migration complete

Author: lmajano

ModuleConfig.cfc

@@ -19,7 +19,7 @@ component {
 	// Helpers
 	this.applicationHelper 	= [ "helpers/mixins.cfm" ];
 	// Dependencies
-	this.dependencies 		= [ "cbauth", "jwt" ];
+	this.dependencies 		= [ "cbauth", "jwtcfml" ];
 
 	/**
 	 * Module Config

box.json

@@ -28,7 +28,7 @@
         "*/.md"
     ],
     "dependencies":{
-        "jwt":"^1.1.0",
+		"jwt-cfml":"^1.0.0",
         "cbauth":"^4.0.0"
     },
     "scripts":{

changelog.md

@@ -2,7 +2,19 @@
 
 ## 2.2.0
 
+* `Feature` : Migrated from the jwt to the `jwtcfml` (https://forgebox.io/view/jwt-cfml) library to expand encoding/decoding capabilities to support `RS` and `ES` algorithms:
+  * HS256
+  * HS384
+  * HS512
+  * RS256
+  * RS384
+  * RS512
+  * ES256
+  * ES384
+  * ES512
 * `Feature` : Added a new convenience method on the JWT Service: `isTokenInStorage( token )` to verify if a token still exists in the token storage
+* `Feature` : If no jwt secret is given in the settings, we will dynamically generate one that will last for the duration of the application scope.
+* `Improve` : Ability to have defaults for all JWT settings instead of always typing them in the configs
 * `Improve` : More cfformating goodness!
 * `Bug` : Invalidation of tokens was not happening due to not using the actual key for the storage
 

models/jwt/JwtService.cfc

@@ -7,14 +7,21 @@
  */
 component accessors="true" singleton {
 
-	// DI
-	property name="jwt"                inject="provider:JWTService@jwt";
+	/*********************************************************************************************/
+	/** DI **/
+	/*********************************************************************************************/
+
+	property name="jwt"                inject="provider:jwt@jwtcfml";
 	property name="wirebox"            inject="wirebox";
 	property name="settings"           inject="coldbox:moduleSettings:cbSecurity";
 	property name="interceptorService" inject="coldbox:interceptorService";
 	property name="requestService"     inject="coldbox:requestService";
 	property name="log"                inject="logbox:logger:{this}";
 
+	/*********************************************************************************************/
+	/** PROPERTIES **/
+	/*********************************************************************************************/
+
 	/**
 	 * The auth service in use
 	 */
@@ -30,6 +37,10 @@ component accessors="true" singleton {
 	 */
 	property name="tokenStorage";
 
+	/*********************************************************************************************/
+	/** STATIC PROPERTIES **/
+	/*********************************************************************************************/
+
 	// Required Claims
 	variables.REQUIRED_CLAIMS = [
 		"jti",
@@ -40,6 +51,41 @@ component accessors="true" singleton {
 		"scopes"
 	];
 
+	// Default Settings
+	variables.DEFAULT_SETTINGS = {
+		// The jwt secret encoding key
+		"secretKey"               : "",
+		// The Custom header to inspect for tokens
+		"customAuthHeader"        : "x-auth-token",
+		// The expiration in minutes for the jwt tokens
+		"expiration"              : 60,
+		// If true, enables refresh tokens, longer lived tokens (not implemented yet)
+		"enableRefreshTokens"     : false,
+		// The default expiration for refresh tokens, defaults to 30 days
+		"refreshExpiration"       : 43200,
+		// encryption algorithm to use, valid algorithms are: HS256, HS384, and HS512
+		"algorithm"               : "HS512",
+		// Which claims neds to be present on the jwt token or `TokenInvalidException` upon verification and decoding
+		"requiredClaims"          : [] ,
+		// The token storage settings
+		"tokenStorage"            : {
+			// enable or not, default is true
+			"enabled"       : true,
+			// A cache key prefix to use when storing the tokens
+			"keyPrefix"     : "cbjwt_",
+			// The driver to use: db, cachebox or a WireBox ID
+			"driver"        : "cachebox",
+			// Driver specific properties
+			"properties"    : {
+				"cacheName" : "default"
+			}
+		}
+	};
+
+	/*********************************************************************************************/
+	/** CONSTRUCTOR & STARTUP **/
+	/*********************************************************************************************/
+
 	/**
 	 * Constructor
 	 */
@@ -48,17 +94,24 @@ component accessors="true" singleton {
 	}
 
 	/**
-	 * Runs after DI
+	 * Runs after DI, here is where we setup the jwt settings for operation
 	 */
 	function onDIComplete(){
-		// Verify a few settings just in case
+		// If no settings defined, use the defaults
+		if( !structKeyExists( variables.settings, "jwt" ) ){
+			variables.settings.jwt = variables.DEFAULT_SETTINGS;
+		}
+
+		// Incorporate defaults into incoming data
+		structAppend( variables.settings.jwt, variables.DEFAULT_SETTINGS, false );
+		structAppend( variables.settings.jwt.tokenStorage, variables.DEFAULT_SETTINGS.tokenStorage, false );
+
+		// If no secret is defined, then let's create one dynamically
 		if ( isNull( variables.settings.jwt.secretKey ) || !len( variables.settings.jwt.secretKey ) ) {
-			throw(
-				message = "The JWT secret key cannot be empty, please fill this out in your `config/ColdBox.cfc` under your cbsecurity settings",
-				detail  = "cbsecurity.jwt.secretKey",
-				type    = "InvalidSecretKey"
-			)
+			variables.settings.jwt.secretKey = generateSecretKey( "blowfish", 448 );
+			variables.log.warn( "No jwt secret key setting found, automatically generating one" );
 		}
+
 	}
 
 	/************************************************************************************/
@@ -326,8 +379,14 @@ component accessors="true" singleton {
 			}
 		} );
 
+
 		// Verify Expiration first
-		if ( dateCompare( fromEpoch( decodedToken.exp ), now() ) < 0 ) {
+		if (
+			dateCompare(
+				( isDate( decodedToken.exp ) ? decodedToken.exp : fromEpoch( decodedToken.exp ) ),
+				now()
+			) < 0
+		) {
 			if ( variables.log.canWarn() ) {
 				variables.log.warn( "Token rejected, it has expired", decodedToken );
 			}
@@ -477,11 +536,17 @@ component accessors="true" singleton {
 	 * @token The token to validate
 	 */
 	boolean function verify( required token ){
-		return variables.jwt.verify(
-			arguments.token,
-			variables.settings.jwt.secretKey,
-			variables.settings.jwt.algorithm
-		);
+		try{
+			variables.jwt.decode(
+				token = arguments.token,
+				key = variables.settings.jwt.secretKey,
+				algorithms = variables.settings.jwt.algorithm,
+				verify = false
+			);
+			return true;
+		} catch( Any e ){
+			return false;
+		}
 	}
 
 	/**
@@ -494,9 +559,9 @@ component accessors="true" singleton {
 	struct function decode( required token ){
 		try {
 			return variables.jwt.decode(
-				arguments.token,
-				variables.settings.jwt.secretKey,
-				variables.settings.jwt.algorithm
+				token = arguments.token,
+				key = variables.settings.jwt.secretKey,
+				algorithms = variables.settings.jwt.algorithm
 			);
 		} catch ( any e ) {
 			throw(
@@ -567,7 +632,9 @@ component accessors="true" singleton {
 	}
 
 	/**
-	 * Get the appropriate token storage
+	 * Get the appropriate token storage provider
+	 *
+	 * @return cbsecurity.interfaces.jwt.IJwtStorage
 	 */
 	function getTokenStorage(){
 		// If loaded, use it!
@@ -725,4 +792,4 @@ component accessors="true" singleton {
 			.len();
 	}
 
-}
+}

test-harness/box.json

@@ -7,27 +7,27 @@
     "dependencies":{
         "coldbox":"^5.0.0",
         "testbox":"be",
-        "jwt":"^1.1.0",
         "cbauth":"^4.0.0",
-        "BCrypt":"^2.5.0-snapshot"
+        "BCrypt":"^2.5.0-snapshot",
+        "jwt-cfml":"^1.0.0"
     },
     "devDependencies":{
         "route-visualizer":"^1.2.0+4"
     },
     "installPaths":{
         "coldbox":"coldbox/",
         "testbox":"testbox/",
-        "jwt":"modules/jwt/",
         "cbauth":"modules/cbauth/",
         "BCrypt":"modules/BCrypt/",
-        "route-visualizer":"modules/route-visualizer/"
+        "route-visualizer":"modules/route-visualizer/",
+        "jwt-cfml":"modules/jwtcfml/"
     },
     "testbox":{
         "runner":"http://localhost:60299/tests/runner.cfm"
     },
     "scripts":{
-        "format":"cfformat config/**.cfc,handlers/**.cfc,models/**.cfc,modules_app/**.cfc,tests/specs/**/*.cfc --overwrite",
-        "format:watch":"cfformat config/**.cfc,handlers/**.cfc,models/**.cfc,modules_app/**.cfc,tests/specs/**/*.cfc --watch",
-        "format:check":"cfformat config/**.cfc,handlers/**.cfc,models/**.cfc,modules_app/**.cfc,tests/specs/**/*.cfc --check"
+        "format":"cfformat run config/**.cfc,handlers/**.cfc,models/**.cfc,modules_app/**.cfc,tests/specs/**/*.cfc --overwrite",
+        "format:watch":"cfformat run config/**.cfc,handlers/**.cfc,models/**.cfc,modules_app/**.cfc,tests/specs/**/*.cfc --watch",
+        "format:check":"cfformat run config/**.cfc,handlers/**.cfc,models/**.cfc,modules_app/**.cfc,tests/specs/**/*.cfc --check"
     }
 }

test-harness/config/Coldbox.cfc

@@ -118,9 +118,9 @@
 				"jwt" : {
 					"secretKey"           : "C3D4AF35-8FCD-49AB-943A39AEFFB584EE",
 					"customAuthHeader"    : "x-auth-token",
-					"expiration"          : 60,
-					"enableRefreshTokens" : false,
-					"refreshExpiration"   : 43200,
+					//"expiration"          : 60,
+					//"enableRefreshTokens" : false,
+					//"refreshExpiration"   : 43200,
 					"algorithm"           : "HS512",
 					"requiredClaims"      : [ "role" ],
 					"tokenStorage"        : {

test-harness/[email protected]

@@ -10,8 +10,8 @@
         },
         "rewrites":{
             "enable":"true"
-		},
-		"aliases":{
+        },
+        "aliases":{
             "/moduleroot/cbsecurity":"../"
         }
     },

test-harness/tests/Application.cfc

@@ -32,6 +32,9 @@ component {
 
 	// request start
 	public boolean function onRequestStart( String targetPage ){
+		if( server.keyExists( "lucee" ) ){
+			pagePoolClear();
+		}
 		return true;
 	}
 

test-harness/tests/specs/integration/JWTSpec.cfc

@@ -82,7 +82,7 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 					expect( event.getCurrentEvent() ).toBe( "api:Home.onInvalidAuth" );
 					expect( event.valueExists( "relocate_event" ) ).toBeFalse();
 					expect( event.getPrivateValue( "cbsecurity_validatorResults" ).messages ).toInclude(
-						"TokenExpiredException"
+						"Token has expired"
 					);
 				} );
 			} );