Comments (3)
@dtakeshta your example is valid and correct; I'll try to explain the meaning of support for any model.

First of all, this library does not enforce any business logic. It does provide a basic authentication flow, but the overall design and purpose are not reflected through this example.

Based on your example, both models use integer primary keys, and since `to_jwt` and `from_jwt` use the primary key to set the JWT subject, this means that any record with an integer value that matches the other record's primary key will return the relevant record.

You can change this default behavior by overwriting your `to_jwt` and `from_jwt` methods to be model-specific (in the end these are a very light wrapper around `OTP::JWT::Token`).
Consider this:

```ruby
require 'active_support/concern'

module CustomAuth
  extend ActiveSupport::Concern

  # Issue a token whose private `scope` claim names the model that owns the record.
  def to_jwt(_claims = nil)
    OTP::JWT::Token.sign(sub: self.id, scope: self.class.name.underscore)
  end

  class_methods do
    # Resolve a token only when its scope matches this model; otherwise return nil.
    def from_jwt(token, _claim_name = nil)
      OTP::JWT::Token.decode(token) do |payload|
        return if payload['scope'] != self.name.underscore
        self.find_by(self.primary_key => payload['sub'])
      end
    end
  end
end
```
Now you can replace the `OTP::JWT::ActiveRecord` mixin with your own custom mixin with support for the private claim `scope`.

A bit more context... JWT does not provide rules on how claims should be used except for the registered ones. The introduction of new claims is application/business specific, and with this library I'm trying to keep things as generic as possible, but offer enough flexibility to implement custom authentication mechanisms.

How am I using this library without the extra claims? I use UUIDs as primary key values.

@dtakeshta let me know if this helps. In the meantime I will explore the idea of providing the mixin I shared with you as part of the included mixins, if you think this is something that will help.

Thanks for filing the issue!
from otp-jwt.
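To make the collision described above concrete, here is an added, self-contained example (not code from the otp-jwt project): a minimal HS256 JWT signer/verifier built on Ruby's stdlib stands in for `OTP::JWT::Token`, two in-memory classes stand in for ActiveRecord models with integer primary keys, and `downcase` stands in for ActiveSupport's `underscore`. A `User` token with a bare `sub` claim resolves an `Admin` record with the same id, while the scoped variant refuses it.

```ruby
require 'openssl'
require 'json'
require 'base64'

SECRET = 'constructed-demo-secret'.freeze # constructed for this example only

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Minimal HS256 JWT signer/verifier on the stdlib, standing in for OTP::JWT::Token.
def jwt_sign(claims)
  head = b64url({ alg: 'HS256', typ: 'JWT' }.to_json)
  body = b64url(claims.to_json)
  sig = b64url(OpenSSL::HMAC.digest('SHA256', SECRET, "#{head}.#{body}"))
  "#{head}.#{body}.#{sig}"
end

def jwt_decode(token)
  head, body, sig = token.split('.')
  expected = b64url(OpenSSL::HMAC.digest('SHA256', SECRET, "#{head}.#{body}"))
  return nil unless sig && sig.bytesize == expected.bytesize
  diff = 0
  sig.bytes.zip(expected.bytes) { |a, b| diff |= a ^ b } # constant-time compare
  diff.zero? ? JSON.parse(Base64.urlsafe_decode64(body)) : nil
end

# In-memory stand-ins for two ActiveRecord models that both use integer primary keys.
class Record
  attr_reader :id
  def initialize(id); @id = id; end
  def self.store; @store ||= {}; end          # one "table" per subclass
  def self.create(id); store[id] = new(id); end
  def self.find_by_id(id); store[id]; end
end
class User < Record; end
class Admin < Record; end

# Default behaviour: the subject is only the primary key, so it resolves in any model.
def naive_to_jwt(record); jwt_sign(sub: record.id); end
def naive_from_jwt(model, token)
  payload = jwt_decode(token)
  payload && model.find_by_id(payload['sub'])
end

# Scoped behaviour from the comment above: a private `scope` claim names the model.
def scoped_to_jwt(record); jwt_sign(sub: record.id, scope: record.class.name.downcase); end
def scoped_from_jwt(model, token)
  payload = jwt_decode(token)
  return nil unless payload && payload['scope'] == model.name.downcase
  model.find_by_id(payload['sub'])
end
```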
Hi @stas,

Thanks for the quick reply! This makes sense; I guess I wasn't thinking through this very clearly. Using UUIDs would avoid this issue completely. I agree with your approach to keep things as generic as possible. I think having this issue should provide a bit more context if someone runs into this in the future. I have very little experience with JWTs, so maybe my inexperience is why I ended up with this problem. I will go ahead and close this issue.
Thanks @dtakeshta! Still, I'll be happy to explore a solution for non-UUID entities. Will keep this issue updated once I come up with something...