jwt 1.5.4 → 1.5.5
- checksums.yaml +5 -13
- data/.gitignore +5 -0
- data/.rspec +0 -1
- data/CHANGELOG.md +352 -0
- data/README.md +5 -5
- data/Rakefile +10 -0
- data/lib/jwt.rb +37 -14
- data/lib/jwt/error.rb +1 -0
- data/lib/jwt/verify.rb +25 -15
- data/lib/jwt/version.rb +2 -2
- data/ruby-jwt.gemspec +1 -0
- data/spec/integration/readme_examples_spec.rb +190 -0
- data/spec/jwt/verify_spec.rb +12 -3
- data/spec/jwt_spec.rb +8 -0
- metadata +39 -22
checksums.yaml
CHANGED
@@ -1,15 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
|
5
|
-
data.tar.gz: !binary |-
|
6
|
-
YmM3YWU5NTkxNDEzOGQyMTAzMTIyYzVmNWNhY2ZlMWU2NTFlZjliNQ==
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 0ab60d996890a0c93b46c4c86170e03fbfdca0c2
|
4
|
+
data.tar.gz: 83765101b7357c3c548bad68baeff603b83ce446
|
7
5
|
SHA512:
|
8
|
-
metadata.gz:
|
9
|
-
|
10
|
-
N2E3MmE5NmQ1ZjlhZTU2ZDc3NDYxYzIxZjhkMjJjOGE1NDI5MDI4MmVmN2Fi
|
11
|
-
ZGExYWMzOGI3ZDAxNWE2NzdhOWRjNjkzZjAxMjRmMGM0NTIwZDU=
|
12
|
-
data.tar.gz: !binary |-
|
13
|
-
OGQxM2IyM2E1ZTUzM2QzZjBlMmZiYzBiMGU4OGM5YjI5NTU0YjA2ZWQ3MDY3
|
14
|
-
MjQ0ZDMxNTEzMWE0NzUzYjAxOGQ2MTAwZTFiMmU5YmYzZDFjYTVhNTdhOGVm
|
15
|
-
N2Q3Mjk0ODMxYWI3NDg3M2IwYzA5MmMwYTgzNzhjM2U5YTJkODI=
|
6
|
+
metadata.gz: bab32a2372d9a05d4f5b8591c77cb9be60c252b796b778c417a5ad9a2f87a7faae3421029b07543c06f3f7bdf5ad2c786776f6f45a93dca7e128f6753ce143dd
|
7
|
+
data.tar.gz: 1dd7005d75ff1a20cfc95e9362a48776bcc498f26ba4362f027252e32d32dcd30f8a50045fbb85da5486d231c63aaa043b20101169ee1fecf702dee2e95483c8
|
data/.gitignore
CHANGED
data/.rspec
CHANGED
data/CHANGELOG.md
ADDED
@@ -0,0 +1,352 @@
|
|
1
|
+
# Change Log
|
2
|
+
|
3
|
+
## [v1.5.5](https://github.com/jwt/ruby-jwt/tree/v1.5.5) (2016-09-16)
|
4
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.4...v1.5.5)
|
5
|
+
|
6
|
+
**Implemented enhancements:**
|
7
|
+
|
8
|
+
- JWT.decode always raises JWT::ExpiredSignature for tokens created with Time objects passed as the `exp` parameter [\#148](https://github.com/jwt/ruby-jwt/issues/148)
|
9
|
+
|
10
|
+
**Fixed bugs:**
|
11
|
+
|
12
|
+
- expiration check does not give "Signature has expired" error for the exact time of expiration [\#157](https://github.com/jwt/ruby-jwt/issues/157)
|
13
|
+
- JTI claim broken? [\#152](https://github.com/jwt/ruby-jwt/issues/152)
|
14
|
+
- Audience Claim broken? [\#151](https://github.com/jwt/ruby-jwt/issues/151)
|
15
|
+
- 1.5.3 breaks compatibility with 1.5.2 [\#133](https://github.com/jwt/ruby-jwt/issues/133)
|
16
|
+
- Version 1.5.3 breaks 1.9.3 compatibility, but not documented as such [\#132](https://github.com/jwt/ruby-jwt/issues/132)
|
17
|
+
- Fix: exp claim check [\#161](https://github.com/jwt/ruby-jwt/pull/161) ([excpt](https://github.com/excpt))
|
18
|
+
|
19
|
+
**Closed issues:**
|
20
|
+
|
21
|
+
- Rendering Json Results in JWT::DecodeError [\#162](https://github.com/jwt/ruby-jwt/issues/162)
|
22
|
+
- PHP Libraries [\#154](https://github.com/jwt/ruby-jwt/issues/154)
|
23
|
+
- \[security\] Signature verified after expiration/sub/iss checks [\#153](https://github.com/jwt/ruby-jwt/issues/153)
|
24
|
+
- Is ruby-jwt thread-safe? [\#150](https://github.com/jwt/ruby-jwt/issues/150)
|
25
|
+
- JWT 1.5.3 [\#143](https://github.com/jwt/ruby-jwt/issues/143)
|
26
|
+
- gem install v 1.5.3 returns error [\#141](https://github.com/jwt/ruby-jwt/issues/141)
|
27
|
+
- Adding a CHANGELOG [\#140](https://github.com/jwt/ruby-jwt/issues/140)
|
28
|
+
|
29
|
+
**Merged pull requests:**
|
30
|
+
|
31
|
+
- Bump version [\#165](https://github.com/jwt/ruby-jwt/pull/165) ([excpt](https://github.com/excpt))
|
32
|
+
- Improve error message for exp claim in payload [\#164](https://github.com/jwt/ruby-jwt/pull/164) ([excpt](https://github.com/excpt))
|
33
|
+
- Fix \#151 and code refactoring [\#163](https://github.com/jwt/ruby-jwt/pull/163) ([excpt](https://github.com/excpt))
|
34
|
+
- Signature validation before claim verification [\#160](https://github.com/jwt/ruby-jwt/pull/160) ([excpt](https://github.com/excpt))
|
35
|
+
- Create specs for README.md examples [\#159](https://github.com/jwt/ruby-jwt/pull/159) ([excpt](https://github.com/excpt))
|
36
|
+
- Tiny Readme Improvement [\#156](https://github.com/jwt/ruby-jwt/pull/156) ([b264](https://github.com/b264))
|
37
|
+
- Added test execution to Rakefile [\#147](https://github.com/jwt/ruby-jwt/pull/147) ([jabbrwcky](https://github.com/jabbrwcky))
|
38
|
+
- Add more bling bling to the site [\#146](https://github.com/jwt/ruby-jwt/pull/146) ([excpt](https://github.com/excpt))
|
39
|
+
- Bump version [\#145](https://github.com/jwt/ruby-jwt/pull/145) ([excpt](https://github.com/excpt))
|
40
|
+
- Add first content and basic layout [\#144](https://github.com/jwt/ruby-jwt/pull/144) ([excpt](https://github.com/excpt))
|
41
|
+
- Add a changelog file [\#142](https://github.com/jwt/ruby-jwt/pull/142) ([excpt](https://github.com/excpt))
|
42
|
+
- Return decoded\_segments [\#139](https://github.com/jwt/ruby-jwt/pull/139) ([akostrikov](https://github.com/akostrikov))
|
43
|
+
|
44
|
+
## [v1.5.4](https://github.com/jwt/ruby-jwt/tree/v1.5.4) (2016-03-24)
|
45
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.3...v1.5.4)
|
46
|
+
|
47
|
+
**Closed issues:**
|
48
|
+
|
49
|
+
- 404 at https://rubygems.global.ssl.fastly.net/gems/jwt-1.5.3.gem [\#137](https://github.com/jwt/ruby-jwt/issues/137)
|
50
|
+
|
51
|
+
**Merged pull requests:**
|
52
|
+
|
53
|
+
- Update README.md [\#138](https://github.com/jwt/ruby-jwt/pull/138) ([excpt](https://github.com/excpt))
|
54
|
+
- Fix base64url\_decode [\#136](https://github.com/jwt/ruby-jwt/pull/136) ([excpt](https://github.com/excpt))
|
55
|
+
- Fix ruby 1.9.3 compatibility [\#135](https://github.com/jwt/ruby-jwt/pull/135) ([excpt](https://github.com/excpt))
|
56
|
+
- iat can be a float value [\#134](https://github.com/jwt/ruby-jwt/pull/134) ([llimllib](https://github.com/llimllib))
|
57
|
+
|
58
|
+
## [v1.5.3](https://github.com/jwt/ruby-jwt/tree/v1.5.3) (2016-02-24)
|
59
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.5.2...v1.5.3)
|
60
|
+
|
61
|
+
**Implemented enhancements:**
|
62
|
+
|
63
|
+
- Refactor obsolete code for ruby 1.8 support [\#120](https://github.com/jwt/ruby-jwt/issues/120)
|
64
|
+
- Fix "Rubocop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb [\#106](https://github.com/jwt/ruby-jwt/issues/106)
|
65
|
+
- Fix "Rubocop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb [\#105](https://github.com/jwt/ruby-jwt/issues/105)
|
66
|
+
- Allow a proc to be passed for JTI verification [\#126](https://github.com/jwt/ruby-jwt/pull/126) ([yahooguntu](https://github.com/yahooguntu))
|
67
|
+
- Relax restrictions on "jti" claim verification [\#113](https://github.com/jwt/ruby-jwt/pull/113) ([lwe](https://github.com/lwe))
|
68
|
+
|
69
|
+
**Closed issues:**
|
70
|
+
|
71
|
+
- Verifications not functioning in latest release [\#128](https://github.com/jwt/ruby-jwt/issues/128)
|
72
|
+
- Base64 is generating invalid length base64 strings - cross language interop [\#127](https://github.com/jwt/ruby-jwt/issues/127)
|
73
|
+
- Digest::Digest is deprecated; use Digest [\#119](https://github.com/jwt/ruby-jwt/issues/119)
|
74
|
+
- verify\_rsa no method 'verify' for class String [\#115](https://github.com/jwt/ruby-jwt/issues/115)
|
75
|
+
- Add a changelog [\#111](https://github.com/jwt/ruby-jwt/issues/111)
|
76
|
+
|
77
|
+
**Merged pull requests:**
|
78
|
+
|
79
|
+
- Drop ruby 1.9.3 support [\#131](https://github.com/jwt/ruby-jwt/pull/131) ([excpt](https://github.com/excpt))
|
80
|
+
- Allow string hash keys in validation configurations [\#130](https://github.com/jwt/ruby-jwt/pull/130) ([tpickett66](https://github.com/tpickett66))
|
81
|
+
- Add ruby 2.3.0 for travis ci testing [\#123](https://github.com/jwt/ruby-jwt/pull/123) ([excpt](https://github.com/excpt))
|
82
|
+
- Remove obsolete json code [\#122](https://github.com/jwt/ruby-jwt/pull/122) ([excpt](https://github.com/excpt))
|
83
|
+
- Add fancy badges to README.md [\#118](https://github.com/jwt/ruby-jwt/pull/118) ([excpt](https://github.com/excpt))
|
84
|
+
- Refactor decode and verify functionality [\#117](https://github.com/jwt/ruby-jwt/pull/117) ([excpt](https://github.com/excpt))
|
85
|
+
- Drop echoe dependency for gem releases [\#116](https://github.com/jwt/ruby-jwt/pull/116) ([excpt](https://github.com/excpt))
|
86
|
+
- Updated readme for iss/aud options [\#114](https://github.com/jwt/ruby-jwt/pull/114) ([ryanmcilmoyl](https://github.com/ryanmcilmoyl))
|
87
|
+
- Fix error misspelling [\#112](https://github.com/jwt/ruby-jwt/pull/112) ([kat3kasper](https://github.com/kat3kasper))
|
88
|
+
|
89
|
+
## [jwt-1.5.2](https://github.com/jwt/ruby-jwt/tree/jwt-1.5.2) (2015-10-27)
|
90
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.5.1...jwt-1.5.2)
|
91
|
+
|
92
|
+
**Implemented enhancements:**
|
93
|
+
|
94
|
+
- Must we specify algorithm when calling decode to avoid vulnerabilities? [\#107](https://github.com/jwt/ruby-jwt/issues/107)
|
95
|
+
- Code review: Rspec test refactoring [\#85](https://github.com/jwt/ruby-jwt/pull/85) ([excpt](https://github.com/excpt))
|
96
|
+
|
97
|
+
**Fixed bugs:**
|
98
|
+
|
99
|
+
- aud verifies if aud is passed in, :sub does not [\#102](https://github.com/jwt/ruby-jwt/issues/102)
|
100
|
+
- iat check does not use leeway so nbf could pass, but iat fail [\#83](https://github.com/jwt/ruby-jwt/issues/83)
|
101
|
+
|
102
|
+
**Closed issues:**
|
103
|
+
|
104
|
+
- Test ticket from Code Climate [\#104](https://github.com/jwt/ruby-jwt/issues/104)
|
105
|
+
- Test ticket from Code Climate [\#100](https://github.com/jwt/ruby-jwt/issues/100)
|
106
|
+
- Is it possible to decode the payload without validating the signature? [\#97](https://github.com/jwt/ruby-jwt/issues/97)
|
107
|
+
- What is audience? [\#96](https://github.com/jwt/ruby-jwt/issues/96)
|
108
|
+
- Options hash uses both symbols and strings as keys. [\#95](https://github.com/jwt/ruby-jwt/issues/95)
|
109
|
+
|
110
|
+
**Merged pull requests:**
|
111
|
+
|
112
|
+
- Fix incorrect `iat` examples [\#109](https://github.com/jwt/ruby-jwt/pull/109) ([kjwierenga](https://github.com/kjwierenga))
|
113
|
+
- Update docs to include instructions for the algorithm parameter. [\#108](https://github.com/jwt/ruby-jwt/pull/108) ([aarongray](https://github.com/aarongray))
|
114
|
+
- make sure :sub check behaves like :aud check [\#103](https://github.com/jwt/ruby-jwt/pull/103) ([skippy](https://github.com/skippy))
|
115
|
+
- Change hash syntax [\#101](https://github.com/jwt/ruby-jwt/pull/101) ([excpt](https://github.com/excpt))
|
116
|
+
- Include LICENSE and README.md in gem [\#99](https://github.com/jwt/ruby-jwt/pull/99) ([bkeepers](https://github.com/bkeepers))
|
117
|
+
- Remove unused variable in the sample code. [\#98](https://github.com/jwt/ruby-jwt/pull/98) ([hypermkt](https://github.com/hypermkt))
|
118
|
+
- Fix iat claim example [\#94](https://github.com/jwt/ruby-jwt/pull/94) ([larrylv](https://github.com/larrylv))
|
119
|
+
- Fix wrong description in README.md [\#93](https://github.com/jwt/ruby-jwt/pull/93) ([larrylv](https://github.com/larrylv))
|
120
|
+
- JWT and JWA are now RFC. [\#92](https://github.com/jwt/ruby-jwt/pull/92) ([aj-michael](https://github.com/aj-michael))
|
121
|
+
- Update README.md [\#91](https://github.com/jwt/ruby-jwt/pull/91) ([nsarno](https://github.com/nsarno))
|
122
|
+
- Fix missing verify parameter in docs [\#90](https://github.com/jwt/ruby-jwt/pull/90) ([ernie](https://github.com/ernie))
|
123
|
+
- Iat check uses leeway. [\#89](https://github.com/jwt/ruby-jwt/pull/89) ([aj-michael](https://github.com/aj-michael))
|
124
|
+
- nbf check allows exact time matches. [\#88](https://github.com/jwt/ruby-jwt/pull/88) ([aj-michael](https://github.com/aj-michael))
|
125
|
+
|
126
|
+
## [jwt-1.5.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.5.1) (2015-06-22)
|
127
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.5.0...jwt-1.5.1)
|
128
|
+
|
129
|
+
**Implemented enhancements:**
|
130
|
+
|
131
|
+
- Fix either README or source code [\#78](https://github.com/jwt/ruby-jwt/issues/78)
|
132
|
+
- Validate against draft 20 [\#38](https://github.com/jwt/ruby-jwt/issues/38)
|
133
|
+
|
134
|
+
**Fixed bugs:**
|
135
|
+
|
136
|
+
- ECDSA signature verification fails for valid tokens [\#84](https://github.com/jwt/ruby-jwt/issues/84)
|
137
|
+
- Shouldn't verification of additional claims, like iss, aud etc. be enforced when in options? [\#81](https://github.com/jwt/ruby-jwt/issues/81)
|
138
|
+
- Fix either README or source code [\#78](https://github.com/jwt/ruby-jwt/issues/78)
|
139
|
+
- decode fails with 'none' algorithm and verify [\#75](https://github.com/jwt/ruby-jwt/issues/75)
|
140
|
+
|
141
|
+
**Closed issues:**
|
142
|
+
|
143
|
+
- Doc mismatch: uninitialized constant JWT::ExpiredSignature [\#79](https://github.com/jwt/ruby-jwt/issues/79)
|
144
|
+
- TypeError when specifying a wrong algorithm [\#77](https://github.com/jwt/ruby-jwt/issues/77)
|
145
|
+
- jti verification doesn't prevent replays [\#73](https://github.com/jwt/ruby-jwt/issues/73)
|
146
|
+
|
147
|
+
**Merged pull requests:**
|
148
|
+
|
149
|
+
- Correctly sign ECDSA JWTs [\#87](https://github.com/jwt/ruby-jwt/pull/87) ([jurriaan](https://github.com/jurriaan))
|
150
|
+
- fixed results of decoded tokens in readme [\#86](https://github.com/jwt/ruby-jwt/pull/86) ([piscolomo](https://github.com/piscolomo))
|
151
|
+
- Force verification of "iss" and "aud" claims [\#82](https://github.com/jwt/ruby-jwt/pull/82) ([lwe](https://github.com/lwe))
|
152
|
+
|
153
|
+
## [jwt-1.5.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.5.0) (2015-05-09)
|
154
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.4.1...jwt-1.5.0)
|
155
|
+
|
156
|
+
**Implemented enhancements:**
|
157
|
+
|
158
|
+
- Needs to support asymmetric key signatures over shared secrets [\#46](https://github.com/jwt/ruby-jwt/issues/46)
|
159
|
+
- Implement Elliptic Curve Crypto Signatures [\#74](https://github.com/jwt/ruby-jwt/pull/74) ([jtdowney](https://github.com/jtdowney))
|
160
|
+
- Add an option to verify the signature on decode [\#71](https://github.com/jwt/ruby-jwt/pull/71) ([javawizard](https://github.com/javawizard))
|
161
|
+
|
162
|
+
**Closed issues:**
|
163
|
+
|
164
|
+
- Check JWT vulnerability [\#76](https://github.com/jwt/ruby-jwt/issues/76)
|
165
|
+
|
166
|
+
**Merged pull requests:**
|
167
|
+
|
168
|
+
- Fixed some examples to make them copy-pastable [\#72](https://github.com/jwt/ruby-jwt/pull/72) ([jer](https://github.com/jer))
|
169
|
+
|
170
|
+
## [jwt-1.4.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.4.1) (2015-03-12)
|
171
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.4.0...jwt-1.4.1)
|
172
|
+
|
173
|
+
**Fixed bugs:**
|
174
|
+
|
175
|
+
- jti verification not working per the spec [\#68](https://github.com/jwt/ruby-jwt/issues/68)
|
176
|
+
- Verify ISS should be off by default [\#66](https://github.com/jwt/ruby-jwt/issues/66)
|
177
|
+
|
178
|
+
**Merged pull requests:**
|
179
|
+
|
180
|
+
- Fix \#66 \#68 [\#69](https://github.com/jwt/ruby-jwt/pull/69) ([excpt](https://github.com/excpt))
|
181
|
+
- When throwing errors, mention expected/received values [\#65](https://github.com/jwt/ruby-jwt/pull/65) ([rolodato](https://github.com/rolodato))
|
182
|
+
|
183
|
+
## [jwt-1.4.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.4.0) (2015-03-10)
|
184
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.3.0...jwt-1.4.0)
|
185
|
+
|
186
|
+
**Closed issues:**
|
187
|
+
|
188
|
+
- The behavior using 'json' differs from 'multi\_json' [\#41](https://github.com/jwt/ruby-jwt/issues/41)
|
189
|
+
|
190
|
+
**Merged pull requests:**
|
191
|
+
|
192
|
+
- Release 1.4.0 [\#64](https://github.com/jwt/ruby-jwt/pull/64) ([excpt](https://github.com/excpt))
|
193
|
+
- Update README.md and remove dead code [\#63](https://github.com/jwt/ruby-jwt/pull/63) ([excpt](https://github.com/excpt))
|
194
|
+
- Add 'iat/ aud/ sub/ jti' support for ruby-jwt [\#62](https://github.com/jwt/ruby-jwt/pull/62) ([ZhangHanDong](https://github.com/ZhangHanDong))
|
195
|
+
- Add 'iss' support for ruby-jwt [\#61](https://github.com/jwt/ruby-jwt/pull/61) ([ZhangHanDong](https://github.com/ZhangHanDong))
|
196
|
+
- Clarify .encode API in README [\#60](https://github.com/jwt/ruby-jwt/pull/60) ([jbodah](https://github.com/jbodah))
|
197
|
+
|
198
|
+
## [jwt-1.3.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.3.0) (2015-02-24)
|
199
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.2.1...jwt-1.3.0)
|
200
|
+
|
201
|
+
**Closed issues:**
|
202
|
+
|
203
|
+
- Signature Verification to Return Verification Error rather than decode error [\#57](https://github.com/jwt/ruby-jwt/issues/57)
|
204
|
+
- Incorrect readme for leeway [\#55](https://github.com/jwt/ruby-jwt/issues/55)
|
205
|
+
- What is the reason behind stripping the = in base64 encoding? [\#54](https://github.com/jwt/ruby-jwt/issues/54)
|
206
|
+
- Preperations for version 2.x [\#50](https://github.com/jwt/ruby-jwt/issues/50)
|
207
|
+
- Release a new version [\#47](https://github.com/jwt/ruby-jwt/issues/47)
|
208
|
+
- Catch up for ActiveWhatever 4.1.1 series [\#40](https://github.com/jwt/ruby-jwt/issues/40)
|
209
|
+
|
210
|
+
**Merged pull requests:**
|
211
|
+
|
212
|
+
- raise verification error for signiture verification [\#58](https://github.com/jwt/ruby-jwt/pull/58) ([punkle](https://github.com/punkle))
|
213
|
+
- Added support for not before claim verification [\#56](https://github.com/jwt/ruby-jwt/pull/56) ([punkle](https://github.com/punkle))
|
214
|
+
- Preperations for version 2.x [\#49](https://github.com/jwt/ruby-jwt/pull/49) ([excpt](https://github.com/excpt))
|
215
|
+
|
216
|
+
## [jwt-1.2.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.2.1) (2015-01-22)
|
217
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.2.0...jwt-1.2.1)
|
218
|
+
|
219
|
+
**Closed issues:**
|
220
|
+
|
221
|
+
- JWT.encode\({"exp": 10}, "secret"\) [\#52](https://github.com/jwt/ruby-jwt/issues/52)
|
222
|
+
- JWT.encode\({"exp": 10}, "secret"\) [\#51](https://github.com/jwt/ruby-jwt/issues/51)
|
223
|
+
|
224
|
+
**Merged pull requests:**
|
225
|
+
|
226
|
+
- Accept expiration claims as string [\#53](https://github.com/jwt/ruby-jwt/pull/53) ([yarmand](https://github.com/yarmand))
|
227
|
+
|
228
|
+
## [jwt-1.2.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.2.0) (2014-11-24)
|
229
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.13...jwt-1.2.0)
|
230
|
+
|
231
|
+
**Closed issues:**
|
232
|
+
|
233
|
+
- set token to expire [\#42](https://github.com/jwt/ruby-jwt/issues/42)
|
234
|
+
|
235
|
+
**Merged pull requests:**
|
236
|
+
|
237
|
+
- Added support for `exp` claim [\#45](https://github.com/jwt/ruby-jwt/pull/45) ([zshannon](https://github.com/zshannon))
|
238
|
+
- rspec 3 breaks passing tests [\#44](https://github.com/jwt/ruby-jwt/pull/44) ([zshannon](https://github.com/zshannon))
|
239
|
+
|
240
|
+
## [jwt-0.1.13](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.13) (2014-05-08)
|
241
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.0.0...jwt-0.1.13)
|
242
|
+
|
243
|
+
**Closed issues:**
|
244
|
+
|
245
|
+
- yanking of version 0.1.12 causes issues [\#39](https://github.com/jwt/ruby-jwt/issues/39)
|
246
|
+
- Semantic versioning [\#37](https://github.com/jwt/ruby-jwt/issues/37)
|
247
|
+
- Update gem to get latest changes [\#36](https://github.com/jwt/ruby-jwt/issues/36)
|
248
|
+
|
249
|
+
## [jwt-1.0.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.0.0) (2014-05-07)
|
250
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.11...jwt-1.0.0)
|
251
|
+
|
252
|
+
**Closed issues:**
|
253
|
+
|
254
|
+
- API request - JWT::decoded\_header\(\) [\#26](https://github.com/jwt/ruby-jwt/issues/26)
|
255
|
+
|
256
|
+
**Merged pull requests:**
|
257
|
+
|
258
|
+
- return header along with playload after decoding [\#35](https://github.com/jwt/ruby-jwt/pull/35) ([sawyerzhang](https://github.com/sawyerzhang))
|
259
|
+
- Raise JWT::DecodeError on nil token [\#34](https://github.com/jwt/ruby-jwt/pull/34) ([tjmw](https://github.com/tjmw))
|
260
|
+
- Make MultiJson optional for Ruby 1.9+ [\#33](https://github.com/jwt/ruby-jwt/pull/33) ([petergoldstein](https://github.com/petergoldstein))
|
261
|
+
- Allow access to header and payload without signature verification [\#32](https://github.com/jwt/ruby-jwt/pull/32) ([petergoldstein](https://github.com/petergoldstein))
|
262
|
+
- Update specs to use RSpec 3.0.x syntax [\#31](https://github.com/jwt/ruby-jwt/pull/31) ([petergoldstein](https://github.com/petergoldstein))
|
263
|
+
- Travis - Add Ruby 2.0.0, 2.1.0, Rubinius [\#30](https://github.com/jwt/ruby-jwt/pull/30) ([petergoldstein](https://github.com/petergoldstein))
|
264
|
+
|
265
|
+
## [jwt-0.1.11](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.11) (2014-01-17)
|
266
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.10...jwt-0.1.11)
|
267
|
+
|
268
|
+
**Closed issues:**
|
269
|
+
|
270
|
+
- url safe encode and decode [\#28](https://github.com/jwt/ruby-jwt/issues/28)
|
271
|
+
- Release [\#27](https://github.com/jwt/ruby-jwt/issues/27)
|
272
|
+
|
273
|
+
**Merged pull requests:**
|
274
|
+
|
275
|
+
- fixed urlsafe base64 encoding [\#29](https://github.com/jwt/ruby-jwt/pull/29) ([tobscher](https://github.com/tobscher))
|
276
|
+
|
277
|
+
## [jwt-0.1.10](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.10) (2014-01-10)
|
278
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.8...jwt-0.1.10)
|
279
|
+
|
280
|
+
**Closed issues:**
|
281
|
+
|
282
|
+
- change to signature of JWT.decode method [\#14](https://github.com/jwt/ruby-jwt/issues/14)
|
283
|
+
|
284
|
+
**Merged pull requests:**
|
285
|
+
|
286
|
+
- Fix warning: assigned but unused variable - e [\#25](https://github.com/jwt/ruby-jwt/pull/25) ([sferik](https://github.com/sferik))
|
287
|
+
- Echoe doesn't define a license= method [\#24](https://github.com/jwt/ruby-jwt/pull/24) ([sferik](https://github.com/sferik))
|
288
|
+
- Use OpenSSL::Digest instead of deprecated OpenSSL::Digest::Digest [\#23](https://github.com/jwt/ruby-jwt/pull/23) ([JuanitoFatas](https://github.com/JuanitoFatas))
|
289
|
+
- Handle some invalid JWTs [\#22](https://github.com/jwt/ruby-jwt/pull/22) ([steved](https://github.com/steved))
|
290
|
+
- Add MIT license to gemspec [\#21](https://github.com/jwt/ruby-jwt/pull/21) ([nycvotes-dev](https://github.com/nycvotes-dev))
|
291
|
+
- Tweaks and improvements [\#20](https://github.com/jwt/ruby-jwt/pull/20) ([threedaymonk](https://github.com/threedaymonk))
|
292
|
+
- Don't leave errors in OpenSSL.errors when there is a decoding error. [\#19](https://github.com/jwt/ruby-jwt/pull/19) ([lowellk](https://github.com/lowellk))
|
293
|
+
|
294
|
+
## [jwt-0.1.8](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.8) (2013-03-14)
|
295
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.7...jwt-0.1.8)
|
296
|
+
|
297
|
+
**Merged pull requests:**
|
298
|
+
|
299
|
+
- Contrib and update [\#18](https://github.com/jwt/ruby-jwt/pull/18) ([threedaymonk](https://github.com/threedaymonk))
|
300
|
+
- Verify if verify is truthy \(not just true\) [\#17](https://github.com/jwt/ruby-jwt/pull/17) ([threedaymonk](https://github.com/threedaymonk))
|
301
|
+
|
302
|
+
## [jwt-0.1.7](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.7) (2013-03-07)
|
303
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.6...jwt-0.1.7)
|
304
|
+
|
305
|
+
**Merged pull requests:**
|
306
|
+
|
307
|
+
- Catch MultiJson::LoadError and reraise as JWT::DecodeError [\#16](https://github.com/jwt/ruby-jwt/pull/16) ([rwygand](https://github.com/rwygand))
|
308
|
+
|
309
|
+
## [jwt-0.1.6](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.6) (2013-03-05)
|
310
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.5...jwt-0.1.6)
|
311
|
+
|
312
|
+
**Merged pull requests:**
|
313
|
+
|
314
|
+
- Fixes a theoretical timing attack [\#15](https://github.com/jwt/ruby-jwt/pull/15) ([mgates](https://github.com/mgates))
|
315
|
+
- Use StandardError as parent for DecodeError [\#13](https://github.com/jwt/ruby-jwt/pull/13) ([Oscil8](https://github.com/Oscil8))
|
316
|
+
|
317
|
+
## [jwt-0.1.5](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.5) (2012-07-20)
|
318
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.4...jwt-0.1.5)
|
319
|
+
|
320
|
+
**Closed issues:**
|
321
|
+
|
322
|
+
- Unable to specify signature header fields [\#7](https://github.com/jwt/ruby-jwt/issues/7)
|
323
|
+
|
324
|
+
**Merged pull requests:**
|
325
|
+
|
326
|
+
- MultiJson dependency uses ~\> but should be \>= [\#12](https://github.com/jwt/ruby-jwt/pull/12) ([sporkmonger](https://github.com/sporkmonger))
|
327
|
+
- Oops. :-\) [\#11](https://github.com/jwt/ruby-jwt/pull/11) ([sporkmonger](https://github.com/sporkmonger))
|
328
|
+
- Fix issue with signature verification in JRuby [\#10](https://github.com/jwt/ruby-jwt/pull/10) ([sporkmonger](https://github.com/sporkmonger))
|
329
|
+
- Depend on MultiJson [\#9](https://github.com/jwt/ruby-jwt/pull/9) ([lautis](https://github.com/lautis))
|
330
|
+
- Allow for custom headers on encode and decode [\#8](https://github.com/jwt/ruby-jwt/pull/8) ([dgrijalva](https://github.com/dgrijalva))
|
331
|
+
- Missing development dependency for echoe gem. [\#6](https://github.com/jwt/ruby-jwt/pull/6) ([sporkmonger](https://github.com/sporkmonger))
|
332
|
+
|
333
|
+
## [jwt-0.1.4](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.4) (2011-11-11)
|
334
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.3...jwt-0.1.4)
|
335
|
+
|
336
|
+
**Merged pull requests:**
|
337
|
+
|
338
|
+
- Fix for RSA verification [\#5](https://github.com/jwt/ruby-jwt/pull/5) ([jordan-brough](https://github.com/jordan-brough))
|
339
|
+
|
340
|
+
## [jwt-0.1.3](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.3) (2011-06-30)
|
341
|
+
**Closed issues:**
|
342
|
+
|
343
|
+
- signatures calculated incorrectly \(hexdigest instead of digest\) [\#1](https://github.com/jwt/ruby-jwt/issues/1)
|
344
|
+
|
345
|
+
**Merged pull requests:**
|
346
|
+
|
347
|
+
- Bumped a version and added a .gemspec using rake build\_gemspec [\#3](https://github.com/jwt/ruby-jwt/pull/3) ([zhitomirskiyi](https://github.com/zhitomirskiyi))
|
348
|
+
- Added RSA support [\#2](https://github.com/jwt/ruby-jwt/pull/2) ([zhitomirskiyi](https://github.com/zhitomirskiyi))
|
349
|
+
|
350
|
+
|
351
|
+
|
352
|
+
\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
|
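Review bot: the entry "\[security\] Signature verified after expiration/sub/iss checks [\#153]" is filed under **Closed issues:** while the pull request that addresses it, "Signature validation before claim verification [\#160]", sits in **Merged pull requests:** with no cross-reference, so a reader scanning **Fixed bugs:** for v1.5.5 will miss the one security-relevant change of the release. Suggest moving \#153 to **Fixed bugs:** (or adding a one-line note under the v1.5.5 heading) so the verification-order change is visible to people deciding whether to upgrade.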
data/README.md
CHANGED
@@ -12,7 +12,7 @@ If you have further questions releated to development or usage, join us: [ruby-j
|
|
12
12
|
## Announcements
|
13
13
|
|
14
14
|
* Ruby 1.9.3 support will be dropped by December 31st, 2016.
|
15
|
-
* Version 1.5.3 yanked. See: #132 and #133
|
15
|
+
* Version 1.5.3 yanked. See: [#132](https://github.com/jwt/ruby-jwt/issues/132) and [#133](https://github.com/jwt/ruby-jwt/issues/133)
|
16
16
|
|
17
17
|
## Installing
|
18
18
|
|
@@ -46,7 +46,7 @@ payload = {:data => 'test'}
|
|
46
46
|
# IMPORTANT: set nil as password parameter
|
47
47
|
token = JWT.encode payload, nil, 'none'
|
48
48
|
|
49
|
-
# eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.
|
49
|
+
# eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJkYXRhIjoidGVzdCJ9.
|
50
50
|
puts token
|
51
51
|
|
52
52
|
# Set password to nil and validation to false otherwise this won't work
|
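Review bot: the corrected example output `# eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJkYXRhIjoidGVzdCJ9.` is right, but the surrounding text (`# IMPORTANT: set nil as password parameter`, `# Set password to nil and validation to false otherwise this won't work`) tells the reader how to make the `'none'` example run without saying what "validation to false" means: the token is not verified at all, so this call shape is only for inspecting tokens you already trust, never for tokens received from a client. Suggest adding one sentence to that effect beside the example.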
@@ -62,8 +62,8 @@ puts decoded_token
|
|
62
62
|
|
63
63
|
**HMAC** (default: HS256)
|
64
64
|
|
65
|
-
* HS256
|
66
|
-
* HS384
|
65
|
+
* HS256 - HMAC using SHA-256 hash algorithm (default)
|
66
|
+
* HS384 - HMAC using SHA-384 hash algorithm
|
67
67
|
* HS512 - HMAC using SHA-512 hash algorithm
|
68
68
|
|
69
69
|
```ruby
|
@@ -71,7 +71,7 @@ hmac_secret = 'my$ecretK3y'
|
|
71
71
|
|
72
72
|
token = JWT.encode payload, hmac_secret, 'HS256'
|
73
73
|
|
74
|
-
# eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.
|
74
|
+
# eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoidGVzdCJ9.ZxW8go9hz3ETCSfxFxpwSkYg_602gOPKearsf6DsxgY
|
75
75
|
puts token
|
76
76
|
|
77
77
|
decoded_token = JWT.decode token, hmac_secret, true, { :algorithm => 'HS256' }
|
data/Rakefile
CHANGED
data/lib/jwt.rb
CHANGED
@@ -15,7 +15,7 @@ module JWT
|
|
15
15
|
'prime256v1' => 'ES256',
|
16
16
|
'secp384r1' => 'ES384',
|
17
17
|
'secp521r1' => 'ES512'
|
18
|
-
}
|
18
|
+
}.freeze
|
19
19
|
|
20
20
|
module_function
|
21
21
|
|
@@ -27,7 +27,7 @@ module JWT
|
|
27
27
|
elsif %w(ES256 ES384 ES512).include?(algorithm)
|
28
28
|
sign_ecdsa(algorithm, msg, key)
|
29
29
|
else
|
30
|
-
|
30
|
+
raise NotImplementedError, 'Unsupported signing method'
|
31
31
|
end
|
32
32
|
end
|
33
33
|
|
@@ -38,7 +38,7 @@ module JWT
|
|
38
38
|
def sign_ecdsa(algorithm, msg, private_key)
|
39
39
|
key_algorithm = NAMED_CURVES[private_key.group.curve_name]
|
40
40
|
if algorithm != key_algorithm
|
41
|
-
|
41
|
+
raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
|
42
42
|
end
|
43
43
|
|
44
44
|
digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
|
@@ -52,7 +52,7 @@ module JWT
|
|
52
52
|
def verify_ecdsa(algorithm, public_key, signing_input, signature)
|
53
53
|
key_algorithm = NAMED_CURVES[public_key.group.curve_name]
|
54
54
|
if algorithm != key_algorithm
|
55
|
-
|
55
|
+
raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
|
56
56
|
end
|
57
57
|
|
58
58
|
digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
|
@@ -73,6 +73,7 @@ module JWT
|
|
73
73
|
end
|
74
74
|
|
75
75
|
def encoded_payload(payload)
|
76
|
+
raise InvalidPayload, "exp claim must be an integer" if payload['exp'] && payload['exp'].is_a?(Time)
|
76
77
|
base64url_encode(encode_json(payload))
|
77
78
|
end
|
78
79
|
|
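Review bot: the new guard `raise InvalidPayload, "exp claim must be an integer" if payload['exp'] && payload['exp'].is_a?(Time)` only looks at the string key, so a payload built with a symbol key (`{ exp: ... }`, the same style as the README's `{:data => 'test'}`) bypasses it and is still handed to `encode_json`. The message also promises an integer check the code does not perform (a `Float` or `String` `exp` passes), and the `payload['exp'] &&` prefix is redundant because `nil.is_a?(Time)` is already false. Suggest checking both `payload['exp']` and `payload[:exp]`, and either validating `Integer` as the message says or rewording the message to match the `Time` check.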
@@ -94,8 +95,29 @@ module JWT
|
|
94
95
|
segments.join('.')
|
95
96
|
end
|
96
97
|
|
98
|
+
def decoded_segments(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
|
99
|
+
raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
|
100
|
+
|
101
|
+
options = {
|
102
|
+
verify_expiration: true,
|
103
|
+
verify_not_before: true,
|
104
|
+
verify_iss: false,
|
105
|
+
verify_iat: false,
|
106
|
+
verify_jti: false,
|
107
|
+
verify_aud: false,
|
108
|
+
verify_sub: false,
|
109
|
+
leeway: 0
|
110
|
+
}
|
111
|
+
|
112
|
+
merged_options = options.merge(custom_options)
|
113
|
+
|
114
|
+
decoder = Decode.new jwt, key, verify, merged_options, &keyfinder
|
115
|
+
decoder.decode_segments
|
116
|
+
end
|
117
|
+
|
118
|
+
|
97
119
|
def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
|
98
|
-
|
120
|
+
raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
|
99
121
|
|
100
122
|
options = {
|
101
123
|
verify_expiration: true,
|
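Review bot: `decoded_segments` copies the whole default-options hash and merge from `decode` verbatim (`verify_expiration: true` through `leeway: 0`, then `merged_options = options.merge(custom_options)`); extract a shared helper such as a `default_options` method so the two cannot drift apart. More important, the method takes a `verify` argument but returns `decoder.decode_segments` directly, without the `verify_signature` call that `decode` performs after the same line, so `decoded_segments(jwt, key, true)` hands back a header and payload whose signature has not been checked. Either perform `verify_signature` when `verify` is true or document plainly that this method returns unverified segments.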
@@ -112,35 +134,36 @@ module JWT
|
|
112
134
|
|
113
135
|
decoder = Decode.new jwt, key, verify, merged_options, &keyfinder
|
114
136
|
header, payload, signature, signing_input = decoder.decode_segments
|
115
|
-
decoder.verify
|
116
|
-
|
117
|
-
fail(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
|
118
137
|
|
119
138
|
if verify
|
120
139
|
algo, key = signature_algorithm_and_key(header, key, &keyfinder)
|
121
140
|
if merged_options[:algorithm] && algo != merged_options[:algorithm]
|
122
|
-
|
141
|
+
raise JWT::IncorrectAlgorithm, 'Expected a different algorithm'
|
123
142
|
end
|
124
143
|
verify_signature(algo, key, signing_input, signature)
|
125
144
|
end
|
126
145
|
|
146
|
+
decoder.verify
|
147
|
+
|
148
|
+
raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
|
149
|
+
|
127
150
|
[payload, header]
|
128
151
|
end
|
129
152
|
|
130
153
|
def signature_algorithm_and_key(header, key, &keyfinder)
|
131
|
-
key =
|
154
|
+
key = yield(header) if keyfinder
|
132
155
|
[header['alg'], key]
|
133
156
|
end
|
134
157
|
|
135
158
|
def verify_signature(algo, key, signing_input, signature)
|
136
159
|
if %w(HS256 HS384 HS512).include?(algo)
|
137
|
-
|
160
|
+
raise(JWT::VerificationError, 'Signature verification raised') unless secure_compare(signature, sign_hmac(algo, signing_input, key))
|
138
161
|
elsif %w(RS256 RS384 RS512).include?(algo)
|
139
|
-
|
162
|
+
raise(JWT::VerificationError, 'Signature verification raised') unless verify_rsa(algo, key, signing_input, signature)
|
140
163
|
elsif %w(ES256 ES384 ES512).include?(algo)
|
141
|
-
|
164
|
+
raise(JWT::VerificationError, 'Signature verification raised') unless verify_ecdsa(algo, key, signing_input, signature)
|
142
165
|
else
|
143
|
-
|
166
|
+
raise JWT::VerificationError, 'Algorithm not supported'
|
144
167
|
end
|
145
168
|
rescue OpenSSL::PKey::PKeyError
|
146
169
|
raise JWT::VerificationError, 'Signature verification raised'
|
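Review bot: moving `decoder.verify` below the signature check is the right order (claims are now only evaluated on an authenticated payload), but `raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload` moved down with it, so a token with too few segments now reaches `signature_algorithm_and_key(header, key, &keyfinder)` with a nil `header` and fails with a NoMethodError on `header['alg']` rather than the documented JWT::DecodeError; keep the segment-count check immediately after `decoder.decode_segments`, ahead of the `if verify` block. Separately, `if merged_options[:algorithm] && algo != merged_options[:algorithm]` means the algorithm is pinned only when the caller passes `algorithm:`; a one-line comment here (and in the README) that callers should always pass it would help, since otherwise the token's own `alg` header selects which verification routine runs.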
data/lib/jwt/error.rb
CHANGED
data/lib/jwt/verify.rb
CHANGED
@@ -1,10 +1,11 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
require 'jwt/error'
|
2
3
|
|
3
4
|
module JWT
|
4
5
|
# JWT verify methods
|
5
6
|
class Verify
|
6
7
|
class << self
|
7
|
-
%w
|
8
|
+
%w(verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub).each do |method_name|
|
8
9
|
define_method method_name do |payload, options|
|
9
10
|
new(payload, options).send(method_name)
|
10
11
|
end
|
@@ -20,12 +21,21 @@ module JWT
|
|
20
21
|
return unless (options_aud = extract_option(:aud))
|
21
22
|
|
22
23
|
if @payload['aud'].is_a?(Array)
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
24
|
+
if options_aud.is_a?(Array)
|
25
|
+
options_aud.each do |aud|
|
26
|
+
raise(
|
27
|
+
JWT::InvalidAudError,
|
28
|
+
'Invalid audience'
|
29
|
+
) unless @payload['aud'].include?(aud)
|
30
|
+
end
|
31
|
+
else
|
32
|
+
raise(
|
33
|
+
JWT::InvalidAudError,
|
34
|
+
'Invalid audience'
|
35
|
+
) unless @payload['aud'].include?(options_aud)
|
36
|
+
end
|
27
37
|
else
|
28
|
-
|
38
|
+
raise(
|
29
39
|
JWT::InvalidAudError,
|
30
40
|
"Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || '<none>'}"
|
31
41
|
) unless @payload['aud'].to_s == options_aud.to_s
|
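Review bot: the audience semantics of the new branches are asymmetric and should be documented or normalised. When both the claim and the option are arrays, the `options_aud.each do |aud|` loop requires every expected audience to be present in the token; when the claim is a scalar and the option is an array, `@payload['aud'].to_s == options_aud.to_s` compares against the array's string form and can never match. Wrapping both sides in `Array(...)` and requiring a non-empty intersection would give one rule for all four combinations and matches RFC 7519 section 4.1.3, which only asks that the recipient find itself among the listed audiences. The two new `raise(JWT::InvalidAudError, 'Invalid audience')` calls also drop the 'Expected ..., received ...' detail the scalar branch keeps; reuse that message so operators can see what was compared.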
@@ -35,16 +45,16 @@ module JWT
|
|
35
45
|
def verify_expiration
|
36
46
|
return unless @payload.include?('exp')
|
37
47
|
|
38
|
-
if @payload['exp'].to_i
|
39
|
-
|
48
|
+
if @payload['exp'].to_i <= (Time.now.to_i - leeway)
|
49
|
+
raise(JWT::ExpiredSignature, 'Signature has expired')
|
40
50
|
end
|
41
51
|
end
|
42
52
|
|
43
53
|
def verify_iat
|
44
54
|
return unless @payload.include?('iat')
|
45
55
|
|
46
|
-
if
|
47
|
-
|
56
|
+
if !@payload['iat'].is_a?(Numeric) || @payload['iat'].to_f > (Time.now.to_f + leeway)
|
57
|
+
raise(JWT::InvalidIatError, 'Invalid iat')
|
48
58
|
end
|
49
59
|
end
|
50
60
|
|
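Review bot: `verify_iat` now rejects a non-Numeric claim explicitly via `!@payload['iat'].is_a?(Numeric)`, but `verify_expiration` still relies on `@payload['exp'].to_i`, so a numeric string is accepted while a non-numeric string silently becomes 0 and reads as expired; applying the same `is_a?(Numeric)` guard to `exp` (and to `nbf` in the next hunk) would make the three time claims behave consistently and surface malformed tokens with a clear error instead of an accidental one. The `<=` in `@payload['exp'].to_i <= (Time.now.to_i - leeway)` agrees with the new spec that a token whose `exp` equals the current second is expired, which is the correct reading of RFC 7519 ('current time MUST be before exp').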
@@ -52,7 +62,7 @@ module JWT
|
|
52
62
|
return unless (options_iss = extract_option(:iss))
|
53
63
|
|
54
64
|
if @payload['iss'].to_s != options_iss.to_s
|
55
|
-
|
65
|
+
raise(
|
56
66
|
JWT::InvalidIssuerError,
|
57
67
|
"Invalid issuer. Expected #{options_iss}, received #{@payload['iss'] || '<none>'}"
|
58
68
|
)
|
@@ -62,9 +72,9 @@ module JWT
|
|
62
72
|
def verify_jti
|
63
73
|
options_verify_jti = extract_option(:verify_jti)
|
64
74
|
if options_verify_jti.respond_to?(:call)
|
65
|
-
|
75
|
+
raise(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(@payload['jti'])
|
66
76
|
else
|
67
|
-
|
77
|
+
raise(JWT::InvalidJtiError, 'Missing jti') if @payload['jti'].to_s.strip.empty?
|
68
78
|
end
|
69
79
|
end
|
70
80
|
|
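Review bot: with `verify_jti: true` the non-callable branch only checks `@payload['jti'].to_s.strip.empty?`, that is, that some jti is present, not that it is unique or unused; only the proc form, `options_verify_jti.call(@payload['jti'])`, can consult a store of identifiers already seen. Because the option name suggests replay protection, the option documentation should state plainly that `true` is presence-only and that a proc backed by a store with expiry is what actually detects a replayed token.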
@@ -72,14 +82,14 @@ module JWT
|
|
72
82
|
return unless @payload.include?('nbf')
|
73
83
|
|
74
84
|
if @payload['nbf'].to_i > (Time.now.to_i + leeway)
|
75
|
-
|
85
|
+
raise(JWT::ImmatureSignature, 'Signature nbf has not been reached')
|
76
86
|
end
|
77
87
|
end
|
78
88
|
|
79
89
|
def verify_sub
|
80
90
|
return unless (options_sub = extract_option(:sub))
|
81
91
|
|
82
|
-
|
92
|
+
raise(
|
83
93
|
JWT::InvalidSubError,
|
84
94
|
"Invalid subject. Expected #{options_sub}, received #{@payload['sub'] || '<none>'}"
|
85
95
|
) unless @payload['sub'].to_s == options_sub.to_s
|
data/lib/jwt/version.rb
CHANGED
data/ruby-jwt.gemspec
CHANGED
@@ -22,6 +22,7 @@ Gem::Specification.new do |spec|
|
|
22
22
|
|
23
23
|
spec.add_development_dependency 'bundler'
|
24
24
|
spec.add_development_dependency 'rake'
|
25
|
+
spec.add_development_dependency 'json', '< 2.0'
|
25
26
|
spec.add_development_dependency 'rspec'
|
26
27
|
spec.add_development_dependency 'simplecov'
|
27
28
|
spec.add_development_dependency 'simplecov-json'
|
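Review bot: `spec.add_development_dependency 'json', '< 2.0'` introduces an upper bound with no explanation; a short comment giving the reason and the condition under which the ceiling can be lifted keeps the pin from outliving the incompatibility it works around. It is development-only, so it does not constrain consumers of the gem, which is worth saying in the changelog entry.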
@@ -0,0 +1,190 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
require_relative '../spec_helper'
|
3
|
+
require 'jwt'
|
4
|
+
|
5
|
+
describe 'README.md code test' do
|
6
|
+
context 'algorithm usage' do
|
7
|
+
let(:payload) { { data: 'test' } }
|
8
|
+
|
9
|
+
it 'NONE' do
|
10
|
+
token = JWT.encode payload, nil, 'none'
|
11
|
+
decoded_token = JWT.decode token, nil, false
|
12
|
+
|
13
|
+
expect(token).to eq 'eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJkYXRhIjoidGVzdCJ9.'
|
14
|
+
expect(decoded_token).to eq [
|
15
|
+
{ 'data' => 'test' },
|
16
|
+
{ 'typ' => 'JWT', 'alg' => 'none' }
|
17
|
+
]
|
18
|
+
end
|
19
|
+
|
20
|
+
it 'HMAC' do
|
21
|
+
token = JWT.encode payload, 'my$ecretK3y', 'HS256'
|
22
|
+
decoded_token = JWT.decode token, 'my$ecretK3y', false
|
23
|
+
|
24
|
+
expect(token).to eq 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoidGVzdCJ9.ZxW8go9hz3ETCSfxFxpwSkYg_602gOPKearsf6DsxgY'
|
25
|
+
expect(decoded_token).to eq [
|
26
|
+
{ 'data' => 'test' },
|
27
|
+
{ 'typ' => 'JWT', 'alg' => 'HS256' }
|
28
|
+
]
|
29
|
+
end
|
30
|
+
|
31
|
+
it 'RSA' do
|
32
|
+
rsa_private = OpenSSL::PKey::RSA.generate 2048
|
33
|
+
rsa_public = rsa_private.public_key
|
34
|
+
|
35
|
+
token = JWT.encode payload, rsa_private, 'RS256'
|
36
|
+
decoded_token = JWT.decode token, rsa_public, true, algorithm: 'RS256'
|
37
|
+
|
38
|
+
expect(decoded_token).to eq [
|
39
|
+
{ 'data' => 'test' },
|
40
|
+
{ 'typ' => 'JWT', 'alg' => 'RS256' }
|
41
|
+
]
|
42
|
+
end
|
43
|
+
|
44
|
+
it 'ECDSA' do
|
45
|
+
ecdsa_key = OpenSSL::PKey::EC.new 'prime256v1'
|
46
|
+
ecdsa_key.generate_key
|
47
|
+
ecdsa_public = OpenSSL::PKey::EC.new ecdsa_key
|
48
|
+
ecdsa_public.private_key = nil
|
49
|
+
|
50
|
+
token = JWT.encode payload, ecdsa_key, 'ES256'
|
51
|
+
decoded_token = JWT.decode token, ecdsa_public, true, algorithm: 'ES256'
|
52
|
+
|
53
|
+
expect(decoded_token).to eq [
|
54
|
+
{ 'data' => 'test' },
|
55
|
+
{ 'typ' => 'JWT', 'alg' => 'ES256' }
|
56
|
+
]
|
57
|
+
end
|
58
|
+
end
|
59
|
+
|
60
|
+
context 'claims' do
|
61
|
+
let(:hmac_secret) { 'MyP4ssW0rD' }
|
62
|
+
|
63
|
+
context 'exp' do
|
64
|
+
it 'without leeway' do
|
65
|
+
exp = Time.now.to_i + 4 * 3600
|
66
|
+
exp_payload = { data: 'data', exp: exp }
|
67
|
+
|
68
|
+
token = JWT.encode exp_payload, hmac_secret, 'HS256'
|
69
|
+
|
70
|
+
expect do
|
71
|
+
JWT.decode token, hmac_secret, true, algorithm: 'HS256'
|
72
|
+
end.not_to raise_error
|
73
|
+
end
|
74
|
+
|
75
|
+
it 'with leeway' do
|
76
|
+
exp = Time.now.to_i - 10
|
77
|
+
leeway = 30 # seconds
|
78
|
+
|
79
|
+
exp_payload = { data: 'data', exp: exp }
|
80
|
+
|
81
|
+
token = JWT.encode exp_payload, hmac_secret, 'HS256'
|
82
|
+
|
83
|
+
expect do
|
84
|
+
JWT.decode token, hmac_secret, true, leeway: leeway, algorithm: 'HS256'
|
85
|
+
end.not_to raise_error
|
86
|
+
end
|
87
|
+
end
|
88
|
+
|
89
|
+
context 'nbf' do
|
90
|
+
it 'without leeway' do
|
91
|
+
nbf = Time.now.to_i - 3600
|
92
|
+
nbf_payload = { data: 'data', nbf: nbf }
|
93
|
+
token = JWT.encode nbf_payload, hmac_secret, 'HS256'
|
94
|
+
|
95
|
+
expect do
|
96
|
+
JWT.decode token, hmac_secret, true, algorithm: 'HS256'
|
97
|
+
end.not_to raise_error
|
98
|
+
end
|
99
|
+
|
100
|
+
it 'with leeway' do
|
101
|
+
nbf = Time.now.to_i + 10
|
102
|
+
leeway = 30
|
103
|
+
nbf_payload = { data: 'data', nbf: nbf }
|
104
|
+
token = JWT.encode nbf_payload, hmac_secret, 'HS256'
|
105
|
+
|
106
|
+
expect do
|
107
|
+
JWT.decode token, hmac_secret, true, leeway: leeway, algorithm: 'HS256'
|
108
|
+
end.not_to raise_error
|
109
|
+
end
|
110
|
+
end
|
111
|
+
|
112
|
+
it 'iss' do
|
113
|
+
iss = 'My Awesome Company Inc. or https://my.awesome.website/'
|
114
|
+
iss_payload = { data: 'data', iss: iss }
|
115
|
+
|
116
|
+
token = JWT.encode iss_payload, hmac_secret, 'HS256'
|
117
|
+
|
118
|
+
expect do
|
119
|
+
JWT.decode token, hmac_secret, true, iss: iss, algorithm: 'HS256'
|
120
|
+
end.not_to raise_error
|
121
|
+
end
|
122
|
+
|
123
|
+
context 'aud' do
|
124
|
+
it 'array' do
|
125
|
+
aud = %w(Young Old)
|
126
|
+
aud_payload = { data: 'data', aud: aud }
|
127
|
+
|
128
|
+
token = JWT.encode aud_payload, hmac_secret, 'HS256'
|
129
|
+
|
130
|
+
expect do
|
131
|
+
JWT.decode token, hmac_secret, true, aud: %w(Old Young), verify_aud: true, algorithm: 'HS256'
|
132
|
+
end.not_to raise_error
|
133
|
+
end
|
134
|
+
|
135
|
+
it 'string' do
|
136
|
+
expect do
|
137
|
+
end.not_to raise_error
|
138
|
+
end
|
139
|
+
end
|
140
|
+
|
141
|
+
it 'jti' do
|
142
|
+
iat = Time.now.to_i
|
143
|
+
hmac_secret = 'test'
|
144
|
+
jti_raw = [hmac_secret, iat].join(':').to_s
|
145
|
+
jti = Digest::MD5.hexdigest(jti_raw)
|
146
|
+
jti_payload = { data: 'data', iat: iat, jti: jti }
|
147
|
+
|
148
|
+
token = JWT.encode jti_payload, hmac_secret, 'HS256'
|
149
|
+
|
150
|
+
expect do
|
151
|
+
JWT.decode token, hmac_secret, true, verify_jti: true, algorithm: 'HS256'
|
152
|
+
end.not_to raise_error
|
153
|
+
end
|
154
|
+
|
155
|
+
context 'iat' do
|
156
|
+
it 'without leeway' do
|
157
|
+
iat = Time.now.to_i
|
158
|
+
iat_payload = { data: 'data', iat: iat }
|
159
|
+
|
160
|
+
token = JWT.encode iat_payload, hmac_secret, 'HS256'
|
161
|
+
|
162
|
+
expect do
|
163
|
+
JWT.decode token, hmac_secret, true, verify_iat: true, algorithm: 'HS256'
|
164
|
+
end.not_to raise_error
|
165
|
+
end
|
166
|
+
|
167
|
+
it 'with leeway' do
|
168
|
+
iat = Time.now.to_i - 7
|
169
|
+
iat_payload = { data: 'data', iat: iat, leeway: 10 }
|
170
|
+
|
171
|
+
token = JWT.encode iat_payload, hmac_secret, 'HS256'
|
172
|
+
|
173
|
+
expect do
|
174
|
+
JWT.decode token, hmac_secret, true, verify_iat: true, algorithm: 'HS256'
|
175
|
+
end.not_to raise_error
|
176
|
+
end
|
177
|
+
end
|
178
|
+
|
179
|
+
it 'sub' do
|
180
|
+
sub = 'Subject'
|
181
|
+
sub_payload = { data: 'data', sub: sub }
|
182
|
+
|
183
|
+
token = JWT.encode sub_payload, hmac_secret, 'HS256'
|
184
|
+
|
185
|
+
expect do
|
186
|
+
JWT.decode token, hmac_secret, true, 'sub' => sub, :verify_sub => true, :algorithm => 'HS256'
|
187
|
+
end.not_to raise_error
|
188
|
+
end
|
189
|
+
end
|
190
|
+
end
|
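Review bot: several of the README examples this new spec captures deserve a second look before they are published as recommended usage. In `it 'string' do` (new lines 135-138) the `expect do ... end.not_to raise_error` block is empty, so the scalar-audience case is not exercised at all. In the `iat` 'with leeway' case, `leeway: 10` is placed in `iat_payload` rather than passed to `JWT.decode`, so the verifier never sees it and the example only passes because `iat` is in the past. The HMAC example hands over the key but passes `false` as the verify argument, so the signature is never checked; the README should show `true, algorithm: 'HS256'` as the RSA and ECDSA examples do. Finally, the jti example derives the identifier with `Digest::MD5.hexdigest(jti_raw)` where `jti_raw` is the signing secret joined with `iat`: the payload is only base64url-encoded, so every token publishes a hash of the secret; a random value such as `SecureRandom.uuid` is the conventional jti and keeps the secret out of the claims.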
data/spec/jwt/verify_spec.rb
CHANGED
@@ -1,10 +1,11 @@
|
|
1
|
+
# frozen_string_literal: true
|
1
2
|
require 'spec_helper'
|
2
3
|
require 'jwt/verify'
|
3
4
|
|
4
5
|
module JWT
|
5
6
|
RSpec.describe Verify do
|
6
7
|
let(:base_payload) { { 'user_id' => 'some@user.tld' } }
|
7
|
-
let(:options) {
|
8
|
+
let(:options) { { leeway: 0 } }
|
8
9
|
|
9
10
|
context '.verify_aud(payload, options)' do
|
10
11
|
let(:scalar_aud) { 'ruby-jwt-audience' }
|
@@ -60,6 +61,14 @@ module JWT
|
|
60
61
|
it 'must allow some leeway in the expiration when configured' do
|
61
62
|
Verify.verify_expiration(payload, options.merge(leeway: 10))
|
62
63
|
end
|
64
|
+
|
65
|
+
it 'must be expired if the exp claim equals the current time' do
|
66
|
+
payload['exp'] = Time.now.to_i
|
67
|
+
|
68
|
+
expect do
|
69
|
+
Verify.verify_expiration(payload, options)
|
70
|
+
end.to raise_error JWT::ExpiredSignature
|
71
|
+
end
|
63
72
|
end
|
64
73
|
|
65
74
|
context '.verify_iat(payload, options)' do
|
@@ -135,12 +144,12 @@ module JWT
|
|
135
144
|
|
136
145
|
it 'must raise JWT::InvalidJtiError when verify_jti proc returns false' do
|
137
146
|
expect do
|
138
|
-
Verify.verify_jti(payload, options.merge(verify_jti: ->(
|
147
|
+
Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti) { false }))
|
139
148
|
end.to raise_error JWT::InvalidJtiError, /invalid/i
|
140
149
|
end
|
141
150
|
|
142
151
|
it 'true proc should not raise JWT::InvalidJtiError' do
|
143
|
-
Verify.verify_jti(payload, options.merge(verify_jti: ->(
|
152
|
+
Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti) { true }))
|
144
153
|
end
|
145
154
|
end
|
146
155
|
|
data/spec/jwt_spec.rb
CHANGED
@@ -50,6 +50,14 @@ describe JWT do
|
|
50
50
|
expect(header['alg']).to eq alg
|
51
51
|
expect(jwt_payload).to eq payload
|
52
52
|
end
|
53
|
+
|
54
|
+
it 'should display a better error message if payload exp is_a?(Time)' do
|
55
|
+
payload['exp'] = Time.now
|
56
|
+
|
57
|
+
expect do
|
58
|
+
JWT.encode payload, nil, alg
|
59
|
+
end.to raise_error JWT::InvalidPayload
|
60
|
+
end
|
53
61
|
end
|
54
62
|
|
55
63
|
%w(HS256 HS384 HS512).each do |alg|
|
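Review bot: the new example's description promises 'a better error message' when `exp` is a Time, but `end.to raise_error JWT::InvalidPayload` asserts only the exception class; add a message matcher (verify_spec.rb already uses the `raise_error Klass, /pattern/i` form) so the improved wording is actually covered by the test.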
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: jwt
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.5.
|
4
|
+
version: 1.5.5
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jeff Lindsay
|
@@ -9,90 +9,104 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2016-
|
12
|
+
date: 2016-09-16 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: bundler
|
16
16
|
requirement: !ruby/object:Gem::Requirement
|
17
17
|
requirements:
|
18
|
-
- -
|
18
|
+
- - ">="
|
19
19
|
- !ruby/object:Gem::Version
|
20
20
|
version: '0'
|
21
21
|
type: :development
|
22
22
|
prerelease: false
|
23
23
|
version_requirements: !ruby/object:Gem::Requirement
|
24
24
|
requirements:
|
25
|
-
- -
|
25
|
+
- - ">="
|
26
26
|
- !ruby/object:Gem::Version
|
27
27
|
version: '0'
|
28
28
|
- !ruby/object:Gem::Dependency
|
29
29
|
name: rake
|
30
30
|
requirement: !ruby/object:Gem::Requirement
|
31
31
|
requirements:
|
32
|
-
- -
|
32
|
+
- - ">="
|
33
33
|
- !ruby/object:Gem::Version
|
34
34
|
version: '0'
|
35
35
|
type: :development
|
36
36
|
prerelease: false
|
37
37
|
version_requirements: !ruby/object:Gem::Requirement
|
38
38
|
requirements:
|
39
|
-
- -
|
39
|
+
- - ">="
|
40
40
|
- !ruby/object:Gem::Version
|
41
41
|
version: '0'
|
42
|
+
- !ruby/object:Gem::Dependency
|
43
|
+
name: json
|
44
|
+
requirement: !ruby/object:Gem::Requirement
|
45
|
+
requirements:
|
46
|
+
- - "<"
|
47
|
+
- !ruby/object:Gem::Version
|
48
|
+
version: '2.0'
|
49
|
+
type: :development
|
50
|
+
prerelease: false
|
51
|
+
version_requirements: !ruby/object:Gem::Requirement
|
52
|
+
requirements:
|
53
|
+
- - "<"
|
54
|
+
- !ruby/object:Gem::Version
|
55
|
+
version: '2.0'
|
42
56
|
- !ruby/object:Gem::Dependency
|
43
57
|
name: rspec
|
44
58
|
requirement: !ruby/object:Gem::Requirement
|
45
59
|
requirements:
|
46
|
-
- -
|
60
|
+
- - ">="
|
47
61
|
- !ruby/object:Gem::Version
|
48
62
|
version: '0'
|
49
63
|
type: :development
|
50
64
|
prerelease: false
|
51
65
|
version_requirements: !ruby/object:Gem::Requirement
|
52
66
|
requirements:
|
53
|
-
- -
|
67
|
+
- - ">="
|
54
68
|
- !ruby/object:Gem::Version
|
55
69
|
version: '0'
|
56
70
|
- !ruby/object:Gem::Dependency
|
57
71
|
name: simplecov
|
58
72
|
requirement: !ruby/object:Gem::Requirement
|
59
73
|
requirements:
|
60
|
-
- -
|
74
|
+
- - ">="
|
61
75
|
- !ruby/object:Gem::Version
|
62
76
|
version: '0'
|
63
77
|
type: :development
|
64
78
|
prerelease: false
|
65
79
|
version_requirements: !ruby/object:Gem::Requirement
|
66
80
|
requirements:
|
67
|
-
- -
|
81
|
+
- - ">="
|
68
82
|
- !ruby/object:Gem::Version
|
69
83
|
version: '0'
|
70
84
|
- !ruby/object:Gem::Dependency
|
71
85
|
name: simplecov-json
|
72
86
|
requirement: !ruby/object:Gem::Requirement
|
73
87
|
requirements:
|
74
|
-
- -
|
88
|
+
- - ">="
|
75
89
|
- !ruby/object:Gem::Version
|
76
90
|
version: '0'
|
77
91
|
type: :development
|
78
92
|
prerelease: false
|
79
93
|
version_requirements: !ruby/object:Gem::Requirement
|
80
94
|
requirements:
|
81
|
-
- -
|
95
|
+
- - ">="
|
82
96
|
- !ruby/object:Gem::Version
|
83
97
|
version: '0'
|
84
98
|
- !ruby/object:Gem::Dependency
|
85
99
|
name: codeclimate-test-reporter
|
86
100
|
requirement: !ruby/object:Gem::Requirement
|
87
101
|
requirements:
|
88
|
-
- -
|
102
|
+
- - ">="
|
89
103
|
- !ruby/object:Gem::Version
|
90
104
|
version: '0'
|
91
105
|
type: :development
|
92
106
|
prerelease: false
|
93
107
|
version_requirements: !ruby/object:Gem::Requirement
|
94
108
|
requirements:
|
95
|
-
- -
|
109
|
+
- - ">="
|
96
110
|
- !ruby/object:Gem::Version
|
97
111
|
version: '0'
|
98
112
|
description: A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT)
|
@@ -102,11 +116,12 @@ executables: []
|
|
102
116
|
extensions: []
|
103
117
|
extra_rdoc_files: []
|
104
118
|
files:
|
105
|
-
- .codeclimate.yml
|
106
|
-
- .gitignore
|
107
|
-
- .rspec
|
108
|
-
- .rubocop.yml
|
109
|
-
- .travis.yml
|
119
|
+
- ".codeclimate.yml"
|
120
|
+
- ".gitignore"
|
121
|
+
- ".rspec"
|
122
|
+
- ".rubocop.yml"
|
123
|
+
- ".travis.yml"
|
124
|
+
- CHANGELOG.md
|
110
125
|
- Gemfile
|
111
126
|
- LICENSE
|
112
127
|
- Manifest
|
@@ -139,6 +154,7 @@ files:
|
|
139
154
|
- spec/fixtures/certs/rsa-2048-wrong-public.pem
|
140
155
|
- spec/fixtures/certs/rsa-4096-private.pem
|
141
156
|
- spec/fixtures/certs/rsa-4096-public.pem
|
157
|
+
- spec/integration/readme_examples_spec.rb
|
142
158
|
- spec/jwt/verify_spec.rb
|
143
159
|
- spec/jwt_spec.rb
|
144
160
|
- spec/spec_helper.rb
|
@@ -152,17 +168,17 @@ require_paths:
|
|
152
168
|
- lib
|
153
169
|
required_ruby_version: !ruby/object:Gem::Requirement
|
154
170
|
requirements:
|
155
|
-
- -
|
171
|
+
- - ">="
|
156
172
|
- !ruby/object:Gem::Version
|
157
173
|
version: '0'
|
158
174
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
159
175
|
requirements:
|
160
|
-
- -
|
176
|
+
- - ">="
|
161
177
|
- !ruby/object:Gem::Version
|
162
178
|
version: '0'
|
163
179
|
requirements: []
|
164
180
|
rubyforge_project:
|
165
|
-
rubygems_version: 2.
|
181
|
+
rubygems_version: 2.6.6
|
166
182
|
signing_key:
|
167
183
|
specification_version: 4
|
168
184
|
summary: JSON Web Token implementation in Ruby
|
@@ -187,6 +203,7 @@ test_files:
|
|
187
203
|
- spec/fixtures/certs/rsa-2048-wrong-public.pem
|
188
204
|
- spec/fixtures/certs/rsa-4096-private.pem
|
189
205
|
- spec/fixtures/certs/rsa-4096-public.pem
|
206
|
+
- spec/integration/readme_examples_spec.rb
|
190
207
|
- spec/jwt/verify_spec.rb
|
191
208
|
- spec/jwt_spec.rb
|
192
209
|
- spec/spec_helper.rb
|