zaikio-jwt_auth 1.0.1 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4103bf1e59a9fa8a68a868c33d785082993255fe24616a01c1113a5a8026dcfe
-  data.tar.gz: e0be8641749a07f97620c73a56a97211ba51e9fe4f9dc6e1bdbaa5dd0422b0e3
+  metadata.gz: e030f7e4c7f0be8b37a722ff691b7bf1398cd31ca449b41a9923b51f5a008df8
+  data.tar.gz: 13a0d7a174af3ca58772b116e22d2fcc893291d59010ce127df82f1dca77ea5c
 SHA512:
-  metadata.gz: 28c8d6ea0b394450f7ae0027e9388fca1a9bd449213b6825356c65452e8a3efa4ab670802537cf9e08146d8a6980b5cbb22f2efa5cdec4c4b271b4c02b759fcf
-  data.tar.gz: 647aa957f6e7d82ca26b50169fd265b30e144dcef5a26a8273e786c388569ac09babed909a1ddf295255df404f097bc5a867ff5520920d81f37ae4a48a5c60da
+  metadata.gz: c91befdc7f28018a2e19bcafdcbd805ef87467a6fde8fc1b4899b6c6a327a6a89327902f84bdd07f42749c265535cdc3b83bd6289e958fcd2b4d520e46462d94
+  data.tar.gz: aa56620ee2936346ef5b6d73ff0e8189ad8cc46d7ab44ca36783ad744f577513fb4786fa48023f4918491b04f166d9f0db5b66ef8b9f9a7d6ee04a315938bde7

data/README.md

@@ -28,7 +28,9 @@ $ gem install zaikio-jwt_auth
 Zaikio::JWTAuth.configure do |config|
   config.environment = :sandbox # or production
   config.app_name = "test_app" # Your Zaikio App-Name
-  config.redis = Redis.new
+
+  # Enable caching Hub API responses for e.g. revoked tokens
+  config.cache = Rails.cache
 end
 ```
 
@@ -63,6 +65,24 @@ end
 
 By convention, `authorize_by_jwt_scopes` automatically maps all CRUD actions in a controller. Requests for `show` and `index` with a read or read_write scope are allowed. All other actions like `create`, `update` and `destroy` are accepted if the scope is a write or read_write scope. Therefore it is strongly recommended to always create standard Rails resources. If a custom action is required, you will need to authorize yourself using the `after_jwt_auth`.
 
+Both of these behaviours are automatically inherited by child classes, for example:
+
+```ruby
+class API::ChildController < API::ResourcesController
+end
+
+API::ChildController.authorize_by_jwt_subject_type
+#=> "Organization"
+```
+
+You can always override the behaviour in children if needed:
+
+```ruby
+class API::ChildController < API::ResourcesController
+  authorize_by_jwt_subject_type nil
+end
+```
+
 #### Modifying required scopes
 If you nonetheless want to change the required scopes for CRUD routes, you can use the `type` option which accepts the following values: `:read`, `:write`, `:read_write`
 
@@ -165,6 +185,25 @@ rescue JWT::DecodeError, JWT::ExpiredSignature
 end
 ```
 
+### Using a different cache backend
+
+This client supports any implementation of
+[`ActiveSupport::Cache::Store`](https://api.rubyonrails.org/classes/ActiveSupport/Cache/Store.html),
+but you can also write your own client that supports these methods: `#read(key)`,
+`#write(key, value)`, `#delete(key)`
+
+### Pass custom options to JWT auth
+
+In some cases you want to add custom options to the JWT check. For example you want to allow expired JWTs when revoking access tokens.
+
+```rb
+class API::RevokedAccessTokensController < API::ApplicationController
+  def jwt_options
+    { verify_expiration: false }
+  end
+end
+```
+
 ## Contributing
 
 **Make sure you have the dummy app running locally to validate your changes.**

data/lib/zaikio/jwt_auth/configuration.rb

@@ -11,7 +11,7 @@ module Zaikio
         production: "https://hub.zaikio.com"
       }.freeze
 
-      attr_accessor :app_name, :redis, :host
+      attr_accessor :app_name, :cache, :host
       attr_reader :environment
       attr_writer :logger, :revoked_token_ids, :keys
 

data/lib/zaikio/jwt_auth/directory_cache.rb

@@ -16,7 +16,7 @@ module Zaikio
 
       class << self
         def fetch(directory_path, options = {})
-          cache = Zaikio::JWTAuth.configuration.redis.get("zaikio::jwt_auth::#{directory_path}")
+          cache = Zaikio::JWTAuth.configuration.cache.read("zaikio::jwt_auth::#{directory_path}")
 
           json = Oj.load(cache) if cache
 
@@ -31,14 +31,14 @@ module Zaikio
         def update(directory_path, options = {})
           data = fetch(directory_path, options)
           data = yield(data)
-          Zaikio::JWTAuth.configuration.redis.set("zaikio::jwt_auth::#{directory_path}", {
+          Zaikio::JWTAuth.configuration.cache.write("zaikio::jwt_auth::#{directory_path}", {
             fetched_at: Time.now.to_i,
             data: data
           }.to_json)
         end
 
