jwt 1.5.6 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8cd1a9ca017dec28c4984e18003e8ae58aee776c
-  data.tar.gz: c5fef77f9a8e42d8fa92c060c468be6ee2e3c561
+  metadata.gz: c63d3d103ec14f12ea2b51b95ae8f5407dd7ace9
+  data.tar.gz: f1de3f1e8ddfb79aa690a1f6d44492c70d037942
 SHA512:
-  metadata.gz: c0dc92b0ea35004782c8260f8d2d47c9973a1172f5eb6bef33fe42ae3a2e8341c9264e5fafc7cb62442039409194c3aa6fbd3db78667db75af04ffd26586422f
-  data.tar.gz: af9967d4c04b332ef8916d3b837e31c20b2e5db8c96531b277286324f29730edbc65eb66401f6db405b22dbd2701895d2579796fab368c26bd1fca58aae30840
+  metadata.gz: 3b19fcd5018d17e4277a49abc5787cee37ff3991fc8cbcc97dbb00f50c3878fc08062d97e18e07cdaf5f8f2f09cfbf5a8937e11859ae9b44d90a8d5a20caa021
+  data.tar.gz: f9df1adefd0f0d4525567372c8283e72639b2ee67320a893ef03d470bbbd6afd09a65725d3eb3153f8c68e7d40f693c7da3a5ed138ab766a23aa6ebbfe5c62f6

data/.ebert.yml

@@ -0,0 +1,17 @@
+styleguide: plataformatec/linters
+engines:
+  reek:
+    enabled: true
+  fixme:
+    enabled: true
+  rubocop:
+    enabled: true
+  duplication:
+    config:
+      languages:
+      - ruby
+    enabled: true
+  remark-lint:
+    enabled: true
+exclude_paths:
+- spec

data/.reek.yml

@@ -0,0 +1,40 @@
+---
+TooManyStatements:
+  max_statements: 10
+UncommunicativeMethodName:
+  reject:
+  - !ruby/regexp /^[a-z]$/
+  - !ruby/regexp /[0-9]$/
+UncommunicativeParameterName:
+  reject:
+  - !ruby/regexp /^.$/
+  - !ruby/regexp /[0-9]$/
+  - !ruby/regexp /^_/
+UncommunicativeVariableName:
+  reject:
+  - !ruby/regexp /^.$/
+  - !ruby/regexp /[0-9]$/
+UtilityFunction:
+  enabled: false
+LongParameterList:
+  enabled: false
+DuplicateMethodCall:
+  max_calls: 2
+IrresponsibleModule:
+  enabled: false
+NestedIterators:
+  max_allowed_nesting: 2
+PrimaDonnaMethod:
+  enabled: false
+UnusedParameters:
+  enabled: false
+FeatureEnvy:
+  enabled: false
+ControlParameter:
+  enabled: false
+UnusedPrivateMethod:
+  enabled: false
+InstanceVariableAssumption:
+  exclude:
+    - !ruby/regexp /Controller$/
+    - !ruby/regexp /Mailer$/s

data/.rubocop.yml

@@ -1,2 +1,98 @@
+AllCops:
+  Exclude:
+    - 'bin/**/*'
+    - 'db/**/*'
+    - 'config/**/*'
+    - 'script/**/*'
+
+Rails:
+  Enabled: true
+
+Style/AlignParameters:
+  EnforcedStyle: with_fixed_indentation
+
+Style/CaseIndentation:
+  EnforcedStyle: end
+
+Style/AsciiComments:
+  Enabled: false
+
+Style/IndentHash:
+  Enabled: false
+
+Style/CollectionMethods:
+  Enabled: true
+  PreferredMethods:
+      inject: 'inject'
+
+Style/Documentation:
+  Enabled: false
+
+Style/BlockDelimiters:
+  Exclude:
+    - spec/**/*_spec.rb
+
+Style/BracesAroundHashParameters:
+  Exclude:
+    - spec/**/*_spec.rb
+
+Style/GuardClause:
+  Enabled: false
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/SpaceInsideHashLiteralBraces:
+  Enabled: false
+
+Style/Lambda:
+  Enabled: false
+
+Style/RaiseArgs:
+  Enabled: false
+
+Style/SignalException:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 20
+
+Metrics/ClassLength:
+  Max: 100
+
+Metrics/ModuleLength:
+  Max: 100
+
 Metrics/LineLength:
   Enabled: false
+
+Metrics/MethodLength:
+  Max: 15
+
+Style/SingleLineBlockParams:
+  Enabled: false
+
+Lint/EndAlignment:
+  EnforcedStyleAlignWith: variable
+
+Style/FormatString:
+  Enabled: false
+
+Style/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+Style/MultilineOperationIndentation:
+  EnforcedStyle: indented
+
+Style/WordArray:
+  Enabled: false
+
+Style/RedundantSelf:
+  Enabled: false
+
+Style/AlignHash:
+  Enabled: true
+  EnforcedLastArgumentHashStyle: always_ignore
+
+Style/TrivialAccessors:
+  AllowPredicates: true

