usps-jwt_auth 1.1.0 → 1.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: be13d7639636f1abce28a82c032ea04883808bec8bb3925060f3f2071e1bf3ef
-  data.tar.gz: 8486bf2584dbcc901f00e17ef059ec3125db036f76f7c81080d68125177f50b0
+  metadata.gz: 8c900a7d07163d9ac0be04b7c4ae2ef44a60e02fc081ccd6c776bd056445e2e8
+  data.tar.gz: db7b6e04885c6b2ab24e4a6a05af456466e5f33efa39b85e77741523fa95d186
 SHA512:
-  metadata.gz: 2a8d5e69bd26ed1a65da6f4c7beb907aa570e7ae1942c4f256fee3c42e8f39bdcbc938018b626825ac77e5d50a64d6b994534361acfac8fda025c2681f39d4a3
-  data.tar.gz: 5fc08818ac1c3cd4b13b1005f294d6bfd0d3837fc03fd0609c74235cf9de706d5311fc01aaa44cb3cda34edcad22636f56807f6a0ac7d5e7e7b5c79a43048f5f
+  metadata.gz: cf1fb79f6441f3571aacd5e2bd2c888a3125fc52c3c5c9a59f7a78bc7c4d0eacd314973976b12d4abdc3703e4cc2ba4d8083fab2fa2fa3fa48c42ae2fc87e02c
+  data.tar.gz: 96c07d7c4689b3818f8cf4d497bed1b17b77fc46aa584583a663beb5d00609e4c65306fb8c5503a95bb85ba87b1ea1f01e9a6f7d1676cb48e54d6248f1b20bcd

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    usps-jwt_auth (1.1.0)
+    usps-jwt_auth (1.2.1)
       activesupport (~> 8.0)
       colorize (~> 1.1)
       fileutils (~> 1.7)

data/README.md

@@ -39,11 +39,35 @@ Usps::JwtAuth.configure do |config|
   config.issuer_base = 'usps:1'    # ENV['JWT_ISSUER_BASE'] # 'usps:1'
   config.issuers     = ['admin:1'] # ENV['JWT_ISSUERS']     # []
 
+  # Base URL of the shared public-key store (see "Public key resolution").
+  config.public_keys_url = 'https://keys.aws.usps.org' # ENV['JWT_PUBLIC_KEYS_URL'] # nil
+
+  # Optional. Called as `publisher.call(fingerprint, pem)` when an issuer writes a
+  # new public key, so it can be pushed to the shared store. Defaults to nil (no-op).
+  config.publisher = ->(fingerprint, pem) { S3.put("#{fingerprint}.pub", pem) }
+
   config.is_admin = ->(user) { Pundit.policy(user, :admin).admin? }
   config.find_member = ->(certificate) { Members::Member.find(certificate) }
 end
 ```
 
+## Public key resolution
+
+A token names its signing key by an SSH SHA256 fingerprint (the `key` claim),
+which is content-addressed — a fingerprint maps to exactly one key, forever.
+
+When decoding, the gem first looks for `<fingerprint>.pub` under `public_keys_path`
+(the local cache). On a miss, if `public_keys_url` is set, it fetches
+`<public_keys_url>/<fingerprint>.pub` once, **verifies the fetched key reproduces
+the fingerprint** (so the store is an untrusted cache that cannot forge keys),
+caches it under `public_keys_path`, and uses it. With no `public_keys_url` set,
+only locally cached keys are used.
+
+Issuers publish keys to that same store: set `publisher` and the gem pushes each
+newly written public key on encode. Because keys are content-addressed, rotation
+needs no consumer changes — a new key is published and consumers fetch it on first
+sight.
+
 ## Usage
 
 ```ruby

data/lib/usps/jwt_auth/concern.rb

@@ -71,7 +71,9 @@ module Usps
         return if params[:jwt].blank? || @set_new_jwt
 
         store_jwt(params[:jwt])
-        ensure_valid_jwt_has_valid_member!
+        # An unverifiable token (e.g. a key we cannot resolve) clears the jwt and returns
+        # nil; fall through so the visitor is sent to login rather than into the app.
+        return unless ensure_valid_jwt_has_valid_member!
 
         redirect_to_path!
         @set_new_jwt = true
@@ -124,6 +126,12 @@ module Usps
       def ensure_valid_jwt_has_valid_member!
         fetch_jwt
         jwt_user
+      rescue JWT::DecodeError
+        # The token cannot be verified (e.g. an unresolvable key). Drop it and report
+        # "not signed in" so the caller redirects to login — never let this escape as an
+        # unhandled 500, which the error page would re-trigger when it re-authenticates.
+        clear_jwt
+        @current_user = nil
       rescue ActiveRecord::RecordNotFound
         reset_session
         clear_jwt

data/lib/usps/jwt_auth/config.rb

@@ -7,7 +7,8 @@ module Usps
     class Config
       REQUIRED_OPTIONS = %i[audience is_admin find_member].freeze
 
