From 8a1882be3c1b354ec189c09315e7442cf983e370 Mon Sep 17 00:00:00 2001
From: Vyacheslav Matyukhin
Date: Sun, 5 Mar 2023 18:55:04 -0600
Subject: [PATCH 1/2] new dev credentials, support for RS256
---
 config/initializers/knock.rb | 14 ++++++++++++--
 config/secrets.yml | 4 ++--
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/config/initializers/knock.rb b/config/initializers/knock.rb
index 01e0b55..05aa370 100644
--- a/config/initializers/knock.rb
+++ b/config/initializers/knock.rb
@@ -49,7 +49,6 @@
 ##
 ## Default:
 # config.token_public_key = nil
- config.token_audience = -> { Rails.application.secrets.auth0_client_id }
 ## Exception Class
 ## ---------------
@@ -58,5 +57,16 @@
 ##
 ## Default:
 # config.not_found_exception_class_name = 'ActiveRecord::RecordNotFound'
- config.token_secret_signature_key = -> { JWT.base64url_decode Rails.application.secrets.auth0_client_secret }
+
+ if Rails.application.secrets.auth0_rsa_domain
+ config.token_signature_algorithm = 'RS256'
+ jwks_raw = Net::HTTP.get URI(Rails.application.secrets.auth0_rsa_domain)
+ jwks_keys = Array(JSON.parse(jwks_raw)['keys'])
+ config.token_public_key = OpenSSL::X509::Certificate.new(Base64.decode64(jwks_keys[0]['x5c'].first)).public_key
+ else
+ config.token_signature_algorithm = 'HS256'
+ config.token_secret_signature_key = -> { JWT.base64url_decode Rails.application.secrets.auth0_client_secret }
+ end
+
+ config.token_audience = -> { Rails.application.secrets.auth0_client_id }
 end
diff --git a/config/secrets.yml b/config/secrets.yml
index 8e766dc..e9619b6 100644
--- a/config/secrets.yml
+++ b/config/secrets.yml
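Review bot: The RS256 branch pins whichever key happens to be listed first in the JWKS at boot (`jwks_keys[0]['x5c'].first`), with no `kid` or `use` match and no refresh, so a key rotation on the Auth0 side breaks all token verification until the process restarts, and an empty `keys` array raises NoMethodError inside the initializer. The fetch is also an unguarded `Net::HTTP.get` during boot, so a transient outage of the JWKS endpoint stops the app from starting at all rather than failing closed at request time. If knock's static `token_public_key` is kept, at least pick the signing key explicitly and fail with a clear message: `signing_key = jwks_keys.find { |k| k['use'] == 'sig' } || raise("no RS256 signing key in JWKS")` followed by `config.token_public_key = OpenSSL::X509::Certificate.new(Base64.decode64(signing_key['x5c'].first)).public_key`; a per-request lookup by `kid` with a cached, periodically refreshed JWKS would be the robust form, but whether knock's configuration allows a dynamic public key is not visible from this hunk. The enclosing `Knock.setup do |config|` block starts outside the hunk.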
@@ -13,9 +13,9 @@
 #I use a development account on auth0.
 development:
 secret_key_base: 18451581609752ad653f43e9214e87978cf06fdc04daebad9faa2daf9023f4a892efe61a1448b559c55ae343841b5aa873c36478e325c44d9ef0a2c61682e50d
- auth0_client_id: X0m2PZEyAOqhtLY1Qz9mdetHzQcDsG8U
- auth0_client_secret: B9cx35Lqlejy2ORT2wR-qKVcXCaJEv41enflXTMxUUl383WpEFbwT18IdguGIuw7
+ auth0_client_id: hNPSROXtn9Ohg4Pa9ijLxAbvbIEJjFJN
 auth0_api_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJUWnBQRXp5eWpQbTN2VmdSdU9yQjJTakRTVnhFdnJiSCIsInNjb3BlcyI6eyJ1c2VycyI6eyJhY3Rpb25zIjpbImNyZWF0ZSIsInJlYWQiXX0sInVzZXJfdGlja2V0cyI6eyJhY3Rpb25zIjpbImNyZWF0ZSJdfX0sImlhdCI6MTQ2NDMxNTQ1OSwianRpIjoiODlkZjExNzE5ODc2Zjk0MjI0NzkyMzBmYjcwMzJhMTMifQ.lXofGmhVsIbjuhp0cst_DO6JhUWhJJWfj9FiP4uip1c
+ auth0_rsa_domain: https://guesstimate-development.auth0.com/.well-known/jwks.json
 auth0_api_domain: guesstimate-development.auth0.com
 auth0_connection: Username-Password-Authentication
 algolia_application_id: M629R9UGSG
From f526cea8d374e11866f5de5222ed777baa737020 Mon Sep 17 00:00:00 2001
From: Vyacheslav Matyukhin
Date: Fri, 1 Mar 2024 17:52:00 -0600
Subject: [PATCH 2/2] auth0 audience and other small changes
---
 Gemfile.lock | 4 ++++
 app/models/space.rb | 1 +
 config/initializers/knock.rb | 3 +--
 config/secrets.yml | 3 ++-
 4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index e3afbdf..61b12dd 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -141,6 +141,7 @@ GEM
 mime-types-data (~> 3.2015)
 mime-types-data (3.2022.0105)
 mini_mime (1.1.2)
+ mini_portile2 (2.8.5)
 minitest (5.15.0)
 multi_json (1.15.0)
 multipart-post (2.1.1)
@@ -148,6 +149,9 @@ GEM
 connection_pool (~> 2.2)
 netrc (0.11.0)
 nio4r (2.5.8)
+ nokogiri (1.13.7)
+ mini_portile2 (~> 2.8.0)
+ racc (~> 1.4)
 nokogiri (1.13.7-x86_64-linux)
 racc (~> 1.4)
 pg (1.4.1)
diff --git a/app/models/space.rb b/app/models/space.rb
index e3f0146..b4887c5 100644
--- a/app/models/space.rb
+++ b/app/models/space.rb
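Review bot: The development block still commits a live `auth0_api_token` (a signed JWT) next to the new `auth0_client_id`, and the removed `auth0_client_secret` remains recoverable from git history; rotating it on the Auth0 side, as the commit title implies, is the right response, and the token that stays in the file deserves the same treatment. The production section of this same file already reads every Auth0 value from `ENV`, so the development block could follow suit (`auth0_api_token: <%= ENV["AUTH0_API_TOKEN"] %>`) with the real value kept in an untracked local file or encrypted credentials. Separately, `auth0_rsa_domain` holds a full JWKS URL rather than a domain; a name such as `auth0_jwks_url` would make the initializer's `URI(...)` call self-explanatory.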
@@ -227,6 +227,7 @@ def take_screenshots
 Net::HTTP.get URI.parse(get_screenshot_url(false, true))
 end
+ # Unused - we don't use prerender.io anymore, token is not configured
 def recache_html
 uri = URI.parse('http://api.prerender.io')
 http = Net::HTTP.new(uri.host, uri.port)
diff --git a/config/initializers/knock.rb b/config/initializers/knock.rb
index 05aa370..c466b4e 100644
--- a/config/initializers/knock.rb
+++ b/config/initializers/knock.rb
@@ -20,7 +20,6 @@
 ## Default:
 # config.token_audience = nil
- ## If using Auth0, uncomment the line below
 # config.token_audience = -> { Rails.application.secrets.auth0_client_id }
 ## Signature algorithm
@@ -68,5 +67,5 @@
 config.token_secret_signature_key = -> { JWT.base64url_decode Rails.application.secrets.auth0_client_secret }
 end
- config.token_audience = -> { Rails.application.secrets.auth0_client_id }
+ config.token_audience = -> { Rails.application.secrets.auth0_audience }
 end
diff --git a/config/secrets.yml b/config/secrets.yml
index e9619b6..6d4f9fc 100644
--- a/config/secrets.yml
+++ b/config/secrets.yml
@@ -13,7 +13,7 @@
 #I use a development account on auth0.
 development:
 secret_key_base: 18451581609752ad653f43e9214e87978cf06fdc04daebad9faa2daf9023f4a892efe61a1448b559c55ae343841b5aa873c36478e325c44d9ef0a2c61682e50d
- auth0_client_id: hNPSROXtn9Ohg4Pa9ijLxAbvbIEJjFJN
+ auth0_audience: http://localhost:4000
 auth0_api_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJUWnBQRXp5eWpQbTN2VmdSdU9yQjJTakRTVnhFdnJiSCIsInNjb3BlcyI6eyJ1c2VycyI6eyJhY3Rpb25zIjpbImNyZWF0ZSIsInJlYWQiXX0sInVzZXJfdGlja2V0cyI6eyJhY3Rpb25zIjpbImNyZWF0ZSJdfX0sImlhdCI6MTQ2NDMxNTQ1OSwianRpIjoiODlkZjExNzE5ODc2Zjk0MjI0NzkyMzBmYjcwMzJhMTMifQ.lXofGmhVsIbjuhp0cst_DO6JhUWhJJWfj9FiP4uip1c
 auth0_rsa_domain: https://guesstimate-development.auth0.com/.well-known/jwks.json
 auth0_api_domain: guesstimate-development.auth0.com
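Review bot: Annotating `recache_html` as unused leaves dead code that still opens a plaintext `http://api.prerender.io` connection if anything ever calls it; if there are no callers, deleting the method is safer than commenting it, and if it must stay the comment should say why it is kept, e.g. `# Kept for reference only: the prerender.io integration was removed and the token is no longer configured; do not call`. The rest of the method body, including wherever the prerender token would have been read, lies outside the hunk.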
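Review bot: `config.token_audience = -> { Rails.application.secrets.auth0_audience }` is a lambda and therefore always truthy, so the audience check is switched on even where `auth0_audience` resolves to nil; in the production section of config/secrets.yml changed by this same commit the value comes from `ENV["AUTH0_AUDIENCE"]`, which is nil when the variable is unset, and what knock does with a nil expected audience (reject everything or skip the `aud` check) is not visible here. Either outcome is worse than failing at boot, so add `raise "auth0_audience is not configured" if Rails.application.secrets.auth0_audience.blank?` before this line, or use `ENV.fetch("AUTH0_AUDIENCE")` in secrets.yml, so the misconfiguration surfaces at deploy time. The commented example `# config.token_audience = -> { Rails.application.secrets.auth0_client_id }` left in the first hunk of this file now documents the old key and should be updated to `auth0_audience` or removed. The enclosing `Knock.setup` block begins outside the hunk.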
@@ -44,6 +44,7 @@ test:
 # instead read values from the environment.
 production:
 secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
+ auth0_audience: <%= ENV["AUTH0_AUDIENCE"] %>
 auth0_client_id: <%= ENV["AUTH0_CLIENT_ID"] %>
 auth0_client_secret: <%= ENV["AUTH0_CLIENT_SECRET"] %>
 auth0_api_token: <%= ENV["AUTH0_API_TOKEN"] %>