rack-jwt 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2cdc1b0bd5715e4d4d5e8cd04822d0e6825b089f
-  data.tar.gz: 2397aac243a1d587e109f46942cecdaaccb9b5cd
+  metadata.gz: 19267b5f494a49fb28e4a58a34a51aed16313480
+  data.tar.gz: 085968e3d783b4e7e1bcc13cf85e0944da44a97e
 SHA512:
-  metadata.gz: 1ccae31dc0d69b94d0da8243276c532b2793dbae1563da3b328a163d9f03f5284abb58f60a193b8e421591ca9f9ff0e2b1b6bac9dcd80a0954525b6ffd25d371
-  data.tar.gz: 03b28fa23d5d00bce804435ff76c6e1dd4f873f6c5d49bf8830ee5295ad747d90e5dbfba7fcb371d34f58968534fb7725e1545272ec82a48f78b582808f62019
+  metadata.gz: 95d36e6594b6cae68ec827bc7b53774814ce42a8a1d551ef99d697c7ed28fce6dfb30ff8a62c0f3644f6070d51b6d22ee6dbb09897366323a4059b7dce696a97
+  data.tar.gz: 9a7b0274512ba049c1a76071c7fb9850e4f36ba5b55d4401054a3206ef095b99c22340d0f12530796e8dea0f6c8f57dfa67539f9a81f10426336e9558c7c5128

data/README.md

@@ -24,16 +24,30 @@ Or install it yourself as:
 
 ## Usage
 
-### sinatra
+`Rack::JWT::Auth` accepts several configuration options:
+
+* `secret` : required : String : A cryptographically secure String that serves as the HMAC SHA-256 secret for the JSON Web Token.
+* `verify` : optional : Boolean : Determines whether JWT will verify tokens when decoded. Default is `true`.
+* `options` : optional : Hash : A hash of options that are passed through to JWT to configure supported claims. See [the ruby-jwt docs](https://github.com/progrium/ruby-jwt#support-for-reserved-claim-names) for the available options. By default only expiration (exp) and Not Before (nbf) claims are verified.
+* `exclude` : optional : Array : An Array of path strings representing paths that should not check for JWT authentication tokens before allowing access.
+
+
+### Sinatra
+
+```
+use Rack::JWT::Auth, secret: 'you_secret_token_goes_here', verify: true, options: {}, exclude: ['/api/docs']
+```
+
+### Cuba
 
 ```
-use Rack::JWT::Auth secret: 'you_secret_token_goes_here', exclude: ['/api/docs']
+Cuba.use Rack::JWT::Auth, secret: 'you_secret_token_goes_here', verify: true, options: {}, exclude: ['/api/docs']
 ```
 
 ### Rails
 
 ```
-Rails.application.config.middleware.use, Rack::JWT::Auth, secret: Rails.application.secrets.secret_key_base, exclude: ['/api/docs']
+Rails.application.config.middleware.use, Rack::JWT::Auth, secret: Rails.application.secrets.secret_key_base, verify: true, options: {}, exclude: ['/api/docs']
 ```
 
 ## Generating tokens

data/lib/rack/jwt/auth.rb

@@ -5,7 +5,9 @@ module Rack
     class Auth
       def initialize(app, opts = {})
         @app      = app
-        @secret   = opts.fetch(:secret)
+        @jwt_secret   = opts.fetch(:secret)
+        @jwt_verify   = opts.fetch(:verify, true)
+        @jwt_options  = opts.fetch(:options, {})
         @exclude  = opts.fetch(:exclude, [])
       end
 
@@ -23,11 +25,11 @@ module Rack
         if valid_header?(env)
           begin
             token = env['HTTP_AUTHORIZATION'].split(' ')[-1]
-            decoded_token = Token.decode(token, @secret)
-            env['jwt.header']  = decoded_token.last
-            env['jwt.payload'] = decoded_token.first
+            decoded_token = Token.decode(token, @jwt_secret, @jwt_verify, @jwt_options)
+            env['jwt.header']  = decoded_token.last unless decoded_token.nil?
+            env['jwt.payload'] = decoded_token.first unless decoded_token.nil?
             @app.call(env)
-          rescue
+          rescue ::JWT::DecodeError
             return_error('Invalid JWT token')
           end
         else

data/lib/rack/jwt/token.rb

@@ -1,15 +1,14 @@
 module Rack
   module JWT
     class Token
+      # TODO : Support all algorithms, not just default 'HS256'
+      # https://github.com/progrium/ruby-jwt#algorithms-and-usage
       def self.encode(payload, secret)
-        ::JWT.encode(payload, secret)
+        ::JWT.encode(payload, secret, 'HS256')
       end
 
