The Hotsock Ruby library provides convenient access to Hotsock message publishing APIs and JWT signing from applications written in Ruby.
You can install the gem with:
gem install hotsock
source "https://rubygems.org"
gem "hotsock"
The library needs to be configured with information specific to your Hotsock installation.
require "hotsock"
# Setup the default configuration
Hotsock.configure do |config|
config.publish_function_arn = "..."
config.aws_region = "us-east-1"
# ... see below for all `configure` options
end
# Publish a message
Hotsock.publish_message(
channel: "user.1",
event: "user.updated",
data: user.attributes
# ... see below for all `publish_message` options
)
# Issue a JWT. `issue_token` takes an options hash of claims that will be
# included in the token payload.
token = Hotsock.issue_token(
channels: {
"user.#{current_user.id}": {
subscribe: true
}
},
exp: Time.now.to_i + 30,
iat: Time.now.to_i,
scope: "connect",
uid: current_user.id.to_s,
umd: current_user.metadata_hash
)
# => "eyJ0eXAiOiJKV1QiLCJraWQiOiI5NTYxNmI3MCIsI..."
For apps that need to use multiple configurations during the lifetime of a process, like when interacting with multiple Hotsock installations, it's also possible to configure any number of publishers or issuers.
require "hotsock"
eastConfig = Hotsock::Config.new
eastConfig.aws_region = "us-east-1"
eastConfig.publish_function_arn = "arn:aws:lambda:us-east-1:111111111111:function:Hotsock-Publishing-J718-PublishFunction-t8ix"
westConfig = Hotsock::Config.new
westConfig.aws_region = "us-west-2"
westConfig.publish_function_arn = "arn:aws:lambda:us-west-2:111111111111:function:Hotsock-Publishing-UUA5-PublishFunction-f5h8"
eastPublisher = Hotsock::Publisher.new(eastConfig)
eastPublisher.publish_message(...)
westPublisher = Hotsock::Publisher.new(westConfig)
westPublisher.publish_message(...)
It's safe (and recommended) to use a single instance of Hotsock::Publisher or Hotsock::Issuer across threads. Do not create a publisher for each message or an issuer for each token. Doing so will cause performance issues when obtaining AWS credentials. It will also slow down token issuing because the private key will need to be loaded for each token.
configureYou typically call configure once when your application is starting up. If using Rails, place your call to configure in an initializer.
require "hotsock"
Hotsock.configure do |config|
# The Amazon Resource Name (Arn) of the Lambda function used to publish
# Hotsock messages. Grab the value from `PublishFunctionArn` in your
# installation's CloudFormation stack output. (required)
config.publish_function_arn = "arn:aws:lambda:us-east-1:111111111111:function:Hotsock-Publishing-J718-PublishFunction-t8ix"
# The AWS region where your Hotsock installation resides. (required)
config.aws_region = "us-east-1"
# If using static IAM user credentials to authorize access to invoke the
# message publishing Lambda function, specify the user's Access Key ID and
# Secret Access Key. (optional)
config.aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
config.aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# If the IAM principal (user or role) that you are authorizing as must assume
# another role to publish messages to the Lambda function, specify the role
# that must be assumed. (optional)
config.aws_assume_role_arn = "arn:aws:iam::111111111111:role/MyRoleToAssume"
# If specifying `aws_assume_role_arn`, you can specify a session name. If
# unspecified and assuming a role, this will be set to
# "hotsock-ruby-#{Hotsock::VERSION}"
# (optional)
config.aws_assume_role_session_name = "my-application-name"
# If required by your administrator when assuming a role, specify an
# External ID. (optional)
config.aws_assume_role_external_id = "6f4c10321f"
# If using this library for signing tokens, this is the private key.
# Committing this key to source control is not recommended. Instead consider
# using environment variables, Rails encrypted credentials, AWS Parameter
# Store, etc. and loading this key from there. For ES256 (ECDSA using P-256
# and SHA-256), this key must be in PEM format. Don't use the key below!
# Generate your own! (optional)
config.issuer_private_key = "-----BEGIN EC PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg72ab3fXPvtD2iIQQ\n/RWiZh8WA6T9u6JNhEuy1DPSFpuhRANCAASmEDhCts7/LkmooXH1tMhyh9Qn94e3\ny3e/UtmnnAYMPwro8iySvqEUrYaDUqQ3iMjYpf+mvxOFmCy97MsBj/pu\n-----END EC PRIVATE KEY-----"
