RubyGems - silkey-sdk - Versions diffs - 0.0.5 → 0.1.0 - Mend

silkey-sdk 0.0.5 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

checksums.yaml +4 -4
data/.rubocop.yml +1 -1
data/CHANGELOG.md +15 -0
data/DEVELOPMENT.md +1 -0
data/Gemfile.lock +1 -1
data/README.md +25 -13
data/lib/silkey-sdk.rb +3 -4
data/lib/silkey/models/jwt_payload.rb +44 -41
data/lib/silkey/models/settings.rb +34 -0
data/lib/silkey/models/sso_params.rb +42 -0
data/lib/silkey/sdk.rb +48 -136
data/lib/silkey/services/verifier.rb +190 -0
data/lib/silkey/utils.rb +6 -0
data/lib/silkey/version.rb +1 -1
metadata +6 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eeeeebc639645d5bcc3e594cd5c65348b2feecd7036b45d861ba236b33812f49
-  data.tar.gz: 01eaf4cfb5e687676bc423b95d96557aeb770ec242aa9ecb6c22552b46b37ae2
+  metadata.gz: ac39da25efe706b56abfda8f580295dc0d0c7734ce83ccc13130b85cce5a1e22
+  data.tar.gz: 86744220f6d4e5ee274c1c451cc5be9591a60f240a5a2fc871d5fc3794d71988
 SHA512:
-  metadata.gz: a8f1471fdb9264ff918ceb15a4dec2ad794263611a1d814ca107f8f15c0e6e26f392dbc5afa3e0a8f431532f3e019cf784f4aac96998ab3832da1d3325a481e4
-  data.tar.gz: 4658e8d81cc57b104e634c091358519956a6b271af4f36d3a19f811f2fceaa76feacd29917dd5f554d278f2b25f56f5412b7ef6afe5baa652a03c3f25435b94f
+  metadata.gz: b634f6d573b002484a32a02059b730b5cd9184d93de5aaa67d9df981d833269845df561394444d239ea327ac653e68d2ffda4fa36a05e680b73e34d67384a065
+  data.tar.gz: 4024009b029a6d8aa45b7beb9d79a2d61c677d761d94ba79234539dc1aac9fe43e729735bd2df58b86cdfdcb8085c2fbbf70018624fbbb5504d9c85132c0ed22

data/.rubocop.yml CHANGED

@@ -32,7 +32,7 @@ Metrics/BlockLength:
   ExcludedMethods: ['describe', 'context', 'let']
 Layout/LineLength:
-  Max: 100
+  Max: 120
 Metrics/ClassLength:
   Max: 150

data/CHANGELOG.md CHANGED

@@ -4,6 +4,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [0.1.0] - 2021-01-03
+### Added
+- additional verification for token:
+    - verify token age
+    - verify sso params
+    - website signature
+- support for migration
+- settings model for jwt and sso params
+### Changed
+- all SSO params have prefix `sso`
+### Removed
+- `refId` is not longer part of token
 ## [0.0.5] - 2020-12-15
 ### Changed
 - add `0x` to signature to be compatible with JS and not throw `signature missing v and recoveryParam` error

data/DEVELOPMENT.md CHANGED

@@ -47,6 +47,7 @@ Silkey::RegistryContract.get_address('Name')
 ```bash
 bundle exec rspec
 bundle exec rubocop --fix
+bundle exec rubocop --auto-correct-all
 ```
 #### Init setup environment

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    silkey-sdk (0.0.5)
+    silkey-sdk (0.1.0)
       activesupport (~> 6.0)
       eth (~> 0.4.12)
       ethereum.rb (~> 2.5)

