warden-jwt_auth 0.8.0 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d1170f1a68adb34c8769b7c202ba91ca706494562205ef9b8ab56956f0d66393
-  data.tar.gz: 9334625e9e7711c76a90c6d22414871402171e317f9825cc3d6e4d3e5ca486fd
+  metadata.gz: 8cdd3cda879ac9ddadab8420efc9be8bd619ab77542fb77c4b2f6e12c3712da8
+  data.tar.gz: 3d7d716491fc3884503addf8de20efda5a58a005db6eee3b992c9ccde5b4338c
 SHA512:
-  metadata.gz: 6ab3bbcd295d3206006878d307006a7033be2bfa94237f45e607979b8217d5b84222f076700e1893633b9d716b159d5d576183ca9a261a36c0b76f341c8f1d22
-  data.tar.gz: 95619a1fee6709a8aa7eb883af56abf1e7540acde7b3eb690a7b6da142f203cd41bc222af6cac12937ac18f909a5974437cedf7d76f32262f4f6cca275ada89b
+  metadata.gz: f90a107cc3cd30099f1505a15c93e1c4bb8b30df2bbcd069bea112a424cf2ca1e3a37b46da76a78fb48c6a4dc2e313ad03f3511981839bb141e4ae43199c622a
+  data.tar.gz: 2594477d2bef3bf246f9c5da680278ec7f5f1c178bb4f7e431a28cf4feb352e043fa096132050f4211886bb5ec08e27c5ef88aeea5101304e00a59f58e900a53

data/.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+name: CI 
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['3.1', '3.2', '3.3', '3.4', ruby-head]
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # 'bundle install' and cache
+    - name: Run specs 
+      run: |
+        bundle exec rspec

data/.github/workflows/lint.yml

@@ -0,0 +1,17 @@
+name: Lint
+
+on: [push, pull_request]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7 
+        bundler-cache: true # 'bundle install' and cache
+    - name: Run specs 
+      run: |
+        bundle exec rubocop

data/CHANGELOG.md

@@ -4,6 +4,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) 
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.12.0] - 2024-09-14
+- Support jwt v3 ([65](https://github.com/waiting-for-dev/warden-jwt_auth/pull/65))
+
+## [0.11.0] - 2024-12-20
+- Prevent strategy from running when the current path matches a dispatch request ([60](https://github.com/waiting-for-dev/warden-jwt_auth/pull/60))
+
+## [0.10.1] - 2024-12-15
+- Fix version mismatch
+
+## [0.8.0] - 2024-06-28
+- Add support for issue claim ([56](https://github.com/waiting-for-dev/warden-jwt_auth/pull/56))
+
 ## [0.8.0] - 2023-01-31
 - Add support for secret rotation ([49](https://github.com/waiting-for-dev/warden-jwt_auth/pull/49))
 - Support dry-* v1 ([52](https://github.com/waiting-for-dev/warden-jwt_auth/pull/52))

data/README.md

@@ -145,7 +145,7 @@ config.dispatch_requests = [
 
 **Important**: You are encouraged to delimit your regular expression with `^` and `$` to avoid unintentional matches.
 
-Tokens will be returned in the `Authorization` response header, with format `Bearer #{token}`.
+Tokens will be returned in the `Authorization` response header (configurable via `config.token_header`), with format `Bearer #{token}`.
 
 ### Requests authentication
 
@@ -175,14 +175,14 @@ config.revocation_strategies = { user: RevocationStrategy }
 
 The implementation of the revocation strategy is also on your side. They just need to implement two methods: `jwt_revoked?` and `revoke_jwt`, both of them accepting as parameters the JWT payload and the user record, in this order.
 
