      rescue TokenError => e
         body = e.message.nil? ? 'Unauthorized' : "Unauthorized : #{e.message}"
         headers = { 'WWW-Authenticate' => 'Bearer error="invalid_token"',
                     'Content-Type' => 'text/plain',
                     'Content-Length' => body.bytesize.to_s }
         [401, headers, [body]]
+      rescue StandardError => e
+        # puts e.message
+        body = 'Unauthorized'
+        headers = { 'WWW-Authenticate' => 'Bearer error="invalid_token"',
+                    'Content-Type' => 'text/plain',
+                    'Content-Length' => body.bytesize.to_s }
+        [401, headers, [body]]
       end
     end
 

data/lib/rack/json_web_token_auth/contracts.rb

@@ -0,0 +1,95 @@
+module Rack
+  class JsonWebTokenAuth
+    include Contracts::Core
+    C = Contracts
+
+    # Custom Contracts
+    # See : https://egonschiele.github.io/contracts.ruby/
+
+    # The last segment gets dropped for 'none' algorithm since there is no
+    # signature so both of these patterns are valid. All character chunks
+    # are base64url format and periods.
+    #   Bearer abc123.abc123.abc123
+    #   Bearer abc123.abc123.
+    BEARER_TOKEN_REGEX = %r{
+      ^Bearer\s{1}(       # starts with Bearer and a single space
+      [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
+      [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
+      [a-zA-Z0-9\-\_]*    # 0 or more chars, no trailing chars
+      )$
+    }x
+
+    class RackRequestHttpAuth
+      def self.valid?(val)
+        Contract.valid?(val, ({ 'HTTP_AUTHORIZATION' => BEARER_TOKEN_REGEX }))
+      end
+
+      def self.to_s
+        'A Rack request with JWT auth header'
+      end
+    end
+
+    class RackResponse
+      def self.valid?(val)
+        Contract.valid?(val, [C::Int, Hash, C::Any])
+      end
+
+      def self.to_s
+        'A Rack response'
+      end
+    end
+
+    class Key
+      def self.valid?(val)
+        return false if val.is_a?(String) && val.strip.empty?
+        C::Or[String, OpenSSL::PKey::RSA, OpenSSL::PKey::EC].valid?(val)
+      end
+
+      def self.to_s
+        'A JWT secret string or signature key'
+      end
+    end
+
+    class Algorithm
+      def self.valid?(val)
+        C::Enum['none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'].valid?(val)
+      end
+
+      def self.to_s
+        'A valid JWT token signature algorithm, or none'
+      end
+    end
+
+    class DecodedToken
+      def self.valid?(val)
+        C::ArrayOf[Hash].valid?(val) &&
+          C::DecodedTokenClaims.valid?(val[0]) &&
+          C::DecodedTokenHeader.valid?(val[1])
+      end
+
+      def self.to_s
+        'A valid Array of decoded token claims and header Hashes'
+      end
+    end
+
+    class DecodedTokenClaims
+      def self.valid?(val)
+        C::HashOf[C::Or[String, Symbol] => C::Maybe[C::Or[String, C::Num, C::Bool, C::ArrayOf[C::Any], Hash]]].valid?(val)
+      end
+
+      def self.to_s
+        'A valid decoded token payload attribute'
+      end
+    end
+
+    class DecodedTokenHeader
+      def self.valid?(val)
+        C::HashOf[C::Enum['typ', 'alg'] => C::Or['JWT', C::TokenAlgorithm]].valid?(val)
+      end
+
+      def self.to_s
+        'A valid decoded token header attribute'
+      end
+    end
+  end
+end

data/lib/rack/json_web_token_auth/resource.rb

@@ -1,5 +1,3 @@
-require 'custom_contracts'
-
 module Rack
   class JsonWebTokenAuth
     class Resource
@@ -8,7 +6,7 @@ module Rack
 
       attr_accessor :public_resource, :path, :pattern, :opts
 
-      Contract C::Bool, C::ResourcePath, Hash => C::Any
+      Contract C::Bool, String, Hash => C::Any
       def initialize(public_resource, path, opts = {})
         @public_resource = public_resource
         @path = path
@@ -23,13 +21,13 @@ module Rack
         else
           # secured resources must have a :jwt hash with a :key
           unless Contract.valid?(@opts, ({ jwt: { key: nil, alg: 'none' } })) ||
-                 Contract.valid?(@opts, ({ jwt: { key: C::Key } }))
+                 Contract.valid?(@opts, ({ jwt: { key: Key } }))
             raise 'invalid or missing jwt options for secured resource'
           end
         end
       end
 
