rack_jwt_aegis 1.1.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0e776985ff922d83b9ac75821698125a565dce342be61bd4bf6012fc97dfd82c
-  data.tar.gz: 7bbb4006689d39ea9ec47ad869b01468bbfbddfb0ecbaa430d28ac96f1fd33b7
+  metadata.gz: 355b1a9e875355d5a3c5c7ca9c83dd24af066e1c69e89c9030fab8bb2c5a3f71
+  data.tar.gz: e151caf3879396e067aaf2c7f5ba0228fece3de07c5bdf41ac3df3e37d271ab9
 SHA512:
-  metadata.gz: 64eb785ccd161bf7f7a7e0ce2b9840007885778b47d35a5528fe586ebcc160aa2f3d356e92868f8931c0789603a78fbc1feef56d6141dbeb322611330404b77a
-  data.tar.gz: 84f45c9c58aed4eadbcfd8a1d78d1a3e0cdd47c9f602ae9047e847738c671c0513dacfc9298207456fa969a44045ec6b8b8ff29fea3e0c29f76357aa4933ddaf
+  metadata.gz: e9709c05464dade807e95a135d6c5fe7d4e301127c4ea23209086298bc3078882cd1c5454262b1bc1759d1b48b27ac7cd630690e735a210f354bbb20fea808e8
+  data.tar.gz: 505983dd1f954880f7ad1a9a6e33beaf3ff83734c5034f90f5515d1ac0d48bac7c6b4e75842aeb7860695bf10efd7aba24c012cafd97b7e1089270d853c0bb23

data/.ruby-version

@@ -0,0 +1 @@
+3.2

data/.yardopts

@@ -1,14 +1,8 @@
---output-dir doc
---readme README.md
---main README.md
---markup=markdown
+--title "RackJwtAegis Rack Middleware API Documentation""
 --protected
---private
---no-private
---title "RackJwtAegis Rack Middleware API Documentation"
---charset utf-8
-lib/**/*.rb
+--markup markdown
+--readme README.md
+'lib/**/*.rb'
 -
-README.md
-LICENSE.txt
-CODE_OF_CONDUCT.md
+--files CHANGELOG.md LICENSE.txt CODE_OF_CONDUCT.md
+

data/CHANGELOG.md

@@ -1,9 +1,94 @@
 # Changelog
 
-All notable changes to this project will be documented in this file.
+## Unreleased
 
-The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
-and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.1.1] - 2026-06-13
+
+### 🚀 Added
+
+#### Method-Aware Skip Routes
+
+- Added `skip_routes` to support request-aware public route matching by path and HTTP verb.
+- Kept `skip_paths` as a backward-compatible alias for all-method skips.
+- Normalizes route rules once at configuration time so middleware checks stay fast per request.
+
+#### Route Skipping Behavior
+
+- Middleware now evaluates `METHOD + path` for skip decisions, so `POST /login` can be public while `GET /login` remains protected.
+- Added support for blank verb lists to mean all methods on a route entry.
+- Updated the Pink House API initializer to use the new `skip_routes` shape.
+
+### 🔧 Fixed
+
+#### Simplified RBAC Cache Strategy
+
+- **Streamlined Configuration**: Removed legacy cache configuration options to eliminate confusion
+  - **Removed**: `cache_store`, `cache_options`, and `cache_write_enabled` (deprecated in favor of dedicated RBAC cache stores)
+  - **Required**: When `rbac_enabled: true`, both `rbac_cache_store` and `permissions_cache_store` must be explicitly configured
+  - **Simplified**: Consistent naming with `rbac_cache_store_options` and `permissions_cache_store_options`
+
+#### Cache Store Validation
+
+- **Mandatory Configuration**: RBAC cache stores are now required when RBAC is enabled
+  - Prevents runtime errors from missing cache configuration
+  - Provides clear error messages during initialization: "rbac_cache_store and permissions_cache_store are required when RBAC is enabled"
+  - Ensures production deployments are properly configured for performance
+
+#### Code Cleanup
+
+- **Removed Complexity**: Eliminated dual cache mode logic and fallback mechanisms
+  - Simplified `RbacManager#setup_cache_adapters` method
+  - Removed conditional cache write logic that added complexity
+  - Cleaner permission checking flow with consistent cache behavior
+
+#### Developer Experience
+
+- **Clear Configuration**: Explicit cache store requirements eliminate guesswork
+- **Better Error Messages**: Configuration validation happens at startup, not at runtime
+- **Consistent Naming**: Standardized cache option parameter names across all adapters
+
+### 🏗️ Technical Details
+
+#### Breaking Changes (Minor - Configuration Only)
+
+- **Removed Configuration Options**:
+  - `cache_store` → Use `rbac_cache_store` and `permissions_cache_store` instead
+  - `cache_options` → Use `rbac_cache_store_options` and `permissions_cache_store_options` instead
+  - `cache_write_enabled` → Cache writing is now always enabled when RBAC is active
+
+#### Migration Guide
+
+**Before (v1.1.0):**
+```ruby
+use RackJwtAegis::Middleware, {
+  jwt_secret: ENV['JWT_SECRET'],
+  rbac_enabled: true,
+  cache_store: :redis,
+  cache_options: { url: ENV['REDIS_URL'] },
+  cache_write_enabled: true
+}
+```
+
+**After (v1.1.1):**
+```ruby
+use RackJwtAegis::Middleware, {
+  jwt_secret: ENV['JWT_SECRET'],
+  rbac_enabled: true,
+  rbac_cache_store: :redis,
+  rbac_cache_store_options: { url: ENV['REDIS_URL'] },
+  permissions_cache_store: :redis,
+  permissions_cache_store_options: { url: ENV['REDIS_URL'] }
+}
+```
+
+#### Benefits
+
+- **🚀 Simpler Configuration**: No more dual cache modes or conditional logic
+- **🛡️ Fail-Fast Validation**: Configuration errors caught at startup
+- **📈 Better Performance**: Dedicated cache stores optimized for their specific use cases
+- **🧹 Cleaner Code**: Reduced complexity in cache management logic
+
+---
 
 ## [1.1.0] - 2025-08-14
 
@@ -71,11 +156,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 #### Developer Experience
 
 - **Better Error Messages**: Clear configuration error descriptions
+
 ```ruby
 # Example error message:
-"RBAC permissions must be a Hash with role-id keys, not Array. 
+"RBAC permissions must be a Hash with role-id keys, not Array.
 Expected format: {\"role-id\": [\"resource:method\", ...]}, but got: Array"
 ```
+
 - **Migration Support**: Catches common mistakes when upgrading cache format
 - **Improved Documentation**: Cleaner YARD output with better Markdown rendering
 
@@ -96,6 +183,7 @@ Expected format: {\"role-id\": [\"resource:method\", ...]}, but got: Array"
 #### Updating RBAC Cache Format
 
 **Before (v1.0.x):**
+
 ```ruby
 Rails.cache.write("permissions", {
   'last_update' => Time.now.to_i,
@@ -107,6 +195,7 @@ Rails.cache.write("permissions", {
 ```
 
 **After (v1.1.0+):**
+
 ```ruby
 Rails.cache.write("permissions", {
   'last_update' => Time.now.to_i,
@@ -294,8 +383,8 @@ use RackJwtAegis::Middleware, {
   pathname_slug_pattern: /^\/api\/v1\/([^\/]+)\//,
   rbac_enabled: true,
   rbac_cache_store: :redis,
-  permission_cache_store: :memory,
-  user_permissions_ttl: 300,
+  permissions_cache_store: :memory,
+  cached_permissions_ttl: 300,
   cache_write_enabled: true,
   skip_paths: [/^\/health/, /^\/metrics/, /^\/api\/public/],
   custom_payload_validation: ->(payload) { payload['active'] == true },
@@ -369,6 +458,7 @@ This 1.0.0 release represents a production-ready JWT authentication middleware w
 
 **Deprecations**: None (initial release).
 
+[1.1.1]: https://github.com/kanutocd/rack_jwt_aegis/releases/tag/v1.1.1
 [1.1.0]: https://github.com/kanutocd/rack_jwt_aegis/releases/tag/v1.1.0
 [1.0.2]: https://github.com/kanutocd/rack_jwt_aegis/releases/tag/v1.0.2
 [1.0.1]: https://github.com/kanutocd/rack_jwt_aegis/releases/tag/v1.0.1

data/README.md

@@ -3,7 +3,7 @@
 [![Gem Version](https://badge.fury.io/rb/rack_jwt_aegis.svg)](https://badge.fury.io/rb/rack_jwt_aegis)
 [![CI](https://github.com/kanutocd/rack_jwt_aegis/workflows/CI/badge.svg)](https://github.com/kanutocd/rack_jwt_aegis/actions)
 [![Coverage Status](https://codecov.io/gh/kanutocd/rack_jwt_aegis/branch/main/graph/badge.svg)](https://codecov.io/gh/kanutocd/rack_jwt_aegis)
-[![Ruby Version](https://img.shields.io/badge/ruby-%3E%3D%203.1.0-ruby.svg)](https://www.ruby-lang.org/en/)
+[![Ruby Version](https://img.shields.io/badge/ruby-%3E%3D%203.2.0-ruby.svg)](https://www.ruby-lang.org/en/)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
 JWT authentication and authorization middleware for hierarchical multi-tenant Rack applications with 2-level tenant support.
@@ -147,28 +147,24 @@ RackJwtAegis::Middleware.new(app, {
   pathname_slug_pattern: /^\/api\/v1\/([^\/]+)\//,  # Default pattern
 
   # RBAC Configuration
-  rbac_enabled: true,               # Default: false
-  rbac_cache_store: :redis,         # Required when RBAC enabled
-  rbac_cache_options: { url: ENV['REDIS_URL'] },
-  user_permissions_ttl: 3600,       # Default: 1800 (30 minutes) - TTL for cached user permissions
-
-  # Cache Store Configuration (choose one approach)
-  # Option 1: Shared cache for both RBAC and permissions
-  cache_store: :memory,             # :memory, :redis, :memcached, :solid_cache
-  cache_options: { url: ENV['REDIS_URL'] },
-
-  # Option 2: Separate cache stores for RBAC and permissions
-  rbac_cache_store: :redis,         # For RBAC permissions data
-  rbac_cache_options: { url: ENV['REDIS_URL'] },
-  permission_cache_store: :memory,  # For cached user permissions
-  permission_cache_options: {},
+  rbac_enabled: true,                 # Default: false
+  rbac_cache_store: :redis,           # Required when RBAC enabled. Default: :memory
+  rbac_cache_store_options: { url: ENV['REDIS_URL'] }, # Cache Store specific options. Default: {}
+
+  cached_permissions_ttl: 3600,            # Default: 1800 (30 minutes) - TTL for cached user permissions
+  permissions_cache_store: :solid_cache,   # Required when RBAC enabled. Default: :memory
+  permissions_cache_store_options: {},     # Cache Store specific options. Default: {}
+
+  # Or can also be the same Redis instance
+  # permissions_cache_store: :redis,   # Required when RBAC enabled. Default: :memory
+  # permissions_cache_store_options: { url: ENV['REDIS_URL'] },
 
   # Response Customization
   unauthorized_response: { error: 'Authentication required' },
   forbidden_response: { error: 'Access denied' },
 
   # Debugging
-  debug_mode: Rails.env.development?  # Default: false
+  debug_mode: Rails.env.development?  # Default: when in Rails, Rails.env.development? otherwise false
 })
 ```
 
@@ -404,18 +400,19 @@ All role values are normalized to strings internally for consistent matching aga
 
 ```ruby
 # Memory cache (development/testing)
-config.cache_store = :memory
+config.rbac_cache_store = :memory         # Default. When in Rails, it will default to Rails.application.config.cache_store
+config.permissions_cache_store = :memory  # Default. When in Rails, it will default to Rails.application.config.cache_store
 
 # Redis cache
-config.cache_store = :redis
-config.cache_options = { url: ENV['REDIS_URL'] }
+config.rbac_cache_store = :redis
+config.rbac_cache_store_options = { url: ENV['REDIS_URL'] }
 
 # Memcached cache
-config.cache_store = :memcached
-config.cache_options = { servers: ['localhost:11211'] }
+config.rbac_cache_store = :memcached
+config.rbac_cache_store_options = { servers: ['localhost:11211'] }
 
 # Solid Cache (Rails 8+)
-config.cache_store = :solid_cache
+config.rbac_cache_store = :solid_cache
 ```
 
 #### Separate Cache Stores
@@ -425,11 +422,11 @@ You can configure separate cache stores for RBAC permissions data and cached use
 ```ruby
 # Use Redis for RBAC data (shared across instances)
 config.rbac_cache_store = :redis
-config.rbac_cache_options = { url: ENV['REDIS_URL'] }
+config.rbac_cache_store_options = { url: ENV['REDIS_URL'] }
 
 # Use memory for user permission cache (faster local access)
-config.permission_cache_store = :memory
-config.permission_cache_options = {}
+config.permissions_cache_store = :memory
+config.permissions_cache_store_options = {}
 ```
 
