RubyGems - verikloak-bff - Versions diffs - 0.1.0 → 0.1.1 - Mend

verikloak-bff 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -0
data/README.md +2 -2
data/lib/verikloak/bff/configuration.rb +1 -2
data/lib/verikloak/bff/consistency_checks.rb +4 -5
data/lib/verikloak/bff/constants.rb +9 -0
data/lib/verikloak/bff/forwarded_token.rb +10 -2
data/lib/verikloak/bff/header_guard.rb +16 -14
data/lib/verikloak/bff/proxy_trust.rb +2 -2
data/lib/verikloak/bff/version.rb +1 -1
metadata +11 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3034b92c69f7147be681038b8f91a5a0c4ec1d577144a4372cad33b6645adb3a
-  data.tar.gz: a52b1ccc320fee7d5526f612fa509218a5b2232ce678d6d6e03a42d5c0122df0
+  metadata.gz: 19452cfc021fd5ffde923f55f294aafb99c4b80506047d0ef195233d019c5adb
+  data.tar.gz: 3211ddb4779f6bbe1b079f6c83b018bb5b7b881bb267d253f94ffaaa20006711
 SHA512:
-  metadata.gz: a9e31d538da66f06b1f18412b41520a3c1a5f0f5e3adf88af19f4aa68451420717002c11dc639a2f1dbc9441b64b68b74de2729d2ef8a5af805d862b7568dd75
-  data.tar.gz: cb2f118b465d7cb4a64f0aa9eb77cb81ec0bd5a82ae2b33c1e9992b1b518e5690dee84f7c5ae69189b83e0394de784d559c57daef41154c24f396390cb0d8bab
+  metadata.gz: '0890fcfe4ac2af3ce8bdbc34ee0753744a3a56459a90da3441247a7d36779b28db68ae7998b349968f5ecfd937121d3fad96e2f21a092662da2cbedeb61a358c'
+  data.tar.gz: 7a4e7888b2f2caafc0bd1345760d3ef5e049f860cc9f36dba028c2a2afebaf8625719b6b0dbad9f7a21c01db957368b5d10d73c3533f19ce8fdc9acb4513e3f0

data/CHANGELOG.md CHANGED Viewed

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ---
+## [0.1.1] - 2025-09-15
+### Changed
+- Centralize `MAX_TOKEN_BYTES` in `Verikloak::BFF::Constants` and refactor usages in `HeaderGuard` and `ConsistencyChecks` to avoid duplication.
+### Fixed
+- Preserve full token content when forwarded header includes control characters (e.g., `Bearer tok\r\nmal`) by adjusting Bearer parsing in `ForwardedToken.normalize_forwarded`; combined with existing sanitization, Authorization now normalizes to `Bearer tokmal`.
+### Tests
+- Add boundary tests for token size limits in `ConsistencyChecks` and `HeaderGuard`.
 ## [0.1.0] - 2025-09-14
 ### Added

data/README.md CHANGED Viewed

@@ -42,7 +42,7 @@ See `examples/rack.ru` for a tiny Rack app demo.
 | Key                          | Type                                 | Default      | Description |
 |----------------------------- |--------------------------------------|--------------|-------------|
-| `trusted_proxies`            | Array[String/Regexp/Proc]            | `[]`         | Allowlist for proxy peers (by IP/CIDR/regex/proc). |
+| `trusted_proxies`            | Array[String/Regexp/Proc]            | *(required)* | Allowlist for proxy peers (by IP/CIDR/regex/proc). |
 | `prefer_forwarded`           | Boolean                              | `true`       | Prefer `X-Forwarded-Access-Token` over `Authorization`. |
 | `require_forwarded_header`   | Boolean                              | `false`      | Reject when no `X-Forwarded-Access-Token` (blocks direct access). |
 | `enforce_header_consistency` | Boolean                              | `true`       | If both headers exist, require identical token values. |
@@ -52,7 +52,7 @@ See `examples/rack.ru` for a tiny Rack app demo.
 | `peer_preference`            | Symbol (`:remote_then_xff`/`:xff_only`) | `:remote_then_xff` | Whether to prefer `REMOTE_ADDR` before falling back to XFF. |
 | `clock_skew_leeway`          | Integer (seconds)                    | `30`         | Reserved for small exp/nbf skew handled by core verifier. |
 | `logger`                     | `Logger` or `nil`                    | `nil`        | Logger for audit tags (`rid`, `sub`, `kid`, `iss/aud`). |
-| `token_header_priority`      | Array[String]                        | see code     | When Authorization is empty and no token chosen, seed it from these env headers in order. `HTTP_AUTHORIZATION` is ignored as a source; forwarded header is considered only from trusted peers. |
+| `token_header_priority`      | Array[String]                        | `['HTTP_X_FORWARDED_ACCESS_TOKEN']` | When Authorization is empty and no token chosen, seed it from these env headers in order. `HTTP_AUTHORIZATION` is ignored as a source; forwarded header is considered only from trusted peers. |
 | `forwarded_header_name`      | String                               | `HTTP_X_FORWARDED_ACCESS_TOKEN` | Env key for forwarded access token. |
 | `auth_request_headers`       | Hash                                 | see code     | Mapping for `X-Auth-Request-*` env keys: `{ email, user, groups }`. |

