strongmind-auth 1.0.17 → 1.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/app/controllers/concerns/jwt_utilities.rb +44 -27
- data/app/controllers/users/sessions_controller.rb +1 -0
- data/config/routes.rb +1 -0
- data/lib/strongmind/auth/version.rb +1 -1
- metadata +2 -30
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0234d7b4cfe4a3a5d738c6ef9af96622f348ca47b39d9b76ff971b6ebc0bfa8f
|
|
4
|
+
data.tar.gz: 8ca75096b6b9ed3082f03e4e6a48f9e98f43366fdfc4fdfce72fe3d69c8e0463
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b8cf1a51d8ebbb13566a382ede82a001284123efc5544d97e71c487efffea08f81bace84f65742eb19f1dbbd7b312187e754dcead6e9e9a5d7f6ee44437285c9
|
|
7
|
+
data.tar.gz: 619659baf8e51ffd5daafcea330840ce240c0b072856978b491d5f43d2f4f2d0161f9bfdfdf0e9de356ec8383440d1216666acf17e5a4c34c9a804bd29a9b0e7
|
|
@@ -4,32 +4,14 @@
|
|
|
4
4
|
module JwtUtilities
|
|
5
5
|
extend ActiveSupport::Concern
|
|
6
6
|
|
|
7
|
-
def jwt_valid?(jwt, condition_key = nil, scopes = [])
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
leeway: 60
|
|
16
|
-
})
|
|
17
|
-
rescue JWT::DecodeError => e
|
|
18
|
-
Rails.logger.error e.message
|
|
19
|
-
return false
|
|
20
|
-
end
|
|
21
|
-
|
|
22
|
-
payload = payload.with_indifferent_access
|
|
23
|
-
|
|
24
|
-
unless !scopes.empty? && payload['scope'].present? && payload['scope'].all? { |elem| scopes.include?(elem) }
|
|
25
|
-
return false
|
|
26
|
-
end
|
|
27
|
-
|
|
28
|
-
return false unless payload['nonce'].nil?
|
|
29
|
-
|
|
30
|
-
return false unless condition_key.nil? || payload['events'].key?(condition_key)
|
|
31
|
-
|
|
32
|
-
true
|
|
7
|
+
def jwt_valid?(jwt, condition_key = nil, scopes = [], attributes = [])
|
|
8
|
+
payload = decode_jwt(jwt)
|
|
9
|
+
return false unless payload
|
|
10
|
+
|
|
11
|
+
scope_valid?(payload,
|
|
12
|
+
scopes) && nonce_valid?(payload) && condition_key_valid?(payload,
|
|
13
|
+
condition_key) && attributes_valid?(payload,
|
|
14
|
+
attributes)
|
|
33
15
|
end
|
|
34
16
|
|
|
35
17
|
def public_key
|
|
@@ -42,6 +24,41 @@ module JwtUtilities
|
|
|
42
24
|
|
|
43
25
|
private
|
|
44
26
|
|
|
27
|
+
def decode_jwt(jwt)
|
|
28
|
+
payload, _header = JWT.decode(jwt, public_key, true, jwt_decode_options)
|
|
29
|
+
payload.with_indifferent_access
|
|
30
|
+
rescue JWT::DecodeError => e
|
|
31
|
+
Rails.logger.error e.message
|
|
32
|
+
nil
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
def jwt_decode_options
|
|
36
|
+
{
|
|
37
|
+
verify_iat: true,
|
|
38
|
+
verify_iss: true,
|
|
39
|
+
verify_aud: true,
|
|
40
|
+
verify_sub: true,
|
|
41
|
+
algorithm: 'RS256',
|
|
42
|
+
leeway: 60
|
|
43
|
+
}
|
|
44
|
+
end
|
|
45
|
+
|
|
46
|
+
def scope_valid?(payload, scopes)
|
|
47
|
+
scopes.empty? || (payload['scope'].present? && scopes.all? { |scope| payload['scope'].include?(scope) })
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def nonce_valid?(payload)
|
|
51
|
+
payload['nonce'].nil?
