rack-json_web_token_auth 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 34e37b26161d949ec37dfa1699ac3c73bd16a6a6
-  data.tar.gz: 9fc1af9868b25087073f995f0dd497bbc936fd5e
+  metadata.gz: 7ae3fd49effa85dae53d4098b01beabf1245a418
+  data.tar.gz: cf8334ffaef3a34d486e32de2716ceadec47c010
 SHA512:
-  metadata.gz: 41429c9b24ab68bcffc806e9c29c4b615a435237540d47e0f28aee7387259ddec92aa0ba68fd850b2f4902d682fb87a4737ec038668190ff9835f096472315f8
-  data.tar.gz: 99d552f23c11e324a3985fbf391aa115d42883257124f55517a887d20e1d71605a7eff24fbad192c83be8960b64740a4aefc6c4aab8d676230c52263acfe0e6f
+  metadata.gz: f6a071a87d21bc42583a465759c8568242a8af10f45eb1bd77c0a75e4e9f11c5570349a2a5bc4376d3dd8c807a3d38bcf4506df67a66ea69cdd15493cb797029
+  data.tar.gz: a8c0137beaa370ec6fe38969ef1a5919a13a87be8adec836ca6e3a613342c797e2140e6cd0f059339f9b72e89cc46219986169ace4866a61d04364294760feaf

data/README.md

@@ -1,5 +1,8 @@
 # Rack::JsonWebTokenAuth
 
+[![Build Status](https://travis-ci.org/grempe/rack-json_web_token_auth.svg?branch=master)](https://travis-ci.org/grempe/rack-json_web_token_auth)
+[![Code Climate](https://codeclimate.com/github/grempe/rack-json_web_token_auth/badges/gpa.svg)](https://codeclimate.com/github/grempe/rack-json_web_token_auth)
+
 ## WARNING
 
 This is pre-release software. It is pretty well tested but has not yet
@@ -104,18 +107,25 @@ incoming tokens. The available claims are processed by the [garyf/jwt_claims](ht
 claims can be found in the README for that project. At a minimum a `:key` must
 be provided except if the `none` algorithm is being used (probably not recommended).
 
+For `secured` resources you can optionally also pass in a `:methods` option,
+which specifies an array of HTTP methods that are allowed for the specified `resource`.
+One or more of `[:any, :get, :head, :post, :put, :patch, :delete, :options]`
+can be provided. If the `:any` option is desired it must be the only option provided.
+
 Configuration directives are processed in the order that you provide and requests
-match against the first path match.  For this reason you should probably put your
+match against the **first path match**.  For this reason you should probably put your
 `unsecured` resources first and order all resources from most specific to least
-specific.
+specific. If multiple resources with the same path are configured, but with different
+options, only the first resource matched will be used to test the request, all
+others will be ignored.
 
 The DSL was heavily inspired by the [rack-cors](https://github.com/cyu/rack-cors)
-gem and the resource path matching code is a direct port from it.
+gem.
 
 ```ruby
 require 'rack/json_web_token_auth'
 
-# Sinatra `use` syntax
+# Sinatra style Rack middleware `use` syntax
 use Rack::JsonWebTokenAuth do
 
   # You can define JWT options for all `secured` resources globally
@@ -170,6 +180,35 @@ use Rack::JsonWebTokenAuth do
     resource '/another/path', jwt: {key: 'a long random key', alg: 'HS512'}
   end
 
+  # You can get very granular by specifying that a resource can only be accessed
+  # when requested with certain HTTP methods. The default for any resource is
+  # to allow HTTP `GET` requests only. You need to pass in a :methods array if
+  # you want to expose additional methods.
+  #
+  # The available choices are:
+  #   [:any, :get, :head, :post, :put, :patch, :delete, :options]
+  #
+  # If you try to specify :methods on an `unsecured` resource it will throw
+  # an exception.
+  secured do
+    # GET only
+    resource '/http_get_only', jwt: jwt_opts, methods: [:get]
+
+    # GET or POST
+    resource '/http_post_or_get', jwt: jwt_opts, methods: [:get, :post]
+
+    # ANY HTTP method allowed
+    resource '/http_any', jwt: jwt_opts, methods: [:any]
+
+    # ANY HTTP method allowed (alternate)
+    # This is the same as [:any]
+    resource '/http_any_manual', jwt: jwt_opts, methods: [:get, :head, :post, :put, :patch, :delete, :options]
+
+    # IGNORED! This resource path was already defined above!