-You can read about which [JWT recovation strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/) can be implement with their pros and cons.
+You can read about which [JWT recovation strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies) can be implement with their pros and cons.
 
 ```ruby
 module RevocationStrategy
   def self.jwt_revoked?(payload, user)
     # Does something to check whether the JWT token is revoked for given user
   end
-  
+
   def self.revoke_jwt(payload, user)
     # Does something to revoke the JWT token for given user
   end
@@ -208,6 +208,17 @@ end
 
 You can remove the `rotation_secret` when you are condifent that large enough user base has the fetched the token encrypted with the new secret.
 
+### Multiple issuers
+
+When your application handles JWT tokens from multiple sources (e.g. webhooks authenticated via provider JTW tokens) you can configure this gem to use the [issuer claim](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) to only handle tokens it has issued.
+
+```ruby
+Warden::JWTAuth.configure do |config|
+  config.secret = ENV['WARDEN_JWT_SECRET_KEY']
+  config.issuer = 'http://my-application.com'
+end
+```
+
 ## Development
 
 There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:

data/lib/warden/jwt_auth/env_helper.rb

@@ -25,16 +25,17 @@ module Warden
         env['REQUEST_METHOD']
       end
 
-      # Returns HTTP_AUTHORIZATION environment variable
+      # Returns header configured through `token_header` option
       #
       # @param env [Hash] Rack env
       # @return [String]
       def self.authorization_header(env)
-        env['HTTP_AUTHORIZATION']
+        header_env_name = env_name(JWTAuth.config.token_header)
+        env[header_env_name]
       end
 
-      # Returns a copy of `env` with value added to the `HTTP_AUTHORIZATION`
-      # environment variable.
+      # Returns a copy of `env` with value added to the environment variable
+      # configured through `token_header` option
       #
       # Be aware than `env` is not modified in place and still an updated copy
       # is returned.
@@ -44,7 +45,8 @@ module Warden
       # @return [Hash] modified rack env
       def self.set_authorization_header(env, value)
         env = env.dup
-        env['HTTP_AUTHORIZATION'] = value
+        header_env_name = env_name(JWTAuth.config.token_header)
+        env[header_env_name] = value
         env
       end
 
@@ -53,8 +55,16 @@ module Warden
       # @param env [Hash] Rack env
       # @return [String]
       def self.aud_header(env)
-        env_name = ('HTTP_' + JWTAuth.config.aud_header.upcase).tr('-', '_')
-        env[env_name]
+        header_env_name = env_name(JWTAuth.config.aud_header)
+        env[header_env_name]
+      end
+
+      # Returns the ENV name for a given header
+      #
+      # @param header [String] Header name
+      # @return [String]
+      def self.env_name(header)
+        ('HTTP_' + header.upcase).tr('-', '_')
       end
     end
   end

data/lib/warden/jwt_auth/header_parser.rb

@@ -21,8 +21,8 @@ module Warden
         method == METHOD ? token : nil
       end
 
-      # Returns a copy of `env` with token added to the `HTTP_AUTHORIZATION`
-      # header. Be aware than `env` is not modified in place.
+      # Returns a copy of `env` with token added to the header configured through
+      # `token_header` option. Be aware than `env` is not modified in place.
       #
       # @param env [Hash] rack env hash
       # @param token [String] JWT token
@@ -39,7 +39,7 @@ module Warden
       # @return [Hash] response headers with the token added
       def self.to_headers(headers, token)
         headers = headers.dup
-        headers['Authorization'] = "#{METHOD} #{token}"
+        headers[JWTAuth.config.token_header] = "#{METHOD} #{token}"
         headers
       end
     end

data/lib/warden/jwt_auth/hooks.rb

@@ -47,8 +47,7 @@ module Warden
       end
 
       def request_matches?(path_info, method)
-        dispatch_requests.each do |tuple|
-          dispatch_method, dispatch_path = tuple
+        dispatch_requests.each do |(dispatch_method, dispatch_path)|
           return true if path_info.match(dispatch_path) &&
                          method == dispatch_method
         end

data/lib/warden/jwt_auth/payload_user_helper.rb

@@ -29,6 +29,14 @@ module Warden
         payload['aud'] == aud
       end
 
+      # Returns whether given issuer matches with the one encoded in the payload
+      # @param payload [Hash] JWT payload
+      # @param issuer [String] The issuer to match
+      # @return [Boolean]
+      def self.issuer_matches?(payload, issuer)
+        payload['iss'] == issuer.to_s
+      end
+
       # Returns the payload to encode for a given user in a scope
       #
       # @param user [Interfaces::User] an user, whatever it is

data/lib/warden/jwt_auth/strategy.rb

@@ -7,8 +7,10 @@ module Warden
     # Warden strategy to authenticate an user through a JWT token in the
     # `Authorization` request header
     class Strategy < Warden::Strategies::Base
+      include JWTAuth::Import['dispatch_requests']
+
       def valid?
-        !token.nil?
+        token_exists? && issuer_claim_valid? && !path_is_dispatch_request_path?
       end
 
       def store?
@@ -25,6 +27,28 @@ module Warden
 
       private
 
+      def path_is_dispatch_request_path?
+        current_path = EnvHelper.path_info(env)
+        request_method = EnvHelper.request_method(env)
+        dispatch_requests.any? do |(dispatch_method, dispatch_path)|
+          request_method == dispatch_method && current_path.match(dispatch_path)
+        end
+      end
+
+      def issuer_claim_valid?
+        configured_issuer = Warden::JWTAuth.config.issuer
+        return true if configured_issuer.nil?
+
+        payload = TokenDecoder.new.call(token)
+        PayloadUserHelper.issuer_matches?(payload, configured_issuer)
+      rescue JWT::DecodeError
+        true
+      end
+
+      def token_exists?
+        !token.nil?
+      end
+
       def token
         @token ||= HeaderParser.from_env(env)
       end

data/lib/warden/jwt_auth/token_encoder.rb

@@ -7,7 +7,7 @@ module Warden
     # Encodes a payload into a JWT token, adding some configurable
     # claims
     class TokenEncoder
-      include JWTAuth::Import['secret', 'algorithm', 'expiration_time']
+      include JWTAuth::Import['secret', 'algorithm', 'expiration_time', 'issuer']
 
       # Encodes a payload into a JWT
       #
@@ -24,6 +24,7 @@ module Warden
         now = Time.now.to_i
         payload['iat'] ||= now
         payload['exp'] ||= now + expiration_time
+        payload['iss'] ||= issuer if issuer
         payload['jti'] ||= SecureRandom.uuid
         payload
       end

data/lib/warden/jwt_auth/version.rb

@@ -2,6 +2,6 @@
 
 module Warden
   module JWTAuth
-    VERSION = '0.8.0'
+    VERSION = '0.12.0'
   end
 end

data/lib/warden/jwt_auth.rb

@@ -19,6 +19,8 @@ module Warden
   module JWTAuth
     extend Dry::Configurable
 
+    module_function
+
     def symbolize_keys(hash)
       hash.transform_keys(&:to_sym)
     end
@@ -36,8 +38,6 @@ module Warden
       end
     end
 
-    module_function :constantize_values, :symbolize_keys, :upcase_first_items
-
     # The secret used to encode the token
     setting :secret
 
@@ -53,6 +53,16 @@ module Warden
     # Expiration time for tokens
     setting :expiration_time, default: 3600
 
+    # Request header that will be used for receiving and returning the token.
+    setting :token_header, default: 'Authorization'
+
+    # The issuer claims associated with the tokens
+    #
+    # Will be used to only apply the warden strategy when the issuer matches.
+    # This allows for multiple token issuers being used.
+    # @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
+    setting :issuer, default: nil
+
     # Request header which value will be encoded as `aud` claim in JWT. If
     # the header is not present `aud` will be `nil`.
     setting :aud_header, default: 'JWT_AUD'

data/warden-jwt_auth.gemspec

@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'dry-auto_inject', '>= 0.8', '< 2'
   spec.add_dependency 'dry-configurable', '>= 0.13', '< 2'
-  spec.add_dependency 'jwt', '~> 2.1'
+  spec.add_dependency 'jwt', '>= 2.1', '< 4'
   spec.add_dependency 'warden', '~> 1.2'
 
   spec.add_development_dependency 'bundler'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: warden-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.12.0
 platform: ruby
 authors:
 - Marc Busqué
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-01-31 00:00:00.000000000 Z
+date: 2025-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-auto_inject
@@ -54,16 +54,22 @@ dependencies:
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: warden
   requirement: !ruby/object:Gem::Requirement
@@ -214,10 +220,11 @@ extra_rdoc_files: []
 files:
 - ".codeclimate.yml"
 - ".github/FUNDING.yml"
+- ".github/workflows/ci.yml"
+- ".github/workflows/lint.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Dockerfile
@@ -252,7 +259,7 @@ licenses:
 - MIT
 metadata:
   rubygems_mfa_required: 'true'
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -267,8 +274,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.5.9
+signing_key:
 specification_version: 4
 summary: JWT authentication for Warden.
 test_files: []

data/.travis.yml

@@ -1,21 +0,0 @@
-language: ruby
-cache: bundler
-rvm:
-  - 2.6
-  - 2.7
-  - 3.0
-  - ruby-head
-before_install:
-  - gem update --system --no-doc
-  - gem install bundler
-script:
-  - bundle exec rspec
-  - bundle exec rubocop
-  - bundle exec codeclimate-test-reporter
-jobs:
-  allow_failures:
-    - rvm: ruby-head
-addons:
-  code_climate:
-    repo_token:
-      secure: neJ5LVLV6vgeCnerSQjUpLuQDvxEH87iW8swCSWl2hTtPcD/GuwYSeSXnhH72HVHi/9basHHhaYPcE2YeBwBCr39PhiHMNwS5GGGk/RGjKpU/Gt1KXV8KXTbNGT4v+ZMM3cdsdDfe8OnzGguNVsdxseHa3KE2pyuvo2a0swXwKa7BU9VB/3ZoZvvfI3Xr9im4eklWam5yCwVR0FOF7epzmNTKMXcUga2BOc9PV5aVELzLILLCHCJSCupe5Rx8mfcsRoRmZXKduF8Ke3eq8eULvLEo4EGfC107najOqrKt7x8uDVIsuGrP4LUQ4ainmNEb2jIvpjuqAxpusMjhpjCINF1Tn0OXK93OXAp4QKeIYoYEqKtzRxX0TWFNWHB8ombF9HTMF2DmloDZyFRiI40JSMImU0hc4MDxRgiTW5MDWGbohDaJ+9VV6+rIqtlEfLhgj1grFBAroaJce9BB7RQEmfsZPzhC2VXwGxHw/YkJgzBNGq1/9E1DoTY9RPSNTQfSRodhI3XW8LSQSHTBeXZvymVcjeOyYgjzJYviLHR8QS4cXpUALtlFXyaMkPHUBLUn8XsBa5Azfh5y3qPMGiJq1/qaHA4mKj5ls+ngFbzOq82sYGAKgQHj/ZDb+FZMQQanp4jyWADKcpXcmINb9jEQwkU0bjpuhUYtghASxH1Kl8=