zaikio-jwt_auth 2.1.1 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1f9c9c81be4267790236a02e7b3ffe5b6f7e1aa8ac13196e421b6140cb109081
-  data.tar.gz: 9081893a8669d3729bba2ccc7f8bc03eeb71ca371c637fddfc6d245d1ad0cfd1
+  metadata.gz: 69257f2c9dcf661babfc6b5600c0b4b724c32b4e92ffb6743e47a560e020a81c
+  data.tar.gz: 0b61afe2f4587ba84ac3e922bcb67024b8ec9f53b69cdbf155c17b4c556388d6
 SHA512:
-  metadata.gz: 4c57d8b69bf85297feaf2486fe809de05c2cc2a2deed4a1123b9a27a4503b39d71182ff8cf8f2550e9ee9105729957e8d3395ec223ad146fa258c08132da0b31
-  data.tar.gz: dabda6c4b3aa7ed7c1ffe41b0e14d40994db16918c85a9e86535fb7deb369af37226752b5e74ff925cb3e31d2919336066b9f1d626a3619c0dbfefe967d602ab
+  metadata.gz: 7717ef3559a647592cca0568e09531fdd8854c61d2dcdfb64077faec8bf0bd31e3dc87336b62dd0fa6b6673cbc6de4dfc5fb94d3371e2c9598e295d18e4d8578
+  data.tar.gz: 82094718a024d29a023220560517c77d59bc29b7d4dc293419b23ee9204bd936f6d14e76c4b2698c95a71ca0f72bddbb6bc2387d70b801f85da86b2ad2b86b5f

data/README.md

@@ -134,6 +134,27 @@ class ResourcesControllerTest < ActionDispatch::IntegrationTest
 end
 ```
 
+### 8. Setup rack-attack for throttling
+
+This gem ships with a rack middleware that should be used to throttle requests by app and/or subject. You can use the middleware with [rack-attack](https://github.com/rack/rack-attack) as described here:
+
+```rb
+# config/initializers/rack_attack.rb
+
+MyApp::Application.config.middleware.insert_before Rack::Attack, Zaikio::JWTAuth::RackMiddleware
+
+class Rack::Attack
+  Rack::Attack.throttled_response_retry_after_header = true
+
+  throttle("zaikio/by_app_sub", limit: 600, period: 1.minute) do |request|
+    next unless request.path.start_with?("/api/")
+    next unless request.env[Zaikio::JWTAuth::RackMiddleware::SUBJECT] # does not use zaikio JWT
+
+    "#{request.env[Zaikio::JWTAuth::RackMiddleware::AUDIENCE]}/#{request.env[Zaikio::JWTAuth::RackMiddleware::SUBJECT]}"
+  end
+end
+```
+
 ## Advanced
 
 ### `only` and `except`

data/lib/zaikio/jwt_auth/directory_cache.rb

@@ -15,17 +15,29 @@ module Zaikio
       BadResponseError = Class.new(StandardError)
 
       class << self
+        # Retrieve some data from the Hub, reachable at `directory_path`. Attempts to
+        # retrieve data from a cache first (usually Redis, if configured). Caching can be
+        # skipped by setting an `:invalidate` option, or if the cached data is stale it
+        # will be refetched from the Hub anyway. Please note that this method can return
+        # `nil` if there is no cache available and the Hub is giving error responses or
+        # failures.
