firejwt 0.3.2 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e2ba30384baf7a421ad475e635a354097b6d3f7fa9fbb19551d8d8686bc06c5a
-  data.tar.gz: ef29232ef99cfd4076e2b99826c350c62b06332d21eca83fd72ed60069b6413e
+  metadata.gz: ab69a025ab89bc78cc7100320e86215b969e65b861321e8166ff0facf2aca0c7
+  data.tar.gz: 566c9ec8876efdde35f727a61c2b6ffc87203c241bd287ee5dbea302f35a5d5b
 SHA512:
-  metadata.gz: c20c9c61e6e70edfddc428c155f2f14c1810cf3460cba4f90735d7aa09be68c44528ba737ae6038748259dcbc3763366256445e96c9047fe91271babff593196
-  data.tar.gz: 4415e3995f78726cd1ab25920a83dc3468daadc111bd91dec87513374c8013b56d2cce074e66a6f2ab2fdd1856193406b29434e1aa13dc8aa802aba3b7e81637
+  metadata.gz: 254b2653d48d41c64b4837e044a19f2412ffd93a019417c1ddf050b715643c0502b93a11439cefde9e13f9ab7416eb5b059f57a4ca9b8b080ad4ad4e7780be74
+  data.tar.gz: 44eb4c65193a62c0a3ae38d2c80898c623168f267caa74080260a9c37c59148a9918ec9e02371e6bb03358705873d5b8314f993cc2707692e5938a4de559f6bd

data/.github/workflows/test.yml

@@ -7,11 +7,20 @@ on:
     branches:
       - main
 jobs:
+  golint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Run lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: latest
   go:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [1.15.x, 1.16.x]
+        go-version: [1.18.x, 1.17.x]
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -32,7 +41,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ["2.5", "2.6", "2.7", "3.0"]
+        ruby-version: ["2.7", "3.0", "3.1"]
     steps:
       - uses: actions/checkout@v2
       - uses: ruby/setup-ruby@v1

data/.rubocop.yml

@@ -6,7 +6,7 @@ inherit_mode:
     - Exclude
 
 AllCops:
-  TargetRubyVersion: "2.5"
+  TargetRubyVersion: "2.7"
 
 RSpec/FilePath:
   Enabled: false

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    firejwt (0.3.2)
+    firejwt (0.5.0)
       jwt
 
 GEM
@@ -12,58 +12,57 @@ GEM
     ast (2.4.2)
     crack (0.4.5)
       rexml
-    diff-lcs (1.4.4)
+    diff-lcs (1.5.0)
     hashdiff (1.0.1)
-    jwt (2.2.3)
-    parallel (1.20.1)
-    parser (3.0.2.0)
+    jwt (2.3.0)
+    parallel (1.21.0)
+    parser (3.1.1.0)
       ast (~> 2.4.1)
     public_suffix (4.0.6)
-    rainbow (3.0.0)
+    rainbow (3.1.1)
     rake (13.0.6)
-    regexp_parser (2.1.1)
+    regexp_parser (2.2.1)
     rexml (3.2.5)
-    rspec (3.10.0)
-      rspec-core (~> 3.10.0)
-      rspec-expectations (~> 3.10.0)
-      rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.1)
-      rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.1)
+    rspec (3.11.0)
+      rspec-core (~> 3.11.0)
+      rspec-expectations (~> 3.11.0)
+      rspec-mocks (~> 3.11.0)
+    rspec-core (3.11.0)
+      rspec-support (~> 3.11.0)
+    rspec-expectations (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.2)
+      rspec-support (~> 3.11.0)
+    rspec-mocks (3.11.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.10.0)
-    rspec-support (3.10.2)
-    rubocop (1.18.4)
+      rspec-support (~> 3.11.0)
+    rspec-support (3.11.0)
+    rubocop (1.26.0)
       parallel (~> 1.10)
-      parser (>= 3.0.0.0)
+      parser (>= 3.1.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml
-      rubocop-ast (>= 1.8.0, < 2.0)
+      rubocop-ast (>= 1.16.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.8.0)
-      parser (>= 3.0.1.1)
+    rubocop-ast (1.16.0)
+      parser (>= 3.1.1.0)
     rubocop-bsm (0.6.0)
       rubocop (~> 1.0)
       rubocop-performance
       rubocop-rake
       rubocop-rspec
-    rubocop-performance (1.11.4)
+    rubocop-performance (1.13.3)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
     rubocop-rake (0.6.0)
       rubocop (~> 1.0)
-    rubocop-rspec (2.4.0)
-      rubocop (~> 1.0)
-      rubocop-ast (>= 1.1.0)
+    rubocop-rspec (2.9.0)
+      rubocop (~> 1.19)
     ruby-progressbar (1.11.0)
-    unicode-display_width (2.0.0)
-    webmock (3.13.0)
-      addressable (>= 2.3.6)
+    unicode-display_width (2.1.0)
+    webmock (3.14.0)
+      addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
 
