warden-jwt_auth 0.8.0 → 0.9.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/README.md +12 -1
- data/lib/warden/jwt_auth/payload_user_helper.rb +8 -0
- data/lib/warden/jwt_auth/strategy.rb +15 -1
- data/lib/warden/jwt_auth/token_encoder.rb +2 -1
- data/lib/warden/jwt_auth/version.rb +1 -1
- data/lib/warden/jwt_auth.rb +7 -0
- metadata +6 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 639d91603d4e369d3d94c0dadc24816c08019ebdfef3c093fc9b8cd79a5d6bd3
|
|
4
|
+
data.tar.gz: 39f9a053ed2af021eed742b94aa3e2360481c5120d8690085d40773470ec21e2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 727924aa4f6c6a993548c397e108bdb43b281047928aeaf8dcbe0a291784aa4bc4e2f25804b36a7d5549cb858e3006ba7997b0ec6d3dc762196586fe282aeedb
|
|
7
|
+
data.tar.gz: 9152d951c19f477c23cde9e0e1b5437f8b33821e39825e355a1edfedf14ce3f7b14ea5798e0b1ae23ffb274892c58287dbdab1d06f38c49393f23a9007006f53
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
|
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/)
|
|
5
5
|
and this project adheres to [Semantic Versioning](http://semver.org/).
|
|
6
6
|
|
|
7
|
+
## [0.8.0] - 2024-06-28
|
|
8
|
+
- Add support for issue claim ([56](https://github.com/waiting-for-dev/warden-jwt_auth/pull/56))
|
|
9
|
+
|
|
7
10
|
## [0.8.0] - 2023-01-31
|
|
8
11
|
- Add support for secret rotation ([49](https://github.com/waiting-for-dev/warden-jwt_auth/pull/49))
|
|
9
12
|
- Support dry-* v1 ([52](https://github.com/waiting-for-dev/warden-jwt_auth/pull/52))
|
data/README.md
CHANGED
|
@@ -182,7 +182,7 @@ module RevocationStrategy
|
|
|
182
182
|
def self.jwt_revoked?(payload, user)
|
|
183
183
|
# Does something to check whether the JWT token is revoked for given user
|
|
184
184
|
end
|
|
185
|
-
|
|
185
|
+
|
|
186
186
|
def self.revoke_jwt(payload, user)
|
|
187
187
|
# Does something to revoke the JWT token for given user
|
|
188
188
|
end
|
|
@@ -208,6 +208,17 @@ end
|
|
|
208
208
|
|
|
209
209
|
You can remove the `rotation_secret` when you are condifent that large enough user base has the fetched the token encrypted with the new secret.
|
|
210
210
|
|
|
211
|
+
### Multiple issuers
|
|
212
|
+
|
|
213
|
+
When your application handles JWT tokens from multiple sources (e.g. webhooks authenticated via provider JTW tokens) you can configure this gem to use the [issuer claim](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) to only handle tokens it has issued.
|
|
214
|
+
|
|
215
|
+
```ruby
|
|
216
|
+
Warden::JWTAuth.configure do |config|
|
|
217
|
+
config.secret = ENV['WARDEN_JWT_SECRET_KEY']
|
|
218
|
+
config.issuer = 'http://my-application.com'
|
|
219
|
+
end
|
|
220
|
+
```
|
|
221
|
+
|
|
211
222
|
## Development
|
|
212
223
|
|
|
213
224
|
There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:
|
|
@@ -29,6 +29,14 @@ module Warden
|
|
|
29
29
|
payload['aud'] == aud
|
|
30
30
|
end
|
|
31
31
|
|
|
32
|
+
# Returns whether given issuer matches with the one encoded in the payload
|
|
33
|
+
# @param payload [Hash] JWT payload
|
|
34
|
+
# @param issuer [String] The issuer to match
|
|
35
|
+
# @return [Boolean]
|
|
36
|
+
def self.issuer_matches?(payload, issuer)
|
|
37
|
+
payload['iss'] == issuer.to_s
|
|
38
|
+
end
|
|
39
|
+
|
|
32
40
|
# Returns the payload to encode for a given user in a scope
|
|
33
41
|
#
|
|
34
42
|
# @param user [Interfaces::User] an user, whatever it is
|
|
@@ -8,7 +8,7 @@ module Warden
|
|
|
8
8
|
# `Authorization` request header
|
|
9
9
|
class Strategy < Warden::Strategies::Base
|
|
10
10
|
def valid?
|
|
11
|
-
|
|
11
|
+
token_exists? && issuer_claim_valid?
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def store?
|
|
@@ -25,6 +25,20 @@ module Warden
|
|
|
25
25
|
|
|
26
26
|
private
|
|
27
27
|
|
|
28
|
+
def issuer_claim_valid?
|
|
29
|
+
configured_issuer = Warden::JWTAuth.config.issuer
|
|
30
|
+
return true if configured_issuer.nil?
|
|
31
|
+
|
|
32
|
+
payload = TokenDecoder.new.call(token)
|
|
33
|
+
PayloadUserHelper.issuer_matches?(payload, configured_issuer)
|
|
34
|
+
rescue JWT::DecodeError
|
|
35
|
+
true
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def token_exists?
|
|
39
|
+
!token.nil?
|
|
40
|
+
end
|
|
41
|
+
|
|
28
42
|
def token
|
|
29
43
|
@token ||= HeaderParser.from_env(env)
|
|
30
44
|
end
|
|
@@ -7,7 +7,7 @@ module Warden
|
|
|
7
7
|
# Encodes a payload into a JWT token, adding some configurable
|
|
8
8
|
# claims
|
|
9
9
|
class TokenEncoder
|
|
10
|
-
include JWTAuth::Import['secret', 'algorithm', 'expiration_time']
|
|
10
|
+
include JWTAuth::Import['secret', 'algorithm', 'expiration_time', 'issuer']
|
|
11
11
|
|
|
12
12
|
# Encodes a payload into a JWT
|
|
13
13
|
#
|
|
@@ -24,6 +24,7 @@ module Warden
|
|
|
24
24
|
now = Time.now.to_i
|
|
25
25
|
payload['iat'] ||= now
|
|
26
26
|
payload['exp'] ||= now + expiration_time
|
|
27
|
+
payload['iss'] ||= issuer if issuer
|
|
27
28
|
payload['jti'] ||= SecureRandom.uuid
|
|
28
29
|
payload
|
|
29
30
|
end
|
data/lib/warden/jwt_auth.rb
CHANGED
|
@@ -53,6 +53,13 @@ module Warden
|
|
|
53
53
|
# Expiration time for tokens
|
|
54
54
|
setting :expiration_time, default: 3600
|
|
55
55
|
|
|
56
|
+
# The issuer claims associated with the tokens
|
|
57
|
+
#
|
|
58
|
+
# Will be used to only apply the warden strategy when the issuer matches.
|
|
59
|
+
# This allows for multiple token issuers being used.
|
|
60
|
+
# @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
|
|
61
|
+
setting :issuer, default: nil
|
|
62
|
+
|
|
56
63
|
# Request header which value will be encoded as `aud` claim in JWT. If
|
|
57
64
|
# the header is not present `aud` will be `nil`.
|
|
58
65
|
setting :aud_header, default: 'JWT_AUD'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: warden-jwt_auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.9.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Marc Busqué
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-06-28 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dry-auto_inject
|
|
@@ -252,7 +252,7 @@ licenses:
|
|
|
252
252
|
- MIT
|
|
253
253
|
metadata:
|
|
254
254
|
rubygems_mfa_required: 'true'
|
|
255
|
-
post_install_message:
|
|
255
|
+
post_install_message:
|
|
256
256
|
rdoc_options: []
|
|
257
257
|
require_paths:
|
|
258
258
|
- lib
|
|
@@ -267,8 +267,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
267
267
|
- !ruby/object:Gem::Version
|
|
268
268
|
version: '0'
|
|
269
269
|
requirements: []
|
|
270
|
-
rubygems_version: 3.
|
|
271
|
-
signing_key:
|
|
270
|
+
rubygems_version: 3.5.9
|
|
271
|
+
signing_key:
|
|
272
272
|
specification_version: 4
|
|
273
273
|
summary: JWT authentication for Warden.
|
|
274
274
|
test_files: []
|