warden-jwt_auth 0.1.0

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/docker-compose.yml

@@ -0,0 +1,7 @@
+version: '2'
+services:
+  app:
+    build: .
+    command: tail -f Gemfile
+    volumes:
+      - .:/app

data/lib/warden/jwt_auth.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+require 'dry/configurable'
+require 'dry/auto_inject'
+require 'jwt'
+require 'warden'
+
+module Warden
+  # JWT authentication plugin for warden.
+  #
+  # It consists of a strategy which tries to authenticate an user decoding a
+  # token present in the `Authentication` header (as `Bearer %token%`).
+  # From it, it takes the `sub` claim and provides it to a configured repository
+  # of users for the current scope.
+  #
+  # It also consists of two rack middlewares which perform two actions for
+  # configured request paths: dispatching a token for a signed in user and
+  # revoking an incoming token.
+  module JWTAuth
+    extend Dry::Configurable
+
+    # The secret used to encode the token
+    setting :secret
+
+    # Expiration time for tokens
+    setting :expiration_time, 3600
+
+    # A hash of warden scopes as keys and user repositories as values.
+    #
+    # @see Interfaces::UserRepository
+    # @see Interfaces::User
+    setting(:mappings, {}) do |value|
+      Hash[
+        value.each_pair do |scope, mapping|
+          [scope.to_sym, mapping]
+        end
+      ]
+    end
+
+    # Array of tuples [request_method, request_path_regex] to match request
+    # verbs and paths where a JWT token should be added to the `Authorization`
+    # response header
+    #
+    # @example
+    #  [
+    #    ['POST', %r{^/sign_in$}]
+    #  ]
+    setting(:dispatch_requests, []) do |value|
+      value.map do |tuple|
+        method, path = tuple
+        [method.to_s.upcase, path]
+      end
+    end
+
+    # Array of tuples [request_method, request_path_regex] to match request
+    # verbs and paths where incoming JWT token should be be revoked
+    #
+    # @example
+    #  [
+    #    ['DELETE', %r{^/sign_out$}]
+    #  ]
+    setting :revocation_requests, [] do |value|
+      value.map do |tuple|
+        method, path = tuple
+        [method.to_s.upcase, path]
+      end
+    end
+
+    # Hash with scopes as keys and values with the strategy to revoke tokens for
+    # that scope
+    #
+    # @example
+    #  {
+    #    user: UserRevocationStrategy
+    #  }
+    #
+    # @see Interfaces::RevocationStrategy
+    setting(:revocation_strategies, {}) do |value|
+      Hash[
+        value.each_pair do |scope, strategy|
+          [scope.to_sym, strategy]
+        end
+      ]
+    end
+
+    Import = Dry::AutoInject(config)
+  end
+end
+
+require 'warden/jwt_auth/version'
+require 'warden/jwt_auth/header_parser'
+require 'warden/jwt_auth/payload_user_helper'
+require 'warden/jwt_auth/user_encoder'
+require 'warden/jwt_auth/user_decoder'
+require 'warden/jwt_auth/token_encoder'
+require 'warden/jwt_auth/token_decoder'
+require 'warden/jwt_auth/token_revoker'
+require 'warden/jwt_auth/hooks'
+require 'warden/jwt_auth/strategy'
+require 'warden/jwt_auth/middleware'
+require 'warden/jwt_auth/interfaces'