 ## RBAC Cache Format
@@ -506,7 +503,7 @@ When RBAC is enabled, the middleware expects permissions to be stored in the cac
      "12345:acme-group.localhost.local/api/v1/company/sales/invoices:post": 1640995200
    }
    ```
-   TTL configurable via `user_permissions_ttl` option (default: 30 minutes)
+   TTL configurable via `cached_permissions_ttl` option (default: 30 minutes)
 
 ### Cache Invalidation Strategy
 

data/lib/rack_jwt_aegis/cache_adapter.rb

@@ -4,13 +4,13 @@ module RackJwtAegis
   class CacheAdapter
     def self.build(store_type, options = {})
       case store_type
-      when :memory
+      when :memory, :memory_store
         MemoryAdapter.new(options)
-      when :redis
+      when :redis, :redis_cache_store
         RedisAdapter.new(options)
-      when :memcached
+      when :memcached, :mem_cache_store
         MemcachedAdapter.new(options)
-      when :solid_cache
+      when :solid_cache, :solid_cache_store
         SolidCacheAdapter.new(options)
       else
         raise ConfigurationError, "Unsupported cache store: #{store_type}"

data/lib/rack_jwt_aegis/circuit_breaker.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'ratomic'
+
+module RackJwtAegis
+  class CircuitBreaker
+    STATE_FAILURE_COUNT = 'failure_count'
+    STATE_OPENED_AT = 'opened_at'
+
+    def initialize(failure_threshold:, cooldown_seconds:)
+      @failure_threshold = failure_threshold.to_i
+      @cooldown_seconds = cooldown_seconds.to_i
+      @state = Ratomic::Map.new
+      reset
+    end
+
+    def allow_request?
+      return true unless open?
+      return false unless cooldown_elapsed?
+
+      reset
+      true
+    end
+
+    def record_success
+      reset
+    end
+
+    def record_failure
+      failures = @state.increment(STATE_FAILURE_COUNT)
+      @state[STATE_OPENED_AT] = Time.now.to_f if failures >= @failure_threshold
+      failures
+    end
+
+    def open?
+      !@state[STATE_OPENED_AT].nil?
+    end
+
+    private
+
+    def reset
+      @state[STATE_FAILURE_COUNT] = 0
+      @state.delete(STATE_OPENED_AT)
+    end
+
+    def cooldown_elapsed?
+      opened_at = @state[STATE_OPENED_AT]
+      opened_at && (Time.now.to_f - opened_at) >= @cooldown_seconds
+    end
+  end
+end

data/lib/rack_jwt_aegis/configuration.rb

@@ -19,8 +19,6 @@ module RackJwtAegis
   #     validate_subdomain: true,
   #     validate_pathname_slug: true,
   #     rbac_enabled: true,
-  #     cache_store: :redis,
-  #     cache_write_enabled: true,
   #     skip_paths: ['/health', '/api/public/*'],
   #     debug_mode: Rails.env.development?
   #   )
@@ -53,10 +51,30 @@ module RackJwtAegis
     # @return [Boolean] true if tenant id validation is enabled
     attr_accessor :validate_tenant_id
 
+    # Whether authenticated requests must include all identity/tenant headers
+    # @return [Boolean] true if strict authenticated request headers are required
+    attr_accessor :require_authentication_headers
+
+    # Whether JWTs must include expiration-related claims
+    # @return [Boolean] true if exp and iat claims are required
+    attr_accessor :require_expiration_claims
+
     # Whether RBAC (Role-Based Access Control) is enabled
     # @return [Boolean] true if RBAC is enabled
     attr_accessor :rbac_enabled
 
+    # Whether unexpected errors should trip a fail-fast circuit breaker
+    # @return [Boolean] true if circuit breaker is enabled
+    attr_accessor :circuit_breaker_enabled
+
+    # Number of unexpected failures before the circuit opens
+    # @return [Integer] failure threshold
+    attr_accessor :circuit_breaker_failure_threshold
+
+    # Seconds to fail fast before allowing another request attempt
+    # @return [Integer] cooldown seconds
+    attr_accessor :circuit_breaker_cooldown_seconds
+
     # @!endgroup
 
     # @!group Multi-tenant Settings
@@ -65,6 +83,14 @@ module RackJwtAegis
     # @return [String] the tenant ID header name (default: 'X-Tenant-Id')
     attr_accessor :tenant_id_header_name
 
+    # The HTTP header name containing the tenant slug
+    # @return [String] the tenant slug header name
+    attr_accessor :tenant_slug_header_name
+
+    # The HTTP header name containing the user ID
+    # @return [String] the user ID header name
+    attr_accessor :user_id_header_name
+
     # The regular expression pattern to extract pathname slugs
     # @return [Regexp] the pathname slug pattern (default: /^\/api\/v1\/([^\/]+)\//)
     attr_accessor :pathname_slug_pattern
@@ -79,47 +105,35 @@ module RackJwtAegis
 
     # @!group Path Management
 
-    # Array of paths that should skip JWT authentication
-    # @return [Array<String, Regexp>] paths to skip authentication for
+    # Array of routes that should skip JWT authentication
+    # @return [Array<String, Regexp, Hash>] routes to skip authentication for
     # @example
     #   ['/health', '/api/public', /^\/assets/]
-    attr_accessor :skip_paths
+    #   [{ path: '/api/v1/sessions', verbs: [:post] }]
+    attr_reader :skip_paths, :skip_routes
 
     # @!endgroup
 
     # @!group Cache Configuration
-
-    # The primary cache store adapter type
-    # @return [Symbol] the cache store type (:memory, :redis, :memcached, :solid_cache)
-    attr_accessor :cache_store
-
-    # Options passed to the cache store adapter
-    # @return [Hash] cache store configuration options
-    attr_accessor :cache_options
-
-    # Whether the middleware can write to cache stores
-    # @return [Boolean] true if cache writing is enabled
-    attr_accessor :cache_write_enabled
-
     # The RBAC cache store adapter type (separate from main cache)
     # @return [Symbol] the RBAC cache store type
     attr_accessor :rbac_cache_store
 
     # Options for the RBAC cache store
     # @return [Hash] RBAC cache configuration options
-    attr_accessor :rbac_cache_options
+    attr_accessor :rbac_cache_store_options
 
     # The permission cache store adapter type
     # @return [Symbol] the permission cache store type
-    attr_accessor :permission_cache_store
+    attr_accessor :permissions_cache_store
 
     # Options for the permission cache store
     # @return [Hash] permission cache configuration options
-    attr_accessor :permission_cache_options
+    attr_accessor :permissions_cache_store_options
 