data/.travis.yml

@@ -1,13 +1,14 @@
-sudo: false
+sudo: required
 cache: bundler
+dist: trusty
 language: ruby
 rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1.0
   - 2.2.0
   - 2.3.0
-script: "bundle exec rspec"
-addons:
-  code_climate:
-    repo_token: e87b175db123ab42ca2ca4420abaa13c0dc2085608402b9a25f08a83ca3ba202
+  - 2.4.0
+script: "bundle exec rspec && bundle exec codeclimate-test-reporter"
+before_install:
+  - sudo add-apt-repository ppa:chris-lea/libsodium -y
+  - sudo apt-get update -q
+  - sudo apt-get install libsodium-dev -y
+  - gem install bundler

data/CHANGELOG.md

@@ -1,5 +1,86 @@
 # Change Log
 
+## [v2.0.0](https://github.com/jwt/ruby-jwt/tree/v2.0.0) (2017-09-03)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.0.0.beta1...v2.0.0)
+
+**Fixed bugs:**
+
+- Support versions outside 2.1 [\#209](https://github.com/jwt/ruby-jwt/issues/209)
+- Verifying expiration without leeway throws exception [\#206](https://github.com/jwt/ruby-jwt/issues/206)
+- Ruby interpreter warning [\#200](https://github.com/jwt/ruby-jwt/issues/200)
+- TypeError: no implicit conversion of String into Integer [\#188](https://github.com/jwt/ruby-jwt/issues/188)
+- Fix JWT.encode\(nil\) [\#203](https://github.com/jwt/ruby-jwt/pull/203) ([tmm1](https://github.com/tmm1))
+
+**Closed issues:**
+
+- Possibility to disable claim verifications [\#222](https://github.com/jwt/ruby-jwt/issues/222)
+- Proper way to verify Firebase id tokens [\#216](https://github.com/jwt/ruby-jwt/issues/216)
+
+**Merged pull requests:**
+
+- Skip 'exp' claim validation for array payloads [\#224](https://github.com/jwt/ruby-jwt/pull/224) ([excpt](https://github.com/excpt))
+- Use a default leeway of 0 [\#223](https://github.com/jwt/ruby-jwt/pull/223) ([travisofthenorth](https://github.com/travisofthenorth))
+- Fix reported codesmells [\#221](https://github.com/jwt/ruby-jwt/pull/221) ([excpt](https://github.com/excpt))
+- Add fancy gem version badge [\#220](https://github.com/jwt/ruby-jwt/pull/220) ([excpt](https://github.com/excpt))
+- Add missing dist option to .travis.yml [\#219](https://github.com/jwt/ruby-jwt/pull/219) ([excpt](https://github.com/excpt))
+- Fix ruby version requirements in gemspec file [\#218](https://github.com/jwt/ruby-jwt/pull/218) ([excpt](https://github.com/excpt))
+- Fix a little typo in the readme [\#214](https://github.com/jwt/ruby-jwt/pull/214) ([RyanBrushett](https://github.com/RyanBrushett))
+- Update README.md [\#212](https://github.com/jwt/ruby-jwt/pull/212) ([zuzannast](https://github.com/zuzannast))
+- Fix typo in HS512256 algorithm description [\#211](https://github.com/jwt/ruby-jwt/pull/211) ([ojab](https://github.com/ojab))
+- Allow configuration of multiple acceptable issuers [\#210](https://github.com/jwt/ruby-jwt/pull/210) ([ojab](https://github.com/ojab))
+- Enforce `exp` to be an `Integer` [\#205](https://github.com/jwt/ruby-jwt/pull/205) ([lucasmazza](https://github.com/lucasmazza))
+- ruby 1.9.3 support message upd [\#204](https://github.com/jwt/ruby-jwt/pull/204) ([maokomioko](https://github.com/maokomioko))
+- Guard against partially loaded RbNaCl when failing to load libsodium [\#202](https://github.com/jwt/ruby-jwt/pull/202) ([Dorian](https://github.com/Dorian))
+
+## [v2.0.0.beta1](https://github.com/jwt/ruby-jwt/tree/v2.0.0.beta1) (2017-02-27)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.6...v2.0.0.beta1)
+
+**Implemented enhancements:**
+
+- Error with method sign for String [\#171](https://github.com/jwt/ruby-jwt/issues/171)
+- Refactor the encondig code [\#121](https://github.com/jwt/ruby-jwt/issues/121)
+- Refactor [\#196](https://github.com/jwt/ruby-jwt/pull/196) ([EmilioCristalli](https://github.com/EmilioCristalli))
+- Move signature logic to its own module [\#195](https://github.com/jwt/ruby-jwt/pull/195) ([EmilioCristalli](https://github.com/EmilioCristalli))
