warden-jwt_auth 0.1.0

data/lib/warden/jwt_auth/strategy.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'warden'
+
+module Warden
+  module JWTAuth
+    # Warden strategy to authenticate an user through a JWT token in the
+    # `Authorization` request header
+    # :reek:PrimmaDonnaMethod
+    class Strategy < Warden::Strategies::Base
+      attr_reader :token
+
+      def valid?
+        !token.nil?
+      end
+
+      def store?
+        false
+      end
+
+      def authenticate!
+        user = UserDecoder.new.call(token, scope)
+        success!(user)
+      rescue JWT::DecodeError
+        fail!
+      end
+
+      private
+
+      def token
+        @token ||= HeaderParser.from_env(env)
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:jwt, Warden::JWTAuth::Strategy)

data/lib/warden/jwt_auth/token_decoder.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    # Decodes a JWT into a hash payload into a JWT token
+    class TokenDecoder
+      include JWTAuth::Import['secret']
+
+      # Decodes the payload from a JWT as a hash
+      #
+      # @param token [String] a JWT
+      # @return [Hash] payload decoded from the JWT
+      def call(token)
+        JWT.decode(token,
+                   secret,
+                   true,
+                   algorithm: TokenEncoder::ALG,
+                   verify_jti: true)[0]
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/token_encoder.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    # Encodes a payload into a JWT token, adding some configurable
+    # claims
+    class TokenEncoder
+      include JWTAuth::Import['secret', 'expiration_time']
+
+      # Algorithm used to encode
+      ALG = 'HS256'
+
+      # Encodes a payload into a JWT
+      #
+      # @param payload [Hash] what has to be encoded
+      # @return [String] JWT
+      def call(payload)
+        payload_to_encode = merge_with_default_claims(payload)
+        JWT.encode(payload_to_encode, secret, ALG)
+      end
+
+      private
+
+      #:reek:FeatureEnvy
+      def merge_with_default_claims(payload)
+        now = Time.now.to_i
+        payload['iat']  ||= now
+        payload['exp']  ||= now + expiration_time
+        payload['jti']  ||= SecureRandom.uuid
+        payload
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/token_revoker.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    # Revokes a JWT using configured revocation strategy
+    class TokenRevoker
+      include JWTAuth::Import['revocation_strategies']
+
+      # Revokes the JWT token
+      #
+      # @param token [String] a JWT
+      def call(token)
+        payload = TokenDecoder.new.call(token)
+        scope = payload['scp'].to_sym
+        user = PayloadUserHelper.find_user(payload)
+        revocation_strategies[scope].revoke_jwt(payload, user)
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/user_decoder.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'warden/jwt_auth/errors'
+
+module Warden
+  module JWTAuth
+    # Layer above token decoding which directly decodes a user from a JWT
+    class UserDecoder
+      include JWTAuth::Import['revocation_strategies']
+
+      attr_reader :helper
+
+      def initialize(*args)
+        super
+        @helper = PayloadUserHelper
+      end
+
+      # Returns the user that is encoded in a JWT. The scope is used to choose
+      # the user repository to which send `#find_for_jwt_authentication(sub)`
+      # with decoded `sub` claim.
+      #
+      # @param token [String] a JWT
+      # @param scope [Symbol] Warden scope
+      # @return [Interfaces::User] an user, whatever it is
+      # @raise [Errors::RevokedToken] when token has been revoked for the
+      # encoded user
+      # @raise [Errors::WrongScope] when encoded scope does not match with scope
+      # argument
+      def call(token, scope)
+        payload = TokenDecoder.new.call(token)
+        raise Errors::WrongScope unless helper.scope_matches?(payload, scope)
+        user = helper.find_user(payload)
+        raise Errors::RevokedToken if revoked?(payload, user, scope)
+        user
+      end
+
+      private
+
+      def revoked?(payload, user, scope)
+        strategy = revocation_strategies[scope]
+        strategy.jwt_revoked?(payload, user)
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/user_encoder.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'warden/jwt_auth/errors'
+
+module Warden
+  module JWTAuth
+    # Layer above token encoding which directly encodes a user to a JWT
+    class UserEncoder
+      attr_reader :helper
+
+      def initialize
+        @helper = PayloadUserHelper
+      end
+
+      # Encodes a user for given scope into a JWT. Payload generated includes a
+      # `sub` claim which is build calling `jwt_subject` in `user`, and a custom
+      # `scp` claim which value is `scope` as a string. The result of
+      # calling `jwt_payload` in user is also merged into the payload.
+      #
+      # @param user [Interfaces::User] an user, whatever it is
+      # @param scope [Symbol] Warden scope
+      # @return [String] encoded JWT
+      def call(user, scope)
+        payload = helper.payload_for_user(user, scope)
+        TokenEncoder.new.call(payload)
+      end
+    end
+  end
+end

