zaikio-jwt_auth 0.1.7 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +33 -40
- data/app/jobs/zaikio/jwt_auth/revoke_access_token_job.rb +12 -0
- data/lib/zaikio/jwt_auth.rb +7 -0
- data/lib/zaikio/jwt_auth/configuration.rb +1 -0
- data/lib/zaikio/jwt_auth/engine.rb +9 -0
- data/lib/zaikio/jwt_auth/version.rb +1 -1
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 608b4341e5cb5797a302e65439882e050044fd2676b0fc01f7931783529ee032
|
|
4
|
+
data.tar.gz: 1dcaeb58daa1f352c352b8a3e65bab7e46618c4dba30f64af2141c25bb1f2dee
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2289f1f2fc4ddc1a84070f6df75ebbfb143b4b0634ff8a64d3c54cfa5fb2741de8734aaa398989fd9fb63a43dde8ccb4849fa497eee8f6e3a1897acd5fde4dcf
|
|
7
|
+
data.tar.gz: 4b935055a6461f2f2e22dec109634e41b40222773fb363811e76d29327eea22d81210a470e6d9865092473d114c1c21646a99bcbb0942cdc4e39229f7f4e8291
|
data/README.md
CHANGED
|
@@ -2,11 +2,9 @@
|
|
|
2
2
|
|
|
3
3
|
Gem for JWT-Based authentication and authorization with zaikio.
|
|
4
4
|
|
|
5
|
-
## Usage
|
|
6
|
-
|
|
7
5
|
## Installation
|
|
8
6
|
|
|
9
|
-
1. Add this line to your application's Gemfile:
|
|
7
|
+
### 1. Add this line to your application's Gemfile:
|
|
10
8
|
|
|
11
9
|
```ruby
|
|
12
10
|
gem 'zaikio-jwt_auth'
|
|
@@ -22,7 +20,7 @@ Or install it yourself as:
|
|
|
22
20
|
$ gem install zaikio-jwt_auth
|
|
23
21
|
```
|
|
24
22
|
|
|
25
|
-
2. Configure the gem:
|
|
23
|
+
### 2. Configure the gem:
|
|
26
24
|
|
|
27
25
|
```rb
|
|
28
26
|
# config/initializers/zaikio_jwt_auth.rb
|
|
@@ -34,7 +32,7 @@ Zaikio::JWTAuth.configure do |config|
|
|
|
34
32
|
end
|
|
35
33
|
```
|
|
36
34
|
|
|
37
|
-
3. Extend your API application controller:
|
|
35
|
+
### 3. Extend your API application controller:
|
|
38
36
|
|
|
39
37
|
```rb
|
|
40
38
|
class API::ApplicationController < ActionController::Base
|
|
@@ -49,42 +47,12 @@ class API::ApplicationController < ActionController::Base
|
|
|
49
47
|
end
|
|
50
48
|
```
|
|
51
49
|
|
|
52
|
-
4. Update Revoked Access Tokens by Webhook
|
|
53
|
-
|
|
54
|
-
```rb
|
|
55
|
-
# ENV['ZAIKIO_SHARED_SECRET'] needs to be defined first, you can find it on your
|
|
56
|
-
# app details page in zaikio. Fore more help read:
|
|
57
|
-
# https://docs.zaikio.com/guide/loom/receiving-events.html
|
|
58
|
-
class WebhooksController < ActionController::Base
|
|
59
|
-
include Zaikio::JWTAuth
|
|
60
|
-
|
|
61
|
-
before_action :verify_signature
|
|
62
|
-
before_action :update_blacklisted_access_tokens_by_webhook
|
|
50
|
+
### 4. Update Revoked Access Tokens by Webhook
|
|
63
51
|
|
|
64
|
-
|
|
65
|
-
case params[:name]
|
|
66
|
-
# Manage other events
|
|
67
|
-
end
|
|
52
|
+
This gem automatically registers a webhook, if you have properly setup [Zaikio::Webhooks](https://github.com/crispymtn/zaikio-webhooks).
|
|
68
53
|
|
|
69
|
-
render json: { received: true }
|
|
70
|
-
end
|
|
71
54
|
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
def verify_signature
|
|
75
|
-
# Read More: https://docs.zaikio.com/guide/loom/receiving-events.html
|
|
76
|
-
unless ActiveSupport::SecurityUtils.secure_compare(
|
|
77
|
-
OpenSSL::HMAC.hexdigest("SHA256", "shared-secret", request.body.read),
|
|
78
|
-
request.headers["X-Loom-Signature"]
|
|
79
|
-
)
|
|
80
|
-
render json: { received: true }
|
|
81
|
-
end
|
|
82
|
-
end
|
|
83
|
-
end
|
|
84
|
-
```
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
5. Add more restrictions to your resources:
|
|
55
|
+
### 5. Add more restrictions to your resources:
|
|
88
56
|
|
|
89
57
|
```rb
|
|
90
58
|
class API::ResourcesController < API::ApplicationController
|
|
@@ -93,7 +61,7 @@ class API::ResourcesController < API::ApplicationController
|
|
|
93
61
|
end
|
|
94
62
|
```
|
|
95
63
|
|
|
96
|
-
6. Optionally, if you are using SSO: Check revoked tokens
|
|
64
|
+
### 6. Optionally, if you are using SSO: Check revoked tokens
|
|
97
65
|
|
|
98
66
|
Additionally, the API provides a method called `revoked_jwt?` which expects the `jti` of the JWT.
