rack-jwt-auth 1.1.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6aa0be491cb28e8fd5bb3d60392ee8321f547d24
-  data.tar.gz: 6326d7334e6419b94c26d3a8982ed0029395b73b
+  metadata.gz: 5ee21c6c6d0ef268e67ba2506cde5efbacf6d03b
+  data.tar.gz: c76f6563a3a8e902496c5f755229ce66c258a25d
 SHA512:
-  metadata.gz: a0ba6157ff1649cc3d652b48f5556b870e719d22894fb2a34e6c18d75fd056d6ac290ab0c4769c2501a7b6b5213811d33ab131eeaece467b73a9041e29ca2718
-  data.tar.gz: 6337f181f9fe2d58b3b23a0aacc8ad5db3747a03b0aabea2dbb05a923b2f92befb386f4bb182468ad58df373327617daa052ac1a89d0fadf22f8fe6ba4bc31c9
+  metadata.gz: 4c5b06936e30e0a9a766d140abe1b2a493f0b527e90c5b2011c9997981e7a3b57b0ff7ac5f8329acc2e73960c013c93809b3f8328ea1e14a269c2b91eac9c05c
+  data.tar.gz: 4fd9a4cc92905e6060f9d73cca50acf5979eeda77ede053acf43e78bbece7d80e1cc1cdf9051a4a3f1dd6f914b461d95cfaa7653d00efb3a4dece63b04b24351

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+# Change Log
+
+## [2.0.0]
+### Changed
+- compatibility with JWT library version 2.0. This library covers an important security vulnerability, 
+see here: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries. The middleware now requires 
+algorithm parameter to be used when decoding incoming tokens. See spec/authenticate_options_spec.rb for examples. 

data/lib/rack/jwt/auth/auth_token.rb

@@ -6,7 +6,7 @@ module Rack
 
         # Note: this method is only used by specs
         def self.issue_token(payload, secret)
-          JWT.encode(payload, secret)
+          JWT.encode(payload, secret, 'HS256')
         end
 
         def self.valid?(token, secret, opts = {})

data/lib/rack/jwt/auth/authenticate.rb

@@ -23,6 +23,10 @@ module Rack
 
           raise 'Secret must be provided' if opts[:secret].nil?
 
+          # @see https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
+          # @see https://github.com/jwt/ruby-jwt/pull/184
+          raise 'Algorithm must be provided for security reason' if opts[:algorithm].nil?
+
           @secret = opts[:secret]
 
           @authenticated_routes   = compile_paths(opts[:only])

data/lib/rack/jwt/auth/version.rb

@@ -1,7 +1,7 @@
 module Rack
   module Jwt
     module Auth
-      VERSION = "1.1.1"
+      VERSION = "2.0.0"
     end
   end
 end

data/rack-jwt-auth.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "jwt", ">= 1.5.2"
+  spec.add_dependency "jwt", "~> 2.0"
 
   spec.add_development_dependency "bundler",   "~> 1.3"
   spec.add_development_dependency "rake",      "~> 10.3"

data/spec/auth_token_spec.rb

@@ -19,7 +19,7 @@ describe Rack::Jwt::Auth::AuthToken do
 
     it 'checks if the provided token is valid' do
       token   = subject.issue_token(data, secret)
-      payload = subject.valid?(token, secret)
+      payload = subject.valid?(token, secret, { algorithm: 'HS256'})
 
       meta, data = payload
 

data/spec/authenticate_options_spec.rb

@@ -3,30 +3,36 @@ require 'spec_helper'
 describe Rack::Jwt::Auth::Authenticate do
   include Rack::Test::Methods
 
-  let(:issuer) { Rack::Jwt::Auth::AuthToken }
+  let(:issuer) {Rack::Jwt::Auth::AuthToken}
 
   context "Except routes" do
 
     let(:app) do
-      main_app = lambda { |env| [200, env, ['Hello']] }
-      Rack::Jwt::Auth::Authenticate.new(main_app, {except: ['/not_authenticated', '/not_authenticated/*'], secret: 'supertestsecret'})
+      main_app = lambda {|env| [200, env, ['Hello']]}
+      Rack::Jwt::Auth::Authenticate.new(
+        main_app,
+        {
+          except: ['/not_authenticated', '/not_authenticated/*'],
+          secret: 'supertestsecret',
+          algorithm: 'HS256'
+        })
     end
 
     it 'returns 200 ok if the request is for a route that is not authenticated' do
       get('/not_authenticated')
 
       expect(last_response.status).to eql(200)
-      expect(last_response.body).to   eql('Hello')
+      expect(last_response.body).to eql('Hello')
 
       get('/not_authenticated/other')
 
       expect(last_response.status).to eql(200)
-      expect(last_response.body).to   eql('Hello')
+      expect(last_response.body).to eql('Hello')
 
       get('/not_authenticated/other/test')
 
       expect(last_response.status).to eql(200)
-      expect(last_response.body).to   eql('Hello')
+      expect(last_response.body).to eql('Hello')
     end
 