# The algorithm to use when signing with the above key. Defaults to ES256.
# Supports HS256, HS384, HS512, ES256, ES384, ES512, RS256, RS384, RS512.
config.issuer_key_algorithm = "ES256"
# Sets the `kid` JWT header to this value for all issued tokens. (optional)
config.issuer_key_id = "95616b70"
# Sets the default value of the `aud` JWT payload claim to this value for
# issued tokens. Override by setting `aud` in the claims hash passed to
# `issue_token`. Ensure this matches the required audience claim required by
# your Hotsock installation configuration. (optional)
config.issuer_aud_claim = "hotsock"
# Sets the default value of the `iat` JWT payload claim to the timestamp when
# the token is generated. Override by setting `iat` in the claims hash passed
# to `issue_token`. (optional, false by default)
config.issuer_iat_claim = true
# Sets the default value of the `iss` JWT payload claim to this value for
# issued tokens. Override by setting `iss` in the claims hash passed to
# `issue_token`. (optional)
config.issuer_iss_claim = "my-application-name"
# Sets the default value of the `jti` JWT payload claim to a unique ID (UUID)
# when the token is generated. Override by setting `jti` in the claims hash
# passed to `issue_token`. (optional, false by default)
config.issuer_jti_claim = true
# Sets the default value of the `exp` JWT payload claim to this many seconds
# from the time that the token was issued. Override by setting `exp` in the
# claims hash passed to `issue_token`. (optional)
config.issuer_token_ttl = 10
end
Hotsock.publish_message or Hotsock::Publisher#publish_messageThe publish_message method directly invokes the AWS Lambda function specified in config.publish_function_arn. Supported attributes are documented here.
publish_message returns the raw Aws::Lambda::Types::InvocationResponse struct. The reason for this is because the actual response body is rarely needed - parsing the JSON and returning another object for each message would consume unnecessary cycles in the majority of cases.
A case where you may want the response is when eager_id_generation is true. In this case you can access the payload like the following. This can obviously be shortened in a real application, but is illustrated in multiple steps here to clarify how it works.
lambda_response = Hotsock.publish_message(channel: "mychannel", event: "myevent", eager_id_generation: true)
# => #<struct Aws::Lambda::Types::InvocationResponse
# status_code=200,
# function_error=nil,
# log_result=nil,
# payload=#<StringIO:0x000000010af76290>,
# executed_version="$LATEST">
hotsock_response = lambda_response.payload.read
# => "{\"id\":\"01HBM6KJCPNZK11H79ZSHGAEE9\",\"channel\":\"mychannel\",\"event\":\"myevent\"}"
message_id = JSON.load(response)["id"]
# => "01HBM6KJCPNZK11H79ZSHGAEE9"
Hotsock.issue_token or Hotsock::Issuer#issue_tokenThe issue_token method locally signs and returns a JSON Web Token (JWT) using the key specified in config.issuer_private_key. It takes a single argument with a Hash of payload claims. This can be used to issue a JWT for anything, but provides some configuration options with Hotsock in mind. Hotsock-supported token claims are documented here.
At a minimum, Hotsock requires an exp claim to produce a valid token. Here's an example issuing a token that is valid for 30 seconds. You'll likely want additional claims.
Hotsock.issue_token(exp: Time.now.to_i + 30, scope: "connect")
# => "eyJ0eXAiOiJKV1QiLCJraWQiOiI5NTYxNmI3MCIsImFsZyI6IkhTMjU2In0.eyJleHAiOjE2OTYxMTcwNTIsInNjb3BlIjoiY29ubmVjdCJ9.CRam2nIGu55tIGRdXmU2rBpg2IVWzrBRmroSVquhg5I"
This translates to the following decoded token.
{
"typ": "JWT",
"kid": "95616b70",
"alg": "ES256"
}
{
"exp": 1696117052,
"scope": "connect"
}
If your application is running on EC2, ECS, Lambda, or another service that provides a built-in role (recommended), there is no need to specify credentials when calling Hotsock.configure. They will be loaded and refreshed automatically from the instance, task, or function role.
Regardless of the AWS principal type, this role or user must be granted lambda:InvokeFunction permission to publish messages to the Hotsock publisher Lambda function. The policy might look something like this (replace the example function Arn with your PublishFunctionArn) and attach the policy to your role or user:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["lambda:InvokeFunction"],
"Effect": "Allow",
"Resource": [
"arn:aws:lambda:us-east-1:111111111111:function:Hotsock-Publishing-J718-PublishFunction-t8ix"
]
}
]
}
See LICENSE.
FAQs
Unknown package
We found that hotsock demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.