data/lib/warden/jwt_auth/errors.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    module Errors
+      # Error raised when trying to decode a token that has been revoked for an
+      # user
+      class RevokedToken < JWT::DecodeError
+      end
+
+      # Error raised when trying to decode a token for an scope that doesn't
+      # match the one encoded in the payload
+      class WrongScope < JWT::DecodeError
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/header_parser.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    # Helpers to parse token from a request and to a response
+    module HeaderParser
+      # Method for `Authorization` header. Token is present in request/response
+      # headers as `Bearer %token%`
+      METHOD = 'Bearer'
+
+      # Parses the token from a rack request
+      #
+      # @param env [Hash] rack env hash
+      # @return [String] JWT token
+      # @return [nil] if token is not present
+      def self.from_env(env)
+        auth = env['HTTP_AUTHORIZATION']
+        return nil unless auth
+        method, token = auth.split
+        method == METHOD ? token : nil
+      end
+
+      # Returns a copy of `env` with token added to the `HTTP_AUTHORIZATION`
+      # header. Be aware than `env` is not modified in place.
+      #
+      # @param env [Hash] rack env hash
+      # @param token [String] JWT token
+      # @return [Hash] modified rack env
+      def self.to_env(env, token)
+        env = env.dup
+        env['HTTP_AUTHORIZATION'] = "#{METHOD} #{token}"
+        env
+      end
+
+      # Returns a copy of headers with token added in the `Authorization` key.
+      # Be aware that headers is not modified in place
+      #
+      # @param headers [Hash] rack hash response headers
+      # @param token [String] JWT token
+      # @return [Hash] response headers with the token added
+      def self.to_headers(headers, token)
+        headers = headers.dup
+        headers['Authorization'] = "#{METHOD} #{token}"
+        headers
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/hooks.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    # Warden hooks
+    class Hooks
+      include JWTAuth::Import['mappings', 'dispatch_requests']
+
+      # `env` key where JWT is added
+      PREPARED_TOKEN_ENV_KEY = 'warden-jwt_auth.token'
+
+      # Adds a token for the signed in user to the request `env` if current path
+      # and verb match with configuration. This will be picked up later on by a
+      # rack middleware which will add it to the response headers.
+      #
+      # @see https://github.com/hassox/warden/wiki/Callbacks
+      def self.after_set_user(user, auth, opts)
+        new.send(:prepare_token, user, auth, opts)
+      end
+
+      private
+
+      def prepare_token(user, auth, opts)
+        env = auth.env
+        scope = opts[:scope]
+        return unless token_should_be_added?(scope, env)
+        token = UserEncoder.new.call(user, scope)
+        env[PREPARED_TOKEN_ENV_KEY] = token
+      end
+
+      def token_should_be_added?(scope, env)
+        jwt_scope?(scope) && request_matches?(env)
+      end
+
+      def jwt_scope?(scope)
+        jwt_scopes = mappings.keys
+        jwt_scopes.include?(scope)
+      end
+
+      # :reek:FeatureEnvy
+      def request_matches?(env)
+        dispatch_requests.each do |tuple|
+          method, path = tuple
+          return true if env['PATH_INFO'].match(path) &&
+                         env['REQUEST_METHOD'] == method
+        end
+        false
+      end
+    end
+  end
+end
+
+Warden::Manager.after_set_user do |user, auth, opts|
+  Warden::JWTAuth::Hooks.after_set_user(user, auth, opts)
+end

