warden-jwt_auth 0.3.2 → 0.3.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +1 -1
- data/lib/warden/jwt_auth/env_helper.rb +10 -0
- data/lib/warden/jwt_auth/hooks.rb +7 -4
- data/lib/warden/jwt_auth/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 707c2b046b0c4685a5c98b18456c305c1fafd23b
|
|
4
|
+
data.tar.gz: 82f98685925f55704ec296b24c0bfe08636951b4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bb23f8f0bca81024fdab60bceaeb5235eb06da768641ff212d84aadb8b9aa557adf6c70f5fa3ed53ccb43eb0287da33b1a5edfbb3282d46b9c3f7a5707e194e1
|
|
7
|
+
data.tar.gz: 2035526baabad186a0bb3aadb09ab3379ca0fab48a341b14071de57e5c9a794981596887d3a006376530e7bc861d743d5dd8f5119bd6a93587051367305582b7
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
|
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/)
|
|
5
5
|
and this project adheres to [Semantic Versioning](http://semver.org/).
|
|
6
6
|
|
|
7
|
+
## [0.3.3] - 2017-12-31
|
|
8
|
+
### Fixed
|
|
9
|
+
- Check it is not a html request when disallowing fetching from session
|
|
10
|
+
|
|
7
11
|
## [0.3.2] - 2017-12-23
|
|
8
12
|
### Fixed
|
|
9
13
|
- Do not couple `aud_header` env value to the setting
|
data/README.md
CHANGED
|
@@ -56,6 +56,16 @@ module Warden
|
|
|
56
56
|
env_name = ('HTTP_' + JWTAuth.config.aud_header.upcase).tr('-', '_')
|
|
57
57
|
env[env_name]
|
|
58
58
|
end
|
|
59
|
+
|
|
60
|
+
# Returns whether `text/html` is within `Accept` header values
|
|
61
|
+
#
|
|
62
|
+
# @param env [Hash] Rack env
|
|
63
|
+
# @return [Boolean]
|
|
64
|
+
def self.html_request?(env)
|
|
65
|
+
accept = env['HTTP_ACCEPT']
|
|
66
|
+
return false unless accept
|
|
67
|
+
accept.include?('text/html')
|
|
68
|
+
end
|
|
59
69
|
end
|
|
60
70
|
end
|
|
61
71
|
end
|
|
@@ -18,11 +18,12 @@ module Warden
|
|
|
18
18
|
new.send(:prepare_token, user, auth, opts)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
# Sign out a JWT scope if it comes from the session
|
|
21
|
+
# Sign out a JWT scope if it comes from the session unless it is an HTML
|
|
22
|
+
# request
|
|
22
23
|
#
|
|
23
24
|
# If a user is meant to be authenticated via JWT, then if it is fetched
|
|
24
|
-
# from the session it must be something not intended
|
|
25
|
-
# security threat.
|
|
25
|
+
# from the session during an API request it must be something not intended
|
|
26
|
+
# to happen and a security threat.
|
|
26
27
|
#
|
|
27
28
|
# Workaround until https://github.com/hassox/warden/pull/118 is fixed
|
|
28
29
|
def self.after_fetch(_user, auth, opts)
|
|
@@ -38,9 +39,11 @@ module Warden
|
|
|
38
39
|
add_token_to_env(user, scope, env)
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
# :reek:FeatureEnvy
|
|
41
43
|
def logout_scope(auth, opts)
|
|
44
|
+
env = auth.env
|
|
42
45
|
scope = opts[:scope]
|
|
43
|
-
return
|
|
46
|
+
return if !jwt_scope?(scope) || EnvHelper.html_request?(env)
|
|
44
47
|
auth.logout(scope)
|
|
45
48
|
end
|
|
46
49
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: warden-jwt_auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Marc Busqué
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-12-
|
|
11
|
+
date: 2017-12-31 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dry-configurable
|