     it 'returns 401 ok if the request is for a route that is authenticated' do
@@ -45,25 +51,27 @@ describe Rack::Jwt::Auth::Authenticate do
   context "Only routes" do
 
     let(:app) do
-      main_app = lambda { |env| [200, env, ['Hello']] }
-      Rack::Jwt::Auth::Authenticate.new(main_app, {only: ['/authenticated', '/authenticated/*'], secret: 'supertestsecret'})
+      main_app = lambda {|env| [200, env, ['Hello']]}
+      Rack::Jwt::Auth::Authenticate.new(main_app, {
+        only: ['/authenticated', '/authenticated/*'], secret: 'supertestsecret', algorithm: 'HS256'
+      })
     end
 
     it 'returns 200 ok if the request is for a route that is not authenticated' do
       get('/not_authenticated')
 
       expect(last_response.status).to eql(200)
-      expect(last_response.body).to   eql('Hello')
+      expect(last_response.body).to eql('Hello')
 
       get('/not_authenticated/other')
 
       expect(last_response.status).to eql(200)
-      expect(last_response.body).to   eql('Hello')
+      expect(last_response.body).to eql('Hello')
 
       get('/not_authenticated/other/test')
 
       expect(last_response.status).to eql(200)
-      expect(last_response.body).to   eql('Hello')
+      expect(last_response.body).to eql('Hello')
     end
 
     it 'returns 401 ok if the request is for a route that is authenticated' do
@@ -82,25 +90,26 @@ describe Rack::Jwt::Auth::Authenticate do
   context "Only with except routes" do
 
     let(:app) do
-      main_app = lambda { |env| [200, env, ['Hello']] }
-      Rack::Jwt::Auth::Authenticate.new(main_app, {only: ['/authenticated', '/authenticated/*'], secret: 'supertestsecret'})
+      main_app = lambda {|env| [200, env, ['Hello']]}
+      Rack::Jwt::Auth::Authenticate.new(main_app, {only: ['/authenticated', '/authenticated/*'], secret: 'supertestsecret',
+                                                   algorithm: 'HS256'})
     end
 
     it 'returns 200 ok if the request is for a route that is not authenticated' do
       get('/not_authenticated')
 
       expect(last_response.status).to eql(200)
-      expect(last_response.body).to   eql('Hello')
+      expect(last_response.body).to eql('Hello')
 
       get('/not_authenticated/other')
 
       expect(last_response.status).to eql(200)
-      expect(last_response.body).to   eql('Hello')
+      expect(last_response.body).to eql('Hello')
 
       get('/not_authenticated/other/test')
 
       expect(last_response.status).to eql(200)
-      expect(last_response.body).to   eql('Hello')
+      expect(last_response.body).to eql('Hello')
     end
 
     it 'returns 401 ok if the request is for a route that is authenticated' do
@@ -117,10 +126,10 @@ describe Rack::Jwt::Auth::Authenticate do
   end
 
   context "with options for decode" do
-    let(:secret) { 'supertestsecret' }
+    let(:secret) {'supertestsecret'}
     let(:app) do
-      main_app = lambda { |env| [200, env, ['Hello']] }
-      described_class.new(main_app, { secret: secret, algorithm: 'RS256' })
+      main_app = lambda {|env| [200, env, ['Hello']]}
+      described_class.new(main_app, {secret: secret, algorithm: 'RS256'})
     end
 
     it 'calls AuthToken.valid? with decode options' do
@@ -129,7 +138,7 @@ describe Rack::Jwt::Auth::Authenticate do
       get('/', {}, {'HTTP_AUTHORIZATION' => "Bearer #{token}"})
 
       expect(Rack::Jwt::Auth::AuthToken).to have_received(:valid?)
-          .with(token, secret, { algorithm: 'RS256' })
+                                              .with(token, secret, {algorithm: 'RS256'})
     end
   end
 

data/spec/authenticate_spec.rb

@@ -7,7 +7,7 @@ describe Rack::Jwt::Auth::Authenticate do
 
   let(:app) do
     main_app = lambda { |env| [200, env, ['Hello']] }
-    Rack::Jwt::Auth::Authenticate.new(main_app, {secret: 'supertestsecret'})
+    Rack::Jwt::Auth::Authenticate.new(main_app, {secret: 'supertestsecret', algorithm: 'HS256'})
   end
 
   it 'raises an exception if no secret if provided' do

metadata

@@ -1,83 +1,83 @@
 --- !ruby/object:Gem::Specification
 name: rack-jwt-auth
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 2.0.0
 platform: ruby
 authors:
 - João Almeida
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-01-26 00:00:00.000000000 Z
+date: 2017-09-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.5.2
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.5.2
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '10.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '10.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '3.1'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.6'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '0.6'
 description: Rack jwt auth middleware
@@ -87,7 +87,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
+- ".gitignore"
+- CHANGELOG.md
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -111,17 +112,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: Rack jwt auth middleware