@@ -78,4 +77,4 @@ DEPENDENCIES
   webmock
 
 BUNDLED WITH
-   2.2.21
+   2.3.6

data/firejwt.gemspec

@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name          = 'firejwt'
-  s.version       = '0.3.2'
+  s.version       = '0.5.0'
   s.authors       = ['Black Square Media Ltd']
   s.email         = ['info@blacksquaremedia.com']
   s.summary       = %(Firebase JWT validation)
@@ -11,11 +11,14 @@ Gem::Specification.new do |s|
   s.files         = `git ls-files -z`.split("\x0").reject {|f| f.match(%r{^spec/}) }
   s.test_files    = `git ls-files -z -- spec/*`.split("\x0")
   s.require_paths = ['lib']
-  s.required_ruby_version = '>= 2.5'
+  s.required_ruby_version = '>= 2.7'
 
   s.add_dependency 'jwt'
   s.add_development_dependency 'rake'
   s.add_development_dependency 'rspec'
   s.add_development_dependency 'rubocop-bsm'
   s.add_development_dependency 'webmock'
+  s.metadata = {
+    'rubygems_mfa_required' => 'true',
+  }
 end

data/firejwt.go

@@ -13,9 +13,13 @@ import (
 	"sync/atomic"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 )
 
+func init() {
+	jwt.MarshalSingleStringAsArray = false
+}
+
 const defaultURL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
 
 // Validator validates Firebase JWTs
@@ -99,11 +103,9 @@ func (v *Validator) Refresh() error {
 }
 
 var (
-	errKIDMissing   = errors.New("missing kid header")
-	errExpired      = errors.New("token has expired")
-	errIssuedFuture = errors.New("issued in the future")
-	errNoSubject    = errors.New("subject is missing")
-	errAuthFuture   = errors.New("auth-time in the future")
+	errKIDMissing   = errors.New("token is missing kid header")
+	errNoSubject    = errors.New("token has no subject")
+	errAuthFuture   = errors.New("token auth_time not valid")
 	errTokenInvalid = errors.New("token is invalid")
 )
 
@@ -118,22 +120,10 @@ func (v *Validator) verify(token *jwt.Token) (interface{}, error) {
 		return nil, fmt.Errorf("invalid kid header %q", kid)
 	}
 
-	now := time.Now().Unix()
 	claims := token.Claims.(*Claims)
-	if claims.Audience != v.audience {
-		return nil, fmt.Errorf("invalid audience claim %q", claims.Audience)
-	} else if claims.Issuer != v.issuer {
-		return nil, fmt.Errorf("invalid issuer claim %q", claims.Issuer)
-	} else if claims.Subject == "" {
-		return nil, errNoSubject
-	} else if claims.ExpiresAt <= now {
-		return nil, errExpired
-	} else if claims.IssuedAt > now {
-		return nil, errIssuedFuture
-	} else if claims.AuthAt > now {
-		return nil, errAuthFuture
+	if err := claims.validate(time.Now(), v.audience, v.issuer); err != nil {
+		return nil, err
 	}
-
 	return key.PublicKey, nil
 }
 
@@ -188,19 +178,34 @@ func (k *publicKey) UnmarshalText(data []byte) error {
 
 // Claims are included in the token.
 type Claims struct {
-	Subject   string `json:"sub,omitempty"`
-	Audience  string `json:"aud,omitempty"`
-	Issuer    string `json:"iss,omitempty"`
-	IssuedAt  int64  `json:"iat,omitempty"`
-	ExpiresAt int64  `json:"exp,omitempty"`
-
-	Name          string         `json:"name,omitempty"`
-	Picture       string         `json:"picture,omitempty"`
-	UserID        string         `json:"user_id,omitempty"`
-	AuthAt        int64          `json:"auth_time,omitempty"`
-	Email         string         `json:"email,omitempty"`
-	EmailVerified bool           `json:"email_verified"`
-	Firebase      *FirebaseClaim `json:"firebase,omitempty"`
+	Name          string           `json:"name,omitempty"`
+	Picture       string           `json:"picture,omitempty"`
+	UserID        string           `json:"user_id,omitempty"`
+	AuthAt        *jwt.NumericDate `json:"auth_time,omitempty"`
+	Email         string           `json:"email,omitempty"`
+	EmailVerified bool             `json:"email_verified"`
+	Firebase      *FirebaseClaim   `json:"firebase,omitempty"`
+
+	jwt.RegisteredClaims
+}
+
+func (c *Claims) validate(now time.Time, audience, issuer string) error {
+	if !c.VerifyExpiresAt(now, false) {
+		return jwt.ErrTokenExpired
+	} else if !c.VerifyIssuedAt(now, false) {
+		return jwt.ErrTokenUsedBeforeIssued
+	} else if !c.VerifyNotBefore(now, false) {
+		return jwt.ErrTokenNotValidYet
+	} else if !c.VerifyAudience(audience, true) {
+		return jwt.ErrTokenInvalidAudience
+	} else if !c.VerifyIssuer(issuer, true) {
+		return jwt.ErrTokenInvalidIssuer
+	} else if c.Subject == "" {
+		return errNoSubject
+	} else if c.AuthAt.After(now) {
+		return errAuthFuture
+	}
+	return nil
 }
 
 // FirebaseClaim represents firebase specific claim.
@@ -208,8 +213,3 @@ type FirebaseClaim struct {
 	SignInProvider string              `json:"sign_in_provider,omitempty"`
 	Identities     map[string][]string `json:"identities,omitempty"`
 }
-
-// Valid implements the jwt.Claims interface.
-func (c *Claims) Valid() error {
-	return nil
-}

data/firejwt_test.go

@@ -17,9 +17,9 @@ import (
 	"time"
 
 	"github.com/bsm/firejwt"
-	. "github.com/bsm/ginkgo"
+	. "github.com/bsm/ginkgo/v2"
 	. "github.com/bsm/gomega"
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v4"
 )
 
 var _ = Describe("Validator", func() {
@@ -43,7 +43,7 @@ var _ = Describe("Validator", func() {
 				certKID: string(certPEM),
 			})
 		}))
-		seeds = mockClaims(time.Now().Unix())
+		seeds = mockClaims(time.Now())
 
 		var err error
 		subject, err = firejwt.Mocked(server.URL)
@@ -72,51 +72,51 @@ var _ = Describe("Validator", func() {
 	})
 
 	It("should verify exp", func() {
-		seeds.ExpiresAt = time.Now().Unix() - 1
+		seeds.ExpiresAt = jwt.NewNumericDate(time.Now().Add(-time.Second))
 		_, err := subject.Decode(generate())
-		Expect(err).To(MatchError(`token has expired`))
+		Expect(err).To(MatchError(`token is expired`))
 		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
 	})
 
 	It("should verify iat", func() {
-		seeds.IssuedAt = time.Now().Unix() + 1
+		seeds.IssuedAt = jwt.NewNumericDate(time.Now().Add(time.Second))
 		_, err := subject.Decode(generate())
-		Expect(err).To(MatchError(`issued in the future`))
+		Expect(err).To(MatchError(`token used before issued`))
 		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
 	})
 
 	It("should verify aud", func() {
-		seeds.Audience = "other"
+		seeds.Audience = jwt.ClaimStrings{"other"}
 		_, err := subject.Decode(generate())
-		Expect(err).To(MatchError(`invalid audience claim "other"`))
+		Expect(err).To(MatchError(`token has invalid audience`))
 		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
 	})
 
 	It("should verify iss", func() {
 		seeds.Issuer = "other"
 		_, err := subject.Decode(generate())
-		Expect(err).To(MatchError(`invalid issuer claim "other"`))
+		Expect(err).To(MatchError(`token has invalid issuer`))
 		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
 	})
 
 	It("should verify sub", func() {
 		seeds.Subject = ""
 		_, err := subject.Decode(generate())
-		Expect(err).To(MatchError(`subject is missing`))
+		Expect(err).To(MatchError(`token has no subject`))
 		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
 	})
 
 	It("should verify auth time", func() {
-		seeds.AuthAt = time.Now().Unix() + 1
+		seeds.AuthAt = jwt.NewNumericDate(time.Now().Add(time.Second))
 		_, err := subject.Decode(generate())
-		Expect(err).To(MatchError(`auth-time in the future`))
+		Expect(err).To(MatchError(`token auth_time not valid`))
 		Expect(err).To(BeAssignableToTypeOf(&jwt.ValidationError{}))
 	})
 })
 
 var _ = Describe("Claims", func() {
 	It("should be JWT compatible", func() {
-		subject := mockClaims(1515151515)
+		subject := mockClaims(time.Unix(1515151515, 0))
 		Expect(json.Marshal(subject)).To(MatchJSON(`{
 			"name": "Me",
 			"picture": "https://test.host/me.jpg",
@@ -185,17 +185,12 @@ var _ = BeforeSuite(func() {
 	certPEM = buf.String()
 })
 