+    # Even though it has different methods allowed it will be ignored.
+    resource '/http_post_or_get', jwt: jwt_opts, methods: [:post]
+  end
+
   # You can have more than one `unsecured` or `secured` block if you like.
   unsecured do
     # WARNING : this resource will never be used since it is masked

data/lib/rack/json_web_token_auth.rb

@@ -3,30 +3,28 @@ require 'contracts'
 require 'hashie'
 require 'jwt_claims'
 
+require 'rack/json_web_token_auth/exceptions'
 require 'rack/json_web_token_auth/contracts'
 require 'rack/json_web_token_auth/resources'
 require 'rack/json_web_token_auth/resource'
 
 module Rack
-  # Custom error class
-  class TokenError < StandardError; end
-
   # Rack Middleware for JSON Web Token Authentication
   class JsonWebTokenAuth
     include Contracts::Core
-    C = Contracts
+    include Contracts::Builtin
 
     ENV_KEY = 'jwt.claims'.freeze
     PATH_INFO_HEADER_KEY = 'PATH_INFO'.freeze
 
-    Contract C::Any, Proc => C::Any
+    Contract Any, Proc => Any
     def initialize(app, &block)
       @app = app
       # execute the block methods provided in the context of this class
       instance_eval(&block)
     end
 
-    Contract Proc => C::ArrayOf[Resources]
+    Contract Proc => ArrayOf[Resources]
     def secured(&block)
       resources = Resources.new(public_resource: false)
       # execute the methods in the 'secured' block in the context of
@@ -35,7 +33,7 @@ module Rack
       all_resources << resources
     end
 
-    Contract Proc => C::ArrayOf[Resources]
+    Contract Proc => ArrayOf[Resources]
     def unsecured(&block)
       resources = Resources.new(public_resource: true)
       # execute the methods in the 'unsecured' block in the context of
@@ -46,82 +44,88 @@ module Rack
 
     Contract Hash => RackResponse
     def call(env)
-      begin
-        resource = resource_for_path(env[PATH_INFO_HEADER_KEY])
-
-        if resource && resource.public_resource?
-          # whitelisted as `unsecured`. skip all token authentication.
-          @app.call(env)
-        elsif resource.nil?
-          # no matching `secured` or `unsecured` resource.
-          # fail-safe with 401 unauthorized
-          raise TokenError, 'No resource for path defined. Deny by default.'
-        else
-          # a `secured` resource, validate the token to see if authenticated
-
-          # Test that `env` has a well formed Authorization header
-          unless Contract.valid?(env, RackRequestHttpAuth)
-            raise TokenError, 'malformed Authorization header or token'
-          end
-
-          # Extract the token from the 'Authorization: Bearer token' string
-          token = BEARER_TOKEN_REGEX.match(env['HTTP_AUTHORIZATION'])[1]
-
-          # Verify the token and its claims are valid
-          jwt_opts = resource.opts[:jwt]
-          jwt = ::JwtClaims.verify(token, jwt_opts)
-
-          # JwtClaims.verify returns a JWT claims set hash, if the
-          # JWT Message Authentication Code (MAC), or signature,
-          # are verified and the registered claims are also verified.
-          if Contract.valid?(jwt, C::HashOf[ok: C::HashOf[Symbol => C::Any]])
-            # Authenticated! Pass all claims into the app env for app use
-            # with the hash keys converted to strings to match Rack env.
-            env[ENV_KEY] = Hashie.stringify_keys(jwt[:ok])
-          elsif Contract.valid?(jwt, C::HashOf[error: C::ArrayOf[Symbol]])
-            # a list of any registered claims that fail validation, if the JWT MAC is verified
-            raise TokenError, "invalid JWT claims : #{jwt[:error].sort.join(', ')}"
-          elsif Contract.valid?(jwt, C::HashOf[error: 'invalid JWT'])
-            # the JWT MAC is not verified
-            raise TokenError, 'invalid JWT'
-          elsif Contract.valid?(jwt, C::HashOf[error: 'invalid input'])
-            # otherwise
-            raise TokenError, 'invalid JWT input'
-          else
-            raise TokenError, 'unhandled JWT error'
-          end
-
-          @app.call(env)
+      resource = resource_for_path(env[PATH_INFO_HEADER_KEY])
+
+      # no matching `secured` or `unsecured` resource.
+      # fail-safe with 401 unauthorized
+      if resource.nil?
+        raise TokenError, 'No resource for path defined. Deny by default.'
+      end
+
+      if resource.public_resource?
+        # whitelisted as `unsecured`. skip all token authentication.
+        @app.call(env)
+      else
+        # HTTP method not permitted
+        if resource.invalid_http_method?(env['REQUEST_METHOD'])
+          raise HttpMethodError, 'HTTP request method denied'
         end
-      rescue TokenError => e
-        body = e.message.nil? ? 'Unauthorized' : "Unauthorized : #{e.message}"
-        headers = { 'WWW-Authenticate' => 'Bearer error="invalid_token"',
-                    'Content-Type' => 'text/plain',
-                    'Content-Length' => body.bytesize.to_s }
-        [401, headers, [body]]
-      rescue StandardError => e
-        # puts e.message
-        body = 'Unauthorized'
-        headers = { 'WWW-Authenticate' => 'Bearer error="invalid_token"',
-                    'Content-Type' => 'text/plain',
-                    'Content-Length' => body.bytesize.to_s }
-        [401, headers, [body]]
+
+        # Test that `env` has a well formed Authorization header
+        unless Contract.valid?(env, RackRequestHttpAuth)
+          raise TokenError, 'malformed Authorization header or token'
+        end
+
+        # Extract the token from the 'Authorization: Bearer token' string
+        token = BEARER_TOKEN_REGEX.match(env['HTTP_AUTHORIZATION'])[1]
+
+        # Verify the token and its claims are valid
+        jwt_opts = resource.opts[:jwt]
+        jwt = ::JwtClaims.verify(token, jwt_opts)
+        handle_token(env, jwt)
+
+        @app.call(env)
       end
+    rescue TokenError => e
+      return_401(e.message)
+    rescue StandardError
+      return_401
     end
 
-    Contract C::None => C::Or[C::ArrayOf[Resources], []]
+    Contract None => Or[ArrayOf[Resources], []]
     def all_resources
       @all_resources ||= []
     end
 
-    Contract String => C::Maybe[Resource]
+    Contract String => Maybe[Resource]
     def resource_for_path(path_info)
       all_resources.each do |r|
-        if found = r.resource_for_path(path_info)
-          return found
-        end
+        found = r.resource_for_path(path_info)
+        return found unless found.nil?
       end
       nil
     end
+
+    Contract String => RackResponse
+    def return_401(msg = nil)
+      body = msg.nil? ? 'Unauthorized' : "Unauthorized : #{msg}"
+      headers = { 'WWW-Authenticate' => 'Bearer error="invalid_token"',
+                  'Content-Type' => 'text/plain',
+                  'Content-Length' => body.bytesize.to_s }
+      [401, headers, [body]]
+    end
+
+    # JwtClaims.verify returns a JWT claims set hash, if the
+    # JWT Message Authentication Code (MAC), or signature,
+    # are verified and the registered claims are also verified.
+    Contract Hash, Hash => Hash
+    def handle_token(env, jwt)
+      if Contract.valid?(jwt, HashOf[ok: HashOf[Symbol => Any]])
+        # Authenticated! Pass all claims into the app env for app use
+        # with the hash keys converted to strings to match Rack env.
+        env[ENV_KEY] = Hashie.stringify_keys(jwt[:ok])
+      elsif Contract.valid?(jwt, HashOf[error: ArrayOf[Symbol]])
+        # a list of any registered claims that fail validation, if the JWT MAC is verified
+        raise TokenError, "invalid JWT claims : #{jwt[:error].sort.join(', ')}"
+      elsif Contract.valid?(jwt, HashOf[error: 'invalid JWT'])
+        # the JWT MAC is not verified
+        raise TokenError, 'invalid JWT'
+      elsif Contract.valid?(jwt, HashOf[error: 'invalid input'])
+        # otherwise
+        raise TokenError, 'invalid JWT input'
+      else
+        raise TokenError, 'unhandled JWT error'
+      end
+    end
   end
 end

data/lib/rack/json_web_token_auth/contracts.rb

@@ -1,8 +1,5 @@
 module Rack
   class JsonWebTokenAuth
-    include Contracts::Core
-    C = Contracts
-
     # Custom Contracts
     # See : https://egonschiele.github.io/contracts.ruby/
 
@@ -19,76 +16,55 @@ module Rack
       )$
     }x
 
-    class RackRequestHttpAuth
-      def self.valid?(val)
-        Contract.valid?(val, ({ 'HTTP_AUTHORIZATION' => BEARER_TOKEN_REGEX }))
-      end
-
-      def self.to_s
-        'A Rack request with JWT auth header'
-      end
-    end
-
-    class RackResponse
+    # These are Symbols and include the special :any value
+    class ResourceHttpMethods
       def self.valid?(val)
-        Contract.valid?(val, [C::Int, Hash, C::Any])
+        Contract.valid?(val, Contracts::ArrayOf[Contracts::Enum[:any, :get, :head, :post, :put, :patch, :delete, :options]])
       end
 
       def self.to_s
-        'A Rack response'
+        'An array of allowed HTTP methods for initializing a Resource'
       end
     end
 
-    class Key
+    class HttpMethods
       def self.valid?(val)
-        return false if val.is_a?(String) && val.strip.empty?
-        C::Or[String, OpenSSL::PKey::RSA, OpenSSL::PKey::EC].valid?(val)
+        Contract.valid?(val, Contracts::Enum['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'])
       end
 
       def self.to_s
-        'A JWT secret string or signature key'
+        'An array of allowed HTTP methods'
       end
     end
 
-    class Algorithm
-      def self.valid?(val)
-        C::Enum['none', 'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'].valid?(val)
-      end
-
-      def self.to_s
-        'A valid JWT token signature algorithm, or none'
-      end
-    end
-
-    class DecodedToken
+    class RackRequestHttpAuth
       def self.valid?(val)
-        C::ArrayOf[Hash].valid?(val) &&
-          C::DecodedTokenClaims.valid?(val[0]) &&
-          C::DecodedTokenHeader.valid?(val[1])
+        Contract.valid?(val, ({ 'HTTP_AUTHORIZATION' => BEARER_TOKEN_REGEX }))
       end
 
       def self.to_s
-        'A valid Array of decoded token claims and header Hashes'
+        'A Rack request with JWT auth header'
       end
     end
 
-    class DecodedTokenClaims
+    class RackResponse
       def self.valid?(val)
-        C::HashOf[C::Or[String, Symbol] => C::Maybe[C::Or[String, C::Num, C::Bool, C::ArrayOf[C::Any], Hash]]].valid?(val)
+        Contract.valid?(val, [Contracts::Int, Hash, Contracts::Any])
       end
 
       def self.to_s
-        'A valid decoded token payload attribute'
+        'A Rack response'
       end
     end
 
-    class DecodedTokenHeader
+    class Key
       def self.valid?(val)
-        C::HashOf[C::Enum['typ', 'alg'] => C::Or['JWT', C::TokenAlgorithm]].valid?(val)
+        return false if val.is_a?(String) && val.strip.empty?
+        Contracts::Or[String, OpenSSL::PKey::RSA, OpenSSL::PKey::EC].valid?(val)
       end
 
       def self.to_s
-        'A valid decoded token header attribute'
+        'A JWT secret string or signature key'
       end
     end
   end

data/lib/rack/json_web_token_auth/exceptions.rb

@@ -0,0 +1,6 @@
+module Rack
+  class JsonWebTokenAuth
+    class TokenError < StandardError; end
+    class HttpMethodError < StandardError; end
+  end
+end

data/lib/rack/json_web_token_auth/resource.rb

@@ -2,11 +2,11 @@ module Rack
   class JsonWebTokenAuth
     class Resource
       include Contracts::Core
-      C = Contracts
+      include Contracts::Builtin
 
-      attr_accessor :public_resource, :path, :pattern, :opts
+      attr_reader :public_resource, :path, :pattern, :methods, :opts
 
-      Contract C::Bool, String, Hash => C::Any
+      Contract Bool, String, ({ jwt: Maybe[Hash], methods: Maybe[ResourceHttpMethods] }) => Any
       def initialize(public_resource, path, opts = {})
         @public_resource = public_resource
         @path = path
@@ -14,9 +14,14 @@ module Rack
         @opts = opts
 
         if public_resource
-          # unsecured resources should not have any jwt options defined
+          # unsecured resources should not have a :jwt option defined
           if @opts.key?(:jwt)
-            raise 'unexpected jwt options provided for unsecured resource'
+            raise 'unexpected :jwt option provided for unsecured resource'
+          end
+
+          # unsecured resources should not have a :methods option defined
+          if @opts.key?(:methods)
+            raise 'unexpected :methods option provided for unsecured resource'
           end
         else
           # secured resources must have a :jwt hash with a :key
@@ -24,42 +29,55 @@ module Rack
                  Contract.valid?(@opts, ({ jwt: { key: Key } }))
             raise 'invalid or missing jwt options for secured resource'
           end
+
+          # Don't allow providing other HTTP methods with :any
+          if opts[:methods] && opts[:methods].include?(:any) && opts[:methods].size > 1
+            raise 'unexpected additional methods provided with :any'
+          end
+
+          @methods = if opts[:methods].nil?