data/README.md CHANGED

@@ -27,31 +27,43 @@ end
 #### Making request
-| Parameter        | Required  | Type     | Desc
-| ---------------- |:---------:| -------- | -----
-| signature        | yes       | string   | Domain owner signature
-| ssoTimestamp     | yes       | number   | Time of signing SSO request
-| redirectUrl      | yes       | string   | Where to redirect user with token after sign in
-| cancelUrl        | yes       | string   | Where to redirect user on error
-| redirectMethod   | no        | GET/POST | How to redirect user after sign in, default is POST
-| refId            | no        | string   | It will be return with user token, you may use it to identify request
-| scope            | no        | string   | Scope of data to return in a token payload: `id` (default) returns only user address, `email` returns address + email
+| Parameter         | Required  | Type     | Desc
+| ----------------- |:---------:| -------- | -----
+| ssoSignature      | yes       | string   | Domain owner signature
+| ssoTimestamp      | yes       | number   | Time of signing SSO request
+| ssoRedirectUrl    | yes       | string   | Where to redirect user with token after sign in
+| ssoCancelUrl      | yes       | string   | Where to redirect user on error
+| ssoRedirectMethod | no        | GET/POST | How to redirect user after sign in, default is POST
+| ssoRefId          | no        | string   | Any value, you may use it to identify request
+| ssoScope          | no        | string   | Scope of data to return in a token payload: `id` (default) returns only user address, `email` returns address + email
 ```rb
-params = { redirectUrl: 'https://your-website', refId: '12ab' }
+params = { ssoRedirectUrl: 'https://your-website', ssoRefId: '12ab' }
 sso_params = Silkey::SDK.generate_sso_request_params(private_key, params)
 ```
 #### On request callback page
-`token` - get if from request params (it can be send via POST or GET, based on `redirectMethod`)
+Callback will be done via POST (default) or GET, based on `ssoRedirectMethod`.
+Callback params contains:
+- sso parameters that were used to make SSO call
+- `token`.
+`token` - get if from request params
+`ssoRequestParams` - get if from request params (it can be send via POST or GET, based on `ssoRedirectMethod`)
 ```rb
-silkey_public_key = Silkey::SDK.fetch_silkey_public_key
-Silkey::SDK.token_payload_verifier(token, silkey_public_key)
+silkey_eth_address = Silkey::SDK.fetch_silkey_eth_address
+Silkey::SDK.token_payload_verifier(token, silkey_eth_address)
 ```
+## Recommendations and Migration
+See [recommendation and migration](https://github.com/Silkey-Team/silkey-sdk#recommendations) sections on main SDK package.
 ## License
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/lib/silkey-sdk.rb CHANGED

@@ -1,14 +1,10 @@
 require 'eth'
 require 'ethereum.rb'
-# require 'json'
 require 'jwt'
 require 'logger'
 require 'pry'
-#require 'active_support'
-#require 'active_support/core_ext/module'
 require 'virtus_convert'
 require 'virtus'
-# require 'retriable'
 require 'silkey'
 require_relative 'silkey/contract'
@@ -16,7 +12,10 @@ require_relative 'silkey/configuration'
 require_relative 'silkey/factories/client_factory'
 require_relative 'silkey/factories/contract_factory'
 require_relative 'silkey/models/jwt_payload'
+require_relative 'silkey/models/settings'
+require_relative 'silkey/models/sso_params'
 require_relative 'silkey/services/logger_service'
+require_relative 'silkey/services/verifier'
 require_relative 'silkey/sdk'
 require_relative 'silkey/utils'