-func mockClaims(now int64) *firejwt.Claims {
+func mockClaims(now time.Time) *firejwt.Claims {
 	return &firejwt.Claims{
 		Name:          "Me",
 		Picture:       "https://test.host/me.jpg",
-		Subject:       "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
 		UserID:        "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
-		Audience:      "mock-project",
-		Issuer:        "https://securetoken.google.com/mock-project",
-		IssuedAt:      now - 1800,
-		ExpiresAt:     now + 3600,
-		AuthAt:        now,
+		AuthAt:        jwt.NewNumericDate(now),
 		Email:         "me@example.com",
 		EmailVerified: true,
 		Firebase: &firejwt.FirebaseClaim{
@@ -205,5 +200,12 @@ func mockClaims(now int64) *firejwt.Claims {
 				"email":      {"me@example.com"},
 			},
 		},
+		RegisteredClaims: jwt.RegisteredClaims{
+			Subject:   "MDYwNDQwNjUtYWQ0ZC00ZDkwLThl",
+			Audience:  jwt.ClaimStrings{"mock-project"},
+			Issuer:    "https://securetoken.google.com/mock-project",
+			IssuedAt:  jwt.NewNumericDate(now.Add(-30 * time.Minute)),
+			ExpiresAt: jwt.NewNumericDate(now.Add(time.Hour)),
+		},
 	}
 }

data/go.mod

@@ -1,9 +1,9 @@
 module github.com/bsm/firejwt
 
-go 1.13
+go 1.16
 
 require (
-	github.com/bsm/ginkgo v1.16.1
+	github.com/bsm/ginkgo/v2 v2.0.0
 	github.com/bsm/gomega v1.11.0
-	github.com/golang-jwt/jwt v3.2.1+incompatible
+	github.com/golang-jwt/jwt/v4 v4.4.0
 )

data/go.sum

@@ -1,6 +1,6 @@
-github.com/bsm/ginkgo v1.16.1 h1:jp1v1dbmbGZDWmnGXDTN+XK3U1fTTNja9xYa7VBI0l0=
-github.com/bsm/ginkgo v1.16.1/go.mod h1:RabIZLzOCPghgHJKUqHZpqrQETA5AnF4aCSIYy5C1bk=
+github.com/bsm/ginkgo/v2 v2.0.0 h1:JZAs5u7SmJCrZlGFrC3v1stg/uC7OIj2q2FW9NxeIVE=
+github.com/bsm/ginkgo/v2 v2.0.0/go.mod h1:AiKlXPm7ItEHNc/2+OkrNG4E0ITzojb9/xWzvQ9XZ9w=
 github.com/bsm/gomega v1.11.0 h1:wg9DVGPETNZLIbMsseneMV1a7uo/x+wsCyNXdEcifDI=
 github.com/bsm/gomega v1.11.0/go.mod h1:JifAceMQ4crZIWYUKrlGcmbN3bqHogVTADMD2ATsbwk=
-github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
-github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.4.0 h1:EmVIxB5jzbllGIjiCV5JG4VylbK3KE400tLGLI1cdfU=
+github.com/golang-jwt/jwt/v4 v4.4.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: firejwt
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.5.0
 platform: ruby
 authors:
 - Black Square Media Ltd
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-27 00:00:00.000000000 Z
+date: 2022-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -87,7 +87,6 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/workflows/lint.yml"
 - ".github/workflows/test.yml"
 - ".gitignore"
 - ".rubocop.yml"
@@ -112,7 +111,8 @@ files:
 homepage: https://github.com/bsm/firejwt
 licenses:
 - Apache-2.0
-metadata: {}
+metadata:
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -121,14 +121,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.5'
+      version: '2.7'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.15
+rubygems_version: 3.3.3
 signing_key: 
 specification_version: 4
 summary: Firebase JWT validation

data/.github/workflows/lint.yml

@@ -1,18 +0,0 @@
-name: Lint
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-jobs:
-  golangci:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Run lint
-        uses: golangci/golangci-lint-action@v2
-        with:
-          version: latest