+        #
+        # @example Fetching revoked access token information
+        #
+        #   DirectoryCache.fetch("api/v1/revoked_access_tokens.json")
+        #
+        # @returns Hash (in the happy path)
+        # @returns nil (if the cache is unavailable and the API is down)
         def fetch(directory_path, options = {})
           cache = Zaikio::JWTAuth.configuration.cache.read("zaikio::jwt_auth::#{directory_path}")
 
-          json = Oj.load(cache) if cache
+          return reload_or_enqueue(directory_path) unless cache
 
-          if !cache || options[:invalidate] || cache_expired?(json, options[:expires_after])
-            new_values = reload_or_enqueue(directory_path)
-            return new_values || json["data"]
-          end
+          json = Oj.load(cache)
 
-          json["data"]
+          if options[:invalidate] || cache_expired?(json, options[:expires_after])
+            reload_or_enqueue(directory_path)
+          end || json["data"]
         end
 
         def update(directory_path, options = {})

data/lib/zaikio/jwt_auth/jwk.rb

@@ -30,7 +30,7 @@ module Zaikio
         def keys
           return Zaikio::JWTAuth.configuration.keys if Zaikio::JWTAuth.configuration.keys
 
-          fetch_from_cache["keys"]
+          fetch_from_cache.fetch("keys")
         end
 
         def fetch_from_cache(options = {})

data/lib/zaikio/jwt_auth/rack_middleware.rb

@@ -0,0 +1,27 @@
+module Zaikio
+  module JWTAuth
+    class RackMiddleware
+      AUDIENCE = "zaikio.jwt.audience".freeze
+      SUBJECT  = "zaikio.jwt.subject".freeze
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        token_data = begin
+          Zaikio::JWTAuth.extract(env["HTTP_AUTHORIZATION"])
+        rescue JWT::ExpiredSignature, JWT::DecodeError
+          nil
+        end
+
+        if token_data
+          env[AUDIENCE] = token_data.audience || :personal_token
+          env[SUBJECT] = token_data.subject
+        end
+
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/zaikio/jwt_auth/token_data.rb

@@ -47,36 +47,15 @@ module Zaikio
 
       # scope_options is an array of objects with:
       # scope, app_name (optional), except/only (array, optional), type (read, write, readwrite)
-      def scope_by_configurations?(scope_configurations, action_name, context) # rubocop:disable Metrics/AbcSize
-        configuration = scope_configurations.find do |scope_configuration|
-          action_matches = action_matches_config?(scope_configuration, action_name)
-
-          if action_matches && scope_configuration[:if] && !context.instance_exec(&scope_configuration[:if])
-            false
-          elsif action_matches && scope_configuration[:unless] && context.instance_exec(&scope_configuration[:unless])
-            false
-          else
-            action_matches
-          end
-        end
-
+      def scope_by_configurations?(configuration, action_name)
         return true unless configuration
 
         scope?(configuration[:scopes], action_name, app_name: configuration[:app_name], type: configuration[:type])
       end
 
-      def action_matches_config?(scope_configuration, action_name)
-        if scope_configuration[:only]
-          Array(scope_configuration[:only]).any? { |a| a.to_s == action_name }
-        elsif scope_configuration[:except]
-          Array(scope_configuration[:except]).none? { |a| a.to_s == action_name }
-        else
-          true
-        end
-      end
-
-      def scope?(allowed_scopes, action_name, app_name: nil, type: nil)
+      def scope?(allowed_scopes, action_name, app_name: nil, type: nil, scope: nil) # rubocop:disable Metrics/AbcSize
         app_name ||= Zaikio::JWTAuth.configuration.app_name
+        scope ||= self.scope
         Array(allowed_scopes).map(&:to_s).any? do |allowed_scope|
           scope.any? do |s|
             parts = s.split(".")
