usps-jwt_auth 1.2.0 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/lib/usps/jwt_auth/concern.rb +9 -1
- data/lib/usps/jwt_auth/decode.rb +18 -2
- data/lib/usps/jwt_auth/version.rb +1 -1
- metadata +1 -1
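--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8c900a7d07163d9ac0be04b7c4ae2ef44a60e02fc081ccd6c776bd056445e2e8
+data.tar.gz: db7b6e04885c6b2ab24e4a6a05af456466e5f33efa39b85e77741523fa95d186
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cf1fb79f6441f3571aacd5e2bd2c888a3125fc52c3c5c9a59f7a78bc7c4d0eacd314973976b12d4abdc3703e4cc2ba4d8083fab2fa2fa3fa48c42ae2fc87e02c
+data.tar.gz: 96c07d7c4689b3818f8cf4d497bed1b17b77fc46aa584583a663beb5d00609e4c65306fb8c5503a95bb85ba87b1ea1f01e9a6f7d1676cb48e54d6248f1b20bcd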
data/Gemfile.lock
CHANGED
|
@@ -71,7 +71,9 @@ module Usps
|
|
|
71
71
|
return if params[:jwt].blank? || @set_new_jwt
|
|
72
72
|
|
|
73
73
|
store_jwt(params[:jwt])
|
|
74
|
-
|
|
74
|
+
# An unverifiable token (e.g. a key we cannot resolve) clears the jwt and returns
|
|
75
|
+
# nil; fall through so the visitor is sent to login rather than into the app.
|
|
76
|
+
return unless ensure_valid_jwt_has_valid_member!
|
|
75
77
|
|
|
76
78
|
redirect_to_path!
|
|
77
79
|
@set_new_jwt = true
|
|
@@ -124,6 +126,12 @@ module Usps
|
|
|
124
126
|
def ensure_valid_jwt_has_valid_member!
|
|
125
127
|
fetch_jwt
|
|
126
128
|
jwt_user
|
|
129
|
+
rescue JWT::DecodeError
|
|
130
|
+
# The token cannot be verified (e.g. an unresolvable key). Drop it and report
|
|
131
|
+
# "not signed in" so the caller redirects to login — never let this escape as an
|
|
132
|
+
# unhandled 500, which the error page would re-trigger when it re-authenticates.
|
|
133
|
+
clear_jwt
|
|
134
|
+
@current_user = nil
|
|
127
135
|
rescue ActiveRecord::RecordNotFound
|
|
128
136
|
reset_session
|
|
129
137
|
clear_jwt
|
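Review bot: The new `rescue JWT::DecodeError` at new line 129 drops the token without any log line, so a signature or fingerprint mismatch (`JWT::VerificationError`, a `JWT::DecodeError` subclass in ruby-jwt) is indistinguishable from a routinely expired token and neither is visible to monitoring. Capture the exception and record its class before clearing: `rescue JWT::DecodeError => e` / `logger.warn("jwt rejected: #{e.class}")`, assuming the concern has a `logger` alongside the other controller helpers it already uses (`params`, `reset_session`). Returning `nil` from the rescue branch is what makes the caller's new `return unless ensure_valid_jwt_has_valid_member!` fall through to login, so `@current_user = nil` must stay the branch's last expression. The method's `rescue ActiveRecord::RecordNotFound` branch continues past the end of the hunk, and this section is headed `data/Gemfile.lock` on the page although its content is the concern's Ruby — likely a rendering mix-up with the `concern.rb +9 -1` diffstat entry.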
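--- a/data/lib/usps/jwt_auth/decode.rb
+++ b/data/lib/usps/jwt_auth/decode.rb
@@ -9,6 +9,10 @@ module Usps
 # Decode and validate data from a JWT
 #
 class Decode
+# Keep a slow or unreachable store from tying up the caller (e.g. a web worker).
+OPEN_TIMEOUT = 2
+READ_TIMEOUT = 2
+
 def self.decode(token, audience: [], issuer: nil)
 new.decode(token, audience: audience, issuer: issuer)
 end
@@ -75,15 +79,27 @@ module Usps
 raise JWT::VerificationError, 'Fetched public key does not match token fingerprint'
 end
 
+cache_key(fingerprint, pem)
+key
+end
+
+# Persist the verified key so the next decode skips the fetch — but best-effort: an
+# unwritable cache dir (e.g. a read-only or wrong-owner deploy) must NOT fail a token
+# we have already fetched and verified. On a write error we just refetch next time.
+def cache_key(fingerprint, pem)
 path = cache_path(fingerprint)
 FileUtils.mkdir_p(File.dirname(path))
 File.write(path, pem)
-
+rescue SystemCallError
+nil
 end
 
 def http_get(url)
 uri = URI.parse(url)
-response = Net::HTTP.
+response = Net::HTTP.start(
+uri.host, uri.port,
+use_ssl: uri.scheme == 'https', open_timeout: OPEN_TIMEOUT, read_timeout: READ_TIMEOUT
+) { |http| http.get(uri.request_uri) }
 raise "HTTP #{response.code} for #{url}" unless response.is_a?(Net::HTTPSuccess)
 
 response.body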
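Review bot: The timeouts added to `http_get` (new lines 99–102) raise `Net::OpenTimeout`/`Net::ReadTimeout`, and the unchanged `raise "HTTP #{response.code} for #{url}"` raises a bare `RuntimeError`; none of these is a `JWT::DecodeError`, so a slow or failing key store still escapes the `rescue JWT::DecodeError` the concern gains in this same release and surfaces as a 500 — unless a wrapper outside this hunk already translates them. Convert at the boundary inside `http_get`: `rescue Net::OpenTimeout, Net::ReadTimeout, SocketError, SystemCallError => e` / `raise JWT::DecodeError, "key fetch failed: #{e.class}"`, and use `raise JWT::DecodeError, "HTTP #{response.code} for #{url}"` for the non-2xx case so every key-fetch failure maps to "not signed in" rather than an error page. `cache_key` writes to a path that `cache_path` derives from `fingerprint`; because the write now runs only after the fingerprint check at new line 79, the value has been matched against the fetched key, but `cache_path` (outside the hunk) should still reject anything other than a hex digest before joining it to the cache directory. The `rescue SystemCallError` / `nil` in `cache_key` is the right shape for a best-effort cache, but a one-line `warn`-level log there would make a persistently unwritable cache dir (and the resulting fetch on every request) diagnosable.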