diff --git a/CHANGELOG.md b/CHANGELOG.md index de77720..fbd6a9f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -44,7 +44,7 @@ ### 0.2.0 - 2019-04-27 * Features - * Added configurable option to blacklist JWT access token on refreshing as requested in this + * Added configurable option to revoke JWT access token on refreshing as requested in this [issue comment](https://github.com/Gokul595/api_guard/issues/8#issuecomment-477436164). ### 0.1.3 - 2019-03-26 diff --git a/README.md b/README.md index 2ffd466..4d9b05c 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ [![Maintainability](https://api.codeclimate.com/v1/badges/ced3e74a26a66ed915cb/maintainability)](https://codeclimate.com/github/Gokul595/api_guard/maintainability) -[JSON Web Token (JWT)](https://jwt.io/) based authentication solution with token refreshing & blacklisting for APIs +[JSON Web Token (JWT)](https://jwt.io/) based authentication solution with token refreshing & revocation for APIs built on Rails. This is built using [Ruby JWT](https://github.com/jwt/ruby-jwt) gem. Currently API Guard supports only HS256 algorithm @@ -30,7 +30,7 @@ for cryptographic signing. * [Access token signing secret](#access-token-signing-secret) * [Invalidate tokens on password change](#invalidate-tokens-on-password-change) * [Token refreshing](#token-refreshing) - * [Token blacklisting](#token-blacklisting) + * [Token revocation](#token-revocation) * [Overriding defaults](#overriding-defaults) * [Controllers](#controllers) * [Routes](#routes) @@ -299,8 +299,8 @@ The response headers for this request will be same as [registration API](#regist ### Sign out -You can use this request to sign out an user. This will blacklist the current access token from future use if -[token blacklisting](#token-blacklisting) configured. +You can use this request to sign out an user. This will revoke the current access token from future use if +[token revocation](#token-revocation) configured. Example request: 
@@ -377,9 +377,9 @@ ApiGuard.setup do |config| # Default: false # config.invalidate_old_tokens_on_password_change = false - # Blacklist JWT access token after refreshing + # Revoke JWT access token after refreshing # Default: false - # config.blacklist_token_after_refreshing = false + # config.revoke_token_after_refreshing = false end ``` @@ -461,25 +461,25 @@ class User < ApplicationRecord end ``` -If you also have token blacklisting enabled you need to specify both associations as below +If you also have token revocation enabled you need to specify both associations as below ```ruby -api_guard_associations refresh_token: 'refresh_tokens', blacklisted_token: 'blacklisted_tokens' +api_guard_associations refresh_token: 'refresh_tokens', revoked_token: 'revoked_tokens' ``` -### Token blacklisting +### Token revocation -To include token blacklisting in your application you need to create a table to store the blacklisted tokens. This will be -used to blacklist a JWT access token from future use. The access token will be blacklisted on successful sign out of the +To include token revocation in your application you need to create a table to store the revoked tokens. This will be +used to revoke a JWT access token from future use. The access token will be revoked on successful sign out of the resource. -Use below command to create a model `BlacklistedToken` with columns to store the token and the user reference +Use below command to create a model `RevokedToken` with columns to store the token and the user reference ```bash -$ rails generate model blacklisted_token token:string user:references expire_at:datetime +$ rails generate model revoked_token token:string user:references expire_at:datetime ``` -Then, run migration to create the `blacklisted_tokens` table +Then, run migration to create the `revoked_tokens` table ```bash $ rails db:migrate 
@@ -487,33 +487,33 @@ $ rails db:migrate >**Note:** Replace `user` in the above command with your model name if your model is not User. -After creating model and table for blacklisted token configure the association in the resource model using +After creating model and table for revoked token configure the association in the resource model using `api_guard_associations` method ```ruby class User < ApplicationRecord - api_guard_associations blacklisted_token: 'blacklisted_tokens' - has_many :blacklisted_tokens, dependent: :delete_all + api_guard_associations revoked_token: 'revoked_tokens' + has_many :revoked_tokens, dependent: :delete_all end ``` If you also have token refreshing enabled you need to specify both associations as below ```ruby -api_guard_associations refresh_token: 'refresh_tokens', blacklisted_token: 'blacklisted_tokens' +api_guard_associations refresh_token: 'refresh_tokens', revoked_token: 'revoked_tokens' ``` -And, as this creates rows in `blacklisted_tokens` table you need to have a mechanism to delete the expired blacklisted +And, as this creates rows in `revoked_tokens` table you need to have a mechanism to delete the expired revoked tokens to prevent this table from growing. One option is to have a CRON job to run a task daily that deletes the -blacklisted tokens that are expired i.e. `expire_at < DateTime.now`. +revoked tokens that are expired i.e. `expire_at < DateTime.now`. -**Blacklisting after refreshing token** +**Revocation after refreshing token** -By default, the JWT access token will not be blacklisted on refreshing the JWT access token. To enable this, you can +By default, the JWT access token will not be revoked on refreshing the JWT access token. To enable this, you can configure it in API Guard initializer as below, ```ruby -config.blacklist_token_after_refreshing = true +config.revoke_token_after_refreshing = true ``` ## Overriding defaults 
diff --git a/app/controllers/api_guard/authentication_controller.rb b/app/controllers/api_guard/authentication_controller.rb index 5bb66b2..1b09dad 100644 --- a/app/controllers/api_guard/authentication_controller.rb +++ b/app/controllers/api_guard/authentication_controller.rb @@ -17,7 +17,7 @@ def create end def destroy - blacklist_token + revoke_token render_success(message: I18n.t('api_guard.authentication.signed_out')) end diff --git a/app/controllers/api_guard/passwords_controller.rb b/app/controllers/api_guard/passwords_controller.rb index 2b82830..bd87e99 100644 --- a/app/controllers/api_guard/passwords_controller.rb +++ b/app/controllers/api_guard/passwords_controller.rb @@ -10,7 +10,7 @@ def update invalidate_old_jwt_tokens(current_resource) if current_resource.update(password_params) - blacklist_token unless ApiGuard.invalidate_old_tokens_on_password_change + revoke_token unless ApiGuard.invalidate_old_tokens_on_password_change destroy_all_refresh_tokens(current_resource) create_token_and_set_header(current_resource, resource_name) diff --git a/app/controllers/api_guard/tokens_controller.rb b/app/controllers/api_guard/tokens_controller.rb index 8c621fe..f662403 100644 --- a/app/controllers/api_guard/tokens_controller.rb +++ b/app/controllers/api_guard/tokens_controller.rb @@ -11,7 +11,7 @@ def create create_token_and_set_header(current_resource, resource_name) @refresh_token.destroy - blacklist_token if ApiGuard.blacklist_token_after_refreshing + revoke_token if ApiGuard.revoke_token_after_refreshing render_success(message: I18n.t('api_guard.access_token.refreshed')) end diff --git a/lib/api_guard.rb b/lib/api_guard.rb index 043b0cd..bdb4a10 100644 --- a/lib/api_guard.rb +++ b/lib/api_guard.rb 
@@ -23,8 +23,8 @@ module Test mattr_accessor :invalidate_old_tokens_on_password_change self.invalidate_old_tokens_on_password_change = false - mattr_accessor :blacklist_token_after_refreshing - self.blacklist_token_after_refreshing = false + mattr_accessor :revoke_token_after_refreshing + self.revoke_token_after_refreshing = false mattr_accessor :api_guard_associations self.api_guard_associations = {} diff --git a/lib/api_guard/jwt_auth/authentication.rb b/lib/api_guard/jwt_auth/authentication.rb index 0593f07..a435c59 100644 --- a/lib/api_guard/jwt_auth/authentication.rb +++ b/lib/api_guard/jwt_auth/authentication.rb @@ -65,7 +65,7 @@ def define_current_resource_accessors(resource) end # Authenticate the resource with the '{{resource_name}}_id' in the decoded JWT token - # and also, check for valid issued at time and not blacklisted + # and also, check for valid issued at time and not revoked # # Also, set "current_{{resource_name}}" method and "@current_{{resource_name}}" instance variable # for accessing the authenticated resource @@ -77,7 +77,7 @@ def authenticate_token resource = find_resource_from_token(@resource_name.classify.constantize) - if resource && valid_issued_at?(resource) && !blacklisted?(resource) + if resource && valid_issued_at?(resource) && !revoked?(resource) define_current_resource_accessors(resource) end end diff --git a/lib/api_guard/jwt_auth/blacklist_token.rb b/lib/api_guard/jwt_auth/blacklist_token.rb deleted file mode 100644 index 85a3da1..0000000 --- a/lib/api_guard/jwt_auth/blacklist_token.rb +++ /dev/null 
@@ -1,35 +0,0 @@ -# frozen_string_literal: true - -module ApiGuard - module JwtAuth - # Common module for token blacklisting functionality - module BlacklistToken - def blacklisted_token_association(resource) - resource.class.blacklisted_token_association - end - - def token_blacklisting_enabled?(resource) - blacklisted_token_association(resource).present? - end - - def blacklisted_tokens_for(resource) - blacklisted_token_association = blacklisted_token_association(resource) - resource.send(blacklisted_token_association) - end - - # Returns whether the JWT token is blacklisted or not - def blacklisted?(resource) - return false unless token_blacklisting_enabled?(resource) - - blacklisted_tokens_for(resource).exists?(token: @token) - end - - # Blacklist the current JWT token from future access - def blacklist_token - return unless token_blacklisting_enabled?(current_resource) - - blacklisted_tokens_for(current_resource).create(token: @token, expire_at: Time.at(@decoded_token[:exp]).utc) - end - end - end -end diff --git a/lib/api_guard/jwt_auth/revoke_token.rb b/lib/api_guard/jwt_auth/revoke_token.rb new file mode 100644 index 0000000..fae8450 --- /dev/null +++ b/lib/api_guard/jwt_auth/revoke_token.rb 
@@ -0,0 +1,35 @@ +# frozen_string_literal: true + +module ApiGuard + module JwtAuth + # Common module for token revocation functionality + module RevokeToken + def revoked_token_association(resource) + resource.class.revoked_token_association + end + + def token_revocation_enabled?(resource) + revoked_token_association(resource).present? + end + + def revoked_tokens_for(resource) + revoked_token_association = revoked_token_association(resource) + resource.send(revoked_token_association) + end + + # Returns whether the JWT token is revoked or not + def revoked?(resource) + return false unless token_revocation_enabled?(resource) + + revoked_tokens_for(resource).exists?(token: @token) + end + + # Revoke the current JWT token from future access + def revoke_token + return unless token_revocation_enabled?(current_resource) + + revoked_tokens_for(current_resource).create(token: @token, expire_at: Time.at(@decoded_token[:exp]).utc) + end + end + end +end diff --git a/lib/api_guard/models/concerns.rb b/lib/api_guard/models/concerns.rb index 4bc8fc2..d69b716 100644 --- a/lib/api_guard/models/concerns.rb +++ b/lib/api_guard/models/concerns.rb @@ -6,20 +6,20 @@ module Concerns extend ActiveSupport::Concern class_methods do - def api_guard_associations(refresh_token: nil, blacklisted_token: nil) + def api_guard_associations(refresh_token: nil, revoked_token: nil) return if ApiGuard.api_guard_associations[name] ApiGuard.api_guard_associations[name] = {} ApiGuard.api_guard_associations[name][:refresh_token] = refresh_token - ApiGuard.api_guard_associations[name][:blacklisted_token] = blacklisted_token + ApiGuard.api_guard_associations[name][:revoked_token] = revoked_token end def refresh_token_association ApiGuard.api_guard_associations.dig(name, :refresh_token) end - def blacklisted_token_association - ApiGuard.api_guard_associations.dig(name, :blacklisted_token) + def revoked_token_association + ApiGuard.api_guard_associations.dig(name, :revoked_token) end end end 
diff --git a/lib/api_guard/modules.rb b/lib/api_guard/modules.rb index 397ac3d..0ac4b0c 100644 --- a/lib/api_guard/modules.rb +++ b/lib/api_guard/modules.rb @@ -4,7 +4,7 @@ require 'api_guard/jwt_auth/json_web_token' require 'api_guard/jwt_auth/authentication' require 'api_guard/jwt_auth/refresh_jwt_token' -require 'api_guard/jwt_auth/blacklist_token' +require 'api_guard/jwt_auth/revoke_token' require 'api_guard/response_formatters/renderer' require 'api_guard/models/concerns' @@ -15,7 +15,7 @@ module Modules include ApiGuard::JwtAuth::JsonWebToken include ApiGuard::JwtAuth::Authentication include ApiGuard::JwtAuth::RefreshJwtToken - include ApiGuard::JwtAuth::BlacklistToken + include ApiGuard::JwtAuth::RevokeToken include ApiGuard::ResponseFormatters::Renderer end diff --git a/lib/generators/api_guard/controllers/templates/authentication_controller.rb b/lib/generators/api_guard/controllers/templates/authentication_controller.rb index c50e59e..6f2c3cd 100644 --- a/lib/generators/api_guard/controllers/templates/authentication_controller.rb +++ b/lib/generators/api_guard/controllers/templates/authentication_controller.rb @@ -13,7 +13,7 @@ class AuthenticationController < ApiGuard::AuthenticationController # end # def destroy - # blacklist_token + # revoke_token # render_success(message: I18n.t('api_guard.authentication.signed_out')) # end diff --git a/lib/generators/api_guard/controllers/templates/passwords_controller.rb b/lib/generators/api_guard/controllers/templates/passwords_controller.rb index 381c85f..4515114 100644 --- a/lib/generators/api_guard/controllers/templates/passwords_controller.rb +++ b/lib/generators/api_guard/controllers/templates/passwords_controller.rb 
@@ -6,7 +6,7 @@ class PasswordsController < ApiGuard::PasswordsController # invalidate_old_jwt_tokens(current_resource) # # if current_resource.update_attributes(password_params) - # blacklist_token unless ApiGuard.invalidate_old_tokens_on_password_change + # revoke_token unless ApiGuard.invalidate_old_tokens_on_password_change # destroy_all_refresh_tokens(current_resource) # # create_token_and_set_header(current_resource, resource_name) diff --git a/lib/generators/api_guard/controllers/templates/tokens_controller.rb b/lib/generators/api_guard/controllers/templates/tokens_controller.rb index 0e861a0..edc8136 100644 --- a/lib/generators/api_guard/controllers/templates/tokens_controller.rb +++ b/lib/generators/api_guard/controllers/templates/tokens_controller.rb @@ -7,7 +7,7 @@ class TokensController < ApiGuard::TokensController # create_token_and_set_header(current_resource, resource_name) # # @refresh_token.destroy - # blacklist_token if ApiGuard.blacklist_token_after_refreshing + # revoke_token if ApiGuard.revoke_token_after_refreshing # # render_success(message: I18n.t('api_guard.access_token.refreshed')) # end diff --git a/lib/generators/api_guard/initializer/templates/initializer.rb b/lib/generators/api_guard/initializer/templates/initializer.rb index 7fae0ea..fa004f9 100644 --- a/lib/generators/api_guard/initializer/templates/initializer.rb +++ b/lib/generators/api_guard/initializer/templates/initializer.rb @@ -17,7 +17,7 @@ # Default: false # config.invalidate_old_tokens_on_password_change = false - # Blacklist JWT access token after refreshing + # Revoke JWT access token after refreshing # Default: false - # config.blacklist_token_after_refreshing = false + # config.revoke_token_after_refreshing = false end diff --git a/spec/dummy/app/models/admin.rb b/spec/dummy/app/models/admin.rb index 224c133..e9b6792 100644 --- a/spec/dummy/app/models/admin.rb +++ b/spec/dummy/app/models/admin.rb 
@@ -3,7 +3,7 @@ class Admin < ApplicationRecord has_secure_password - api_guard_associations refresh_token: 'refresh_tokens', blacklisted_token: 'blacklisted_tokens' + api_guard_associations refresh_token: 'refresh_tokens', revoked_token: 'revoked_tokens' # == Validations ===================================================================================================== validates :email, presence: true @@ -11,5 +11,5 @@ class Admin < ApplicationRecord # == Relationships =================================================================================================== has_many :refresh_tokens, dependent: :delete_all - has_many :blacklisted_tokens, dependent: :delete_all + has_many :revoked_tokens, dependent: :delete_all end diff --git a/spec/dummy/app/models/blacklisted_token.rb b/spec/dummy/app/models/revoked_token.rb similarity index 71% rename from spec/dummy/app/models/blacklisted_token.rb rename to spec/dummy/app/models/revoked_token.rb index 9d4dd6c..7dfe417 100644 --- a/spec/dummy/app/models/blacklisted_token.rb +++ b/spec/dummy/app/models/revoked_token.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class BlacklistedToken < ApplicationRecord +class RevokedToken < ApplicationRecord belongs_to :user, optional: true belongs_to :admin, optional: true end diff --git a/spec/dummy/app/models/user.rb b/spec/dummy/app/models/user.rb index 56e28ac..675e757 100644 --- a/spec/dummy/app/models/user.rb +++ b/spec/dummy/app/models/user.rb @@ -3,7 +3,7 @@ class User < ApplicationRecord has_secure_password - api_guard_associations refresh_token: 'refresh_tokens', blacklisted_token: 'blacklisted_tokens' + api_guard_associations refresh_token: 'refresh_tokens', revoked_token: 'revoked_tokens' # == Validations ===================================================================================================== validates :email, presence: true 
@@ -11,6 +11,6 @@ class User < ApplicationRecord # == Relationships =================================================================================================== has_many :refresh_tokens, dependent: :delete_all - has_many :blacklisted_tokens, dependent: :delete_all + has_many :revoked_tokens, dependent: :delete_all has_many :posts, dependent: :delete_all end diff --git a/spec/dummy/db/migrate/20181027142552_create_blacklisted_tokens.rb b/spec/dummy/db/migrate/20181027142552_create_revoked_tokens.rb similarity index 67% rename from spec/dummy/db/migrate/20181027142552_create_blacklisted_tokens.rb rename to spec/dummy/db/migrate/20181027142552_create_revoked_tokens.rb index c614830..7f0add1 100644 --- a/spec/dummy/db/migrate/20181027142552_create_blacklisted_tokens.rb +++ b/spec/dummy/db/migrate/20181027142552_create_revoked_tokens.rb @@ -1,8 +1,8 @@ # frozen_string_literal: true -class CreateBlacklistedTokens < ActiveRecord::Migration[5.1] +class CreateRevokedTokens < ActiveRecord::Migration[5.1] def change - create_table :blacklisted_tokens do |t| + create_table :revoked_tokens do |t| t.string :token t.datetime :expire_at t.references :user, foreign_key: true diff --git a/spec/dummy/db/schema.rb b/spec/dummy/db/schema.rb index 04a1b73..6415e87 100644 --- a/spec/dummy/db/schema.rb +++ b/spec/dummy/db/schema.rb @@ -21,15 +21,15 @@ t.boolean "edit_all_posts", default: false end - create_table "blacklisted_tokens", force: :cascade do |t| + create_table "revoked_tokens", force: :cascade do |t| t.string "token" t.datetime "expire_at" t.integer "user_id" t.integer "admin_id" t.datetime "created_at", null: false t.datetime "updated_at", null: false - t.index ["admin_id"], name: "index_blacklisted_tokens_on_admin_id" - t.index ["user_id"], name: "index_blacklisted_tokens_on_user_id" + t.index ["admin_id"], name: "index_revoked_tokens_on_admin_id" + t.index ["user_id"], name: "index_revoked_tokens_on_user_id" end create_table "posts", force: :cascade do |t| 
@@ -60,8 +60,8 @@ t.datetime "token_issued_at" end - add_foreign_key "blacklisted_tokens", "admins" - add_foreign_key "blacklisted_tokens", "users" + add_foreign_key "revoked_tokens", "admins" + add_foreign_key "revoked_tokens", "users" add_foreign_key "posts", "users" add_foreign_key "refresh_tokens", "admins" add_foreign_key "refresh_tokens", "users" diff --git a/spec/dummy/spec/requests/admins/authentication_requests_spec.rb b/spec/dummy/spec/requests/admins/authentication_requests_spec.rb index 3ce1a9f..635cd14 100644 --- a/spec/dummy/spec/requests/admins/authentication_requests_spec.rb +++ b/spec/dummy/spec/requests/admins/authentication_requests_spec.rb @@ -65,13 +65,13 @@ expect(response).to have_http_status(200) end - it 'should blacklist access token from future use' do + it 'should revoke access token from future use' do admin = create(:admin) access_token = jwt_and_refresh_token(admin, 'admin')[0] expect do delete '/admins/sign_out', headers: { 'Authorization': "Bearer #{access_token}" } - end.to change(admin.blacklisted_tokens, :count).by(1) + end.to change(admin.revoked_tokens, :count).by(1) end end end diff --git a/spec/dummy/spec/requests/custom_token_payload_spec.rb b/spec/dummy/spec/requests/custom_token_payload_spec.rb index bcc6809..1e1242d 100644 --- a/spec/dummy/spec/requests/custom_token_payload_spec.rb +++ b/spec/dummy/spec/requests/custom_token_payload_spec.rb @@ -34,11 +34,11 @@ expect(response_errors).to eq('Access token expired') end - it 'should return 401 - blacklisted access token' do + it 'should return 401 - revoked access token' do admin = create(:admin) access_token = jwt_and_refresh_token(admin, 'admin')[0] - admin.blacklisted_tokens.create(token: access_token, expire_at: Time.now.utc) + admin.revoked_tokens.create(token: access_token, expire_at: Time.now.utc) patch '/admins/posts/1', headers: { 'Authorization': "Bearer #{access_token}" } 
diff --git a/spec/dummy/spec/requests/customers/authentication_requests_spec.rb b/spec/dummy/spec/requests/customers/authentication_requests_spec.rb index 90af4ed..040c6f9 100644 --- a/spec/dummy/spec/requests/customers/authentication_requests_spec.rb +++ b/spec/dummy/spec/requests/customers/authentication_requests_spec.rb @@ -66,13 +66,13 @@ expect(response).to have_http_status(200) end - it 'should blacklist access token from future use' do + it 'should revoke access token from future use' do customer = create(:user) access_token = jwt_and_refresh_token(customer, 'user')[0] expect do delete '/customers/sign_out', headers: { 'Authorization': "Bearer #{access_token}" } - end.to change(customer.blacklisted_tokens, :count).by(1) + end.to change(customer.revoked_tokens, :count).by(1) end end end diff --git a/spec/dummy/spec/requests/posts_requests_spec.rb b/spec/dummy/spec/requests/posts_requests_spec.rb index 5688743..0fbd452 100644 --- a/spec/dummy/spec/requests/posts_requests_spec.rb +++ b/spec/dummy/spec/requests/posts_requests_spec.rb @@ -39,11 +39,11 @@ expect(response_errors).to eq('Access token expired') end - it 'should return 401 - blacklisted access token' do + it 'should return 401 - revoked access token' do user = create(:user) access_token = jwt_and_refresh_token(user, 'user')[0] - user.blacklisted_tokens.create(token: access_token, expire_at: Time.now.utc) + user.revoked_tokens.create(token: access_token, expire_at: Time.now.utc) get '/posts', headers: { 'Authorization': "Bearer #{access_token}" } 
@@ -51,11 +51,11 @@ expect(response_errors).to eq('Invalid access token') end - it 'should return 401 - blacklisted access token - admin' do + it 'should return 401 - revoked access token - admin' do admin = create(:admin) access_token = jwt_and_refresh_token(admin, 'admin')[0] - admin.blacklisted_tokens.create(token: access_token, expire_at: Time.now.utc) + admin.revoked_tokens.create(token: access_token, expire_at: Time.now.utc) get '/posts', headers: { 'Authorization': "Bearer #{access_token}" } diff --git a/spec/dummy/spec/requests/users/authentication_requests_spec.rb b/spec/dummy/spec/requests/users/authentication_requests_spec.rb index 207f603..345e9a2 100644 --- a/spec/dummy/spec/requests/users/authentication_requests_spec.rb +++ b/spec/dummy/spec/requests/users/authentication_requests_spec.rb @@ -74,13 +74,13 @@ expect(response).to have_http_status(200) end - it 'should blacklist access token from future use' do + it 'should revoke access token from future use' do user = create(:user) access_token = jwt_and_refresh_token(user, 'user')[0] expect do delete '/users/sign_out', headers: { 'Authorization': "Bearer #{access_token}" } - end.to change(user.blacklisted_tokens, :count).by(1) + end.to change(user.revoked_tokens, :count).by(1) end end end diff --git a/spec/dummy/spec/requests/users/tokens_requests_spec.rb b/spec/dummy/spec/requests/users/tokens_requests_spec.rb index 3f9ef6c..823e121 100644 --- a/spec/dummy/spec/requests/users/tokens_requests_spec.rb +++ b/spec/dummy/spec/requests/users/tokens_requests_spec.rb 
@@ -87,17 +87,17 @@ expect(user.refresh_tokens.find_by(token: refresh_token)).to be_nil end - it 'should blacklist JWT access token after refreshing' do + it 'should revoke JWT access token after refreshing' do user = create(:user) access_token, refresh_token = jwt_and_refresh_token(user, 'user') - ApiGuard.blacklist_token_after_refreshing = true + ApiGuard.revoke_token_after_refreshing = true expect do post '/users/tokens', headers: { 'Authorization': "Bearer #{access_token}", 'Refresh-Token': refresh_token } - end.to change(user.blacklisted_tokens, :count).by(1) + end.to change(user.revoked_tokens, :count).by(1) - ApiGuard.blacklist_token_after_refreshing = false + ApiGuard.revoke_token_after_refreshing = false expect(response).to have_http_status(200) expect(response.headers['Access-Token']).to be_present @@ -105,13 +105,13 @@ expect(response.headers['Refresh-Token']).to be_present end - it 'should not blacklist JWT access token after refreshing' do + it 'should not revoke JWT access token after refreshing' do user = create(:user) access_token, refresh_token = jwt_and_refresh_token(user, 'user') expect do post '/users/tokens', headers: { 'Authorization': "Bearer #{access_token}", 'Refresh-Token': refresh_token } - end.to change(user.blacklisted_tokens, :count).by(0) + end.to change(user.revoked_tokens, :count).by(0) expect(response).to have_http_status(200) expect(response.headers['Access-Token']).to be_present
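Review bot: editing the already-released 0.2.0 entry in CHANGELOG.md hides that this patch is a breaking rename; leave the 0.2.0 text as it shipped and add an entry for the next version that lists what integrators must change: `config.blacklist_token_after_refreshing` becomes `config.revoke_token_after_refreshing`, the `api_guard_associations` keyword `blacklisted_token:` becomes `revoked_token:`, the controller helper `blacklist_token` becomes `revoke_token`, and apps that generated a `BlacklistedToken` model need their own migration to rename the table, since the gem ships no migration for that.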
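Review bot: the sign-out paragraph in README.md should state what happens when revocation is not configured, not only when it is: `destroy` still calls `revoke_token`, which returns early on `return unless token_revocation_enabled?(current_resource)`, and then renders the `signed_out` success message while the access token stays valid until its `exp`. A sentence such as "without token revocation configured, sign out only clears the client; the access token remains usable until it expires" would stop readers treating sign out as a server-side invalidation. Also "sign out an user" should read "sign out a user".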
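Review bot: the documented generator command `rails generate model revoked_token token:string user:references expire_at:datetime` adds no index on `token`, yet `revoked?` runs `exists?(token: @token)` on every authenticated request; the lookup is scoped through the resource association so the `user_id` index narrows it, but as the table grows between cleanup runs a composite index on `[:user_id, :token]` keeps the check cheap. Worth noting in the same README section that `token:string` maps to VARCHAR(255) on MySQL, which a JWT carrying a custom payload can exceed, so `token:text` is the safer column type there.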
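Review bot: in the new `revoke_token.rb`, `revoke_token` and `revoked?` both degrade silently when no model declares a `revoked_token` association (`return unless token_revocation_enabled?(current_resource)` and `return false unless token_revocation_enabled?(resource)`), so a deployment that sets `revoke_token_after_refreshing = true` or relies on sign out but forgot `api_guard_associations revoked_token: ...` gets no revocation and no signal that it is missing. Suggest at least a `Rails.logger.warn` in `revoke_token` when the association is absent, or a boot-time check that raises when `revoke_token_after_refreshing` is true and no resource model has registered a `revoked_token` association. Separately, `create(token: @token, expire_at: ...)` persists the full bearer string; storing `Digest::SHA256.hexdigest(@token)` and looking that digest up in `revoked?` keeps the column at a fixed 64 characters and avoids keeping bearer strings at rest in a table the cleanup job and every DB reader can see.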
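Review bot: the generator template `passwords_controller.rb` still calls `current_resource.update_attributes(password_params)` while the engine's `app/controllers/api_guard/passwords_controller.rb` calls `current_resource.update(password_params)`; `update_attributes` is deprecated in Rails 6.0 and removed in 6.1, so a user who uncomments the template on a current Rails gets `NoMethodError`. Align the template with the engine while this line is being touched. The branch `revoke_token unless ApiGuard.invalidate_old_tokens_on_password_change` also deserves a comment: with the option off, only the access token presented with the password-change request is revoked and `destroy_all_refresh_tokens(current_resource)` removes the refresh tokens, while any other access tokens issued earlier stay valid until their `exp`.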
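Review bot: renaming the keyword in `def api_guard_associations(refresh_token: nil, revoked_token: nil)` makes every existing `api_guard_associations refresh_token: 'refresh_tokens', blacklisted_token: 'blacklisted_tokens'` call raise `ArgumentError: unknown keyword: blacklisted_token` at class load, and `blacklist_token` disappears from controllers in the same release. For one version, accept `blacklisted_token:` as a deprecated keyword that assigns to `:revoked_token` and emits an `ActiveSupport::Deprecation` warning, and add `alias_method :blacklist_token, :revoke_token` in `RevokeToken` with the same warning, so apps can upgrade the gem and rename their code in two steps.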
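Review bot: the example 'should revoke JWT access token after refreshing' in `tokens_requests_spec.rb` sets the global `ApiGuard.revoke_token_after_refreshing = true` and resets it with a plain assignment after the `expect` block; if the expectation fails, the reset never runs and the flag leaks into the next example 'should not revoke JWT access token after refreshing', which then fails for the wrong reason. Wrap the toggle in an `around` hook, or put the reset in an `ensure`, so the configuration is restored regardless of outcome.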