stytch 10.36.0 → 10.37.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b5375f5cc73fc55e5a1ce59245ccc603c0a1016bd0b66a1345f66ed2cf1932e8
-  data.tar.gz: a0dc5c704106760e2933e5ecef5318f089cb6512833830a1d44daf386857c886
+  metadata.gz: 2636f56ed7d78577fb1ff81133a92fc1c0fb2500696f7921dcff85d6e79d7995
+  data.tar.gz: 932c0aa9dcef45bfb75a82516508bceac612f89a4b4a55e1555103017f80ba55
 SHA512:
-  metadata.gz: d2e8fce4daaeb98021b3acbaa8fb934453c6a90659f25c1ab81568647b8363c1f1af0bfc22cbf6b787f03017094309ffa77d0d7596a7ed5d78ae419abd58a244
-  data.tar.gz: 3463bf3f5bde80a5bccbeffc482af33ed86f9beca239f9e8fe4b038a5380b6e5952e20ffb05316aca7fbc4fb84e602803f5a8559db9e10482385edad570eacff
+  metadata.gz: 988ed498a5b30318230b13dd477125149ce76ca35bedab317843ce4b77f9ed0857d375f165e0268eb5d0877ae9ddda12f2fca221f2d82d95d14bb7dcf9f7e8e8
+  data.tar.gz: fa274f938a19f3f8241288467d7724e1a63a5c43695fdce8ea7626ce38e005ce76b71a7af799028356660728f8510abfb41d46ec31d3f999049adeea9354b852

data/lib/stytch/b2b_client.rb

@@ -23,6 +23,7 @@ require_relative 'b2b_totps'
 require_relative 'connected_apps'
 require_relative 'debug'
 require_relative 'fraud'
+require_relative 'jwks_cache'
 require_relative 'm2m'
 require_relative 'project'
 require_relative 'rbac_local'
@@ -33,7 +34,7 @@ module StytchB2B
 
     attr_reader :connected_app, :debug, :discovery, :fraud, :idp, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
 
-    def initialize(project_id:, secret:, env: nil, fraud_env: nil, timeout: nil, &block)
+    def initialize(project_id:, secret:, env: nil, fraud_env: nil, timeout: nil, jwks: nil, &block)
       @api_host = api_host(env, project_id)
       @fraud_api_host = fraud_api_host(fraud_env)
       @project_id = project_id
@@ -43,6 +44,8 @@ module StytchB2B
 
       create_connection(&block)
 
+      @jwks_cache = Stytch::JWKSCache.new(@connection, @project_id, jwks)
+
       rbac = StytchB2B::RBAC.new(@connection)
       @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
 
@@ -50,9 +53,9 @@ module StytchB2B
       @debug = Stytch::Debug.new(@connection)
       @discovery = StytchB2B::Discovery.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
-      @idp = StytchB2B::IDP.new(@connection, @project_id, @policy_cache)
+      @idp = StytchB2B::IDP.new(@connection, @project_id, @jwks_cache, @policy_cache)
       @impersonation = StytchB2B::Impersonation.new(@connection)
-      @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client)
+      @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client, @jwks_cache)
       @magic_links = StytchB2B::MagicLinks.new(@connection)
       @oauth = StytchB2B::OAuth.new(@connection)
       @otps = StytchB2B::OTPs.new(@connection)
@@ -63,7 +66,7 @@ module StytchB2B
       @recovery_codes = StytchB2B::RecoveryCodes.new(@connection)
       @scim = StytchB2B::SCIM.new(@connection)
       @sso = StytchB2B::SSO.new(@connection)
-      @sessions = StytchB2B::Sessions.new(@connection, @project_id, @policy_cache)
+      @sessions = StytchB2B::Sessions.new(@connection, @project_id, @jwks_cache, @policy_cache)
       @totps = StytchB2B::TOTPs.new(@connection)
     end
 

data/lib/stytch/b2b_idp.rb

@@ -16,24 +16,13 @@ module StytchB2B
     include Stytch::RequestHelper
     attr_reader :oauth
 
-    def initialize(connection, project_id, policy_cache)
+    def initialize(connection, project_id, jwks_cache, policy_cache)
       @connection = connection
 
