warden-jwt_auth 0.6.0 → 0.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d51f6ca62ae932ecce00a1302bcf89afa9e39a073d64e2e1ed8573b1f35ac887
-  data.tar.gz: c412529d04dcb06a4360accaff043d5a11948ac6acc621f795b0d53087abe360
+  metadata.gz: d1170f1a68adb34c8769b7c202ba91ca706494562205ef9b8ab56956f0d66393
+  data.tar.gz: 9334625e9e7711c76a90c6d22414871402171e317f9825cc3d6e4d3e5ca486fd
 SHA512:
-  metadata.gz: 917659441336dbdd2f7dce8e4e29ac0ed278e7961ab1c6f209eed25e6e8d613b59154c302fd27695a2432c8cc9aa8bd09eca52958132ba96cb0d3590ee6bafa9
-  data.tar.gz: e7acd7d7922d344056f16fc7412bbf2241780dafb573ba550915de60dc371738d63a70acf363778c7bcd38e6e5e38b78f2eb237c5b3d3448616e90e44dc54b26
+  metadata.gz: 6ab3bbcd295d3206006878d307006a7033be2bfa94237f45e607979b8217d5b84222f076700e1893633b9d716b159d5d576183ca9a261a36c0b76f341c8f1d22
+  data.tar.gz: 95619a1fee6709a8aa7eb883af56abf1e7540acde7b3eb690a7b6da142f203cd41bc222af6cac12937ac18f909a5974437cedf7d76f32262f4f6cca275ada89b

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: waiting-for-dev

data/CHANGELOG.md

@@ -4,7 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) 
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [0.6.0] 
+## [0.8.0] - 2023-01-31
+- Add support for secret rotation ([49](https://github.com/waiting-for-dev/warden-jwt_auth/pull/49))
+- Support dry-* v1 ([52](https://github.com/waiting-for-dev/warden-jwt_auth/pull/52))
+
+## [0.7.0] - 2022-09-12
+- Support asymmetric algorithms ([40](https://github.com/waiting-for-dev/warden-jwt_auth/issues/40))
+
+## [0.6.0] - 2021-09-21
 - Support ruby 3.0 and deprecate 2.5
 - Fixed dry-configurable compatibility. ([28](https://github.com/waiting-for-dev/warden-jwt_auth/issues/28))
 

data/README.md

@@ -68,6 +68,16 @@ Warden::JWTAuth.configure do |config|
 end
 ```
 
+If the algorithm is asymmetric (e.g. RS256) and necessitates a different decoding secret than the encoding secret, configure the `decoding_secret` setting as well.
+
+```ruby
+Warden::JWTAuth.configure do |config|
+  config.secret = OpenSSL::PKey::RSA.new(ENV['WARDEN_JWT_PRIVATE_KEY'])
+  config.decoding_secret = OpenSSL::PKey::RSA.new(ENV['WARDEN_JWT_PUBLIC_KEY'])
+  config.algorithm = 'RS256' # or other asymmetric algorithm
+end
+```
+
 ### Warden scopes configuration
 
 You have to map the warden scopes that will be authenticatable through JWT, with the user repositories from where these scope user records can be fetched. If a string is supplied, the user repository will first be looked up as a constant.
@@ -185,6 +195,19 @@ Authentication will be refused if a client requesting to be authenticated throug
 
 **Important:** Be aware that this workflow is not bullet proof. In some scenarios a user can handcraft the request headers, therefore being able to impersonate any client. In such cases you could need something more robust, like an OAuth workflow with client id and client secret.
 
+### Secret rotation
+
+Secret rotation is supported by setting `rotation_secret`. Set the new secret as the `secret` and copy the previous secret to `rotation_secret`
+
+```ruby
+Warden::JWTAuth.configure do |config|
+  config.secret = ENV['WARDEN_JWT_SECRET_KEY']
+  config.rotation_secret = ENV['WARDEN_JWT_SECRET_KEY_ROTATION']
+end
+```
+
+You can remove the `rotation_secret` when you are condifent that large enough user base has the fetched the token encrypted with the new secret.
+
 ## Development
 
 There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:

data/lib/warden/jwt_auth/token_decoder.rb

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 
+require 'jwt/error'
+
 module Warden
   module JWTAuth
     # Decodes a JWT into a hash payload into a JWT token
     class TokenDecoder
-      include JWTAuth::Import['secret', 'algorithm']
+      include JWTAuth::Import['decoding_secret', 'rotation_secret', 'algorithm']
 
       # Decodes the payload from a JWT as a hash
       #
@@ -14,6 +16,14 @@ module Warden
       # @param token [String] a JWT
       # @return [Hash] payload decoded from the JWT
       def call(token)
+        decode(token, decoding_secret)
+      rescue JWT::VerificationError
+        decode(token, rotation_secret)
+      end
+
+      private
+
+      def decode(token, secret)
         JWT.decode(token,
                    secret,
                    true,

data/lib/warden/jwt_auth/version.rb

@@ -2,6 +2,6 @@
 
 module Warden
   module JWTAuth
-    VERSION = '0.6.0'
+    VERSION = '0.8.0'
   end
 end

data/lib/warden/jwt_auth.rb

@@ -41,6 +41,12 @@ module Warden
     # The secret used to encode the token
     setting :secret
 
+    # The old secret used for rotation
+    setting :rotation_secret
+
+    # The secret used to decode the token, defaults to `secret` if not provided
+    setting :decoding_secret, constructor: ->(value) { value || config.secret }
+
     # The algorithm used to encode the token
     setting :algorithm, default: 'HS256'
 

data/warden-jwt_auth.gemspec

@@ -20,8 +20,10 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'dry-auto_inject', '~> 0.8'
-  spec.add_dependency 'dry-configurable', '~> 0.13'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+
+  spec.add_dependency 'dry-auto_inject', '>= 0.8', '< 2'
+  spec.add_dependency 'dry-configurable', '>= 0.13', '< 2'
   spec.add_dependency 'jwt', '~> 2.1'
   spec.add_dependency 'warden', '~> 1.2'
 

metadata

@@ -1,43 +1,55 @@
 --- !ruby/object:Gem::Specification
 name: warden-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.8.0
 platform: ruby
 authors:
 - Marc Busqué
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-09-21 00:00:00.000000000 Z
+date: 2023-01-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-auto_inject
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.8'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: dry-configurable
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.13'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0.13'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -201,6 +213,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".codeclimate.yml"
+- ".github/FUNDING.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
@@ -237,7 +250,8 @@ files:
 homepage: https://github.com/waiting-for-dev/warden-jwt_auth
 licenses:
 - MIT
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -253,7 +267,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: JWT authentication for Warden.