zaikio-jwt_auth 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
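--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 025f45746c3a1a8f50fe821e580f5b41e3ae0126bf450a785488941200e2b0bf
-data.tar.gz: 0ded26e92d822a537c8238f01f13ae3a51f3fc6e2e48863b88455ec25d26dd7b
+metadata.gz: 5e75e96ec3854a6fcaad1f5d4dcc01f92ba444741c34af7de567427cfeec6159
+data.tar.gz: 9250c75142635ac6eb4a8f31f7c5b16c541493cf660bf99da268f5233ddb4485
 SHA512:
-metadata.gz: 819316b9aa09aa764ce734b1f177da3aeb108c9b5b7e0cfb3426aac674dbc13115df3767d2cf933321241c88ff0721caecebef4eb7be630d04882e2a7c91eac2
-data.tar.gz: 762dd6bb4b7e0abd44cc4333d6c5799ed2802d893875cab1808f690f46f10a6a3844fbe8a1c26004895846375be4832ad4afd218cf84ebf9eb79abe993a9714b
+metadata.gz: b6c823c6798566123fcf7fc20b1c40e98bc1acf00314b91e1d6b8d8b645716b347bad5179f58e002484c95945fdcafcc4a30a3f7ffe9843ca46e2ca35583d91d
+data.tar.gz: 9c9ebfb94fb8b9c2f62f42a9e2bafad58918830f20463dab24dd209cf7a9a33a270f0a52b8f2ac8d2339bc71097736ada9766baadd840d671231ddbefa2a7d60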
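--- a/data/README.md
+++ b/data/README.md
@@ -61,6 +61,8 @@ class API::ResourcesController < API::ApplicationController
 end
 ```
 
+By convention, `authorize_by_jwt_scopes` automatically maps all CRUD actions in a controller. Requests for `show` and `index` with a read or read_write scope are allowed. All other actions like `create`, `update` and `destroy` are accepted if the scope is a write or read_write scope. Therefore it is strongly recommended to always create standard Rails resources. If a custom action is required, you will need to authorize yourself using the `after_jwt_auth`.
+
 ### 6. Optionally, if you are using SSO: Check revoked tokens
 
 Additionally, the API provides a method called `revoked_jwt?` which expects the `jti` of the JWT.
@@ -73,10 +75,23 @@ Zaikio::JWTAuth.revoked_jwt?('jti-of-token') # returns true if token was revoked
 
 ```rb
 # in your test_helper.rb
-include Zaikio::JWTAuth::TestHelper
+class ActiveSupport::TestCase
+# ...
+include Zaikio::JWTAuth::TestHelper
+# ...
+end
+
+# in your integration tests you can use:
+class ResourcesControllerTest < ActionDispatch::IntegrationTest
+def setup
+mock_jwt(sub: 'Organization/123', scope: ['directory.organization.r'])
+end
 
-# in your tests you can use:
-mock_jwt(sub: 'Organization/123', scope: ['directory.organization.r'])
+test "do a request with a mocked jwt" do
+get resources_path
+# test the actual business logic
+end
+end
 ```
 
 ## Advanced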
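--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -2,8 +2,8 @@ module Zaikio
 module JWTAuth
 class RevokeAccessTokenJob < ApplicationJob
 def perform(event)
-DirectoryCache.update("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes) do |data|
-data["blacklisted_token_ids"] << event.payload["access_token_id"]
+DirectoryCache.update("api/v1/revoked_access_tokens.json", expires_after: 60.minutes) do |data|
+data["revoked_token_ids"] << event.payload["access_token_id"]
 data
 end
 end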
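Review bot: `data["revoked_token_ids"] << event.payload["access_token_id"]` appends unconditionally, so if the same revocation is processed more than once (a repeated event, or the same id arriving through both this job and the webhook action) the cached list accumulates duplicates until the 60-minute expiry; `data["revoked_token_ids"] |= [event.payload["access_token_id"]]` keeps the set semantics that the `include?` lookup elsewhere in the diff relies on. The block also assumes the cached document already carries a `revoked_token_ids` array — if that key were absent, `<<` would raise on nil, which is presumably the safer failure than silently treating the token as valid, but a comment such as `# cache document must already contain "revoked_token_ids"; raising here is intended` would make the assumption explicit. The same pattern appears in `update_revoked_access_tokens_by_webhook` in the controller section below. The file path of this section is not shown on the page.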
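--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,3 +1,3 @@
 ActiveSupport::Inflector.inflections(:en) do |inflect|
-inflect.acronym 'JWT'
+inflect.acronym "JWT"
 end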
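--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -26,15 +26,16 @@ module Zaikio
 end
 
 def self.revoked_jwt?(jti)
-blacklisted_token_ids.include?(jti)
+revoked_token_ids.include?(jti)
 end
 
-def self.blacklisted_token_ids
+def self.revoked_token_ids
 return [] if mocked_jwt_payload
 
-return configuration.blacklisted_token_ids if configuration.blacklisted_token_ids
-
-DirectoryCache.fetch("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes)["blacklisted_token_ids"]
+configuration.revoked_token_ids || DirectoryCache.fetch(
+"api/v1/revoked_access_tokens.json",
+expires_after: 60.minutes
+)["revoked_token_ids"]
 end
 
 def self.included(base)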
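Review bot: `DirectoryCache.fetch(...)["revoked_token_ids"]` evaluates to nil when the cached document does not contain that key, and `revoked_jwt?` then fails with a NoMethodError on `nil.include?` rather than with an error that names the cause; changing the last line to `).fetch("revoked_token_ids")` keeps the fail-closed behaviour (a request is still rejected instead of treated as unrevoked) while raising a KeyError that points at the malformed cache entry. The `return [] if mocked_jwt_payload` guard means revocation lookups are skipped entirely whenever the test helper has mocked a payload, which deserves a one-line comment such as `# a mocked payload (test helper) bypasses the revocation lookup` so readers do not assume revoked ids are still honoured in tests. Both `revoked_jwt?` and `revoked_token_ids` are public module methods renamed without an alias, so callers of the old `blacklisted_token_ids` name break on upgrade; if that is intended, the README should mention it alongside the 0.3.0 bump. The file path of this section is not shown on the page.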
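--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -70,24 +71,24 @@ module Zaikio
 
 token_data = TokenData.new(jwt_payload)
 
-return if show_error_if_token_is_blacklisted(token_data)
+return if show_error_if_token_is_revoked(token_data)
 
 return if show_error_if_authorize_by_jwt_subject_type_fails(token_data)
 
 return if show_error_if_authorize_by_jwt_scopes_fails(token_data)
 
-send(:after_jwt_auth, token_data) if respond_to?(:after_jwt_auth)
+send(:after_jwt_auth, token_data) if respond_to?(:after_jwt_auth, true)
 rescue JWT::ExpiredSignature
 render_error("jwt_expired") && (return)
 rescue JWT::DecodeError
 render_error("invalid_jwt") && (return)
 end
 
-def update_blacklisted_access_tokens_by_webhook
+def update_revoked_access_tokens_by_webhook
 return unless params[:name] == "directory.revoked_access_token"
 
-DirectoryCache.update("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes) do |data|
-data["blacklisted_token_ids"] << params[:payload][:access_token_id]
+DirectoryCache.update("api/v1/revoked_access_tokens.json", expires_after: 60.minutes) do |data|
+data["revoked_token_ids"] << params[:payload][:access_token_id]
 data
 end
 
@@ -130,7 +131,7 @@ module Zaikio
 render_error("unpermitted_subject")
 end
 
-def show_error_if_token_is_blacklisted(token_data)
+def show_error_if_token_is_revoked(token_data)
 return unless Zaikio::JWTAuth.revoked_jwt?(token_data.jti)
 
 render_error("invalid_jwt")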
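Review bot: In `update_revoked_access_tokens_by_webhook`, `params[:payload][:access_token_id]` raises a NoMethodError (an unhandled 500) when the request body carries the expected `name` but no `payload` hash, and a blank id would be appended to the cached list as-is; reading it once with `access_token_id = params.dig(:payload, :access_token_id)`, then `return if access_token_id.blank?` before the `DirectoryCache.update` call, and appending `access_token_id` inside the block keeps malformed webhook bodies out of the cache without changing the happy path. The action is also renamed from `update_blacklisted_access_tokens_by_webhook` with no alias; since it looks like a public controller action that host apps route to (this file is a concern, judging by the `def self.included(base)` seen elsewhere in the diff), the rename is a breaking change that the README should call out with the 0.3.0 bump. The `respond_to?(:after_jwt_auth, true)` change is a genuine fix — private hooks were previously silently skipped — and is worth a short comment, e.g. `# true: the hook is usually declared private`. The authentication method at the top of the first hunk begins before the hunk. The file path of this section is not shown on the page.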
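--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -14,11 +14,11 @@ module Zaikio
 attr_accessor :app_name
 attr_accessor :redis, :host
 attr_reader :environment
-attr_writer :logger, :blacklisted_token_ids, :keys
+attr_writer :logger, :revoked_token_ids, :keys
 
 def initialize
 @environment = :sandbox
-@blacklisted_token_ids = nil
+@revoked_token_ids = nil
 end
 
 def logger
@@ -31,11 +31,11 @@ module Zaikio
 end
 
 def keys
-@keys.is_a?(Proc) ? @keys.call : @keys
+defined?(@keys) && @keys.is_a?(Proc) ? @keys.call : @keys
 end
 
-def blacklisted_token_ids
-@blacklisted_token_ids.is_a?(Proc) ? @blacklisted_token_ids.call : @blacklisted_token_ids
+def revoked_token_ids
+@revoked_token_ids.is_a?(Proc) ? @revoked_token_ids.call : @revoked_token_ids
 end
 
 private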
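Review bot: The `defined?(@keys) &&` guard added to `keys` works around `@keys` never being assigned in `initialize`, whereas `@revoked_token_ids` in the same class is initialised to nil there; the consistent fix is `@keys = nil` next to `@revoked_token_ids = nil` in `initialize`, leaving the reader as `@keys.is_a?(Proc) ? @keys.call : @keys` like its sibling. The new expression is correct as written — `&&` binds tighter than `?:`, so it parses as `(defined?(@keys) && @keys.is_a?(Proc)) ? @keys.call : @keys` and an unset `@keys` falls through to nil — so this is a style and consistency point, not a bug. The file path of this section is not shown on the page.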
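--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,7 +1,7 @@
 module Zaikio
 module JWTAuth
 module TestHelper
-def after_setup
+def after_teardown
 Zaikio::JWTAuth.mocked_jwt_payload = nil
 super
 end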
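Review bot: Moving the reset from `after_setup` to `after_teardown` is what allows `mock_jwt` to be called inside `setup` (as the README now documents), but it removes the only reset that ran before a test body, so a `mocked_jwt_payload` left behind by a test class that sets it without including this helper would be visible to the next test. Because a mocked payload also short-circuits the revocation lookup (`return [] if mocked_jwt_payload` elsewhere in the diff), a stale mock can make an authorization test pass for the wrong reason. Clearing in both hooks is cheap and keeps the `setup` use case working; the `after_teardown` method stays as it is. The file path of this section is not shown on the page.
```ruby
def before_setup
  Zaikio::JWTAuth.mocked_jwt_payload = nil
  super
end

# … unchanged: after_teardown …
```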
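--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,5 +1,5 @@
 module Zaikio
 module JWTAuth
-VERSION = "0.2.1".freeze
+VERSION = "0.3.0".freeze
 end
 end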
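--- a/metadata
+++ b/metadata
@@ -1,14 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-jwt_auth
 version: !ruby/object:Gem::Version
-version: 0.2.1
+version: 0.3.0
 platform: ruby
 authors:
-- Crispy Mountain GmbH
+- crispymtn
+- Jalyna Schröder
+- Martin Spickermann
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-04-02 00:00:00.000000000 Z
+date: 2020-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: oj
@@ -30,14 +32,14 @@ dependencies:
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 6.0.2.2
+version: 5.0.0
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-version: 6.0.2.2
+version: 5.0.0
 - !ruby/object:Gem::Dependency
 name: jwt
 requirement: !ruby/object:Gem::Requirement
@@ -54,7 +56,9 @@ dependencies:
 version: 2.2.1
 description: JWT-Based authentication and authorization with zaikio.
 email:
+- op@crispymtn.com
 - js@crispymtn.com
+- spickermann@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -93,7 +97,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.0.3
 signing_key:
 specification_version: 4
 summary: JWT-Based authentication and authorization with zaikio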