data/lib/silkey/models/jwt_payload.rb CHANGED

@@ -2,28 +2,36 @@
 module Silkey
   module Models
+    ##
+    # Generates message to sign based on plain object data (keys => values)
+    #
+    # @param email [string] verified email of the user
+    #   IMPORTANT: if email in user profile is different, you should always update it with this one.
+    #
+    # @param scope [string]
+    # @param address [string] ID of the user, this is also valid ethereum address, use this to identify user
+    # @param userSignature [string] proof that request came from the user
+    # @param userSignatureTimestamp [number] time when signature was crated
+    # @param silkeySignature [string] proof that Silkey verified the email
+    # @param silkeySignatureTimestamp [number] time when signature was crated
+    # @param migration [boolean] true if user started migration to Silkey
+    #
     class JwtPayload
       include Virtus.model
-      SCOPE_DIVIDER = ','
       # rubocop:disable Style/HashSyntax
-      attribute :address, String, :writer => :private
       attribute :email, String, :writer => :private
+      attribute :_scope, {}, :writer => :private, :reader => :private
+      attribute :address, String, :writer => :private
       attribute :silkey_signature, String, :writer => :private
-      attribute :silkey_signature_timestamp, Integer
+      attribute :silkey_signature_timestamp, Integer, :default => 0
       attribute :user_signature, String, :writer => :private
-      attribute :user_signature_timestamp, Integer
-      attribute :ref_id, String, :writer => :private
-      attribute :_scope, {}, :writer => :private, :reader => :private
+      attribute :user_signature_timestamp, Integer, :default => 0
+      attribute :migration, Boolean, :writer => :private, :default => false
       # rubocop:enable Style/HashSyntax
       def scope
-        _scope.keys.sort.join(SCOPE_DIVIDER)
-      end
-      def scope_divider
-        SCOPE_DIVIDER
+        _scope.keys.sort.join(Silkey::Settings.SCOPE_DIVIDER)
       end
       # rubocop:disable Naming/AccessorMethodName
@@ -46,8 +54,8 @@ module Silkey
         self
       end
-      def set_ref_id(ref_id)
-        self.ref_id = ref_id
+      def set_migrations(migrating)
+        self.migration = migrating
         self
       end
@@ -70,17 +78,22 @@ module Silkey
       end
       # rubocop:enable Naming/AccessorMethodName
+      # rubocop:disable Metrics/AbcSize
+      #
       ##
       #  Creates message that's need to be sign by user
       def message_to_sign_by_user
-        if !Silkey::Utils.empty?(address) && Silkey::Utils.empty?(user_signature_timestamp)
-          self.user_signature_timestamp = Silkey::Utils.current_timestamp
-        end
-        return pack_payload_to_hex if Silkey::Utils.empty?(user_signature_timestamp)
-        "#{pack_payload_to_hex}#{Silkey::Utils.int_to_hex(user_signature_timestamp.to_s)}"
+        data = {
+          address: Silkey::Utils.strings_to_hex(['address']) + Silkey::Utils.remove0x(address).downcase,
+          migration: Silkey::Utils.strings_to_hex(['migration']) + (migration ? '01' : '00'),
+          scope: Silkey::Utils.strings_to_hex(['scope', scope]),
+          userSignatureTimestamp: Silkey::Utils.strings_to_hex(['userSignatureTimestamp']) +
+                                  Silkey::Utils.int_to_hex(user_signature_timestamp)
+        }
+        data.keys.sort.map { |k| data[k] }.join('')
       end
+      # rubocop:enable Metrics/AbcSize
       def message_to_sign_by_silkey
         return '' if Silkey::Utils.empty?(email)
@@ -89,33 +102,28 @@ module Silkey
           self.silkey_signature_timestamp = Silkey::Utils.current_timestamp
         end
-        str_hex = [
-          'email', email,
-          'silkeySignatureTimestamp'
-        ].map { |str| str.to_s.unpack('H*') }.join('')
-        "#{str_hex}#{Silkey::Utils.int_to_hex(silkey_signature_timestamp.to_s)}"
+        "#{email.to_s.unpack('H*')[0]}#{Silkey::Utils.int_to_hex(silkey_signature_timestamp)}"
       end
       def validate
         raise "address is invalid: #{address}" unless Silkey::Utils.ethereum_address?(address)
-        unless Silkey::Utils.signature?(user_signature)
-          raise "user_signature is invalid: #{user_signature}"
-        end
+        raise "user_signature is invalid: #{user_signature}" unless Silkey::Utils.signature?(user_signature)
-        raise 'user_signature_timestamp is empty' if Silkey::Utils.empty?(user_signature_timestamp)
+        raise 'user_signature_timestamp is invalid' unless Silkey::Utils.timestamp?(user_signature_timestamp)
         return self if Silkey::Utils.empty?(scope) || scope == 'id'
         validate_scope_email
       end
-      def import(hash)
-        hash.each do |k, v|
+      def import(data = {})
+        return data if data.is_a?(Silkey::Models::JwtPayload)
+        data.each do |k, v|
           var = k.to_s.underscore
-          if k == 'scope'
+          if var == 'scope'
             set_scope(v)
           else
             instance_variable_set("@#{var}", v)
@@ -132,7 +140,6 @@ module Silkey
         adr_hex = Silkey::Utils.remove0x(address).downcase
         str2_hex = [
-          'refId', ref_id.to_s,
           'scope', scope,
           'userSignatureTimestamp'
         ].map { |str| str.to_s.unpack('H*') }.join('')
@@ -143,13 +150,9 @@ module Silkey
       def validate_scope_email
         raise 'email is empty' if Silkey::Utils.empty?(email)
-        unless Silkey::Utils.signature?(silkey_signature)
-          raise "silkey_signature is invalid: #{silkey_signature}"
-        end
+        raise "silkey_signature is invalid: #{silkey_signature}" unless Silkey::Utils.signature?(silkey_signature)
-        if Silkey::Utils.empty?(silkey_signature_timestamp)
-          raise 'silkey_signature_timestamp is empty'
-        end
+        raise 'silkey_signature_timestamp is invalid' unless Silkey::Utils.timestamp?(silkey_signature_timestamp)
         self
       end

data/lib/silkey/models/settings.rb ADDED

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+module Silkey # :nodoc: all
+  class Settings
+    # rubocop:disable Naming/MethodName
+    class << self
+      attr_accessor :SSO_PARAMS
+      attr_accessor :JWT
+      attr_accessor :MESSAGE_TO_SIGN_GLUE
+      attr_accessor :SCOPE_DIVIDER
+      attr_accessor :SILKEY_REGISTERED_BY_NAME
+    end
+    # rubocop:enable Naming/MethodName
+    self.SSO_PARAMS = {
+      required: %w(ssoSignature ssoRedirectUrl ssoCancelUrl ssoTimestamp),
+      optional: %w(ssoRefId ssoScope ssoRedirectMethod),
+      prefix: 'sso'
+    }
+    self.JWT = {
+      id: {
+        required: %w(address)
+      },
+      email: {
+        required: %w(address email)
+      }
+    }
+    self.MESSAGE_TO_SIGN_GLUE = '::'
+    self.SCOPE_DIVIDER = ','
+    self.SILKEY_REGISTERED_BY_NAME = 'Hades'
+  end
+end

data/lib/silkey/models/sso_params.rb ADDED

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+module Silkey
+  module Models
+    class SSOParams
+      attr_accessor :params
+      def initialize(params = {})
+        @params = params
+      end
+      def sign(private_key)
+        params[:ssoTimestamp] = Utils.current_timestamp unless Utils.timestamp?(params[:ssoTimestamp])
+        params[:ssoSignature] = Silkey::Utils.sign_message(private_key, SDK.message_to_sign(params))
+        self
+      end
+      def required_present?
+        Silkey::Settings.SSO_PARAMS[:required].all? do |k|
+          if Silkey::Utils.empty?(params[k.to_sym])
+            Silkey::LoggerService.warn(
+              "Missing #{k}. This parameters are required for Silkey SSO: " +
+                Silkey::Settings.SSO_PARAMS[:required].join(', ')
+            )
+            return false
+          end
+          true
+        end
+      end
+      def validate
+        raise 'Missing required params' unless required_present?
+        self
+      end
+    end
+  end
+end

