snuffleupagus 0.0.9 → 0.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.rubocop.yml +4 -0
- data/.travis.yml +2 -2
- data/CHANGELOG.md +8 -0
- data/README.md +2 -2
- data/lib/snuffleupagus/auth_token.rb +6 -6
- data/lib/snuffleupagus/version.rb +1 -1
- data/snuffleupagus.gemspec +1 -0
- data/spec/snuffleupagus_spec.rb +22 -7
- metadata +11 -8
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 81c2fe0d377038f07a9bcead3e719634ed5ab03708f32d0e057ad7e79aab2cf7
|
4
|
+
data.tar.gz: 8502a478b9e5eacebf04968d7a7c3205677893264ac8402545c029d7e43c44a2
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: efd8380cac1395bb7c8d5c87e76c954ce82d710305095b2300879c6bdc9376d031370ec53566b6dfda0218856d3972c8953b8b0722abcb2748b672cfa89cfb38
|
7
|
+
data.tar.gz: 7ed16f47b22a43b1bfc06716f865f1ea7a9914071f93c27f5ecca7109e63b8fabd5b69c0d4f0256367b1a84bc0d5c9986d872adf1745b50af90783b48966602e
|
data/.rubocop.yml
CHANGED
data/.travis.yml
CHANGED
data/CHANGELOG.md
CHANGED
@@ -3,6 +3,14 @@
|
|
3
3
|
## Unreleased
|
4
4
|
- none
|
5
5
|
|
6
|
+
## [0.1.1](releases/tag/v0.1.1) - 2020-10-21
|
7
|
+
### Updated
|
8
|
+
- Use named parameters when creating and validating tokens
|
9
|
+
|
10
|
+
## [0.1.1](releases/tag/v0.1.1) - 2020-10-21
|
11
|
+
### Added
|
12
|
+
- Add context to the create/check token to avoid replay in different contexts
|
13
|
+
|
6
14
|
## [0.0.9](releases/tag/v0.0.9) - 2020-03-01
|
7
15
|
### Fixed
|
8
16
|
- Address CVE-2020-8130 - rake OS command injection vulnerability
|
data/README.md
CHANGED
@@ -23,7 +23,7 @@ gem 'snuffleupagus'
|
|
23
23
|
|
24
24
|
```ruby
|
25
25
|
snuffy = Snuffleupagus::AuthToken.new('p4ssw0rd')
|
26
|
-
snuffy.create_token
|
26
|
+
snuffy.create_token context: 'my-context'
|
27
27
|
#=> "53616c7465645f5f25dba4d4a97b238c4560ab46ffdfb77b28ad3e7121ab1917"
|
28
28
|
```
|
29
29
|
|
@@ -31,6 +31,6 @@ snuffy.create_token
|
|
31
31
|
|
32
32
|
```ruby
|
33
33
|
snuffy = Snuffleupagus::AuthToken.new('p4ssw0rd')
|
34
|
-
snuffy.
|
34
|
+
snuffy.token_valid? token: "53616c7465645f5f25dba4d4a97b238c4560ab46ffdfb77b28ad3e7121ab1917", context: 'my-context'
|
35
35
|
#=> true
|
36
36
|
```
|
@@ -24,18 +24,18 @@ module Snuffleupagus
|
|
24
24
|
class AuthToken
|
25
25
|
def initialize(key)
|
26
26
|
@key = key
|
27
|
-
@cipher = OpenSSL::Cipher
|
27
|
+
@cipher = OpenSSL::Cipher.new('aes-256-cbc')
|
28
28
|
end
|
29
29
|
|
30
|
-
def create_token
|
31
|
-
encode encrypt "#{CONSTANT}#{Time.now.to_i}"
|
30
|
+
def create_token(context:)
|
31
|
+
encode encrypt "#{CONSTANT}#{context}#{Time.now.to_i}"
|
32
32
|
end
|
33
33
|
|
34
|
-
def
|
35
|
-
return false unless token
|
34
|
+
def token_valid?(token:, context:)
|
35
|
+
return false unless token.is_a? String
|
36
36
|
|
37
37
|
decoded = decrypt decode token
|
38
|
-
match =
|
38
|
+
match = /\A#{CONSTANT}#{Regexp.escape(context)}([0-9]+)\z/.match decoded
|
39
39
|
return false unless match
|
40
40
|
|
41
41
|
(match[1].to_i - Time.now.to_i).abs < MAX_VALID_TIME_DIFFERENCE
|
data/snuffleupagus.gemspec
CHANGED
@@ -12,6 +12,7 @@ Gem::Specification.new do |s|
|
|
12
12
|
s.description = 'Simple auth token generator/validator'
|
13
13
|
s.summary = "snuffleupagus-#{s.version}"
|
14
14
|
s.required_rubygems_version = '> 1.3.6'
|
15
|
+
s.required_ruby_version = ['>= 2.5.0', '< 3.1.0']
|
15
16
|
|
16
17
|
s.add_development_dependency 'rake', '~> 12.3', '>= 12.3.3'
|
17
18
|
s.add_development_dependency 'rspec', '~> 3'
|
data/spec/snuffleupagus_spec.rb
CHANGED
@@ -7,58 +7,73 @@ describe Snuffleupagus::AuthToken do
|
|
7
7
|
let(:snuffy) { Snuffleupagus::AuthToken.new('sup3r4w3s0m3p4ssw0rd') }
|
8
8
|
|
9
9
|
describe '#create_token' do
|
10
|
-
subject { snuffy.create_token }
|
10
|
+
subject { snuffy.create_token context: 'my-context' }
|
11
11
|
|
12
12
|
it { is_expected.to be_a String }
|
13
|
-
it { expect(subject.length).to eq
|
14
|
-
it { is_expected.to match(/\A[a-f0-9]{
|
13
|
+
it { expect(subject.length).to eq 96 }
|
14
|
+
it { is_expected.to match(/\A[a-f0-9]{96}\z/) }
|
15
15
|
end
|
16
16
|
|
17
|
-
describe '#
|
18
|
-
subject { snuffy.