-      attr_accessor :key_size, :algorithm, :issuer_base, :issuers, :audience, :is_admin, :find_member
+      attr_accessor :key_size, :algorithm, :issuer_base, :issuers, :audience, :is_admin, :find_member,
+                    :public_keys_url, :publisher
       attr_reader :environment
 
       def initialize
@@ -19,6 +20,11 @@ module Usps
         @issuer_base = ENV.fetch('JWT_ISSUER_BASE', 'usps:1')
         @issuers = ENV.fetch('JWT_ISSUERS', [])
         @audience = ENV.fetch('JWT_AUDIENCE', nil)
+        # Base URL of the shared public-key store (CloudFront). Consumers fetch
+        # "<public_keys_url>/<fingerprint>.pub" on a local cache miss. nil disables fetching.
+        # `publisher` (defaults to nil) is an optional callable invoked as
+        # publisher.call(fingerprint, pem) when an issuer writes a new public key.
+        @public_keys_url = ENV.fetch('JWT_PUBLIC_KEYS_URL', nil)
 
         yield self if block_given? # Also support setting options on initialize
       end

data/lib/usps/jwt_auth/decode.rb

@@ -1,10 +1,18 @@
 # frozen_string_literal: true
 
+require 'net/http'
+require 'uri'
+require 'fileutils'
+
 module Usps
   module JwtAuth
     # Decode and validate data from a JWT
     #
     class Decode
+      # Keep a slow or unreachable store from tying up the caller (e.g. a web worker).
+      OPEN_TIMEOUT = 2
+      READ_TIMEOUT = 2
+
       def self.decode(token, audience: [], issuer: nil)
         new.decode(token, audience: audience, issuer: issuer)
       end
@@ -32,12 +40,69 @@ module Usps
 
     private
 
+      # Resolve the public key the token names by its fingerprint. Fast path is the local
+      # cache; on a miss we fetch it once from the shared store and cache it permanently
+      # (a fingerprint maps to one key forever). The store is treated as untrusted — see
+      # cache_verified_key — so a tampered key can never be trusted.
       def public_key(token)
-        OpenSSL::PKey::RSA.new(File.read("#{JwtAuth.config.public_keys_path}/#{fingerprint(token)}.pub"))
+        fingerprint = fingerprint(token)
+        OpenSSL::PKey::RSA.new(File.read(cache_path(fingerprint)))
       rescue Errno::ENOENT
-        # No public key matches the token's fingerprint (e.g. a stale token after key rotation),
-        # so the token cannot be verified and is treated as invalid.
-        raise JWT::VerificationError, 'No public key for token fingerprint'
+        fetch_public_key(fingerprint)
+      end
+
+      def cache_path(fingerprint)
+        "#{JwtAuth.config.public_keys_path}/#{fingerprint}.pub"
+      end
+
+      # Fetch the named key from the shared store, verify it, and cache it locally.
+      def fetch_public_key(fingerprint)
+        url = JwtAuth.config.public_keys_url
+        # No store configured, so a missing local key cannot be resolved (e.g. a stale token
+        # after rotation): the token cannot be verified and is treated as invalid.
+        raise JWT::VerificationError, 'No public key for token fingerprint' unless url
+
+        pem = http_get("#{url}/#{fingerprint}.pub")
+        cache_verified_key(fingerprint, pem)
+      rescue JWT::VerificationError
+        raise
+      rescue StandardError => e
+        raise JWT::VerificationError, "Could not fetch public key for token fingerprint: #{e.message}"
+      end
+
+      # Trust nothing the store returns until the key reproduces the fingerprint the token
+      # names. Without this check a compromised store/CDN could serve an attacker key under a
+      # known fingerprint and forge valid tokens. Only verified keys are written to the cache.
+      def cache_verified_key(fingerprint, pem)
+        key = OpenSSL::PKey::RSA.new(pem)
+        unless Fingerprint.for(key.public_key) == fingerprint
+          raise JWT::VerificationError, 'Fetched public key does not match token fingerprint'
+        end
+
+        cache_key(fingerprint, pem)
+        key
+      end
+
+      # Persist the verified key so the next decode skips the fetch — but best-effort: an
+      # unwritable cache dir (e.g. a read-only or wrong-owner deploy) must NOT fail a token
+      # we have already fetched and verified. On a write error we just refetch next time.
+      def cache_key(fingerprint, pem)
+        path = cache_path(fingerprint)
+        FileUtils.mkdir_p(File.dirname(path))
+        File.write(path, pem)
+      rescue SystemCallError
+        nil
+      end
+
+      def http_get(url)
+        uri = URI.parse(url)
+        response = Net::HTTP.start(
+          uri.host, uri.port,
+          use_ssl: uri.scheme == 'https', open_timeout: OPEN_TIMEOUT, read_timeout: READ_TIMEOUT
+        ) { |http| http.get(uri.request_uri) }
+        raise "HTTP #{response.code} for #{url}" unless response.is_a?(Net::HTTPSuccess)
+
+        response.body
       end
 
       def fingerprint(token)

data/lib/usps/jwt_auth/encode.rb

@@ -30,34 +30,14 @@ module Usps
         @public_key ||= private_key.public_key
       end
 
-      # OpenSSH-style SHA256 key fingerprint: base64url(SHA256(ssh-rsa wire blob)),
-      # i.e. the value `ssh-keygen -lf` prints as `SHA256:...`. This matches the key
-      # filenames and `key` claim that the consuming apps already recognize.
+      # The OpenSSH-style SHA256 fingerprint of this key — see Fingerprint. Stamped onto
+      # the token's `key` claim so consumers can resolve and verify the matching public key.
       def fingerprint
-        digest = OpenSSL::Digest::SHA256.digest(ssh_public_blob)
-        [digest].pack('m0').tr('+/', '-_').delete('=')
+        Fingerprint.for(public_key)
       end
 
     private
 
-      # Public key in the OpenSSH wire format: string('ssh-rsa') + mpint(e) + mpint(n).
-      def ssh_public_blob
-        ssh_string('ssh-rsa') + ssh_mpint(public_key.e) + ssh_mpint(public_key.n)
-      end
-
-      # SSH "string": 4-byte big-endian length prefix followed by the bytes.
-      def ssh_string(bytes)
-        [bytes.bytesize].pack('N') + bytes.b
-      end
-
-      # SSH "mpint": a length-prefixed big-endian integer; a leading zero byte is
-      # prepended when the high bit is set so the value stays non-negative.
-      def ssh_mpint(num)
-        bytes = num.to_s(2)
-        bytes = "\x00".b + bytes if bytes.bytes.first && bytes.bytes.first >= 0x80
-        ssh_string(bytes)
-      end
-
       def expires_at
         ::Time.now.to_i + @expiration_time
       end
@@ -94,6 +74,14 @@ module Usps
 
         File.open(path, 'w+') { |f| f.puts(public_key) }
         ::FileUtils.chmod(0o644, path)
+        publish_public_key
+      end
+
+      # Push the freshly written public key to the shared store, if a publisher is wired
+      # in, so consumers can resolve this fingerprint without a manual sync. Re-publishing
+      # an existing fingerprint is a harmless no-op for the store.
+      def publish_public_key
+        JwtAuth.config.publisher&.call(fingerprint, public_key.to_pem)
       end
 
       def generate_private_key

data/lib/usps/jwt_auth/fingerprint.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Usps
+  module JwtAuth
+    # OpenSSH-style SHA256 key fingerprint: base64url(SHA256(ssh-rsa wire blob)),
+    # i.e. the value `ssh-keygen -lf` prints as `SHA256:...`. This is the identifier
+    # used for key filenames and the JWT `key` claim, and it is content-addressed: a
+    # given fingerprint maps to exactly one public key, forever. Encode stamps it onto
+    # tokens; Decode uses it to verify a fetched key really is the key the token names.
+    module Fingerprint
+      class << self
+        def for(public_key)
+          digest = OpenSSL::Digest::SHA256.digest(ssh_public_blob(public_key))
+          [digest].pack('m0').tr('+/', '-_').delete('=')
+        end
+
+      private
+
+        # Public key in the OpenSSH wire format: string('ssh-rsa') + mpint(e) + mpint(n).
+        def ssh_public_blob(public_key)
+          ssh_string('ssh-rsa') + ssh_mpint(public_key.e) + ssh_mpint(public_key.n)
+        end
+
+        # SSH "string": 4-byte big-endian length prefix followed by the bytes.
+        def ssh_string(bytes)
+          [bytes.bytesize].pack('N') + bytes.b
+        end
+
+        # SSH "mpint": a length-prefixed big-endian integer; a leading zero byte is
+        # prepended when the high bit is set so the value stays non-negative.
+        def ssh_mpint(num)
+          bytes = num.to_s(2)
+          bytes = "\x00".b + bytes if bytes.bytes.first && bytes.bytes.first >= 0x80
+          ssh_string(bytes)
+        end
+      end
+    end
+  end
+end

data/lib/usps/jwt_auth/version.rb

@@ -2,6 +2,6 @@
 
 module Usps
   module JwtAuth
-    VERSION = '1.1.0'
+    VERSION = '1.2.1'
   end
 end

data/lib/usps/jwt_auth.rb

@@ -33,6 +33,7 @@ end
 # Internal requires
 require_relative 'jwt_auth/version'
 require_relative 'jwt_auth/config'
+require_relative 'jwt_auth/fingerprint'
 require_relative 'jwt_auth/encode'
 require_relative 'jwt_auth/decode'
 require_relative 'jwt_auth/incorrect_login'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: usps-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.1
 platform: ruby
 authors:
 - Julian Fiander
@@ -86,6 +86,7 @@ files:
 - lib/usps/jwt_auth/config.rb
 - lib/usps/jwt_auth/decode.rb
 - lib/usps/jwt_auth/encode.rb
+- lib/usps/jwt_auth/fingerprint.rb
 - lib/usps/jwt_auth/incorrect_login.rb
 - lib/usps/jwt_auth/railtie.rb
 - lib/usps/jwt_auth/version.rb