Class: Peatio::Auth::JWTAuthenticator

Inherits:

Object

• Object
• Peatio::Auth::JWTAuthenticator

Defined in:

lib/peatio/auth/jwt_authenticator.rb

Overview

JWTAuthenticator used to authenticate user using JWT.

It allows configuration of JWT verification through following ENV variables (all optional):

• JWT_ISSUER

• JWT_AUDIENCE

• JWT_ALGORITHM (default: RS256)

• JWT_DEFAULT_LEEWAY

• JWT_ISSUED_AT_LEEWAY

• JWT_EXPIRATION_LEEWAY

• JWT_NOT_BEFORE_LEEWAY

Examples:

Token validation

rsa_private = OpenSSL::PKey::RSA.generate(2048)
rsa_public = rsa_private.public_key

payload = {
  iat: Time.now.to_i,
  exp: (Time.now + 60).to_i,
  sub: "session",
  iss: "barong",
  aud: [
    "peatio",
    "barong",
  ],
  jti: "BEF5617B7B2762DDE61702F5",
  uid: "TEST123",
  email: "user@example.com",
  role: "admin",
  level: 4,
  state: "active",
}

token = JWT.encode(payload, rsa_private, "RS256")

auth = Peatio::Auth::JWTAuthenticator.new(rsa_public)
auth.authenticate!("Bearer #{token}")

See Also:

• JWT validation parameters.

Instance Method Summary

• #authenticate!(token) ⇒ Hash

  Decodes and verifies JWT.

• #encode(payload) ⇒ String

  Encodes given payload and produces JWT.

• #initialize(public_key, private_key = nil) ⇒ JWTAuthenticator constructor

  Creates new authenticator with given public key.

Constructor Details

#initialize(public_key, private_key = nil) ⇒ JWTAuthenticator

Creates new authenticator with given public key.

Parameters:

• public_key (OpenSSL::PKey::PKey) —

  Public key object to verify signature.

• private_key (OpenSSL::PKey::PKey) (defaults to: nil) —

  Optional private key that used only to encode new tokens.

# File 'lib/peatio/auth/jwt_authenticator.rb', line 52

def initialize(public_key, private_key = nil)
  @public_key = public_key
  @private_key = private_key

  @verify_options = {
    verify_expiration: true,
    verify_not_before: true,
    iss: ENV["JWT_ISSUER"],
    verify_iss: !ENV["JWT_ISSUER"].nil?,
    verify_iat: true,
    verify_jti: true,
    aud: ENV["JWT_AUDIENCE"].to_s.split(",").reject(&:empty?),
    verify_aud: !ENV["JWT_AUDIENCE"].nil?,
    sub: "session",
    verify_sub: true,
    algorithms: [ENV["JWT_ALGORITHM"] || "RS256"],
    leeway: ENV["JWT_DEFAULT_LEEWAY"].yield_self { |n| n.to_i unless n.nil? },
    iat_leeway: ENV["JWT_ISSUED_AT_LEEWAY"].yield_self { |n| n.to_i unless n.nil? },
    exp_leeway: ENV["JWT_EXPIRATION_LEEWAY"].yield_self { |n| n.to_i unless n.nil? },
    nbf_leeway: ENV["JWT_NOT_BEFORE_LEEWAY"].yield_self { |n| n.to_i unless n.nil? },
  }.compact

  @encode_options = {
    algorithm: @verify_options[:algorithms].first,
  }.compact
end

Instance Method Details

#authenticate!(token) ⇒ Hash

Decodes and verifies JWT. Returns payload from JWT or raises an exception

Parameters:

• token (String) —

  Token string. Must start from "Bearer ".

Returns:

• (Hash) —

  Payload Hash from JWT without any changes.

Raises:

• (Peatio::Auth::Error) —

  If token is invalid or can’t be verified.

# File 'lib/peatio/auth/jwt_authenticator.rb', line 86

def authenticate!(token)
  token_type, token_value = token.to_s.split(" ")

  unless token_type == "Bearer"
    raise(Peatio::Auth::Error, "Token type is not provided or invalid.")
  end

  decode_and_verify_token(token_value)
rescue => error
  case error
  when Peatio::Auth::Error
    raise(error)
  else
    raise(Peatio::Auth::Error, error.message)
  end
end

#encode(payload) ⇒ String

Encodes given payload and produces JWT.

Parameters:

• payload (String, Hash) —

  Payload to encode.

Returns:

• (String) —

  JWT token string.

Raises:

• (ArgumentError) —

  If no private key was passed to constructor.

# File 'lib/peatio/auth/jwt_authenticator.rb', line 109

def encode(payload)
  raise(::ArgumentError, "No private key given.") if @private_key.nil?

  JWT.encode(payload, @private_key, @encode_options[:algorithm])
end