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
def condition_key_valid?(payload, condition_key)
|
|
55
|
+
condition_key.nil? || payload['events'].to_h.key?(condition_key)
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
def attributes_valid?(payload, attributes)
|
|
59
|
+
attributes.empty? || attributes.all? { |attribute| payload.include?(attribute) }
|
|
60
|
+
end
|
|
61
|
+
|
|
45
62
|
def fetch_user_token_info
|
|
46
63
|
user_jwt(session)
|
|
47
64
|
end
|
|
@@ -72,7 +89,7 @@ module JwtUtilities
|
|
|
72
89
|
def validate_tokens(tokens)
|
|
73
90
|
return unless tokens[:error] == 'invalid_grant' || !tokens[:refresh_token]
|
|
74
91
|
|
|
75
|
-
raise Strongmind::Exceptions::
|
|
92
|
+
raise Strongmind::Exceptions::RefreshTokenExpiredError, tokens[:error]
|
|
76
93
|
end
|
|
77
94
|
|
|
78
95
|
def generate_tokens(session_data)
|
|
@@ -18,6 +18,7 @@ module Users
|
|
|
18
18
|
|
|
19
19
|
def endsession
|
|
20
20
|
headers = { 'Cache-Control' => 'no-store' }
|
|
21
|
+
Rails.logger.info("endsession called with params: #{params}")
|
|
21
22
|
if jwt_valid?(params[:logout_token], 'http://schemas.openid.net/event/backchannel-logout')
|
|
22
23
|
payload, _header = JWT.decode(params[:logout_token], nil, false)
|
|
23
24
|
user_identity = payload['sub']
|
data/config/routes.rb
CHANGED
|
@@ -9,6 +9,7 @@ Rails.application.routes.draw do
|
|
|
9
9
|
|
|
10
10
|
devise_scope :user do
|
|
11
11
|
get 'users/sign_out', to: 'users/sessions#initiate_backchannel_logout'
|
|
12
|
+
post 'users/endsession', to: 'users/sessions#endsession'
|
|
12
13
|
|
|
13
14
|
unauthenticated do
|
|
14
15
|
root 'logins#index', as: :unauthenticated_root
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: strongmind-auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Team Belding
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-03-
|
|
11
|
+
date: 2024-03-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rails
|
|
@@ -94,34 +94,6 @@ dependencies:
|
|
|
94
94
|
- - ">="
|
|
95
95
|
- !ruby/object:Gem::Version
|
|
96
96
|
version: '0'
|
|
97
|
-
- !ruby/object:Gem::Dependency
|
|
98
|
-
name: rspec-rails
|
|
99
|
-
requirement: !ruby/object:Gem::Requirement
|
|
100
|
-
requirements:
|
|
101
|
-
- - ">="
|
|
102
|
-
- !ruby/object:Gem::Version
|
|
103
|
-
version: '0'
|
|
104
|
-
type: :development
|
|
105
|
-
prerelease: false
|
|
106
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
107
|
-
requirements:
|
|
108
|
-
- - ">="
|
|
109
|
-
- !ruby/object:Gem::Version
|
|
110
|
-
version: '0'
|
|
111
|
-
- !ruby/object:Gem::Dependency
|
|
112
|
-
name: factory_bot_rails
|
|
113
|
-
requirement: !ruby/object:Gem::Requirement
|
|
114
|
-
requirements:
|
|
115
|
-
- - ">="
|
|
116
|
-
- !ruby/object:Gem::Version
|
|
117
|
-
version: '0'
|
|
118
|
-
type: :development
|
|
119
|
-
prerelease: false
|
|
120
|
-
version_requirements: !ruby/object:Gem::Requirement
|
|
121
|
-
requirements:
|
|
122
|
-
- - ">="
|
|
123
|
-
- !ruby/object:Gem::Version
|
|
124
|
-
version: '0'
|
|
125
97
|
description: Ruby gem for StrongMind authentication in a strongmind app
|
|
126
98
|
email:
|
|
127
99
|
- teambelding@strongmind.com
|