         def reset(directory_path)
-          Zaikio::JWTAuth.configuration.redis.del("zaikio::jwt_auth::#{directory_path}")
+          Zaikio::JWTAuth.configuration.cache.delete("zaikio::jwt_auth::#{directory_path}")
         end
 
         private
@@ -49,28 +49,34 @@ module Zaikio
 
         def reload_or_enqueue(directory_path)
           data = fetch_from_directory(directory_path)
-          Zaikio::JWTAuth.configuration.redis.set("zaikio::jwt_auth::#{directory_path}", {
+          Zaikio::JWTAuth.configuration.cache.write("zaikio::jwt_auth::#{directory_path}", {
             fetched_at: Time.now.to_i,
             data: data
           }.to_json)
 
           data
         rescue Errno::ECONNREFUSED, Net::ReadTimeout, BadResponseError
-          Zaikio::JWTAuth.configuration.logger.info("Error updating DirectoryCache(#{directory_path}), enqueueing job to update")
+          Zaikio::JWTAuth.configuration.logger
+                         .info("Error updating DirectoryCache(#{directory_path}), enqueueing job to update")
           UpdateJob.set(wait: 10.seconds).perform_later(directory_path)
           nil
         end
 
         def fetch_from_directory(directory_path)
-          uri = URI("#{Zaikio::JWTAuth.configuration.host}/#{directory_path}")
-          http = Net::HTTP.new(uri.host, uri.port)
-          http.use_ssl = uri.scheme == "https"
-          response = http.request(Net::HTTP::Get.new(uri.request_uri))
+          response = make_http_request(directory_path)
+
           raise BadResponseError unless (200..299).cover?(response.code.to_i)
           raise BadResponseError unless response["content-type"].to_s.include?("application/json")
 
           Oj.load(response.body)
         end
+
+        def make_http_request(directory_path)
+          uri = URI("#{Zaikio::JWTAuth.configuration.host}/#{directory_path}")
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = uri.scheme == "https"
+          http.request(Net::HTTP::Get.new(uri.request_uri))
+        end
       end
     end
   end

data/lib/zaikio/jwt_auth/version.rb

@@ -1,5 +1,5 @@
 module Zaikio
   module JWTAuth
-    VERSION = "1.0.1".freeze
+    VERSION = "2.1.0".freeze
   end
 end

data/lib/zaikio/jwt_auth.rb

@@ -45,7 +45,7 @@ module Zaikio
     end
 
     def self.mocked_jwt_payload
-      @mocked_jwt_payload
+      instance_variable_defined?(:@mocked_jwt_payload) && @mocked_jwt_payload
     end
 
     def self.mocked_jwt_payload=(payload)
@@ -54,21 +54,27 @@ module Zaikio
 
     HEADER_FORMAT = /\ABearer (.+)\z/.freeze
 
-    def self.extract(authorization_header_string)
+    def self.extract(authorization_header_string, **options)
       return TokenData.new(Zaikio::JWTAuth.mocked_jwt_payload) if Zaikio::JWTAuth.mocked_jwt_payload
 
       return if authorization_header_string.blank?
 
       return unless (token = authorization_header_string[HEADER_FORMAT, 1])
 
-      payload, = JWT.decode(token, nil, true, algorithms: ["RS256"], jwks: JWK.loader)
+      options.reverse_merge!(algorithms: ["RS256"], jwks: JWK.loader)
+
+      payload, = JWT.decode(token, nil, true, **options)
 
       TokenData.new(payload)
     end
 
     module ClassMethods
-      def authorize_by_jwt_subject_type(type = nil)
-        @authorize_by_jwt_subject_type ||= type
+      def authorize_by_jwt_subject_type(type = :_not_given_)
+        if type != :_not_given_
+          @authorize_by_jwt_subject_type = type
+        elsif instance_variable_defined?(:@authorize_by_jwt_subject_type)
+          @authorize_by_jwt_subject_type
+        end
       end
 
       def authorize_by_jwt_scopes(scopes = nil, options = {})
@@ -78,11 +84,18 @@ module Zaikio
 
         @authorize_by_jwt_scopes
       end
+
+      def inherited(child)
+        super(child)
+
+        child.instance_variable_set(:@authorize_by_jwt_subject_type, @authorize_by_jwt_subject_type)
+        child.instance_variable_set(:@authorize_by_jwt_scopes, @authorize_by_jwt_scopes)
+      end
     end
 
     module InstanceMethods
       def authenticate_by_jwt
-        token_data = Zaikio::JWTAuth.extract(request.headers["Authorization"])
+        token_data = Zaikio::JWTAuth.extract(request.headers["Authorization"], **jwt_options)
         return render_error("no_jwt_passed", status: :unauthorized) unless token_data
 
         return if show_error_if_token_is_revoked(token_data)
@@ -139,6 +152,10 @@ module Zaikio
       def render_error(error, status: :forbidden)
         render(status: status, json: { "errors" => [error] })
       end
+
+      def jwt_options
+        {}
+      end
     end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 2.1.0
 platform: ruby
 authors:
 - crispymtn
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-28 00:00:00.000000000 Z
+date: 2022-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activejob
@@ -113,7 +113,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.3.11
 signing_key: 
 specification_version: 4
 summary: JWT-Based authentication and authorization with zaikio