RubyGems - verikloak-rails - Versions diffs - 0.1.0 → 0.2.0 - Mend

verikloak-rails 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +45 -11
data/README.md +14 -62
data/lib/verikloak/rails/configuration.rb +3 -24
data/lib/verikloak/rails/controller.rb +17 -6
data/lib/verikloak/rails/error_renderer.rb +5 -2
data/lib/verikloak/rails/railtie.rb +4 -9
data/lib/verikloak/rails/version.rb +1 -1
data/lib/verikloak/rails.rb +0 -1
metadata +4 -5
data/lib/verikloak/rails/middleware_integration.rb +0 -107

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d258ce7b00c8aed380623cc36b26669d86cf80c3c06e748bc677c4f8af93a4f1
-  data.tar.gz: 874e2f3c8ed2eb372d7fd4238639f4fc16e9cdd0ee6a3de7dadc57e24bbcf629
+  metadata.gz: dda87b3f2293f4c0cf05710290a503fd5c15712758f685987385d1b0677938cc
+  data.tar.gz: a299ad22f31b4871fde437e026557b106134e32dece4e7cb45be4073d0269a48
 SHA512:
-  metadata.gz: 3e035ee3bfa25ad7c9e9eb36d1279f2ea265445c60270aa2d8a8d3fcce1757cad6003892715a1faaec22cb62148bda295522ba6c12cc3bfa7858f3d2100182eb
-  data.tar.gz: c94c073924c9ed1530978aadd7abd84855e7478350572ab70338b9e8cc0a8dd7b739865517dd488b347d87a23739580b09beee206bc8aeeda4afd40d0e5ab13e
+  metadata.gz: '0149e3053f208dd90c26ec07a960ff14969cdcda74400403f4ab02376110b31624189b6612bf2d6d3d7857c15d1c2b3190da9b472c487d9a3866eaf4de3aa8f7'
+  data.tar.gz: 2fa3507b18f362cb3523332256a0608bd95564e0a0e0dfb4a17b97b9fafbdb1ddad31fa34bbe8788d52546e1f22dd43b97174ce1474c24385838fef743f5b8ae

data/CHANGELOG.md CHANGED Viewed

@@ -7,22 +7,56 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ---
+## [0.2.0] - 2025-09-14
+### Breaking
+- Extracted BFF-related functionality into a separate gem, "verikloak-bff". This gem no longer ships BFF-specific middleware or configuration
+### Removed
+- Middleware `Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken`
+- Configuration keys: `config.verikloak.trust_forwarded_access_token`, `config.verikloak.trusted_proxy_subnets`, `config.verikloak.token_header_priority`
+- Corresponding entries in the installer initializer template
+- BFF-related sections in README and related unit/integration specs
+### Migration
+1. Add `gem 'verikloak-bff'` to your application Gemfile and bundle
+2. Create an initializer (e.g., `config/initializers/verikloak_bff.rb`) and configure `Verikloak::BFF` (e.g., `trusted_proxies`, header/claims consistency)
+3. Insert the BFF middleware before the core `Verikloak::Middleware`:
+   ```ruby
+   config.middleware.insert_before Verikloak::Middleware, Verikloak::BFF::HeaderGuard
+   ```
+4. Remove any old `config.verikloak.*` BFF options from your app config; they are no longer used by this gem
+Reference: verikloak-bff https://github.com/taiyaky/verikloak-bff (Rails guide: `docs/rails.md`)
+## [0.1.1] - 2025-09-13
+### Fixed
+- ForwardedAccessToken: fix `ensure_bearer` accepting malformed values (e.g., `BearerXYZ`)
+### Changed
+- Strengthen Bearer scheme normalization to always produce `Bearer <token>`
+  - Detect scheme case-insensitively
+  - Collapse tabs/multiple spaces after the scheme to a single space
+  - Normalize missing-space form `BearerXYZ` to `Bearer XYZ`
+- Add/update middleware specs to cover the above normalization
 ## [0.1.0] - 2025-09-07
 ### Added
-- Initial release of `verikloak-rails` (Rails integration for Verikloak).
-- Railtie auto-wiring via `config.verikloak.*` and installer generator `rails g verikloak:install`.
+- Initial release of `verikloak-rails` (Rails integration for Verikloak)
+- Railtie auto-wiring via `config.verikloak.*` and installer generator `rails g verikloak:install`
 - Controller concern with authentication helpers:
   - `before_action :authenticate_user!`
   - `current_user_claims`, `current_subject`, `current_token`, `authenticated?`, `with_required_audience!`
 - Rack middleware integration:
-  - Auto-inserts `Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken` and base `Verikloak::Middleware`.
-  - Optional BFF header promotion from `X-Forwarded-Access-Token` to `Authorization`, gated by `trust_forwarded_access_token` and `trusted_proxy_subnets` (never overwrites existing `Authorization`).
-  - Token sourcing priority configurable via `token_header_priority`.
+  - Auto-inserts `Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken` and base `Verikloak::Middleware`
+  - Optional BFF header promotion from `X-Forwarded-Access-Token` to `Authorization`, gated by `trust_forwarded_access_token` and `trusted_proxy_subnets` (never overwrites existing `Authorization`)
+  - Token sourcing priority configurable via `token_header_priority`
 - Consistent JSON error responses and statuses:
-  - 401/403/503 standardized; `WWW-Authenticate` header on 401.
-  - Optional global 500 JSON via `config.verikloak.render_500_json`.
-- Optional Pundit integration: rescue `Pundit::NotAuthorizedError` to 403 JSON (`config.verikloak.rescue_pundit`).
-- Request logging tags (`:request_id`, `:sub`) via `config.verikloak.logger_tags`.
-- Configurable initializer: `discovery_url`, `audience`, `issuer`, `leeway`, `skip_paths`, `trust_forwarded_access_token`, `trusted_proxy_subnets`, `auto_include_controller`, `error_renderer`, and more.
-- Compatibility: Ruby >= 3.1, Rails 6.1–8.x; depends on `verikloak` >= 0.1.2, < 0.2.
+  - 401/403/503 standardized; `WWW-Authenticate` header on 401
+  - Optional global 500 JSON via `config.verikloak.render_500_json`
+- Optional Pundit integration: rescue `Pundit::NotAuthorizedError` to 403 JSON (`config.verikloak.rescue_pundit`)
+- Request logging tags (`:request_id`, `:sub`) via `config.verikloak.logger_tags`
+- Configurable initializer: `discovery_url`, `audience`, `issuer`, `leeway`, `skip_paths`, `trust_forwarded_access_token`, `trusted_proxy_subnets`, `auto_include_controller`, `error_renderer`, and more
+- Compatibility: Ruby >= 3.1, Rails 6.1–8.x; depends on `verikloak` >= 0.1.2, < 0.2

data/README.md CHANGED Viewed

@@ -82,48 +82,19 @@ end
 ```
 ## Middleware
-### Inserted Middlewares
+### Inserted Middleware
 | Component | Inserted after | Purpose |
 | --- | --- | --- |
-| `Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken` | `Rails::Rack::Logger` | Promote trusted `X-Forwarded-Access-Token` to `Authorization` and, when `Authorization` is empty, set it from a prioritized list of headers |
-| `Verikloak::Middleware` | `ForwardedAccessToken` | Validate Bearer JWT (OIDC discovery + JWKS), set `verikloak.user`/`verikloak.token`, and honor `skip_paths` |
+| `Verikloak::Middleware` | `Rails::Rack::Logger` | Validate Bearer JWT (OIDC discovery + JWKS), set `verikloak.user`/`verikloak.token`, and honor `skip_paths` |
-### Header Sources and Trust
-- Never overwrites an existing `Authorization` header.
-- Considers `X-Forwarded-Access-Token` only when both are true: `config.verikloak.trust_forwarded_access_token` is enabled and the direct peer IP is within `config.verikloak.trusted_proxy_subnets`.
-- `config.verikloak.token_header_priority` decides which env header can seed `Authorization` when it is empty. Note: `HTTP_AUTHORIZATION` is ignored as a source (it is the target header); include other headers if you need additional sources. Forwarded headers are skipped if not trusted.
-- Direct peer detection prefers `REMOTE_ADDR`, falling back to the nearest proxy in `X-Forwarded-For` when needed.
+### BFF Integration
+Support for BFF header handling (e.g., normalizing or enforcing `X-Forwarded-Access-Token`) now lives in a dedicated gem: verikloak-bff.
+Note: verikloak-bff's `HeaderGuard` never overwrites an existing `Authorization` header.
-### BFF Header Promotion
-When fronted by a BFF (e.g., oauth2-proxy) that injects `X-Forwarded-Access-Token`, you can promote that header to `Authorization` from trusted sources only.
+- Gem: https://github.com/taiyaky/verikloak-bff
+- Rails guide: `docs/rails.md` in that repository
-Enable promotion and restrict to trusted subnets:
-```ruby
-Rails.application.configure do
-  config.verikloak.trust_forwarded_access_token = true
-  config.verikloak.trusted_proxy_subnets = [
-    '10.0.0.0/8',
-    '192.168.0.0/16'
-  ]
-end
-```
-### Reordering or Disabling (advanced)
-You can adjust the stack in an initializer after the gem loads, for example:
-```ruby
-Rails.application.configure do
-  # Remove header-promotion middleware if you never use BFF tokens
-  config.middleware.delete Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken
-  # Or move the middleware earlier/later if your stack requires it
-  # config.middleware.insert_before SomeOtherMiddleware, Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken,
-  #   trust_forwarded: Verikloak::Rails.config.trust_forwarded_access_token,
-  #   trusted_proxies: Verikloak::Rails.config.trusted_proxy_subnets,
-  #   header_priority: Verikloak::Rails.config.token_header_priority
-end
-```
+Use verikloak-bff alongside this gem when you front Rails with a BFF/proxy such as oauth2-proxy and need to enforce trusted forwarding and header consistency.
 ## Configuration (initializer)
 ### Keys
@@ -136,13 +107,10 @@ Keys under `config.verikloak`:
 | `issuer` | String | Expected `iss` | `nil` |
 | `leeway` | Integer | Clock skew allowance (seconds) | `60` |
 | `skip_paths` | Array<String> | Paths to skip verification | `['/up','/health','/rails/health']` |
-| `trust_forwarded_access_token` | Boolean | Trust `X-Forwarded-Access-Token` from trusted proxies | `false` |
-| `trusted_proxy_subnets` | Array<String or IPAddr> | Subnets allowed to be treated as trusted | `[]` (treat all as trusted; set explicit ranges in production) |
 | `logger_tags` | Array<Symbol> | Tags to add to Rails logs. Supports `:request_id`, `:sub` | `[:request_id, :sub]` |
 | `error_renderer` | Object responding to `render(controller, error)` | Override error rendering | built-in JSON renderer |
 | `auto_include_controller` | Boolean | Auto-include controller concern | `true` |
 | `render_500_json` | Boolean | Rescue `StandardError` and render JSON 500 | `false` |
-| `token_header_priority` | Array<String> | Env header priority to source bearer token | `['HTTP_X_FORWARDED_ACCESS_TOKEN','HTTP_AUTHORIZATION']` |
 | `rescue_pundit` | Boolean | Rescue `Pundit::NotAuthorizedError` to 403 JSON when Pundit is present | `true` |
 Environment variable examples are in the generated initializer.
@@ -150,7 +118,6 @@ Environment variable examples are in the generated initializer.
 ### Minimum Setup
 - Required: set `discovery_url` to your provider’s OIDC discovery document URL.
 - Recommended: set `audience` (expected `aud`), and `issuer` when known.
-- Optional: enable BFF header promotion only with explicit `trusted_proxy_subnets`.
 ```ruby
 # config/initializers/verikloak.rb
@@ -160,15 +127,12 @@ Rails.application.configure do
   # Optional but recommended when you know it
   # config.verikloak.issuer        = 'https://idp.example.com/realms/myrealm'
-  # Leave header promotion off unless you run a trusted BFF/proxy
-  # config.verikloak.trust_forwarded_access_token = false
-  # config.verikloak.trusted_proxy_subnets = ['10.0.0.0/8']
+  # For BFF/proxy header handling, see verikloak-bff
 end
 ```
 Notes:
-- For array-like values (`audience`, `skip_paths`, `trusted_proxy_subnets`, `token_header_priority`), prefer defining Ruby arrays in the initializer. If passing via ENV, use comma-separated strings and parse in the initializer.
-- Header sourcing/trust behavior is described in “Middleware → Header Sources and Trust”.
+- For array-like values (`audience`, `skip_paths`), prefer defining Ruby arrays in the initializer. If passing via ENV, use comma-separated strings and parse in the initializer.
 ### Full Example (selected options)
 ```ruby
@@ -179,16 +143,8 @@ Rails.application.configure do
   config.verikloak.leeway        = Integer(ENV.fetch('VERIKLOAK_LEEWAY', '60'))
   config.verikloak.skip_paths    = %w[/up /health /rails/health]
-  # Enable BFF header promotion only from trusted subnets
-  config.verikloak.trust_forwarded_access_token = ENV.fetch('VERIKLOAK_TRUST_FWD_TOKEN', 'false') == 'true'
-  config.verikloak.trusted_proxy_subnets = [
-    '10.0.0.0/8', # internal LB
-    # '192.168.0.0/16'
-  ]
   config.verikloak.logger_tags = %i[request_id sub]
   config.verikloak.render_500_json = ENV.fetch('VERIKLOAK_RENDER_500', 'false') == 'true'
-  config.verikloak.token_header_priority = %w[HTTP_X_FORWARDED_ACCESS_TOKEN HTTP_AUTHORIZATION]
   # Optional Pundit rescue (403 JSON)
   config.verikloak.rescue_pundit = ENV.fetch('VERIKLOAK_RESCUE_PUNDIT', 'true') == 'true'
@@ -203,14 +159,9 @@ end
 | `audience` | `VERIKLOAK_AUDIENCE` |
 | `issuer` | `VERIKLOAK_ISSUER` |
 | `leeway` | `VERIKLOAK_LEEWAY` |
-| `trust_forwarded_access_token` | `VERIKLOAK_TRUST_FWD_TOKEN` |
 | `render_500_json` | `VERIKLOAK_RENDER_500` |
 | `rescue_pundit` | `VERIKLOAK_RESCUE_PUNDIT` |
-### Notes
-- Default for `trust_forwarded_access_token` is secure (`false`). Set `trusted_proxy_subnets` before enabling.
-- The middleware never overwrites an existing `Authorization` header.
-- If `trusted_proxy_subnets` is empty, all peers are treated as trusted. In production, set explicit subnets or keep `trust_forwarded_access_token` disabled.
 ## Errors
 This gem standardizes JSON error responses and HTTP statuses. See [ERRORS.md](ERRORS.md) for details and examples.
@@ -220,7 +171,7 @@ This gem standardizes JSON error responses and HTTP statuses. See [ERRORS.md](ER
 | --- | --- | --- | --- | --- |
 | 401 Unauthorized | `invalid_token`, `unauthorized` | Missing/invalid Bearer token; failed signature/expiry/issuer/audience checks | `WWW-Authenticate: Bearer` with optional `error` and `error_description` | `{ "error": "invalid_token", "message": "token expired" }` |
 | 403 Forbidden | `forbidden` | Audience check failure via `with_required_audience!`; optionally `Pundit::NotAuthorizedError` when rescue is enabled | — | `{ "error": "forbidden", "message": "Required audience not satisfied" }` |
-| 503 Service Unavailable | `jwks_fetch_failed`, `jwks_parse_failed`, `discovery_metadata_fetch_failed`, `discovery_metadata_invalid` | Upstream metadata/JWKS issues | — | `{ "error": "jwks_fetch_failed", "message": "..." }` |
+| 503 Service Unavailable | `jwks_fetch_failed`, `jwks_parse_failed`, `discovery_metadata_fetch_failed`, `discovery_metadata_invalid`, `invalid_discovery_url`, `discovery_redirect_error` | Upstream metadata/JWKS issues | — | `{ "error": "jwks_fetch_failed", "message": "..." }` |
 ### Customize
 Customize rendering by assigning `config.verikloak.error_renderer`.
@@ -261,8 +212,8 @@ Note: Always sanitize values placed into `WWW-Authenticate` header parameters to
 class CompactErrorRenderer
   private
   def sanitize_quoted(val)
-    # Escape quotes/backslashes and strip CR/LF
-    val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]/, ' ')
+    # Escape quotes/backslashes and strip CR/LF (collapse runs to a single space)
+    val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]+/, ' ')
   end
 end
 ```
@@ -338,5 +289,6 @@ See [CHANGELOG.md](CHANGELOG.md) for release history.
 ## References
 - verikloak-rails (this gem): https://rubygems.org/gems/verikloak-rails
+- verikloak-bff: https://rubygems.org/gems/verikloak-bff
 - Verikloak (base gem): https://github.com/taiyaky/verikloak
 - Verikloak on RubyGems: https://rubygems.org/gems/verikloak

data/lib/verikloak/rails/configuration.rb CHANGED Viewed

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
-require 'ipaddr'
 module Verikloak
   module Rails
     # Configuration for verikloak-rails.
@@ -25,12 +23,6 @@ module Verikloak
     # @!attribute [rw] skip_paths
     #   Paths to skip verification.
     #   @return [Array<String>]
-    # @!attribute [rw] trust_forwarded_access_token
-    #   Whether to trust `X-Forwarded-Access-Token` from trusted proxies.
-    #   @return [Boolean]
-    # @!attribute [r] trusted_proxy_subnets
-    #   Trusted proxy subnets.
-    #   @return [Array<IPAddr>]
     # @!attribute [rw] logger_tags
     #   Log tags to include (supports :request_id, :sub).
     #   @return [Array<Symbol>]
@@ -43,14 +35,10 @@ module Verikloak
     # @!attribute [rw] render_500_json
     #   Rescue StandardError and render a JSON 500 response.
     #   @return [Boolean]
-    # @!attribute [rw] token_header_priority
-    #   Env header keys in priority order for sourcing bearer token.
-    #   @return [Array<String>]
     class Configuration
-      attr_accessor :discovery_url, :audience, :issuer, :leeway, :skip_paths, :trust_forwarded_access_token,
-                    :logger_tags, :error_renderer, :auto_include_controller, :render_500_json, :token_header_priority,
-                    :rescue_pundit
-      attr_reader   :trusted_proxy_subnets
+      attr_accessor :discovery_url, :audience, :issuer, :leeway, :skip_paths,
+                    :logger_tags, :error_renderer, :auto_include_controller,
+                    :render_500_json, :rescue_pundit
       def initialize
         @discovery_url = nil
@@ -58,22 +46,13 @@ module Verikloak
         @issuer        = nil
         @leeway        = 60
         @skip_paths    = ['/up', '/health', '/rails/health']
-        @trust_forwarded_access_token = false
-        @trusted_proxy_subnets = []
         @logger_tags    = %i[request_id sub]
         @error_renderer = Verikloak::Rails::ErrorRenderer.new
         @auto_include_controller = true
         @render_500_json = false
-        @token_header_priority = %w[HTTP_X_FORWARDED_ACCESS_TOKEN HTTP_AUTHORIZATION]
         @rescue_pundit = true
       end
-      # Assign trusted proxy subnets.
-      # @param list [Array<String, IPAddr>, String, IPAddr] one or more CIDRs or IPAddr instances
-      def trusted_proxy_subnets=(list)
-        @trusted_proxy_subnets = Array(list).map { |e| e.is_a?(IPAddr) ? e : IPAddr.new(e) }
-      end
       # Options forwarded to the base Verikloak Rack middleware.
       # @return [Hash]
       # @example

data/lib/verikloak/rails/controller.rb CHANGED Viewed

@@ -99,18 +99,29 @@ module Verikloak
       # @yieldreturn [Object] result of the block
       # @return [Object]
       def _verikloak_tag_logs(&)
-        tags = []
-        if Verikloak::Rails.config.logger_tags.include?(:request_id)
-          rid = request.request_id || request.headers['X-Request-Id']
-          tags << "req:#{rid}" if rid
-        end
-        tags << "sub:#{current_subject}" if Verikloak::Rails.config.logger_tags.include?(:sub) && current_subject
+        tags = _verikloak_build_log_tags
         if ::Rails.logger.respond_to?(:tagged) && tags.any?
           ::Rails.logger.tagged(*tags, &)
         else
           yield
         end
       end
+      # Build log tags from request context with minimal branching and safe values.
+      # @return [Array<String>]
+      def _verikloak_build_log_tags
+        tags = []
+        if Verikloak::Rails.config.logger_tags.include?(:request_id)
+          rid = request.request_id || request.headers['X-Request-Id']
+          rid = rid.to_s.gsub(/[\r\n]+/, ' ')
+          tags << "req:#{rid}" unless rid.empty?
+        end
+        if Verikloak::Rails.config.logger_tags.include?(:sub)
+          sub = current_subject
+          tags << "sub:#{sub}" if sub
+        end
+        tags
+      end
     end
   end
 end

data/lib/verikloak/rails/error_renderer.rb CHANGED Viewed

@@ -14,7 +14,10 @@ module Verikloak
         'jwks_fetch_failed' => 503,
         'jwks_parse_failed' => 503,
         'discovery_metadata_fetch_failed' => 503,
-        'discovery_metadata_invalid' => 503
+        'discovery_metadata_invalid' => 503,
+        # Additional infrastructure/configuration errors from core
+        'invalid_discovery_url' => 503,
+        'discovery_redirect_error' => 503
       }.freeze
       # Render an error as JSON, adding `WWW-Authenticate` when appropriate.
@@ -77,7 +80,7 @@ module Verikloak
       # @param val [String]
       # @return [String]
       def sanitize_quoted(val)
-        val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]/, ' ')
+        val.to_s.gsub(/(["\\])/) { |m| "\\#{m}" }.gsub(/[\r\n]+/, ' ')
       end
     end
   end

data/lib/verikloak/rails/railtie.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module Verikloak
     # Hooks verikloak-rails into a Rails application lifecycle.
     #
     # - Applies configuration from `config.verikloak`
-    # - Inserts middleware (`ForwardedAccessToken`, then `Verikloak::Middleware`)
+    # - Inserts base `Verikloak::Middleware`
     # - Auto-includes controller concern when enabled
     class Railtie < ::Rails::Railtie
       config.verikloak = ActiveSupport::OrderedOptions.new
@@ -18,18 +18,13 @@ module Verikloak
       initializer 'verikloak.configure' do |app|
         Verikloak::Rails.configure do |c|
           rails_cfg = app.config.verikloak
-          %i[discovery_url audience issuer leeway skip_paths trust_forwarded_access_token
-             trusted_proxy_subnets logger_tags error_renderer auto_include_controller
-             render_500_json token_header_priority rescue_pundit].each do |key|
+          %i[discovery_url audience issuer leeway skip_paths
+             logger_tags error_renderer auto_include_controller
+             render_500_json rescue_pundit].each do |key|
             c.send("#{key}=", rails_cfg[key]) if rails_cfg.key?(key)
           end
         end
         app.middleware.insert_after ::Rails::Rack::Logger,
-                                    Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken,
-                                    trust_forwarded: Verikloak::Rails.config.trust_forwarded_access_token,
-                                    trusted_proxies: Verikloak::Rails.config.trusted_proxy_subnets,
-                                    header_priority: Verikloak::Rails.config.token_header_priority
-        app.middleware.insert_after Verikloak::Rails::MiddlewareIntegration::ForwardedAccessToken,
                                     ::Verikloak::Middleware,
                                     **Verikloak::Rails.config.middleware_options
       end

data/lib/verikloak/rails/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Verikloak
   module Rails
-    VERSION = '0.1.0'
+    VERSION = '0.2.0'
   end
 end

data/lib/verikloak/rails.rb CHANGED Viewed

@@ -4,7 +4,6 @@ require 'verikloak/rails/version'
 require 'verikloak/rails/configuration'
 require 'verikloak/rails/error_renderer'
 require 'verikloak/rails/controller'
-require 'verikloak/rails/middleware_integration'
 require 'verikloak/rails/railtie'
 module Verikloak

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak-rails
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - taiyaky
@@ -49,8 +49,8 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '0.2'
-description: 'Rails integration for Verikloak: auto middleware, helpers, JSON errors,
-  BFF header support.'
+description: 'Rails integration for Verikloak: auto middleware, helpers, and standardized
+  JSON errors.'
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -64,7 +64,6 @@ files:
 - lib/verikloak/rails/configuration.rb
 - lib/verikloak/rails/controller.rb
 - lib/verikloak/rails/error_renderer.rb
-- lib/verikloak/rails/middleware_integration.rb
 - lib/verikloak/rails/railtie.rb
 - lib/verikloak/rails/version.rb
 homepage: https://github.com/taiyaky/verikloak-rails
@@ -74,7 +73,7 @@ metadata:
   source_code_uri: https://github.com/taiyaky/verikloak-rails
   changelog_uri: https://github.com/taiyaky/verikloak-rails/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/taiyaky/verikloak-rails/issues
-  documentation_uri: https://rubydoc.info/gems/verikloak-rails/0.1.0
+  documentation_uri: https://rubydoc.info/gems/verikloak-rails/0.2.0
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:

data/lib/verikloak/rails/middleware_integration.rb DELETED Viewed

@@ -1,107 +0,0 @@
-# frozen_string_literal: true
-require 'ipaddr'
-module Verikloak
-  module Rails
-    # Internal namespace for Rack middleware glue.
-    module MiddlewareIntegration
-      # Promotes forwarded access tokens to Authorization when trusted.
-      #
-      # - Optionally trusts `X-Forwarded-Access-Token` from configured subnets
-      # - Never overwrites an existing `Authorization` header
-      # - Can derive the token from a prioritized list of headers
-      class ForwardedAccessToken
-        # Initialize the middleware.
-        #
-        # @param app [#call] next Rack app
-        # @param trust_forwarded [Boolean] whether to trust forwarded access tokens
-        # @param trusted_proxies [Array<IPAddr>, Array<String>] subnets considered trusted
-        # @param header_priority [Array<String>] env header keys to search, in order
-        def initialize(app, trust_forwarded:, trusted_proxies:,
-                       header_priority: %w[HTTP_X_FORWARDED_ACCESS_TOKEN HTTP_AUTHORIZATION])
-          @app = app
-          @trust_forwarded = trust_forwarded
-          @trusted_proxies = Array(trusted_proxies)
-          @header_priority = header_priority
-        end
-        # Rack entry point: possibly promote a token and pass to the next app.
-        #
-        # @param env [Hash] Rack environment
-        # @return [Array(Integer, Hash, #each)] Rack response triple from downstream app
-        # @example Promote forwarded token
-        #   env = { 'REMOTE_ADDR' => '10.0.0.1', 'HTTP_X_FORWARDED_ACCESS_TOKEN' => 'abc' }
-        #   status, headers, body = middleware.call(env)
-        def call(env)
-          promote_forwarded_if_trusted(env)
-          first = resolve_first_token_header(env)
-          set_authorization_from(env, first) if first
-          @app.call(env)
-        end
-        private
-        # Promote X-Forwarded-Access-Token to Authorization when trusted.
-        # @param env [Hash]
-        # @return [void]
-        def promote_forwarded_if_trusted(env)
-          return unless @trust_forwarded && from_trusted_proxy?(env)
-          forwarded = env['HTTP_X_FORWARDED_ACCESS_TOKEN']
-          return if forwarded.to_s.empty?
-          return unless env['HTTP_AUTHORIZATION'].to_s.empty?
-          env['HTTP_AUTHORIZATION'] = ensure_bearer(forwarded)
-        end
-        # Resolve the first header key from which to source a bearer token.
-        # Respects trust policy for forwarded tokens and never returns
-        # 'HTTP_AUTHORIZATION'.
-        #
-        # @param env [Hash]
-        # @return [String, nil]
-        def resolve_first_token_header(env)
-          candidates = @header_priority.dup
-          candidates -= ['HTTP_X_FORWARDED_ACCESS_TOKEN'] unless @trust_forwarded && from_trusted_proxy?(env)
-          candidates.find { |k| (val = env[k]) && !val.to_s.empty? && k != 'HTTP_AUTHORIZATION' }
-        end
-        # Set Authorization header from the given env header key.
-        # @param env [Hash]
-        # @param header_key [String]
-        # @return [void]
-        def set_authorization_from(env, header_key)
-          token = env[header_key]
-          env['HTTP_AUTHORIZATION'] ||= ensure_bearer(token)
-        end
-        # Ensure the token string is prefixed with 'Bearer '.
-        # @param token [String]
-        # @return [String]
-        def ensure_bearer(token)
-          token.start_with?('Bearer') ? token : "Bearer #{token}"
-        end
-        # Whether the request originates from a trusted proxy subnet.
-        # @param env [Hash]
-        # @return [Boolean]
-        def from_trusted_proxy?(env)
-          return true if @trusted_proxies.empty?
-          # Prefer REMOTE_ADDR (direct peer). Fallback to the nearest proxy from X-Forwarded-For if present.
-          ip = (env['REMOTE_ADDR'] || '').to_s.strip
-          ip = env['HTTP_X_FORWARDED_FOR'].to_s.split(',').last.to_s.strip if ip.empty? && env['HTTP_X_FORWARDED_FOR']
-          return false if ip.empty?
-          begin
-            req_ip = IPAddr.new(ip)
-            @trusted_proxies.any? { |subnet| subnet.include?(req_ip) }
-          rescue IPAddr::InvalidAddressError
-            false
-          end
-        end
-      end
-    end
-  end
-end