     # Time-to-live for user permissions cache in seconds
     # @return [Integer] TTL in seconds (default: 1800 - 30 minutes)
-    attr_accessor :user_permissions_ttl
+    attr_accessor :cached_permissions_ttl
 
     # @!endgroup
 
@@ -168,11 +182,13 @@ module RackJwtAegis
     # @option options [String] :tenant_id_header_name ('X-Tenant-Id') tenant ID header name
     # @option options [Regexp] :pathname_slug_pattern default pattern for pathname slugs
     # @option options [Hash] :payload_mapping mapping of JWT claim names
-    # @option options [Array<String, Regexp>] :skip_paths ([]) paths to skip authentication
-    # @option options [Symbol] :cache_store cache adapter type
-    # @option options [Hash] :cache_options cache configuration options
-    # @option options [Boolean] :cache_write_enabled (false) enable cache writing
-    # @option options [Integer] :user_permissions_ttl (1800) user permissions cache TTL in seconds
+    # @option options [Array<String, Regexp>] :skip_paths ([]) legacy paths to skip authentication
+    # @option options [Array<String, Regexp, Hash>] :skip_routes ([]) routes to skip authentication
+    # @option options [Symbol] :rbac_cache_store cache adapter type
+    # @option options [Hash] :rbac_cache_store_options cache configuration options
+    # @option options [Symbol] :permissions_cache_store cache adapter type
+    # @option options [Hash] :permissions_cache_store_options cache configuration options
+    # @option options [Integer] :cached_permissions_ttl (1800) user permissions cache TTL in seconds
     # @option options [Boolean] :debug_mode (false) enable debug logging
     # @raise [ConfigurationError] if jwt_secret is missing or configuration is invalid
     def initialize(options = {})
@@ -196,6 +212,12 @@ module RackJwtAegis
       config_boolean?(rbac_enabled)
     end
 
+    # Check if circuit breaker is enabled
+    # @return [Boolean] true if circuit breaker is enabled
+    def circuit_breaker_enabled?
+      config_boolean?(circuit_breaker_enabled)
+    end
+
     # Check if subdomain validation is enabled
     # @return [Boolean] true if subdomain validation is enabled
     def validate_subdomain?
@@ -214,33 +236,50 @@ module RackJwtAegis
       config_boolean?(validate_tenant_id)
     end
 
+    # Check if strict authenticated request headers are required
+    # @return [Boolean] true if required auth headers are enabled
+    def require_authentication_headers?
+      config_boolean?(require_authentication_headers)
+    end
+
+    # Check if exp and iat claims are required
+    # @return [Boolean] true if expiration claims are required
+    def require_expiration_claims?
+      config_boolean?(require_expiration_claims)
+    end
+
     # Check if debug mode is enabled
     # @return [Boolean] true if debug mode is enabled
     def debug_mode?
       config_boolean?(debug_mode)
     end
 
-    # Check if cache write access is enabled
-    # @return [Boolean] true if cache writing is enabled
-    def cache_write_enabled?
-      config_boolean?(cache_write_enabled)
+    def skip_paths=(value)
+      @skip_paths = value
+      @normalized_skip_routes = nil
+    end
+
+    def skip_routes=(value)
+      @skip_routes = value
+      @normalized_skip_routes = nil
     end
 
     # Check if the given path should skip JWT authentication
     # @param path [String] the request path to check
-    # @return [Boolean] true if the path should be skipped
+    # @return [Boolean] true if the path should be skipped for any method
     def skip_path?(path)
-      return false if skip_paths.nil? || skip_paths.empty?
-
-      skip_paths.any? do |skip_path|
-        case skip_path
-        when String
-          path == skip_path
-        when Regexp
-          skip_path.match?(path)
-        else
-          false
-        end
+      skip_request?(path)
+    end
+
+    # Check if the given request should skip JWT authentication
+    # @param path [String] the request path to check
+    # @param request_method [String, nil] the HTTP method to check
+    # @return [Boolean] true if the route should be skipped
+    def skip_request?(path, request_method = nil)
+      return false if normalized_skip_routes.empty?
+
+      normalized_skip_routes.any? do |skip_route|
+        route_matches?(skip_route, path, request_method)
       end
     end
 
@@ -272,22 +311,39 @@ module RackJwtAegis
       @validate_subdomain = false
       @validate_pathname_slug = false
       @validate_tenant_id = false
-      @rbac_enabled = false
+      @require_authentication_headers = false
+      @require_expiration_claims = false
       @tenant_id_header_name = 'X-Tenant-Id'
+      @tenant_slug_header_name = 'X-Tenant-Slug'
+      @user_id_header_name = 'X-User-Id'
       @pathname_slug_pattern = %r{^/api/v1/([^/]+)/}
       @skip_paths = []
-      @cache_write_enabled = false
-      @user_permissions_ttl = 1800 # 30 minutes default
-      @debug_mode = false
+      @skip_routes = []
       @payload_mapping = {
         user_id: :user_id,
         tenant_id: :tenant_id,
+        tenant_slug: :subdomain,
         subdomain: :subdomain,
         pathname_slugs: :pathname_slugs,
         role_ids: :role_ids,
       }
       @unauthorized_response = { error: 'Authentication required' }
       @forbidden_response = { error: 'Access denied' }
+      @rbac_enabled = false
+      @circuit_breaker_enabled = false
+      @circuit_breaker_failure_threshold = 5
+      @circuit_breaker_cooldown_seconds = 30
+      @cached_permissions_ttl = 1800 # 30 minutes default
+      @rbac_cache_store = if Object.const_defined?(:Rails) && Rails.const_defined?(:Application)
+                            @debug_mode = Rails.env.development?
+                            Rails.application.config.cache_store
+                          else
+                            @debug_mode = false
+                            :memory
+                          end
+      @permissions_cache_store = @rbac_cache_store
+      @rbac_cache_store_options = {}
+      @permissions_cache_store_options = {}
     end
 
     def validate!
@@ -295,6 +351,8 @@ module RackJwtAegis
       validate_payload_mapping!
       validate_cache_settings!
       validate_multi_tenant_settings!
+      validate_authentication_header_settings!
+      validate_circuit_breaker_settings!
     end
 
     def validate_jwt_settings!
@@ -325,27 +383,10 @@ module RackJwtAegis
     end
 
     def validate_cache_settings!
-      return unless rbac_enabled?
-
-      # Validate cache store configuration
-      if cache_store && !cache_write_enabled?
-        # Zero trust mode - separate caches required
-        if rbac_cache_store.nil?
-          raise ConfigurationError, 'rbac_cache_store is required when cache_write_enabled is false'
-        end
-
-        if permission_cache_store.nil?
-          @permission_cache_store = :memory # Default fallback
-        end
-      elsif cache_store.nil? && rbac_cache_store.nil?
-        # Both cache stores are missing - at least one is required for RBAC
-        raise ConfigurationError, 'cache_store or rbac_cache_store is required when RBAC is enabled'
-      end
-
-      # Set default fallback for permission_cache_store when rbac_cache_store is provided
-      return unless !rbac_cache_store.nil? && permission_cache_store.nil?
+      return unless rbac_enabled? && (rbac_cache_store.nil? || permissions_cache_store.nil?)
 
