zaikio-jwt_auth 2.2.0 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 10365dcb96c417de5f8226e97fc835334e5b6ed92868fead27d443565013c7d3
-  data.tar.gz: 5c66b0a5359ab1db156861650ccb142ec1e5572074000fb8c0c4c1740ccc833c
+  metadata.gz: 3f46dba4c35870df1d25710905ff3451588f23f1fa8d02e304d9555c6816319c
+  data.tar.gz: 42124c9514465ee6bd6a7a069402730cd0049ec6c9be2fea0e6348107176be6b
 SHA512:
-  metadata.gz: b52f0baddf61c6d418b0b82a1e003a82fde64484182485662111ec52a8d37275886db7c282ab9ab7d211888eb64c760d2541662905200e80f016c13dcb04566a
-  data.tar.gz: 815b388a900b8b3f6d10a46f9a0968f6c51c7227fe232ef44ecb2509f4c23d9dbea34482de4f9229af6de455e98bf3d31529ab86618d30685dcfcae2e4cc6881
+  metadata.gz: '018c6eb5215993e066d7f4b080250df0f1e02788675c86ce6da62d75a378c7f96e0d63b7b94cd81dea5ecc01d7c0fda8775691fb90ca05ab250708e0dbb3a4ba'
+  data.tar.gz: 0cfdfc49f7c07fb39c076b693371bff9cc444e3a39aeb740bb281208cb9acf9651e84ad77662bd871399cda5b2d2666a515b0c86b39bec5f75bc06b1184427c9

data/lib/zaikio/jwt_auth/directory_cache.rb

@@ -15,17 +15,29 @@ module Zaikio
       BadResponseError = Class.new(StandardError)
 
       class << self
+        # Retrieve some data from the Hub, reachable at `directory_path`. Attempts to
+        # retrieve data from a cache first (usually Redis, if configured). Caching can be
+        # skipped by setting an `:invalidate` option, or if the cached data is stale it
+        # will be refetched from the Hub anyway. Please note that this method can return
+        # `nil` if there is no cache available and the Hub is giving error responses or
+        # failures.
+        #
+        # @example Fetching revoked access token information
+        #
+        #   DirectoryCache.fetch("api/v1/revoked_access_tokens.json")
+        #
+        # @returns Hash (in the happy path)
+        # @returns nil (if the cache is unavailable and the API is down)
         def fetch(directory_path, options = {})
           cache = Zaikio::JWTAuth.configuration.cache.read("zaikio::jwt_auth::#{directory_path}")
 
-          json = Oj.load(cache) if cache
+          return reload_or_enqueue(directory_path) unless cache
 
-          if !cache || options[:invalidate] || cache_expired?(json, options[:expires_after])
-            new_values = reload_or_enqueue(directory_path)
-            return new_values || json["data"]
-          end
+          json = Oj.load(cache)
 
-          json["data"]
+          if options[:invalidate] || cache_expired?(json, options[:expires_after])
+            reload_or_enqueue(directory_path)
+          end || json["data"]
         end
 
         def update(directory_path, options = {})
@@ -58,7 +70,7 @@ module Zaikio
         rescue Errno::ECONNREFUSED, Net::ReadTimeout, BadResponseError
           Zaikio::JWTAuth.configuration.logger
                          .info("Error updating DirectoryCache(#{directory_path}), enqueueing job to update")
-          UpdateJob.set(wait: 10.seconds).perform_later(directory_path)
+          UpdateJob.perform_later(directory_path)
           nil
         end
 

data/lib/zaikio/jwt_auth/jwk.rb

@@ -30,7 +30,7 @@ module Zaikio
         def keys
           return Zaikio::JWTAuth.configuration.keys if Zaikio::JWTAuth.configuration.keys
 
-          fetch_from_cache["keys"]
+          fetch_from_cache.fetch("keys")
         end
 
         def fetch_from_cache(options = {})

data/lib/zaikio/jwt_auth/token_data.rb

@@ -47,36 +47,15 @@ module Zaikio
 
       # scope_options is an array of objects with:
       # scope, app_name (optional), except/only (array, optional), type (read, write, readwrite)
-      def scope_by_configurations?(scope_configurations, action_name, context) # rubocop:disable Metrics/AbcSize
-        configuration = scope_configurations.find do |scope_configuration|
-          action_matches = action_matches_config?(scope_configuration, action_name)
-
-          if action_matches && scope_configuration[:if] && !context.instance_exec(&scope_configuration[:if])
-            false
-          elsif action_matches && scope_configuration[:unless] && context.instance_exec(&scope_configuration[:unless])
-            false
-          else
-            action_matches
-          end
-        end
-
+      def scope_by_configurations?(configuration, action_name)
         return true unless configuration
 
         scope?(configuration[:scopes], action_name, app_name: configuration[:app_name], type: configuration[:type])
       end
 
