strongmind-auth 1.0.16 → 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Rakefile +1 -1
- data/app/controllers/concerns/jwt_utilities.rb +43 -26
- data/app/controllers/concerns/strong_mind_nav.rb +2 -2
- data/app/views/logins/index.html.erb +2 -7
- data/config/routes.rb +1 -0
- data/lib/strongmind/auth/engine.rb +5 -0
- data/lib/strongmind/auth/version.rb +1 -1
- data/lib/strongmind/common_nav_fetcher.rb +3 -0
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1526ec8b78d6caea36cd40f7c943b5e376a4da4fcb0a5f37a4a3222d658e612f
|
|
4
|
+
data.tar.gz: f8bd96c7bb4d8658961224bf6c5ed9f1b9c2f9afd789d683e95afd3817a93864
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 06353b6d2d5f5d8554af61ba484e97ad6bc2b287a0d44a0e26f447a26df6e6c2de095b991f9b8002aaf676e3b6f080c1e095b1890ec2559f19bbbcb8292cb6d2
|
|
7
|
+
data.tar.gz: b37c854e2fc115f6a802b5dee2fcc6d45393951a4ad6891f78efa80bb3e24aa7e4e5ab08c86ad7baa4b28c67e12db3eabad4a84d84f15ab312b4a07ecdd9b290
|
data/Rakefile
CHANGED
|
@@ -4,32 +4,14 @@
|
|
|
4
4
|
module JwtUtilities
|
|
5
5
|
extend ActiveSupport::Concern
|
|
6
6
|
|
|
7
|
-
def jwt_valid?(jwt, condition_key = nil, scopes = [])
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
leeway: 60
|
|
16
|
-
})
|
|
17
|
-
rescue JWT::DecodeError => e
|
|
18
|
-
Rails.logger.error e.message
|
|
19
|
-
return false
|
|
20
|
-
end
|
|
21
|
-
|
|
22
|
-
payload = payload.with_indifferent_access
|
|
23
|
-
|
|
24
|
-
unless !scopes.empty? && payload['scope'].present? && payload['scope'].all? { |elem| scopes.include?(elem) }
|
|
25
|
-
return false
|
|
26
|
-
end
|
|
27
|
-
|
|
28
|
-
return false unless payload['nonce'].nil?
|
|
29
|
-
|
|
30
|
-
return false unless condition_key.nil? || payload['events'].key?(condition_key)
|
|
31
|
-
|
|
32
|
-
true
|
|
7
|
+
def jwt_valid?(jwt, condition_key = nil, scopes = [], attributes = [])
|
|
8
|
+
payload = decode_jwt(jwt)
|
|
9
|
+
return false unless payload
|
|
10
|
+
|
|
11
|
+
scope_valid?(payload,
|
|
12
|
+
scopes) && nonce_valid?(payload) && condition_key_valid?(payload,
|
|
13
|
+
condition_key) && attributes_valid?(payload,
|
|
14
|
+
attributes)
|
|
33
15
|
end
|
|
34
16
|
|
|
35
17
|
def public_key
|
|
@@ -42,6 +24,41 @@ module JwtUtilities
|
|
|
42
24
|
|
|
43
25
|
private
|
|
44
26
|
|
|
27
|
+
def decode_jwt(jwt)
|
|
28
|
+
payload, _header = JWT.decode(jwt, public_key, true, jwt_decode_options)
|
|
29
|
+
payload.with_indifferent_access
|
|
30
|
+
rescue JWT::DecodeError => e
|
|
31
|
+
Rails.logger.error e.message
|
|
32
|
+
nil
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def jwt_decode_options
|
|
36
|
+
{
|
|
37
|
+
verify_iat: true,
|
|
38
|
+
verify_iss: true,
|
|
39
|
+
verify_aud: true,
|
|
40
|
+
verify_sub: true,
|
|
41
|
+
algorithm: 'RS256',
|
|
42
|
+
leeway: 60
|
|
43
|
+
}
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
def scope_valid?(payload, scopes)
|
|
47
|
+
scopes.empty? || (payload['scope'].present? && scopes.all? { |scope| payload['scope'].include?(scope) })
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def nonce_valid?(payload)
|
|
51
|
+
payload['nonce'].nil?
