RubyGems - warden-jwt_auth - Versions diffs - 0.3.0 → 0.3.1 - Mend

warden-jwt_auth 0.3.0 → 0.3.1

Files changed (6) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 48b37f5ba1a7935103634d140ab0c1fbbaea54f3
-  data.tar.gz: 853f242af0f389a92a4f20c66800ed5447708830
+  metadata.gz: a9782cdbdf76a6eb2713519f95119793dfe5a394
+  data.tar.gz: 7440380db752d295344edb0f99f174ecd59b8fe4
 SHA512:
-  metadata.gz: d15c993a973fade506472bd525a886e2be2a2b5b03ca99223711254c3876739e94704b6f8bdd64a7c01832b5d8f96978768f18638b972be1db4027e2c24bde4d
-  data.tar.gz: ffc3fe32c2dd1cc8d4206d031bb57612615a61219f3daa136c3865dca8445bc437da056760299b0ce5988ce15e74155445936385fefce9e3a215a4ef0426c751
+  metadata.gz: b32d3633a45e59021721bcd22ddd4368e54b0a5170273bc70c7a3f9899dd51dce637eac2f0a48946e73f72b06ed4b008c1aa5677d2bb176dfdb55489dc85181e
+  data.tar.gz: f0565c6480919c4b39e44034b8e352b806661f18bc25da17989b0c1e670bda9759a6ea255525d91d4f2085980fc24228131bc9e32edd64b935e249f8cbf505ec

data/CHANGELOG.md CHANGED

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+## [0.3.1] - 2017-12-11
+### Added
+- Ensure JWT scopes are not fetched from session. Workaround for
+  https://github.com/hassox/warden/pull/118
 ## [0.3.0] - 2017-12-06
 ### Added
 - Add and call hook method `on_jwt_dispatch` on user instance

data/README.md CHANGED

@@ -24,7 +24,7 @@ If what you need is a JWT authentication library for [devise](https://github.com
 ## Installation
 ```ruby
-gem 'warden-jwt_auth', '~> 0.3.0'
+gem 'warden-jwt_auth', '~> 0.3.1'
 ```
 And then execute:
@@ -106,6 +106,7 @@ Just when a token is going to be dispatched to a client, a hook method `on_jwt_d
 def on_jwt_dispatch(token, payload)
   # Do something
 end
+```
 ### Middlewares addition

@@ -18,6 +18,17 @@ module Warden
         new.send(:prepare_token, user, auth, opts)
       end
+      # Sign out a JWT scope if it comes from the session.
+      #
+      # If a user is meant to be authenticated via JWT, then if it is fetched
+      # from the session it must be something not intended to happen and a
+      # security threat.
+      #
+      # Workaround until https://github.com/hassox/warden/pull/118 is fixed
+      def self.after_fetch(_user, auth, opts)
+        new.send(:logout_scope, auth, opts)
+      end
       private
       def prepare_token(user, auth, opts)
@@ -27,6 +38,12 @@ module Warden
         add_token_to_env(user, scope, env)
       end
+      def logout_scope(auth, opts)
+        scope = opts[:scope]
+        return unless jwt_scope?(scope)
+        auth.logout(scope)
+      end
       def token_should_be_added?(scope, env)
         path_info = EnvHelper.path_info(env)
         method = EnvHelper.request_method(env)
@@ -62,3 +79,7 @@ end
 Warden::Manager.after_set_user do |user, auth, opts|
   Warden::JWTAuth::Hooks.after_set_user(user, auth, opts)
 end
+Warden::Manager.after_fetch do |user, auth, opts|
+  Warden::JWTAuth::Hooks.after_fetch(user, auth, opts)
+end

@@ -2,6 +2,6 @@
 module Warden
   module JWTAuth
-    VERSION = '0.3.0'
+    VERSION = '0.3.1'
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: warden-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Marc Busqué
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2017-12-06 00:00:00.000000000 Z
+date: 2017-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dry-configurable