       @oauth = StytchB2B::IDP::OAuth.new(@connection)
       @policy_cache = policy_cache
       @project_id = project_id
-      @cache_last_update = 0
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
+      @jwks_cache = jwks_cache
     end
 
     # MANUAL(IDP::introspect_token_network)(SERVICE_METHOD)
@@ -199,7 +188,7 @@ module StytchB2B
           true,
           {
             algorithms: ['RS256'],
-            jwks: @jwks_loader,
+            jwks: @jwks_cache.loader,
             iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
             aud: @project_id
           }

data/lib/stytch/b2b_sessions.rb

@@ -34,23 +34,12 @@ module StytchB2B
 
     include Stytch::RequestHelper
 
-    def initialize(connection, project_id, policy_cache)
+    def initialize(connection, project_id, jwks_cache, policy_cache)
       @connection = connection
 
       @policy_cache = policy_cache
       @project_id = project_id
-      @cache_last_update = 0
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
+      @jwks_cache = jwks_cache
     end
 
     # Retrieves all active Sessions for a Member.
@@ -706,7 +695,7 @@ module StytchB2B
 
       begin
         decoded_token = JWT.decode session_jwt, nil, true,
-                                   { jwks: @jwks_loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
+                                   { jwks: @jwks_cache.loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
 
         session = decoded_token[0]
         iat_time = Time.at(session['iat']).to_datetime

data/lib/stytch/client.rb

@@ -12,6 +12,7 @@ require_relative 'debug'
 require_relative 'fraud'
 require_relative 'idp'
 require_relative 'impersonation'
+require_relative 'jwks_cache'
 require_relative 'm2m'
 require_relative 'magic_links'
 require_relative 'oauth'
@@ -31,7 +32,7 @@ module Stytch
 
     attr_reader :connected_app, :crypto_wallets, :debug, :fraud, :idp, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :rbac, :sessions, :totps, :users, :webauthn
 
-    def initialize(project_id:, secret:, env: nil, fraud_env: nil, timeout: nil, &block)
+    def initialize(project_id:, secret:, env: nil, fraud_env: nil, timeout: nil, jwks: nil, &block)
       @api_host = api_host(env, project_id)
       @fraud_api_host = fraud_api_host(fraud_env)
       @project_id = project_id
@@ -41,6 +42,8 @@ module Stytch
 
       create_connection(&block)
 
+      @jwks_cache = Stytch::JWKSCache.new(@connection, @project_id, jwks)
+
       rbac = Stytch::RBAC.new(@connection)
       @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
 
@@ -48,16 +51,16 @@ module Stytch
       @crypto_wallets = Stytch::CryptoWallets.new(@connection)
       @debug = Stytch::Debug.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
-      @idp = Stytch::IDP.new(@connection, @project_id, @policy_cache)
+      @idp = Stytch::IDP.new(@connection, @project_id, @jwks_cache, @policy_cache)
       @impersonation = Stytch::Impersonation.new(@connection)
-      @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client)
+      @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client, @jwks_cache)
       @magic_links = Stytch::MagicLinks.new(@connection)
       @oauth = Stytch::OAuth.new(@connection)
       @otps = Stytch::OTPs.new(@connection)
       @passwords = Stytch::Passwords.new(@connection)
       @project = Stytch::Project.new(@connection)
       @rbac = Stytch::RBAC.new(@connection)
-      @sessions = Stytch::Sessions.new(@connection, @project_id, @policy_cache)
+      @sessions = Stytch::Sessions.new(@connection, @project_id, @jwks_cache, @policy_cache)
       @totps = Stytch::TOTPs.new(@connection)
       @users = Stytch::Users.new(@connection)
       @webauthn = Stytch::WebAuthn.new(@connection)

data/lib/stytch/idp.rb

@@ -16,24 +16,13 @@ module Stytch
     include Stytch::RequestHelper
     attr_reader :oauth
 
-    def initialize(connection, project_id, policy_cache)
+    def initialize(connection, project_id, jwks_cache, policy_cache)
       @connection = connection
 
       @oauth = Stytch::IDP::OAuth.new(@connection)
       @policy_cache = policy_cache
       @project_id = project_id
-      @cache_last_update = 0
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
+      @jwks_cache = jwks_cache
     end
 
     # MANUAL(IDP::introspect_token_network)(SERVICE_METHOD)
@@ -188,7 +177,7 @@ module Stytch
           true,
           {
             algorithms: ['RS256'],
-            jwks: @jwks_loader,
+            jwks: @jwks_cache.loader,
             iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
             aud: @project_id
           }

data/lib/stytch/jwks_cache.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require_relative 'request_helper'
+
+module Stytch
+  # JWKSCache handles caching and refreshing of JSON Web Key Sets (JWKS)
+  # for JWT signature verification. It can be initialized with pre-cached
+  # keys or will fetch them on-demand from the Stytch API.
+  class JWKSCache
+    include Stytch::RequestHelper
+
+    CACHE_EXPIRY_SECONDS = 300 # 5 minutes
+
+    def initialize(connection, project_id, jwks = nil)
+      @connection = connection
+      @project_id = project_id
+      @cache_last_update = 0
+
+      # If jwks are provided during initialization, use them directly
+      return unless jwks
+
+      @cached_keys = { keys: jwks }
+      @cache_last_update = Time.now.to_i
+    end
+
+    # Returns a lambda suitable for use with JWT.decode
+    def loader
+      lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - CACHE_EXPIRY_SECONDS
+        @cached_keys ||= begin
+          @cache_last_update = Time.now.to_i
+          keys = []
+          get_jwks(project_id: @project_id)['keys'].each do |r|
+            keys << r
+          end
+          { keys: keys }
+        end
+      end
+    end
+
+    # Fetches JWKS from the Stytch API
+    def get_jwks(project_id:)
+      request_with_query_params(
+        @connection,
+        '/v1/sessions/jwks/%<project_id>s',
+        {
+          project_id: project_id
+        }
+      )
+    end
+  end
+end

data/lib/stytch/m2m.rb

@@ -13,24 +13,13 @@ module Stytch
     include Stytch::RequestHelper
     attr_reader :clients
 
-    def initialize(connection, project_id, is_b2b_client)
+    def initialize(connection, project_id, is_b2b_client, jwks_cache)
       @connection = connection
 
       @clients = Stytch::M2M::Clients.new(@connection)
       @project_id = project_id
-      @cache_last_update = 0
+      @jwks_cache = jwks_cache
       @is_b2b_client = is_b2b_client
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
     end
 
     # MANUAL(M2M::get_jwks)(SERVICE_METHOD)
@@ -190,7 +179,7 @@ module Stytch
 
       begin
         decoded_token = JWT.decode jwt, nil, true,
-                                   { jwks: @jwks_loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
+                                   { jwks: @jwks_cache.loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
         decoded_token[0]
       rescue JWT::InvalidIssuerError
         raise JWTInvalidIssuerError

data/lib/stytch/sessions.rb

@@ -15,23 +15,12 @@ module Stytch
   class Sessions
     include Stytch::RequestHelper
 
-    def initialize(connection, project_id, policy_cache)
+    def initialize(connection, project_id, jwks_cache, policy_cache)
       @connection = connection
 
       @policy_cache = policy_cache
       @project_id = project_id
-      @cache_last_update = 0
-      @jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        @cached_keys ||= begin
-          @cache_last_update = Time.now.to_i
-          keys = []
-          get_jwks(project_id: @project_id)['keys'].each do |r|
-            keys << r
-          end
-          { keys: keys }
-        end
-      end
+      @jwks_cache = jwks_cache
     end
 
     # List all active Sessions for a given `user_id`. All timestamps are formatted according to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
@@ -514,7 +503,7 @@ module Stytch
 
       begin
         decoded_token = JWT.decode session_jwt, nil, true,
-                                   { jwks: @jwks_loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
+                                   { jwks: @jwks_cache.loader, iss: valid_issuers, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
 
         session = decoded_token[0]
         iat_time = Time.at(session['iat']).to_datetime

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.36.0'
+  VERSION = '10.37.0'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 10.36.0
+  version: 10.37.0
 platform: ruby
 authors:
 - stytch
@@ -147,6 +147,7 @@ files:
 - lib/stytch/fraud.rb
 - lib/stytch/idp.rb
 - lib/stytch/impersonation.rb
+- lib/stytch/jwks_cache.rb
 - lib/stytch/m2m.rb
 - lib/stytch/magic_links.rb
 - lib/stytch/method_options.rb