-      def action_matches_config?(scope_configuration, action_name)
-        if scope_configuration[:only]
-          Array(scope_configuration[:only]).any? { |a| a.to_s == action_name }
-        elsif scope_configuration[:except]
-          Array(scope_configuration[:except]).none? { |a| a.to_s == action_name }
-        else
-          true
-        end
-      end
-
-      def scope?(allowed_scopes, action_name, app_name: nil, type: nil)
+      def scope?(allowed_scopes, action_name, app_name: nil, type: nil, scope: nil) # rubocop:disable Metrics/AbcSize
         app_name ||= Zaikio::JWTAuth.configuration.app_name
+        scope ||= self.scope
         Array(allowed_scopes).map(&:to_s).any? do |allowed_scope|
           scope.any? do |s|
             parts = s.split(".")

data/lib/zaikio/jwt_auth/version.rb

@@ -1,5 +1,5 @@
 module Zaikio
   module JWTAuth
-    VERSION = "2.2.0".freeze
+    VERSION = "2.4.0".freeze
   end
 end

data/lib/zaikio/jwt_auth.rb

@@ -12,6 +12,8 @@ require "zaikio/jwt_auth/test_helper"
 
 module Zaikio
   module JWTAuth
+    DOCS_LINK = "For more information check our docs: https://docs.zaikio.com/guide/oauth/scopes.html".freeze
+
     class << self
       attr_accessor :configuration
     end
@@ -34,10 +36,14 @@ module Zaikio
     def self.revoked_token_ids
       return [] if mocked_jwt_payload
 
-      configuration.revoked_token_ids || DirectoryCache.fetch(
+      return configuration.revoked_token_ids if configuration.revoked_token_ids
+
+      result = DirectoryCache.fetch(
         "api/v1/revoked_access_tokens.json",
         expires_after: 60.minutes
-      )["revoked_token_ids"]
+      ) || {}
+
+      result.fetch("revoked_token_ids", [])
     end
 
     def self.included(base)
@@ -125,14 +131,61 @@ module Zaikio
 
       private
 
+      def find_scope_configuration(scope_configurations)
+        scope_configurations.find do |scope_configuration|
+          action_matches = action_matches_config?(scope_configuration)
+
+          if action_matches && scope_configuration[:if] && !instance_exec(&scope_configuration[:if])
+            false
+          elsif action_matches && scope_configuration[:unless] && instance_exec(&scope_configuration[:unless])
+            false
+          else
+            action_matches
+          end
+        end
+      end
+
+      def action_matches_config?(scope_configuration)
+        if scope_configuration[:only]
+          Array(scope_configuration[:only]).any? { |a| a.to_s == action_name }
+        elsif scope_configuration[:except]
+          Array(scope_configuration[:except]).none? { |a| a.to_s == action_name }
+        else
+          true
+        end
+      end
+
+      def required_scopes(token_data, configuration)
+        Array(configuration[:scopes]).flat_map do |allowed_scope|
+          %i[r w rw].filter_map do |type|
+            app_name = configuration[:app_name] || Zaikio::JWTAuth.configuration.app_name
+            full_scope = "#{app_name}.#{allowed_scope}.#{type}"
+            if token_data.scope?([allowed_scope], action_name, app_name: app_name, type: configuration[:type],
+                                                               scope: [full_scope])
+              full_scope
+            end
+          end
+        end
+      end
+
       def show_error_if_authorize_by_jwt_scopes_fails(token_data)
+        configuration = find_scope_configuration(self.class.authorize_by_jwt_scopes)
+
         return if token_data.scope_by_configurations?(
-          self.class.authorize_by_jwt_scopes,
-          action_name,
-          self
+          configuration,
+          action_name
         )
 
-        render_error("unpermitted_scope")
+        details = nil
+
+        if configuration
+          required_scopes = required_scopes(token_data, configuration)
+
+          details = "This endpoint requires one of the following scopes: #{required_scopes.join(', ')} but your " \
+          "access token only includes the following scopes: #{token_data.scope.join(', ')} - #{DOCS_LINK}"
+        end
+
+        render_error(["unpermitted_scope", details])
       end
 
       def show_error_if_authorize_by_jwt_subject_type_fails(token_data)
@@ -141,7 +194,8 @@ module Zaikio
           return
         end
 
-        render_error("unpermitted_subject")
+        render_error(["unpermitted_subject", "Expected Subject Type: #{self.class.authorize_by_jwt_subject_type} | "\
+        "Subject type from Access Token: #{token_data.subject_type} - #{DOCS_LINK}"])
       end
 
       def show_error_if_token_is_revoked(token_data)
@@ -151,7 +205,7 @@ module Zaikio
       end
 
       def render_error(error, status: :forbidden)
-        render(status: status, json: { "errors" => [error] })
+        render(status: status, json: { "errors" => Array(error).compact })
       end
 
       def jwt_options

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-jwt_auth
 version: !ruby/object:Gem::Version
-  version: 2.2.0
+  version: 2.4.0
 platform: ruby
 authors:
 - crispymtn
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-09-28 00:00:00.000000000 Z
+date: 2023-03-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activejob