data/lib/warden/jwt_auth/interfaces.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    # Interfaces expected to be implemented in applications working with this
+    # gem
+    module Interfaces
+      # Repository that returns [User]
+      class UserRepository
+        # Finds and returns an [User]
+        #
+        # @param _sub [BasicObject] JWT sub claim
+        # @return [User]
+        def find_for_jwt_authentication(_sub)
+          raise NotImplementedError
+        end
+      end
+
+      # An user
+      class User
+        # What will be encoded as `sub` claim
+        #
+        # @return [BasicObject] `sub` claim
+        def jwt_subject
+          raise NotImplementedError
+        end
+
+        # Allows adding extra claims to be encoded within the payload
+        #
+        # @return [Hash] claims to be merged with defaults
+        def jwt_payload
+          {}
+        end
+      end
+
+      # Strategy to manage JWT revocation
+      class RevocationStrategy
+        # Does something to revoke a JWT payload
+        #
+        # @param _payload [Hash]
+        # @param _user [User]
+        def revoke_jwt(_payload, _user)
+          raise NotImplementedError
+        end
+
+        # Returns whether a JWT payload is revoked
+        #
+        # @param _payload [Hash]
+        # @param _user [User]
+        # @return [Boolean]
+        def jwt_revoked?(_payload, _user)
+          raise NotImplementedError
+        end
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/middleware.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'warden/jwt_auth/middleware/token_dispatcher'
+require 'warden/jwt_auth/middleware/revocation_manager'
+
+module Warden
+  module JWTAuth
+    # Simple rack middleware which is just a wrapper for other middlewares which
+    # actually perform some work.
+    class Middleware
+      attr_reader :app
+
+      def initialize(app)
+        @app = app
+      end
+
+      # :reek:FeatureEnvy
+      def call(env)
+        builder = Rack::Builder.new
+        builder.use(RevocationManager)
+        builder.use(TokenDispatcher)
+        builder.run(app)
+        builder.call(env)
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/middleware/revocation_manager.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    class Middleware
+      # Revokes a token if it path and method match with configured
+      class RevocationManager < Middleware
+        # Debugging key added to `env`
+        ENV_KEY = 'warden-jwt_auth.revocation_manager'
+
+        attr_reader :app, :config
+
+        def initialize(app)
+          @app = app
+          @config = JWTAuth.config
+        end
+
+        def call(env)
+          env[ENV_KEY] = true
+          response = app.call(env)
+          revoke_token(env)
+          response
+        end
+
+        private
+
+        def revoke_token(env)
+          token = HeaderParser.from_env(env)
+          return unless token && token_should_be_revoked?(env)
+          TokenRevoker.new.call(token)
+        end
+
+        # :reek:FeatureEnvy
+        def token_should_be_revoked?(env)
+          revocation_requests = config.revocation_requests
+          revocation_requests.each do |tuple|
+            method, path = tuple
+            return true if env['PATH_INFO'].match(path) &&
+                           env['REQUEST_METHOD'] == method
+          end
+          false
+        end
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/middleware/token_dispatcher.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    class Middleware
+      # Dispatches a token (adds it to `Authorization` response header) if it
+      # has been added to the request `env` by [Hooks]
+      class TokenDispatcher < Middleware
+        # Debugging key added to `env`
+        ENV_KEY = 'warden-jwt_auth.token_dispatcher'
+
+        attr_reader :app
+
+        def initialize(app)
+          @app = app
+        end
+
+        def call(env)
+          env[ENV_KEY] = true
+          status, headers, response = app.call(env)
+          headers = headers_with_token(env, headers)
+          [status, headers, response]
+        end
+
+        private
+
+        # :reek:UtilityFunction
+        def headers_with_token(env, headers)
+          token = env[Hooks::PREPARED_TOKEN_ENV_KEY]
+          token ? HeaderParser.to_headers(headers, token) : headers
+        end
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/payload_user_helper.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    # Helper functions to deal with user info present in a decode payload
+    module PayloadUserHelper
+      # Returns user encoded in given payload
+      #
+      # @param payload [Hash] JWT payload
+      # @return [Interfaces::User] an user, whatever it is
+      def self.find_user(payload)
+        config = JWTAuth.config
+        scope = payload['scp'].to_sym
+        user_repo = config.mappings[scope]
+        user_repo.find_for_jwt_authentication(payload['sub'])
+      end
+
+      # Returns whether given scope matches with the one encoded in the payload
+      # @param payload [Hash] JWT payload
+      # @return [Boolean]
+      def self.scope_matches?(payload, scope)
+        payload['scp'] == scope.to_s
+      end
+
+      # Returns the payload to encode for a given user in a scope
+      #
+      # @param user [Interfaces::User] an user, whatever it is
+      # @param scope [Symbol] A Warden scope
+      # @return [Hash] payload to encode
+      # :reek:ManualDispatch
+      def self.payload_for_user(user, scope)
+        sub = user.jwt_subject
+        payload = { 'sub' => sub, 'scp' => scope.to_s }
+        return payload unless user.respond_to?(:jwt_payload)
+        user.jwt_payload.merge(payload)
+      end
+    end
+  end
+end