data/lib/silkey/sdk.rb CHANGED

@@ -3,6 +3,8 @@
 module Silkey
   class SDK
     class << self
+      SSO_PARAMS_PREFIX = 'sso'
       ##
       # Generates message to sign based on plain object data (keys => values)
       #
@@ -12,20 +14,22 @@ module Silkey
       #
       # @example:
       #
-      #   Silkey::SDK.message_to_sign({ redirectUrl: 'http://silkey.io', refId: 1 });
+      #   Silkey::SDK.message_to_sign({ ssoRedirectUrl: 'http://silkey.io', ssoCancelUrl: 'http://silkey.io/fail' });
       #
       # returns
       #
-      #   'redirectUrl=http://silkey.io::refId=1'
+      #   'ssoRedirectUrl=http://silkey.io::ssoCancelUrl=http://silkey.io/fail'
       #
       def message_to_sign(to_sign = {})
         msg = []
         to_sign.keys.sort.each do |k|
-          msg.push("#{k}=#{to_sign[k]}") unless to_sign[k].nil?
+          if 'ssoSignature'.to_sym != k && k[0..SSO_PARAMS_PREFIX.length - 1] == SSO_PARAMS_PREFIX && !to_sign[k].nil?
+            msg.push("#{k}=#{to_sign[k]}")
+          end
         end
-        msg.join('&')
+        msg.join(Silkey::Settings.MESSAGE_TO_SIGN_GLUE)
       end
       ##
@@ -33,12 +37,11 @@ module Silkey
       #
       # @param private_key [string] secret private key of domain owner
       #
-      # @param result [Hash] Hash object with parameters:
-      #   - redirectUrl*,
-      #   - cancelUrl*,
-      #   - redirectMethod,
-      #   - refId,
-      #   - scope,
+      # @param data_to_sign [Hash] Hash object with parameters:
+      #   - ssoRedirectUrl*,
+      #   - ssoCancelUrl*,
+      #   - ssoRedirectMethod,
+      #   - ssoScope,
       #   - ssoTimestamp
       #   marked with * are required by Silkey
       #
@@ -48,25 +51,13 @@ module Silkey
       #
       # @example
       #
-      #   data = { redirectUrl: 'https://your-website', refId: '12ab' }
+      #   data = { ssoRedirectUrl: 'https://your-website', ssoRefId: '12ab' }
       #   Silkey::SDK.generate_sso_request_params(private_key, data)
       #
       def generate_sso_request_params(private_key, data_to_sign)
-        result = data_to_sign.clone
         raise '`private_key` is empty' if Silkey::Utils.empty?(private_key)
-        assert_required_soo_params(result)
-        if Silkey::Utils.empty?(result[:ssoTimestamp])
-          result[:ssoTimestamp] = Silkey::Utils.current_timestamp
-        end
-        result[:scope] = 'id' if Silkey::Utils.empty?(result[:scope])
-        message = message_to_sign(result)
-        result[:signature] = Silkey::Utils.sign_message(private_key, message)
-        result
+        Silkey::Models::SSOParams.new(data_to_sign.clone).sign(private_key).validate.params
       end
       ##
@@ -76,7 +67,13 @@ module Silkey
       #
       # @param token [string] JWT token returned by Silkey
       #
-      # @param silkey_public_key [string] public ethereum address of Silkey
+      # @param callback_params [string] params used to do SSO call
+      #
+      # @param website_eth_address [string] public ethereum address of website owner
+      #
+      # @param silkey_eth_address [string] public ethereum address of Silkey
+      #
+      # @param expiration_time [number] expiration time of token in seconds
       #
       # @return [JwtPayload|null] null when signature(s) are invalid, otherwise token payload
       #
@@ -87,19 +84,33 @@ module Silkey
       #   Silkey::SDK.token_payload_verifier(
       #     'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG'\
       #     '9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
-      #     Silkey::SDK.fetch_silkey_public_key
+      #     {ssoSignature: '...', ...},
+      #     website_eth_address,
+      #     Silkey::SDK.fetch_silkey_eth_address
       #   )
       #
-      def token_payload_verifier(token, silkey_public_key = nil)
+      def token_payload_verifier(token,
+                                 callback_params,
+                                 website_eth_address,
+                                 silkey_eth_address = nil,
+                                 expiration_time = 30)
         payload = token_payload(token)
-        if silkey_signature_valid?(payload, silkey_public_key) != false &&
-           user_signature_valid?(payload) != false
-          return Silkey::Models::JwtPayload.new.import(payload)
-        end
+        return nil unless Verifier.valid_age?(payload, expiration_time)
-        nil
-      rescue # rubocop:disable Style/RescueStandardError
+        return nil if Silkey::Verifier.user_signature_valid?(payload) == false
+        return nil if Silkey::Verifier.silkey_signature_valid?(payload, silkey_eth_address) == false
