snuffleupagus 0.0.8 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 108756d43bb84e9a10603bf720ab9a8bb12936fa
-  data.tar.gz: 72f6d67541fda70e9ee8d3c2ea8c09417cf77ed9
+SHA256:
+  metadata.gz: 2dd5c1068aff9a6379b738a87bb637659f4f14cbdf13704a2365358a4125f049
+  data.tar.gz: 86694f423f231e75df38eb99ea6b9a43c7e76156db5aff33fb518442a36064a9
 SHA512:
-  metadata.gz: 8eb8595d52ef88e2dd869347d236bc489c048d9d0fc7ce83b32a77d31b23889b37d6de9cf31a303849b075005f860ae79cf9157071ff9b5f4ce39f59cfa90ada
-  data.tar.gz: 970370c5025c5b119743fd01c31163b9b625dbb329affec325bab414d4170135e4a0835679485a70c86b0681b9b08891f1e5c38d47d38108c492dc54d0d97fb6
+  metadata.gz: b32bc530248c0e899c7cb3b99374ddb884ec2c95e1f638496c0862ea3d5afc12f0b90d5b213270ea941daadd5d66b6779841171f27760c55d4a56c2f578ce97a
+  data.tar.gz: 3ed356ebf8c56829c9a91ed1349739b4c886364b41f5e9a42689205bbd5a586f7dc16a96a3637d14512e6da16d61077b1101ab68fe7a945f6c4ab595634d9ebf

data/.rubocop.yml

@@ -1,3 +1,7 @@
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 2.5
+
 Metrics/BlockLength:
   Exclude:
     - 'spec/**/*'

data/.travis.yml

@@ -1,11 +1,10 @@
 language: ruby
 
 rvm:
-  - 2.1
-  - 2.2
-  - 2.3
-  - 2.4
   - 2.5
+  - 2.6
+  - 2.7
+  - 3.0
 
 install:
   - bundle install --retry=3

data/CHANGELOG.md

@@ -0,0 +1,53 @@
+# Changelog
+
+## Unreleased
+- none
+
+## [0.1.1](releases/tag/v0.1.1) - 2020-10-21
+### Updated
+- Use named parameters when creating and validating tokens
+
+## [0.1.1](releases/tag/v0.1.1) - 2020-10-21
+### Added
+- Add context to the create/check token to avoid replay in different contexts
+
+## [0.0.9](releases/tag/v0.0.9) - 2020-03-01
+### Fixed
+- Address CVE-2020-8130 - rake OS command injection vulnerability
+
+## [0.0.8](releases/tag/v0.0.8) - 2018-03-01
+### Added
+- Rake to gemfile dev dependencies
+
+## [0.0.7](releases/tag/v0.0.7) - 2018-03-01
+### Fixed
+- Fix missing openssl require
+
+## [0.0.6](releases/tag/v0.0.6) - 2018-03-01
+### Fixed
+- Fix Rakefile execute permission
+### Removed
+- gibberish require
+- gemfile.lock file
+
+## [0.0.5](releases/tag/v0.0.5) - 2018-03-01
+### Fixed
+- Rakefile configuration
+
+## [0.0.4](releases/tag/v0.0.4) - 2018-03-01
+### Added
+- Initial Rakefile
+- Rspec and Rubocop
+- Travis CI configuration
+
+## [0.0.3](releases/tag/v0.0.3) - 2018-03-01
+### Removed
+- Dependency on Gibberish gem
+
+## [0.0.2](releases/tag/v0.0.2) - 2014-09-23
+### Updated
+- Token validity to 2 minutes …
+
+## [0.0.1](releases/tag/v0.0.1) - 2014-08-28
+### Added
+- Initial release

data/Gemfile

@@ -1,2 +1,4 @@
+# frozen_string_literal: true
+
 source 'http://rubygems.org'
 gemspec

data/README.md

@@ -5,7 +5,7 @@ A little simple.. auth token generator
 
 Handles basic time-limited authentication token creation / validation
 
-Uses Gibberish::AES with 256 bit CBC encryption
+Uses OpenSSL AES with 256 bit CBC encryption
 
 ![Snuffy](/Snuffy.png "Snuffleupagus")
 
@@ -14,7 +14,7 @@ Uses Gibberish::AES with 256 bit CBC encryption
 Include it in your Gemfile:
 
 ```ruby
-gem 'snuffleupagus', :git => 'git@github.com:TutoringAustralasia/snuffleupagus.git'
+gem 'snuffleupagus'
 ```
 
