warden-jwt_auth 0.7.0 → 0.8.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d1d3eebd02efa288aa59f731fc3650a0c1deefe2922f35a606ce53f0fd16d0be
4
- data.tar.gz: 8bdab56cf91544de74393491d842c34208b6028000c07a2187caf93f09887093
3
+ metadata.gz: d1170f1a68adb34c8769b7c202ba91ca706494562205ef9b8ab56956f0d66393
4
+ data.tar.gz: 9334625e9e7711c76a90c6d22414871402171e317f9825cc3d6e4d3e5ca486fd
5
5
  SHA512:
6
- metadata.gz: 8949c3f273247d3fbbf6bc034952d50ab58be7214c411fa6144ea190485b3c3963dac7f024ef9462b08f6240c64b7c9e11cade4d3ddb655419ce0c0cd88e1075
7
- data.tar.gz: 05076d7b6e458c914cd974c8310820e80a5f0832e19e7b82303a6d75dd9e04a403b2fc19bc925d954d08229cafd6ac1a7d31316977bc08803f80981723dbca8c
6
+ metadata.gz: 6ab3bbcd295d3206006878d307006a7033be2bfa94237f45e607979b8217d5b84222f076700e1893633b9d716b159d5d576183ca9a261a36c0b76f341c8f1d22
7
+ data.tar.gz: 95619a1fee6709a8aa7eb883af56abf1e7540acde7b3eb690a7b6da142f203cd41bc222af6cac12937ac18f909a5974437cedf7d76f32262f4f6cca275ada89b
data/CHANGELOG.md CHANGED
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
4
4
  The format is based on [Keep a Changelog](http://keepachangelog.com/)
5
5
  and this project adheres to [Semantic Versioning](http://semver.org/).
6
6
 
7
+ ## [0.8.0] - 2023-01-31
8
+ - Add support for secret rotation ([49](https://github.com/waiting-for-dev/warden-jwt_auth/pull/49))
9
+ - Support dry-* v1 ([52](https://github.com/waiting-for-dev/warden-jwt_auth/pull/52))
10
+
7
11
  ## [0.7.0] - 2022-09-12
8
12
  - Support asymmetric algorithms ([40](https://github.com/waiting-for-dev/warden-jwt_auth/issues/40))
9
13
 
data/README.md CHANGED
@@ -195,6 +195,19 @@ Authentication will be refused if a client requesting to be authenticated throug
195
195
 
196
196
  **Important:** Be aware that this workflow is not bullet proof. In some scenarios a user can handcraft the request headers, therefore being able to impersonate any client. In such cases you could need something more robust, like an OAuth workflow with client id and client secret.
197
197
 
198
+ ### Secret rotation
199
+
200
+ Secret rotation is supported by setting `rotation_secret`. Set the new secret as the `secret` and copy the previous secret to `rotation_secret`
201
+
202
+ ```ruby
203
+ Warden::JWTAuth.configure do |config|
204
+ config.secret = ENV['WARDEN_JWT_SECRET_KEY']
205
+ config.rotation_secret = ENV['WARDEN_JWT_SECRET_KEY_ROTATION']
206
+ end
207
+ ```
208
+
209
+ You can remove the `rotation_secret` when you are condifent that large enough user base has the fetched the token encrypted with the new secret.
210
+
198
211
  ## Development
199
212
 
200
213
  There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:
@@ -1,10 +1,12 @@
1
1
  # frozen_string_literal: true
2
2
 
3
+ require 'jwt/error'
4
+
3
5
  module Warden
4
6
  module JWTAuth
5
7
  # Decodes a JWT into a hash payload into a JWT token
6
8
  class TokenDecoder
7
- include JWTAuth::Import['decoding_secret', 'algorithm']
9
+ include JWTAuth::Import['decoding_secret', 'rotation_secret', 'algorithm']
8
10
 
9
11
  # Decodes the payload from a JWT as a hash
10
12
  #
@@ -14,8 +16,16 @@ module Warden
14
16
  # @param token [String] a JWT
15
17
  # @return [Hash] payload decoded from the JWT
16
18
  def call(token)
19
+ decode(token, decoding_secret)
20
+ rescue JWT::VerificationError
21
+ decode(token, rotation_secret)
22
+ end
23
+
24
+ private
25
+
26
+ def decode(token, secret)
17
27
  JWT.decode(token,
18
- decoding_secret,
28
+ secret,
19
29
  true,
20
30
  algorithm: algorithm,
21
31
  verify_jti: true)[0]
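Review bot: The `rescue JWT::VerificationError` fallback calls `decode(token, rotation_secret)` even when no `rotation_secret` is configured, and since the new setting has no default the retry then verifies against a nil key; in jwt 2.x that appears to surface as a `JWT::DecodeError` ("No verification key available") rather than the original `JWT::VerificationError`, so every bad-signature token changes error class for deployments that never opted into rotation. Guarding the fallback keeps the previous behaviour for them: `rescue JWT::VerificationError` / `raise unless rotation_secret` / `decode(token, rotation_secret)`. Accepting the previous secret also means tokens signed under it stay valid until the operator removes the setting, so the YARD on `call` could gain `@raise [JWT::DecodeError]` and a sentence that `rotation_secret` should be dropped once tokens issued with the old secret have expired. The closing `end` of `decode` and of the class lie outside the hunk.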
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Warden
4
4
  module JWTAuth
5
- VERSION = '0.7.0'
5
+ VERSION = '0.8.0'
6
6
  end
7
7
  end
@@ -41,6 +41,9 @@ module Warden
41
41
  # The secret used to encode the token
42
42
  setting :secret
43
43
 
44
+ # The old secret used for rotation
45
+ setting :rotation_secret
46
+
44
47
  # The secret used to decode the token, defaults to `secret` if not provided
45
48
  setting :decoding_secret, constructor: ->(value) { value || config.secret }
46
49
 
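Review bot: The comment `# The old secret used for rotation` on the new `setting :rotation_secret` does not say which role the value plays; the decoder hunk uses it in place of `decoding_secret` after a failed signature check, so for asymmetric algorithms it would presumably have to be the previous verification key rather than the previous signing key, and unlike `decoding_secret` just below it the setting has no default. A comment such as `# The previous decoding secret (verification key for asymmetric algorithms), tried only when verification with decoding_secret fails; nil by default, so no previous secret is accepted.` would make that explicit. The enclosing configuration class starts and ends outside the hunk.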
@@ -22,8 +22,8 @@ Gem::Specification.new do |spec|
22
22
 
23
23
  spec.metadata['rubygems_mfa_required'] = 'true'
24
24
 
25
- spec.add_dependency 'dry-auto_inject', '~> 0.8'
26
- spec.add_dependency 'dry-configurable', '~> 0.13'
25
+ spec.add_dependency 'dry-auto_inject', '>= 0.8', '< 2'
26
+ spec.add_dependency 'dry-configurable', '>= 0.13', '< 2'
27
27
  spec.add_dependency 'jwt', '~> 2.1'
28
28
  spec.add_dependency 'warden', '~> 1.2'
29
29
 
metadata CHANGED
@@ -1,43 +1,55 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: warden-jwt_auth
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.7.0
4
+ version: 0.8.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Marc Busqué
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2022-09-12 00:00:00.000000000 Z
11
+ date: 2023-01-31 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: dry-auto_inject
15
15
  requirement: !ruby/object:Gem::Requirement
16
16
  requirements:
17
- - - "~>"
17
+ - - ">="
18
18
  - !ruby/object:Gem::Version
19
19
  version: '0.8'
20
+ - - "<"
21
+ - !ruby/object:Gem::Version
22
+ version: '2'
20
23
  type: :runtime
21
24
  prerelease: false
22
25
  version_requirements: !ruby/object:Gem::Requirement
23
26
  requirements:
24
- - - "~>"
27
+ - - ">="
25
28
  - !ruby/object:Gem::Version
26
29
  version: '0.8'
30
+ - - "<"
31
+ - !ruby/object:Gem::Version
32
+ version: '2'
27
33
  - !ruby/object:Gem::Dependency
28
34
  name: dry-configurable
29
35
  requirement: !ruby/object:Gem::Requirement
30
36
  requirements:
31
- - - "~>"
37
+ - - ">="
32
38
  - !ruby/object:Gem::Version
33
39
  version: '0.13'
40
+ - - "<"
41
+ - !ruby/object:Gem::Version
42
+ version: '2'
34
43
  type: :runtime
35
44
  prerelease: false
36
45
  version_requirements: !ruby/object:Gem::Requirement
37
46
  requirements:
38
- - - "~>"
47
+ - - ">="
39
48
  - !ruby/object:Gem::Version
40
49
  version: '0.13'
50
+ - - "<"
51
+ - !ruby/object:Gem::Version
52
+ version: '2'
41
53
  - !ruby/object:Gem::Dependency
42
54
  name: jwt
43
55
  requirement: !ruby/object:Gem::Requirement