zaikio-jwt_auth 0.2.2 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/jobs/zaikio/jwt_auth/revoke_access_token_job.rb +2 -2
- data/lib/zaikio/jwt_auth.rb +12 -11
- data/lib/zaikio/jwt_auth/configuration.rb +10 -10
- data/lib/zaikio/jwt_auth/test_helper.rb +1 -1
- data/lib/zaikio/jwt_auth/token_data.rb +4 -0
- data/lib/zaikio/jwt_auth/version.rb +1 -1
- metadata +10 -6
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cf4b231af0a8a9fb3d9c48d577c85d12ef02b2605418b22abf21512f1d714433
|
|
4
|
+
data.tar.gz: 2d106d3d2821edc1d24d96d5e69cda3e3b4e4d04b0f062c26a1d90fd2b223f3f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 325c2144f07a582d0bc3e4f3eeadfd68a1940e5230cefaa3a1b7bd9231b7bb74c86ccc1922f457945e78b05a8286f68b7551851705592e0c3838ebfa06f654a1
|
|
7
|
+
data.tar.gz: 6fc738d1533e5e06a15ebe476acd0a20b166bd08d5065462fdfe012363ae598d258e324806e0e35651f129b0d5dd5d8974ec92bb49b06e644c9bd2fb5f7a1236
|
|
@@ -2,8 +2,8 @@ module Zaikio
|
|
|
2
2
|
module JWTAuth
|
|
3
3
|
class RevokeAccessTokenJob < ApplicationJob
|
|
4
4
|
def perform(event)
|
|
5
|
-
DirectoryCache.update("api/v1/
|
|
6
|
-
data["
|
|
5
|
+
DirectoryCache.update("api/v1/revoked_access_tokens.json", expires_after: 60.minutes) do |data|
|
|
6
|
+
data["revoked_token_ids"] << event.payload["access_token_id"]
|
|
7
7
|
data
|
|
8
8
|
end
|
|
9
9
|
end
|
data/lib/zaikio/jwt_auth.rb
CHANGED
|
@@ -26,15 +26,16 @@ module Zaikio
|
|
|
26
26
|
end
|
|
27
27
|
|
|
28
28
|
def self.revoked_jwt?(jti)
|
|
29
|
-
|
|
29
|
+
revoked_token_ids.include?(jti)
|
|
30
30
|
end
|
|
31
31
|
|
|
32
|
-
def self.
|
|
32
|
+
def self.revoked_token_ids
|
|
33
33
|
return [] if mocked_jwt_payload
|
|
34
34
|
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
35
|
+
configuration.revoked_token_ids || DirectoryCache.fetch(
|
|
36
|
+
"api/v1/revoked_access_tokens.json",
|
|
37
|
+
expires_after: 60.minutes
|
|
38
|
+
)["revoked_token_ids"]
|
|
38
39
|
end
|
|
39
40
|
|
|
40
41
|
def self.included(base)
|
|
@@ -70,24 +71,24 @@ module Zaikio
|
|
|
70
71
|
|
|
71
72
|
token_data = TokenData.new(jwt_payload)
|
|
72
73
|
|
|
73
|
-
return if
|
|
74
|
+
return if show_error_if_token_is_revoked(token_data)
|
|
74
75
|
|
|
75
76
|
return if show_error_if_authorize_by_jwt_subject_type_fails(token_data)
|
|
76
77
|
|
|
77
78
|
return if show_error_if_authorize_by_jwt_scopes_fails(token_data)
|
|
78
79
|
|
|
79
|
-
send(:after_jwt_auth, token_data) if respond_to?(:after_jwt_auth)
|
|
80
|
+
send(:after_jwt_auth, token_data) if respond_to?(:after_jwt_auth, true)
|
|
80
81
|
rescue JWT::ExpiredSignature
|
|
81
82
|
render_error("jwt_expired") && (return)
|
|
82
83
|
rescue JWT::DecodeError
|
|
83
84
|
render_error("invalid_jwt") && (return)
|
|
84
85
|
end
|
|
85
86
|
|
|
86
|
-
def
|
|
87
|
+
def update_revoked_access_tokens_by_webhook
|
|
87
88
|
return unless params[:name] == "directory.revoked_access_token"
|
|
88
89
|
|
|
89
|
-
DirectoryCache.update("api/v1/
|
|
90
|
-
data["
|
|
90
|
+
DirectoryCache.update("api/v1/revoked_access_tokens.json", expires_after: 60.minutes) do |data|
|
|
91
|
+
data["revoked_token_ids"] << params[:payload][:access_token_id]
|
|
91
92
|
data
|
|
92
93
|
end
|
|
93
94
|
|
|
@@ -130,7 +131,7 @@ module Zaikio
|
|
|
130
131
|
render_error("unpermitted_subject")
|
|
131
132
|
end
|
|
132
133
|
|
|
133
|
-
def
|
|
134
|
+
def show_error_if_token_is_revoked(token_data)
|
|
134
135
|
return unless Zaikio::JWTAuth.revoked_jwt?(token_data.jti)
|
|
135
136
|
|
|
136
137
|
render_error("invalid_jwt")
|
|
@@ -4,21 +4,21 @@ module Zaikio
|
|
|
4
4
|
module JWTAuth
|
|
5
5
|
class Configuration
|
|
6
6
|
HOSTS = {
|
|
7
|
-
development: "http://
|
|
8
|
-
test: "http://
|
|
9
|
-
