snuffleupagus 0.0.9 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1c6a2515a503d2226e53e92350f9c156a81afc58614a68f17247693285406d8
-  data.tar.gz: 40111852cdb8cfd511accf2713981abf912004bb0db43f3e44a4954c7a8f8303
+  metadata.gz: a5c80cc86ec5c07d58eb1fa6287556951aece8f295df96637b68158ccd2f45c4
+  data.tar.gz: 73727b009732dd19becd8b9de8445e1479d3e41613256965d18c468bf3d11328
 SHA512:
-  metadata.gz: 397d54ee616139744d8802a38fc7e32cc7ad937eb32a011fd3d9dc5bb70126673dbc678e0b10b753dc9240c0f9e260806f450d1fdbafc981210f5d9abebf9e9f
-  data.tar.gz: e824f45b6b6e912dafd8a881ddbd2e915586033000c6f82f363aa78a8cd8d5faad83d0ae4299a9dfc2de8a3a46c7c696ced05c27b21aa0954c37942f3f7a57cd
+  metadata.gz: e415b78f8922d193d697206295901e9e17324c480c29451ebd4c5f9b891ab368bda214c4dd3be01cf3c2fe2226cdcad2506f6859f13f6a85f77b4ebf865e5098
+  data.tar.gz: c78c98c4e9e3f35dec5226e633ea305ee630ab2bb46a3ca237bec82f8ae056cb345c11628aa65010ab73a9a715747962213b6a6453e523e741cb1d8a1c3a4ab0

data/.rubocop.yml

@@ -1,3 +1,7 @@
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 2.5
+
 Metrics/BlockLength:
   Exclude:
     - 'spec/**/*'

data/.travis.yml

@@ -1,10 +1,9 @@
 language: ruby
 
 rvm:
-  - 2.3
-  - 2.4
   - 2.5
   - 2.6
+  - 2.7
 
 install:
   - bundle install --retry=3

data/CHANGELOG.md

@@ -3,6 +3,10 @@
 ## Unreleased
 - none
 
+## [0.1.1](releases/tag/v0.1.1) - 2020-10-21
+### Added
+- Add context to the create/check token to avoid replay in different contexts
+
 ## [0.0.9](releases/tag/v0.0.9) - 2020-03-01
 ### Fixed
 - Address CVE-2020-8130 - rake OS command injection vulnerability

data/lib/snuffleupagus/auth_token.rb

@@ -24,18 +24,18 @@ module Snuffleupagus
   class AuthToken
     def initialize(key)
       @key = key
-      @cipher = OpenSSL::Cipher::AES256.new :CBC
+      @cipher = OpenSSL::Cipher.new('aes-256-cbc')
     end
 
-    def create_token
-      encode encrypt "#{CONSTANT}#{Time.now.to_i}"
+    def create_token(context)
+      encode encrypt "#{CONSTANT}#{context}#{Time.now.to_i}"
     end
 
-    def check_token(token)
-      return false unless token&.is_a?(String)
+    def token_valid?(token, context)
+      return false unless token.is_a? String
 
       decoded = decrypt decode token
-      match = /^#{CONSTANT}([0-9]+)$/.match decoded
+      match = /\A#{CONSTANT}#{Regexp.escape(context)}([0-9]+)\z/.match decoded
       return false unless match
 
       (match[1].to_i - Time.now.to_i).abs < MAX_VALID_TIME_DIFFERENCE

data/lib/snuffleupagus/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Snuffleupagus
-  VERSION = '0.0.9'
+  VERSION = '0.1.1'
 end

data/snuffleupagus.gemspec

@@ -12,6 +12,7 @@ Gem::Specification.new do |s|
   s.description               = 'Simple auth token generator/validator'
   s.summary                   = "snuffleupagus-#{s.version}"
   s.required_rubygems_version = '> 1.3.6'
+  s.required_ruby_version     = ['>= 2.5.0', '< 2.8.0']
 
   s.add_development_dependency 'rake', '~> 12.3', '>= 12.3.3'
   s.add_development_dependency 'rspec', '~> 3'

data/spec/snuffleupagus_spec.rb

@@ -7,58 +7,73 @@ describe Snuffleupagus::AuthToken do
   let(:snuffy) { Snuffleupagus::AuthToken.new('sup3r4w3s0m3p4ssw0rd') }
 
   describe '#create_token' do
-    subject { snuffy.create_token }
+    subject { snuffy.create_token 'my-context' }
 
     it { is_expected.to be_a String }
-    it { expect(subject.length).to eq 64 }
-    it { is_expected.to match(/\A[a-f0-9]{64}\z/) }
+    it { expect(subject.length).to eq 96 }
+    it { is_expected.to match(/\A[a-f0-9]{96}\z/) }
   end
 
-  describe '#check_token' do
-    subject { snuffy.check_token(token) }
+  describe '#token_valid?' do
+    subject { snuffy.token_valid?(token, 'my-context') }
 
     context 'with a valid token' do
-      let(:token) { snuffy.create_token }
+      let(:token) { snuffy.create_token 'my-context' }
+
       it { is_expected.to be_truthy }
     end
 
+    context 'when the context doesnt match' do
+      let(:token) { snuffy.create_token 'another-context' }
+
+      it { is_expected.to be_falsey }
+    end
+
     context 'with an invalid token' do
       let(:token) { 'F00B44' }
+
       it { is_expected.to be_falsey }
     end
 
     context 'with an empty token' do
       let(:token) { '' }
+
       it { is_expected.to be_falsey }
     end
 
     context 'with a nil token' do
       let(:token) { nil }
+
       it { is_expected.to be_falsey }
     end
 
     context 'testing expired tokens' do
-      let(:token) { snuffy.create_token }
+      let(:token) { snuffy.create_token 'my-context' }
+
       before { token } # pre-load the token
       after { Timecop.return }
 
       context 'just inside the time difference (expired token)' do
         before { Timecop.freeze Time.now - 119 }
+
         it { is_expected.to be_truthy }
       end
 
       context 'just outside the time difference (expired token)' do
         before { Timecop.freeze Time.now - 120 }
+
         it { is_expected.to be_falsey }
       end
 
       context 'just inside the time difference (future token)' do
         before { Timecop.freeze Time.now + 119 }
+
         it { is_expected.to be_truthy }
       end
 
       context 'just outside the time difference (future token)' do
         before { Timecop.freeze Time.now + 120 }
+
         it { is_expected.to be_falsey }
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: snuffleupagus
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.1.1
 platform: ruby
 authors:
 - Andrew Bromwich
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-01 00:00:00.000000000 Z
+date: 2020-10-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -103,7 +103,10 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.5.0
+  - - "<"
+    - !ruby/object:Gem::Version
+      version: 2.8.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">"
@@ -113,5 +116,5 @@ requirements: []
 rubygems_version: 3.0.6
 signing_key: 
 specification_version: 4
-summary: snuffleupagus-0.0.9
+summary: snuffleupagus-0.1.1
 test_files: []