eparreno / rack-jwt Goto Github PK

reported by @Morred

https://github.com/eigenbart/rack-jwt/issues/9

Hi there,

First of all, thanks for writing this gem, it's super useful!

I guess this one is more like a feature request, I'm looking for a way to customize the format of the error responses of the Auth class.

Every time something fails, it will automatically return a 401 response with the error body format that is hardcoded into this method, so currently I'm just monkeypatching the return_error method to build the error body into the format I need.

Is a general, more flexible way to format the error responses something you would consider adding to this gem?

Is there an easy way to have rack-jwt read the token from cookies headers instead of just Bearer?

I read several articles and discussions about where to store securely JWTs, and it appears the consensus is don't store in localstorage, instead use cookies with secure flags.

Is there a release planned for the latest additions?

I was putting rack-jwt in a project that has depedency rack ~> 2.2 and bundler complains that there is a dependency issue.

% bundle
Fetching gem metadata from https://rubygems.org/...............
Resolving dependencies...
Bundler could not find compatible versions for gem "rack":
  In Gemfile:
    rack (~> 2.2)

    rack-jwt (~> 0.5) was resolved to 0.5.0, which depends on
      rack (~> 2.0.0)

The rack dependency on rubygems shows rack ~> 2.0.0 but the rack dependency in both the github tagged release and in the current repo show no version dependency on rack at all.

% gem dependency -r 'rack-jwt'
Gem rack-jwt-0.5.0
  bundler (~> 1.16.2, development)
  jwt (~> 2.1.0)
  rack (~> 2.0.0)
  rack-test (~> 1.0.0, development)
  rake (~> 12.0.0, development)
  rbnacl (~> 6.0.1, development)
  rspec (~> 3.8.0, development)
  simplecov (~> 0.16.0, development)

I pulled down the gem file directly from rubygems, and check the specification in gem file itself and the dependency is `rack ~> '2.0.0'

% gem fetch rack-jwt -v 0.5.0
Downloaded rack-jwt-0.5.0

% gem specification -l ./rack-jwt-0.5.0.gem
...
- !ruby/object:Gem::Dependency
  name: rack
  requirement: !ruby/object:Gem::Requirement
    requirements:
    - - "~>"
      - !ruby/object:Gem::Version
        version: 2.0.0
  type: :runtime
  prerelease: false
  version_requirements: !ruby/object:Gem::Requirement
    requirements:
    - - "~>"
      - !ruby/object:Gem::Version
        version: 2.0.0
...

I'm assuming that this is not the intended dependency, specially since the 0.4.0 version was rack >= 1.6.0 and there is no commit in the repo setting the rack dependency to ~> 2.0.0.

I would assume that a release of a 0.5.1 with the right dependency would solve this.

Thanks.

Version 0.5 is incompatible with later versions of Rack. Rack 2.0.x contains security issues. The latest master fixes this problem. Can you please release v0.5.1/0.6?

In #10 the JWT version pin in the Gemspec was changed from '~> 2.0' to '~> 2.1.0'.

This has caused a bundle update to roll back the jwt gem in my project from 2.2.1 to 2.1.0, rolling back a number of features and bug fixes in that gem. It seems like this pin should be ~> 2.1 to allow automatic minor version upgrades. Is there a reason the gemspec is pinning on major.minor and only allowing patch upgrades of the jwt gem?

Hi!

If you try to depend on ruby-jwt 2.1, will it break something?