ring-jwt-middleware.core


accepted-by-scopes (clj)

(accepted-by-scopes required scopes)

Scopes should be strings. If none of the strings contains a `/` or a `:`, the check works as a plain subset test:

:scopes #{"foo" "bar"}

Only users whose scopes are a superset of #{"foo" "bar"} will be allowed to use the route.

Otherwise scopes are treated as paths with read/write access, so "foo/bar/baz:read" is a sub-scope of "foo" and of "foo:read".

So the more precise access rule is: every required scope must be a sub-scope of at least one of the user's scopes.

authorize-no-jwt-header-strategy (clj)

Authorize all requests, even those with no Auth header.

check-identity-filter! (clj)

(check-identity-filter! required identity)

check-jwt-expiry (clj)

(check-jwt-expiry jwt jwt-max-lifetime-in-sec long-lived-jwt?)

Return a string if the JWT expiration check fails, nil otherwise.

check-jwt-filter! (clj)

(check-jwt-filter! required jwt)

check-scopes (clj)

(check-scopes required scopes)

This function may be useful to call directly instead of relying only on the :scope option.

check-scopes! (clj)

(check-scopes! required identity)

decode (clj)

(decode token pubkey)

Given a JWT, return an Auth hash-map.

default-jwt-lifetime-in-sec (clj)

forbid-no-jwt-header-strategy (clj)

(forbid-no-jwt-header-strategy handler)

Forbid all requests with no Auth header.

get-jwt (clj)

(get-jwt req)

Get the JWT from a ring request.

hr-duration (clj)

(hr-duration t)

Given a duration in ms, return a human-readable string.

jwt->oauth-ids (clj)

(jwt->oauth-ids prefix jwt)

Can be used as post-jwt-format-fn.

This is an example function for a JWT whose claims look like:

- :sub
- "<prefix>/scopes"
- "<prefix>/org/id"
- "<prefix>/oauth/client/id"

It is a generic format for what an access token should provide:

- user-id, client-id, scopes
- org-id

It mainly transforms a list of <prefix>/foo/bar/baz values into a deeply nested map. For example:

~~~clojure
(sut/jwt->oauth-ids
        "http://example.com/claims"
        {:sub "user-id"
         "http://example.com/claims/scopes" ["scope1" "scope2"]
         "http://example.com/claims/user/id" "user-id"
         "http://example.com/claims/user/name" "John Doe"
         "http://example.com/claims/user/email" "john.doe@dev.null"
         "http://example.com/claims/user/idp/id" "iroh"
         "http://example.com/claims/user/idp/name" "Visibility"
         "http://example.com/claims/org/id" "org-id"
         "http://example.com/claims/org/name" "ACME Inc."
         "http://example.com/claims/oauth/client/id" "client-id"
         "http://example.com/claims/oauth/kind" "code"})

=> {:user {:idp {:name "Visibility"
                 :id "iroh"},
           :name "John Doe",
           :email "john.doe@dev.null",
           :id "user-id"}
    :oauth {:kind "code"
            :client {:id "client-id"}},
    :org   {:name "ACME Inc."
            :id "org-id"},
    :scopes #{"scope1" "scope2"}}
~~~

jwt->user-id (clj)

(jwt->user-id jwt)

Can be used as post-jwt-format-fn.

jwt-expiry-ms (clj)

(jwt-expiry-ms jwt-created jwt-max-lifetime-in-sec)

Given a JWT and a lifetime, calculate when it expires.

log-and-refuse (clj)

(log-and-refuse error-log-msg error-msg)

Return an `unauthorized` HTTP response and log the error along with debug info.

match-access (clj)

(match-access required-access access)

match-scope (clj)

(match-scope required-scope scope)

no-long-lived-jwt (clj)

no-revocation-strategy (clj)

sub-hash? (clj)

(sub-hash? m1 m2)

Return true if the 1st hashmap is a sub-hashmap of the second.

Note that if some value is a collection, then only check whether the corresponding value in the first hashmap is a sub-collection.

~~~clojure
> (sub-hash? {:foo 1 :bar 2} {:foo 1 :bar 2 :baz 3})
true
> (sub-hash? {:foo 1 :bar #{2 3}} {:foo 1 :bar #{1 2 3 4} :baz 3})
true
> (sub-hash? {:foo 1 :bar 2} {:foo 1})
false
> (sub-hash? {:foo 1 :bar 2} {:foo 1 :bar 3})
false
~~~

sub-list (clj)

(sub-list req-list scope-path-list)

to-scope-repr (clj)

(to-scope-repr txt)

Transform a textual scope into an internal representation to help check rules, typically:

~~~clojure
> "foo"
{:path ["foo"]
 :access #{:read :write}}

> "foo/bar/baz:write"
{:path ["foo" "bar" "baz"]
 :access #{:write}}
~~~
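The two docstrings above (`accepted-by-scopes` and `to-scope-repr`) together define the scope rule: parse "foo/bar/baz:read" into a path plus an access set, then require every mandatory scope to be covered by at least one user scope. The following is an added example, not the library's own code, that re-implements that rule stand-alone so the edge cases can be exercised: `parse-scope`, `sub-scope?` and `accepted-by-scopes?` are hypothetical names, and the decision to treat an unknown access suffix as granting nothing is this example's own assumption, not documented behaviour of ring-jwt-middleware.

```clojure
;; Added example, not the library's own code: a stand-alone re-implementation of
;; the scope rule described for to-scope-repr and accepted-by-scopes. The names
;; parse-scope, sub-scope? and accepted-by-scopes? are hypothetical.
(ns scope-rule-demo
  (:require [clojure.string :as str]))

(defn parse-scope
  "Textual scope -> {:path [...] :access #{...}}, e.g.
   \"foo\"               -> {:path [\"foo\"] :access #{:read :write}}
   \"foo/bar/baz:write\" -> {:path [\"foo\" \"bar\" \"baz\"] :access #{:write}}"
  [txt]
  (let [[path-part access-part] (str/split txt #":" 2)
        path   (vec (remove str/blank? (str/split path-part #"/")))
        access (case access-part
                 nil     #{:read :write}   ; no suffix grants both accesses
                 "read"  #{:read}
                 "write" #{:write}
                 ;; Assumption of this example: an unknown suffix grants nothing,
                 ;; so a malformed scope can never satisfy a requirement.
                 #{})]
    {:path path :access access}))

(defn sub-scope?
  "True when `required` is covered by `granted`: the granted path must be a
   prefix (segment-wise, not string-wise) of the required path, and every
   access the requirement asks for must be granted."
  [required granted]
  (let [{rp :path ra :access} required
        {gp :path ga :access} granted]
    (boolean
     (and (seq ra)                          ; a requirement with no access is never met
          (<= (count gp) (count rp))
          (= gp (subvec rp 0 (count gp)))
          (every? ga ra)))))

(defn accepted-by-scopes?
  "Every required scope must be a sub-scope of at least one user scope."
  [required user-scopes]
  (let [granted (map parse-scope user-scopes)]
    (every? (fn [req]
              (let [r (parse-scope req)]
                (boolean (some #(sub-scope? r %) granted))))
            required)))

(defn -main [& _]
  ;; Constructed sample scopes. Plain scopes (no "/" or ":") behave as a subset test.
  (assert (accepted-by-scopes? #{"foo" "bar"} #{"foo" "bar" "baz"}))
  (assert (not (accepted-by-scopes? #{"foo" "bar"} #{"foo"})))
  ;; Path scopes: a broader grant covers a narrower requirement ...
  (assert (accepted-by-scopes? #{"foo/bar/baz:read"} #{"foo"}))
  (assert (accepted-by-scopes? #{"foo/bar/baz:read"} #{"foo:read"}))
  ;; ... but never the other way round, and the access part is checked too.
  (assert (not (accepted-by-scopes? #{"foo"} #{"foo/bar"})))
  (assert (not (accepted-by-scopes? #{"foo/bar/baz:read"} #{"foo:write"})))
  ;; Segment-wise prefix: "foobar" must not cover "foo".
  (assert (not (accepted-by-scopes? #{"foo"} #{"foobar"})))
  (println "scope rule behaves as documented"))
```

The segment-wise prefix comparison is the detail worth keeping in mind when wiring `:scopes` into a route: a string-prefix match would let a grant on "foobar" satisfy a requirement on "foo", whereas comparing path vectors keeps "foo" and "foobar" distinct.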

validate-jwt (clj)

(validate-jwt jwt jwt-max-lifetime-in-sec)
(validate-jwt jwt jwt-max-lifetime-in-sec jwt-check-fn long-lived-jwt?)

Run both the expiration and user checks; return a vec of errors or nothing.

wrap-jwt-auth-fn (clj)

(wrap-jwt-auth-fn {:keys [pubkey-path is-revoked-fn jwt-check-fn
                          jwt-max-lifetime-in-sec post-jwt-format-fn
                          no-jwt-handler long-lived-jwt?]
                   :or {jwt-max-lifetime-in-sec default-jwt-lifetime-in-sec
                        is-revoked-fn no-revocation-strategy
                        post-jwt-format-fn jwt->user-id
                        no-jwt-handler forbid-no-jwt-header-strategy
                        long-lived-jwt? no-long-lived-jwt}})

Wrap a ring handler with a JWT check.
