Merge pull request #28 from traitify/token-validation

add token validation for rails controller actions

Author: Jbur43

Gemfile.lock

@@ -6,129 +6,147 @@ PATH
       faraday (~> 2.5)
       faraday-net_http (~> 3.0)
       faraday-retry (~> 2.2)
+      jwt (~> 2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.1.4)
+    activesupport (7.1.5.2)
       base64
+      benchmark (>= 0.3)
       bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
       mutex_m
+      securerandom (>= 0.3)
       tzinfo (~> 2.0)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
-    ast (2.4.2)
-    base64 (0.2.0)
-    bigdecimal (3.1.8)
+    ast (2.4.3)
+    base64 (0.3.0)
+    benchmark (0.4.1)
+    bigdecimal (3.3.0)
     binding_of_caller (1.0.1)
       debug_inspector (>= 1.2.0)
     coderay (1.1.3)
-    concurrent-ruby (1.3.4)
-    connection_pool (2.4.1)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.4)
     crack (1.0.0)
       bigdecimal
       rexml
     debug_inspector (1.2.0)
-    diff-lcs (1.5.1)
+    diff-lcs (1.6.2)
     docile (1.4.1)
-    drb (2.2.1)
+    drb (2.2.3)
     faraday (2.8.1)
       base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
-    faraday-retry (2.2.1)
+    faraday-retry (2.3.2)
       faraday (~> 2.0)
-    hashdiff (1.1.1)
-    i18n (1.14.6)
+    hashdiff (1.2.1)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    json (2.7.2)
-    language_server-protocol (3.17.0.3)
+    json (2.15.1)
+    jwt (2.10.2)
+      base64
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    logger (1.7.0)
     method_source (1.1.0)
-    minitest (5.25.1)
-    mutex_m (0.2.0)
-    parallel (1.26.3)
-    parser (3.3.5.0)
+    minitest (5.25.5)
+    mutex_m (0.3.0)
+    parallel (1.27.0)
+    parser (3.3.9.0)
       ast (~> 2.4.1)
       racc
-    pry (0.14.2)
+    prism (1.5.1)
+    pry (0.15.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (5.1.1)
     racc (1.8.1)
     rack (3.1.17)
     rainbow (3.1.1)
-    rake (13.2.1)
-    regexp_parser (2.9.2)
-    rexml (3.4.2)
-    rspec (3.13.0)
+    rake (13.3.0)
+    regexp_parser (2.11.3)
+    rexml (3.4.4)
+    rspec (3.13.1)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.1)
+    rspec-core (3.13.5)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.1)
-    rubocop (1.66.1)
+    rspec-support (3.13.6)
+    rubocop (1.81.1)
       json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.4, < 3.0)
-      rubocop-ast (>= 1.32.2, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-airbnb (7.0.0)
-      rubocop (~> 1.61)
-      rubocop-performance (~> 1.20)
-      rubocop-rails (~> 2.24)
-      rubocop-rspec (~> 2.26)
-    rubocop-ast (1.32.3)
-      parser (>= 3.3.1.0)
-    rubocop-capybara (2.21.0)
-      rubocop (~> 1.41)
-    rubocop-factory_bot (2.26.1)
-      rubocop (~> 1.61)
-    rubocop-performance (1.22.1)
-      rubocop (>= 1.48.1, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.26.2)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-airbnb (8.0.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72)
+      rubocop-capybara (~> 2.22)
+      rubocop-factory_bot (~> 2.27)
+      rubocop-performance (~> 1.24)
+      rubocop-rails (~> 2.30)
+      rubocop-rspec (~> 3.5)
+    rubocop-ast (1.47.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    rubocop-capybara (2.22.1)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    rubocop-factory_bot (2.27.1)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    rubocop-performance (1.26.0)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-rails (2.33.4)
       activesupport (>= 4.2.0)
+      lint_roller (~> 1.1)
       rack (>= 1.1)
-      rubocop (>= 1.52.0, < 2.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rspec (2.31.0)
-      rubocop (~> 1.40)
-      rubocop-capybara (~> 2.17)
-      rubocop-factory_bot (~> 2.22)
-      rubocop-rspec_rails (~> 2.28)
-    rubocop-rspec_rails (2.29.1)
-      rubocop (~> 1.61)
-    rubocop-traitify (1.3.0.pre.alpha.0)
-      rubocop-airbnb (~> 7.0.0)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
+    rubocop-rspec (3.7.0)
+      lint_roller (~> 1.1)
+      rubocop (~> 1.72, >= 1.72.1)
+    rubocop-traitify (1.3.0)
+      rubocop-airbnb (~> 8.0.0)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
+    securerandom (0.3.2)
     simplecov (0.21.2)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
-    simplecov-html (0.13.1)
+    simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.6.0)
-    webmock (3.24.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
+    webmock (3.25.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -150,4 +168,4 @@ DEPENDENCIES
   webmock (~> 3.18)
 
 BUNDLED WITH
-   2.4.22
+   2.3.16

lib/traitify.rb

@@ -1,5 +1,8 @@
 require "active_support"
 require "active_support/core_ext/object/deep_dup"
+require "ostruct"
+require "jwt"
+require "openssl"
 require "traitify/configuration"
 require "traitify/client"
 require "traitify/data"
@@ -33,9 +36,64 @@ def log(level, message)
       case level
       when :debug
         logger.debug message
+      when :warn
+        logger.warn message
+      when :error
+        logger.error message
       else
         logger.info message
       end
     end
+
+    def valid_jwt_token?(token)
+      algorithm = "RS256"
+      return false unless jwt_public_keys && jwt_public_keys.any?
+
+      public_keys = jwt_public_keys.map { |key| OpenSSL::PKey::RSA.new(key) }
+
+      public_keys.each do |public_key|
+        decoded_token = JWT.decode(token, public_key, true, {
+          algorithm: algorithm,
+          iss: "Traitify by Paradox",
+          verify_iss: true,
+          verify_iat: true,
+          verify_nbf: true,
+          verify_jti: true
+        })
+
+        payload = decoded_token[0]
+        validate_claims(payload)
+        return true
+      rescue JWT::ExpiredSignature, JWT::DecodeError, JWT::VerificationError => e
+        log(:warn, "[JWT] #{e.class.name}: #{e.message}")
+        next
+      rescue => e
+        log(:error, "[JWT] Unexpected error: #{e.class} - #{e.message}")
+        next
+      end
+
+      false
+    end
+
+    private
+
+    def validate_claims(payload)
+      current_time = Time.now.to_i
+
+      iat_value = payload["iat"] || payload[:iat]
+      if iat_value && iat_value > current_time
+        raise JWT::InvalidIatError.new("Token issued in the future")
+      end
+
+      nbf_value = payload["nbf"] || payload[:nbf]
+      if nbf_value && nbf_value > current_time
+        raise JWT::DecodeError.new("Token not yet valid")
+      end
+
+      jti_value = payload["jti"] || payload[:jti]
+      if jti_value.nil? || jti_value.empty?
+        raise JWT::DecodeError.new("Missing JWT ID (jti)")
+      end
+    end
   end
 end

lib/traitify/configuration.rb

@@ -1,15 +1,16 @@
 module Traitify
   module Configuration
     VALID_OPTIONS_KEYS = [
-      :host,
-      :public_key,
-      :secret_key,
-      :version,
       :auto_retry,
       :deck_id,
+      :host,
       :image_pack,
+      :jwt_public_keys,
       :locale_key,
-      :retry_options
+      :public_key,
+      :retry_options,
+      :secret_key,
+      :version
     ].freeze
 
     attr_accessor(*VALID_OPTIONS_KEYS)

lib/traitify/version.rb

@@ -1,3 +1,3 @@
 module Traitify
-  VERSION = "2.1.0".freeze
+  VERSION = "2.1.1".freeze
 end

spec/spec_helper.rb

@@ -1,6 +1,7 @@
 require "active_support"
 require "active_support/core_ext/object/conversions"
 require "active_support/core_ext/object/json"
+require "active_support/core_ext/numeric/time"
 require "webmock/rspec"
 require "pry"
 require "simplecov"