warden-jwt_auth 0.8.0 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/README.md +12 -1
- data/lib/warden/jwt_auth/payload_user_helper.rb +8 -0
- data/lib/warden/jwt_auth/strategy.rb +15 -1
- data/lib/warden/jwt_auth/token_encoder.rb +2 -1
- data/lib/warden/jwt_auth/version.rb +1 -1
- data/lib/warden/jwt_auth.rb +7 -0
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 639d91603d4e369d3d94c0dadc24816c08019ebdfef3c093fc9b8cd79a5d6bd3
|
|
4
|
+
data.tar.gz: 39f9a053ed2af021eed742b94aa3e2360481c5120d8690085d40773470ec21e2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 727924aa4f6c6a993548c397e108bdb43b281047928aeaf8dcbe0a291784aa4bc4e2f25804b36a7d5549cb858e3006ba7997b0ec6d3dc762196586fe282aeedb
|
|
7
|
+
data.tar.gz: 9152d951c19f477c23cde9e0e1b5437f8b33821e39825e355a1edfedf14ce3f7b14ea5798e0b1ae23ffb274892c58287dbdab1d06f38c49393f23a9007006f53
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
|
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/)
|
|
5
5
|
and this project adheres to [Semantic Versioning](http://semver.org/).
|
|
6
6
|
|
|
7
|
+
## [0.8.0] - 2024-06-28
|
|
8
|
+
- Add support for issue claim ([56](https://github.com/waiting-for-dev/warden-jwt_auth/pull/56))
|
|
9
|
+
|
|
7
10
|
## [0.8.0] - 2023-01-31
|
|
8
11
|
- Add support for secret rotation ([49](https://github.com/waiting-for-dev/warden-jwt_auth/pull/49))
|
|
9
12
|
- Support dry-* v1 ([52](https://github.com/waiting-for-dev/warden-jwt_auth/pull/52))
|
data/README.md
CHANGED
|
@@ -182,7 +182,7 @@ module RevocationStrategy
|
|
|
182
182
|
def self.jwt_revoked?(payload, user)
|
|
183
183
|
# Does something to check whether the JWT token is revoked for given user
|
|
184
184
|
end
|
|
185
|
-
|
|
185
|
+
|
|
186
186
|
def self.revoke_jwt(payload, user)
|
|
187
187
|
# Does something to revoke the JWT token for given user
|
|
188
188
|
end
|
|
@@ -208,6 +208,17 @@ end
|
|
|
208
208
|
|
|
209
209
|
You can remove the `rotation_secret` when you are condifent that large enough user base has the fetched the token encrypted with the new secret.
|
|
210
210
|
|
|
211
|
+
### Multiple issuers
|
|
212
|
+
|
|
213
|
+
When your application handles JWT tokens from multiple sources (e.g. webhooks authenticated via provider JTW tokens) you can configure this gem to use the [issuer claim](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) to only handle tokens it has issued.
|
|
214
|
+
|
|
215
|
+
```ruby
|
|
216
|
+
Warden::JWTAuth.configure do |config|
|
|
217
|
+
config.secret = ENV['WARDEN_JWT_SECRET_KEY']
|
|
218
|
+
config.issuer = 'http://my-application.com'
|
|
219
|
+
end
|
|
220
|
+
```
|
|
221
|
+
|
|
211
222
|
## Development
|
|
212
223
|
|
|
213
224
|
There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:
|
|
@@ -29,6 +29,14 @@ module Warden
|
|
|
29
29
|
payload['aud'] == aud
|
|
30
30
|
end
|
|
31
31
|
|
|
32
|
+
# Returns whether given issuer matches with the one encoded in the payload
|
|
33
|
+
# @param payload [Hash] JWT payload
|
|
34
|
+
# @param issuer [String] The issuer to match
|
|
35
|
+
# @return [Boolean]
|
|
36
|
+
def self.issuer_matches?(payload, issuer)
|
|
37
|
+
payload['iss'] == issuer.to_s
|
|
38
|
+
end
|
|
39
|
+
|
|
32
40
|
# Returns the payload to encode for a given user in a scope
|
|
33
41
|
#
|
|
34
42
|
# @param user [Interfaces::User] an user, whatever it is
|
|
@@ -8,7 +8,7 @@ module Warden
|
|
|
8
8
|
# `Authorization` request header
|
|
9
9
|
class Strategy < Warden::Strategies::Base
|
|
10
10
|
def valid?
|
|
11
|
-
|
|
11
|
+
token_exists? && issuer_claim_valid?
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def store?
|
|
@@ -25,6 +25,20 @@ module Warden
|
|
|
25
25
|
|
|
26
26
|
private
|
|
27
27
|
|
|
28
|
+
def issuer_claim_valid?
|
|
29
|
+
configured_issuer = Warden::JWTAuth.config.issuer
|
|
30
|
+
return true if configured_issuer.nil?
|
|
31
|
+
|
|
32
|
+
payload = TokenDecoder.new.call(token)
|
|
33
|
+
PayloadUserHelper.issuer_matches?(payload, configured_issuer)
|
|
34
|
+
rescue JWT::DecodeError
|
|
35
|
+
true
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def token_exists?
|
|
39
|
+
!token.nil?
|
|
40
|
+
end
|
|
41
|
+
|
|
28
42
|
def token
|
|
29
43
|
@token ||= HeaderParser.from_env(env)
|
|
30
44
|
end
|
|
@@ -7,7 +7,7 @@ module Warden
|
|
|
7
7
|
# Encodes a payload into a JWT token, adding some configurable
|
|
8
8
|
# claims
|
|
9
9
|
class TokenEncoder
|
|
10
|
-
include JWTAuth::Import['secret', 'algorithm', 'expiration_time']
|
|
10
|
+
include JWTAuth::Import['secret', 'algorithm', 'expiration_time', 'issuer']
|
|
11
11
|
|
|
12
12
|
# Encodes a payload into a JWT
|
|
13
13
|
#
|
|
@@ -24,6 +24,7 @@ module Warden
|
|
|
24
24
|
now = Time.now.to_i
|
|
25
25
|
payload['iat'] ||= now
|
|
26
26
|
payload['exp'] ||= now + expiration_time
|
|
27
|
+
payload['iss'] ||= issuer if issuer
|
|
27
28
|
payload['jti'] ||= SecureRandom.uuid
|
|
28
29
|
payload
|
|
29
30
|
end
|
data/lib/warden/jwt_auth.rb
CHANGED
|
@@ -53,6 +53,13 @@ module Warden
|
|
|
53
53
|
# Expiration time for tokens
|
|
54
54
|
setting :expiration_time, default: 3600
|
|
55
55
|
|
|
56
|
+
# The issuer claims associated with the tokens
|
|
57
|
+
#
|
|
58
|
+
# Will be used to only apply the warden strategy when the issuer matches.
|
|
59
|
+
# This allows for multiple token issuers being used.
|
|
60
|
+
# @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
|
|
61
|
+
setting :issuer, default: nil
|
|
62
|
+
|
|
56
63
|
# Request header which value will be encoded as `aud` claim in JWT. If
|
|
57
64
|
# the header is not present `aud` will be `nil`.
|
|
58
65
|
setting :aud_header, default: 'JWT_AUD'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: warden-jwt_auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.9.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Marc Busqué
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-06-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dry-auto_inject
|
|
@@ -252,7 +252,7 @@ licenses:
|
|
|
252
252
|
- MIT
|
|
253
253
|
metadata:
|
|
254
254
|
rubygems_mfa_required: 'true'
|
|
255
|
-
post_install_message:
|
|
255
|
+
post_install_message:
|
|
256
256
|
rdoc_options: []
|
|
257
257
|
require_paths:
|
|
258
258
|
- lib
|
|
@@ -267,8 +267,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
267
267
|
- !ruby/object:Gem::Version
|
|
268
268
|
version: '0'
|
|
269
269
|
requirements: []
|
|
270
|
-
rubygems_version: 3.
|
|
271
|
-
signing_key:
|
|
270
|
+
rubygems_version: 3.5.9
|
|
271
|
+
signing_key:
|
|
272
272
|
specification_version: 4
|
|
273
273
|
summary: JWT authentication for Warden.
|
|
274
274
|
test_files: []
|