-      def self.decode(token, secret)
-        ::JWT.decode(token, secret)
-      rescue
-        # It will raise an error if it is not a valid token due to any reason
-        nil
+      def self.decode(token, secret, verify, options)
+        ::JWT.decode(token, secret, verify, options)
       end
     end
   end

data/lib/rack/jwt/version.rb

@@ -1,5 +1,5 @@
 module Rack
-  module Jwt
-    VERSION = "0.1.1"
+  module JWT
+    VERSION = "0.2.0"
   end
 end

data/rack-jwt.gemspec

@@ -5,7 +5,7 @@ require 'rack/jwt/version'
 
 Gem::Specification.new do |spec|
   spec.name          = "rack-jwt"
-  spec.version       = Rack::Jwt::VERSION
+  spec.version       = Rack::JWT::VERSION
   spec.authors       = ["Mr. Eigenbart"]
   spec.email         = ["eigenbart@gmail.com"]
   spec.summary       = %q{Rack middleware that provides authentication based on JSON Web Tokens.}
@@ -25,5 +25,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rspec',     '~> 3.2.0'
 
   spec.add_runtime_dependency 'rack', '>= 1.6.0'
-  spec.add_runtime_dependency 'jwt', '~> 1.2.1'
+  spec.add_runtime_dependency 'jwt', '~> 1.5.0'
 end

data/spec/auth_spec.rb

@@ -3,16 +3,18 @@ require 'spec_helper'
 describe Rack::JWT::Auth do
   include Rack::Test::Methods
 
-  let(:issuer) { Rack::JWT::Token }
-  let(:secret) { 'foo' }
-  let(:body)   {{ 'foo' => 'bar' }}
+  let(:issuer)  { Rack::JWT::Token }
+  let(:secret)  { 'foo' }
+  let(:verify)  { true }
+  let(:options) { {} }
+  let(:body)    {{ 'foo' => 'bar' }}
 
   let(:app) do
     main_app = lambda { |env| [200, env, [body.to_json]] }
     Rack::JWT::Auth.new(main_app, { secret: secret })
   end
 
-  before do
+  def perform_request
     get('/', {}, headers)
   end
 
@@ -29,6 +31,8 @@ describe Rack::JWT::Auth do
 
     subject { JSON.parse(last_response.body) }
 
+    before { perform_request }
+
     it 'returns 401 status code' do
       expect(last_response.status).to eq(401)
     end
@@ -38,12 +42,14 @@ describe Rack::JWT::Auth do
     end
   end
 
-  context 'when authorzation header does not contain the schema' do
+  context 'when authorization header does not contain the schema' do
     let(:token) { issuer.encode({ iss: 1 }, secret) }
     let(:headers) {{ 'HTTP_AUTHORIZATION' => token }}
 
     subject { JSON.parse(last_response.body) }
 
+    before { perform_request }
+
     it 'returns 401 status code' do
       expect(last_response.status).to eq(401)
     end
@@ -59,6 +65,8 @@ describe Rack::JWT::Auth do
 
     subject { JSON.parse(last_response.body) }
 
+    before { perform_request }
+
     it 'returns 401 status code' do
       expect(last_response.status).to eq(401)
     end
@@ -74,6 +82,8 @@ describe Rack::JWT::Auth do
 
     subject { JSON.parse(last_response.body) }
 
+    before { perform_request }
+
     it 'returns 401 status code' do
       expect(last_response.status).to eq(401)
     end
@@ -83,12 +93,31 @@ describe Rack::JWT::Auth do
     end
   end
 
+  context 'when token signature is invalid and JWT verify option is false' do
+    let(:app) do
+      main_app = lambda { |env| [200, env, [body.to_json]] }
+      Rack::JWT::Auth.new(main_app, { secret: secret, verify: false })
+    end
+    let(:token) { issuer.encode({ iss: 1 }, 'invalid secret') }
+    let(:headers) {{ 'HTTP_AUTHORIZATION' => "Bearer #{token}" }}
+
+    before { perform_request }
+
+    subject { JSON.parse(last_response.body) }
+
+    it 'returns 200 status code' do
+      expect(last_response.status).to eq(200)
+    end
+  end
+
   context 'when token is valid' do
     let(:token) { issuer.encode({ iss: 1 }, secret) }
     let(:headers) {{ 'HTTP_AUTHORIZATION' => "Bearer #{token}" }}
 
