rack-jwt-verifier 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e35869423f2fe2b5072d382a8c3404d899f4d1eb67ca2ac8026b341d6f055b52
+  data.tar.gz: 2367980ac3f213c2340ffd7af9158a16262c69d73e09a75762c593017ac3df2e
+SHA512:
+  metadata.gz: b2c4f85b03428e8ff39073083dda5090101dfbbd2e1c8dec51a0c89e08ca6efffea64802042ddbee7f29f6ff5372f12b6c1ec1417498fd08890aedb7e876fbc7
+  data.tar.gz: 4a5d3e3e6f4e4039ed0622644dda9e2db72f83d57a645f38e9eee2893fa68cfbac6f6656a82390399ee7c68570e790e5757b4c56a1bef85643230303a5b39c8e

data/.rspec_status

@@ -0,0 +1,26 @@
+example_id                                           | status | run_time        |
+---------------------------------------------------- | ------ | --------------- |
+./spec/rack_jwt_verifier/jwt_helper_spec.rb[1:1:1]   | passed | 0.06296 seconds |
+./spec/rack_jwt_verifier/jwt_helper_spec.rb[1:2:1]   | passed | 0.05566 seconds |
+./spec/rack_jwt_verifier/jwt_helper_spec.rb[1:2:2]   | passed | 0.03186 seconds |
+./spec/rack_jwt_verifier/jwt_helper_spec.rb[1:3:1:1] | passed | 0.04063 seconds |
+./spec/rack_jwt_verifier/jwt_helper_spec.rb[1:3:2:1] | passed | 0.06923 seconds |
+./spec/rack_jwt_verifier/jwt_helper_spec.rb[1:3:3:1] | passed | 0.03564 seconds |
+./spec/rack_jwt_verifier/middleware_spec.rb[1:1:1]   | passed | 0.02249 seconds |
+./spec/rack_jwt_verifier/middleware_spec.rb[1:2:1:1] | passed | 0.05022 seconds |
+./spec/rack_jwt_verifier/middleware_spec.rb[1:2:1:2] | passed | 0.02597 seconds |
+./spec/rack_jwt_verifier/middleware_spec.rb[1:2:2:1] | passed | 0.02197 seconds |
+./spec/rack_jwt_verifier/middleware_spec.rb[1:2:3:1] | passed | 0.03074 seconds |
+./spec/rack_jwt_verifier/middleware_spec.rb[1:2:4:1] | passed | 0.02496 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:1:1]     | passed | 0.01668 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:1:2]     | passed | 0.00633 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:1:3]     | passed | 0.05474 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:1:4]     | passed | 0.04057 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:2:1]     | passed | 0.03279 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:2:2]     | passed | 0.04898 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:2:3:1]   | passed | 0.03709 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:2:3:2]   | passed | 0.01822 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:3:1]     | passed | 0.01993 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:3:2]     | passed | 0.01473 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:3:3]     | passed | 0.03322 seconds |
+./spec/rack_jwt_verifier/verifier_spec.rb[1:3:4]     | passed | 0.01368 seconds |

data/Gemfile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in rack_jwt_verifier.gemspec
+gemspec
+
+# Dependencies for development and testing
+group :development, :test do
+  gem "rack"
+  gem "rspec", "~> 3.12"
+  gem "rack-test"
+  gem "webmock", "~> 3.14" # Added for mocking network requests in Verifier
+end

