Skip to content

duhruh/hotel

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
lib
lib
 
 
spec
spec
 
 
.editorconfig
.editorconfig
 
 
.gitignore
.gitignore
 
 
.rubocop.yml
.rubocop.yml
 
 
.travis.yml
.travis.yml
 
 
Gemfile
Gemfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
Rakefile
Rakefile
 
 
hotel.gemspec
hotel.gemspec
 
 

Repository files navigation

Hotel

Helps you manage all of those keys you're giving out.

Build Status Code Climate Inline docs

Setup

  • run rails g hotel:install
  • edit the file found at config/initializers/hotel.rb
  • add a config/redis.yml keyed with the application environment, these options will be piped directly to Redis.new
production:
  ...
development:
  ...
  • u dun

Basic Usage

Here are the basic methods you can call to perform various operations

Hotel.token.generate(your_custom_claim_hash)

Hotel.token.invalidate(some_token)

Hotel.token.refresh(token)

Hotel.token.validate(token)

Hotel.token.validate!(token)

Hotel.token.valid?(token)

How invalidation happens

JSON Web Tokens by nature cannot be invalidated, there are few methods for rotating out compromised ones such as

  • shortening the time to expire
  • storing a whitelist of issued tokens in your DDL
  • tracking which tokens you've issued to who
These solutions to me all seemed lame, shortening the time to expiry means you are rotating out good non-compromised keys more frequently possibly running into situations causing your users to have to re-login, which is bad for obvious reasons. Storing a whitelist in your DDL also doesn't make sense because the point of JWT is the minimize the hits to the DDL by letting you store your own claims, like user permissions, and by being able to validate it without the need for any DB call. Lastly tracking issued JWT's also makes no sense. The point of them is to be able to issue them to anything an android phone, a web browser, a toaster it doesn't matter. It's suppose to account for scaling so you're suppose to be able to issue as many as need be. Then authenticate them on any web head. Tracking issued ones just causes more DB lookups to happen and the need for more database synchronization (running into the [CAP](https://en.wikipedia.org/wiki/CAP_theorem))

So I made Hotel. The way we invalidate tokens is by storing a blacklist of compromised tokens in redis. Tokens only need to be stored until their expiry, after that they are, well, expired and no longer need to be tracked. Redis provides a nice feature called expire. So all we have to do is set the redis expiry for the record equal to the difference of the tokens expiry and the current time.

This approach provides for nice self cleaning records and doesn't require any change to your DDL.

About

Redis backed JWT in/validation

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

2 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages