Releases: ActionSprout/action_sprout-jwt_auth

Improved rake task for generating keys

15 Sep 18:28
2f8bf45
  • Add a description so the rake task is discoverable with rake -T
  • Include better examples in the key output (including the correct heroku command to run to set the private key with heroku:config)

Fix test helpers

29 Jan 23:29
v0.5.1
eb4dc71

Fix test helpers (tests using the rspec shared examples provided by this gem will be broken with 0.5.0) (#18)

SECURITY: Automatically verify `aud` claim

29 Jan 21:33
3f59b6d

Security

  • Verify the aud claim by default when using automatic public key selection (#14)

    This resolves a security concern introduced in 0.4.0. To upgrade, make sure each service that uses automatic public key selection is upgraded to at least 0.4.1 before upgrading the key server to 0.5.0.

    When generating keys, it is now required to add an aud claim with the url of the request. See the aud verification section of the README for more specific instructions.

Fixed

  • Fix redefined const warning (#13)
  • Fix gemspec warnings by being more specific about dependencies (#12)

Pre-security release

29 Jan 21:31
ca0eec5

Added

  • Include the aud claim when requesting a public key for automatic public key
    selection (#10)

    This is in preparation for 0.5.0 and is provided as an intermediate step on
    the way to 0.5.0, so that circular or deep dependencies do not prevent any one
    server from upgrading to 0.5.0 quickly.

Automatic public key selection (and name change)

29 Jan 21:30
77d77f7

Changed

  • Name change: The name of this gem changed from as_jwt_auth to
    action_sprout-jwt_auth (#7)

    Therefore, the base module is now ActionSprout::JWTAuth, as opposed to
    AsJWTAuth. All references to AsJWTAuth will need to be updated to
    ActionSprout::JWTAuth.

Fixed

  • Move automatic claims to the JWT payload (#8)

    Originally, I incorrectly thought that these claims should be in the header
    and I was wrong. In order to take advantage of verification provided by the
    JWT gem, these claims need to be stored in the payload and not the header.

Added

  • Automatic public key selection: When using the verify_jwt!
    before_action, JWTAuth can determine the issuer from the JWT and use that to
    request a public key from a key server. (#6)

    • Use the environment variable JWT_KEY_SERVER_URL_TEMPLATE to configure the
      public key server endpoint

    • This endpoint should be protected with the same gem using verify_jwt!

    • The result is cached in an ActiveSupport::Cache::MemoryStore

    • SECURITY NOTE: This feature is safe only if JWTs signed with keys
      existing in the key server's database are only used internally (meaning
      they are not shared with clients)

      In the case that these JWTs are shared with clients (such as a smart web client, for example), and the corresponding public key is available from the key server, then any server using verify_jwt! that does not have specific scoping rules will be vulnerable.

      UPDATE: Please upgrade to 0.5.0 for a security fix.

  • ActionSprout::JWTAuth.jwt_body returns the body of the JWT without the
    header
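The replay scenario from the security note above, and the `aud` check that 0.5.0 adds to close it, as an added example. This is not the gem's own code: it is a minimal RS256 mint/verify pair built on Ruby's standard library, and the service names, the key-server lookup lambda and the request URLs are constructed for the demo.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Mint a token with the gem's automatic claims (iss, jid, iat) plus the
# aud claim (the request URL) that 0.5.0 requires.
def mint_jwt(private_key, issuer:, audience:)
  header  = { alg: "RS256", typ: "JWT" }
  payload = { iss: issuer, aud: audience, jid: SecureRandom.uuid, iat: Time.now.to_i }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = private_key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Automatic public key selection: pick the public key by the token's iss
# claim (key_for_issuer stands in for the key-server lookup), check the
# signature, then reject the token unless aud matches this request's URL.
def verify_jwt(token, key_for_issuer, request_url:, check_aud: true)
  h, p, s = token.split(".")
  payload = JSON.parse(Base64.urlsafe_decode64(p))
  public_key = key_for_issuer.call(payload["iss"]) or return false
  signature_ok = public_key.verify(OpenSSL::Digest.new("SHA256"),
                                   Base64.urlsafe_decode64(s), "#{h}.#{p}")
  return false unless signature_ok
  return true unless check_aud       # 0.4.x behaviour: signature alone
  payload["aud"] == request_url      # 0.5.0 behaviour: aud must match
end

# Constructed scenario: service "web" hands its JWT to a browser client,
# and that token is replayed against "billing", whose key server also
# serves "web"'s public key.
def replay_demo
  web_key    = OpenSSL::PKey::RSA.generate(2048)
  key_server = { "web" => web_key.public_key }
  lookup     = ->(iss) { key_server[iss] }
  token = mint_jwt(web_key, issuer: "web", audience: "https://web.example/api")
  billing = "https://billing.example/charge"
  {
    accepted_at_web:       verify_jwt(token, lookup, request_url: "https://web.example/api"),
    replay_without_aud:    verify_jwt(token, lookup, request_url: billing, check_aud: false),
    replay_with_aud_check: verify_jwt(token, lookup, request_url: billing)
  }
end
```

Without the `aud` check the replayed token verifies at "billing" because the signature is valid and the key is resolvable; with it, the token is rejected.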

Removed

  • AsJWTAuth.jwt_header has been removed in favor of
    ActionSprout::JWTAuth.jwt_issuer

    • Before, the only existing use of jwt_header was to get the issuer
    • Now, the issuer is no longer even stored in the header

Automatic issuer and private key

29 Jan 21:29
b2aa0f4

Added

  • Automatically set private key and issuer using environment variables (#4)

    When generating a JWT, if the key and/or issuer options are missing, this
    gem will attempt to use values from ENV instead, namely APP_NAME for
    issuer and PRIVATE_KEY for key.

Deprecated

  • This is the last version of this gem to be released under the name
    as_jwt_auth

    • The next version will be action_sprout-jwt_auth v0.4.0
    • With the name change, there will probably be a fair amount of internal
      refactoring and potentially breaking changes.

Rails Plugin

29 Jan 21:27
25b5e84

Add Rails plugin (#3)

  • Controller helper verify_jwt! makes a good before_action
  • Add Rails testing helpers for testing controllers using verify_jwt!

Automatically add iss, jid, and iat claims when generating a JWT