traitify 2.1.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f9a2fc61b25125bd280cbe82b3c1c0eb5562aca678c09a1852384c221b9cd51f
-  data.tar.gz: 3c4f1593e2ff811e884fd82855e4076c80e720a9da3682fe098747eca200ad05
+  metadata.gz: 1f53da4ace0d1005c2982c0e2681132c21a05e9d9365057eab89e488caf10d4f
+  data.tar.gz: be22aff51d262cc2c685cf51b957547ad5e4d0a4d16c4a15b47db7e3913cd130
 SHA512:
-  metadata.gz: 1912577c0370b0a9aa817cb13ea1c34b865a61532a3648359e58e7a1117bf87b89bc5c016b899db554d70c74a3c0b9038e1f70d586af01021ce6e916d9d043a6
-  data.tar.gz: 72a6ba2691c93b0acb9eb318e52e3389a8b769c4860c09b6de8cf804b9ff63f128e0ea2b8e7c65c7044628d366ccf3c5db5c9493c92bb484642f9e114c51563e
+  metadata.gz: 1ee8e51a6ad407827f7dc68c538278ce1a4f22e1a1891de56e275b8f2267a882c48327055d478b55e9bcc8753498c1ee681b6aff523297bc0c4dd202d13b5288
+  data.tar.gz: '08ffb2eabe9e9c7fc92a12ef81a1a03c71eb1fb83061c98819b1861bed669385f278fb30d4f040a611b65cd9a6499f6ce76dedf6e6d7613a5f4d587a19734a98'

data/Gemfile.lock

@@ -6,115 +6,147 @@ PATH
       faraday (~> 2.5)
       faraday-net_http (~> 3.0)
       faraday-retry (~> 2.2)
+      jwt (~> 2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.1.2)
+    activesupport (7.1.5.2)
       base64
+      benchmark (>= 0.3)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
       mutex_m
+      securerandom (>= 0.3)
       tzinfo (~> 2.0)
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
-    ast (2.4.2)
-    base64 (0.2.0)
-    bigdecimal (3.1.5)
-    binding_of_caller (1.0.0)
-      debug_inspector (>= 0.0.1)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    ast (2.4.3)
+    base64 (0.3.0)
+    benchmark (0.4.1)
+    bigdecimal (3.3.0)
+    binding_of_caller (1.0.1)
+      debug_inspector (>= 1.2.0)
     coderay (1.1.3)
-    concurrent-ruby (1.2.2)
-    connection_pool (2.4.1)
-    crack (0.4.5)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.4)
+    crack (1.0.0)
+      bigdecimal
       rexml
-    debug_inspector (1.1.0)
-    diff-lcs (1.5.0)
-    docile (1.4.0)
-    drb (2.2.0)
-      ruby2_keywords
+    debug_inspector (1.2.0)
+    diff-lcs (1.6.2)
+    docile (1.4.1)
+    drb (2.2.3)
     faraday (2.8.1)
       base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
-    faraday-retry (2.2.0)
+    faraday-retry (2.3.2)
       faraday (~> 2.0)
-    hashdiff (1.0.1)
-    i18n (1.14.1)
+    hashdiff (1.2.1)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    method_source (1.0.0)
-    minitest (5.20.0)
-    mutex_m (0.2.0)
-    parallel (1.22.1)
-    parser (3.1.2.1)
+    json (2.15.1)
+    jwt (2.10.2)
+      base64
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
+    method_source (1.1.0)
+    minitest (5.25.5)
+    mutex_m (0.3.0)
+    parallel (1.27.0)
+    parser (3.3.9.0)
       ast (~> 2.4.1)
-    pry (0.14.1)
+      racc
+    prism (1.5.1)
+    pry (0.15.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (5.0.0)
-    rack (3.0.7)
+    public_suffix (5.1.1)
+    racc (1.8.1)
+    rack (3.1.17)
     rainbow (3.1.1)
-    rake (13.0.6)
-    regexp_parser (2.5.0)
-    rexml (3.2.5)
-    rspec (3.11.0)
-      rspec-core (~> 3.11.0)
-      rspec-expectations (~> 3.11.0)
-      rspec-mocks (~> 3.11.0)
-    rspec-core (3.11.0)
-      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.0)
+    rake (13.3.0)
+    regexp_parser (2.11.3)
+    rexml (3.4.4)
+    rspec (3.13.1)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.5)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-mocks (3.11.1)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.11.0)
-    rspec-support (3.11.0)
-    rubocop (0.93.1)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.6)
+    rubocop (1.81.1)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
-      parser (>= 2.7.1.5)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8)
-      rexml
-      rubocop-ast (>= 0.6.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-airbnb (4.0.0)
-      rubocop (~> 0.93.1)
-      rubocop-performance (~> 1.10.2)
-      rubocop-rails (~> 2.9.1)
-      rubocop-rspec (~> 1.44.1)
-    rubocop-ast (1.21.0)
-      parser (>= 3.1.1.0)
-    rubocop-performance (1.10.2)
-      rubocop (>= 0.90.0, < 2.0)
-      rubocop-ast (>= 0.4.0)
-    rubocop-rails (2.9.1)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-airbnb (8.0.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72)
+      rubocop-capybara (~> 2.22)
+      rubocop-factory_bot (~> 2.27)
+      rubocop-performance (~> 1.24)
+      rubocop-rails (~> 2.30)
+      rubocop-rspec (~> 3.5)
+    rubocop-ast (1.47.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    rubocop-capybara (2.22.1)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    rubocop-factory_bot (2.27.1)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    rubocop-performance (1.26.0)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-rails (2.33.4)
       activesupport (>= 4.2.0)
+      lint_roller (~> 1.1)
       rack (>= 1.1)
-      rubocop (>= 0.90.0, < 2.0)
-    rubocop-rspec (1.44.1)
-      rubocop (~> 0.87)
-      rubocop-ast (>= 0.7.1)
-    rubocop-traitify (1.1.0)
-      rubocop-airbnb (~> 4.0.0)
-    ruby-progressbar (1.11.0)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-rspec (3.7.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    rubocop-traitify (1.3.0)
+      rubocop-airbnb (~> 8.0.0)
+    ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
+    securerandom (0.3.2)
     simplecov (0.21.2)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
-    simplecov-html (0.12.3)
+    simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (1.8.0)
-    webmock (3.18.1)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
+    webmock (3.25.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -136,4 +168,4 @@ DEPENDENCIES
   webmock (~> 3.18)
 
 BUNDLED WITH
-   2.2.33
+   2.3.16

data/lib/traitify/configuration.rb

@@ -1,15 +1,16 @@
 module Traitify
   module Configuration
     VALID_OPTIONS_KEYS = [
-      :host,
-      :public_key,
-      :secret_key,
-      :version,
       :auto_retry,
       :deck_id,
+      :host,
       :image_pack,
+      :jwt_public_keys,
       :locale_key,
-      :retry_options
+      :public_key,
+      :retry_options,
+      :secret_key,
+      :version
     ].freeze
 
     attr_accessor(*VALID_OPTIONS_KEYS)

data/lib/traitify/error.rb

@@ -37,8 +37,12 @@ module Traitify
   end
 
   class BadRequest < Error; end
+
   class Unauthorized < Error; end
+
   class NotFound < Error; end
+
   class UnprocessableEntity < Error; end
+
   class ServerError < Error; end
 end

data/lib/traitify/version.rb

@@ -1,3 +1,3 @@
 module Traitify
-  VERSION = "2.1.0".freeze
+  VERSION = "2.1.1".freeze
 end

data/lib/traitify.rb

@@ -1,5 +1,8 @@
 require "active_support"
 require "active_support/core_ext/object/deep_dup"
+require "ostruct"
+require "jwt"
+require "openssl"
 require "traitify/configuration"
 require "traitify/client"
 require "traitify/data"
@@ -33,9 +36,64 @@ module Traitify
       case level
       when :debug
         logger.debug message
+      when :warn
+        logger.warn message
+      when :error
+        logger.error message
       else
         logger.info message
       end
     end
+
+    def valid_jwt_token?(token)
+      algorithm = "RS256"
+      return false unless jwt_public_keys && jwt_public_keys.any?
+
+      public_keys = jwt_public_keys.map { |key| OpenSSL::PKey::RSA.new(key) }
+
+      public_keys.each do |public_key|
+        decoded_token = JWT.decode(token, public_key, true, {
+          algorithm: algorithm,
+          iss: "Traitify by Paradox",
+          verify_iss: true,
+          verify_iat: true,
+          verify_nbf: true,
+          verify_jti: true
+        })
+
+        payload = decoded_token[0]
+        validate_claims(payload)
+        return true
+      rescue JWT::ExpiredSignature, JWT::DecodeError, JWT::VerificationError => e
+        log(:warn, "[JWT] #{e.class.name}: #{e.message}")
+        next
+      rescue => e
+        log(:error, "[JWT] Unexpected error: #{e.class} - #{e.message}")
+        next
+      end
+
+      false
+    end
+
+    private
+
+    def validate_claims(payload)
+      current_time = Time.now.to_i
+
+      iat_value = payload["iat"] || payload[:iat]
+      if iat_value && iat_value > current_time
+        raise JWT::InvalidIatError.new("Token issued in the future")
+      end
+
+      nbf_value = payload["nbf"] || payload[:nbf]
+      if nbf_value && nbf_value > current_time
+        raise JWT::DecodeError.new("Token not yet valid")
+      end
+
+      jti_value = payload["jti"] || payload[:jti]
+      if jti_value.nil? || jti_value.empty?
+        raise JWT::DecodeError.new("Missing JWT ID (jti)")
+      end
+    end
   end
 end

data/spec/spec_helper.rb

@@ -1,6 +1,7 @@
 require "active_support"
 require "active_support/core_ext/object/conversions"
 require "active_support/core_ext/object/json"
+require "active_support/core_ext/numeric/time"
 require "webmock/rspec"
 require "pry"
 require "simplecov"

data/spec/traitify_spec.rb

@@ -0,0 +1,242 @@
+require "spec_helper"
+
+describe Traitify do
+  describe ".valid_jwt_token?" do
+    let(:private_key){ OpenSSL::PKey::RSA.new(2048) }
+    let(:public_key){ private_key.public_key }
+    let(:valid_payload) do
+      {
+        iss: "Traitify by Paradox",
+        iat: Time.now.to_i,
+        nbf: Time.now.to_i,
+        jti: "unique-token-id"
+      }
+    end
+
+    before do
+      Traitify.jwt_public_keys = [public_key.to_pem]
+    end
+
+    after do
+      Traitify.jwt_public_keys = nil
+    end
+
+    context "with valid token" do
+      let(:valid_token) do
+        JWT.encode(valid_payload, private_key, "RS256")
+      end
+
+      it "returns true" do
+        expect(Traitify.valid_jwt_token?(valid_token)).to be true
+      end
+    end
+
+    context "with invalid signature" do
+      let(:invalid_token) do
+        other_private_key = OpenSSL::PKey::RSA.new(2048)
+        JWT.encode(valid_payload, other_private_key, "RS256")
+      end
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?(invalid_token)).to be false
+      end
+    end
+
+    context "with malformed token" do
+      let(:malformed_token){ "not.a.valid.jwt" }
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?(malformed_token)).to be false
+      end
+    end
+
+    context "with expired token" do
+      let(:expired_payload) do
+        valid_payload.merge(iat: 1.hour.ago.to_i, exp: 1.hour.ago.to_i)
+      end
+      let(:expired_token) do
+        JWT.encode(expired_payload, private_key, "RS256")
+      end
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?(expired_token)).to be false
+      end
+    end
+
+    context "with wrong issuer" do
+      let(:wrong_issuer_payload) do
+        valid_payload.merge(iss: "Wrong Issuer")
+      end
+      let(:wrong_issuer_token) do
+        JWT.encode(wrong_issuer_payload, private_key, "RS256")
+      end
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?(wrong_issuer_token)).to be false
+      end
+    end
+
+    context "with multiple public keys" do
+      let(:legacy_private_key){ OpenSSL::PKey::RSA.new(2048) }
+      let(:legacy_public_key){ legacy_private_key.public_key }
+
+      before do
+        Traitify.jwt_public_keys = [public_key.to_pem, legacy_public_key.to_pem]
+      end
+
+      context "when token is signed with current key" do
+        let(:current_token) do
+          JWT.encode(valid_payload, private_key, "RS256")
+        end
+
+        it "returns true" do
+          expect(Traitify.valid_jwt_token?(current_token)).to be true
+        end
+      end
+
+      context "when token is signed with legacy key" do
+        let(:legacy_token) do
+          JWT.encode(valid_payload, legacy_private_key, "RS256")
+        end
+
+        it "returns true" do
+          expect(Traitify.valid_jwt_token?(legacy_token)).to be true
+        end
+      end
+    end
+
+    context "with future iat" do
+      let(:future_iat_payload) do
+        {
+          iss: "Traitify by Paradox",
+          iat: Time.now.to_i + 100,
+          nbf: Time.now.to_i - 50,
+          jti: "unique-token-id"
+        }
+      end
+      let(:future_iat_token) do
+        JWT.encode(future_iat_payload, private_key, "RS256")
+      end
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?(future_iat_token)).to be false
+      end
+    end
+
+    context "with future nbf" do
+      let(:future_nbf_payload) do
+        {
+          iss: "Traitify by Paradox",
+          iat: Time.now.to_i - 100,
+          nbf: Time.now.to_i + 50,
+          jti: "unique-token-id"
+        }
+      end
+      let(:future_nbf_token) do
+        JWT.encode(future_nbf_payload, private_key, "RS256")
+      end
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?(future_nbf_token)).to be false
+      end
+    end
+
+    context "with missing jti" do
+      let(:missing_jti_payload) do
+        {
+          iss: "Traitify by Paradox",
+          iat: Time.now.to_i - 100,
+          nbf: Time.now.to_i - 50
+        }
+      end
+      let(:missing_jti_token) do
+        JWT.encode(missing_jti_payload, private_key, "RS256")
+      end
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?(missing_jti_token)).to be false
+      end
+    end
+
+    context "with blank jti" do
+      let(:blank_jti_payload) do
+        {
+          iss: "Traitify by Paradox",
+          iat: Time.now.to_i - 100,
+          nbf: Time.now.to_i - 50,
+          jti: ""
+        }
+      end
+      let(:blank_jti_token) do
+        JWT.encode(blank_jti_payload, private_key, "RS256")
+      end
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?(blank_jti_token)).to be false
+      end
+    end
+
+    context "with nil jti" do
+      let(:nil_jti_payload) do
+        {
+          iss: "Traitify by Paradox",
+          iat: Time.now.to_i - 100,
+          nbf: Time.now.to_i - 50,
+          jti: nil
+        }
+      end
+      let(:nil_jti_token) do
+        JWT.encode(nil_jti_payload, private_key, "RS256")
+      end
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?(nil_jti_token)).to be false
+      end
+    end
+
+    context "with missing iat" do
+      let(:missing_iat_payload) do
+        {
+          iss: "Traitify by Paradox",
+          nbf: Time.now.to_i - 50,
+          jti: "unique-token-id"
+        }
+      end
+      let(:missing_iat_token) do
+        JWT.encode(missing_iat_payload, private_key, "RS256")
+      end
+
+      it "returns true" do
+        expect(Traitify.valid_jwt_token?(missing_iat_token)).to be true
+      end
+    end
+
+    context "with missing nbf" do
+      let(:missing_nbf_payload) do
+        {
+          iss: "Traitify by Paradox",
+          iat: Time.now.to_i - 100,
+          jti: "unique-token-id"
+        }
+      end
+      let(:missing_nbf_token) do
+        JWT.encode(missing_nbf_payload, private_key, "RS256")
+      end
+
+      it "returns true" do
+        expect(Traitify.valid_jwt_token?(missing_nbf_token)).to be true
+      end
+    end
+
+    context "when no public keys are configured" do
+      before do
+        Traitify.jwt_public_keys = nil
+      end
+
+      it "returns false" do
+        expect(Traitify.valid_jwt_token?("any.token")).to be false
+      end
+    end
+  end
+end
+

