warden-jwt_auth 0.8.0 → 0.9.0

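--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: d1170f1a68adb34c8769b7c202ba91ca706494562205ef9b8ab56956f0d66393
-data.tar.gz: 9334625e9e7711c76a90c6d22414871402171e317f9825cc3d6e4d3e5ca486fd
+metadata.gz: 639d91603d4e369d3d94c0dadc24816c08019ebdfef3c093fc9b8cd79a5d6bd3
+data.tar.gz: 39f9a053ed2af021eed742b94aa3e2360481c5120d8690085d40773470ec21e2
 SHA512:
-metadata.gz: 6ab3bbcd295d3206006878d307006a7033be2bfa94237f45e607979b8217d5b84222f076700e1893633b9d716b159d5d576183ca9a261a36c0b76f341c8f1d22
-data.tar.gz: 95619a1fee6709a8aa7eb883af56abf1e7540acde7b3eb690a7b6da142f203cd41bc222af6cac12937ac18f909a5974437cedf7d76f32262f4f6cca275ada89b
+metadata.gz: 727924aa4f6c6a993548c397e108bdb43b281047928aeaf8dcbe0a291784aa4bc4e2f25804b36a7d5549cb858e3006ba7997b0ec6d3dc762196586fe282aeedb
+data.tar.gz: 9152d951c19f477c23cde9e0e1b5437f8b33821e39825e355a1edfedf14ce3f7b14ea5798e0b1ae23ffb274892c58287dbdab1d06f38c49393f23a9007006f53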
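--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.8.0] - 2024-06-28
+- Add support for issue claim ([56](https://github.com/waiting-for-dev/warden-jwt_auth/pull/56))
+
 ## [0.8.0] - 2023-01-31
 - Add support for secret rotation ([49](https://github.com/waiting-for-dev/warden-jwt_auth/pull/49))
 - Support dry-* v1 ([52](https://github.com/waiting-for-dev/warden-jwt_auth/pull/52))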
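--- a/data/README.md
+++ b/data/README.md
@@ -182,7 +182,7 @@ module RevocationStrategy
 def self.jwt_revoked?(payload, user)
 # Does something to check whether the JWT token is revoked for given user
 end
-
+
 def self.revoke_jwt(payload, user)
 # Does something to revoke the JWT token for given user
 end
@@ -208,6 +208,17 @@ end
 
 You can remove the `rotation_secret` when you are condifent that large enough user base has the fetched the token encrypted with the new secret.
 
+### Multiple issuers
+
+When your application handles JWT tokens from multiple sources (e.g. webhooks authenticated via provider JTW tokens) you can configure this gem to use the [issuer claim](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1) to only handle tokens it has issued.
+
+```ruby
+Warden::JWTAuth.configure do |config|
+config.secret = ENV['WARDEN_JWT_SECRET_KEY']
+config.issuer = 'http://my-application.com'
+end
+```
+
 ## Development
 
 There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run: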
@@ -29,6 +29,14 @@ module Warden
29
29
  payload['aud'] == aud
30
30
  end
31
31
 
32
+ # Returns whether given issuer matches with the one encoded in the payload
33
+ # @param payload [Hash] JWT payload
34
+ # @param issuer [String] The issuer to match
35
+ # @return [Boolean]
36
+ def self.issuer_matches?(payload, issuer)
37
+ payload['iss'] == issuer.to_s
38
+ end
39
+
32
40
  # Returns the payload to encode for a given user in a scope
33
41
  #
34
42
  # @param user [Interfaces::User] an user, whatever it is
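Review bot: `issuer_matches?` coerces only the configured side (`issuer.to_s`) and then uses plain `==` against the raw `payload['iss']`, so the result is an exact, case-sensitive string equality — the right semantics for `iss`, which RFC 7519 §4.1.1 defines as a case-sensitive StringOrURI — but the `@param issuer [String]` tag hides that non-String issuers are accepted and that a payload carrying no `iss` at all (nil) can never match. I would make that contract explicit in the YARD block: `# @param issuer [#to_s] expected issuer; compared as an exact, case-sensitive string (RFC 7519 §4.1.1)` and `# @return [Boolean] false when the payload has no iss claim`. Callers that still see tokens minted before an issuer was configured should expect the latter case.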
@@ -8,7 +8,7 @@ module Warden
8
8
  # `Authorization` request header
9
9
  class Strategy < Warden::Strategies::Base
10
10
  def valid?
11
- !token.nil?
11
+ token_exists? && issuer_claim_valid?
12
12
  end
13
13
 
14
14
  def store?
@@ -25,6 +25,20 @@ module Warden
25
25
 
26
26
  private
27
27
 
28
+ def issuer_claim_valid?
29
+ configured_issuer = Warden::JWTAuth.config.issuer
30
+ return true if configured_issuer.nil?
31
+
32
+ payload = TokenDecoder.new.call(token)
33
+ PayloadUserHelper.issuer_matches?(payload, configured_issuer)
34
+ rescue JWT::DecodeError
35
+ true
36
+ end
37
+
38
+ def token_exists?
39
+ !token.nil?
40
+ end
41
+
28
42
  def token
29
43
  @token ||= HeaderParser.from_env(env)
30
44
  end
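Review bot: `issuer_claim_valid?` runs a full `TokenDecoder.new.call(token)` only to read `iss`, and `authenticate!` (outside this hunk) presumably decodes the same token again, so each request now pays for signature verification twice; memoising the decoded payload (`@payload ||= TokenDecoder.new.call(token)`) and reusing it from `authenticate!` would avoid the duplicate work. The `rescue JWT::DecodeError` → `true` branch needs a comment because it reads like fail-open at first glance: an undecodable or expired token keeps the strategy valid so that `authenticate!` rejects it, instead of silently handing the request to the next strategy — `# Keep undecodable tokens for authenticate! to reject; returning false would silently skip them`. It is also worth stating that the issuer check here is a routing decision, not verification: nothing in this diff changes `TokenDecoder` to verify `iss`, so code that decodes tokens without going through `valid?` would get no issuer enforcement (the decoder is not visible here, so please confirm).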
@@ -7,7 +7,7 @@ module Warden
7
7
  # Encodes a payload into a JWT token, adding some configurable
8
8
  # claims
9
9
  class TokenEncoder
10
- include JWTAuth::Import['secret', 'algorithm', 'expiration_time']
10
+ include JWTAuth::Import['secret', 'algorithm', 'expiration_time', 'issuer']
11
11
 
12
12
  # Encodes a payload into a JWT
13
13
  #
@@ -24,6 +24,7 @@ module Warden
24
24
  now = Time.now.to_i
25
25
  payload['iat'] ||= now
26
26
  payload['exp'] ||= now + expiration_time
27
+ payload['iss'] ||= issuer if issuer
27
28
  payload['jti'] ||= SecureRandom.uuid
28
29
  payload
29
30
  end
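Review bot: `payload['iss'] ||= issuer if issuer` stamps the configured object as-is, while the strategy compares the decoded claim against `issuer.to_s`; for a String the two agree, but for any other object you are relying on the JSON encoder serialising it exactly as `to_s` would, so `payload['iss'] ||= issuer.to_s if issuer` keeps both sides symmetric. The `||=` also lets a caller-supplied `iss` win over the configured one, which is consistent with the other `||=` claims in this method but means such a token will not match this application's own strategy — a one-line comment would save someone a debugging session: `# A caller-provided iss is preserved; such tokens will not match config.issuer on verification`. The start of `call` and its signature lie outside this hunk.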
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Warden
4
4
  module JWTAuth
5
- VERSION = '0.8.0'
5
+ VERSION = '0.9.0'
6
6
  end
7
7
  end
@@ -53,6 +53,13 @@ module Warden
53
53
  # Expiration time for tokens
54
54
  setting :expiration_time, default: 3600
55
55
 
56
+ # The issuer claims associated with the tokens
57
+ #
58
+ # Will be used to only apply the warden strategy when the issuer matches.
59
+ # This allows for multiple token issuers being used.
60
+ # @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
61
+ setting :issuer, default: nil
62
+
56
63
  # Request header which value will be encoded as `aud` claim in JWT. If
57
64
  # the header is not present `aud` will be `nil`.
58
65
  setting :aud_header, default: 'JWT_AUD'
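Review bot: The comment on the new `issuer` setting should spell out the migration effect that follows from the strategy change: once `issuer` is set, any token without an `iss` claim — including every token this application issued before the setting was enabled — no longer matches, so the strategy reports itself as not `valid?` and is skipped rather than rejected, which surfaces as users being silently logged out instead of as an error. I would also fix the grammar ("issuer claims") and state how the value is compared, e.g. `# Issuer (iss) claim stamped into every token this application encodes; nil disables the check.`, `# When set, the strategy only handles tokens whose iss equals this value exactly (case-sensitive);`, `# tokens without an iss (e.g. issued before this was configured) are skipped, not rejected.`.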
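--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: warden-jwt_auth
 version: !ruby/object:Gem::Version
-version: 0.8.0
+version: 0.9.0
 platform: ruby
 authors:
 - Marc Busqué
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-01-31 00:00:00.000000000 Z
+date: 2024-06-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: dry-auto_inject
@@ -252,7 +252,7 @@ licenses:
 - MIT
 metadata:
 rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -267,8 +267,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key:
+rubygems_version: 3.5.9
+signing_key:
 specification_version: 4
 summary: JWT authentication for Warden.
 test_files: []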