|
|
99
67
|
|
|
@@ -101,7 +69,7 @@ Additionally, the API provides a method called `revoked_jwt?` which expects the
|
|
|
101
69
|
Zaikio::JWTAuth.revoked_jwt?('jti-of-token') # returns true if token was revoked
|
|
102
70
|
```
|
|
103
71
|
|
|
104
|
-
7. Optionally, use the test helper module to mock JWTs in your minitests
|
|
72
|
+
### 7. Optionally, use the test helper module to mock JWTs in your minitests
|
|
105
73
|
|
|
106
74
|
```rb
|
|
107
75
|
# in your test_helper.rb
|
|
@@ -110,3 +78,28 @@ include Zaikio::JWTAuth::TestHelper
|
|
|
110
78
|
# in your tests you can use:
|
|
111
79
|
mock_jwt(sub: 'Organization/123', scope: ['directory.organization.r'])
|
|
112
80
|
```
|
|
81
|
+
|
|
82
|
+
## Advanced
|
|
83
|
+
|
|
84
|
+
### `only` and `except`
|
|
85
|
+
|
|
86
|
+
Similar to Rails' controller callbacks, `authorize_by_jwt_scopes` can also be passed a list of actions:
|
|
87
|
+
|
|
88
|
+
```rb
|
|
89
|
+
class API::ResourcesController < API::ApplicationController
|
|
90
|
+
authorize_by_jwt_subject_type 'Organization'
|
|
91
|
+
authorize_by_jwt_scopes 'resources', except: :destroy
|
|
92
|
+
authorize_by_jwt_scopes 'remove_resources', only: [:destroy]
|
|
93
|
+
end
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
|
|
97
|
+
### `if` and `unless`
|
|
98
|
+
|
|
99
|
+
Similar to Rails' controller callbacks, `authorize_by_jwt_scopes` can also handle a lambda in the context of the controller to request parameters.
|
|
100
|
+
|
|
101
|
+
```rb
|
|
102
|
+
class API::ResourcesController < API::ApplicationController
|
|
103
|
+
authorize_by_jwt_scopes 'resources', unless: -> { params[:skip] == '1' }
|
|
104
|
+
end
|
|
105
|
+
```
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
module Zaikio
|
|
2
|
+
module JWTAuth
|
|
3
|
+
class RevokeAccessTokenJob < ApplicationJob
|
|
4
|
+
def perform(event)
|
|
5
|
+
DirectoryCache.update("api/v1/blacklisted_access_tokens.json", expires_after: 60.minutes) do |data|
|
|
6
|
+
data["blacklisted_token_ids"] << event.payload["access_token_id"]
|
|
7
|
+
data
|
|
8
|
+
end
|
|
9
|
+
end
|
|
10
|
+
end
|
|
11
|
+
end
|
|
12
|
+
end
|
data/lib/zaikio/jwt_auth.rb
CHANGED
|
@@ -5,6 +5,7 @@ require "zaikio/jwt_auth/configuration"
|
|
|
5
5
|
require "zaikio/jwt_auth/directory_cache"
|
|
6
6
|
require "zaikio/jwt_auth/jwk"
|
|
7
7
|
require "zaikio/jwt_auth/token_data"
|
|
8
|
+
require "zaikio/jwt_auth/engine"
|
|
8
9
|
require "zaikio/jwt_auth/test_helper"
|
|
9
10
|
|
|
10
11
|
module Zaikio
|
|
@@ -15,6 +16,12 @@ module Zaikio
|
|
|
15
16
|
|
|
16
17
|
def self.configure
|
|
17
18
|
self.configuration ||= Configuration.new
|
|
19
|
+
|
|
20
|
+
if Zaikio.const_defined?("Webhooks")
|
|
21
|
+
Zaikio::Webhooks.on "directory.revoked_access_token", Zaikio::JWTAuth::RevokeAccessTokenJob,
|
|
22
|
+
perform_now: true
|
|
23
|
+
end
|
|
24
|
+
|
|
18
25
|
yield(configuration)
|
|
19
26
|
end
|
|
20
27
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: zaikio-jwt_auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Crispy Mountain GmbH
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-03-
|
|
11
|
+
date: 2020-03-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: oj
|
|
@@ -62,10 +62,12 @@ files:
|
|
|
62
62
|
- MIT-LICENSE
|
|
63
63
|
- README.md
|
|
64
64
|
- Rakefile
|
|
65
|
+
- app/jobs/zaikio/jwt_auth/revoke_access_token_job.rb
|
|
65
66
|
- lib/tasks/zaikio/jwt_auth_tasks.rake
|
|
66
67
|
- lib/zaikio/jwt_auth.rb
|
|
67
68
|
- lib/zaikio/jwt_auth/configuration.rb
|
|
68
69
|
- lib/zaikio/jwt_auth/directory_cache.rb
|
|
70
|
+
- lib/zaikio/jwt_auth/engine.rb
|
|
69
71
|
- lib/zaikio/jwt_auth/jwk.rb
|
|
70
72
|
- lib/zaikio/jwt_auth/railtie.rb
|
|
71
73
|
- lib/zaikio/jwt_auth/test_helper.rb
|