RubyGems - zaikio-jwt_auth - Versions diffs - 2.2.0 → 2.3.0 - Mend

zaikio-jwt_auth 2.2.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/zaikio/jwt_auth/directory_cache.rb +18 -6
data/lib/zaikio/jwt_auth/jwk.rb +1 -1
data/lib/zaikio/jwt_auth/token_data.rb +3 -24
data/lib/zaikio/jwt_auth/version.rb +1 -1
data/lib/zaikio/jwt_auth.rb +62 -8
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 10365dcb96c417de5f8226e97fc835334e5b6ed92868fead27d443565013c7d3
-  data.tar.gz: 5c66b0a5359ab1db156861650ccb142ec1e5572074000fb8c0c4c1740ccc833c
+  metadata.gz: 69257f2c9dcf661babfc6b5600c0b4b724c32b4e92ffb6743e47a560e020a81c
+  data.tar.gz: 0b61afe2f4587ba84ac3e922bcb67024b8ec9f53b69cdbf155c17b4c556388d6
 SHA512:
-  metadata.gz: b52f0baddf61c6d418b0b82a1e003a82fde64484182485662111ec52a8d37275886db7c282ab9ab7d211888eb64c760d2541662905200e80f016c13dcb04566a
-  data.tar.gz: 815b388a900b8b3f6d10a46f9a0968f6c51c7227fe232ef44ecb2509f4c23d9dbea34482de4f9229af6de455e98bf3d31529ab86618d30685dcfcae2e4cc6881
+  metadata.gz: 7717ef3559a647592cca0568e09531fdd8854c61d2dcdfb64077faec8bf0bd31e3dc87336b62dd0fa6b6673cbc6de4dfc5fb94d3371e2c9598e295d18e4d8578
+  data.tar.gz: 82094718a024d29a023220560517c77d59bc29b7d4dc293419b23ee9204bd936f6d14e76c4b2698c95a71ca0f72bddbb6bc2387d70b801f85da86b2ad2b86b5f

data/lib/zaikio/jwt_auth/directory_cache.rb CHANGED Viewed

@@ -15,17 +15,29 @@ module Zaikio
       BadResponseError = Class.new(StandardError)
       class << self
+        # Retrieve some data from the Hub, reachable at `directory_path`. Attempts to
+        # retrieve data from a cache first (usually Redis, if configured). Caching can be
+        # skipped by setting an `:invalidate` option, or if the cached data is stale it
+        # will be refetched from the Hub anyway. Please note that this method can return
+        # `nil` if there is no cache available and the Hub is giving error responses or
+        # failures.
+        #
+        # @example Fetching revoked access token information
+        #
+        #   DirectoryCache.fetch("api/v1/revoked_access_tokens.json")
+        #
+        # @returns Hash (in the happy path)
+        # @returns nil (if the cache is unavailable and the API is down)
         def fetch(directory_path, options = {})
           cache = Zaikio::JWTAuth.configuration.cache.read("zaikio::jwt_auth::#{directory_path}")
-          json = Oj.load(cache) if cache
+          return reload_or_enqueue(directory_path) unless cache
-          if !cache || options[:invalidate] || cache_expired?(json, options[:expires_after])
-            new_values = reload_or_enqueue(directory_path)
-            return new_values || json["data"]
-          end
+          json = Oj.load(cache)
-          json["data"]
+          if options[:invalidate] || cache_expired?(json, options[:expires_after])
+            reload_or_enqueue(directory_path)
+          end || json["data"]
         end
         def update(directory_path, options = {})

data/lib/zaikio/jwt_auth/jwk.rb CHANGED Viewed

@@ -30,7 +30,7 @@ module Zaikio
         def keys
           return Zaikio::JWTAuth.configuration.keys if Zaikio::JWTAuth.configuration.keys
-          fetch_from_cache["keys"]
+          fetch_from_cache.fetch("keys")
         end
         def fetch_from_cache(options = {})

data/lib/zaikio/jwt_auth/token_data.rb CHANGED Viewed

@@ -47,36 +47,15 @@ module Zaikio
       # scope_options is an array of objects with:
       # scope, app_name (optional), except/only (array, optional), type (read, write, readwrite)
-      def scope_by_configurations?(scope_configurations, action_name, context) # rubocop:disable Metrics/AbcSize
-        configuration = scope_configurations.find do |scope_configuration|
-          action_matches = action_matches_config?(scope_configuration, action_name)
-          if action_matches && scope_configuration[:if] && !context.instance_exec(&scope_configuration[:if])
-            false
-          elsif action_matches && scope_configuration[:unless] && context.instance_exec(&scope_configuration[:unless])
-            false
-          else
-            action_matches
-          end
-        end
+      def scope_by_configurations?(configuration, action_name)
         return true unless configuration
         scope?(configuration[:scopes], action_name, app_name: configuration[:app_name], type: configuration[:type])
       end
-      def action_matches_config?(scope_configuration, action_name)
-        if scope_configuration[:only]
-          Array(scope_configuration[:only]).any? { |a| a.to_s == action_name }
-        elsif scope_configuration[:except]
-          Array(scope_configuration[:except]).none? { |a| a.to_s == action_name }
-        else
-          true
-        end
-      end
-      def scope?(allowed_scopes, action_name, app_name: nil, type: nil)
+      def scope?(allowed_scopes, action_name, app_name: nil, type: nil, scope: nil) # rubocop:disable Metrics/AbcSize
         app_name ||= Zaikio::JWTAuth.configuration.app_name
+        scope ||= self.scope
         Array(allowed_scopes).map(&:to_s).any? do |allowed_scope|
           scope.any? do |s|
             parts = s.split(".")