data/Gemfile.lock

@@ -0,0 +1,63 @@
+PATH
+  remote: .
+  specs:
+    rack-jwt-verifier (0.1.0)
+      jwt (~> 2.8)
+      rack (>= 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    base64 (0.2.0)
+    bigdecimal (3.1.8)
+    crack (1.0.0)
+      bigdecimal
+      rexml
+    diff-lcs (1.6.2)
+    hashdiff (1.1.0)
+    jwt (2.8.2)
+      base64
+    public_suffix (5.1.1)
+    rack (3.2.3)
+    rack-test (2.2.0)
+      rack (>= 1.3)
+    rake (13.2.1)
+    rexml (3.3.2)
+      strscan
+    rspec (3.13.1)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.5)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.6)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.6)
+    strscan (3.1.0)
+    timecop (0.9.10)
+    webmock (3.23.1)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  bundler (~> 2.0)
+  rack
+  rack-jwt-verifier!
+  rack-test
+  rake (~> 13.0)
+  rspec (~> 3.12)
+  timecop (~> 0.9)
+  webmock (~> 3.14)
+
+BUNDLED WITH
+   2.4.22

data/LICENSE.md

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Daniele Frisanco
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,136 @@
+RackJwtVerifier
+===============
+
+A robust and production-ready Rack middleware for authenticating requests using JSON Web Tokens (JWT) signed by an external Single Sign-On (SSO) provider.
+
+This gem handles the cryptographic verification, caching of public keys, and integration into any Rack application (including Ruby on Rails).
+
+Features
+--------
+
+*   **Cryptographic Verification:** Verifies the JWT signature using the `RS256` algorithm and public keys fetched from a remote URL.
+    
+*   **Flexible Caching:** Uses a configurable cache store for public keys, defaulting to in-memory caching but easily upgradable to **Redis** or **Memcached** for multi-process environments.
+    
+*   **Claim Validation:** Enforces standard JWT claims, including expiration (`exp`) and not-before (`nbf`).
+    
+*   **Rack Middleware:** Protects application routes by halting unauthorized requests with a `401 Unauthorized` response.
+    
+
+Installation
+------------
+
+Add this line to your application's `Gemfile`:
+
+```ruby
+gem 'rack_jwt_verifier'
+```
+
+And then execute:
+
+```bash
+$ bundle install
+```
+
+Usage and Integration
+---------------------
+
+### 1\. Basic Setup (In-Memory Caching)
+
+The simplest way to integrate is by providing the URL where your SSO provider exposes its public key (usually a PEM-encoded RSA key). The public key will be cached in memory for **5 minutes** per worker process.
+
+**In `config/application.rb` (for Rails) or `config.ru` (for generic Rack):**
+
+```ruby
+# Requires `rack_jwt_verifier` implicitly in Rails, or explicitly in config.ru
+# Replace the URL with your actual SSO Public Key endpoint
+PUBLIC_KEY_URL = "https://sso.example.com/api/v1/public_key"
+Rails.application.config.middleware.use RackJwtVerifier::Middleware,
+                                        public_key_url: PUBLIC_KEY_URL
+```
+### 2\. Production Setup with Redis Caching
+
+For horizontally scaled applications (e.g., using Puma or multiple Docker containers), the default in-memory cache is inefficient. To prevent a "cache stampede" where all workers simultaneously fetch the key, you must use a distributed cache like Redis.
+
+**Prerequisites:** You need a Redis client library installed (e.g., `redis-rails` or `connection\_pool`).
+
+#### Example: Using Redis as the Cache Store
+
+The `RackJwtVerifier` expects a cache object that responds to the standard Ruby cache interface: `#read(key)` and `#write(key, value, expires\_in: ttl)`.
+
+**Example using `ActiveSupport::Cache::RedisCacheStore` (Common in Rails apps):**
+
+```ruby
+# In config/initializers/rack_jwt_verifier.rb
+
+# 1. Configure your Redis cache client
+# This example assumes you have Redis configured via Rails:
+REDIS_CACHE_CLIENT = ActiveSupport::Cache.lookup_store(:redis_cache_store, {
+    url: ENV.fetch("REDIS_URL", "redis://localhost:6379/1"),
+    reconnect_attempts: 1  })
+# 2. Configure the Verifier with the Redis client
+Rails.application.config.middleware.use RackJwtVerifier::Middleware,
+  public_key_url: ENV.fetch("SSO_PUBLIC_KEY_URL"),
+  cache_store: REDIS_CACHE_CLIENT
+```
+
+By passing the Redis cache client via the `cache\_store` option, all your application workers will share a single cache, ensuring the public key is fetched from the network only once every 5 minutes (or whatever TTL is configured internally).
+
+### 3\. Customizing JWT Decoding
+
+You can pass a `:decode\_options` hash to the middleware to override the default settings for the JWT gem.
+
+| Option | Default Value | Purpose | 
+| -- | -- | -- | 
+| `:leeway` | `60` seconds | Sets clock skew tolerance for `exp` and `nbf` checks. Set to `0` for strict timing. | 
+| `:algorithm` | `"RS256"` | The expected signing algorithm. | 
+| `:iss` | (None) | **RECOMMENDED**: Set this to enforce a specific issuer claim. | 
+| `:aud` | (None) | **RECOMMENDED**: Set this to enforce an audience claim. | 
+
+**Example: Strict Expiration and Issuer Check:**
+
+```ruby
+Rails.application.config.middleware.use RackJwtVerifier::Middleware,
+  public_key_url: ENV.fetch("SSO_PUBLIC_KEY_URL"),
+  decode_options: {
+    # No clock skew tolerance
+    leeway: 0,
+    # Ensure the token was issued by our expected SSO provider
+    iss: "[https://my-sso.com/token-service](https://my-sso.com/token-service)"
+  }
+```
+
+How it Works
+------------
+
+1.  **Request Flow:** On every incoming HTTP request, the middleware intercepts the call.
+    
+2.  **Token Extraction:** It looks for a token in the `Authorization: Bearer <token>` header.
+    
+3.  **Key Retrieval:** The Verifier attempts to read the public key PEM string from the configured `cache\_store` (Redis or In-Memory).
+    *   If the key is present, it's used immediately.
+    *   If the key is missing or expired, a network request is made to the `public\_key\_url`, and the key is written back to the cache for 5 minutes.
+        
+4.  **Verification:** The public key is used to cryptographically verify the JWT's signature and validate its claims (`exp`, `nbf`, `iss`, etc.).
+    
+5.  **Authorization:**
+    *   If verification succeeds, the request passes to your application.
+    *   If verification fails (e.g., token expired, bad signature, or missing token), the request is halted, and a `401 Unauthorized` response is immediately returned.
+        
+
+Development
+-----------
+
+The testing setup uses RSpec, WebMock for network request mocking, and Timecop for robust time-dependent testing (like expiration checks).
+
+To run the full suite:
+
+```bash
+$ bundle install
+$ bundle exec rspec
+```
+
+License
+-------
+
+The gem is available as open source under the terms of the [MIT License](https://www.google.com/search?q=LICENSE.txt).

data/lib/rack_jwt_verifier/in_process_cache.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module RackJwtVerifier
+  # A simple, thread-safe, in-memory cache implementation designed to mimic
+  # a real cache store (like Rails.cache or Redis) but without external dependencies.
+  # This is the default cache store used if the user doesn't configure one.
+  class InProcessCache
+    # The cache lifespan in seconds (5 minutes)
+    DEFAULT_EXPIRY = 300
+
+    def initialize
+      @store = {}
+      @lock = Mutex.new # Ensure thread safety for multi-threaded environments
+    end
+
+    # Reads the value for a given key. Automatically checks for expiry.
+    # @param key [String] The cache key.
+    # @return [Object, nil] The cached value or nil if expired or not found.
+    def read(key)
+      @lock.synchronize do
+        entry = @store[key]
+        return nil unless entry
+
+        value, expires_at = entry
+        
+        # Check if the entry is expired
+        return nil if Time.now.to_i >= expires_at
+        
+        value
+      end
+    end
+
+    # Writes a value to the cache with an optional expiration time.
+    # @param key [String] The cache key.
+    # @param value [Object] The value to store.
+    # @param options [Hash] Options, expecting :expires_in (seconds).
+    # @return [Object] The stored value.
+    def write(key, value, options = {})
+      @lock.synchronize do
+        expiry = options[:expires_in] || DEFAULT_EXPIRY
+        expires_at = Time.now.to_i + expiry
+        @store[key] = [value, expires_at]
+        value
+      end
+    end
+
+    # Deletes an entry from the cache.
+    # @param key [String] The cache key.
+    # @return [Object, nil] The deleted entry value or nil.
+    def delete(key)
+      @lock.synchronize do
+        @store.delete(key)
+      end
+    end
+  end
+end

data/lib/rack_jwt_verifier/jwt_helper.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'openssl'
+
+# A helper class for handling JWT creation and verification using RSA keys (RS256).
+# This is typically used by the application or a separate service to *create* tokens.
+module RackJwtVerifier
+  class JwtHelper
+    # The private_key must be an OpenSSL::PKey::RSA object (or similar).
+    attr_reader :private_key, :public_key
+
+    # Initializes the helper with the RSA Private Key used for signing.
+    #
+    # @param private_key_pem [String] The PEM string of the RSA Private Key.
+    def initialize(private_key_pem)
+      # !! IMPORTANT !!
+      # This key signs the tokens.
+      @private_key = OpenSSL::PKey::RSA.new(private_key_pem)
+      @public_key = @private_key.public_key
+    end
+
+    # Encodes a payload into a JWT.
+    #
+    # @param payload [Hash] The data to be encoded in the JWT (e.g., user ID, roles).
+    # @param expires_in [Integer] Time in seconds until the token expires (default: 1 hour).
+    # @return [String] The signed JWT string.
+    def encode(payload, expires_in = 3600)
+      # Set standard expiration time (exp) and issued-at time (iat) claims
+      time = Time.now.to_i
+      payload_with_claims = payload.merge({
+        iat: time,
+        exp: time + expires_in
+      })
+
+      JWT.encode(payload_with_claims, @private_key, 'RS256')
+    end
+
+    # Decodes and verifies a JWT using the public key.
+    #
+    # NOTE: This method is used primarily for self-testing in the application
+    # but the primary verification logic for the middleware is in the Verifier class.
+    #
+    # @param token [String] The JWT string to decode.
+    # @return [Hash] The decoded payload if verification is successful.
+    # @raise [JWT::VerificationError, JWT::DecodeError] If the token is invalid or expired.
+    def decode(token)
+      # Decodes using the public key, performs signature verification (true),
+      # and restricts the algorithm to 'RS256'.
+      decoded = JWT.decode(token, @public_key, true, { algorithm: 'RS256' })
+      # Returns only the payload (the first element of the array).
+      decoded.first
+    end
+  end
+end

