ey-hmac 2.0.2 → 2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 8fb0c319d78d62b3a2c0dc9f006a806612790afd
-  data.tar.gz: 394cb290db9772f2846b2643987d1651f20848de
+SHA256:
+  metadata.gz: '0395ec2d5516cbf5d39c1490f0f84c9674da117158e4af1de439b98e3a60b03e'
+  data.tar.gz: d58723b34816d4555610989bfe9e6e0a93f75e735b82ca0853966cc9e0b171fc
 SHA512:
-  metadata.gz: f2a86f65cdfafb683257853c022cfdbfed5aaadd82eb7a602fcc629916553b5db98a2c6a28a85ac06068df176e88ed37fe5e8a0e12fe48bf88e465c1905cfd00
-  data.tar.gz: 565198e1eb37c1695a9b776d88aa9193d24b64a7b7725bb1310a85db2f8c88196a4bc5d84fc2d90d524a04950d2b4461039ba26f9c5b1e6f02ea23827499444d
+  metadata.gz: eae3a563262f394b556c11833269dc222018d54218378911cc6009dc185790cbc658ceb7350be3a89e667e580e28c3b6a0838393768bf5db9d576e55da5103ce
+  data.tar.gz: 2a720b806b64471333982dd534687f242f306d3276f653317e049a778b0e1a8830b0f37aabca8f0c260244c52bea6c2354e60ddb1279973404125dae93466d7a

data/.github/workflows/codeql-analysis.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '36 16 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'ruby' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

data/.github/workflows/ruby.yml

@@ -0,0 +1,37 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will download a prebuilt Ruby version, install dependencies and run tests with Rake
+# For more information see: https://github.com/marketplace/actions/setup-ruby-jruby-and-truffleruby
+
+name: Ruby
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.5', '2.6', '2.7', '3.0']
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+    # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
+    # change this to (see https://github.com/ruby/setup-ruby#versioning):
+    # uses: ruby/setup-ruby@v1
+      uses: ruby/setup-ruby@473e4d8fe5dd94ee328fdfca9f8c9c7afc9dae5e
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+    - name: Lint
+      run: bundle exec rubocop -D
+    - name: Run tests
+      run: bundle exec rspec

data/.rubocop.yml

@@ -0,0 +1,29 @@
+inherit_from: .rubocop_todo.yml
+
+# The behavior of RuboCop can be controlled via the .rubocop.yml
+# configuration file. It makes it possible to enable/disable
+# certain cops (checks) and to alter their behavior if they accept
+# any parameters. The file can be placed either in your home
+# directory or in some project directory.
+#
+# RuboCop will start looking for the configuration file in the directory
+# where the inspected file is and continue its way up to the root directory.
+#
+# See https://docs.rubocop.org/rubocop/configuration
+AllCops:
+  SuggestExtensions: false
+  NewCops: 'disable'
+require:
+  - rubocop-rspec
+Metrics/BlockLength:
+  Enabled: false
+Metrics/AbcSize:
+  Enabled: false
+Style/ClassAndModuleChildren:
+  EnforcedStyle: compact
+Metrics/MethodLength:
+  Enabled: false
+RSpec/ExampleLength:
+  Enabled: false
+RSpec/MultipleExpectations:
+  Enabled: false

data/.rubocop_todo.yml

@@ -0,0 +1,82 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config --auto-gen-only-exclude`
+# on 2022-02-08 03:20:19 UTC using RuboCop version 1.25.1.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Configuration parameters: Include.
+# Include: **/*.gemspec
+Gemspec/RequiredRubyVersion:
+  Exclude:
+    - 'ey-hmac.gemspec'
+
+# Offense count: 1
+# Configuration parameters: ExpectMatchingDefinition, CheckDefinitionPathHierarchy, CheckDefinitionPathHierarchyRoots, Regex, IgnoreExecutableScripts, AllowedAcronyms.
+# CheckDefinitionPathHierarchyRoots: lib, spec, test, src
+# AllowedAcronyms: CLI, DSL, ACL, API, ASCII, CPU, CSS, DNS, EOF, GUID, HTML, HTTP, HTTPS, ID, IP, JSON, LHS, QPS, RAM, RHS, RPC, SLA, SMTP, SQL, SSH, TCP, TLS, TTL, UDP, UI, UID, UUID, URI, URL, UTF8, VM, XML, XMPP, XSRF, XSS
+Naming/FileName:
+  Exclude:
+    - 'lib/ey-hmac.rb'
+
+# Offense count: 2
+# Configuration parameters: MinNameLength, AllowNamesEndingInNumbers, AllowedNames, ForbiddenNames.
+# AllowedNames: at, by, db, id, in, io, ip, of, on, os, pp, to
+Naming/MethodParameterName:
+  Exclude:
+    - 'lib/ey-hmac/adapter.rb'
+
+# Offense count: 2
+RSpec/BeforeAfterAll:
+  Exclude:
+    - 'spec/spec_helper.rb'
+    - 'spec/rails_helper.rb'
+    - 'spec/support/**/*.rb'
+    - 'spec/faraday_spec.rb'
+    - 'spec/rack_spec.rb'
+
+# Offense count: 2
+# Configuration parameters: IgnoredMetadata.
+RSpec/DescribeClass:
+  Exclude:
+    - '**/spec/features/**/*'
+    - '**/spec/requests/**/*'
+    - '**/spec/routing/**/*'
+    - '**/spec/system/**/*'
+    - '**/spec/views/**/*'
+    - 'spec/faraday_spec.rb'
+    - 'spec/rack_spec.rb'
+
+# Offense count: 1
+RSpec/LetSetup:
+  Exclude:
+    - 'spec/faraday_spec.rb'
+
+# Offense count: 4
+# Configuration parameters: AllowedConstants.
+Style/Documentation:
+  Exclude:
+    - 'spec/**/*'
+    - 'test/**/*'
+    - 'lib/ey-hmac.rb'
+    - 'lib/ey-hmac/adapter/faraday.rb'
+    - 'lib/ey-hmac/adapter/rack.rb'
+    - 'lib/ey-hmac/faraday.rb'
+
+# Offense count: 3
+# Configuration parameters: MinBodyLength.
+Style/GuardClause:
+  Exclude:
+    - 'lib/ey-hmac/adapter.rb'
+    - 'lib/ey-hmac/adapter/faraday.rb'
+    - 'lib/ey-hmac/adapter/rack.rb'
+
+# Offense count: 2
+# Cop supports --auto-correct.
+# Configuration parameters: Max, AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns.
+# URISchemes: http, https
+Layout/LineLength:
+  Exclude:
+    - 'lib/ey-hmac/adapter.rb'