@@ -95,6 +74,10 @@ module Zaikio
         subject_match[5]
       end
 
+      def subject
+        "#{subject_type}/#{subject_id}"
+      end
+
       def on_behalf_of_id
         subject_match[3]
       end

data/lib/zaikio/jwt_auth/version.rb

@@ -1,5 +1,5 @@
 module Zaikio
   module JWTAuth
-    VERSION = "2.1.1".freeze
+    VERSION = "2.3.0".freeze
   end
 end

data/lib/zaikio/jwt_auth.rb

@@ -6,11 +6,14 @@ require "zaikio/jwt_auth/configuration"
 require "zaikio/jwt_auth/directory_cache"
 require "zaikio/jwt_auth/jwk"
 require "zaikio/jwt_auth/token_data"
+require "zaikio/jwt_auth/rack_middleware"
 require "zaikio/jwt_auth/engine"
 require "zaikio/jwt_auth/test_helper"
 
 module Zaikio
   module JWTAuth
+    DOCS_LINK = "For more information check our docs: https://docs.zaikio.com/guide/oauth/scopes.html".freeze
+
     class << self
       attr_accessor :configuration
     end
@@ -33,10 +36,14 @@ module Zaikio
     def self.revoked_token_ids
       return [] if mocked_jwt_payload
 
-      configuration.revoked_token_ids || DirectoryCache.fetch(
+      return configuration.revoked_token_ids if configuration.revoked_token_ids
+
+      result = DirectoryCache.fetch(
         "api/v1/revoked_access_tokens.json",
         expires_after: 60.minutes
-      )["revoked_token_ids"]
+      ) || {}
+
+      result.fetch("revoked_token_ids", [])
     end
 
     def self.included(base)
@@ -124,14 +131,61 @@ module Zaikio
 
       private
 
+      def find_scope_configuration(scope_configurations)
+        scope_configurations.find do |scope_configuration|
+          action_matches = action_matches_config?(scope_configuration)
+
+          if action_matches && scope_configuration[:if] && !instance_exec(&scope_configuration[:if])
+            false
+          elsif action_matches && scope_configuration[:unless] && instance_exec(&scope_configuration[:unless])
+            false
+          else
+            action_matches
+          end
+        end
+      end
+
+      def action_matches_config?(scope_configuration)
+        if scope_configuration[:only]
+          Array(scope_configuration[:only]).any? { |a| a.to_s == action_name }
+        elsif scope_configuration[:except]
+          Array(scope_configuration[:except]).none? { |a| a.to_s == action_name }
+        else
+          true
+        end
+      end
+
+      def required_scopes(token_data, configuration)
+        Array(configuration[:scopes]).flat_map do |allowed_scope|
+          %i[r w rw].filter_map do |type|
+            app_name = configuration[:app_name] || Zaikio::JWTAuth.configuration.app_name
+            full_scope = "#{app_name}.#{allowed_scope}.#{type}"
+            if token_data.scope?([allowed_scope], action_name, app_name: app_name, type: configuration[:type],
+                                                               scope: [full_scope])
+              full_scope
+            end
+          end
+        end
+      end
+
       def show_error_if_authorize_by_jwt_scopes_fails(token_data)
+        configuration = find_scope_configuration(self.class.authorize_by_jwt_scopes)
+
         return if token_data.scope_by_configurations?(
-          self.class.authorize_by_jwt_scopes,
-          action_name,
-          self
+          configuration,
+          action_name
         )
 
-        render_error("unpermitted_scope")
+        details = nil
+
+        if configuration
+          required_scopes = required_scopes(token_data, configuration)
+
+          details = "This endpoint requires one of the following scopes: #{required_scopes.join(', ')} but your " \
+          "access token only includes the following scopes: #{token_data.scope.join(', ')} - #{DOCS_LINK}"
+        end
+
+        render_error(["unpermitted_scope", details])
       end
 
       def show_error_if_authorize_by_jwt_subject_type_fails(token_data)
@@ -140,7 +194,8 @@ module Zaikio
           return
         end
 
-        render_error("unpermitted_subject")
+        render_error(["unpermitted_subject", "Expected Subject Type: #{self.class.authorize_by_jwt_subject_type} | "\
+        "Subject type from Access Token: #{token_data.subject_type} - #{DOCS_LINK}"])
       end
 
       def show_error_if_token_is_revoked(token_data)
@@ -150,7 +205,7 @@ module Zaikio
       end
 
       def render_error(error, status: :forbidden)
-        render(status: status, json: { "errors" => [error] })
+        render(status: status, json: { "errors" => Array(error).compact })
       end
 
       def jwt_options

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 2.1.1
+  version: 2.3.0
 platform: ruby
 authors:
 - crispymtn
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-09-06 00:00:00.000000000 Z
+date: 2023-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activejob
@@ -88,6 +88,7 @@ files:
 - lib/zaikio/jwt_auth/directory_cache.rb
 - lib/zaikio/jwt_auth/engine.rb
 - lib/zaikio/jwt_auth/jwk.rb
+- lib/zaikio/jwt_auth/rack_middleware.rb
 - lib/zaikio/jwt_auth/railtie.rb
 - lib/zaikio/jwt_auth/test_helper.rb
 - lib/zaikio/jwt_auth/token_data.rb