Merge branch 'development'

Author: lmajano

.markdownlint.json

@@ -0,0 +1,14 @@
+{
+	"line-length": false,
+	"single-h1": false,
+	"no-hard-tabs" : false,
+	"fenced-code-language" : false,
+	"no-bare-urls" : false,
+	"first-line-h1": false,
+	"no-multiple-blanks": {
+		"maximum": 2
+	},
+	"no-duplicate-header" : {
+		"siblings_only" : true
+	}
+}

ModuleConfig.cfc

@@ -119,7 +119,8 @@ component {
 				"cbSecurity_onJWTInvalidClaims",
 				"cbSecurity_onJWTExpiration",
 				"cbSecurity_onJWTStorageRejection",
-				"cbSecurity_onJWTValidParsing"
+				"cbSecurity_onJWTValidParsing",
+				"cbSecurity_onJWTInvalidateAllTokens"
 			]
 		};
 

box.json

@@ -1,6 +1,6 @@
 {
     "name":"ColdBox Security",
-    "version":"2.7.0",
+    "version":"2.8.0",
     "location":"https://downloads.ortussolutions.com/ortussolutions/coldbox-modules/cbsecurity/@build.version@/[email protected]@.zip",
     "author":"Ortus Solutions.com <[email protected]>",
     "slug":"cbsecurity",

changelog.md

@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ----
 
+## [2.8.0] => 2020-NOV-09
+
+### Added
+
+* `parseToken( token )` now accepts a token of your choice to work with in the request or it will continue to discover it if not passed.
+* Added new JWT Service method: `invalidateAll()` which invalidates all tokens in the token storage
+* Added the new event: `cbSecurity_onJWTInvalidateAllTokens` that fires once all tokens in the storage are cleared
+* Added storage of the authenticated user into the `prc` scope when using `attempt()` to be consistent with API calls
+
+### Fixed
+
+* Spelling corrections on the readme
+* Added full var scoping for `cbsecurity` in JWTService calls
+
+----
+
 ## [2.7.0] => 2020-SEP-14
 
 ### Added

models/jwt/JwtService.cfc

@@ -136,11 +136,18 @@ component accessors="true" singleton {
 		required password,
 		struct customClaims = {}
 	){
-		var oUser = cbSecurity
+		// Authenticate via the auth service wired up
+		// If it fails an exception is thrown
+		var oUser = variables.cbSecurity
 			.getAuthService()
 			.authenticate( arguments.username, arguments.password );
 
-		// Create it
+		// Store User in ColdBox data bus
+		variables.requestService
+			.getContext()
+			.setPrivateValue( variables.settings.prcUserVariable, oUser );
+
+		// Create the token and return it
 		return fromUser( oUser, arguments.customClaims );
 	}
 
@@ -152,14 +159,14 @@ component accessors="true" singleton {
 	 */
 	function logout(){
 		invalidate( this.getToken() );
-		cbSecurity.getAuthService().logout();
+		variables.cbSecurity.getAuthService().logout();
 	}
 
 	/**
 	 * Shortcut function to our authentication services to check if we are logged in
 	 */
 	boolean function isLoggedIn(){
-		return cbSecurity.getAuthService().isLoggedIn();
+		return variables.cbSecurity.getAuthService().isLoggedIn();
 	}
 
 	/**
@@ -306,6 +313,29 @@ component accessors="true" singleton {
 		return results;
 	}
 
+	/**
+	 * Invalidates all tokens in the connected storage provider
+	 *
+	 * @async Run the clearing asynchronously or not, default is false
+	 */
+	JwtService function invalidateAll( boolean async=false ){
+		if ( variables.log.canInfo() ) {
+			variables.log.info( "Token invalidation request issued for all tokens" );
+		}
+
+		// Clear all via storage
+		getTokenStorage().clearAll( arguments.async );
+
+		// Announce the token invalidation
+		variables.interceptorService.processState( "cbSecurity_onJWTInvalidateAllTokens" );
+
+		if ( variables.log.canInfo() ) {
+			variables.log.info( "All tokens cleared via token storage clear all" );
+		}
+
+		return this;
+	}
+
 	/**
 	 * Verifies if the passed in token exists in the storage provider
 	 *
@@ -321,33 +351,34 @@ component accessors="true" singleton {
 
 	/**
 	 * Try's to get a jwt token from the authorization header or the custom header
-	 * defined in the configuration. If it is a valid token and it decodes we will then
-	 * continue to validat the subject it represents.  Once those are satisfied, then it will
+	 * defined in the configuration or passed in by you. If it is a valid token and it decodes we will then
+	 * continue to validate the subject it represents.  Once those are satisfied, then it will
 	 * store it in the `prc` as `prc.jwt_token` and the payload as `prc.jwt_payload`.
 	 *
+	 * @token The token to parse and validate, if not passed we call the discoverToken() method for you.
+	 *
 	 * @throws TokenExpiredException If the token has expired or no longer in the storage (invalidated)
 	 * @throws TokenInvalidException If the token doesn't verify decoding
 	 * @throws TokenNotFoundException If the token cannot be found in the headers
 	 *
 	 * @returns The payload for convenience
 	 */
-	struct function parseToken(){
-		var jwtToken = discoverToken();
+	struct function parseToken( string token = discoverToken() ){
 
 		// Did we find an incoming token
-		if ( !len( jwtToken ) ) {
+		if ( !len( arguments.token ) ) {
 			if ( variables.log.canDebug() ) {
-				variables.log.debug( "Token not found anywhere" );
+				variables.log.debug( "Token empty or not found anywhere (headers, url, form)" );
 			}
 
 			throw(
-				message = "Token not found in authorization header or the custom header or the request collection",
+				message = "Token not found in authorization header or the custom header or the request collection or not passed in",
 				type    = "TokenNotFoundException"
 			);
 		}
 
 		// Decode it
-		var decodedToken  = decode( jwtToken );
+		var decodedToken  = decode( arguments.token );
 		var decodedClaims = decodedToken.keyArray();
 
 		// Verify the required claims
@@ -368,7 +399,7 @@ component accessors="true" singleton {
 				variables.interceptorService.processState(
 					"cbSecurity_onJWTInvalidClaims",
 					{
-						token   : jwtToken,
+						token   : arguments.token,
 						payload : decodedToken
 					}
 				);
@@ -391,7 +422,7 @@ component accessors="true" singleton {
 			variables.interceptorService.processState(
 				"cbSecurity_onJWTExpiration",
 				{
-					token   : jwtToken,
+					token   : arguments.token,
 					payload : decodedToken
 				}
 			);
@@ -409,7 +440,7 @@ component accessors="true" singleton {
 			variables.interceptorService.processState(
 				"cbSecurity_onJWTStorageRejection",
 				{
-					token   : jwtToken,
+					token   : arguments.token,
 					payload : decodedToken
 				}
 			);
@@ -429,22 +460,22 @@ component accessors="true" singleton {
 			);
 		}
 
-		// Store it
+		// Store it on the PRC scope values
 		variables.requestService
 			.getContext()
-			.setPrivateValue( "jwt_token", jwtToken )
+			.setPrivateValue( "jwt_token", arguments.token )
 			.setPrivateValue( "jwt_payload", decodedToken );
 
 		// Announce the valid parsing
 		variables.interceptorService.processState(
 			"cbSecurity_onJWTValidParsing",
 			{
-				token   : jwtToken,
+				token   : arguments.token,
 				payload : decodedToken
 			}
 		);
 
-		// Authenticate the payload
+		// Authenticate the payload, because a token MUST be valid before usage
 		authenticate();
 
 		// Return it
@@ -662,7 +693,12 @@ component accessors="true" singleton {
 	/****************************** PRIVATE ******************************/
 
 	/**
-	 * Try to discover the jwt token from many incoming resources
+	 * Try to discover the jwt token from many incoming resources:
+	 * - The custom auth header: x-auth-token
+	 * - URL/FORM: x-auth-token
+	 * - Authorization Header
+	 *
+	 * @return The discovered token or an empty string
 	 */
 	private string function discoverToken(){
 		var event = variables.requestService.getContext();

readme.md

@@ -51,7 +51,7 @@ cbauth = {
 cbsecurity = {
 	// The global invalid authentication event or URI or URL to go if an invalid authentication occurs
 	"invalidAuthenticationEvent"	: "",
-	// Default Auhtentication Action: override or redirect when a user has not logged in
+	// Default Authentication Action: override or redirect when a user has not logged in
 	"defaultAuthenticationAction"	: "redirect",
 	// The global invalid authorization event or URI or URL to go if an invalid authorization occurs
 	"invalidAuthorizationEvent"		: "",
@@ -134,7 +134,7 @@ Using the default configuration, this module will register the `Security` interc
 
 The interceptor will intercept all calls to your application via the `preProcess()` interception point.  Each request will then be validated against any registered security rules and then validated against any handler/action security annotations (if active) via a Security Validator.  Also, if the request is made to a module, each module has the capability to have it's own separate validator apart from the global one.
 
-> **Info** You can deactive annotation driven security via the `handlerAnnotationSecurity` setting.
+> **Info** You can deactivate annotation driven security via the `handlerAnnotationSecurity` setting.
 
 ### How does validation happen?
 
@@ -327,7 +327,7 @@ component{
 
 ### Authorization Context
 
-You can also give the annotation some value, which can be anything you like: A list of roles, a role, a list of permissions, metadata, etc.  Whatever it is, this is the **authorization context** and the security validator must be able to not only authenticate but authorize the context or an invalid authorization will occurr.
+You can also give the annotation some value, which can be anything you like: A list of roles, a role, a list of permissions, metadata, etc.  Whatever it is, this is the **authorization context** and the security validator must be able to not only authenticate but authorize the context or an invalid authorization will occur.
 
 ```js
 // Secure this handler
@@ -417,7 +417,7 @@ private function permissionValidator( permissions, controller, rule ){
 
 ## Interceptions
 
-When invalid access or authorizations occurr the interceptor will announce the following events:
+When invalid access or authorizations occur the interceptor will announce the following events:
 
 - `cbSecurity_onInvalidAuthentication`
 - `cbSecurity_onInvalidAuthorization`

test-harness/tests/Application.cfc

@@ -32,12 +32,15 @@ component {
 
 	// request start
 	public boolean function onRequestStart( String targetPage ){
-		return true;
-	}
 
-	function onRequestEnd(){
-		structDelete( application, "wirebox" );
+		// Cleanup
+		if( !isNull( application.cbController ) ){
+			application.cbController.getLoaderService().processShutdown();
+		}
 		structDelete( application, "cbController" );
+		structDelete( application, "wirebox" );
+
+		return true;
 	}
 
-}
+}

test-harness/tests/specs/integration/JWTSpec.cfc

@@ -20,6 +20,8 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 			beforeEach( function(currentSpec){
 				// Setup as a new ColdBox request for this suite, VERY IMPORTANT. ELSE EVERYTHING LOOKS LIKE THE SAME REQUEST.
 				setup();
+				// Get the Service
+				variables.jwtService = getInstance( "jwtService@cbSecurity" );
 			} );
 
 			given( "no jwt token and accessing a secure api call", function(){
@@ -87,11 +89,11 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 				} );
 			} );
 
-			given( "an valid jwt token but it is not in the storage", function(){
+			given( "a valid jwt token but it is not in the storage", function(){
 				then( "it should block with no authorization", function(){
-					var thisToken = getInstance( "jwtService@cbSecurity" ).attempt( "test", "test" );
+					var thisToken = variables.jwtService.attempt( "test", "test" );
 
-					getInstance( "jwtService@cbSecurity" )
+					variables.jwtService
 						.getTokenStorage()
 						.clearAll();
 					getRequestContext().setValue( "x-auth-token", thisToken );
@@ -110,7 +112,7 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 					var thisToken = getInvalidUserToken();
 					getRequestContext().setValue( "x-auth-token", thisToken.token );
 
-					getInstance( "jwtService@cbSecurity" )
+					variables.jwtService
 						.getTokenStorage()
 						.set(
 							key 		= thisToken.payload.jti,
@@ -130,20 +132,34 @@ component extends="coldbox.system.testing.BaseTestCase" appMapping="/root" {
 
 			given( "a valid jwt token in all senses", function(){
 				then( "it should allow the call", function(){
-					var thisToken = getInstance( "jwtService@cbSecurity" ).attempt( "test", "test" );
+					var thisToken = variables.jwtService.attempt( "test", "test" );
 					getRequestContext().setValue( "x-auth-token", thisToken );
 
 					var event = execute( route = "/api/secure", renderResults = true );
 					expect( event.getCurrentEvent() ).toBe( "api:secure.index" );
 				} );
 			} );
+
+
+			story( "I want to invalidate all tokens in the storage", function(){
+				given( "a valid jwt token and a invalidate all is issued", function(){
+					then( "the storage should be empty", function(){
+						var thisToken = variables.jwtService.attempt( "test", "test" );
+						expect( variables.jwtService.getTokenStorage().size() ).toBeGT( 0 );
+
+						variables.jwtService.invalidateAll();
+						expect( variables.jwtService.getTokenStorage().size() ).toBe( 0 );
+					} );
+				} );
+			} );
+
 		} );
 	}
 
 	private function getInvalidUserToken(){
 		var timestamp = now();
 		var userId    = 123;
-		var service   = getInstance( "jwtService@cbsecurity" );
+		var service   = variables.jwtService;
 		var payload   = {
 			// Issuing authority
 			"iss"    : service.getSettings().jwt.issuer,