snuffleupagus 0.0.9 → 0.1.1

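--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1c6a2515a503d2226e53e92350f9c156a81afc58614a68f17247693285406d8
-  data.tar.gz: 40111852cdb8cfd511accf2713981abf912004bb0db43f3e44a4954c7a8f8303
+  metadata.gz: a5c80cc86ec5c07d58eb1fa6287556951aece8f295df96637b68158ccd2f45c4
+  data.tar.gz: 73727b009732dd19becd8b9de8445e1479d3e41613256965d18c468bf3d11328
 SHA512:
-  metadata.gz: 397d54ee616139744d8802a38fc7e32cc7ad937eb32a011fd3d9dc5bb70126673dbc678e0b10b753dc9240c0f9e260806f450d1fdbafc981210f5d9abebf9e9f
-  data.tar.gz: e824f45b6b6e912dafd8a881ddbd2e915586033000c6f82f363aa78a8cd8d5faad83d0ae4299a9dfc2de8a3a46c7c696ced05c27b21aa0954c37942f3f7a57cd
+  metadata.gz: e415b78f8922d193d697206295901e9e17324c480c29451ebd4c5f9b891ab368bda214c4dd3be01cf3c2fe2226cdcad2506f6859f13f6a85f77b4ebf865e5098
+  data.tar.gz: c78c98c4e9e3f35dec5226e633ea305ee630ab2bb46a3ca237bec82f8ae056cb345c11628aa65010ab73a9a715747962213b6a6453e523e741cb1d8a1c3a4ab0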
@@ -1,3 +1,7 @@
1
+ AllCops:
2
+ NewCops: enable
3
+ TargetRubyVersion: 2.5
4
+
1
5
  Metrics/BlockLength:
2
6
  Exclude:
3
7
  - 'spec/**/*'
@@ -1,10 +1,9 @@
1
1
  language: ruby
2
2
 
3
3
  rvm:
4
- - 2.3
5
- - 2.4
6
4
  - 2.5
7
5
  - 2.6
6
+ - 2.7
8
7
 
9
8
  install:
10
9
  - bundle install --retry=3
@@ -3,6 +3,10 @@
3
3
  ## Unreleased
4
4
  - none
5
5
 
6
+ ## [0.1.1](releases/tag/v0.1.1) - 2020-10-21
7
+ ### Added
8
+ - Add context to the create/check token to avoid replay in different contexts
9
+
6
10
  ## [0.0.9](releases/tag/v0.0.9) - 2020-03-01
7
11
  ### Fixed
8
12
  - Address CVE-2020-8130 - rake OS command injection vulnerability
@@ -24,18 +24,18 @@ module Snuffleupagus
24
24
  class AuthToken
25
25
  def initialize(key)
26
26
  @key = key
27
- @cipher = OpenSSL::Cipher::AES256.new :CBC
27
+ @cipher = OpenSSL::Cipher.new('aes-256-cbc')
28
28
  end
29
29
 
30
- def create_token
31
- encode encrypt "#{CONSTANT}#{Time.now.to_i}"
30
+ def create_token(context)
31
+ encode encrypt "#{CONSTANT}#{context}#{Time.now.to_i}"
32
32
  end
33
33
 
34
- def check_token(token)
35
- return false unless token&.is_a?(String)
34
+ def token_valid?(token, context)
35
+ return false unless token.is_a? String
36
36
 
37
37
  decoded = decrypt decode token
38
- match = /^#{CONSTANT}([0-9]+)$/.match decoded
38
+ match = /\A#{CONSTANT}#{Regexp.escape(context)}([0-9]+)\z/.match decoded
39
39
  return false unless match
40
40
 
41
41
  (match[1].to_i - Time.now.to_i).abs < MAX_VALID_TIME_DIFFERENCE
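Review bot: `token_valid?` type-guards `token` but not `context`, so a non-String context (nil, an Integer) reaches `Regexp.escape` on the `match = ...` line and raises TypeError instead of returning false, while `create_token(nil)` silently interpolates an empty string and mints a context-less token. A symmetric guard keeps the predicate a predicate: `return false unless token.is_a?(String) && context.is_a?(String)` in `token_valid?`, and `raise ArgumentError, 'context must be a String' unless context.is_a?(String)` at the top of `create_token`. Separately, nothing delimits the context from the timestamp in the plaintext, so a context ending in digits can be split differently by the `([0-9]+)` group; in practice only the time-window comparison on the last line rejects such a split, and a separator that cannot occur in a context (or a length prefix) would make the parse unambiguous. The body of `token_valid?` closes outside the hunk, and `decrypt`, `decode` and `CONSTANT` are defined above it.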
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Snuffleupagus
4
- VERSION = '0.0.9'
4
+ VERSION = '0.1.1'
5
5
  end
@@ -12,6 +12,7 @@ Gem::Specification.new do |s|
12
12
  s.description = 'Simple auth token generator/validator'
13
13
  s.summary = "snuffleupagus-#{s.version}"
14
14
  s.required_rubygems_version = '> 1.3.6'
15
+ s.required_ruby_version = ['>= 2.5.0', '< 2.8.0']
15
16
 
16
17
  s.add_development_dependency 'rake', '~> 12.3', '>= 12.3.3'
17
18
  s.add_development_dependency 'rspec', '~> 3'
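Review bot: The new `s.required_ruby_version = ['>= 2.5.0', '< 2.8.0']` hard-caps installation at Ruby 2.7, so the gem will refuse to install on any later Ruby even if nothing in it breaks; the CI matrix in this release only tests up to 2.7, which explains the bound but does not justify enforcing it at install time. A lower bound alone, `s.required_ruby_version = '>= 2.5.0'`, keeps the stated minimum and leaves the cap to CI; if the upper bound is deliberate, a short comment on that line saying why would help whoever cuts the next release. The `Gem::Specification.new` block starts and ends outside the hunk.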
@@ -7,58 +7,73 @@ describe Snuffleupagus::AuthToken do
7
7
  let(:snuffy) { Snuffleupagus::AuthToken.new('sup3r4w3s0m3p4ssw0rd') }
8
8
 
9
9
  describe '#create_token' do
10
- subject { snuffy.create_token }
10
+ subject { snuffy.create_token 'my-context' }
11
11
 
12
12
  it { is_expected.to be_a String }
13
- it { expect(subject.length).to eq 64 }
14
- it { is_expected.to match(/\A[a-f0-9]{64}\z/) }
13
+ it { expect(subject.length).to eq 96 }
14
+ it { is_expected.to match(/\A[a-f0-9]{96}\z/) }
15
15
  end
16
16
 
17
- describe '#check_token' do
18
- subject { snuffy.check_token(token) }
17
+ describe '#token_valid?' do
18
+ subject { snuffy.token_valid?(token, 'my-context') }
19
19
 
20
20
  context 'with a valid token' do
21
- let(:token) { snuffy.create_token }
21
+ let(:token) { snuffy.create_token 'my-context' }
22
+
22
23
  it { is_expected.to be_truthy }
23
24
  end
24
25
 
26
+ context 'when the context doesnt match' do
27
+ let(:token) { snuffy.create_token 'another-context' }
28
+
29
+ it { is_expected.to be_falsey }
30
+ end
31
+
25
32
  context 'with an invalid token' do
26
33
  let(:token) { 'F00B44' }
34
+
27
35
  it { is_expected.to be_falsey }
28
36
  end
29
37
 
30
38
  context 'with an empty token' do
31
39
  let(:token) { '' }
40
+
32
41
  it { is_expected.to be_falsey }
33
42
  end
34
43
 
35
44
  context 'with a nil token' do
36
45
  let(:token) { nil }
46
+
37
47
  it { is_expected.to be_falsey }
38
48
  end
39
49
 
40
50
  context 'testing expired tokens' do
41
- let(:token) { snuffy.create_token }
51
+ let(:token) { snuffy.create_token 'my-context' }
52
+
42
53
  before { token } # pre-load the token
43
54
  after { Timecop.return }
44
55
 
45
56
  context 'just inside the time difference (expired token)' do
46
57
  before { Timecop.freeze Time.now - 119 }
58
+
47
59
  it { is_expected.to be_truthy }
48
60
  end
49
61
 
50
62
  context 'just outside the time difference (expired token)' do
51
63
  before { Timecop.freeze Time.now - 120 }
64
+
52
65
  it { is_expected.to be_falsey }
53
66
  end
54
67
 
55
68
  context 'just inside the time difference (future token)' do
56
69
  before { Timecop.freeze Time.now + 119 }
70
+
57
71
  it { is_expected.to be_truthy }
58
72
  end
59
73
 
60
74
  context 'just outside the time difference (future token)' do
61
75
  before { Timecop.freeze Time.now + 120 }
76
+
62
77
  it { is_expected.to be_falsey }
63
78
  end
64
79
  end
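Review bot: The new `context 'when the context doesnt match'` exercises only one mismatch, an entirely different string; no example covers a context that is a digit-extension of the real one (a token for 'my-context' checked with 'my-context1'), or a non-String context, which are the inputs where the regex-based parse in `token_valid?` is most likely to misbehave. Adding a sibling context with `let(:token) { snuffy.create_token 'my-context1' }` asserting falsey, and one example pinning what `snuffy.token_valid?(token, nil)` does, would lock those paths down before they drift. The outer `describe '#token_valid?'` block closes outside the hunk.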
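--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: snuffleupagus
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.1.1
 platform: ruby
 authors:
 - Andrew Bromwich
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-03-01 00:00:00.000000000 Z
+date: 2020-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -103,7 +103,10 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.5.0
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: 2.8.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">"
@@ -113,5 +116,5 @@ requirements: []
 rubygems_version: 3.0.6
 signing_key:
 specification_version: 4
-summary: snuffleupagus-0.0.9
+summary: snuffleupagus-0.1.1
 test_files: []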