warden-jwt_auth 0.6.0 → 0.8.0

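--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: d51f6ca62ae932ecce00a1302bcf89afa9e39a073d64e2e1ed8573b1f35ac887
- data.tar.gz: c412529d04dcb06a4360accaff043d5a11948ac6acc621f795b0d53087abe360
+ metadata.gz: d1170f1a68adb34c8769b7c202ba91ca706494562205ef9b8ab56956f0d66393
+ data.tar.gz: 9334625e9e7711c76a90c6d22414871402171e317f9825cc3d6e4d3e5ca486fd
  SHA512:
- metadata.gz: 917659441336dbdd2f7dce8e4e29ac0ed278e7961ab1c6f209eed25e6e8d613b59154c302fd27695a2432c8cc9aa8bd09eca52958132ba96cb0d3590ee6bafa9
- data.tar.gz: e7acd7d7922d344056f16fc7412bbf2241780dafb573ba550915de60dc371738d63a70acf363778c7bcd38e6e5e38b78f2eb237c5b3d3448616e90e44dc54b26
+ metadata.gz: 6ab3bbcd295d3206006878d307006a7033be2bfa94237f45e607979b8217d5b84222f076700e1893633b9d716b159d5d576183ca9a261a36c0b76f341c8f1d22
+ data.tar.gz: 95619a1fee6709a8aa7eb883af56abf1e7540acde7b3eb690a7b6da142f203cd41bc222af6cac12937ac18f909a5974437cedf7d76f32262f4f6cca275ada89b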
@@ -0,0 +1 @@
1
+ github: waiting-for-dev
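--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -4,7 +4,14 @@ All notable changes to this project will be documented in this file.
  The format is based on [Keep a Changelog](http://keepachangelog.com/)
  and this project adheres to [Semantic Versioning](http://semver.org/).
 
- ## [0.6.0]
+ ## [0.8.0] - 2023-01-31
+ - Add support for secret rotation ([49](https://github.com/waiting-for-dev/warden-jwt_auth/pull/49))
+ - Support dry-* v1 ([52](https://github.com/waiting-for-dev/warden-jwt_auth/pull/52))
+
+ ## [0.7.0] - 2022-09-12
+ - Support asymmetric algorithms ([40](https://github.com/waiting-for-dev/warden-jwt_auth/issues/40))
+
+ ## [0.6.0] - 2021-09-21
  - Support ruby 3.0 and deprecate 2.5
  - Fixed dry-configurable compatibility. ([28](https://github.com/waiting-for-dev/warden-jwt_auth/issues/28))
 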
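--- a/data/README.md
+++ b/data/README.md
@@ -68,6 +68,16 @@ Warden::JWTAuth.configure do |config|
  end
  ```
 
+ If the algorithm is asymmetric (e.g. RS256) and necessitates a different decoding secret than the encoding secret, configure the `decoding_secret` setting as well.
+
+ ```ruby
+ Warden::JWTAuth.configure do |config|
+ config.secret = OpenSSL::PKey::RSA.new(ENV['WARDEN_JWT_PRIVATE_KEY'])
+ config.decoding_secret = OpenSSL::PKey::RSA.new(ENV['WARDEN_JWT_PUBLIC_KEY'])
+ config.algorithm = 'RS256' # or other asymmetric algorithm
+ end
+ ```
+
  ### Warden scopes configuration
 
  You have to map the warden scopes that will be authenticatable through JWT, with the user repositories from where these scope user records can be fetched. If a string is supplied, the user repository will first be looked up as a constant.
@@ -185,6 +195,19 @@ Authentication will be refused if a client requesting to be authenticated throug
 
  **Important:** Be aware that this workflow is not bullet proof. In some scenarios a user can handcraft the request headers, therefore being able to impersonate any client. In such cases you could need something more robust, like an OAuth workflow with client id and client secret.
 
+ ### Secret rotation
+
+ Secret rotation is supported by setting `rotation_secret`. Set the new secret as the `secret` and copy the previous secret to `rotation_secret`
+
+ ```ruby
+ Warden::JWTAuth.configure do |config|
+ config.secret = ENV['WARDEN_JWT_SECRET_KEY']
+ config.rotation_secret = ENV['WARDEN_JWT_SECRET_KEY_ROTATION']
+ end
+ ```
+
+ You can remove the `rotation_secret` when you are condifent that large enough user base has the fetched the token encrypted with the new secret.
+
  ## Development
 
  There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run: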
@@ -1,10 +1,12 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require 'jwt/error'
4
+
3
5
  module Warden
4
6
  module JWTAuth
5
7
  # Decodes a JWT into a hash payload into a JWT token
6
8
  class TokenDecoder
7
- include JWTAuth::Import['secret', 'algorithm']
9
+ include JWTAuth::Import['decoding_secret', 'rotation_secret', 'algorithm']
8
10
 
9
11
  # Decodes the payload from a JWT as a hash
10
12
  #
@@ -14,6 +16,14 @@ module Warden
14
16
  # @param token [String] a JWT
15
17
  # @return [Hash] payload decoded from the JWT
16
18
  def call(token)
19
+ decode(token, decoding_secret)
20
+ rescue JWT::VerificationError
21
+ decode(token, rotation_secret)
22
+ end
23
+
24
+ private
25
+
26
+ def decode(token, secret)
17
27
  JWT.decode(token,
18
28
  secret,
19
29
  true,
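Review bot: The `rescue JWT::VerificationError` branch retries with `rotation_secret` even when no rotation secret is configured, so on a deployment without rotation every bad signature triggers a second `decode(token, nil)` call; presumably the jwt gem then raises a different error for the missing key instead of the VerificationError the caller would otherwise have seen. Guard the fallback so a plain signature failure is rejected on the first pass: `rescue JWT::VerificationError` / `raise unless rotation_secret` / `decode(token, rotation_secret)`. A token that verifies under `rotation_secret` is accepted as fully valid here, so the previous secret stays live for anyone holding it until it is removed from the configuration; a comment such as `# Tokens signed with the previous secret stay valid until rotation_secret is unset` on the rescue line would make that explicit. The `JWT.decode` call inside the private `decode` helper continues outside the hunk.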
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Warden
4
4
  module JWTAuth
5
- VERSION = '0.6.0'
5
+ VERSION = '0.8.0'
6
6
  end
7
7
  end
@@ -41,6 +41,12 @@ module Warden
41
41
  # The secret used to encode the token
42
42
  setting :secret
43
43
 
44
+ # The old secret used for rotation
45
+ setting :rotation_secret
46
+
47
+ # The secret used to decode the token, defaults to `secret` if not provided
48
+ setting :decoding_secret, constructor: ->(value) { value || config.secret }
49
+
44
50
  # The algorithm used to encode the token
45
51
  setting :algorithm, default: 'HS256'
46
52
 
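Review bot: The fallback in `setting :decoding_secret, constructor: ->(value) { value || config.secret }` is resolved whenever the constructor runs rather than when a token is decoded, so its result presumably depends on `secret` already having been assigned at that moment and will not track a later reassignment of `secret` (for example when rotating at runtime); if it resolves to nil the decoder is left with no verification key, which appears to fail closed but with a confusing error. Either document the ordering requirement, e.g. `# Resolved when first evaluated: assign secret before this setting is read`, or have the decoder resolve the fallback at use time instead. The comment on `rotation_secret` should also state the security consequence, e.g. `# Previous secret; tokens signed with it stay valid until this is unset, so keep the window short`. The enclosing configuration block starts and ends outside the hunk.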
@@ -20,8 +20,10 @@ Gem::Specification.new do |spec|
20
20
  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
21
21
  spec.require_paths = ['lib']
22
22
 
23
- spec.add_dependency 'dry-auto_inject', '~> 0.8'
24
- spec.add_dependency 'dry-configurable', '~> 0.13'
23
+ spec.metadata['rubygems_mfa_required'] = 'true'
24
+
25
+ spec.add_dependency 'dry-auto_inject', '>= 0.8', '< 2'
26
+ spec.add_dependency 'dry-configurable', '>= 0.13', '< 2'
25
27
  spec.add_dependency 'jwt', '~> 2.1'
26
28
  spec.add_dependency 'warden', '~> 1.2'
27
29
 
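--- a/metadata
+++ b/metadata
@@ -1,43 +1,55 @@
  --- !ruby/object:Gem::Specification
  name: warden-jwt_auth
  version: !ruby/object:Gem::Version
- version: 0.6.0
+ version: 0.8.0
  platform: ruby
  authors:
  - Marc Busqué
  autorequire:
  bindir: exe
  cert_chain: []
- date: 2021-09-21 00:00:00.000000000 Z
+ date: 2023-01-31 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: dry-auto_inject
  requirement: !ruby/object:Gem::Requirement
  requirements:
- - - "~>"
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0.8'
+ - - "<"
+ - !ruby/object:Gem::Version
+ version: '2'
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
- - - "~>"
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0.8'
+ - - "<"
+ - !ruby/object:Gem::Version
+ version: '2'
  - !ruby/object:Gem::Dependency
  name: dry-configurable
  requirement: !ruby/object:Gem::Requirement
  requirements:
- - - "~>"
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0.13'
+ - - "<"
+ - !ruby/object:Gem::Version
+ version: '2'
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
  requirements:
- - - "~>"
+ - - ">="
  - !ruby/object:Gem::Version
  version: '0.13'
+ - - "<"
+ - !ruby/object:Gem::Version
+ version: '2'
  - !ruby/object:Gem::Dependency
  name: jwt
  requirement: !ruby/object:Gem::Requirement
@@ -201,6 +213,7 @@ extensions: []
  extra_rdoc_files: []
  files:
  - ".codeclimate.yml"
+ - ".github/FUNDING.yml"
  - ".gitignore"
  - ".rspec"
  - ".rubocop.yml"
@@ -237,7 +250,8 @@ files:
  homepage: https://github.com/waiting-for-dev/warden-jwt_auth
  licenses:
  - MIT
- metadata: {}
+ metadata:
+ rubygems_mfa_required: 'true'
  post_install_message:
  rdoc_options: []
  require_paths:
@@ -253,7 +267,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.1.2
+ rubygems_version: 3.0.3.1
  signing_key:
  specification_version: 4
  summary: JWT authentication for Warden.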