+        return nil if Silkey::Verifier.website_signature_valid?(callback_params, website_eth_address) == false
+        jwt_payload = Silkey::Models::JwtPayload.new.import(payload)
+        Silkey::Verifier.require_params_for_scope(jwt_payload.scope, jwt_payload.attributes)
+        jwt_payload
+      rescue StandardError => e
+        logger.warn(e.full_message)
         nil
       end
@@ -109,121 +120,22 @@ module Silkey
       #
       # @see List of Silkey contracts addresses: https://github.com/Silkey-Team/silkey-sdk#silkey-sdk
       #
-      def fetch_silkey_public_key
-        public_key = Silkey::RegistryContract.get_address('Hades')
+      def fetch_silkey_eth_address
+        silkey_address = Silkey::RegistryContract.get_address(Silkey::Settings.SILKEY_REGISTERED_BY_NAME)
-        raise "Invalid public key: #{public_key}" unless Silkey::Utils.ethereum_address?(public_key)
+        raise "Invalid silkey address: #{silkey_address}" unless Silkey::Utils.ethereum_address?(silkey_address)
-        public_key
+        silkey_address
       end
       private
-      def assert_required_soo_params(params)
-        raise '`redirectUrl` is empty' if Silkey::Utils.empty?(params[:redirectUrl])
-        raise '`cancelUrl` is empty' if Silkey::Utils.empty?(params[:cancelUrl])
-      end
       def token_payload(token)
         # Set password to nil and validation to false otherwise this won't work
         decoded = JWT.decode token, nil, false
         decoded[0]
       end
-      def can_validate_user_signature?(jwt_payload)
-        if Silkey::Utils.empty?(jwt_payload.address)
-          logger.warn('Verification failed, missing user address')
-          return false
-        end
-        if Silkey::Utils.empty?(jwt_payload.user_signature)
-          logger.warn('Verification failed, missing user signature')
-          return false
-        end
-        if Silkey::Utils.empty?(jwt_payload.user_signature_timestamp)
-          logger.warn('Verification failed, missing user signature timestamp ')
-          return false
-        end
-        true
-      end
-      def user_signature_valid?(payload)
-        jwt_payload = Silkey::Models::JwtPayload.new.import(payload)
-        return false unless can_validate_user_signature?(jwt_payload)
-        signer = Silkey::Utils
-                 .verify_message(jwt_payload.message_to_sign_by_user, jwt_payload.user_signature)
-        success = signer == jwt_payload.address
-        unless success
-          logger.warn("user_signature_valid?: expect #{signer} to be equal #{jwt_payload.address}")
-        end
-        success
-      rescue StandardError => e
-        logger.error(e)
-        false
-      end
-      def cant_validate_silky_signature?(jwt_payload)
-        empty_email = Silkey::Utils.empty?(jwt_payload.email)
-        empty_sig = Silkey::Utils.empty?(jwt_payload.silkey_signature)
-        empty_email && empty_sig
-      end
-      def silkey_sig_check_requirements?(jwt_payload)
-        empty_email = Silkey::Utils.empty?(jwt_payload.email)
-        empty_sig = Silkey::Utils.empty?(jwt_payload.silkey_signature)
-        if empty_email ^ empty_sig
-          logger.warn('Verification failed, missing silkey signature or email')
-          return false
-        end
-        if Silkey::Utils.empty?(jwt_payload.silkey_signature_timestamp)
-          logger.warn('Verification failed, missing silkey signature timestamp')
-          return false
-        end
-        true
-      end
-      def silkey_signature_valid?(payload, silkey_public_key)
-        jwt_payload = Silkey::Models::JwtPayload.new.import(payload)
-        return nil if cant_validate_silky_signature?(jwt_payload)
-        return false unless silkey_sig_check_requirements?(jwt_payload)
-        signer = Silkey::Utils.verify_message(
-          jwt_payload.message_to_sign_by_silkey, jwt_payload.silkey_signature
-        )
-        if Silkey::Utils.empty?(silkey_public_key)
-          logger.warn('You are using verification without checking silkey signature. '\
-                      'We strongly recommended to turn on full verification. '\
-                      'This option can be deprecated in the future')
-          return true
-        end
-        success = signer == silkey_public_key
-        unless success
-          logger.warn("silkey_signature_valid?: expect #{signer} to be equal #{silkey_public_key}")
-        end
-        success
-      rescue StandardError => e
-        logger.error(e)
-        false
-      end
       def logger
         Silkey::LoggerService
       end