data/CHANGELOG.md

@@ -0,0 +1,68 @@
+# Change Log
+
+## [v2.2.0](https://github.com/engineyard/hmac/tree/v2.2.0) (2017-01-09)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v2.1.0...v2.2.0)
+
+**Closed issues:**
+
+- :sha512 and :sha384 [\#4](https://github.com/engineyard/hmac/issues/4)
+
+**Merged pull requests:**
+
+- use Base64\#strict\_encode64 when signing requests [\#5](https://github.com/engineyard/hmac/pull/5) ([lanej](https://github.com/lanej))
+
+## [v2.1.0](https://github.com/engineyard/hmac/tree/v2.1.0) (2015-12-03)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v2.0.2...v2.1.0)
+
+**Merged pull requests:**
+
+- add optional server-side HMAC TTL to prevent replay attacks [\#3](https://github.com/engineyard/hmac/pull/3) ([hudon](https://github.com/hudon))
+
+## [v2.0.2](https://github.com/engineyard/hmac/tree/v2.0.2) (2015-09-17)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v2.0.1...v2.0.2)
+
+## [v2.0.1](https://github.com/engineyard/hmac/tree/v2.0.1) (2015-09-17)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v2.0.0...v2.0.1)
+
+**Merged pull requests:**
+
+- update faraday usage in the readme [\#2](https://github.com/engineyard/hmac/pull/2) ([svarks](https://github.com/svarks))
+
+## [v2.0.0](https://github.com/engineyard/hmac/tree/v2.0.0) (2014-08-09)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v1.0.0...v2.0.0)
+
+## [v1.0.0](https://github.com/engineyard/hmac/tree/v1.0.0) (2014-04-29)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v0.1.3...v1.0.0)
+
+## [v0.1.3](https://github.com/engineyard/hmac/tree/v0.1.3) (2014-04-29)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v0.1.2...v0.1.3)
+
+## [v0.1.2](https://github.com/engineyard/hmac/tree/v0.1.2) (2014-04-01)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v0.1.1...v0.1.2)
+
+**Merged pull requests:**
+
+- Fix deprecated usage of Digest::Digest. [\#1](https://github.com/engineyard/hmac/pull/1) ([ericlathrop](https://github.com/ericlathrop))
+
+## [v0.1.1](https://github.com/engineyard/hmac/tree/v0.1.1) (2014-02-19)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v0.1.0...v0.1.1)
+
+## [v0.1.0](https://github.com/engineyard/hmac/tree/v0.1.0) (2014-02-18)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v0.0.5...v0.1.0)
+
+## [v0.0.5](https://github.com/engineyard/hmac/tree/v0.0.5) (2013-10-18)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v0.0.4...v0.0.5)
+
+## [v0.0.4](https://github.com/engineyard/hmac/tree/v0.0.4) (2013-02-08)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v0.0.3...v0.0.4)
+
+## [v0.0.3](https://github.com/engineyard/hmac/tree/v0.0.3) (2013-02-06)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v0.0.2...v0.0.3)
+
+## [v0.0.2](https://github.com/engineyard/hmac/tree/v0.0.2) (2013-02-05)
+[Full Changelog](https://github.com/engineyard/hmac/compare/v0.0.1...v0.0.2)
+
+## [v0.0.1](https://github.com/engineyard/hmac/tree/v0.0.1) (2013-02-05)
+
+
+\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*

data/Gemfile

@@ -1,8 +1,13 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 # Specify your gem's dependencies in ey-hmac.gemspec
 gemspec
 
+gem 'rubocop', require: false
+gem 'rubocop-rspec', require: false
+
 group(:test) do
   gem 'pry-nav'
   gem 'rspec', '~> 3.3'
@@ -10,11 +15,11 @@ end
 
 group(:rack) do
   gem 'rack'
-  gem 'rack-test'
   gem 'rack-client'
+  gem 'rack-test'
 end
 
 group(:faraday) do
-  gem 'faraday', '~> 0.9'
+  gem 'faraday', '>= 1.3'
   gem 'faraday_middleware'
 end

data/Rakefile

@@ -1 +1,3 @@
-require "bundler/gem_tasks"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'

data/ey-hmac.gemspec

@@ -1,21 +1,25 @@
-# -*- encoding: utf-8 -*-
-require File.expand_path('../lib/ey-hmac/version', __FILE__)
+# frozen_string_literal: true
+
+require 'English'
+require File.expand_path('lib/ey-hmac/version', __dir__)
 
 Gem::Specification.new do |gem|
-  gem.name          = "ey-hmac"
+  gem.name          = 'ey-hmac'
   gem.version       = Ey::Hmac::VERSION
-  gem.authors       = ["Josh Lane & Jason Hansen"]
-  gem.email         = ["jlane@engineyard.com"]
-  gem.description   = %q{Lightweight HMAC signing libraries and middleware for Farday and Rack}
-  gem.summary       = %q{Lightweight HMAC signing libraries and middleware for Farday and Rack}
-  gem.homepage      = ""
+  gem.authors       = ['Josh Lane']
+  gem.email         = ['me@joshualane.com']
+  gem.description   = 'Lightweight HMAC signing libraries and middleware for Farday and Rack'
+  gem.summary       = 'Lightweight HMAC signing libraries and middleware for Farday and Rack'
+  gem.homepage      = ''
 
-  gem.files         = `git ls-files`.split($/)
-  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split($INPUT_RECORD_SEPARATOR)
+  gem.executables   = gem.files.grep(%r{^bin/}).map { |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
-  gem.require_paths = ["lib"]
-  gem.license       = "MIT"
+  gem.require_paths = ['lib']
+  gem.license       = 'MIT'
+
+  gem.required_ruby_version = '>= 2.5'
 
-  gem.add_development_dependency "rake"
-  gem.add_development_dependency "bundler", "~> 1.3"
+  gem.add_development_dependency 'bundler', '~> 2.3'
+  gem.add_development_dependency 'rake'
 end

data/lib/ey-hmac/adapter/faraday.rb

@@ -1,36 +1,47 @@
+# frozen_string_literal: true
+
 class Ey::Hmac::Adapter::Faraday < Ey::Hmac::Adapter
   def method
     request[:method].to_s.upcase
   end
 
   def content_type
-    %w[CONTENT-TYPE CONTENT_TYPE Content-Type Content_Type].inject(nil) { |r,h| r || request[:request_headers][h] }
+    @content_type ||= find_header(
+      'CONTENT-TYPE', 'CONTENT_TYPE', 'Content-Type', 'Content_Type'
+    )
   end
 
   def content_digest
-    if existing = %w[CONTENT-DIGEST CONTENT_DIGEST Content-Digest Content_Digest].inject(nil) { |r,h| r || request[:request_headers][h] }
-      existing
-    elsif body
-      digestable = if body.respond_to?(:rewind)
-                     body.rewind
-                     body.read.tap { |_| body.rewind }
-                   else
-                     body.to_s
-                   end
-
-      request[:request_headers]['Content-Digest'] = Digest::MD5.hexdigest(digestable)
+    @content_digest ||= find_header(
+      'CONTENT-DIGEST', 'CONTENT_DIGEST', 'Content-Digest', 'Content_Digest'
+    )
+  end
+
+  def set_content_digest
+    return if content_digest
+
+    digestable = if body.respond_to?(:rewind)
+                   body.rewind
+                   body.read.tap { |_| body.rewind }
+                 else
+                   body.to_s
+                 end
+
+    if digestable && digestable != ''
+      @content_digest = request[:request_headers]['Content-Digest'] = Digest::MD5.hexdigest(digestable)
     end
   end
 
   def body
-    if request[:body] && request[:body].to_s != ""
-      request[:body]
-    end
+    request[:body] if request[:body] && request[:body].to_s != ''
   end
 
   def date
-    existing = %w[DATE Date].inject(nil) { |r,h| r || request[h] }
-    existing || (request[:request_headers]['Date'] = Time.now.httpdate)
+    find_header('DATE', 'Date')
+  end
+
+  def set_date
+    request[:request_headers]['Date'] = Time.now.httpdate unless date
   end
 
   def path
@@ -38,16 +49,23 @@ class Ey::Hmac::Adapter::Faraday < Ey::Hmac::Adapter
   end
 
   def sign!(key_id, key_secret)
-    %w[CONTENT-TYPE CONTENT_TYPE Content-Type Content_Type].inject(nil) { |r,h| request[:request_headers][h] }
+    set_content_digest
+    set_date
 
-    if options[:version]
-      request[:request_headers]['X-Signature-Version'] = options[:version]
-    end
+    request[:request_headers]['X-Signature-Version'] = options[:version] if options[:version]
 
     request[:request_headers][authorization_header] = authorization(key_id, key_secret)
   end
 
   def authorization_signature
-    %w[Authorization AUTHORIZATION].inject(nil){|r, h| r || request[:request_headers][h]}
+    find_header('Authorization', 'AUTHORIZATION')
+  end
+
+  private
+
+  def find_header(*keys)
+    value = nil
+    keys.find { |k| value = request[:request_headers][k] }
+    value
   end
 end

data/lib/ey-hmac/adapter/rack.rb

@@ -1,12 +1,11 @@
+# frozen_string_literal: true
+
 require 'rack'
 