+- Add options for claim-specific leeway [\#187](https://github.com/jwt/ruby-jwt/pull/187) ([EmilioCristalli](https://github.com/EmilioCristalli))
+- Add user friendly encode error if private key is a String, \#171 [\#176](https://github.com/jwt/ruby-jwt/pull/176) ([xamenrax](https://github.com/xamenrax))
+- Return empty string if signature less than byte\_size \#155 [\#175](https://github.com/jwt/ruby-jwt/pull/175) ([xamenrax](https://github.com/xamenrax))
+- Remove 'typ' optional parameter [\#174](https://github.com/jwt/ruby-jwt/pull/174) ([xamenrax](https://github.com/xamenrax))
+- Pass payload to keyfinder [\#172](https://github.com/jwt/ruby-jwt/pull/172) ([CodeMonkeySteve](https://github.com/CodeMonkeySteve))
+- Use RbNaCl for HMAC if available with fallback to OpenSSL [\#149](https://github.com/jwt/ruby-jwt/pull/149) ([mwpastore](https://github.com/mwpastore))
+
+**Fixed bugs:**
+
+- ruby-jwt::raw\_to\_asn1: Fails for signatures less than byte\_size [\#155](https://github.com/jwt/ruby-jwt/issues/155)
+- The leeway parameter is applies to all time based verifications [\#129](https://github.com/jwt/ruby-jwt/issues/129)
+- Add options for claim-specific leeway [\#187](https://github.com/jwt/ruby-jwt/pull/187) ([EmilioCristalli](https://github.com/EmilioCristalli))
+- Make algorithm option required to verify signature [\#184](https://github.com/jwt/ruby-jwt/pull/184) ([EmilioCristalli](https://github.com/EmilioCristalli))
+- Validate audience when payload is a scalar and options is an array [\#183](https://github.com/jwt/ruby-jwt/pull/183) ([steti](https://github.com/steti))
+
+**Closed issues:**
+
+- Different encoded value between servers with same password [\#197](https://github.com/jwt/ruby-jwt/issues/197)
+- Signature is different at each run [\#190](https://github.com/jwt/ruby-jwt/issues/190)
+- Include custom headers with password [\#189](https://github.com/jwt/ruby-jwt/issues/189)
+- can't create token - 'NotImplementedError: Unsupported signing method' [\#186](https://github.com/jwt/ruby-jwt/issues/186)
+- Why jwt depends on json \< 2.0 ? [\#179](https://github.com/jwt/ruby-jwt/issues/179)
+- Cannot verify JWT at all?? [\#177](https://github.com/jwt/ruby-jwt/issues/177)
+- verify\_iss: true is raising JWT::DecodeError instead of JWT::InvalidIssuerError [\#170](https://github.com/jwt/ruby-jwt/issues/170)
+
+**Merged pull requests:**
+
+- Version bump 2.0.0.beta1 [\#199](https://github.com/jwt/ruby-jwt/pull/199) ([excpt](https://github.com/excpt))
+- Update CHANGELOG.md and minor fixes [\#198](https://github.com/jwt/ruby-jwt/pull/198) ([excpt](https://github.com/excpt))
+- Add Codacy coverage reporter [\#194](https://github.com/jwt/ruby-jwt/pull/194) ([excpt](https://github.com/excpt))
+- Add minimum required ruby version to gemspec [\#193](https://github.com/jwt/ruby-jwt/pull/193) ([excpt](https://github.com/excpt))
+- Code smell fixes [\#192](https://github.com/jwt/ruby-jwt/pull/192) ([excpt](https://github.com/excpt))
+- Version bump to 2.0.0.dev [\#191](https://github.com/jwt/ruby-jwt/pull/191) ([excpt](https://github.com/excpt))
+- Basic encode module refactoring \#121 [\#182](https://github.com/jwt/ruby-jwt/pull/182) ([xamenrax](https://github.com/xamenrax))
+- Fix travis ci build configuration [\#181](https://github.com/jwt/ruby-jwt/pull/181) ([excpt](https://github.com/excpt))
+- Fix travis ci build configuration [\#180](https://github.com/jwt/ruby-jwt/pull/180) ([excpt](https://github.com/excpt))
+- Fix typo in README [\#178](https://github.com/jwt/ruby-jwt/pull/178) ([tomeduarte](https://github.com/tomeduarte))
+- Fix code style [\#173](https://github.com/jwt/ruby-jwt/pull/173) ([excpt](https://github.com/excpt))
+- Fixed a typo in a spec name [\#169](https://github.com/jwt/ruby-jwt/pull/169) ([Mingan](https://github.com/Mingan))
+
 ## [v1.5.6](https://github.com/jwt/ruby-jwt/tree/v1.5.6) (2016-09-19)
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.5...v1.5.6)
 
