RubyGems - usps-jwt_auth - Versions diffs - 1.2.0 → 1.2.2 - Mend

usps-jwt_auth 1.2.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/Gemfile.lock +1 -1
data/lib/usps/jwt_auth/concern.rb +15 -2
data/lib/usps/jwt_auth/decode.rb +18 -2
data/lib/usps/jwt_auth/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a248993ec7c0ad7e97d4bfcb7e89302f3366f7c3fd95c122f71d116f9c541bcf
-  data.tar.gz: ef4e072d124dd0f398fbb80202523c3a99b5a25220c48dfeaf27c8a732800259
+  metadata.gz: 17662af2194b354229fdc800d007e1121fb3a34dbb65bcf1a8e1df2ec0011087
+  data.tar.gz: 7a2017a06711cb9a4714b111a4a2ee85ca3ede7c7e9d0d851e098d1dd83fa302
 SHA512:
-  metadata.gz: f38759de429b850a32caa02b412fbbc644dca520f74422bef274fe30dc0f709b272057b81aaf411afce3a7c979bc550e1bb1531dbd228f0185fb6e12bff6ea73
-  data.tar.gz: 57c98a347480941fbf0f7c88a27252228eb0198d91ffb11f7259b5abf5dfb79f50b4c6db7113dbbe5fe5748ffa7a90a4fdc172268123741d6b27faec0023124c
+  metadata.gz: 33b3ce36812329c3d25a890fd1c5d0c8b591671fef159fd602276b5217f238c021e65c60512e1ea75dc5addc07d6b1f56b0b6c2329c027cfe79362f9752752c4
+  data.tar.gz: e7e2aed19988c5148ad9550e20b94e018ac1fad129704badbce18a35f027d9c5da231b1570d7eb9821d08838921af238fed223cdd7412b72e5f2b9dab69a7f41

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    usps-jwt_auth (1.2.0)
+    usps-jwt_auth (1.2.2)
       activesupport (~> 8.0)
       colorize (~> 1.1)
       fileutils (~> 1.7)

data/lib/usps/jwt_auth/concern.rb CHANGED Viewed

@@ -64,14 +64,21 @@ module Usps
       end
       def jwt_user
-        @jwt_user ||= JwtAuth.config.find_member.call(jwt['certificate']) if fetch_jwt
+        return unless fetch_jwt
+        # A blank certificate claim is malformed and must never resolve to a member
+        # (e.g. a stray blank-certificate row would otherwise authenticate as that record).
+        return if jwt['certificate'].blank?
+        @jwt_user ||= JwtAuth.config.find_member.call(jwt['certificate'])
       end
       def set_new_jwt
         return if params[:jwt].blank? || @set_new_jwt
         store_jwt(params[:jwt])
-        ensure_valid_jwt_has_valid_member!
+        # An unverifiable token (e.g. a key we cannot resolve) clears the jwt and returns
+        # nil; fall through so the visitor is sent to login rather than into the app.
+        return unless ensure_valid_jwt_has_valid_member!
         redirect_to_path!
         @set_new_jwt = true
@@ -124,6 +131,12 @@ module Usps
       def ensure_valid_jwt_has_valid_member!
         fetch_jwt
         jwt_user
+      rescue JWT::DecodeError
+        # The token cannot be verified (e.g. an unresolvable key). Drop it and report
+        # "not signed in" so the caller redirects to login — never let this escape as an
+        # unhandled 500, which the error page would re-trigger when it re-authenticates.
+        clear_jwt
+        @current_user = nil
       rescue ActiveRecord::RecordNotFound
         reset_session
         clear_jwt

data/lib/usps/jwt_auth/decode.rb CHANGED Viewed

@@ -9,6 +9,10 @@ module Usps
     # Decode and validate data from a JWT
     #
     class Decode
+      # Keep a slow or unreachable store from tying up the caller (e.g. a web worker).
+      OPEN_TIMEOUT = 2
+      READ_TIMEOUT = 2
       def self.decode(token, audience: [], issuer: nil)
         new.decode(token, audience: audience, issuer: issuer)
       end
@@ -75,15 +79,27 @@ module Usps
           raise JWT::VerificationError, 'Fetched public key does not match token fingerprint'
         end
+        cache_key(fingerprint, pem)
+        key
+      end
+      # Persist the verified key so the next decode skips the fetch — but best-effort: an
+      # unwritable cache dir (e.g. a read-only or wrong-owner deploy) must NOT fail a token
+      # we have already fetched and verified. On a write error we just refetch next time.
+      def cache_key(fingerprint, pem)
         path = cache_path(fingerprint)
         FileUtils.mkdir_p(File.dirname(path))
         File.write(path, pem)
-        key
+      rescue SystemCallError
+        nil
       end
       def http_get(url)
         uri = URI.parse(url)
-        response = Net::HTTP.get_response(uri)
+        response = Net::HTTP.start(
+          uri.host, uri.port,
+          use_ssl: uri.scheme == 'https', open_timeout: OPEN_TIMEOUT, read_timeout: READ_TIMEOUT
+        ) { |http| http.get(uri.request_uri) }
         raise "HTTP #{response.code} for #{url}" unless response.is_a?(Net::HTTPSuccess)
         response.body

data/lib/usps/jwt_auth/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Usps
   module JwtAuth
-    VERSION = '1.2.0'
+    VERSION = '1.2.2'
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: usps-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.2.2
 platform: ruby
 authors:
 - Julian Fiander