-      @permission_cache_store = :memory # Default fallback
+      raise ConfigurationError,
+            'rbac_cache_store and permissions_cache_store are required when RBAC is enabled'
     end
 
     def validate_multi_tenant_settings!
@@ -367,5 +408,101 @@ module RackJwtAegis
       error_msg << 'pathname_slug_pattern is required' if pathname_slug_pattern.to_s.empty?
       raise ConfigurationError, "#{error_msg.join(' and ')} when validate_pathname_slug is true" if error_msg.any?
     end
+
+    def normalized_skip_routes
+      @normalized_skip_routes ||= normalize_skip_routes
+    end
+
+    def normalize_skip_routes
+      normalize_skip_route_entries(skip_paths) + normalize_skip_route_entries(skip_routes)
+    end
+
+    def normalize_skip_route_entries(entries)
+      Array(entries).each_with_object([]) do |entry, normalized|
+        case entry
+        when String, Regexp
+          normalized << { path: entry, methods: nil }
+        when Hash
+          path = entry.key?(:path) ? entry[:path] : entry['path']
+          next if path.nil?
+
+          verbs = if entry.key?(:verbs)
+                    entry[:verbs]
+                  elsif entry.key?('verbs')
+                    entry['verbs']
+                  elsif entry.key?(:verb)
+                    entry[:verb]
+                  elsif entry.key?('verb')
+                    entry['verb']
+                  elsif entry.key?(:methods)
+                    entry[:methods]
+                  elsif entry.key?('methods')
+                    entry['methods']
+                  end
+
+          normalized << { path: path, verbs: normalize_skip_verbs(verbs) }
+        end
+      end
+    end
+
+    def normalize_skip_verbs(verbs)
+      return nil if verbs.nil?
+      return nil if verbs.respond_to?(:empty?) && verbs.empty?
+      return nil if verbs.is_a?(String) && verbs.strip.empty?
+
+      normalized = Array(verbs).flatten.compact.map do |verb|
+        verb.to_s.strip.upcase
+      end.reject(&:empty?)
+
+      normalized.empty? ? nil : normalized.uniq
+    end
+
+    def route_matches?(skip_route, path, request_method)
+      path_matches = case skip_route[:path]
+                     when String
+                       skip_route[:path] == path
+                     when Regexp
+                       skip_route[:path].match?(path)
+                     else
+                       false
+                     end
+
+      return false unless path_matches
+
+      verbs = skip_route[:verbs]
+      return true if verbs.nil?
+
+      return false if request_method.nil?
+
+      verbs.include?(request_method.to_s.upcase)
+    end
+
+    def validate_authentication_header_settings!
+      return unless require_authentication_headers?
+
+      error_msg = []
+      error_msg << 'payload_mapping must include :user_id' unless payload_mapping.key?(:user_id)
+      error_msg << 'payload_mapping must include :tenant_id' unless payload_mapping.key?(:tenant_id)
+      error_msg << 'payload_mapping must include :tenant_slug' unless payload_mapping.key?(:tenant_slug)
+      error_msg << 'tenant_id_header_name is required' if tenant_id_header_name.to_s.strip.empty?
+      error_msg << 'tenant_slug_header_name is required' if tenant_slug_header_name.to_s.strip.empty?
+      error_msg << 'user_id_header_name is required' if user_id_header_name.to_s.strip.empty?
+      return unless error_msg.any?
+
+      raise ConfigurationError,
+            "#{error_msg.join(' and ')} when require_authentication_headers is true"
+    end
+
+    def validate_circuit_breaker_settings!
+      return unless circuit_breaker_enabled?
+
+      if circuit_breaker_failure_threshold.to_i <= 0
+        raise ConfigurationError, 'circuit_breaker_failure_threshold must be greater than 0'
+      end
+
+      return if circuit_breaker_cooldown_seconds.to_i >= 0
+
+      raise ConfigurationError, 'circuit_breaker_cooldown_seconds must be greater than or equal to 0'
+    end
   end
 end

data/lib/rack_jwt_aegis/jwt_validator.rb

@@ -101,7 +101,10 @@ module RackJwtAegis
       required_claims << @config.payload_key(:subdomain) if @config.validate_subdomain?
       required_claims << @config.payload_key(:tenant_id) if @config.validate_tenant_id?
       required_claims << @config.payload_key(:pathname_slugs) if @config.validate_pathname_slug?
+      required_claims << @config.payload_key(:tenant_id) if @config.require_authentication_headers?
+      required_claims << @config.payload_key(:tenant_slug) if @config.require_authentication_headers?
       required_claims << @config.payload_key(:role_ids) if @config.rbac_enabled?
+      required_claims += [:exp, :iat] if @config.require_expiration_claims?
 
       missing_claims = required_claims.select { |claim| payload[claim.to_s].to_s.empty? }
       return if missing_claims.empty?
@@ -128,6 +131,25 @@ module RackJwtAegis
         end
       end
 
+      if @config.require_authentication_headers?
+        tenant_id = payload[@config.payload_key(:tenant_id).to_s]
+        if tenant_id.to_s.empty? || (!tenant_id.is_a?(Numeric) && !tenant_id.is_a?(String))
+          raise AuthenticationError, 'Invalid tenant_id format in JWT payload'
+        end
+
+        tenant_slug = payload[@config.payload_key(:tenant_slug).to_s]
+        if tenant_slug.to_s.empty? || !tenant_slug.is_a?(String)
+          raise AuthenticationError, 'Invalid tenant_slug format in JWT payload'
+        end
+      end
+
+      if @config.require_expiration_claims?
+        ['exp', 'iat'].each do |claim|
+          value = payload[claim]
+          raise AuthenticationError, "Invalid #{claim} format in JWT payload" unless value.is_a?(Numeric)
+        end
+      end
+
       # Company group domain should be string (if present)
       if @config.validate_subdomain?
         subdomain = payload[@config.payload_key(:subdomain).to_s]

data/lib/rack_jwt_aegis/middleware.rb

@@ -24,7 +24,7 @@ module RackJwtAegis
   #     validate_subdomain: true,
   #     rbac_enabled: true,
   #     cache_store: :redis,
-  #     skip_paths: ['/health', '/api/public/*']
+  #     skip_routes: [{ path: '/health' }, { path: '/api/v1/sessions', verbs: [:post] }]
   #   }
   class Middleware
     include DebugLogger
@@ -43,6 +43,7 @@ module RackJwtAegis
       @rbac_manager = RbacManager.new(@config) if @config.rbac_enabled?
       @response_builder = ResponseBuilder.new(@config)
       @request_context = RequestContext.new(@config)
+      @circuit_breaker = build_circuit_breaker
 
       debug_log("Middleware initialized with features: #{enabled_features}")
     end
@@ -58,10 +59,15 @@ module RackJwtAegis
 
       debug_log("Processing request: #{request.request_method} #{request.path}")
 