     subject { JSON.parse(last_response.body) }
 
+    before { perform_request }
+
     it 'returns 200 status code' do
       expect(last_response.status).to eq(200)
     end
@@ -108,4 +137,107 @@ describe Rack::JWT::Auth do
       expect(header['typ']).to eq('JWT')
     end
   end
+
+  context 'when token is valid but app raises an error unrelated to JWT' do
+    let(:token) { issuer.encode({ iss: 1 }, secret) }
+    let(:headers) {{ 'HTTP_AUTHORIZATION' => "Bearer #{token}" }}
+
+    let(:app) do
+      main_app = lambda { |env| raise 'BOOM!' }
+      Rack::JWT::Auth.new(main_app, { secret: secret })
+    end
+
+    it 'bubbles up the exception' do
+      expect { perform_request }.to raise_error('BOOM!')
+    end
+  end
+
+  # Test the pass-through of the options Hash to JWT using Issued At (iat) claim to test..
+  ###
+
+  context 'when token is valid and an invalid Issued At (iat) claim is provided JWT should ignore bad iat by default' do
+    let(:token) { issuer.encode({ iss: 1, iat: Time.now.to_i + 1000000 }, secret) }
+    let(:headers) {{ 'HTTP_AUTHORIZATION' => "Bearer #{token}" }}
+
+    before { perform_request }
+
+    subject { JSON.parse(last_response.body) }
+
+    it 'returns 200 status code' do
+      expect(last_response.status).to eq(200)
+    end
+
+    it 'process the request' do
+      expect(subject).to eq(body)
+    end
+
+    it 'adds the token payload to the request' do
+      payload = last_response.header['jwt.payload']
+      expect(payload['iss']).to eq(1)
+    end
+
+    it 'adds the token header to the request' do
+      header = last_response.header['jwt.header']
+      expect(header['alg']).to eq('HS256')
+      expect(header['typ']).to eq('JWT')
+    end
+  end
+
+  context 'when token is valid and an invalid Issued At (iat) claim is provided and iat verification option is enabled' do
+    # The token was issued at an insane time in the future.
+    let(:iat) { Time.now.to_i + 1000000 }
+    let(:app) do
+      main_app = lambda { |env| [200, env, [body.to_json]] }
+      Rack::JWT::Auth.new(main_app, { secret: secret, options: { :verify_iat => true } })
+    end
+    let(:token) { issuer.encode({ iss: 1, iat: iat }, secret) }
+    let(:headers) {{ 'HTTP_AUTHORIZATION' => "Bearer #{token}" }}
+
+    before { perform_request }
+
+    subject { JSON.parse(last_response.body) }
+
+    it 'returns 401 status code' do
+      expect(last_response.status).to eq(401)
+    end
+
+    it 'returns an error message' do
+      expect(subject['error']).to eq('Invalid JWT token')
+    end
+  end
+
+  context 'when token is valid and a valid Issued At (iat) claim is provided and iat verification option is enabled' do
+    # The token was issued at a sane Time.now
+    let(:iat) { Time.now.to_i }
+    let(:app) do
+      main_app = lambda { |env| [200, env, [body.to_json]] }
+      Rack::JWT::Auth.new(main_app, { secret: secret, options: { :verify_iat => true } })
+    end
+    let(:token) { issuer.encode({ iss: 1, iat: iat }, secret) }
+    let(:headers) {{ 'HTTP_AUTHORIZATION' => "Bearer #{token}" }}
+
+    before { perform_request }
+
+    subject { JSON.parse(last_response.body) }
+
+    it 'returns 200 status code' do
+      expect(last_response.status).to eq(200)
+    end
+
+    it 'process the request' do
+      expect(subject).to eq(body)
+    end
+
+    it 'adds the token payload to the request' do
+      payload = last_response.header['jwt.payload']
+      expect(payload['iss']).to eq(1)
+    end
+
+    it 'adds the token header to the request' do
+      header = last_response.header['jwt.header']
+      expect(header['alg']).to eq('HS256')
+      expect(header['typ']).to eq('JWT')
+    end
+  end
+
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack-jwt
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Mr. Eigenbart
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-02-07 00:00:00.000000000 Z
+date: 2015-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.1
+        version: 1.5.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.2.1
+        version: 1.5.0
 description: Rack middleware that provides authentication based on JSON Web Tokens.
 email:
 - eigenbart@gmail.com