 ## Basic Usage
@@ -23,7 +23,7 @@ gem 'snuffleupagus', :git => 'git@github.com:TutoringAustralasia/snuffleupagus.g
 
 ```ruby
 snuffy = Snuffleupagus::AuthToken.new('p4ssw0rd')
-snuffy.create_token
+snuffy.create_token context: 'my-context'
 #=> "53616c7465645f5f25dba4d4a97b238c4560ab46ffdfb77b28ad3e7121ab1917"
 ```
 
@@ -31,6 +31,6 @@ snuffy.create_token
 
 ```ruby
 snuffy = Snuffleupagus::AuthToken.new('p4ssw0rd')
-snuffy.check_token("53616c7465645f5f25dba4d4a97b238c4560ab46ffdfb77b28ad3e7121ab1917")
+snuffy.token_valid? token: "53616c7465645f5f25dba4d4a97b238c4560ab46ffdfb77b28ad3e7121ab1917", context: 'my-context'
 #=> true
 ```

data/Rakefile

@@ -1,4 +1,5 @@
 #!/usr/bin/env rake
+# frozen_string_literal: true
 
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'

data/lib/snuffleupagus/auth_token.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'openssl'
 
 module Snuffleupagus
@@ -22,18 +24,20 @@ module Snuffleupagus
   class AuthToken
     def initialize(key)
       @key = key
-      @cipher = OpenSSL::Cipher::AES256.new :CBC
+      @cipher = OpenSSL::Cipher.new('aes-256-cbc')
     end
 
-    def create_token
-      encode encrypt "#{CONSTANT}#{Time.now.to_i}"
+    def create_token(context:)
+      encode encrypt "#{CONSTANT}#{context}#{Time.now.to_i}"
     end
 
-    def check_token(token)
-      return false unless token && token.is_a?(String)
+    def token_valid?(token:, context:)
+      return false unless token.is_a? String
+
       decoded = decrypt decode token
-      match = /^#{CONSTANT}([0-9]+)$/.match decoded
+      match = /\A#{CONSTANT}#{Regexp.escape(context)}([0-9]+)\z/.match decoded
       return false unless match
+
       (match[1].to_i - Time.now.to_i).abs < MAX_VALID_TIME_DIFFERENCE
     rescue StandardError
       false
@@ -41,7 +45,7 @@ module Snuffleupagus
 
     private
 
-    CONSTANT = 'date:'.freeze
+    CONSTANT = 'date:'
     MAX_VALID_TIME_DIFFERENCE = 120 # tokens are only valid for 2 minutes
 
     attr_reader :cipher
@@ -55,6 +59,7 @@ module Snuffleupagus
 
     def decrypt(data)
       raise ArgumentError, 'Data is too short' unless data.length >= 16
+
       salt = data[8..15]
       data = data[16..-1]
       setup_cipher(:decrypt, salt)

data/lib/snuffleupagus/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Snuffleupagus
-  VERSION = '0.0.8'.freeze
+  VERSION = '0.2.1'
 end

data/lib/snuffleupagus.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 require 'snuffleupagus/auth_token'

data/snuffleupagus.gemspec

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require File.expand_path('lib/snuffleupagus/version', File.dirname(__FILE__))
 
 Gem::Specification.new do |s|
@@ -6,12 +8,13 @@ Gem::Specification.new do |s|
   s.platform                  = Gem::Platform::RUBY
   s.authors                   = ['Andrew Bromwich']
   s.email                     = ['abromwich@studiosity.com']
-  s.homepage                  = 'https://studiosity.com'
+  s.homepage                  = 'https://github.com/Studiosity/snuffleupagus'
   s.description               = 'Simple auth token generator/validator'
   s.summary                   = "snuffleupagus-#{s.version}"
   s.required_rubygems_version = '> 1.3.6'
+  s.required_ruby_version     = ['>= 2.5.0', '< 3.1.0']
 
-  s.add_development_dependency 'rake', '>= 10.0'
+  s.add_development_dependency 'rake', '~> 12.3', '>= 12.3.3'
   s.add_development_dependency 'rspec', '~> 3'
   s.add_development_dependency 'rubocop', '~> 0.49'
   s.add_development_dependency 'timecop', '~> 0'

data/spec/snuffleupagus_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require './lib/snuffleupagus'
 require 'timecop'
 
