zaikio-jwt_auth 0.1.4 → 0.1.5
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +18 -0
- data/lib/zaikio/jwt_auth.rb +26 -10
- data/lib/zaikio/jwt_auth/test_helper.rb +23 -0
- data/lib/zaikio/jwt_auth/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: '0559a98a2221978a8a5c35e6968d667d9c17287b1421500ae0062bad169c0ece'
|
4
|
+
data.tar.gz: be9a95f5684dd8329f1b5446400ad8704f46422a364de01675538f3001c0bf59
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d4f1a51bed19e09d9ca09eb873377639f6f197f289742d74e17a6d6fba3e130608547530ca65daa6ab40c3faad4a00a8b695582fee084d78b8e96e897165301f
|
7
|
+
data.tar.gz: bf0eab6e6761239b33ae00d565ffc0b884fd70ddea3d589a91a0a1c7b2bf124e955048e8a5eebfbc7e42d1b37ed41fd96b0d6139b5f19ce5b60358bf69525612
|
data/README.md
CHANGED
@@ -92,3 +92,21 @@ class API::ResourcesController < API::ApplicationController
|
|
92
92
|
authorize_by_jwt_scopes 'resources'
|
93
93
|
end
|
94
94
|
```
|
95
|
+
|
96
|
+
6. Optionally, if you are using SSO: Check revoked tokens
|
97
|
+
|
98
|
+
Additionally, the API provides a method called `revoked_jwt?` which expects the `jti` of the JWT.
|
99
|
+
|
100
|
+
```rb
|
101
|
+
Zaikio::JWTAuth.revoked_jwt?('jti-of-token') # returns true if token was revoked
|
102
|
+
```
|
103
|
+
|
104
|
+
7. Optionally, use the test helper module to mock JWTs in your minitests
|
105
|
+
|
106
|
+
```rb
|
107
|
+
# in your test_helper.rb
|
108
|
+
include Zaikio::JWTAuth::TestHelper
|
109
|
+
|
110
|
+
# in your tests you can use:
|
111
|
+
mock_jwt(sub: 'Organization/123', scope: ['directory.organization.r'])
|
112
|
+
```
|
data/lib/zaikio/jwt_auth.rb
CHANGED
@@ -5,6 +5,7 @@ require "zaikio/jwt_auth/configuration"
|
|
5
5
|
require "zaikio/jwt_auth/directory_cache"
|
6
6
|
require "zaikio/jwt_auth/jwk"
|
7
7
|
require "zaikio/jwt_auth/token_data"
|
8
|
+
require "zaikio/jwt_auth/test_helper"
|
8
9
|
|
9
10
|
module Zaikio
|
10
11
|
module JWTAuth
|
@@ -17,11 +18,31 @@ module Zaikio
|
|
17
18
|
yield(configuration)
|
18
19
|
end
|
19
20
|
|
21
|
+
def self.revoked_jwt?(jti)
|
22
|
+
blacklisted_token_ids.include?(jti)
|
23
|
+
end
|
24
|
+
|
25
|
+
def self.blacklisted_token_ids
|
26
|
+
return [] if mocked_jwt_payload
|
27
|
+
|
28
|
+
return configuration.blacklisted_token_ids if configuration.blacklisted_token_ids
|
29
|
+
|
30
|
+
DirectoryCache.fetch("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes)["blacklisted_token_ids"]
|
31
|
+
end
|
32
|
+
|
20
33
|
def self.included(base)
|
21
34
|
base.send :include, InstanceMethods
|
22
35
|
base.send :extend, ClassMethods
|
23
36
|
end
|
24
37
|
|
38
|
+
def self.mocked_jwt_payload
|
39
|
+
@mocked_jwt_payload
|
40
|
+
end
|
41
|
+
|
42
|
+
def self.mocked_jwt_payload=(payload)
|
43
|
+
@mocked_jwt_payload = payload
|
44
|
+
end
|
45
|
+
|
25
46
|
module ClassMethods
|
26
47
|
def authorize_by_jwt_subject_type(type = nil)
|
27
48
|
@authorize_by_jwt_subject_type ||= type
|
@@ -65,11 +86,15 @@ module Zaikio
|
|
65
86
|
private
|
66
87
|
|
67
88
|
def jwt_from_auth_header
|
89
|
+
return true if Zaikio::JWTAuth.mocked_jwt_payload
|
90
|
+
|
68
91
|
auth_header = request.headers["Authorization"]
|
69
92
|
auth_header.split("Bearer ").last if /Bearer/.match?(auth_header)
|
70
93
|
end
|
71
94
|
|
72
95
|
def jwt_payload
|
96
|
+
return Zaikio::JWTAuth.mocked_jwt_payload if Zaikio::JWTAuth.mocked_jwt_payload
|
97
|
+
|
73
98
|
payload, = JWT.decode(jwt_from_auth_header, nil, true, algorithms: ["RS256"], jwks: JWK.loader)
|
74
99
|
|
75
100
|
payload
|
@@ -92,20 +117,11 @@ module Zaikio
|
|
92
117
|
end
|
93
118
|
|
94
119
|
def show_error_if_token_is_blacklisted(token_data)
|
95
|
-
return unless
|
120
|
+
return unless Zaikio::JWTAuth.revoked_jwt?(token_data.jti)
|
96
121
|
|
97
122
|
render_error("invalid_jwt")
|
98
123
|
end
|
99
124
|
|
100
|
-
def blacklisted_token_ids
|
101
|
-
if Zaikio::JWTAuth.configuration.blacklisted_token_ids
|
102
|
-
return Zaikio::JWTAuth.configuration.blacklisted_token_ids
|
103
|
-
end
|
104
|
-
|
105
|
-
DirectoryCache.fetch("api/v1/blacklisted_access_tokens.json",
|
106
|
-
expires_after: 60.minutes)["blacklisted_token_ids"]
|
107
|
-
end
|
108
|
-
|
109
125
|
def render_error(error, status: :forbidden)
|
110
126
|
render(status: status, json: { "errors" => [error] })
|
111
127
|
end
|
@@ -0,0 +1,23 @@
|
|
1
|
+
module Zaikio
|
2
|
+
module JWTAuth
|
3
|
+
module TestHelper
|
4
|
+
def after_setup
|
5
|
+
Zaikio::JWTAuth.mocked_jwt_payload = nil
|
6
|
+
super
|
7
|
+
end
|
8
|
+
|
9
|
+
def mock_jwt(extra_payload)
|
10
|
+
Zaikio::JWTAuth.mocked_jwt_payload = {
|
11
|
+
iss: "ZAI",
|
12
|
+
sub: nil,
|
13
|
+
aud: %w[test_app],
|
14
|
+
jti: "unique-access-token-id",
|
15
|
+
nbf: Time.now.to_i,
|
16
|
+
exp: 1.hour.from_now.to_i,
|
17
|
+
jku: "http://directory.zaikio.test/api/v1/jwt_public_keys.json",
|
18
|
+
scope: []
|
19
|
+
}.merge(extra_payload).stringify_keys
|
20
|
+
end
|
21
|
+
end
|
22
|
+
end
|
23
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: zaikio-jwt_auth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1.
|
4
|
+
version: 0.1.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Crispy Mountain GmbH
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-02-
|
11
|
+
date: 2020-02-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: oj
|
@@ -68,6 +68,7 @@ files:
|
|
68
68
|
- lib/zaikio/jwt_auth/directory_cache.rb
|
69
69
|
- lib/zaikio/jwt_auth/jwk.rb
|
70
70
|
- lib/zaikio/jwt_auth/railtie.rb
|
71
|
+
- lib/zaikio/jwt_auth/test_helper.rb
|
71
72
|
- lib/zaikio/jwt_auth/token_data.rb
|
72
73
|
- lib/zaikio/jwt_auth/version.rb
|
73
74
|
homepage: https://www.zaikio.com/
|