-      Contract C::ResourcePath => C::Maybe[Fixnum]
+      Contract String => C::Maybe[Fixnum]
       def matches_path?(path)
         pattern =~ path
       end
@@ -41,7 +39,7 @@ module Rack
 
       protected
 
-      Contract C::ResourcePath => Regexp
+      Contract String => Regexp
       def compile(path)
         if path.respond_to? :to_str
           special_chars = %w{. + ( )}

data/lib/rack/json_web_token_auth/resources.rb

@@ -1,4 +1,3 @@
-require 'custom_contracts'
 require 'rack/json_web_token_auth/resource'
 
 module Rack

data/lib/rack/json_web_token_auth/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class JsonWebTokenAuth
-    VERSION = '0.1.0'.freeze
+    VERSION = '0.1.1'.freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-json_web_token_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Glenn Rempe
@@ -196,8 +196,8 @@ extra_rdoc_files: []
 files:
 - LICENSE.txt
 - README.md
-- lib/custom_contracts.rb
 - lib/rack/json_web_token_auth.rb
+- lib/rack/json_web_token_auth/contracts.rb
 - lib/rack/json_web_token_auth/resource.rb
 - lib/rack/json_web_token_auth/resources.rb
 - lib/rack/json_web_token_auth/version.rb

data/lib/custom_contracts.rb

@@ -1,135 +0,0 @@
-module Contracts
-  C = Contracts
-
-  # Custom Contracts
-  # See : https://egonschiele.github.io/contracts.ruby/
-
-  # The last segment gets dropped for 'none' algorithm since there is no
-  # signature so both of these patterns are valid. All character chunks
-  # are base64url format and periods.
-  #   Bearer abc123.abc123.abc123
-  #   Bearer abc123.abc123.
-  BEARER_TOKEN_REGEX = %r{
-    ^Bearer\s{1}(       # starts with Bearer and a single space
-    [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
-    [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
-    [a-zA-Z0-9\-\_]*    # 0 or more chars, no trailing chars
-    )$
-  }x
-
-  class RackRequestHttpAuth
-    def self.valid?(val)
-      Contract.valid?(val, ({ 'HTTP_AUTHORIZATION' => BEARER_TOKEN_REGEX }))
-    end
-
-    def self.to_s
-      'A Rack request with JWT auth header'
-    end
-  end
-
-  class RackResponse
-    def self.valid?(val)
-      Contract.valid?(val, [C::Int, Hash, C::Any])
-    end
-
-    def self.to_s
-      'A Rack response'
-    end
-  end
-
-  class Key
-    def self.valid?(val)
-      return false if val.is_a?(String) && val.strip.empty?
-      C::Or[String, OpenSSL::PKey::RSA, OpenSSL::PKey::EC].valid?(val)
-    end
-
-    def self.to_s
-      'A JWT secret string or signature key'
-    end
-  end
-
-  class Algorithm
-    def self.valid?(val)
-      C::Enum['none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'].valid?(val)
-    end
-
-    def self.to_s
-      'A valid JWT token signature algorithm, or none'
-    end
-  end
-
-  class VerifierOptions
-    def self.valid?(val)
-      C::KeywordArgs[
-        key: C::Optional[C::Key],
-        alg: C::Optional[C::Algorithm],
-        iat: C::Optional[C::Int],
-        nbf: C::Optional[C::Int],
-        exp: C::Optional[C::Int],
-        iss: C::Optional[String],
-        jti: C::Optional[String],
-        aud: C::Optional[C::Or[String, C::ArrayOf[String], Symbol, C::ArrayOf[Symbol]]],
-        sub: C::Optional[String],
-        leeway_seconds: C::Optional[C::Int]
-      ].valid?(val)
-    end
-
-    def self.to_s
-      'A Hash of token verifier options'
-    end
-  end
-
-  # abc123.abc123.abc123    (w/ signature)
-  # abc123.abc123.          ('none')
-  class EncodedToken
-    def self.valid?(val)
-      val =~ /\A([a-zA-Z0-9\-\_]+\.[a-zA-Z0-9\-\_]+\.[a-zA-Z0-9\-\_]*)\z/
-    end
-
-    def self.to_s
-      'A valid encoded token'
-    end
-  end
-
-  class DecodedToken
-    def self.valid?(val)
-      C::ArrayOf[Hash].valid?(val) &&
-        C::DecodedTokenClaims.valid?(val[0]) &&
-        C::DecodedTokenHeader.valid?(val[1])
-    end
-
-    def self.to_s
-      'A valid Array of decoded token claims and header Hashes'
-    end
-  end
-
-  class DecodedTokenClaims
-    def self.valid?(val)
-      C::HashOf[C::Or[String, Symbol] => C::Maybe[C::Or[String, C::Num, C::Bool, C::ArrayOf[C::Any], Hash]]].valid?(val)
-    end
-
-    def self.to_s
-      'A valid decoded token payload attribute'
-    end
-  end
-
-  class DecodedTokenHeader
-    def self.valid?(val)
-      C::HashOf[C::Enum['typ', 'alg'] => C::Or['JWT', C::TokenAlgorithm]].valid?(val)
-    end
-
-    def self.to_s
-      'A valid decoded token header attribute'
-    end
-  end
-
-  class ResourcePath
-    def self.valid?(val)
-      C::Or[String, Regexp]
-    end
-
-    def self.to_s
-      'A valid resource path string or regex'
-    end
-  end
-end