data/lib/zaikio/jwt_auth/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Zaikio
   module JWTAuth
-    VERSION = "2.2.0".freeze
+    VERSION = "2.3.0".freeze
   end
 end

data/lib/zaikio/jwt_auth.rb CHANGED Viewed

@@ -12,6 +12,8 @@ require "zaikio/jwt_auth/test_helper"
 module Zaikio
   module JWTAuth
+    DOCS_LINK = "For more information check our docs: https://docs.zaikio.com/guide/oauth/scopes.html".freeze
     class << self
       attr_accessor :configuration
     end
@@ -34,10 +36,14 @@ module Zaikio
     def self.revoked_token_ids
       return [] if mocked_jwt_payload
-      configuration.revoked_token_ids || DirectoryCache.fetch(
+      return configuration.revoked_token_ids if configuration.revoked_token_ids
+      result = DirectoryCache.fetch(
         "api/v1/revoked_access_tokens.json",
         expires_after: 60.minutes
-      )["revoked_token_ids"]
+      ) || {}
+      result.fetch("revoked_token_ids", [])
     end
     def self.included(base)
@@ -125,14 +131,61 @@ module Zaikio
       private
+      def find_scope_configuration(scope_configurations)
+        scope_configurations.find do |scope_configuration|
+          action_matches = action_matches_config?(scope_configuration)
+          if action_matches && scope_configuration[:if] && !instance_exec(&scope_configuration[:if])
+            false
+          elsif action_matches && scope_configuration[:unless] && instance_exec(&scope_configuration[:unless])
+            false
+          else
+            action_matches
+          end
+        end
+      end
+      def action_matches_config?(scope_configuration)
+        if scope_configuration[:only]
+          Array(scope_configuration[:only]).any? { |a| a.to_s == action_name }
+        elsif scope_configuration[:except]
+          Array(scope_configuration[:except]).none? { |a| a.to_s == action_name }
+        else
+          true
+        end
+      end
+      def required_scopes(token_data, configuration)
+        Array(configuration[:scopes]).flat_map do |allowed_scope|
+          %i[r w rw].filter_map do |type|
+            app_name = configuration[:app_name] || Zaikio::JWTAuth.configuration.app_name
+            full_scope = "#{app_name}.#{allowed_scope}.#{type}"
+            if token_data.scope?([allowed_scope], action_name, app_name: app_name, type: configuration[:type],
+                                                               scope: [full_scope])
+              full_scope
+            end
+          end
+        end
+      end
       def show_error_if_authorize_by_jwt_scopes_fails(token_data)
+        configuration = find_scope_configuration(self.class.authorize_by_jwt_scopes)
         return if token_data.scope_by_configurations?(
-          self.class.authorize_by_jwt_scopes,
-          action_name,
-          self
+          configuration,
+          action_name
         )
-        render_error("unpermitted_scope")
+        details = nil
+        if configuration
+          required_scopes = required_scopes(token_data, configuration)
+          details = "This endpoint requires one of the following scopes: #{required_scopes.join(', ')} but your " \
+          "access token only includes the following scopes: #{token_data.scope.join(', ')} - #{DOCS_LINK}"
+        end
+        render_error(["unpermitted_scope", details])
       end
       def show_error_if_authorize_by_jwt_subject_type_fails(token_data)
@@ -141,7 +194,8 @@ module Zaikio
           return
         end
-        render_error("unpermitted_subject")
+        render_error(["unpermitted_subject", "Expected Subject Type: #{self.class.authorize_by_jwt_subject_type} | "\
+        "Subject type from Access Token: #{token_data.subject_type} - #{DOCS_LINK}"])
       end
       def show_error_if_token_is_revoked(token_data)
@@ -151,7 +205,7 @@ module Zaikio
       end
       def render_error(error, status: :forbidden)
-        render(status: status, json: { "errors" => [error] })
+        render(status: status, json: { "errors" => Array(error).compact })
       end
       def jwt_options

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.3.0
 platform: ruby
 authors:
 - crispymtn
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-28 00:00:00.000000000 Z
+date: 2023-02-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activejob