data/lib/silkey/services/verifier.rb ADDED

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+module Silkey # :nodoc: all
+  class Verifier
+    class << self
+      def require_params_for_scope(scope, data)
+        scope_arr = scope_to_arr(scope)
+        scope_arr.each do |scope_key|
+          raise "scope `#{scope_key}` is not supported" unless Silkey::Settings.JWT.key?(scope_key.to_sym)
+          Silkey::Settings.JWT[scope_key.to_sym][:required].each do |item|
+            if Silkey::Utils.empty?(data[item.to_sym])
+              raise "`#{item}` parameter is required for selected scope: #{scope_key}"
+            end
+          end
+        end
+      end
+      def valid_age?(jwt_payload, expiration_time)
+        if expiration_time <= 0
+          logger.warn("You set token expiration time to #{expiration_time}. " \
+                       'That mean token age will not be verified. ' \
+                       'We strongly recommended to set expiration time between 5s - 60s for security reasons.')
+          return true
+        end
+        if expiration_time > 100
+          logger.warn("You set token expiration time to #{expiration_time}. " \
+                       'We strongly recommended to set expiration time between 5s - 30s for security reasons.')
+        end
+        age = Silkey::Utils.current_timestamp - jwt_payload.user_signature_timestamp
+        if age > expiration_time
+          logger.warn("token expired, expected age #{expiration_time}s but got #{age}s")
+          return false
+        end
+        if expiration_time.negative?
+          logger.warn('token from the future... https://www.youtube.com/watch?v=FWG3Dfss3Jc')
+          return false
+        end
+        true
+      end
+      ##
+      #
+      # @param sso_params [Hash|Silkey::Models::SSOParams.params] hash object
+      #
+      # @param website_owner_address [string]
+      #
+      # @return [boolean]
+      #
+      def website_signature_valid?(sso_params, website_owner_address)
+        if Silkey::Utils.empty?(sso_params[:ssoSignature])
+          Silkey::LoggerService.warn('ssoSignature is empty')
+          return false
+        end
+        message = Silkey::SDK.message_to_sign(sso_params)
+        signer = Silkey::Utils.verify_message(message, sso_params[:ssoSignature])
+        success = signer == website_owner_address
+        logger.warn("website_signature_valid?: expect #{signer} to be equal #{website_owner_address}") unless success
+        success
+      rescue StandardError => e
+        logger.error(e)
+        false
+      end
+      def user_signature_valid?(payload)
+        jwt_payload = Silkey::Models::JwtPayload.new.import(payload)
+        return false unless can_validate_user_signature?(jwt_payload)
+        signer = Silkey::Utils
+                 .verify_message(jwt_payload.message_to_sign_by_user, jwt_payload.user_signature)
+        success = signer == jwt_payload.address
+        logger.warn("user_signature_valid?: expect #{signer} to be equal #{jwt_payload.address}") unless success
+        success
+      rescue StandardError => e
+        logger.error(e)
+        false
+      end
+      # rubocop:disable Metrics/AbcSize
+      def silkey_signature_valid?(payload, silkey_public_key = nil)
+        jwt_payload = Silkey::Models::JwtPayload.new.import(payload)
+        return nil if cant_validate_silky_signature?(jwt_payload)
+        return false unless silkey_sig_check_requirements?(jwt_payload)
+        signer = Silkey::Utils.verify_message(
+          jwt_payload.message_to_sign_by_silkey, jwt_payload.silkey_signature
+        )
+        if Silkey::Utils.empty?(silkey_public_key)
+          logger.warn('You are using verification without checking silkey signature. '\
+                      'We strongly recommended to turn on full verification. '\
+                      'This option can be deprecated in the future')
+          return true
+        end
+        success = signer.downcase == silkey_public_key.downcase
+        logger.warn("silkey_signature_valid?: expect #{signer} to be equal #{silkey_public_key}") unless success
+        success
+      rescue StandardError => e
+        logger.error(e)
+        false
+      end
+      # rubocop:enable Metrics/AbcSize
+      private
+      def scope_to_arr(scope)
+        raise 'scope is empty' if scope.empty?
+        return scope unless scope.is_a?(String)
+        arr = scope.split(Silkey::Settings.SCOPE_DIVIDER).reduce([]) do |acc, v|
+          return acc if v.empty?
+          acc.push(v)
+        end
+        raise 'scope is empty' if arr.empty?
+        arr
+      end
+      def can_validate_user_signature?(jwt_payload)
+        if Silkey::Utils.empty?(jwt_payload.address)
+          logger.warn('Verification failed, missing user address')
+          return false
+        end
+        if Silkey::Utils.empty?(jwt_payload.user_signature)
+          logger.warn('Verification failed, missing user signature')
+          return false
+        end
+        if Silkey::Utils.empty?(jwt_payload.user_signature_timestamp)
+          logger.warn('Verification failed, missing user signature timestamp ')
+          return false
+        end
+        true
+      end
+      def cant_validate_silky_signature?(jwt_payload)
+        empty_email = Silkey::Utils.empty?(jwt_payload.email)
+        empty_sig = Silkey::Utils.empty?(jwt_payload.silkey_signature)
+        empty_email && empty_sig
+      end
+      def silkey_sig_check_requirements?(jwt_payload)
+        empty_email = Silkey::Utils.empty?(jwt_payload.email)
+        empty_sig = Silkey::Utils.empty?(jwt_payload.silkey_signature)
+        if empty_email ^ empty_sig
+          logger.warn('Verification failed, missing silkey signature or email')
+          return false
+        end
+        if Silkey::Utils.empty?(jwt_payload.silkey_signature_timestamp)
+          logger.warn('Verification failed, missing silkey signature timestamp')
+          return false
+        end
+        true
+      end
+      def logger
+        Silkey::LoggerService
+      end
+    end
+  end
+end