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def condition_key_valid?(payload, condition_key)
|
|
55
|
+
condition_key.nil? || payload['events'].to_h.key?(condition_key)
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def attributes_valid?(payload, attributes)
|
|
59
|
+
attributes.empty? || attributes.all? { |attribute| payload.include?(attribute) }
|
|
60
|
+
end
|
|
61
|
+
|
|
45
62
|
def fetch_user_token_info
|
|
46
63
|
user_jwt(session)
|
|
47
64
|
end
|
|
@@ -14,8 +14,8 @@ module StrongMindNav
|
|
|
14
14
|
rescue Strongmind::Exceptions::TokenNotFoundError, Strongmind::Exceptions::UserNotFoundError => e
|
|
15
15
|
Sentry.capture_exception(e)
|
|
16
16
|
Rails.logger.error(e)
|
|
17
|
-
flash[:alert] = e.inspect if Rails.env.development?
|
|
18
|
-
@stop_redirect = true if Rails.env.development?
|
|
17
|
+
flash[:alert] = e.inspect if Rails.env.development? || Rails.env.test?
|
|
18
|
+
@stop_redirect = true if Rails.env.development? || Rails.env.test?
|
|
19
19
|
render 'logins/index'
|
|
20
20
|
rescue Exception => e
|
|
21
21
|
Sentry.capture_exception(e)
|
|
@@ -16,16 +16,11 @@
|
|
|
16
16
|
</style>
|
|
17
17
|
<%= button_to 'Sign in with StrongMind', '/users/auth/strongmind', style: 'display:none' %>
|
|
18
18
|
<script type="text/javascript">
|
|
19
|
-
function submitForm() {
|
|
20
|
-
document.forms[0].submit();
|
|
21
|
-
}
|
|
22
|
-
|
|
23
19
|
// Submit the form on load
|
|
24
20
|
window.addEventListener("load", (event) => {
|
|
25
|
-
<%
|
|
26
|
-
|
|
21
|
+
<% unless @stop_redirect %>
|
|
22
|
+
document.forms[0].submit();
|
|
27
23
|
<% end %>
|
|
28
|
-
submitForm();
|
|
29
24
|
});
|
|
30
25
|
|
|
31
26
|
</script>
|
data/config/routes.rb
CHANGED
|
@@ -9,6 +9,7 @@ Rails.application.routes.draw do
|
|
|
9
9
|
|
|
10
10
|
devise_scope :user do
|
|
11
11
|
get 'users/sign_out', to: 'users/sessions#initiate_backchannel_logout'
|
|
12
|
+
post 'users/endsession', to: 'users/sessions#endsession'
|
|
12
13
|
|
|
13
14
|
unauthenticated do
|
|
14
15
|
root 'logins#index', as: :unauthenticated_root
|
|
@@ -12,6 +12,9 @@ module Strongmind
|
|
|
12
12
|
def initialize(user, request)
|
|
13
13
|
raise Strongmind::Exceptions::UserNotFoundError, 'User not found' unless user.present?
|
|
14
14
|
raise ArgumentError, 'Request not found' unless request.present?
|
|
15
|
+
raise ArgumentError, 'Identity base URL not found at IDENTITY_BASE_URL in environment' unless ENV['IDENTITY_BASE_URL'].present?
|
|
16
|
+
raise ArgumentError, 'Identity client ID not found at IDENTITY_CLIENT_ID in environment' unless ENV['IDENTITY_CLIENT_ID'].present?
|
|
17
|
+
raise ArgumentError, 'Identity client secret not found at IDENTITY_CLIENT_SECRET in environment' unless ENV['IDENTITY_CLIENT_SECRET'].present?
|
|
15
18
|
|
|
16
19
|
@user = user
|
|
17
20
|
@request = request
|