@@ -9,6 +90,7 @@
 
 **Merged pull requests:**
 
+- Update changelog [\#168](https://github.com/jwt/ruby-jwt/pull/168) ([excpt](https://github.com/excpt))
 - Fix rubocop code smells [\#167](https://github.com/jwt/ruby-jwt/pull/167) ([excpt](https://github.com/excpt))
 
 ## [v1.5.5](https://github.com/jwt/ruby-jwt/tree/v1.5.5) (2016-09-16)
@@ -253,7 +335,6 @@
 
 **Closed issues:**
 
-- yanking of version 0.1.12 causes issues [\#39](https://github.com/jwt/ruby-jwt/issues/39)
 - Semantic versioning [\#37](https://github.com/jwt/ruby-jwt/issues/37)
 - Update gem to get latest changes [\#36](https://github.com/jwt/ruby-jwt/issues/36)
 

data/Gemfile

@@ -1,4 +1,3 @@
-# encoding: utf-8
 source 'https://rubygems.org'
 
 gemspec

data/README.md

@@ -1,5 +1,6 @@
 # JWT
 
+[![Gem Version](https://badge.fury.io/rb/jwt.svg)](https://badge.fury.io/rb/jwt)
 [![Build Status](https://travis-ci.org/jwt/ruby-jwt.svg)](https://travis-ci.org/jwt/ruby-jwt)
 [![Code Climate](https://codeclimate.com/github/jwt/ruby-jwt/badges/gpa.svg)](https://codeclimate.com/github/jwt/ruby-jwt)
 [![Test Coverage](https://codeclimate.com/github/jwt/ruby-jwt/badges/coverage.svg)](https://codeclimate.com/github/jwt/ruby-jwt/coverage)
@@ -7,11 +8,11 @@
 
 A pure ruby implementation of the [RFC 7519 OAuth JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519) standard.
 
-If you have further questions releated to development or usage, join us: [ruby-jwt google group](https://groups.google.com/forum/#!forum/ruby-jwt).
+If you have further questions related to development or usage, join us: [ruby-jwt google group](https://groups.google.com/forum/#!forum/ruby-jwt).
 
 ## Announcements
 
-* Ruby 1.9.3 support will be dropped by December 31st, 2016.
+* Ruby 1.9.3 support was dropped at December 31st, 2016.
 * Version 1.5.3 yanked. See: [#132](https://github.com/jwt/ruby-jwt/issues/132) and [#133](https://github.com/jwt/ruby-jwt/issues/133)
 
 ## Installing
@@ -55,7 +56,7 @@ decoded_token = JWT.decode token, nil, false
 # Array
 # [
 #   {"data"=>"test"}, # payload
-#   {"typ"=>"JWT", "alg"=>"none"} # header
+#   {"alg"=>"none"} # header
 # ]
 puts decoded_token
 ```
@@ -63,6 +64,7 @@ puts decoded_token
 **HMAC** (default: HS256)
 
 * HS256 - HMAC using SHA-256 hash algorithm (default)
+* HS512256 - HMAC using SHA-512-256 hash algorithm (only available with RbNaCl; see note below)
 * HS384 - HMAC using SHA-384 hash algorithm
 * HS512 - HMAC using SHA-512 hash algorithm
 
@@ -79,11 +81,17 @@ decoded_token = JWT.decode token, hmac_secret, true, { :algorithm => 'HS256' }
 # Array
 # [
 #   {"data"=>"test"}, # payload
-#   {"typ"=>"JWT", "alg"=>"HS256"} # header
+#   {"alg"=>"HS256"} # header
 # ]
 puts decoded_token
 ```
 
