@spree/docs 0.1.100 → 0.1.101
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -76,7 +76,7 @@ module MyApp
|
|
|
76
76
|
|
|
77
77
|
def authenticate
|
|
78
78
|
token = params[:token] || extract_bearer
|
|
79
|
-
return failure(
|
|
79
|
+
return failure(Spree.t('api.unauthorized')) if token.blank?
|
|
80
80
|
|
|
81
81
|
payload = verify_with_jwks(token)
|
|
82
82
|
|
|
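Review bot: `token = params[:token] || extract_bearer` gives a query-string token precedence over the Authorization header, and tokens carried in URLs tend to land in server and proxy logs; if the parameter is only kept for compatibility, consider reversing the precedence or dropping it so `extract_bearer` is the primary path. The new guard `return failure(Spree.t('api.unauthorized')) if token.blank?` correctly stops a blank token from reaching `verify_with_jwks`, and reusing the same `api.unauthorized` key for both missing and invalid tokens keeps the client-facing message uniform; confirm that key exists under Spree's translation scope, since a missing key would otherwise surface as a "translation missing" string to the caller.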
@@ -92,13 +92,13 @@ module MyApp
|
|
|
92
92
|
|
|
93
93
|
success(user)
|
|
94
94
|
rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidIssuerError, JWT::InvalidAudError, KeyError => e
|
|
95
|
-
failure(
|
|
95
|
+
failure(Spree.t('api.unauthorized'))
|
|
96
96
|
end
|
|
97
97
|
|
|
98
98
|
private
|
|
99
99
|
|
|
100
100
|
def verify_with_jwks(token)
|
|
101
|
-
jwks_loader = ->(opts) { jwks(force: opts[:
|
|
101
|
+
jwks_loader = ->(opts) { jwks(force: opts[:kid_not_found]) }
|
|
102
102
|
|
|
103
103
|
JWT.decode(
|
|
104
104
|
token, nil, true,
|
|
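Review bot: the rescue clause binds `=> e` but the new body `failure(Spree.t('api.unauthorized'))` never uses it, so either drop the binding or log `e.class` server-side (never the token itself) so failed verifications stay diagnosable while the client still sees one generic message. `JWT::ExpiredSignature`, `JWT::InvalidIssuerError` and `JWT::InvalidAudError` are all subclasses of `JWT::DecodeError` in ruby-jwt, so listing them separately is harmless but redundant. The completed loader `jwks_loader = ->(opts) { jwks(force: opts[:kid_not_found]) }` matches the `kid_not_found: true` refetch contract of `JWT.decode`, which is what the JWKS caching guidance in the docs relies on.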
@@ -318,7 +318,7 @@ This revokes the Spree refresh token. The Spree JWT itself remains valid until i
|
|
|
318
318
|
A few things worth getting right:
|
|
319
319
|
|
|
320
320
|
- **Don't try to pass the third-party JWT through to protected endpoints.** Spree's `JwtAuthentication` concern verifies `iss: 'spree'` and the expected audience (`store_api` or `admin_api`) with HS256 against the Spree secret — a foreign RS256 token will never validate, and you don't want it to. The exchange-at-login model is the right one.
|
|
321
|
-
- **JWKS caching and rotation.** Cache the JWKS (the example uses a 1-hour TTL) but make sure your loader honors the `
|
|
321
|
+
- **JWKS caching and rotation.** Cache the JWKS (the example uses a 1-hour TTL) but make sure your loader honors the `kid_not_found: true` option so that an unrecognized `kid` triggers a refetch. Otherwise key rotation at the IdP locks users out for up to the TTL.
|
|
322
322
|
- **Validate `iss` and `aud` claims.** Always. The example passes `verify_iss: true, verify_aud: true` to `JWT.decode` — don't drop those.
|
|
323
323
|
- **Algorithm pinning.** Hard-code `algorithms: ['RS256']` (or whatever your IdP uses). Never let the token's own `alg` header decide — the classic `alg: none` and HS-as-RS confusion attacks both exploit lax algorithm selection.
|
|
324
324
|
- **Rate limiting.** `POST /auth/login` is rate-limited per IP via `Spree::Api::Config[:rate_limit_login]`. Tune it in your app config if needed — the same limit applies to email/password and provider-dispatched logins.
|
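Review bot: the completed bullet correctly ties key rotation to `kid_not_found: true`, but it should also say what bounds the forced refetch: with the loader shown in the earlier hunk, every token carrying an unknown `kid` results in an outbound JWKS fetch, so the `jwks(force: ...)` implementation should enforce a minimum interval between forced refetches (or briefly remember unknown `kid`s) so that IdP availability and rate limits are not coupled to individual requests. A one-line pointer to that from this bullet would save integrators from discovering it in production.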