 class Ey::Hmac::Adapter::Rack < Ey::Hmac::Adapter
   def initialize(request, options)
     super
-    @request = if request.is_a?(Hash)
-                 ::Rack::Request.new(request)
-               else request
-               end
+    @request = request.is_a?(Hash) ? ::Rack::Request.new(request) : request
   end
 
   def method
@@ -18,25 +17,28 @@ class Ey::Hmac::Adapter::Rack < Ey::Hmac::Adapter
   end
 
   def content_digest
-    if existing = request.env['HTTP_CONTENT_DIGEST']
-      existing
-    elsif digest = body && Digest::MD5.hexdigest(body)
-      request.env['HTTP_CONTENT_DIGEST'] = digest
-    end
+    request.env['HTTP_CONTENT_DIGEST']
+  end
+
+  def set_content_digest
+    request.env['HTTP_CONTENT_DIGEST'] = Digest::MD5.hexdigest(body) if body
   end
 
   def body
-    if request.env["rack.input"]
-      request.env["rack.input"].rewind
-      body = request.env["rack.input"].read
-      request.env["rack.input"].rewind
-      body == "" ? nil : body
-    else nil
+    if request.env['rack.input']
+      request.env['rack.input'].rewind
+      body = request.env['rack.input'].read
+      request.env['rack.input'].rewind
+      body == '' ? nil : body
     end
   end
 
   def date
-    request.env['HTTP_DATE'] ||= Time.now.httpdate
+    request.env['HTTP_DATE']
+  end
+
+  def set_date
+    request.env['HTTP_DATE'] = Time.now.httpdate
   end
 
   def path
@@ -44,9 +46,10 @@ class Ey::Hmac::Adapter::Rack < Ey::Hmac::Adapter
   end
 
   def sign!(key_id, key_secret)
-    if options[:version]
-      request.env['HTTP_X_SIGNATURE_VERSION'] = options[:version]
-    end
+    set_date
+    set_content_digest
+
+    request.env['HTTP_X_SIGNATURE_VERSION'] = options[:version] if options[:version]
 
     request.env["HTTP_#{authorization_header.to_s.upcase}"] = authorization(key_id, key_secret)
   end

data/lib/ey-hmac/adapter.rb

@@ -1,22 +1,27 @@
+# frozen_string_literal: true
+
 # This class is responsible for forming the canonical string to used to sign requests
 # @abstract override methods {#method}, {#path}, {#body}, {#content_type} and {#content_digest}
 class Ey::Hmac::Adapter
-  AUTHORIZATION_REGEXP = /\w+ ([^:]+):(.+)$/
+  AUTHORIZATION_REGEXP = /\w+ ([^:]+):(.+)$/.freeze
 
-  autoload :Rack, "ey-hmac/adapter/rack"
-  autoload :Faraday, "ey-hmac/adapter/faraday"
+  autoload :Rack, 'ey-hmac/adapter/rack'
+  autoload :Faraday, 'ey-hmac/adapter/faraday'
 
   attr_reader :request, :options, :authorization_header, :service, :sign_with, :accept_digests
 
   # @param [Object] request signer-specific request implementation
   # @option options [Integer] :version signature version
+  # @option options [Integer] :ttl (nil) duration during which HMAC is valid after signed date
   # @option options [String] :authorization_header ('Authorization') Authorization header key.
   # @option options [String] :server ('EyHmac') service name prefixed to {#authorization}. set to {#service}
   # @option options [Symbol] :sign_with (:sha_256) outgoing signature digest algorithm. See {OpenSSL::Digest#new}
   # @option options [Array] :accepted_digests ([:sha_256]) accepted incoming signature digest algorithm. See {OpenSSL::Digest#new}
-  def initialize(request, options={})
-    @request, @options = request, options
+  def initialize(request, options = {})
+    @request = request
+    @options = options
 