+Note: If [RbNaCl](https://github.com/cryptosphere/rbnacl) is loadable, ruby-jwt will use it for HMAC-SHA256, HMAC-SHA512-256, and HMAC-SHA512. RbNaCl enforces a maximum key size of 32 bytes for these algorithms.
+
+[RbNaCl](https://github.com/cryptosphere/rbnacl) requires
+[libsodium](https://github.com/jedisct1/libsodium), it can be installed
+on MacOS with `brew install libsodium`.
+
 **RSA**
 
 * RS256 - RSA using SHA-256 hash algorithm
@@ -104,7 +112,7 @@ decoded_token = JWT.decode token, rsa_public, true, { :algorithm => 'RS256' }
 # Array
 # [
 #   {"data"=>"test"}, # payload
-#   {"typ"=>"JWT", "alg"=>"RS256"} # header
+#   {"alg"=>"RS256"} # header
 # ]
 puts decoded_token
 ```
@@ -131,7 +139,7 @@ decoded_token = JWT.decode token, ecdsa_public, true, { :algorithm => 'ES256' }
 # Array
 # [
 #    {"test"=>"data"}, # payload
-#    {"typ"=>"JWT", "alg"=>"ES256"} # header
+#    {"alg"=>"ES256"} # header
 # ]
 puts decoded_token
 ```
@@ -152,6 +160,38 @@ used. JWT supports these reserved claim names:
  - 'iat' (Issued At) Claim
  - 'sub' (Subject) Claim
 
+## Add custom header fields
+Ruby-jwt gem supports custom [header fields] (https://tools.ietf.org/html/rfc7519#section-5)
+To add custom header fields you need to pass `header_fields` parameter
+
+```ruby
+token = JWT.encode payload, key, algorithm='HS256', header_fields={}
+```
+
+**Example:**
+
+```ruby
+require 'jwt'
+
+payload = {:data => 'test'}
+
+# IMPORTANT: set nil as password parameter
+token = JWT.encode payload, nil, 'none', { :typ => "JWT" }
+
+# eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJkYXRhIjoidGVzdCJ9.
+puts token
+
+# Set password to nil and validation to false otherwise this won't work
+decoded_token = JWT.decode token, nil, false
+
+# Array
+# [
+#   {"data"=>"test"}, # payload
+#   {"typ"=>"JWT", "alg"=>"none"} # header
+# ]
+puts decoded_token
+```
+
 ### Expiration Time Claim
 
 From [Oauth JSON Web Token 4.1.4. "exp" (Expiration Time) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.4):
@@ -186,7 +226,7 @@ token = JWT.encode exp_payload, hmac_secret, 'HS256'
 
 begin
   # add leeway to ensure the token is still accepted
-  decoded_token = JWT.decode token, hmac_secret, true, { :leeway => leeway, :algorithm => 'HS256' }
+  decoded_token = JWT.decode token, hmac_secret, true, { :exp_leeway => leeway, :algorithm => 'HS256' }
 rescue JWT::ExpiredSignature
   # Handle expired token, e.g. logout user or deny access
 end
@@ -226,7 +266,7 @@ token = JWT.encode nbf_payload, hmac_secret, 'HS256'
 
 begin
   # add leeway to ensure the token is valid
-  decoded_token = JWT.decode token, hmac_secret, true, { :leeway => leeway, :algorithm => 'HS256' }
+  decoded_token = JWT.decode token, hmac_secret, true, { :nbf_leeway => leeway, :algorithm => 'HS256' }
 rescue JWT::ImmatureSignature
   # Handle invalid token, e.g. logout user or deny access
 end
@@ -238,6 +278,8 @@ From [Oauth JSON Web Token 4.1.1. "iss" (Issuer) Claim](https://tools.ietf.org/h
 
 > The `iss` (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The `iss` value is a case-sensitive string containing a ***StringOrURI*** value. Use of this claim is OPTIONAL.
 