data/lib/silkey/utils.rb CHANGED

@@ -53,6 +53,12 @@ module Silkey
         Time.now.getutc.to_i
       end
+      def timestamp?(tmstp)
+        return false if tmstp.nil?
+        tmstp.positive? && tmstp.to_s(10).length == 10
+      end
       def int_to_hex(int)
         return '' if empty?(int)

data/lib/silkey/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Silkey
-  VERSION = '0.0.5'
+  VERSION = '0.1.0'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: silkey-sdk
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.1.0
 platform: ruby
 authors:
 - silkey.io
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-12-15 00:00:00.000000000 Z
+date: 2021-01-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -254,9 +254,12 @@ files:
 - lib/silkey/factories/client_factory.rb
 - lib/silkey/factories/contract_factory.rb
 - lib/silkey/models/jwt_payload.rb
+- lib/silkey/models/settings.rb
+- lib/silkey/models/sso_params.rb
 - lib/silkey/registry_contract/registry_contract.rb
 - lib/silkey/sdk.rb
 - lib/silkey/services/logger_service.rb
+- lib/silkey/services/verifier.rb
 - lib/silkey/utils.rb
 - lib/silkey/version.rb
 - lib/silkey_sdk.rb
@@ -267,7 +270,7 @@ licenses:
 metadata:
   bug_tracker_uri: https://github.com/Silkey-Team/ruby-sdk/issues
   changelog_uri: https://github.com/Silkey-Team/ruby-sdk/blob/master/CHANGELOG.md
-  documentation_uri: https://www.rubydoc.info/gems/silkey-sdk/0.0.5
+  documentation_uri: https://www.rubydoc.info/gems/silkey-sdk/0.1.0
   homepage_uri: https://silkey.io
   source_code_uri: https://github.com/Silkey-Team/ruby-sdk
 post_install_message: