warden-auth0 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 6535f50d8f192c86cebdd135e411c1e7d28f54c2681a4a3993b730dfaed368b5
+  data.tar.gz: 0df77297cee513a2eb030e6456f5c4b38b7a3780c8e34682e5dea388f7c50303
+SHA512:
+  metadata.gz: 4438b8d430ce357ce55bf6b9088ba27a38e00f7d9232e615fd71cda465e77aef224bea62679211edbf4f0bb99d3ab4ea354be9bf5c1ce46798dbfbbee18bbe60
+  data.tar.gz: 9c2b3dcb75741bab6732faf2d5876b2d07b8e42978f4baa7e5e478ecc23f019f8e78dce919d4d04b5a09e2b82364710dd188a0960c6eb6e8abaa285730efd017

data/.codeclimate.yml

@@ -0,0 +1,17 @@
+engines:
+  duplication:
+    enabled: true
+    config:
+      languages:
+      - ruby
+  fixme:
+    enabled: true
+  rubocop:
+    enabled: true
+ratings:
+  paths:
+  - "**.rb"
+exclude_paths:
+  - spec/
+  - Gemfile
+  - warden-jwt_auth.gemspec

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: waiting-for-dev

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.overcommit_gems.rb.lock

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/.rubocop.yml

@@ -0,0 +1,51 @@
+require: rubocop-rspec
+AllCops:
+  TargetRubyVersion: 2.7
+  Exclude:
+    - Gemfile
+    - warden-jwt_auth.gemspec
+    - spec/support/shared_contexts/*rb
+    - vendor/**/*
+RSpec/NestedGroups:
+  Max: 3
+RSpec/MessageExpectation:
+  EnforcedStyle: 'expect'
+Metrics/BlockLength:
+  Exclude:
+    - "spec/**/*.rb"
+Style/SafeNavigation:
+  Enabled: false
+Layout/EmptyLinesAroundAttributeAccessor:
+  Enabled: true
+Layout/SpaceAroundMethodCallOperator:
+  Enabled: true
+Lint/DeprecatedOpenSSLConstant:
+  Enabled: true
+Lint/MixedRegexpCaptureTypes:
+  Enabled: true
+Lint/RaiseException:
+  Enabled: true
+Lint/StructNewOverride:
+  Enabled: true
+Style/AccessorGrouping:
+  Enabled: true
+Style/BisectedAttrAccessor:
+  Enabled: true
+Style/ExponentialNotation:
+  Enabled: true
+Style/HashEachMethods:
+  Enabled: true
+Style/HashTransformKeys:
+  Enabled: true
+Style/HashTransformValues:
+  Enabled: true
+Style/RedundantAssignment:
+  Enabled: true
+Style/RedundantFetchBlock:
+  Enabled: true
+Style/RedundantRegexpCharacterClass:
+  Enabled: true
+Style/RedundantRegexpEscape:
+  Enabled: true
+Style/SlicingWithRange:
+  Enabled: true

data/.travis.yml

@@ -0,0 +1,21 @@
+language: ruby
+cache: bundler
+rvm:
+  - 2.6
+  - 2.7
+  - 3.0
+  - ruby-head
+before_install:
+  - gem update --system --no-doc
+  - gem install bundler
+script:
+  - bundle exec rspec
+  - bundle exec rubocop
+  - bundle exec codeclimate-test-reporter
+jobs:
+  allow_failures:
+    - rvm: ruby-head
+addons:
+  code_climate:
+    repo_token:
+      secure: neJ5LVLV6vgeCnerSQjUpLuQDvxEH87iW8swCSWl2hTtPcD/GuwYSeSXnhH72HVHi/9basHHhaYPcE2YeBwBCr39PhiHMNwS5GGGk/RGjKpU/Gt1KXV8KXTbNGT4v+ZMM3cdsdDfe8OnzGguNVsdxseHa3KE2pyuvo2a0swXwKa7BU9VB/3ZoZvvfI3Xr9im4eklWam5yCwVR0FOF7epzmNTKMXcUga2BOc9PV5aVELzLILLCHCJSCupe5Rx8mfcsRoRmZXKduF8Ke3eq8eULvLEo4EGfC107najOqrKt7x8uDVIsuGrP4LUQ4ainmNEb2jIvpjuqAxpusMjhpjCINF1Tn0OXK93OXAp4QKeIYoYEqKtzRxX0TWFNWHB8ombF9HTMF2DmloDZyFRiI40JSMImU0hc4MDxRgiTW5MDWGbohDaJ+9VV6+rIqtlEfLhgj1grFBAroaJce9BB7RQEmfsZPzhC2VXwGxHw/YkJgzBNGq1/9E1DoTY9RPSNTQfSRodhI3XW8LSQSHTBeXZvymVcjeOyYgjzJYviLHR8QS4cXpUALtlFXyaMkPHUBLUn8XsBa5Azfh5y3qPMGiJq1/qaHA4mKj5ls+ngFbzOq82sYGAKgQHj/ZDb+FZMQQanp4jyWADKcpXcmINb9jEQwkU0bjpuhUYtghASxH1Kl8=

data/CHANGELOG.md

@@ -0,0 +1,97 @@
+# Change Log
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/) 
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [0.8.0] - 2024-06-28
+- Add support for issue claim ([56](https://github.com/waiting-for-dev/warden-jwt_auth/pull/56))
+
+## [0.8.0] - 2023-01-31
+- Add support for secret rotation ([49](https://github.com/waiting-for-dev/warden-jwt_auth/pull/49))
+- Support dry-* v1 ([52](https://github.com/waiting-for-dev/warden-jwt_auth/pull/52))
+
+## [0.7.0] - 2022-09-12
+- Support asymmetric algorithms ([40](https://github.com/waiting-for-dev/warden-jwt_auth/issues/40))
+
+## [0.6.0] - 2021-09-21
+- Support ruby 3.0 and deprecate 2.5
+- Fixed dry-configurable compatibility. ([28](https://github.com/waiting-for-dev/warden-jwt_auth/issues/28))
+
+## [0.5.0] 
+### Fixed
+- Fixed dry-configurable compatibility. ([28](https://github.com/waiting-for-dev/warden-jwt_auth/issues/28))
+
+## [0.4.2] - 2020-03-19
+### Fixed
+- Lock dry-configurable dependency to fix upstream regression. ([21](https://github.com/waiting-for-dev/warden-jwt_auth/issues/21))
+- Fix ruby 2.7 warnings (@trevorrjohn [23](https://github.com/waiting-for-dev/warden-jwt_auth/pull/23) )
+
+## [0.4.1] - 2020-02-23
+### Fixed
+- Upgrade dry-configurable dependency to fix upstream bug preventing
+  warden-jwt_auth to be loaded ([21](https://github.com/waiting-for-dev/warden-jwt_auth/issues/21)).
+
+## [0.4.0] - 2019-08-01
+### Added
+- Allow configuration of the signing algorithm ([19](https://github.com/waiting-for-dev/warden-jwt_auth/pull/19)].
+
+## [0.3.6] - 2019-03-29
+### Fixed
+- Update depencies.
+
+## [0.3.5] - 2018-01-30
+### Fixed
+- Do not disallow fetching JWT scopes from session
+
+## [0.3.4] - 2018-01-09
+### Fixed
+- Do not log out from session for standard AJAX requests
+
+## [0.3.3] - 2017-12-31
+### Fixed
+- Check it is not a html request when disallowing fetching from session
+
+## [0.3.2] - 2017-12-23
+### Fixed
+- Do not couple `aud_header` env value to the setting
+
+## [0.3.1] - 2017-12-11
+### Added
+- Ensure JWT scopes are not fetched from session. Workaround for
+  https://github.com/hassox/warden/pull/118
+
+## [0.3.0] - 2017-12-06
+### Added
+- Add and call hook method `on_jwt_dispatch` on user instance
+- Encode and validate an `aud` claim from the request headers
+
+## [0.2.1] - 2017-12-04
+### Added
+- Allow configuring classes as strings
+
+### Fixed
+- Take `PATH_INFO` as an empty string when it is not present
+
+## [0.2.0] - 2017-11-23
+### Added
+- `fail!` with message
+
+### Fixed
+- Unauthorize when fetched user is nil
+
+## [0.1.4] - 2017-11-21
+### Fixed
+- Update `jwt` dependency
+
+## [0.1.3] - 2017-04-15
+### Fixed
+- Coerce `sub` to string to conform with JWT specification
+
+## [0.1.2] - 2017-04-13
+### Fixed
+- Ignore expired tokens on revocation instead of fail
+
+## [0.1.1] - 2017-02-28
+### Fixed
+- Explicit require of `securerandom` standard library

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,49 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of
+fostering an open and welcoming community, we pledge to respect all people who
+contribute through reporting issues, posting feature requests, updating
+documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free
+experience for everyone, regardless of level of experience, gender, gender
+identity and expression, sexual orientation, disability, personal appearance,
+body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic
+  addresses, without explicit permission
+* Other unethical or unprofessional conduct
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+By adopting this Code of Conduct, project maintainers commit themselves to
+fairly and consistently applying these principles to every aspect of managing
+this project. Project maintainers who do not follow or enforce the Code of
+Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting a project maintainer at marc@lamarciana.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. Maintainers are
+obligated to maintain confidentiality with regard to the reporter of an
+incident.
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 1.3.0, available at
+[http://contributor-covenant.org/version/1/3/0/][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/3/0/

data/Dockerfile

@@ -0,0 +1,5 @@
+FROM ruby:3.0.0
+ENV APP_USER warden_jwt_auth_user
+RUN useradd -ms /bin/bash $APP_USER
+USER $APP_USER
+WORKDIR /home/$APP_USER/app

data/Gemfile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in warden-jwt_auth.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Marc Busqué
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,242 @@
+# Warden::Auth0
+
+[![Gem Version](https://badge.fury.io/rb/warden-jwt_auth.svg)](https://badge.fury.io/rb/warden-jwt_auth)
+[![Build Status](https://travis-ci.org/waiting-for-dev/warden-jwt_auth.svg?branch=master)](https://travis-ci.org/waiting-for-dev/warden-jwt_auth)
+[![Code Climate](https://codeclimate.com/github/waiting-for-dev/warden-jwt_auth/badges/gpa.svg)](https://codeclimate.com/github/waiting-for-dev/warden-jwt_auth)
+[![Test Coverage](https://codeclimate.com/github/waiting-for-dev/warden-jwt_auth/badges/coverage.svg)](https://codeclimate.com/github/waiting-for-dev/warden-jwt_auth/coverage)
+
+`warden-jwt_auth` is a [warden](https://github.com/hassox/warden) extension which uses [JWT](https://jwt.io/) tokens for user authentication. It follows [secure by default](https://en.wikipedia.org/wiki/Secure_by_default) principle.
+
+This gem is just a replacement for cookies when these can't be used. As
+cookies, a token expired with `warden-jwt_auth` will mandatorily have an
+expiration time. If you need that your users never sign out, you will be better
+off with a solution using refresh tokens, like some implementation of OAuth2.
+
+You can read about which security concerns this library takes into account and about JWT generic secure usage in the following series of posts:
+
+- [Stand Up for JWT Revocation](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation)
+- [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies)
+- [JWT Secure Usage](http://waiting-for-dev.github.io/blog/2017/01/25/jwt_secure_usage)
+- [A secure JWT authentication implementation for Rack and Rails](http://waiting-for-dev.github.io/blog/2017/01/26/a_secure_jwt_authentication_implementation_for_rack_and_rails)
+
+If what you need is a JWT authentication library for [devise](https://github.com/plataformatec/devise), better look at [devise-jwt](https://github.com/waiting-for-dev/devise-jwt), which is just a thin layer on top of this gem.
+
+## Installation
+
+```ruby
+gem 'warden-jwt_auth'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install warden-jwt_auth
+
+## Usage
+
+You can look at this gem's wiki to see some [example applications](https://github.com/waiting-for-dev/warden-jwt_auth/wiki). Please, add yours if you think it can help somebody.
+
+At its core, this library consists of:
+
+- A Warden strategy that authenticates a user if a valid JWT token is present in the request headers.
+- A rack middleware which adds a JWT token to the response headers in configured requests.
+- A rack middleware which revokes JWT tokens in configured requests.
+
+As you see, JWT revocation is supported. I wrote [why I think JWT tokens revocation is useful and needed](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/).
+
+### Secret key configuration
+
+First of all, you have to configure the secret key that will be used to sign generated tokens.
+
+```ruby
+Warden::Auth0.configure do |config|
+  config.secret = ENV['WARDEN_JWT_SECRET_KEY']
+end
+```
+
+**Important:** You are encouraged to use a dedicated secret key, different than others in use in your application. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
+
+Currently, HS256 algorithm is the default.
+Configure the matching secret and algorithm name to use a different one (e.g. RS256) (see [ruby-jwt](https://github.com/jwt/ruby-jwt#algorithms-and-usage) to see which are supported)
+```ruby
+Warden::Auth0.configure do |config|
+  config.secret = OpenSSL::PKey::RSA.new(ENV['WARDEN_JWT_SECRET_KEY'])
+  config.algorithm = ENV['WARDEN_JWT_ALGORITHM']
+end
+```
+
+If the algorithm is asymmetric (e.g. RS256) and necessitates a different decoding secret than the encoding secret, configure the `decoding_secret` setting as well.
+
+```ruby
+Warden::Auth0.configure do |config|
+  config.secret = OpenSSL::PKey::RSA.new(ENV['WARDEN_JWT_PRIVATE_KEY'])
+  config.decoding_secret = OpenSSL::PKey::RSA.new(ENV['WARDEN_JWT_PUBLIC_KEY'])
+  config.algorithm = 'RS256' # or other asymmetric algorithm
+end
+```
+
+### Warden scopes configuration
+
+You have to map the warden scopes that will be authenticatable through JWT, with the user repositories from where these scope user records can be fetched. If a string is supplied, the user repository will first be looked up as a constant.
+
+For instance:
+
+```ruby
+config.mappings = { user: UserRepository }
+```
+
+For this example, `UserRepository` must implement a method `find_for_jwt_authentication` that takes as argument the `sub` claim in the JWT payload. This method should return a user record from `:user` scope:
+
+```ruby
+module UserRepository
+  # @returns User
+  def self.find_for_jwt_authentication(sub)
+    Repo.find_user_by_id(sub)
+  end
+end
+```
+
+User records must implement a `jwt_subject` method returning what should be encoded in the `sub` claim on dispatch time. Be aware that what is returned must be coercible to string in order to conform with [RFC7519 standard for `sub` claim](https://tools.ietf.org/html/rfc7519#section-4.1.2).
+
+```ruby
+User = Struct.new(:id, :name)
+  def jwt_subject
+    id
+  end
+end
+```
+
+User records may also implement a `jwt_payload` method, which gives it a chance to add something to the JWT payload:
+
+```ruby
+def jwt_payload
+  { 'foo' => 'bar' }
+end
+```
+
+Just when a token is going to be dispatched to a client, a hook method `on_jwt_dispatch` is invoked, only when it exist, on the user record. This method takes the `token` and the `payload` as arguments.
+
+```ruby
+def on_jwt_dispatch(token, payload)
+  # Do something
+end
+```
+
+### Middlewares addition
+
+You need to add `Warden::Auth0::Middleware` to your rack middlewares stack. Actually, it is just a wrapper which adds two middlewares that do the actual job: dispatching tokens and revoking tokens.
+
+### Token dispatch configuration
+
+You need to tell which requests will dispatch tokens for the user that has been previously authenticated (usually through some other warden strategy, such as one requiring username and email parameters).
+
+To configure it, you must provide a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
+
+For example:
+
+```ruby
+config.dispatch_requests = [
+                             ['POST', %r{^/sign_in$}]
+                           ]
+```
+
+**Important**: You are encouraged to delimit your regular expression with `^` and `$` to avoid unintentional matches.
+
+Tokens will be returned in the `Authorization` response header (configurable via `config.token_header`), with format `Bearer #{token}`.
+
+### Requests authentication
+
+Once you have a valid token, you can authenticate following requests providing the token in the `Authorization` request header, with format `Bearer #{token}`.
+
+### Revocation configuration
+
+You need to tell which requests will revoke incoming JWT tokens.
+
+To configure it, you must provide a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
+
+For example:
+
+```ruby
+config.revocation_requests = [
+                               ['DELETE', %r{^/sign_out$}]
+                             ]
+```
+
+**Important**: You are encouraged to delimit your regular expression with `^` and `$` to avoid unintentional matches.
+
+Besides, you need to configure which revocation strategy will be used for each scope. If a string is supplied, the revocation strategy will first be looked up as a constant.
+
+```ruby
+config.revocation_strategies = { user: RevocationStrategy }
+```
+
+The implementation of the revocation strategy is also on your side. They just need to implement two methods: `jwt_revoked?` and `revoke_jwt`, both of them accepting as parameters the JWT payload and the user record, in this order.
+
+You can read about which [JWT recovation strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/) can be implement with their pros and cons.
+
+```ruby
+module RevocationStrategy
+  def self.jwt_revoked?(payload, user)
+    # Does something to check whether the JWT token is revoked for given user
+  end
+
+  def self.revoke_jwt(payload, user)
+    # Does something to revoke the JWT token for given user
+  end
+end
+```
+
+### Requesting client validation
+
+Authentication will be refused if a client requesting to be authenticated through a token is not the same to which it was originally issued. To do so, the content of the header `JWT_AUD` (configurable via `config.aud_header`) is stored as `aud` claim. If you don't want to differentiate between clients, you don't need to provide that header.
+
+**Important:** Be aware that this workflow is not bullet proof. In some scenarios a user can handcraft the request headers, therefore being able to impersonate any client. In such cases you could need something more robust, like an OAuth workflow with client id and client secret.
+
+### Secret rotation
+
+Secret rotation is supported by setting `rotation_secret`. Set the new secret as the `secret` and copy the previous secret to `rotation_secret`
+
+```ruby
+Warden::Auth0.configure do |config|
+  config.secret = ENV['WARDEN_JWT_SECRET_KEY']
+  config.rotation_secret = ENV['WARDEN_JWT_SECRET_KEY_ROTATION']
+end
+```
+
+You can remove the `rotation_secret` when you are condifent that large enough user base has the fetched the token encrypted with the new secret.
+
+### Multiple issuers
+
+When your application handles JWT tokens from multiple sources (e.g. webhooks authenticated via provider JTW tokens) you can configure this gem to use the [issuer claim](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) to only handle tokens it has issued.
+
+```ruby
+Warden::Auth0.configure do |config|
+  config.secret = ENV['WARDEN_JWT_SECRET_KEY']
+  config.issuer = 'http://my-application.com'
+end
+```
+
+## Development
+
+There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:
+
+`docker-compose up -d`
+
+An then, for example:
+
+`docker-compose exec app rspec`
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/waiting-for-dev/warden-jwt_auth. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## Release Policy
+
+`warden-jwt_auth` follows the principles of [semantic versioning](http://semver.org/).
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+# !/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'warden/jwt_auth'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/docker-compose.yml

@@ -0,0 +1,12 @@
+version: '2'
+services:
+  app:
+    build: .
+    image: warden_jwt_auth
+    command: bash -c "bundle && tail -f Gemfile"
+    volumes:
+      - .:/home/warden_jwt_auth_user/app
+    tty: true
+    stdin_open: true
+    tmpfs:
+      - /tmp

data/issue_template.md

@@ -0,0 +1,25 @@
+Please, for a bug report fill in the following template. Before that, make sure to read the whole [README](https://github.com/waiting-for-dev/warden-jwt_auth/blob/master/README.md).
+
+Feature requests and questions about `warden-jwt_auth` are also accepted.
+
+## Expected behavior
+
+## Actual behavior
+
+## Steps to Reproduce the Problem
+
+1.
+2.
+3.
+
+## Debugging information
+
+Provide following information. Please, format pasted output as code. Feel free to remove the secret key value.
+
+- Version of `warden-jwt_auth` in use
+- Output of `Warden::Auth0.config`
+- If your issue is related with not getting a JWT from the server:
+  - Involved request path, method and request headers
+  - Response headers for that request
+- If your issue is related with not being able to revoke a JWT:
+  - Involved request path, method and request headers

data/lib/warden/auth0/env_helper.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module Warden
+  module Auth0
+    # Helper functions to centralize working with rack env.
+    #
+    # It follows
+    # [rack](http://www.rubydoc.info/github/rack/rack/file/SPEC#The_Environment)
+    # and [PEP 333](https://www.python.org/dev/peps/pep-0333/#environ-variables)
+    # conventions.
+    module EnvHelper
+      # Returns PATH_INFO environment variable
+      #
+      # @param env [Hash] Rack env
+      # @return [String]
+      def self.path_info(env)
+        env['PATH_INFO'] || ''
+      end
+
+      # Returns REQUEST_METHOD environment variable
+      #
+      # @param env [Hash] Rack env
+      # @return [String]
+      def self.request_method(env)
+        env['REQUEST_METHOD']
+      end
+
+      # Returns header configured through `token_header` option
+      #
+      # @param env [Hash] Rack env
+      # @return [String]
+      def self.authorization_header(env)
+        header_env_name = env_name(Auth0.config.token_header)
+        env[header_env_name]
+      end
+
+      # Returns a copy of `env` with value added to the environment variable
+      # configured through `token_header` option
+      #
+      # Be aware than `env` is not modified in place and still an updated copy
+      # is returned.
+      #
+      # @param env [Hash] Rack env
+      # @param value [String]
+      # @return [Hash] modified rack env
+      def self.set_authorization_header(env, value)
+        env = env.dup
+        header_env_name = env_name(Auth0.config.token_header)
+        env[header_env_name] = value
+        env
+      end
+
+      # Returns the ENV name for a given header
+      #
+      # @param header [String] Header name
+      # @return [String]
+      def self.env_name(header)
+        ('HTTP_' + header.upcase).tr('-', '_')
+      end
+    end
+  end
+end

data/lib/warden/auth0/errors.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Warden
+  module Auth0
+    module Errors
+      # Error raised when trying to decode a token that has been revoked for an
+      # user
+      class RevokedToken < JWT::DecodeError
+      end
+
+      # Error raised when no issuer has been configured
+      class NoConfiguredIssuer < JWT::DecodeError
+      end
+
+      # Error raised when no aud has been configured
+      class NoConfiguredAud < JWT::DecodeError
+      end
+
+      # Error raised when the user decoded from a token is nil
+      class NilUser < JWT::DecodeError
+      end
+
+      # Error raised when trying to decode a token whose "issuer" does not match the expected one
+      class WrongIssuer < JWT::DecodeError
+      end
+
+      # Error raised when trying to decode a token for an scope that doesn't
+      # match the one encoded in the payload
+      class WrongScope < JWT::DecodeError
+      end
+
+      # Error raised when trying to decode a token which `aud` claim does not
+      # match with the expected one
+      class WrongAud < JWT::DecodeError
+      end
+    end
+  end
+end

data/lib/warden/auth0/header_parser.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Warden
+  module Auth0
+    # Helpers to parse token from a request and to a response
+    module HeaderParser
+      # Method for `Authorization` header. Token is present in request/response
+      # headers as `Bearer %token%`
+      METHOD = 'Bearer'
+
+      # Parses the token from a rack request
+      #
+      # @param env [Hash] rack env hash
+      # @return [String] JWT token
+      # @return [nil] if token is not present
+      def self.from_env(env)
+        auth = EnvHelper.authorization_header(env)
+        return nil unless auth
+
+        method, token = auth.split
+        method == METHOD ? token : nil
+      end
+
+      # Returns a copy of `env` with token added to the header configured through
+      # `token_header` option. Be aware than `env` is not modified in place.
+      #
+      # @param env [Hash] rack env hash
+      # @param token [String] JWT token
+      # @return [Hash] modified rack env
+      def self.to_env(env, token)
+        EnvHelper.set_authorization_header(env, "#{METHOD} #{token}")
+      end
+
+      # Returns a copy of headers with token added in the `Authorization` key.
+      # Be aware that headers is not modified in place
+      #
+      # @param headers [Hash] rack hash response headers
+      # @param token [String] JWT token
+      # @return [Hash] response headers with the token added
+      def self.to_headers(headers, token)
+        headers = headers.dup
+        headers[Auth0.config.token_header] = "#{METHOD} #{token}"
+        headers
+      end
+    end
+  end
+end

data/lib/warden/auth0/strategy.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'warden'
+
+module Warden
+  module Auth0
+    # Warden strategy to authenticate a user through a JWT token in the
+    # `Authorization` request header
+    class Strategy < Warden::Strategies::Base
+      def valid?
+        token_exists? && issuer_claim_valid? && aud_claim_valid?
+      end
+
+      def store?
+        false
+      end
+
+      def authenticate!
+        raise Errors::WrongIssuer, 'wrong issuer' unless issuer_claim_valid?
+
+        raise Errors::WrongAud, 'wrong audience' unless aud_claim_valid?
+
+        user = Warden::Auth0.config.user_resolver.call(decoded_token)
+
+        raise Warden::Auth0::Errors::NilUser, 'nil user' unless user
+
+        success!(user)
+      rescue JWT::DecodeError => e
+        puts "Failing to authenticate with #{e.message}"
+        fail!(e.message)
+      end
+
+      private
+
+      def issuer_claim_valid?
+        issuer = configured_issuer
+        issuer_matches?(decoded_token, issuer)
+      rescue JWT::DecodeError
+        false
+      end
+
+      def aud_claim_valid?
+        aud = configured_aud
+        aud_matches?(decoded_token, aud)
+      rescue JWT::DecodeError
+        false
+      end
+
+      def decoded_token
+        TokenDecoder.new.call(token)
+      end
+
+      def configured_aud
+        configured_aud = Warden::Auth0.config.aud
+        raise Errors::NoConfiguredAud if configured_aud.nil?
+
+        configured_aud
+      end
+
+      def configured_issuer
+        configured_issuer = Warden::Auth0.config.issuer
+        raise Errors::NoConfiguredIssuer if configured_issuer.nil?
+
+        configured_issuer
+      end
+
+      def token_exists?
+        !token.nil?
+      end
+
+      def issuer_matches?(payload, issuer)
+        payload['iss'] == issuer.to_s
+      end
+
+      def aud_matches?(payload, aud)
+        return true if payload['aud'] == aud.to_s
+
+        payload['aud'].is_a?(Array) && payload['aud'].include?(aud)
+      end
+
+      def token
+        @token ||= HeaderParser.from_env(env)
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:auth0, Warden::Auth0::Strategy)

data/lib/warden/auth0/token_decoder.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'jwt/error'
+
+module Warden
+  module Auth0
+    # Decodes a JWT into a hash payload into a JWT token
+    class TokenDecoder
+      include Auth0::Import['decoding_secret', 'algorithm']
+
+      # Decodes the payload from a JWT as a hash
+      #
+      # @see JWT.decode for all the exceptions than can be raised when given
+      # token is invalid
+      #
+      # @param token [String] a JWT
+      # @return [Hash] payload decoded from the JWT
+      def call(token)
+        decode(token, decoding_secret)
+      end
+
+      private
+
+      def decode(token, secret)
+        JWT.decode(token,
+                   secret,
+                   true,
+                   algorithm: algorithm,
+                   verify_jti: true)[0]
+      end
+    end
+  end
+end

data/lib/warden/auth0/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Warden
+  module Auth0
+    VERSION = '0.1.0'
+  end
+end

data/lib/warden/auth0.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'dry/configurable'
+require 'dry/auto_inject'
+require 'jwt'
+require 'warden'
+
+module Warden
+  # Auth0 authentication plugin for warden.
+  #
+  # It consists of a strategy which tries to authenticate an user decoding a
+  # token present in the `Authentication` header (as `Bearer %token%`).
+  module Auth0
+    extend Dry::Configurable
+
+    def symbolize_keys(hash)
+      hash.transform_keys(&:to_sym)
+    end
+
+    def upcase_first_items(array)
+      array.map do |tuple|
+        method, path = tuple
+        [method.to_s.upcase, path]
+      end
+    end
+
+    def constantize_values(hash)
+      hash.transform_values do |value|
+        value.is_a?(String) ? Object.const_get(value) : value
+      end
+    end
+
+    module_function :constantize_values, :symbolize_keys, :upcase_first_items
+
+    # The secret used to decode the token, defaults to `secret` if not provided
+    setting :decoding_secret, constructor: ->(value) { value || config.secret }
+
+    # Request header that will be used for receiving and returning the token.
+    setting :token_header, default: 'Authorization'
+
+    # The algorithm used to encode the token
+    setting :algorithm
+
+    # The issuer claims associated with the tokens
+    #
+    # Will be used to only apply the warden strategy when the issuer matches.
+    # This allows for multiple token issuers being used.
+    # @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
+    setting :issuer, default: nil
+
+    # The aud claims associated with the tokens
+    #
+    # Will be used to only apply the warden strategy when the audience matches.
+    setting :aud, default: nil
+
+    # This is a method that takes in the payload sub and should return a User
+    setting :user_resolver
+
+    Import = Dry::AutoInject(config)
+  end
+end
+
+require 'warden/auth0/version'
+require 'warden/auth0/errors'
+require 'warden/auth0/header_parser'
+require 'warden/auth0/env_helper'
+require 'warden/auth0/token_decoder'
+require 'warden/auth0/strategy'

data/warden-auth0.gemspec

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'warden/auth0/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'warden-auth0'
+  spec.version       = Warden::Auth0::VERSION
+  spec.authors       = ['1KOMMA5º']
+
+  spec.summary       = 'Auth0 authentication for Warden.'
+  spec.description   = 'Auth0 authentication for Warden, ORM agnostic and accepting the implementation of token revocation strategies.'
+  spec.homepage      = 'https://github.com/sarakola/warden-jwt_auth'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.add_dependency 'dry-auto_inject', '>= 0.8', '< 2'
+  spec.add_dependency 'dry-configurable', '>= 0.13', '< 2'
+  spec.add_dependency 'jwt', '~> 2.1'
+  spec.add_dependency 'warden', '~> 1.2'
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'pry-byebug', '~> 3.7'
+  spec.add_development_dependency 'rack-test', '~> 1.1'
+  spec.add_development_dependency 'rake', '~> 12.3'
+  spec.add_development_dependency 'rspec', '~> 3.8'
+  # Cops
+  spec.add_development_dependency 'rubocop', '~> 0.87'
+  spec.add_development_dependency 'rubocop-rspec', '~> 1.42'
+  # Test reporting
+  spec.add_development_dependency 'codeclimate-test-reporter', '~> 1.0'
+  spec.add_development_dependency 'simplecov', '0.17'
+end

metadata

@@ -0,0 +1,263 @@
+--- !ruby/object:Gem::Specification
+name: warden-auth0
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- 1KOMMA5º
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-09-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dry-auto_inject
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: dry-configurable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.13'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0.13'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: warden
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.7'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.8'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.87'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.87'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.42'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.42'
+- !ruby/object:Gem::Dependency
+  name: codeclimate-test-reporter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '0.17'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: '0.17'
+description: Auth0 authentication for Warden, ORM agnostic and accepting the implementation
+  of token revocation strategies.
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".codeclimate.yml"
+- ".github/FUNDING.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Dockerfile
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- docker-compose.yml
+- issue_template.md
+- lib/warden/auth0.rb
+- lib/warden/auth0/env_helper.rb
+- lib/warden/auth0/errors.rb
+- lib/warden/auth0/header_parser.rb
+- lib/warden/auth0/strategy.rb
+- lib/warden/auth0/token_decoder.rb
+- lib/warden/auth0/version.rb
+- warden-auth0.gemspec
+homepage: https://github.com/sarakola/warden-jwt_auth
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.19
+signing_key:
+specification_version: 4
+summary: Auth0 authentication for Warden.
+test_files: []