data/lib/warden/jwt_auth/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Warden
+  module JWTAuth
+    VERSION = '0.1.0'
+  end
+end

data/warden-jwt_auth.gemspec

@@ -0,0 +1,35 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'warden/jwt_auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "warden-jwt_auth"
+  spec.version       = Warden::JWTAuth::VERSION
+  spec.authors       = ["Marc Busqué"]
+  spec.email         = ["marc@lamarciana.com"]
+
+  spec.summary       = %q{JWT authentication for Warden.}
+  spec.description   = %q{JWT authentication for Warden, ORM agnostic and accepting the implementation of token revocation strategies.}
+  spec.homepage      = "https://github.com/waiting-for-dev/warden-jwt_auth"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency 'dry-configurable', '~> 0.5'
+  spec.add_dependency 'dry-auto_inject', '~> 0.4'
+  spec.add_dependency 'jwt', '~> 1.5'
+  spec.add_dependency 'warden', '~> 1.2'
+
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rack-test", "~> 0.6"
+  spec.add_development_dependency "pry-byebug", "~> 3.4"
+  # Test reporting
+  spec.add_development_dependency 'simplecov', '~> 0.13'
+  spec.add_development_dependency 'codeclimate-test-reporter', '~> 1.0'
+end

metadata

@@ -0,0 +1,233 @@
+--- !ruby/object:Gem::Specification
+name: warden-jwt_auth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Marc Busqué
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2017-01-26 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dry-configurable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.5'
+- !ruby/object:Gem::Dependency
+  name: dry-auto_inject
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.4'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: warden
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.13'
+- !ruby/object:Gem::Dependency
+  name: codeclimate-test-reporter
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: JWT authentication for Warden, ORM agnostic and accepting the implementation
+  of token revocation strategies.
+email:
+- marc@lamarciana.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".codeclimate.yml"
+- ".gitignore"
+- ".overcommit.yml"
+- ".overcommit_gems.rb"
+- ".reek"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- CODE_OF_CONDUCT.md
+- Dockerfile
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- docker-compose.yml
+- lib/warden/jwt_auth.rb
+- lib/warden/jwt_auth/errors.rb
+- lib/warden/jwt_auth/header_parser.rb
+- lib/warden/jwt_auth/hooks.rb
+- lib/warden/jwt_auth/interfaces.rb
+- lib/warden/jwt_auth/middleware.rb
+- lib/warden/jwt_auth/middleware/revocation_manager.rb
+- lib/warden/jwt_auth/middleware/token_dispatcher.rb
+- lib/warden/jwt_auth/payload_user_helper.rb
+- lib/warden/jwt_auth/strategy.rb
+- lib/warden/jwt_auth/token_decoder.rb
+- lib/warden/jwt_auth/token_encoder.rb
+- lib/warden/jwt_auth/token_revoker.rb
+- lib/warden/jwt_auth/user_decoder.rb
+- lib/warden/jwt_auth/user_encoder.rb
+- lib/warden/jwt_auth/version.rb
+- warden-jwt_auth.gemspec
+homepage: https://github.com/waiting-for-dev/warden-jwt_auth
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: JWT authentication for Warden.
+test_files: []