-      # Step 1: Check if path should be skipped
-      if @config.skip_path?(request.path)
-        debug_log("Skipping authentication for path: #{request.path}")
-        return @app.call(env)
+      unless circuit_allows_request?
+        debug_log('Circuit breaker open; failing fast')
+        return @response_builder.error_response('Circuit breaker open', 503)
+      end
+
+      # Step 1: Check if route should be skipped
+      if @config.skip_request?(request.path, request.request_method)
+        debug_log("Skipping authentication for route: #{request.request_method} #{request.path}")
+        return call_app(env)
       end
 
       begin
@@ -101,7 +107,7 @@ module RackJwtAegis
         debug_log('Request context set successfully')
 
         # Continue to application
-        @app.call(env)
+        call_app(env)
       rescue AuthenticationError => e
         debug_log("Authentication failed: #{e.message}")
         @response_builder.unauthorized_response(e.message)
@@ -109,6 +115,7 @@ module RackJwtAegis
         debug_log("Authorization failed: #{e.message}")
         @response_builder.forbidden_response(e.message)
       rescue StandardError => e
+        record_circuit_failure
         debug_log("Unexpected error: #{e.message}")
         if @config.debug_mode?
           @response_builder.error_response("Internal error: #{e.message}", 500)
@@ -144,7 +151,31 @@ module RackJwtAegis
     #
     # @return [Boolean] true if subdomain or pathname slug validation is enabled
     def multi_tenant_enabled?
-      @config.validate_tenant_id? || @config.validate_subdomain? || @config.validate_pathname_slug?
+      @config.validate_tenant_id? || @config.validate_subdomain? || @config.validate_pathname_slug? ||
+        @config.require_authentication_headers?
+    end
+
+    def build_circuit_breaker
+      return nil unless @config.circuit_breaker_enabled?
+
+      CircuitBreaker.new(
+        failure_threshold: @config.circuit_breaker_failure_threshold,
+        cooldown_seconds: @config.circuit_breaker_cooldown_seconds,
+      )
+    end
+
+    def circuit_allows_request?
+      @circuit_breaker.nil? || @circuit_breaker.allow_request?
+    end
+
+    def call_app(env)
+      response = @app.call(env)
+      @circuit_breaker&.record_success
+      response
+    end
+
+    def record_circuit_failure
+      @circuit_breaker&.record_failure
     end
 
     # Generate a string describing enabled features for logging
@@ -155,6 +186,8 @@ module RackJwtAegis
       features << 'TenantId' if @config.validate_tenant_id?
       features << 'Subdomain' if @config.validate_subdomain?
       features << 'PathnameSlug' if @config.validate_pathname_slug?
+      features << 'StrictHeaders' if @config.require_authentication_headers?
+      features << 'CircuitBreaker' if @config.circuit_breaker_enabled?
       features << 'RBAC' if @config.rbac_enabled?
       features.join(', ')
     end

data/lib/rack_jwt_aegis/multi_tenant_validator.rb

@@ -33,6 +33,7 @@ module RackJwtAegis
     # @param payload [Hash] the JWT payload containing tenant information
     # @raise [AuthorizationError] if tenant validation fails
     def validate(request, payload)
+      validate_authentication_headers(request, payload)
       validate_subdomain(request, payload)
       validate_pathname_slug(request, payload)
       validate_tenant_id_header(request, payload)
@@ -40,6 +41,34 @@ module RackJwtAegis
 
     private
 
+    def validate_authentication_headers(request, payload)
+      return unless @config.require_authentication_headers?
+
+      validate_header_claim_match(
+        request,
+        payload,
+        header_name: @config.tenant_id_header_name,
+        claim_name: @config.payload_key(:tenant_id),
+        label: 'tenant id',
+      )
+
+      validate_header_claim_match(
+        request,
+        payload,
+        header_name: @config.tenant_slug_header_name,
+        claim_name: @config.payload_key(:tenant_slug),
+        label: 'tenant slug',
+      )
+
+      validate_header_claim_match(
+        request,
+        payload,
+        header_name: @config.user_id_header_name,
+        claim_name: @config.payload_key(:user_id),
+        label: 'user id',
+      )
+    end
+
     # Level 1 Multi-Tenant: Top-level tenant (Company-Group) validation via subdomain
     def validate_subdomain(request, payload)
       return unless @config.validate_subdomain?
@@ -75,14 +104,15 @@ module RackJwtAegis
       accessible_slugs = payload[@config.payload_key(:pathname_slugs).to_s]
 
       if accessible_slugs.nil? || !accessible_slugs.is_a?(Array) || accessible_slugs.empty?
-        raise AuthorizationError, 'JWT payload missing or invalid pathname_slugs for company access validation'
+        raise AuthorizationError, 'JWT payload missing or invalid pathname_slugs for pathname slug access validation'
       end
 
       # Check if requested company slug is in user's accessible list
       return if accessible_slugs.map(&:downcase).include?(pathname_slug)
 
+      # TODO: make this error configurable as well
       raise AuthorizationError,
-            "Company access denied: '#{pathname_slug}' not in accessible companies #{accessible_slugs}"
+            "Pathname slug access denied: '#{pathname_slug}' not in accessible pathname slugs #{accessible_slugs}"
     end
 
     # Company Group header validation (additional security layer)
@@ -101,6 +131,23 @@ module RackJwtAegis
             "Tenant id header mismatch: header '#{header_value}' does not match JWT '#{jwt_claim}'"
     end
 