@@ -5,58 +7,73 @@ describe Snuffleupagus::AuthToken do
   let(:snuffy) { Snuffleupagus::AuthToken.new('sup3r4w3s0m3p4ssw0rd') }
 
   describe '#create_token' do
-    subject { snuffy.create_token }
+    subject { snuffy.create_token context: 'my-context' }
 
     it { is_expected.to be_a String }
-    it { expect(subject.length).to eq 64 }
-    it { is_expected.to match(/\A[a-f0-9]{64}\z/) }
+    it { expect(subject.length).to eq 96 }
+    it { is_expected.to match(/\A[a-f0-9]{96}\z/) }
   end
 
-  describe '#check_token' do
-    subject { snuffy.check_token(token) }
+  describe '#token_valid?' do
+    subject { snuffy.token_valid?(token: token, context: 'my-context') }
 
     context 'with a valid token' do
-      let(:token) { snuffy.create_token }
+      let(:token) { snuffy.create_token context: 'my-context' }
+
       it { is_expected.to be_truthy }
     end
 
+    context 'when the context doesnt match' do
+      let(:token) { snuffy.create_token context: 'another-context' }
+
+      it { is_expected.to be_falsey }
+    end
+
     context 'with an invalid token' do
       let(:token) { 'F00B44' }
+
       it { is_expected.to be_falsey }
     end
 
     context 'with an empty token' do
       let(:token) { '' }
+
       it { is_expected.to be_falsey }
     end
 
     context 'with a nil token' do
       let(:token) { nil }
+
       it { is_expected.to be_falsey }
     end
 
     context 'testing expired tokens' do
-      let(:token) { snuffy.create_token }
+      let(:token) { snuffy.create_token context: 'my-context' }
+
       before { token } # pre-load the token
       after { Timecop.return }
 
       context 'just inside the time difference (expired token)' do
         before { Timecop.freeze Time.now - 119 }
+
         it { is_expected.to be_truthy }
       end
 
       context 'just outside the time difference (expired token)' do
         before { Timecop.freeze Time.now - 120 }
+
         it { is_expected.to be_falsey }
       end
 
       context 'just inside the time difference (future token)' do
         before { Timecop.freeze Time.now + 119 }
+
         it { is_expected.to be_truthy }
       end
 
       context 'just outside the time difference (future token)' do
         before { Timecop.freeze Time.now + 120 }
+
         it { is_expected.to be_falsey }
       end
     end

metadata

@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: snuffleupagus
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.2.1
 platform: ruby
 authors:
 - Andrew Bromwich
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-03-01 00:00:00.000000000 Z
+date: 2021-12-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -76,8 +82,8 @@ files:
 - ".gitignore"
 - ".rubocop.yml"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
-- Gemfile.lock
 - README.md
 - Rakefile
 - Snuffy.png
@@ -86,10 +92,10 @@ files:
 - lib/snuffleupagus/version.rb
 - snuffleupagus.gemspec
 - spec/snuffleupagus_spec.rb
-homepage: https://studiosity.com
+homepage: https://github.com/Studiosity/snuffleupagus
 licenses: []
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -97,16 +103,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.5.0
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: 3.1.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">"
     - !ruby/object:Gem::Version
       version: 1.3.6
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.14
-signing_key: 
+rubygems_version: 3.0.9
+signing_key:
 specification_version: 4
-summary: snuffleupagus-0.0.8
+summary: snuffleupagus-0.2.1
 test_files: []

data/Gemfile.lock

@@ -1,50 +0,0 @@
-PATH
-  remote: .
-  specs:
-    snuffleupagus (0.0.6)
-
-GEM
-  remote: http://rubygems.org/
-  specs:
-    ast (2.4.0)
-    diff-lcs (1.3)
-    parallel (1.12.1)
-    parser (2.5.0.2)
-      ast (~> 2.4.0)
-    powerpack (0.1.1)
-    rainbow (3.0.0)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
-      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-support (3.7.1)
-    rubocop (0.52.1)
-      parallel (~> 1.10)
-      parser (>= 2.4.0.2, < 3.0)
-      powerpack (~> 0.1)
-      rainbow (>= 2.2.2, < 4.0)
-      ruby-progressbar (~> 1.7)
-      unicode-display_width (~> 1.0, >= 1.0.1)
-    ruby-progressbar (1.9.0)
-    timecop (0.9.1)
-    unicode-display_width (1.3.0)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  rspec (~> 3)
-  rubocop (~> 0.49)
-  snuffleupagus!
-  timecop (~> 0)
-
-BUNDLED WITH
-   1.16.1