warden-jwt_auth 0.3.2 → 0.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +1 -1
- data/lib/warden/jwt_auth/env_helper.rb +10 -0
- data/lib/warden/jwt_auth/hooks.rb +7 -4
- data/lib/warden/jwt_auth/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 707c2b046b0c4685a5c98b18456c305c1fafd23b
|
|
4
|
+
data.tar.gz: 82f98685925f55704ec296b24c0bfe08636951b4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bb23f8f0bca81024fdab60bceaeb5235eb06da768641ff212d84aadb8b9aa557adf6c70f5fa3ed53ccb43eb0287da33b1a5edfbb3282d46b9c3f7a5707e194e1
|
|
7
|
+
data.tar.gz: 2035526baabad186a0bb3aadb09ab3379ca0fab48a341b14071de57e5c9a794981596887d3a006376530e7bc861d743d5dd8f5119bd6a93587051367305582b7
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
|
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/)
|
|
5
5
|
and this project adheres to [Semantic Versioning](http://semver.org/).
|
|
6
6
|
|
|
7
|
+
## [0.3.3] - 2017-12-31
|
|
8
|
+
### Fixed
|
|
9
|
+
- Check it is not a html request when disallowing fetching from session
|
|
10
|
+
|
|
7
11
|
## [0.3.2] - 2017-12-23
|
|
8
12
|
### Fixed
|
|
9
13
|
- Do not couple `aud_header` env value to the setting
|
data/README.md
CHANGED
|
@@ -56,6 +56,16 @@ module Warden
|
|
|
56
56
|
env_name = ('HTTP_' + JWTAuth.config.aud_header.upcase).tr('-', '_')
|
|
57
57
|
env[env_name]
|
|
58
58
|
end
|
|
59
|
+
|
|
60
|
+
# Returns whether `text/html` is within `Accept` header values
|
|
61
|
+
#
|
|
62
|
+
# @param env [Hash] Rack env
|
|
63
|
+
# @return [Boolean]
|
|
64
|
+
def self.html_request?(env)
|
|
65
|
+
accept = env['HTTP_ACCEPT']
|
|
66
|
+
return false unless accept
|
|
67
|
+
accept.include?('text/html')
|
|
68
|
+
end
|
|
59
69
|
end
|
|
60
70
|
end
|
|
61
71
|
end
|
|
@@ -18,11 +18,12 @@ module Warden
|
|
|
18
18
|
new.send(:prepare_token, user, auth, opts)
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
-
# Sign out a JWT scope if it comes from the session
|
|
21
|
+
# Sign out a JWT scope if it comes from the session unless it is an HTML
|
|
22
|
+
# request
|
|
22
23
|
#
|
|
23
24
|
# If a user is meant to be authenticated via JWT, then if it is fetched
|
|
24
|
-
# from the session it must be something not intended
|
|
25
|
-
# security threat.
|
|
25
|
+
# from the session during an API request it must be something not intended
|
|
26
|
+
# to happen and a security threat.
|
|
26
27
|
#
|
|
27
28
|
# Workaround until https://github.com/hassox/warden/pull/118 is fixed
|
|
28
29
|
def self.after_fetch(_user, auth, opts)
|
|
@@ -38,9 +39,11 @@ module Warden
|
|
|
38
39
|
add_token_to_env(user, scope, env)
|
|
39
40
|
end
|
|
40
41
|
|
|
42
|
+
# :reek:FeatureEnvy
|
|
41
43
|
def logout_scope(auth, opts)
|
|
44
|
+
env = auth.env
|
|
42
45
|
scope = opts[:scope]
|
|
43
|
-
return
|
|
46
|
+
return if !jwt_scope?(scope) || EnvHelper.html_request?(env)
|
|
44
47
|
auth.logout(scope)
|
|
45
48
|
end
|
|
46
49
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: warden-jwt_auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Marc Busqué
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-12-
|
|
11
|
+
date: 2017-12-31 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dry-configurable
|