+    def validate_header_claim_match(request, payload, header_name:, claim_name:, label:)
+      header_value = header_value(request, header_name)
+      raise AuthorizationError, "Required authentication header missing: #{header_name}" if header_value.empty?
+
+      jwt_claim = payload[claim_name.to_s].to_s.strip.downcase
+      raise AuthorizationError, "JWT payload missing #{claim_name} for #{label} header validation" if jwt_claim.empty?
+
+      return if header_value.eql?(jwt_claim)
+
+      raise AuthorizationError,
+            "#{label.capitalize} header mismatch: header '#{header_value}' does not match JWT '#{jwt_claim}'"
+    end
+
+    def header_value(request, header_name)
+      request.get_header("HTTP_#{header_name.upcase.tr('-', '_')}").to_s.strip.downcase
+    end
+
     def extract_subdomain(host)
       return nil if host.nil? || host.empty?
 

data/lib/rack_jwt_aegis/rbac_manager.rb

@@ -17,8 +17,6 @@ module RackJwtAegis
   class RbacManager
     include DebugLogger
 
-    CACHE_TTL = 300 # 5 minutes default cache TTL
-
     # Initialize the RBAC manager
     #
     # @param config [Configuration] the configuration instance
@@ -38,21 +36,12 @@ module RackJwtAegis
 
       # Build permission key
       permission_key = build_permission_key(user_id, request)
-
-      # Check cached permission first (if middleware can write to cache)
-      if @permission_cache && @config.cache_write_enabled?
-        cached_permission = check_cached_permission(permission_key)
-        return if cached_permission == true
-
-        raise AuthorizationError, 'Access denied - cached permission' if cached_permission == false
-      end
+      return if check_cached_permission(permission_key) == true
 
       # Permission not cached or cache miss - check RBAC store
       has_permission = check_rbac_permission(user_id, request)
-
       # Cache the result if middleware has write access
       cache_permission_result(permission_key, has_permission)
-
       return if has_permission
 
       raise AuthorizationError, 'Access denied - insufficient permissions'
@@ -61,25 +50,15 @@ module RackJwtAegis
     private
 
     def setup_cache_adapters
-      if @config.cache_write_enabled? && @config.cache_store
-        # Shared cache mode - both RBAC and permission cache use same store
-        @rbac_cache = CacheAdapter.build(@config.cache_store, @config.cache_options || {})
-        @permission_cache = @rbac_cache
-      else
-        # Separate cache mode - different stores for RBAC and permissions
-        if @config.rbac_cache_store
-          @rbac_cache = CacheAdapter.build(@config.rbac_cache_store, @config.rbac_cache_options || {})
-        end
+      return unless @config.rbac_enabled
 
-        if @config.permission_cache_store
-          @permission_cache = CacheAdapter.build(@config.permission_cache_store, @config.permission_cache_options || {})
-        end
+      begin
+        @rbac_cache = CacheAdapter.build(@config.rbac_cache_store, @config.rbac_cache_store_options || {})
+        @permissions_cache = CacheAdapter.build(@config.permissions_cache_store,
+                                                @config.permissions_cache_store_options || {})
+      rescue ConfigurationError
+        raise ConfigurationError, 'RBAC cache store not configured'
       end
-
-      # Ensure we have at least RBAC cache for permission lookups
-      return if @rbac_cache
-
-      raise ConfigurationError, 'RBAC cache store not configured'
     end
 
     def build_permission_key(user_id, request)
@@ -87,11 +66,11 @@ module RackJwtAegis
     end
 
     def check_cached_permission(permission_key)
-      return nil unless @permission_cache
+      return nil unless @permissions_cache
 
       begin
         # Get the cached user permissions
-        user_permissions = @permission_cache.read('user_permissions')
+        user_permissions = @permissions_cache.read('user_permissions')
         return nil if user_permissions.nil? || !user_permissions.is_a?(Hash)
 
         # First check: If RBAC permissions were updated recently, nuke ALL cached permissions
@@ -100,7 +79,7 @@ module RackJwtAegis
           rbac_update_age = Time.now.to_i - rbac_last_update
 
           # If RBAC was updated within the TTL period, all cached permissions are invalid
-          if rbac_update_age <= @config.user_permissions_ttl
+          if rbac_update_age <= @config.cached_permissions_ttl
             nuke_user_permissions_cache("RBAC permissions updated recently (#{rbac_update_age}s ago, within TTL)")
             return nil
           end
@@ -113,10 +92,10 @@ module RackJwtAegis
         permission_age = Time.now.to_i - cached_timestamp
 
         # Second check: TTL expiration
-        if permission_age > @config.user_permissions_ttl
+        if permission_age > @config.cached_permissions_ttl
           # This specific permission expired due to TTL
           remove_stale_permission(permission_key,
-                                  "TTL expired (#{permission_age}s > #{@config.user_permissions_ttl}s)")
+                                  "TTL expired (#{permission_age}s > #{@config.cached_permissions_ttl}s)")
           return nil
         end
 
@@ -148,20 +127,20 @@ module RackJwtAegis
     end
 
     def cache_permission_result(permission_key, has_permission)
-      return unless @permission_cache
+      return unless @permissions_cache
       return unless has_permission # Only cache positive permissions
 
       begin
         current_time = Time.now.to_i
 
         # Get existing user permissions cache or create new one
-        user_permissions = @permission_cache.read('user_permissions') || {}
+        user_permissions = @permissions_cache.read('user_permissions') || {}
 
         # Store permission with new format: {"user_id:full_url:method" => timestamp}
         user_permissions[permission_key] = current_time
 
         # Write back to cache
-        @permission_cache.write('user_permissions', user_permissions, expires_in: CACHE_TTL)
+        @permissions_cache.write('user_permissions', user_permissions, expires_in: @config.cached_permissions_ttl)
 
         debug_log("Cached permission: #{permission_key} => #{current_time}")
       rescue CacheError => e
@@ -191,9 +170,7 @@ module RackJwtAegis
         next unless matched_permission
 
         # Cache this specific permission match for faster future lookups
-        if @permission_cache && @config.cache_write_enabled?
-          cache_permission_match(user_id, request, role_id, matched_permission)
-        end
+        cache_matched_permission(user_id, request)
         return true
       end
 
@@ -219,10 +196,10 @@ module RackJwtAegis
 
     # Remove a specific stale permission
     def remove_stale_permission(permission_key, reason)
-      return unless @permission_cache
+      return unless @permissions_cache
 
       begin
-        user_permissions = @permission_cache.read('user_permissions')
+        user_permissions = @permissions_cache.read('user_permissions')
         return unless user_permissions.is_a?(Hash)
 
