new dev credentials, support for RS256

Gemfile.lock

@@ -141,13 +141,17 @@ GEM
       mime-types-data (~> 3.2015)
     mime-types-data (3.2022.0105)
     mini_mime (1.1.2)
+    mini_portile2 (2.8.5)
     minitest (5.15.0)
     multi_json (1.15.0)
     multipart-post (2.1.1)
     net-http-persistent (4.0.1)
       connection_pool (~> 2.2)
     netrc (0.11.0)
     nio4r (2.5.8)
+    nokogiri (1.13.7)
+      mini_portile2 (~> 2.8.0)
+      racc (~> 1.4)
     nokogiri (1.13.7-x86_64-linux)
       racc (~> 1.4)
     pg (1.4.1)

app/models/space.rb

@@ -227,6 +227,7 @@ def take_screenshots
     Net::HTTP.get URI.parse(get_screenshot_url(false, true))
   end
 
+  # Unused - we don't use prerender.io anymore, token is not configured
   def recache_html
     uri = URI.parse('http://api.prerender.io')
     http = Net::HTTP.new(uri.host, uri.port)

config/initializers/knock.rb

@@ -20,7 +20,6 @@
   ## Default:
   # config.token_audience = nil
 
-  ## If using Auth0, uncomment the line below
   # config.token_audience = -> { Rails.application.secrets.auth0_client_id }
 
   ## Signature algorithm
@@ -49,7 +48,6 @@
   ##
   ## Default:
   # config.token_public_key = nil
-  config.token_audience = -> { Rails.application.secrets.auth0_client_id }
 
   ## Exception Class
   ## ---------------
@@ -58,5 +56,16 @@
   ##
   ## Default:
   # config.not_found_exception_class_name = 'ActiveRecord::RecordNotFound'
-   config.token_secret_signature_key = -> { JWT.base64url_decode Rails.application.secrets.auth0_client_secret }
+
+  if Rails.application.secrets.auth0_rsa_domain
+    config.token_signature_algorithm = 'RS256'
+    jwks_raw = Net::HTTP.get URI(Rails.application.secrets.auth0_rsa_domain)
+    jwks_keys = Array(JSON.parse(jwks_raw)['keys'])
+    config.token_public_key = OpenSSL::X509::Certificate.new(Base64.decode64(jwks_keys[0]['x5c'].first)).public_key
+  else
+    config.token_signature_algorithm = 'HS256'
+    config.token_secret_signature_key = -> { JWT.base64url_decode Rails.application.secrets.auth0_client_secret }
+  end
+
+  config.token_audience = -> { Rails.application.secrets.auth0_audience }
 end

config/secrets.yml

@@ -13,9 +13,9 @@
 #I use a development account on auth0.
 development:
   secret_key_base: 18451581609752ad653f43e9214e87978cf06fdc04daebad9faa2daf9023f4a892efe61a1448b559c55ae343841b5aa873c36478e325c44d9ef0a2c61682e50d
-  auth0_client_id: X0m2PZEyAOqhtLY1Qz9mdetHzQcDsG8U
-  auth0_client_secret: B9cx35Lqlejy2ORT2wR-qKVcXCaJEv41enflXTMxUUl383WpEFbwT18IdguGIuw7
+  auth0_audience: http://localhost:4000
   auth0_api_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJUWnBQRXp5eWpQbTN2VmdSdU9yQjJTakRTVnhFdnJiSCIsInNjb3BlcyI6eyJ1c2VycyI6eyJhY3Rpb25zIjpbImNyZWF0ZSIsInJlYWQiXX0sInVzZXJfdGlja2V0cyI6eyJhY3Rpb25zIjpbImNyZWF0ZSJdfX0sImlhdCI6MTQ2NDMxNTQ1OSwianRpIjoiODlkZjExNzE5ODc2Zjk0MjI0NzkyMzBmYjcwMzJhMTMifQ.lXofGmhVsIbjuhp0cst_DO6JhUWhJJWfj9FiP4uip1c
+  auth0_rsa_domain: https://guesstimate-development.auth0.com/.well-known/jwks.json
   auth0_api_domain: guesstimate-development.auth0.com
   auth0_connection: Username-Password-Authentication
   algolia_application_id: M629R9UGSG
@@ -44,6 +44,7 @@ test:
 # instead read values from the environment.
 production:
   secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
+  auth0_audience: <%= ENV["AUTH0_AUDIENCE"] %>
   auth0_client_id: <%= ENV["AUTH0_CLIENT_ID"] %>
   auth0_client_secret: <%= ENV["AUTH0_CLIENT_SECRET"] %>
   auth0_api_token: <%= ENV["AUTH0_API_TOKEN"] %>