usps-support 0.2.37 → 0.2.38
- checksums.yaml +4 -4
- data/config/routes.rb +7 -0
- data/lib/usps/support/engine.rb +1 -0
- data/lib/usps/support/sidekiq_auth.rb +83 -0
- data/lib/usps/support/version.rb +1 -1
- metadata +2 -1
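--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6deaa8a3f89d025d0ae50d5d2d04b9167c352cfc01bab8bd10e31ede841bfc70
+data.tar.gz: 8778454efe042569391298d76e752fce21f957754d367e284439634a74e2fce4
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: fb518162fa4730a79a96d9ad517f6a923d444db44a29f1ab834644c91937abc68070dd51bb86e93214d3684b7342c29aa09e6e52c82a314723a9b2ff44e0a170
+data.tar.gz: 327b03a16b1738f6a70cc86c9dc35f10b730b9bf3a6ee89661ac1f84ff81f93117025ef5a842b5c1f7839660da20c4b85c7a143d76b1e6afe272ed65c90b5bcc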
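--- a/data/config/routes.rb
+++ b/data/config/routes.rb
@@ -1,4 +1,11 @@
 Usps::Support::Engine.routes.draw do
+if defined?(Sidekiq::Web)
+unless Sidekiq::Web.middlewares.any? { it.first == Usps::Support::SidekiqAuth }
+Sidekiq::Web.use(Usps::Support::SidekiqAuth)
+end
+mount Sidekiq::Web => '/sidekiq'
+end
+
 resource :admin, only: [], controller: 'usps/support/admins' do
 collection do
 post :impersonate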
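Review bot: The `it` implicit block parameter on new line 3 only parses as a block parameter on Ruby 3.4+; on earlier Rubies it resolves to a method call and raises NameError the moment the engine's routes are drawn, so unless the gemspec already requires >= 3.4 (not visible in this diff) the portable form is `unless Sidekiq::Web.middlewares.any? { |mw| mw.first == Usps::Support::SidekiqAuth }`. The guard assumes `Sidekiq::Web.middlewares` entries are `[klass, args, block]` tuples with the class first, which holds for recent Sidekiq but is worth confirming against the pinned version. Since `Sidekiq::Web.use` registers on the class rather than on this mount, a one-line comment such as `# Sidekiq::Web middleware is class-level; skip if already registered (code reload)` would explain why the `unless` exists. The `draw` block continues past the hunk.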
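--- a/data/lib/usps/support/engine.rb
+++ b/data/lib/usps/support/engine.rb
@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'cgi'
+
+module Usps::Support
+# Rack middleware that gates Sidekiq::Web (or any inner Rack app) behind the
+# same JWT/admin authentication used by the host app's controllers.
+#
+# Routes-level constraints can only return true/false, so an expired session
+# at /sidekiq used to silently 404 — the controller refresh flow never ran.
+# Running this as middleware lets us issue a 302 to the login refresh URL the
+# same way `Usps::JwtAuth::Concern#redirect_to_login` does.
+#
+# Usage in an engine route file:
+#
+# if defined?(::Sidekiq::Web)
+# ::Sidekiq::Web.use(Usps::Support::SidekiqAuth)
+# mount ::Sidekiq::Web => '/sidekiq'
+# end
+#
+class SidekiqAuth
+LOGIN_URL = 'https://www.usps.org/jwt/'
+
+def initialize(app)
+@app = app
+end
+
+def call(env)
+request = ActionDispatch::Request.new(env)
+member = decode_member(request)
+return forbidden unless member && Usps::JwtAuth.config.is_admin.call(member)
+
+@app.call(env)
+rescue JWT::DecodeError
+clear_jwt(request)
+redirect_to_login(request)
+end
+
+private
+
+def decode_member(request)
+data = Usps::JwtAuth.decode(
+fetch_jwt(request),
+audience: [Usps::JwtAuth.config.audience],
+issuer: Regexp.union(Usps::JwtAuth.config.issuers)
+)
+Usps::JwtAuth.config.find_member.call(data['certificate'])
+rescue ActiveRecord::RecordNotFound
+nil
+end
+
+def fetch_jwt(request)
+request.session[:jwt] || request.cookie_jar[:jwt]
+end
+
+def clear_jwt(request)
+request.session[:jwt] = nil
+request.cookie_jar.delete(:jwt, domain: cookie_domain)
+end
+
+def cookie_domain
+Usps::JwtAuth.config.environment.production? ? '.aws.usps.org' : 'localhost'
+end
+
+def redirect_to_login(request)
+url = login_url_base
+url = "#{url}&path=#{CGI.escape(request.fullpath)}"
+[302, { 'Location' => url, 'Content-Type' => 'text/html' }, []]
+end
+
+def login_url_base
+if Usps::JwtAuth.config.environment.development?
+"#{LOGIN_URL}?local&port=#{ENV.fetch('PORT', '3000')}"
+else
+"#{LOGIN_URL}?application=#{Usps::JwtAuth.config.audience}"
+end
+end
+
+def forbidden
+[403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
+end
+end
+end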
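Review bot: The method-level `rescue JWT::DecodeError` in `call` (new lines 34–36) also covers `@app.call(env)`, so a decode error raised anywhere inside Sidekiq::Web or a downstream middleware would clear the caller's session and cookie JWT and bounce them to login instead of surfacing as that app's error; scoping the rescue to `decode_member` keeps the clear-and-redirect tied to the request's own token, as below. A short comment on `call` naming the three outcomes (`# 403 when the token decodes but the member is unknown or not admin; 302 to login on a missing/expired/invalid token; otherwise pass through`) would also make the policy reviewable without reading the helpers. The `audience:`/`issuer:` arguments only restrict who can reach /sidekiq if `Usps::JwtAuth.decode` enables aud/iss verification, which is not visible here and is worth confirming given the token can come from the unsigned `cookie_jar`. Note the section header says engine.rb, but the 83 added lines match the diffstat entry for `data/lib/usps/support/sidekiq_auth.rb`; the one-line engine.rb change listed in the diffstat does not appear on this page.
```ruby
def call(env)
  request = ActionDispatch::Request.new(env)
  begin
    member = decode_member(request)
  rescue JWT::DecodeError
    clear_jwt(request)
    return redirect_to_login(request)
  end
  return forbidden unless member && Usps::JwtAuth.config.is_admin.call(member)

  @app.call(env)
end
# … unchanged: private helpers …
```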
data/lib/usps/support/version.rb
CHANGED
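--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: usps-support
 version: !ruby/object:Gem::Version
-version: 0.2.
+version: 0.2.38
 platform: ruby
 authors:
 - Julian Fiander
@@ -121,6 +121,7 @@ files:
 - lib/usps/support/models/hq/squadrons/website.rb
 - lib/usps/support/models/toast.rb
 - lib/usps/support/railtie.rb
+- lib/usps/support/sidekiq_auth.rb
 - lib/usps/support/version.rb
 homepage: https://github.com/unitedstatespowersquadrons/usps-support
 licenses: []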