staging: "https://
|
|
10
|
-
sandbox: "https://
|
|
11
|
-
production: "https://
|
|
7
|
+
development: "http://hub.zaikio.test",
|
|
8
|
+
test: "http://hub.zaikio.test",
|
|
9
|
+
staging: "https://hub.staging.zaikio.com",
|
|
10
|
+
sandbox: "https://hub.sandbox.zaikio.com",
|
|
11
|
+
production: "https://hub.zaikio.com"
|
|
12
12
|
}.freeze
|
|
13
13
|
|
|
14
14
|
attr_accessor :app_name
|
|
15
15
|
attr_accessor :redis, :host
|
|
16
16
|
attr_reader :environment
|
|
17
|
-
attr_writer :logger, :
|
|
17
|
+
attr_writer :logger, :revoked_token_ids, :keys
|
|
18
18
|
|
|
19
19
|
def initialize
|
|
20
20
|
@environment = :sandbox
|
|
21
|
-
@
|
|
21
|
+
@revoked_token_ids = nil
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
def logger
|
|
@@ -31,11 +31,11 @@ module Zaikio
|
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
def keys
|
|
34
|
-
@keys.is_a?(Proc) ? @keys.call : @keys
|
|
34
|
+
defined?(@keys) && @keys.is_a?(Proc) ? @keys.call : @keys
|
|
35
35
|
end
|
|
36
36
|
|
|
37
|
-
def
|
|
38
|
-
@
|
|
37
|
+
def revoked_token_ids
|
|
38
|
+
@revoked_token_ids.is_a?(Proc) ? @revoked_token_ids.call : @revoked_token_ids
|
|
39
39
|
end
|
|
40
40
|
|
|
41
41
|
private
|
|
@@ -14,7 +14,7 @@ module Zaikio
|
|
|
14
14
|
jti: "unique-access-token-id",
|
|
15
15
|
nbf: Time.now.to_i,
|
|
16
16
|
exp: 1.hour.from_now.to_i,
|
|
17
|
-
jku: "http://
|
|
17
|
+
jku: "http://hub.zaikio.test/api/v1/jwt_public_keys.json",
|
|
18
18
|
scope: []
|
|
19
19
|
}.merge(extra_payload).stringify_keys
|
|
20
20
|
end
|
|
@@ -33,6 +33,10 @@ module Zaikio
|
|
|
33
33
|
@payload["jti"]
|
|
34
34
|
end
|
|
35
35
|
|
|
36
|
+
def expires_at
|
|
37
|
+
Time.at(@payload["exp"]).to_datetime
|
|
38
|
+
end
|
|
39
|
+
|
|
36
40
|
# scope_options is an array of objects with:
|
|
37
41
|
# scope, app_name (optional), except/only (array, optional)
|
|
38
42
|
def scope_by_configurations?(scope_configurations, action_name, context)
|
metadata
CHANGED
|
@@ -1,14 +1,16 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: zaikio-jwt_auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
|
-
-
|
|
7
|
+
- crispymtn
|
|
8
|
+
- Jalyna Schröder
|
|
9
|
+
- Martin Spickermann
|
|
8
10
|
autorequire:
|
|
9
11
|
bindir: bin
|
|
10
12
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
13
|
+
date: 2020-10-15 00:00:00.000000000 Z
|
|
12
14
|
dependencies:
|
|
13
15
|
- !ruby/object:Gem::Dependency
|
|
14
16
|
name: oj
|
|
@@ -30,14 +32,14 @@ dependencies:
|
|
|
30
32
|
requirements:
|
|
31
33
|
- - ">="
|
|
32
34
|
- !ruby/object:Gem::Version
|
|
33
|
-
version:
|
|
35
|
+
version: 5.0.0
|
|
34
36
|
type: :runtime
|
|
35
37
|
prerelease: false
|
|
36
38
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
39
|
requirements:
|
|
38
40
|
- - ">="
|
|
39
41
|
- !ruby/object:Gem::Version
|
|
40
|
-
version:
|
|
42
|
+
version: 5.0.0
|
|
41
43
|
- !ruby/object:Gem::Dependency
|
|
42
44
|
name: jwt
|
|
43
45
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -54,7 +56,9 @@ dependencies:
|
|
|
54
56
|
version: 2.2.1
|
|
55
57
|
description: JWT-Based authentication and authorization with zaikio.
|
|
56
58
|
email:
|
|
59
|
+
- op@crispymtn.com
|
|
57
60
|
- js@crispymtn.com
|
|
61
|
+
- spickermann@gmail.com
|
|
58
62
|
executables: []
|
|
59
63
|
extensions: []
|
|
60
64
|
extra_rdoc_files: []
|
|
@@ -93,7 +97,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
93
97
|
- !ruby/object:Gem::Version
|
|
94
98
|
version: '0'
|
|
95
99
|
requirements: []
|
|
96
|
-
rubygems_version: 3.
|
|
100
|
+
rubygems_version: 3.0.3
|
|
97
101
|
signing_key:
|
|
98
102
|
specification_version: 4
|
|
99
103
|
summary: JWT-Based authentication and authorization with zaikio
|