+                       [:get]
+                     elsif opts[:methods] == [:any]
+                       [:get, :head, :post, :put, :patch, :delete, :options]
+                     else
+                       opts[:methods]
+                     end.map { |e| e.to_s }
         end
       end
 
-      Contract String => C::Maybe[Fixnum]
+      Contract String => Maybe[Integer]
       def matches_path?(path)
         pattern =~ path
       end
 
-      Contract C::None => C::Bool
+      Contract None => Bool
       def public_resource?
         public_resource
       end
 
+      Contract HttpMethods => Bool
+      def invalid_http_method?(request_method)
+        request_method.nil? || !methods.include?(request_method.downcase)
+      end
+
       protected
 
       Contract String => Regexp
       def compile(path)
-        if path.respond_to? :to_str
-          special_chars = %w{. + ( )}
-          pattern =
-            path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
-              case match
-              when "*"
-                "(.*?)"
-              when *special_chars
-                Regexp.escape(match)
-              else
-                "([^/?&#]+)"
-              end
-            end
-          /^#{pattern}$/
-        elsif path.respond_to? :match
-          path
-        else
-          raise TypeError, path
+        special_chars = %w{. + ( )}
+
+        pattern = path.gsub(/([\*#{special_chars.join}])/) do |match|
+          case match
+          when '*'
+            '(.*?)'
+          when *special_chars
+            Regexp.escape(match)
+          else
+            '([^/?&#]+)'
+          end
         end
+
+        /^#{pattern}$/
       end
     end
   end

data/lib/rack/json_web_token_auth/resources.rb

@@ -4,25 +4,25 @@ module Rack
   class JsonWebTokenAuth
     class Resources
       include Contracts::Core
-      C = Contracts
+      include Contracts::Builtin
 
-      Contract C::KeywordArgs[public_resource: C::Bool] => C::Any
+      Contract KeywordArgs[public_resource: Bool] => Any
       def initialize(public_resource: false)
         @resources = []
         @public_resource = public_resource
       end
 
-      Contract C::None => C::Bool
+      Contract None => Bool
       def public_resource?
         @public_resource
       end
 
-      Contract String, C::Maybe[Hash] => C::ArrayOf[Resource]
+      Contract String, Maybe[Hash] => ArrayOf[Resource]
       def resource(path, opts = {})
         @resources << Resource.new(public_resource?, path, opts)
       end
 
-      Contract String => C::Maybe[Resource]
+      Contract String => Maybe[Resource]
       def resource_for_path(path)
         # return first match
         @resources.detect { |r| r.matches_path?(path) }

data/lib/rack/json_web_token_auth/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class JsonWebTokenAuth
-    VERSION = '0.1.1'.freeze
+    VERSION = '0.2.0'.freeze
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-json_web_token_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Glenn Rempe
@@ -30,7 +30,7 @@ cert_chain:
   vprF5QiDz8HshVP9DjJT2I1wyGyvxEdU3cTRo0upMP/VZLcgyBVFy90N2XYWWk2D
   GIxGSw==
   -----END CERTIFICATE-----
-date: 2016-10-14 00:00:00.000000000 Z
+date: 2016-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: contracts
@@ -198,6 +198,7 @@ files:
 - README.md
 - lib/rack/json_web_token_auth.rb
 - lib/rack/json_web_token_auth/contracts.rb
+- lib/rack/json_web_token_auth/exceptions.rb
 - lib/rack/json_web_token_auth/resource.rb
 - lib/rack/json_web_token_auth/resources.rb
 - lib/rack/json_web_token_auth/version.rb