data/lib/verikloak/bff/configuration.rb CHANGED Viewed

@@ -53,10 +53,9 @@ module Verikloak
           groups: 'HTTP_X_AUTH_REQUEST_GROUPS'
         }
         # When Authorization is empty and no chosen token exists, try these env headers (in order)
-        # to seed Authorization, similar to verikloak-rails behavior. HTTP_AUTHORIZATION is ignored as a source.
+        # to seed Authorization, similar to verikloak-rails behavior. HTTP_AUTHORIZATION is always ignored as a source.
         @token_header_priority = %w[
           HTTP_X_FORWARDED_ACCESS_TOKEN
-          HTTP_AUTHORIZATION
         ]
       end
     end

data/lib/verikloak/bff/consistency_checks.rb CHANGED Viewed

@@ -7,6 +7,7 @@
 require 'json'
 require 'jwt' # used only to parse segments safely without verify
+require 'verikloak/bff/constants'
 module Verikloak
   module BFF
@@ -19,14 +20,12 @@ module Verikloak
       #
       # @param token [String, nil]
       # @return [Hash] claims or empty hash on error
       def decode_claims(token)
         return {} unless token
+        return {} if token.bytesize > Constants::MAX_TOKEN_BYTES
-        parts = token.split('.')
-        return {} unless parts.size >= 2
-        payload = JWT::Base64.url_decode(parts[1])
-        JSON.parse(payload)
+        JWT.decode(token, nil, false).first
       rescue StandardError
         {}
       end

data/lib/verikloak/bff/constants.rb ADDED Viewed

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+module Verikloak
+  module BFF
+    module Constants
+      MAX_TOKEN_BYTES = 4096
+    end
+  end
+end

data/lib/verikloak/bff/forwarded_token.rb CHANGED Viewed

@@ -45,7 +45,7 @@ module Verikloak
         return nil unless raw
         token = raw.to_s.strip
-        return ::Regexp.last_match(1) if token =~ /^Bearer\s+(.+)$/i
+        token = token.sub(/^Bearer\s+/i, '') if token =~ /^Bearer\s+/i
         token.empty? ? nil : token
       end
@@ -57,7 +57,7 @@ module Verikloak
       # @param token [String]
       # @return [String]
       def ensure_bearer(token)
-        s = token.to_s.strip
+        s = sanitize(token)
         # Case-insensitive 'Bearer' with spaces/tabs after
         if s =~ /\ABearer[ \t]+/i
           rest = s.sub(/\ABearer[ \t]+/i, '')
@@ -86,6 +86,14 @@ module Verikloak
         env[AUTH_HEADER] = ensure_bearer(token)
       end
+      # Remove CRLF and other control characters to prevent header injection.
+      #
+      # @param token [String]
+      # @return [String]
+      def sanitize(token)
+        token.to_s.gsub(/[[:cntrl:]]/, '').strip
+      end
       # Remove potentially forged X-Auth-Request-* headers before passing
       # downstream when not emitted by a trusted proxy.
       #

data/lib/verikloak/bff/header_guard.rb CHANGED Viewed

@@ -11,13 +11,16 @@
 # headers against JWT claims, and normalizes the request into
 # `HTTP_AUTHORIZATION: Bearer <token>` for the downstream verifier.
 require 'rack'
+require 'rack/utils'
 require 'json'
 require 'jwt'
+require 'digest'
 require 'verikloak/bff/configuration'
 require 'verikloak/bff/errors'
 require 'verikloak/bff/proxy_trust'
 require 'verikloak/bff/forwarded_token'
 require 'verikloak/bff/consistency_checks'
+require 'verikloak/bff/constants'
 module Verikloak
   module BFF
@@ -38,6 +41,10 @@ module Verikloak
         combined.merge!(opts) if opts.is_a?(Hash)
         combined.merge!(opts_kw) if opts_kw && !opts_kw.empty?
         apply_overrides!(combined)
+        return unless @config.trusted_proxies.nil? || @config.trusted_proxies.empty?
+        raise ArgumentError, 'trusted_proxies must be configured'
       end
       # Process a Rack request.
@@ -121,21 +128,13 @@ module Verikloak
       #
       # @param token [String]
       # @return [Array(Hash, Hash)] [payload, header]
       def decode_unverified(token)
-        parts = token.to_s.split('.')
-        return [{}, {}] unless parts.size >= 2
+        return [{}, {}] if token.nil? || token.bytesize > Constants::MAX_TOKEN_BYTES
-        payload = begin
-          JSON.parse(::JWT::Base64.url_decode(parts[1]))
-        rescue StandardError
-          {}
-        end
-        header = begin
-          JSON.parse(::JWT::Base64.url_decode(parts[0]))
-        rescue StandardError
-          {}
-        end
-        [payload, header]
+        JWT.decode(token, nil, false)
+      rescue StandardError
+        [{}, {}]
       end
       # Extract request id for logging from common headers.
@@ -203,7 +202,10 @@ module Verikloak
       def enforce_header_consistency!(env, auth_token, fwd_token)
         return unless @config.enforce_header_consistency
         return unless auth_token && fwd_token
-        return if auth_token == fwd_token
+        digest_a = ::Digest::SHA256.hexdigest(auth_token)
+        digest_b = ::Digest::SHA256.hexdigest(fwd_token)
+        return if Rack::Utils.secure_compare(digest_a, digest_b)
         log_event(env, :mismatch, reason: 'authorization_vs_forwarded')
         raise HeaderMismatchError

data/lib/verikloak/bff/proxy_trust.rb CHANGED Viewed

@@ -23,7 +23,7 @@ module Verikloak
       # @example CIDR + Regex allowlist
       #   ProxyTrust.trusted?(env, ["10.0.0.0/8", /^192\.168\./], :rightmost)
       def trusted?(env, trusted, strategy = :rightmost)
-        return true if trusted.nil? || trusted.empty?
+        return false if trusted.nil? || trusted.empty?
         # Rails-aligned: prefer REMOTE_ADDR; fallback to nearest XFF entry
         remote = (env['REMOTE_ADDR'] || '').to_s.strip
@@ -108,7 +108,7 @@ module Verikloak
       # @param trusted [Array<String, Regexp, Proc>, nil]
       # @return [Boolean]
       def self.from_trusted_proxy?(env, trusted)
-        return true if trusted.nil? || trusted.empty?
+        return false if trusted.nil? || trusted.empty?
         ip = (env['REMOTE_ADDR'] || '').to_s.strip
         ip = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').last.to_s.strip if ip.empty? && env['HTTP_X_FORWARDED_FOR']

data/lib/verikloak/bff/version.rb CHANGED Viewed

@@ -5,6 +5,6 @@
 # @return [String]
 module Verikloak
   module BFF
-    VERSION = '0.1.0'
+    VERSION = '0.1.1'
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak-bff
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - taiyaky
@@ -13,16 +13,22 @@ dependencies:
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.7'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.7'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -76,6 +82,7 @@ files:
 - lib/verikloak/bff.rb
 - lib/verikloak/bff/configuration.rb
 - lib/verikloak/bff/consistency_checks.rb
+- lib/verikloak/bff/constants.rb
 - lib/verikloak/bff/errors.rb
 - lib/verikloak/bff/forwarded_token.rb
 - lib/verikloak/bff/header_guard.rb
@@ -88,7 +95,7 @@ metadata:
   source_code_uri: https://github.com/taiyaky/verikloak-bff
   changelog_uri: https://github.com/taiyaky/verikloak-bff/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/taiyaky/verikloak-bff/issues
-  documentation_uri: https://rubydoc.info/gems/verikloak-bff/0.1.0
+  documentation_uri: https://rubydoc.info/gems/verikloak-bff/0.1.1
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: