zaikio-jwt_auth 0.1.2 → 0.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +37 -4
- data/lib/zaikio/jwt_auth.rb +16 -6
- data/lib/zaikio/jwt_auth/directory_cache.rb +13 -0
- data/lib/zaikio/jwt_auth/token_data.rb +3 -2
- data/lib/zaikio/jwt_auth/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3e888abf5976a9f6837a1723da1f586f317add69e45caa8527c68c086e1f4c40
|
|
4
|
+
data.tar.gz: 3ccd16afb7cdc1e808b01dab786cf24cdab31e2eff44bffaa695a0c8231afad5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 36540e2d6588c39f994e4ae5dc62c2bb274d505feb32404f3d0dd7568c57f665024ed164686bc3056c5f236b4471f271917d2f42090d62a3685952010bf27ba9
|
|
7
|
+
data.tar.gz: 13447cfaf7386af9cbbfe83f54ccb0ffed13e310c9dd7fab94705ee1b321bf3d82daeb40a4ba9bb273dc313e355aaf822b33f702e5386674c5ce223cd629155f
|
data/README.md
CHANGED
|
@@ -6,7 +6,7 @@ Gem for JWT-Based authentication and authorization with zaikio.
|
|
|
6
6
|
|
|
7
7
|
## Installation
|
|
8
8
|
|
|
9
|
-
Add this line to your application's Gemfile:
|
|
9
|
+
1. Add this line to your application's Gemfile:
|
|
10
10
|
|
|
11
11
|
```ruby
|
|
12
12
|
gem 'zaikio-jwt_auth'
|
|
@@ -22,7 +22,7 @@ Or install it yourself as:
|
|
|
22
22
|
$ gem install zaikio-jwt_auth
|
|
23
23
|
```
|
|
24
24
|
|
|
25
|
-
Configure the gem:
|
|
25
|
+
2. Configure the gem:
|
|
26
26
|
|
|
27
27
|
```rb
|
|
28
28
|
# config/initializers/zaikio_jwt_auth.rb
|
|
@@ -34,7 +34,7 @@ Zaikio::JWTAuth.configure do |config|
|
|
|
34
34
|
end
|
|
35
35
|
```
|
|
36
36
|
|
|
37
|
-
Extend your API application controller:
|
|
37
|
+
3. Extend your API application controller:
|
|
38
38
|
|
|
39
39
|
```rb
|
|
40
40
|
class API::ApplicationController < ActionController::Base
|
|
@@ -49,7 +49,40 @@ class API::ApplicationController < ActionController::Base
|
|
|
49
49
|
end
|
|
50
50
|
```
|
|
51
51
|
|
|
52
|
-
|
|
52
|
+
4. Update Revoked Access Tokens by Webhook
|
|
53
|
+
|
|
54
|
+
```rb
|
|
55
|
+
# ENV['ZAIKIO_SHARED_SECRET'] needs to be defined first, you can find it on your
|
|
56
|
+
# app details page in zaikio. Fore more help read:
|
|
57
|
+
# https://docs.zaikio.com/guide/loom/receiving-events.html
|
|
58
|
+
class WebhooksController < ActionController::Base
|
|
59
|
+
include Zaikio::JWTAuth
|
|
60
|
+
|
|
61
|
+
before_action :verify_signature
|
|
62
|
+
before_action :update_blacklisted_access_tokens_by_webhook
|
|
63
|
+
|
|
64
|
+
def create
|
|
65
|
+
case params[:name]
|
|
66
|
+
# Manage other events
|
|
67
|
+
end
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
private
|
|
71
|
+
|
|
72
|
+
def verify_signature
|
|
73
|
+
# Read More: https://docs.zaikio.com/guide/loom/receiving-events.html
|
|
74
|
+
unless ActiveSupport::SecurityUtils.secure_compare(
|
|
75
|
+
OpenSSL::HMAC.hexdigest("SHA256", "shared-secret", request.body.read),
|
|
76
|
+
request.headers["X-Loom-Signature"]
|
|
77
|
+
)
|
|
78
|
+
render status: :unauthorized, json: { errors: ["invalid_signature"] }
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
|
|
85
|
+
5. Add more restrictions to your resources:
|
|
53
86
|
|
|
54
87
|
```rb
|
|
55
88
|
class API::ResourcesController < API::ApplicationController
|
data/lib/zaikio/jwt_auth.rb
CHANGED
|
@@ -27,8 +27,8 @@ module Zaikio
|
|
|
27
27
|
@authorize_by_jwt_subject_type ||= type
|
|
28
28
|
end
|
|
29
29
|
|
|
30
|
-
def authorize_by_jwt_scopes(scopes = nil)
|
|
31
|
-
@authorize_by_jwt_scopes ||= scopes
|
|
30
|
+
def authorize_by_jwt_scopes(scopes = nil, options = {})
|
|
31
|
+
@authorize_by_jwt_scopes ||= options.merge(scopes: scopes)
|
|
32
32
|
end
|
|
33
33
|
end
|
|
34
34
|
|
|
@@ -51,6 +51,17 @@ module Zaikio
|
|
|
51
51
|
render_error("invalid_jwt") && (return)
|
|
52
52
|
end
|
|
53
53
|
|
|
54
|
+
def update_blacklisted_access_tokens_by_webhook
|
|
55
|
+
return unless params[:name] == "directory.revoked_access_token"
|
|
56
|
+
|
|
57
|
+
DirectoryCache.update("api/v1/blacklisted_token_ids.json", expires_after: 60.minutes) do |data|
|
|
58
|
+
data["blacklisted_token_ids"] << params[:payload][:access_token_id]
|
|
59
|
+
data
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
render json: { received: true }
|
|
63
|
+
end
|
|
64
|
+
|
|
54
65
|
private
|
|
55
66
|
|
|
56
67
|
def jwt_from_auth_header
|
|
@@ -65,9 +76,8 @@ module Zaikio
|
|
|
65
76
|
end
|
|
66
77
|
|
|
67
78
|
def show_error_if_authorize_by_jwt_scopes_fails(token_data)
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
end
|
|
79
|
+
scope_data = self.class.authorize_by_jwt_scopes
|
|
80
|
+
return if !scope_data[:scopes] || token_data.scope?(scope_data[:scopes], action_name, scope_data[:app_name])
|
|
71
81
|
|
|
72
82
|
render_error("unpermitted_scope")
|
|
73
83
|
end
|
|
@@ -92,7 +102,7 @@ module Zaikio
|
|
|
92
102
|
return Zaikio::JWTAuth.configuration.blacklisted_token_ids
|
|
93
103
|
end
|
|
94
104
|
|
|
95
|
-
DirectoryCache.fetch("api/v1/blacklisted_token_ids.json", expires_after:
|
|
105
|
+
DirectoryCache.fetch("api/v1/blacklisted_token_ids.json", expires_after: 60.minutes)["blacklisted_token_ids"]
|
|
96
106
|
end
|
|
97
107
|
|
|
98
108
|
def render_error(error, status: :forbidden)
|
|
@@ -18,6 +18,19 @@ module Zaikio
|
|
|
18
18
|
json["data"]
|
|
19
19
|
end
|
|
20
20
|
|
|
21
|
+
def update(directory_path, options = {})
|
|
22
|
+
data = fetch(directory_path, options)
|
|
23
|
+
data = yield(data)
|
|
24
|
+
Zaikio::JWTAuth.configuration.redis.set("zaikio::jwt_auth::#{directory_path}", {
|
|
25
|
+
fetched_at: Time.now.to_i,
|
|
26
|
+
data: data
|
|
27
|
+
}.to_json)
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
def reset(directory_path)
|
|
31
|
+
Zaikio::JWTAuth.configuration.redis.del("zaikio::jwt_auth::#{directory_path}")
|
|
32
|
+
end
|
|
33
|
+
|
|
21
34
|
private
|
|
22
35
|
|
|
23
36
|
def cache_expired?(json, expires_after)
|
|
@@ -33,11 +33,12 @@ module Zaikio
|
|
|
33
33
|
@payload["jti"]
|
|
34
34
|
end
|
|
35
35
|
|
|
36
|
-
def scope?(allowed_scopes, action_name)
|
|
36
|
+
def scope?(allowed_scopes, action_name, app_name = nil)
|
|
37
|
+
app_name ||= Zaikio::JWTAuth.configuration.app_name
|
|
37
38
|
Array(allowed_scopes).map(&:to_s).any? do |allowed_scope|
|
|
38
39
|
scope.any? do |s|
|
|
39
40
|
parts = s.split(".")
|
|
40
|
-
parts[0] ==
|
|
41
|
+
parts[0] == app_name &&
|
|
41
42
|
parts[1] == allowed_scope &&
|
|
42
43
|
action_in_permission?(action_name, parts[2])
|
|
43
44
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: zaikio-jwt_auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Crispy Mountain GmbH
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-02-03 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: oj
|