         # Remove the specific permission key
@@ -230,11 +207,11 @@ module RackJwtAegis
 
         # If no permissions remain, remove the entire cache
         if user_permissions.empty?
-          @permission_cache.delete('user_permissions')
+          @permissions_cache.delete('user_permissions')
           debug_log("Removed last permission, cleared entire cache: #{reason}")
         else
           # Update the cache with the modified permissions
-          @permission_cache.write('user_permissions', user_permissions, expires_in: CACHE_TTL)
+          @permissions_cache.write('user_permissions', user_permissions, expires_in: @config.cached_permissions_ttl)
           debug_log("Removed stale permission #{permission_key}: #{reason}")
         end
       rescue CacheError => e
@@ -244,10 +221,10 @@ module RackJwtAegis
 
     # Nuke (delete) the entire user permissions cache
     def nuke_user_permissions_cache(reason)
-      return unless @permission_cache
+      return unless @permissions_cache
 
       begin
-        @permission_cache.delete('user_permissions')
+        @permissions_cache.delete('user_permissions')
         debug_log("Nuked user permissions cache: #{reason}")
       rescue CacheError => e
         debug_log("RbacManager cache nuke error: #{e.message}", :warn)
@@ -290,27 +267,18 @@ module RackJwtAegis
 
     # Cache the specific permission match for faster future lookups
     # Format: {"user_id:full_url:method" => timestamp}
-    def cache_permission_match(user_id, request, _role_id, _matched_permission)
-      return unless @permission_cache
+    def cache_matched_permission(user_id, request)
+      return unless @permissions_cache
 
       begin
         current_time = Time.now.to_i
-
-        # Build the permission key in new format
-        host = request.host || 'localhost'
-        full_url = "#{host}#{request.path}"
-        method = request.request_method.downcase
-        permission_key = "#{user_id}:#{full_url}:#{method}"
-
+        permission_key = "#{user_id}:#{request.host}#{request.path}:#{request.request_method.downcase}"
         # Get existing user permissions cache or create new one
-        user_permissions = @permission_cache.read('user_permissions') || {}
-
+        user_permissions = @permissions_cache.read('user_permissions') || {}
         # Store permission with new format
         user_permissions[permission_key] = current_time
-
         # Write back to cache
-        @permission_cache.write('user_permissions', user_permissions, expires_in: CACHE_TTL)
-
+        @permissions_cache.write('user_permissions', user_permissions, expires_in: @config.cached_permissions_ttl)
         debug_log("Cached user permission: #{permission_key} => #{current_time}")
       rescue CacheError => e
         # Log cache error but don't fail the request

data/lib/rack_jwt_aegis/request_context.rb

@@ -24,6 +24,7 @@ module RackJwtAegis
     USER_ID_KEY = 'rack_jwt_aegis.user_id'
     TENANT_ID_KEY = 'rack_jwt_aegis.tenant_id'
     SUBDOMAIN_KEY = 'rack_jwt_aegis.subdomain'
+    TENANT_SLUG_KEY = SUBDOMAIN_KEY
     PATHNAME_SLUGS_KEY = 'rack_jwt_aegis.pathname_slugs'
     AUTHENTICATED_KEY = 'rack_jwt_aegis.authenticated'
 
@@ -84,6 +85,10 @@ module RackJwtAegis
       env[TENANT_ID_KEY]
     end
 
+    def self.tenant_slug(env)
+      env[TENANT_SLUG_KEY]
+    end
+
     def self.subdomain(env)
       env[SUBDOMAIN_KEY]
     end
@@ -100,6 +105,10 @@ module RackJwtAegis
       tenant_id(request.env)
     end
 
+    def self.current_tenant_slug(request)
+      tenant_slug(request.env)
+    end
+
     def self.has_pathname_slug_access?(env, pathname_slug)
       pathname_slugs(env).include?(pathname_slug)
     end
@@ -112,7 +121,11 @@ module RackJwtAegis
 
     def set_tenant_context(env, payload)
       # Set multi-tenant information
-      env[TENANT_ID_KEY] = payload[@config.payload_key(:tenant_id).to_s] if @config.validate_tenant_id?
+      if @config.validate_tenant_id? || @config.require_authentication_headers?
+        env[TENANT_ID_KEY] =
+          payload[@config.payload_key(:tenant_id).to_s]
+      end
+      env[SUBDOMAIN_KEY] = payload[@config.payload_key(:tenant_slug).to_s] if @config.require_authentication_headers?
       env[SUBDOMAIN_KEY] = payload[@config.payload_key(:subdomain).to_s] if @config.validate_subdomain?
       return unless @config.validate_pathname_slug? || @config.payload_mapping.key?(:pathname_slugs)
 

data/lib/rack_jwt_aegis/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module RackJwtAegis
-  VERSION = '1.1.0'
+  VERSION = '1.1.1'
 end

data/lib/rack_jwt_aegis.rb

@@ -3,6 +3,7 @@
 require_relative 'rack_jwt_aegis/version'
 require_relative 'rack_jwt_aegis/configuration'
 require_relative 'rack_jwt_aegis/debug_logger'
+require_relative 'rack_jwt_aegis/circuit_breaker'
 require_relative 'rack_jwt_aegis/middleware'
 require_relative 'rack_jwt_aegis/jwt_validator'
 require_relative 'rack_jwt_aegis/multi_tenant_validator'
@@ -23,7 +24,7 @@ require_relative 'rack_jwt_aegis/response_builder'
 # - RBAC with flexible permission caching
 # - Multiple cache adapter support (Memory, Redis, Memcached, SolidCache)
 # - Request context management
-# - Configurable skip paths and custom validators
+# - Configurable skip routes and custom validators
 #
 # @example Basic usage
 #   use RackJwtAegis::Middleware, jwt_secret: ENV['JWT_SECRET']
@@ -34,8 +35,6 @@ require_relative 'rack_jwt_aegis/response_builder'
 #     validate_subdomain: true,
 #     validate_pathname_slug: true,
 #     rbac_enabled: true,
-#     cache_store: :redis,
-#     cache_write_enabled: true
 #   }
 module RackJwtAegis
   # Base error class for all RackJwtAegis exceptions

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack_jwt_aegis
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Ken C. Demanawa
@@ -43,6 +43,26 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: ratomic
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.4.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.4.1
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.5'
 description: |-
   JWT authentication and authorization midleware with multi-tenant suport,\
    company validation, and subdomain isolation.
@@ -54,6 +74,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".rubocop.yml"
+- ".ruby-version"
 - ".yardopts"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
@@ -66,6 +87,7 @@ files:
 - exe/rack_jwt_aegis
 - lib/rack_jwt_aegis.rb
 - lib/rack_jwt_aegis/cache_adapter.rb
+- lib/rack_jwt_aegis/circuit_breaker.rb
 - lib/rack_jwt_aegis/configuration.rb
 - lib/rack_jwt_aegis/debug_logger.rb
 - lib/rack_jwt_aegis/jwt_validator.rb