+    @ttl                  = options[:ttl]
     @authorization_header = options[:authorization_header] || 'Authorization'
     @service              = options[:service] || 'EyHmac'
     @sign_with            = options[:sign_with] || :sha256
@@ -34,8 +39,12 @@ class Ey::Hmac::Adapter
   # @param [String] key_secret private HMAC key
   # @param [String] signature digest hash function. Defaults to #sign_with
   # @return [String] HMAC signature of {#request}
-  def signature(key_secret, digest = self.sign_with)
-    Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new(digest.to_s), key_secret, canonicalize)).strip
+  def signature(key_secret, digest = sign_with)
+    Base64.strict_encode64(
+      OpenSSL::HMAC.digest(
+        OpenSSL::Digest.new(digest.to_s), key_secret, canonicalize
+      )
+    ).strip
   end
 
   # @param [String] key_id public HMAC key
@@ -102,7 +111,7 @@ class Ey::Hmac::Adapter
   # @yieldparam key_id [String] public HMAC key
   # @return [Boolean] true if block yields matching private key and signature matches, else false
   # @see #authenticated!
-  def authenticated?(options={}, &block)
+  def authenticated?(_options = {}, &block)
     authenticated!(&block)
   rescue Ey::Hmac::Error
     false
@@ -110,35 +119,60 @@ class Ey::Hmac::Adapter
 
   # @see Ey::Hmac#authenticate!
   def authenticated!(&block)
-    unless authorization_match = AUTHORIZATION_REGEXP.match(authorization_signature)
-      raise(Ey::Hmac::MissingAuthorization, "Failed to parse authorization_signature #{authorization_signature}")
+    key_id, signature_value = check_signature!
+    key_secret = block.call(key_id)
+
+    unless key_secret
+      raise Ey::Hmac::MissingSecret,
+            "Failed to find secret matching #{key_id.inspect}"
     end
 
-    key_id          = authorization_match[1]
-    signature_value = authorization_match[2]
+    check_ttl!
 
-    unless key_secret = block.call(key_id)
-      raise(Ey::Hmac::MissingSecret, "Failed to find secret matching #{key_id.inspect}")
-    end
+    calculated_signatures = accept_digests.map { |ad| signature(key_secret, ad) }
+    matching_signature = calculated_signatures.any? { |cs| secure_compare(signature_value, cs) }
 
-    calculated_signatures = self.accept_digests.map { |ad| signature(key_secret, ad) }
+    raise Ey::Hmac::SignatureMismatch unless matching_signature
 
-    unless calculated_signatures.any? { |cs| secure_compare(signature_value, cs) }
-      raise(Ey::Hmac::SignatureMismatch, "Calculated signature #{signature_value} does not match #{calculated_signatures.inspect} using #{canonicalize.inspect}")
-    end
     true
   end
   alias authenticate! authenticated!
 
+  protected
+
   # Constant time string comparison.
   # pulled from https://github.com/rack/rack/blob/master/lib/rack/utils.rb#L399
   def secure_compare(a, b)
     return false unless a.bytesize == b.bytesize
 
-    l = a.unpack("C*")
+    l = a.unpack('C*')
+
+    r = 0
+    i = -1
+    b.each_byte { |v| r |= v ^ l[i += 1] }
+    r.zero?
+  end
+
+  def check_ttl!
+    if @ttl && date
+      expiry       = Time.parse(date).to_i + @ttl
+      current_time = Time.now.to_i
+
+      unless expiry > current_time
+        raise Ey::Hmac::ExpiredHmac,
+              "Signature has expired passed #{expiry}. Current time is #{current_time}"
+      end
+    end
+  end
+
+  def check_signature!
+    authorization_match = AUTHORIZATION_REGEXP.match(authorization_signature)
+
+    unless authorization_match
+      raise Ey::Hmac::MissingAuthorization,
+            "Failed to parse authorization_signature #{authorization_signature}"
+    end
 
-    r, i = 0, -1
-    b.each_byte { |v| r |= v ^ l[i+=1] }
-    r == 0
+    [authorization_match[1], authorization_match[2]]
   end
 end