zaikio-jwt_auth 0.2.3 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/app/jobs/zaikio/jwt_auth/revoke_access_token_job.rb +2 -2
- data/lib/zaikio/jwt_auth.rb +13 -11
- data/lib/zaikio/jwt_auth/configuration.rb +12 -13
- data/lib/zaikio/jwt_auth/test_helper.rb +1 -1
- data/lib/zaikio/jwt_auth/token_data.rb +5 -1
- data/lib/zaikio/jwt_auth/version.rb +1 -1
- metadata +9 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0ed1625f0c3baa4a4ffaa294a558f4da335e647708aabe66e8a51924bbbd02d5
|
|
4
|
+
data.tar.gz: 4f5495c0aa6bda2d70cdbf560c3db957ffe65d8017d49d97dcc9c8139b6a69d0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 77d5cfcc03cd050812d8b01b0e6d8d0954198bb6a002f86c46fb304c515bb54f9661535d0d7d6ed5b67ebcc552cb4d1a61affb40959e57c576f5b602cb74c980
|
|
7
|
+
data.tar.gz: 30d094c7015d1c73f059282277ba528994db14f4b67525f05265240cd9bc7986a958b13e9cb34765b3e1e36b4c96d7f60dc349b04580bbf7ef56ebd7db48a2ee
|
|
@@ -2,8 +2,8 @@ module Zaikio
|
|
|
2
2
|
module JWTAuth
|
|
3
3
|
class RevokeAccessTokenJob < ApplicationJob
|
|
4
4
|
def perform(event)
|
|
5
|
-
DirectoryCache.update("api/v1/
|
|
6
|
-
data["
|
|
5
|
+
DirectoryCache.update("api/v1/revoked_access_tokens.json", expires_after: 60.minutes) do |data|
|
|
6
|
+
data["revoked_token_ids"] << event.payload["access_token_id"]
|
|
7
7
|
data
|
|
8
8
|
end
|
|
9
9
|
end
|
data/lib/zaikio/jwt_auth.rb
CHANGED
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require "jwt"
|
|
2
2
|
require "oj"
|
|
3
|
+
require "active_support/core_ext/integer/time"
|
|
3
4
|
require "zaikio/jwt_auth/railtie"
|
|
4
5
|
require "zaikio/jwt_auth/configuration"
|
|
5
6
|
require "zaikio/jwt_auth/directory_cache"
|
|
@@ -26,15 +27,16 @@ module Zaikio
|
|
|
26
27
|
end
|
|
27
28
|
|
|
28
29
|
def self.revoked_jwt?(jti)
|
|
29
|
-
|
|
30
|
+
revoked_token_ids.include?(jti)
|
|
30
31
|
end
|
|
31
32
|
|
|
32
|
-
def self.
|
|
33
|
+
def self.revoked_token_ids
|
|
33
34
|
return [] if mocked_jwt_payload
|
|
34
35
|
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
36
|
+
configuration.revoked_token_ids || DirectoryCache.fetch(
|
|
37
|
+
"api/v1/revoked_access_tokens.json",
|
|
38
|
+
expires_after: 60.minutes
|
|
39
|
+
)["revoked_token_ids"]
|
|
38
40
|
end
|
|
39
41
|
|
|
40
42
|
def self.included(base)
|
|
@@ -70,24 +72,24 @@ module Zaikio
|
|
|
70
72
|
|
|
71
73
|
token_data = TokenData.new(jwt_payload)
|
|
72
74
|
|
|
73
|
-
return if
|
|
75
|
+
return if show_error_if_token_is_revoked(token_data)
|
|
74
76
|
|
|
75
77
|
return if show_error_if_authorize_by_jwt_subject_type_fails(token_data)
|
|
76
78
|
|
|
77
79
|
return if show_error_if_authorize_by_jwt_scopes_fails(token_data)
|
|
78
80
|
|
|
79
|
-
send(:after_jwt_auth, token_data) if respond_to?(:after_jwt_auth)
|
|
81
|
+
send(:after_jwt_auth, token_data) if respond_to?(:after_jwt_auth, true)
|
|
80
82
|
rescue JWT::ExpiredSignature
|
|
81
83
|
render_error("jwt_expired") && (return)
|
|
82
84
|
rescue JWT::DecodeError
|
|
83
85
|
render_error("invalid_jwt") && (return)
|
|
84
86
|
end
|
|
85
87
|
|
|
86
|
-
def
|
|
88
|
+
def update_revoked_access_tokens_by_webhook
|
|
87
89
|
return unless params[:name] == "directory.revoked_access_token"
|
|
88
90
|
|
|
89
|
-
DirectoryCache.update("api/v1/
|
|
90
|
-
data["
|
|
91
|
+
DirectoryCache.update("api/v1/revoked_access_tokens.json", expires_after: 60.minutes) do |data|
|
|
92
|
+
data["revoked_token_ids"] << params[:payload][:access_token_id]
|
|
91
93
|
data
|
|
92
94
|
end
|
|
93
95
|
|
|
@@ -130,7 +132,7 @@ module Zaikio
|
|
|
130
132
|
render_error("unpermitted_subject")
|
|
131
133
|
end
|
|
132
134
|
|
|
133
|
-
def
|
|
135
|
+
def show_error_if_token_is_revoked(token_data)
|
|
134
136
|
return unless Zaikio::JWTAuth.revoked_jwt?(token_data.jti)
|
|
135
137
|
|
|
136
138
|
render_error("invalid_jwt")
|
|
@@ -4,25 +4,24 @@ module Zaikio
|
|
|
4
4
|
module JWTAuth
|
|
5
5
|
class Configuration
|
|
6
6
|
HOSTS = {
|
|
7
|
-
development: "http://
|
|
8
|
-
test: "http://
|
|
9
|
-
staging: "https://
|
|
10
|
-
sandbox: "https://
|
|
11
|
-
production: "https://
|
|
7
|
+
development: "http://hub.zaikio.test",
|
|
8
|
+
test: "http://hub.zaikio.test",
|
|
9
|
+
staging: "https://hub.staging.zaikio.com",
|
|
10
|
+
sandbox: "https://hub.sandbox.zaikio.com",
|
|
11
|
+
production: "https://hub.zaikio.com"
|
|
12
12
|
}.freeze
|
|
13
13
|
|
|
14
|
-
attr_accessor :app_name
|
|
15
|
-
attr_accessor :redis, :host
|
|
14
|
+
attr_accessor :app_name, :redis, :host
|
|
16
15
|
attr_reader :environment
|
|
17
|
-
attr_writer :logger, :
|
|
16
|
+
attr_writer :logger, :revoked_token_ids, :keys
|
|
18
17
|
|
|
19
18
|
def initialize
|
|
20
19
|
@environment = :sandbox
|
|
21
|
-
@
|
|
20
|
+
@revoked_token_ids = nil
|
|
22
21
|
end
|
|
23
22
|
|
|
24
23
|
def logger
|
|
25
|
-
@logger ||= Logger.new(
|
|
24
|
+
@logger ||= Logger.new($stdout)
|
|
26
25
|
end
|
|
27
26
|
|
|
28
27
|
def environment=(env)
|
|
@@ -31,11 +30,11 @@ module Zaikio
|
|
|
31
30
|
end
|
|
32
31
|
|
|
33
32
|
def keys
|
|
34
|
-
@keys.is_a?(Proc) ? @keys.call : @keys
|
|
33
|
+
defined?(@keys) && @keys.is_a?(Proc) ? @keys.call : @keys
|
|
35
34
|
end
|
|
36
35
|
|
|
37
|
-
def
|
|
38
|
-
@
|
|
36
|
+
def revoked_token_ids
|
|
37
|
+
@revoked_token_ids.is_a?(Proc) ? @revoked_token_ids.call : @revoked_token_ids
|
|
39
38
|
end
|
|
40
39
|
|
|
41
40
|
private
|
|
@@ -14,7 +14,7 @@ module Zaikio
|
|
|
14
14
|
jti: "unique-access-token-id",
|
|
15
15
|
nbf: Time.now.to_i,
|
|
16
16
|
exp: 1.hour.from_now.to_i,
|
|
17
|
-
jku: "http://
|
|
17
|
+
jku: "http://hub.zaikio.test/api/v1/jwt_public_keys.json",
|
|
18
18
|
scope: []
|
|
19
19
|
}.merge(extra_payload).stringify_keys
|
|
20
20
|
end
|
|
@@ -2,7 +2,7 @@ module Zaikio
|
|
|
2
2
|
module JWTAuth
|
|
3
3
|
class TokenData
|
|
4
4
|
def self.subject_format
|
|
5
|
-
%r{^((\w+)/((\w|-)+)
|
|
5
|
+
%r{^((\w+)/((\w|-)+)>)?(\w+)/((\w|-)+)$}
|
|
6
6
|
end
|
|
7
7
|
|
|
8
8
|
def self.actions_by_permission
|
|
@@ -33,6 +33,10 @@ module Zaikio
|
|
|
33
33
|
@payload["jti"]
|
|
34
34
|
end
|
|
35
35
|
|
|
36
|
+
def expires_at
|
|
37
|
+
Time.zone.at(@payload["exp"]).to_datetime
|
|
38
|
+
end
|
|
39
|
+
|
|
36
40
|
# scope_options is an array of objects with:
|
|
37
41
|
# scope, app_name (optional), except/only (array, optional)
|
|
38
42
|
def scope_by_configurations?(scope_configurations, action_name, context)
|
metadata
CHANGED
|
@@ -1,14 +1,16 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: zaikio-jwt_auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
|
-
-
|
|
7
|
+
- crispymtn
|
|
8
|
+
- Jalyna Schröder
|
|
9
|
+
- Martin Spickermann
|
|
8
10
|
autorequire:
|
|
9
11
|
bindir: bin
|
|
10
12
|
cert_chain: []
|
|
11
|
-
date:
|
|
13
|
+
date: 2021-01-06 00:00:00.000000000 Z
|
|
12
14
|
dependencies:
|
|
13
15
|
- !ruby/object:Gem::Dependency
|
|
14
16
|
name: oj
|
|
@@ -54,7 +56,9 @@ dependencies:
|
|
|
54
56
|
version: 2.2.1
|
|
55
57
|
description: JWT-Based authentication and authorization with zaikio.
|
|
56
58
|
email:
|
|
59
|
+
- op@crispymtn.com
|
|
57
60
|
- js@crispymtn.com
|
|
61
|
+
- spickermann@gmail.com
|
|
58
62
|
executables: []
|
|
59
63
|
extensions: []
|
|
60
64
|
extra_rdoc_files: []
|
|
@@ -86,14 +90,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
86
90
|
requirements:
|
|
87
91
|
- - ">="
|
|
88
92
|
- !ruby/object:Gem::Version
|
|
89
|
-
version:
|
|
93
|
+
version: 2.6.5
|
|
90
94
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
91
95
|
requirements:
|
|
92
96
|
- - ">="
|
|
93
97
|
- !ruby/object:Gem::Version
|
|
94
98
|
version: '0'
|
|
95
99
|
requirements: []
|
|
96
|
-
rubygems_version: 3.
|
|
100
|
+
rubygems_version: 3.0.3
|
|
97
101
|
signing_key:
|
|
98
102
|
specification_version: 4
|
|
99
103
|
summary: JWT-Based authentication and authorization with zaikio
|