warden-jwt_auth 0.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.codeclimate.yml +17 -0
- data/.gitignore +10 -0
- data/.overcommit.yml +53 -0
- data/.overcommit_gems.rb +15 -0
- data/.reek +0 -0
- data/.rspec +2 -0
- data/.rubocop.yml +10 -0
- data/.travis.yml +21 -0
- data/CODE_OF_CONDUCT.md +49 -0
- data/Dockerfile +8 -0
- data/Gemfile +6 -0
- data/LICENSE.txt +21 -0
- data/README.md +187 -0
- data/Rakefile +8 -0
- data/bin/console +16 -0
- data/bin/setup +8 -0
- data/docker-compose.yml +7 -0
- data/lib/warden/jwt_auth.rb +101 -0
- data/lib/warden/jwt_auth/errors.rb +17 -0
- data/lib/warden/jwt_auth/header_parser.rb +48 -0
- data/lib/warden/jwt_auth/hooks.rb +55 -0
- data/lib/warden/jwt_auth/interfaces.rb +57 -0
- data/lib/warden/jwt_auth/middleware.rb +27 -0
- data/lib/warden/jwt_auth/middleware/revocation_manager.rb +46 -0
- data/lib/warden/jwt_auth/middleware/token_dispatcher.rb +35 -0
- data/lib/warden/jwt_auth/payload_user_helper.rb +39 -0
- data/lib/warden/jwt_auth/strategy.rb +37 -0
- data/lib/warden/jwt_auth/token_decoder.rb +22 -0
- data/lib/warden/jwt_auth/token_encoder.rb +34 -0
- data/lib/warden/jwt_auth/token_revoker.rb +20 -0
- data/lib/warden/jwt_auth/user_decoder.rb +45 -0
- data/lib/warden/jwt_auth/user_encoder.rb +29 -0
- data/lib/warden/jwt_auth/version.rb +7 -0
- data/warden-jwt_auth.gemspec +35 -0
- metadata +233 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 94613bf0dc1c95f06be0cf8c4bc38b0a0f67b45f
|
4
|
+
data.tar.gz: 7872eb474f7ca7b3c4b2c015c3d442aadd16df46
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 8ece658df524ab614cd752b0c0b317221aeffe32600a3a40e5c419ffaf89c510afb7d38fac056264ba96482a78a50369d7e6a163aed697a5db49588188209b7c
|
7
|
+
data.tar.gz: cd03343d7e9f303e3021ddf17601408b92fae71ae0b622ef5b60e0b959c2b132ded512429596ab516c4f3ffd7622d93471d31fc6d26634a95881d1542647894e
|
data/.codeclimate.yml
ADDED
data/.gitignore
ADDED
data/.overcommit.yml
ADDED
@@ -0,0 +1,53 @@
|
|
1
|
+
#
|
2
|
+
# Select version of overcommit and the other tools from Gemfile
|
3
|
+
#
|
4
|
+
gemfile: .overcommit_gems.rb
|
5
|
+
|
6
|
+
#
|
7
|
+
# Hooks that are run against every commit message after a user has written it.
|
8
|
+
#
|
9
|
+
CommitMsg:
|
10
|
+
ALL:
|
11
|
+
required: true
|
12
|
+
exclude: &default_excludes
|
13
|
+
- Gemfile
|
14
|
+
- warden-jwt_auth.gemspec
|
15
|
+
- README.md
|
16
|
+
|
17
|
+
HardTabs:
|
18
|
+
enabled: true
|
19
|
+
|
20
|
+
SingleLineSubject:
|
21
|
+
enabled: true
|
22
|
+
|
23
|
+
#
|
24
|
+
# Hooks that are run after `git commit` is executed, before the commit message
|
25
|
+
# editor is displayed.
|
26
|
+
#
|
27
|
+
PreCommit:
|
28
|
+
ALL:
|
29
|
+
required: true
|
30
|
+
exclude: *default_excludes
|
31
|
+
|
32
|
+
BundleAudit:
|
33
|
+
enabled: true
|
34
|
+
|
35
|
+
BundleCheck:
|
36
|
+
enabled: true
|
37
|
+
|
38
|
+
LocalPathsInGemfile:
|
39
|
+
enabled: true
|
40
|
+
|
41
|
+
ExecutePermissions:
|
42
|
+
enabled: true
|
43
|
+
exclude:
|
44
|
+
- bin/*
|
45
|
+
|
46
|
+
Reek:
|
47
|
+
enabled: true
|
48
|
+
|
49
|
+
RuboCop:
|
50
|
+
enabled: true
|
51
|
+
|
52
|
+
TrailingWhitespace:
|
53
|
+
enabled: true
|
data/.overcommit_gems.rb
ADDED
@@ -0,0 +1,15 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
source 'https://rubygems.org'
|
4
|
+
|
5
|
+
gem 'overcommit', '~> 0.36'
|
6
|
+
|
7
|
+
# Patch-level verification for Bundled apps
|
8
|
+
gem 'bundler-audit', '~> 0.5'
|
9
|
+
|
10
|
+
# Ruby code smell reporter
|
11
|
+
gem 'reek', '~> 4.5'
|
12
|
+
|
13
|
+
# Ruby code style checking
|
14
|
+
gem 'rubocop', '~> 0.43'
|
15
|
+
gem 'rubocop-rspec', '~> 1.7'
|
data/.reek
ADDED
File without changes
|
data/.rspec
ADDED
data/.rubocop.yml
ADDED
data/.travis.yml
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
sudo: false
|
2
|
+
language: ruby
|
3
|
+
rvm:
|
4
|
+
- 2.2.6
|
5
|
+
- 2.3.3
|
6
|
+
- 2.4.0
|
7
|
+
before_install:
|
8
|
+
- gem update --system --no-doc
|
9
|
+
- bundle install --gemfile=.overcommit_gems.rb
|
10
|
+
before_script:
|
11
|
+
- git config --global user.email 'travis@travis.ci'
|
12
|
+
- git config --global user.name 'Travis CI'
|
13
|
+
script:
|
14
|
+
- bundle exec rspec
|
15
|
+
- bundle exec codeclimate-test-reporter
|
16
|
+
- overcommit --sign
|
17
|
+
- overcommit --run
|
18
|
+
addons:
|
19
|
+
code_climate:
|
20
|
+
repo_token:
|
21
|
+
secure: neJ5LVLV6vgeCnerSQjUpLuQDvxEH87iW8swCSWl2hTtPcD/GuwYSeSXnhH72HVHi/9basHHhaYPcE2YeBwBCr39PhiHMNwS5GGGk/RGjKpU/Gt1KXV8KXTbNGT4v+ZMM3cdsdDfe8OnzGguNVsdxseHa3KE2pyuvo2a0swXwKa7BU9VB/3ZoZvvfI3Xr9im4eklWam5yCwVR0FOF7epzmNTKMXcUga2BOc9PV5aVELzLILLCHCJSCupe5Rx8mfcsRoRmZXKduF8Ke3eq8eULvLEo4EGfC107najOqrKt7x8uDVIsuGrP4LUQ4ainmNEb2jIvpjuqAxpusMjhpjCINF1Tn0OXK93OXAp4QKeIYoYEqKtzRxX0TWFNWHB8ombF9HTMF2DmloDZyFRiI40JSMImU0hc4MDxRgiTW5MDWGbohDaJ+9VV6+rIqtlEfLhgj1grFBAroaJce9BB7RQEmfsZPzhC2VXwGxHw/YkJgzBNGq1/9E1DoTY9RPSNTQfSRodhI3XW8LSQSHTBeXZvymVcjeOyYgjzJYviLHR8QS4cXpUALtlFXyaMkPHUBLUn8XsBa5Azfh5y3qPMGiJq1/qaHA4mKj5ls+ngFbzOq82sYGAKgQHj/ZDb+FZMQQanp4jyWADKcpXcmINb9jEQwkU0bjpuhUYtghASxH1Kl8=
|
data/CODE_OF_CONDUCT.md
ADDED
@@ -0,0 +1,49 @@
|
|
1
|
+
# Contributor Code of Conduct
|
2
|
+
|
3
|
+
As contributors and maintainers of this project, and in the interest of
|
4
|
+
fostering an open and welcoming community, we pledge to respect all people who
|
5
|
+
contribute through reporting issues, posting feature requests, updating
|
6
|
+
documentation, submitting pull requests or patches, and other activities.
|
7
|
+
|
8
|
+
We are committed to making participation in this project a harassment-free
|
9
|
+
experience for everyone, regardless of level of experience, gender, gender
|
10
|
+
identity and expression, sexual orientation, disability, personal appearance,
|
11
|
+
body size, race, ethnicity, age, religion, or nationality.
|
12
|
+
|
13
|
+
Examples of unacceptable behavior by participants include:
|
14
|
+
|
15
|
+
* The use of sexualized language or imagery
|
16
|
+
* Personal attacks
|
17
|
+
* Trolling or insulting/derogatory comments
|
18
|
+
* Public or private harassment
|
19
|
+
* Publishing other's private information, such as physical or electronic
|
20
|
+
addresses, without explicit permission
|
21
|
+
* Other unethical or unprofessional conduct
|
22
|
+
|
23
|
+
Project maintainers have the right and responsibility to remove, edit, or
|
24
|
+
reject comments, commits, code, wiki edits, issues, and other contributions
|
25
|
+
that are not aligned to this Code of Conduct, or to ban temporarily or
|
26
|
+
permanently any contributor for other behaviors that they deem inappropriate,
|
27
|
+
threatening, offensive, or harmful.
|
28
|
+
|
29
|
+
By adopting this Code of Conduct, project maintainers commit themselves to
|
30
|
+
fairly and consistently applying these principles to every aspect of managing
|
31
|
+
this project. Project maintainers who do not follow or enforce the Code of
|
32
|
+
Conduct may be permanently removed from the project team.
|
33
|
+
|
34
|
+
This code of conduct applies both within project spaces and in public spaces
|
35
|
+
when an individual is representing the project or its community.
|
36
|
+
|
37
|
+
Instances of abusive, harassing, or otherwise unacceptable behavior may be
|
38
|
+
reported by contacting a project maintainer at marc@lamarciana.com. All
|
39
|
+
complaints will be reviewed and investigated and will result in a response that
|
40
|
+
is deemed necessary and appropriate to the circumstances. Maintainers are
|
41
|
+
obligated to maintain confidentiality with regard to the reporter of an
|
42
|
+
incident.
|
43
|
+
|
44
|
+
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
|
45
|
+
version 1.3.0, available at
|
46
|
+
[http://contributor-covenant.org/version/1/3/0/][version]
|
47
|
+
|
48
|
+
[homepage]: http://contributor-covenant.org
|
49
|
+
[version]: http://contributor-covenant.org/version/1/3/0/
|
data/Dockerfile
ADDED
data/Gemfile
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License (MIT)
|
2
|
+
|
3
|
+
Copyright (c) 2016 Marc Busqué
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in
|
13
|
+
all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
21
|
+
THE SOFTWARE.
|
data/README.md
ADDED
@@ -0,0 +1,187 @@
|
|
1
|
+
# Warden::JWTAuth
|
2
|
+
|
3
|
+
[![Build Status](https://travis-ci.org/waiting-for-dev/warden-jwt_auth.svg?branch=master)](https://travis-ci.org/waiting-for-dev/warden-jwt_auth)
|
4
|
+
[![Code Climate](https://codeclimate.com/github/waiting-for-dev/warden-jwt_auth/badges/gpa.svg)](https://codeclimate.com/github/waiting-for-dev/warden-jwt_auth)
|
5
|
+
[![Test Coverage](https://codeclimate.com/github/waiting-for-dev/warden-jwt_auth/badges/coverage.svg)](https://codeclimate.com/github/waiting-for-dev/warden-jwt_auth/coverage)
|
6
|
+
|
7
|
+
`warden-jwt_auth` is a [warden](https://github.com/hassox/warden) extension which uses [JWT](https://jwt.io/) tokens for user authentication. It follows [secure by default](https://en.wikipedia.org/wiki/Secure_by_default) principle.
|
8
|
+
|
9
|
+
You can read about which security concerns this library takes into account and about JWT generic secure usage in the following series of posts:
|
10
|
+
|
11
|
+
- [Stand Up for JWT Revocation](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/)
|
12
|
+
- [JWT Recovation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/)
|
13
|
+
- [JWT Secure Usage](http://waiting-for-dev.github.io/blog/2017/01/25/jwt_secure_usage/)
|
14
|
+
- [A secure JWT authentication implementation for Rack and Rails](http://waiting-for-dev.github.io/blog/2017/01/26/a_secure_jwt_authentication_for_rack_and_rails)
|
15
|
+
|
16
|
+
If what you need is a JWT authentication library for [devise](https://github.com/plataformatec/devise), better look at [devise-jwt](https://github.com/waiting-for-dev/devise-jwt), which is just a thin layer on top of this gem.
|
17
|
+
|
18
|
+
## Installation
|
19
|
+
|
20
|
+
```ruby
|
21
|
+
gem 'warden-jwt_auth', '~> 0.1.0'
|
22
|
+
```
|
23
|
+
|
24
|
+
And then execute:
|
25
|
+
|
26
|
+
$ bundle
|
27
|
+
|
28
|
+
Or install it yourself as:
|
29
|
+
|
30
|
+
$ gem install warden-jwt_auth
|
31
|
+
|
32
|
+
## Usage
|
33
|
+
|
34
|
+
At its core, this library consists of:
|
35
|
+
|
36
|
+
- A Warden strategy that authenticates a user if a valid JWT token is present in the request headers.
|
37
|
+
- A rack middleware which adds a JWT token to the response headers in configured requests.
|
38
|
+
- A rack middleware which revokes JWT tokens in configured requests.
|
39
|
+
|
40
|
+
As you see, JWT revocation is supported. I wrote [why I think JWT tokens revocation is useful and needed](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/).
|
41
|
+
|
42
|
+
### Secret key configuration
|
43
|
+
|
44
|
+
First of all, you have to configure the secret key that will be used to sign generated tokens.
|
45
|
+
|
46
|
+
```ruby
|
47
|
+
Warden::JWTAuth.configure do |config|
|
48
|
+
config.secret = ENV['WARDEN_JWT_SECRET_KEY']
|
49
|
+
end
|
50
|
+
```
|
51
|
+
|
52
|
+
**Important:** You are encouraged to use a dedicated secret key, different than others in use in your application. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
|
53
|
+
|
54
|
+
Currently, HS256 algorithm is the one in use.
|
55
|
+
|
56
|
+
### Warden scopes configuration
|
57
|
+
|
58
|
+
You have to map the warden scopes that will be authenticatable through JWT, with the user repositories from where these scope user records can be fetched.
|
59
|
+
|
60
|
+
For instance:
|
61
|
+
|
62
|
+
```ruby
|
63
|
+
config.mappings = { user: UserRepository }
|
64
|
+
```
|
65
|
+
|
66
|
+
For this example, `UserRepository` must implement a method `find_for_jwt_authentication` that takes as argument the `sub` claim in the JWT payload. This method should return a user record from `:user` scope:
|
67
|
+
|
68
|
+
```ruby
|
69
|
+
module UserRepository
|
70
|
+
# @returns User
|
71
|
+
def self.find_for_jwt_authentication(sub)
|
72
|
+
Repo.find_user_by_id(sub)
|
73
|
+
end
|
74
|
+
end
|
75
|
+
```
|
76
|
+
|
77
|
+
User records must implement a `jwt_subject` method returning what should be encoded in the `sub` claim on dispatch time.
|
78
|
+
|
79
|
+
```ruby
|
80
|
+
User = Struct.new(:id, :name)
|
81
|
+
def jwt_subject
|
82
|
+
id
|
83
|
+
end
|
84
|
+
end
|
85
|
+
```
|
86
|
+
|
87
|
+
User records may also implement a `jwt_payload` method, which gives it a chance to add something to the JWT payload:
|
88
|
+
|
89
|
+
```ruby
|
90
|
+
def jwt_payload
|
91
|
+
{ 'foo' => 'bar' }
|
92
|
+
end
|
93
|
+
```
|
94
|
+
|
95
|
+
### Middlewares addition
|
96
|
+
|
97
|
+
You need to add `Warden::JWTAuth::Middleware` to your rack middlewares stack. Actually, it is just a wrapper which adds two middlewares that do the actual job: dispatching tokens and revoking tokens.
|
98
|
+
|
99
|
+
### Token dispatch configuration
|
100
|
+
|
101
|
+
You need to tell which requests will dispatch tokens for the user that has been previously authenticated (usually through some other warden strategy, such as one requiring username and email parameters).
|
102
|
+
|
103
|
+
To configure it, you must provide a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
|
104
|
+
|
105
|
+
For example:
|
106
|
+
|
107
|
+
```ruby
|
108
|
+
config.dispatch_requests = [
|
109
|
+
['POST', %r{^/sign_in$}]
|
110
|
+
]
|
111
|
+
```
|
112
|
+
|
113
|
+
**Important**: You are encouraged to delimit your regular expression with `^` and `$` to avoid unintentional matches.
|
114
|
+
|
115
|
+
Tokens will be returned in the `Authorization` response header, with format `Bearer #{token}`.
|
116
|
+
|
117
|
+
### Requests authentication
|
118
|
+
|
119
|
+
Once you have a valid token, you can authenticate following requests providing the token in the `Authorization` request header, with format `Bearer #{token}`.
|
120
|
+
|
121
|
+
### Revocation configuration
|
122
|
+
|
123
|
+
You need to tell which requests will revoke incoming JWT tokens.
|
124
|
+
|
125
|
+
To configure it, you must provide a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
|
126
|
+
|
127
|
+
For example:
|
128
|
+
|
129
|
+
```ruby
|
130
|
+
config.revocation_requests = [
|
131
|
+
['DELETE', %r{^/sign_out$}]
|
132
|
+
]
|
133
|
+
```
|
134
|
+
|
135
|
+
**Important**: You are encouraged to delimit your regular expression with `^` and `$` to avoid unintentional matches.
|
136
|
+
|
137
|
+
Besides, you need to configure which revocation strategy will be used for each scope.
|
138
|
+
|
139
|
+
```ruby
|
140
|
+
config.revocation_strategies = { user: RevocationStrategy }
|
141
|
+
```
|
142
|
+
|
143
|
+
The implementation of the revocation strategy is also on your side. They just need to implement two methods: `jwt_revoked?` and `revoke_jwt`, both of them accepting as parameters the JWT payload and the user record, in this order.
|
144
|
+
|
145
|
+
You can read about which [JWT recovation strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/) can be implement with their pros and cons.
|
146
|
+
|
147
|
+
```ruby
|
148
|
+
module RevocationStrategy
|
149
|
+
def self.jwt_revoked?(payload, user)
|
150
|
+
# Does something to check whether the JWT token is revoked for given user
|
151
|
+
end
|
152
|
+
|
153
|
+
def self.revoke_jwt(payload, user)
|
154
|
+
# Does something to revoke the JWT token for given user
|
155
|
+
end
|
156
|
+
end
|
157
|
+
```
|
158
|
+
|
159
|
+
## Development
|
160
|
+
|
161
|
+
There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:
|
162
|
+
|
163
|
+
`docker-compose up -d`
|
164
|
+
|
165
|
+
An then, for example:
|
166
|
+
|
167
|
+
`docker-compose exec app rspec`
|
168
|
+
|
169
|
+
This gem uses [overcommit](https://github.com/brigade/overcommit) to execute some code review engines. If you submit a pull request, it will be executed in the CI process. In order to set it up, you need to do:
|
170
|
+
|
171
|
+
```ruby
|
172
|
+
bundle install --gemfile=.overcommit_gems.rb
|
173
|
+
overcommit --sign
|
174
|
+
overcommit --run # To test if it works
|
175
|
+
```
|
176
|
+
|
177
|
+
## Contributing
|
178
|
+
|
179
|
+
Bug reports and pull requests are welcome on GitHub at https://github.com/waiting-for-dev/warden-jwt_auth. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
|
180
|
+
|
181
|
+
## Release Policy
|
182
|
+
|
183
|
+
`warden-jwt_auth` follows the principles of [semantic versioning](http://semver.org/).
|
184
|
+
|
185
|
+
## License
|
186
|
+
|
187
|
+
The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).
|
data/Rakefile
ADDED
data/bin/console
ADDED
@@ -0,0 +1,16 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
# !/usr/bin/env ruby
|
4
|
+
|
5
|
+
require 'bundler/setup'
|
6
|
+
require 'warden/jwt_auth'
|
7
|
+
|
8
|
+
# You can add fixtures and/or initialization code here to make experimenting
|
9
|
+
# with your gem easier. You can also use a different console, if you like.
|
10
|
+
|
11
|
+
# (If you use this, don't forget to add pry to your Gemfile!)
|
12
|
+
# require "pry"
|
13
|
+
# Pry.start
|
14
|
+
|
15
|
+
require 'irb'
|
16
|
+
IRB.start
|