data/lib/rack_jwt_verifier/middleware.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "rack_jwt_verifier/verifier"
+
+module RackJwtVerifier
+  # The primary middleware class responsible for intercepting requests,
+  # extracting the JWT, verifying it, and injecting the user's details
+  # into the Rack environment.
+  class Middleware
+    # The default key in the Rack environment used to store the verified JWT payload.
+    # This can be accessed by downstream applications (e.g., Rails controllers)
+    # to retrieve the authenticated user's details.
+    RACK_ENV_PAYLOAD_KEY = "rack_jwt_verifier.payload".freeze
+
+    def initialize(app, options = {})
+      @app = app
+      @options = options
+      
+      # The Verifier instance is initialized with options (like public_key_url)
+      # and is responsible for all crypto and key management.
+      @verifier = Verifier.new(options)
+    end
+
+    def call(env)
+      token = extract_token(env)
+      
+      # If no token is found, we immediately pass the request down the stack
+      # and the application is responsible for handling the unauthenticated state.
+      return @app.call(env) unless token
+
+      begin
+        # Use the Verifier to handle the complex crypto and validation logic
+        payload = @verifier.verify(token)
+        
+        # On successful verification, store the payload in the Rack environment
+        env[RACK_ENV_PAYLOAD_KEY] = payload
+        
+        @app.call(env)
+      rescue JWT::DecodeError => e
+        # If verification fails (invalid signature, expired, invalid claim),
+        # log the error and return an unauthenticated response.
+        warn "JWT Verification Failed: #{e.message}"
+        
+        # Return a 401 Unauthorized response
+        unauthorized_response
+      end
+    end
+
+    private
+
+    # Extracts the JWT from the standard Authorization header format: "Bearer <token>"
+    def extract_token(env)
+      # Rack converts HTTP_AUTHORIZATION header to ENV['HTTP_AUTHORIZATION']
+      auth_header = env["HTTP_AUTHORIZATION"]
+      
+      return nil unless auth_header
+      
+      scheme, token = auth_header.split(" ", 2)
+      
+      # Only process if the scheme is "Bearer" and a token is present
+      (scheme == "Bearer") ? token : nil
+    end
+
+    # Standard 401 Unauthorized Rack response
+    def unauthorized_response
+      # Status, Headers, Body (Array of strings)
+      [401, { "Content-Type" => "text/plain", "WWW-Authenticate" => "Bearer error=\"invalid_token\"" }, ["Unauthorized: Invalid or expired JWT."]]
+    end
+  end
+end

data/lib/rack_jwt_verifier/verifier.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require "jwt"
+require "net/http"
+require "json"
+
+module RackJwtVerifier
+  # This class handles the cryptographic heavy lifting: fetching and caching
+  # public keys from the SSO provider, and performing the actual JWT decoding
+  # and signature verification.
+  class Verifier
+    # Error raised if we fail to fetch keys from the remote URL
+    class KeyFetchError < StandardError; end
+    
+    # The cache key used to store the public key PEM string
+    PUBLIC_KEY_CACHE_KEY = 'rack_jwt_verifier:public_key'.freeze
+    # The TTL for the cache (5 minutes, must match the default in InProcessCache)
+    CACHE_TTL_SECONDS = 300
+
+    # Default options for JWT decoding to ensure strict security compliance
+    DEFAULT_DECODE_OPTIONS = {
+      algorithm: "RS256", # Must match your SSO provider's algorithm
+      # THIS MUST BE TRUE: Ensures the 'exp' claim is checked during decoding
+      verify_expiration: true,
+      verify_not_before: true,
+      leeway: 60, # Allow a 60-second clock skew for "exp" and "nbf" claims
+      # 'iss' validation will be added later when we configure the Verifier.
+      # verify_iss: true
+    }.freeze
+
+    # @param options [Hash] Configuration options.
+    # @option options [String] :public_key_url The URL to fetch the public key.
+    # @option options [Object] :cache_store Optional custom cache object (must respond to #read and #write).
+    # @option options [Hash] :decode_options Custom options for JWT.decode.
+    def initialize(options = {})
+      @public_key_url = options.fetch(:public_key_url)
+      
+      # Inject cache store, defaulting to the simple InProcessCache.
+      # This allows users to pass in a Redis/Memcached client that responds to #read and #write.
+      @cache = options.fetch(:cache_store, InProcessCache.new)
+      
+      # Merge default options over any user-provided options
+      @decode_options = DEFAULT_DECODE_OPTIONS.merge(options.fetch(:decode_options, {}))
+    end
+
+    # Decodes and verifies the JWT.
+    # @param token [String] The JWT string from the Authorization header.
+    # @return [Hash] The decoded payload (the user claims).
+    # @raise [JWT::DecodeError] If the token is invalid, expired, or signature fails.
+    def verify(token)
+      # 1. Fetch the key from cache or network
+      key = fetch_public_key
+
+      # 2. Perform the cryptographic verification and claim validation
+      # The `true` is required to enable verification checks.
+      payload, _header = JWT.decode(token, key, true, @decode_options)
+      
+      # For standard usage, we only need the payload hash
+      payload
+    end
+
+    private
+
+    # Handles fetching the public key from the remote URL, using the injected cache.
+    def fetch_public_key
+      # 1. Try to read the PEM string from the cache
+      cached_pem = @cache.read(PUBLIC_KEY_CACHE_KEY)
+      
+      if cached_pem
+        # Found in cache, convert PEM to OpenSSL object and return
+        return OpenSSL::PKey::RSA.new(cached_pem)
+      end
+
+      # 2. Key is missing or expired, fetch it from the network
+      uri = URI(@public_key_url)
+      response = Net::HTTP.get_response(uri)
+
+      unless response.is_a?(Net::HTTPSuccess)
+        raise KeyFetchError, "Failed to fetch public key from #{@public_key_url}: #{response.code}"
+      end
+
+      # 3. Process response
+      public_key_pem = response.body
+      
+      # 4. Cache the new key PEM string
+      @cache.write(PUBLIC_KEY_CACHE_KEY, public_key_pem, expires_in: CACHE_TTL_SECONDS)
+      
+      # 5. Return the OpenSSL object for verification
+      OpenSSL::PKey::RSA.new(public_key_pem)
+
+    rescue KeyFetchError
+      # Re-raise explicit KeyFetchError for easier debugging/rescue in middleware
+      raise
+    rescue StandardError => e
+      # Catch all other network/parsing/OpenSSL errors
+      raise KeyFetchError, "Error processing public key: #{e.message}"
+    end
+  end
+end