|
17
|
+
describe '#token_valid?' do
|
18
|
+
subject { snuffy.token_valid?(token: token, context: 'my-context') }
|
19
19
|
|
20
20
|
context 'with a valid token' do
|
21
|
-
let(:token) { snuffy.create_token }
|
21
|
+
let(:token) { snuffy.create_token context: 'my-context' }
|
22
|
+
|
22
23
|
it { is_expected.to be_truthy }
|
23
24
|
end
|
24
25
|
|
26
|
+
context 'when the context doesnt match' do
|
27
|
+
let(:token) { snuffy.create_token context: 'another-context' }
|
28
|
+
|
29
|
+
it { is_expected.to be_falsey }
|
30
|
+
end
|
31
|
+
|
25
32
|
context 'with an invalid token' do
|
26
33
|
let(:token) { 'F00B44' }
|
34
|
+
|
27
35
|
it { is_expected.to be_falsey }
|
28
36
|
end
|
29
37
|
|
30
38
|
context 'with an empty token' do
|
31
39
|
let(:token) { '' }
|
40
|
+
|
32
41
|
it { is_expected.to be_falsey }
|
33
42
|
end
|
34
43
|
|
35
44
|
context 'with a nil token' do
|
36
45
|
let(:token) { nil }
|
46
|
+
|
37
47
|
it { is_expected.to be_falsey }
|
38
48
|
end
|
39
49
|
|
40
50
|
context 'testing expired tokens' do
|
41
|
-
let(:token) { snuffy.create_token }
|
51
|
+
let(:token) { snuffy.create_token context: 'my-context' }
|
52
|
+
|
42
53
|
before { token } # pre-load the token
|
43
54
|
after { Timecop.return }
|
44
55
|
|
45
56
|
context 'just inside the time difference (expired token)' do
|
46
57
|
before { Timecop.freeze Time.now - 119 }
|
58
|
+
|
47
59
|
it { is_expected.to be_truthy }
|
48
60
|
end
|
49
61
|
|
50
62
|
context 'just outside the time difference (expired token)' do
|
51
63
|
before { Timecop.freeze Time.now - 120 }
|
64
|
+
|
52
65
|
it { is_expected.to be_falsey }
|
53
66
|
end
|
54
67
|
|
55
68
|
context 'just inside the time difference (future token)' do
|
56
69
|
before { Timecop.freeze Time.now + 119 }
|
70
|
+
|
57
71
|
it { is_expected.to be_truthy }
|
58
72
|
end
|
59
73
|
|
60
74
|
context 'just outside the time difference (future token)' do
|
61
75
|
before { Timecop.freeze Time.now + 120 }
|
76
|
+
|
62
77
|
it { is_expected.to be_falsey }
|
63
78
|
end
|
64
79
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: snuffleupagus
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Andrew Bromwich
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2021-12-22 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -95,7 +95,7 @@ files:
|
|
95
95
|
homepage: https://github.com/Studiosity/snuffleupagus
|
96
96
|
licenses: []
|
97
97
|
metadata: {}
|
98
|
-
post_install_message:
|
98
|
+
post_install_message:
|
99
99
|
rdoc_options: []
|
100
100
|
require_paths:
|
101
101
|
- lib
|
@@ -103,15 +103,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
103
103
|
requirements:
|
104
104
|
- - ">="
|
105
105
|
- !ruby/object:Gem::Version
|
106
|
-
version:
|
106
|
+
version: 2.5.0
|
107
|
+
- - "<"
|
108
|
+
- !ruby/object:Gem::Version
|
109
|
+
version: 3.1.0
|
107
110
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
108
111
|
requirements:
|
109
112
|
- - ">"
|
110
113
|
- !ruby/object:Gem::Version
|
111
114
|
version: 1.3.6
|
112
115
|
requirements: []
|
113
|
-
rubygems_version: 3.0.
|
114
|
-
signing_key:
|
116
|
+
rubygems_version: 3.0.9
|
117
|
+
signing_key:
|
115
118
|
specification_version: 4
|
116
|
-
summary: snuffleupagus-0.
|
119
|
+
summary: snuffleupagus-0.2.2
|
117
120
|
test_files: []
|