data/traitify.gemspec

@@ -22,13 +22,14 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency "faraday", "~> 2.5"
   spec.add_runtime_dependency "faraday-net_http", "~> 3.0"
   spec.add_runtime_dependency "faraday-retry", "~> 2.2"
+  spec.add_runtime_dependency "jwt", "~> 2.0"
 
   spec.add_development_dependency "binding_of_caller", "~> 1.0"
   spec.add_development_dependency "bundler", "~> 2.2"
   spec.add_development_dependency "pry", "~> 0.14"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.11"
-  spec.add_development_dependency "rubocop-traitify", "~> 1.10"
+  spec.add_development_dependency "rubocop-traitify", "~> 1.2"
   spec.add_development_dependency "simplecov", "~> 0.21.2"
   spec.add_development_dependency "webmock", "~> 3.18"
 end

metadata

@@ -1,16 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: traitify
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Tom Prats
 - Eric Fleming
 - Carson Wright
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-01-18 00:00:00.000000000 Z
+date: 2026-01-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -74,6 +74,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: binding_of_caller
   requirement: !ruby/object:Gem::Requirement
@@ -150,14 +164,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '1.2'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.10'
+        version: '1.2'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -255,12 +269,13 @@ files:
 - spec/traitify/error_spec.rb
 - spec/traitify/response_spec.rb
 - spec/traitify/version_spec.rb
+- spec/traitify_spec.rb
 - traitify.gemspec
 homepage: https://www.traitify.com
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -276,7 +291,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.4
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Traitify Gem
 test_files:
@@ -321,3 +336,4 @@ test_files:
 - spec/traitify/error_spec.rb
 - spec/traitify/response_spec.rb
 - spec/traitify/version_spec.rb
+- spec/traitify_spec.rb