data/lib/rack_jwt_verifier/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module RackJwtVerifier
+  VERSION = "0.1.0"
+end

data/lib/rack_jwt_verifier.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+# This file serves as the main entry point for the rack_jwt_verifier gem.
+# When a user calls `require 'rack_jwt_verifier'`, this file is loaded.
+
+require_relative "rack_jwt_verifier/version"
+
+# Require core component files so they are available under the RackJwtVerifier module.
+# IMPORTANT: These paths rely on you moving `jwt_helper.rb` into the
+# `lib/rack_jwt_verifier/` directory.
+require_relative "rack_jwt_verifier/jwt_helper"
+require_relative "rack_jwt_verifier/verifier"
+require_relative "rack_jwt_verifier/middleware"
+require_relative "rack_jwt_verifier/in_process_cache"
+
+
+# The main namespace module for the gem. All classes (JwtHelper, Verifier,
+# Middleware) are now accessible via RackJwtVerifier::ClassName.
+module RackJwtVerifier
+end

metadata

@@ -0,0 +1,174 @@
+--- !ruby/object:Gem::Specification
+name: rack-jwt-verifier
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Daniele Frisanco
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2025-10-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Verifies JWT signature, validates claims (expiration, issuer), and handles
+  public key retrieval to ensure requests are securely authenticated by an external
+  SSO provider.
+email:
+- daniele.frisanco@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec_status"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.md
+- README.md
+- lib/rack_jwt_verifier.rb
+- lib/rack_jwt_verifier/in_process_cache.rb
+- lib/rack_jwt_verifier/jwt_helper.rb
+- lib/rack_jwt_verifier/middleware.rb
+- lib/rack_jwt_verifier/verifier.rb
+- lib/rack_jwt_verifier/version.rb
+homepage: https://github.com/danielefrisanco/rack_jwt_verifier
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/danielefrisanco/rack_jwt_verifier
+  source_code_uri: https://github.com/danielefrisanco/rack_jwt_verifier
+  changelog_uri: https://github.com/danielefrisanco/rack_jwt_verifier/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.6
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.2.3
+signing_key: 
+specification_version: 4
+summary: A Rack middleware for authenticating requests using JWTs (JSON Web Tokens)
+  and injecting user data into the Rack environment.
+test_files: []