+You can pass multiple allowed issuers as an Array, verification will pass if one of them matches the `iss` value in the payload.
+
 ```ruby
 iss = 'My Awesome Company Inc. or https://my.awesome.website/'
 iss_payload = { :data => 'data', :iss => iss }
@@ -305,6 +347,8 @@ From [Oauth JSON Web Token 4.1.6. "iat" (Issued At) Claim](https://tools.ietf.or
 
 > The `iat` (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a ***NumericDate*** value. Use of this claim is OPTIONAL.
 
+**Handle Issued At Claim**
+
 ```ruby
 iat = Time.now.to_i
 iat_payload = { :data => 'data', :iat => iat }
@@ -319,6 +363,25 @@ rescue JWT::InvalidIatError
 end
 ```
 
+**Adding Leeway**
+
+```ruby
+iat = Time.now.to_i + 10
+leeway = 30 # seconds
+
+iat_payload = { :data => 'data', :iat => iat }
+
+# build token issued in the future
+token = JWT.encode iat_payload, hmac_secret, 'HS256'
+
+begin
+  # add leeway to ensure the token is accepted
+  decoded_token = JWT.decode token, hmac_secret, true, { :iat_leeway => leeway, :verify_iat => true, :algorithm => 'HS256' }
+rescue JWT::InvalidIatError
+  # Handle invalid token, e.g. logout user or deny access
+end
+```
+
 ### Subject Claim
 
 From [Oauth JSON Web Token 4.1.2. "sub" (Subject) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.2):

data/lib/jwt/decode.rb

@@ -1,57 +1,49 @@
 # frozen_string_literal: true
-require 'jwt/json'
-require 'jwt/verify'
+
+require 'json'
 
 # JWT::Decode module
 module JWT
-  extend JWT::Json
-
   # Decoding logic for JWT
   class Decode
     attr_reader :header, :payload, :signature
 
-    def initialize(jwt, key, verify, options, &keyfinder)
+    def self.base64url_decode(str)
+      str += '=' * (4 - str.length.modulo(4))
+      Base64.decode64(str.tr('-_', '+/'))
+    end
+
+    def initialize(jwt, verify)
       @jwt = jwt
-      @key = key
       @verify = verify
-      @options = options
-      @keyfinder = keyfinder
+      @header = ''
+      @payload = ''
+      @signature = ''
     end
 
     def decode_segments
-      header_segment, payload_segment, crypto_segment = raw_segments(@jwt, @verify)
+      header_segment, payload_segment, crypto_segment = raw_segments
       @header, @payload = decode_header_and_payload(header_segment, payload_segment)
       @signature = Decode.base64url_decode(crypto_segment.to_s) if @verify
       signing_input = [header_segment, payload_segment].join('.')
       [@header, @payload, @signature, signing_input]
     end
 
-    def raw_segments(jwt, verify)
-      segments = jwt.split('.')
-      required_num_segments = verify ? [3] : [2, 3]
+    private
+
+    def raw_segments
+      segments = @jwt.split('.')
+      required_num_segments = @verify ? [3] : [2, 3]
       raise(JWT::DecodeError, 'Not enough or too many segments') unless required_num_segments.include? segments.length
       segments
     end
-    private :raw_segments
 
     def decode_header_and_payload(header_segment, payload_segment)
-      header = JWT.decode_json(Decode.base64url_decode(header_segment))
-      payload = JWT.decode_json(Decode.base64url_decode(payload_segment))
+      header = JSON.parse(Decode.base64url_decode(header_segment))
+      payload = JSON.parse(Decode.base64url_decode(payload_segment))
       [header, payload]
-    end
-    private :decode_header_and_payload
-
-    def self.base64url_decode(str)
-      str += '=' * (4 - str.length.modulo(4))
-      Base64.decode64(str.tr('-_', '+/'))
-    end
-
-    def verify
-      @options.each do |key, val|
-        next unless key.to_s =~ /verify/
-
-        Verify.send(key, payload, @options) if val
-      end
+    rescue JSON::ParserError
+      raise JWT::DecodeError, 'Invalid segment encoding'
     end
   end
 end

data/lib/jwt/default_options.rb

@@ -0,0 +1,14 @@
+module JWT
+  module DefaultOptions
+    DEFAULT_OPTIONS = {
+      verify_expiration: true,
+      verify_not_before: true,
+      verify_iss: false,
+      verify_iat: false,
+      verify_jti: false,
+      verify_aud: false,
+      verify_sub: false,
+      leeway: 0
+    }.freeze
+  end
+end

data/lib/jwt/encode.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'json'
+
+# JWT::Encode module
+module JWT
+  # Encoding logic for JWT
+  class Encode
+    attr_reader :payload, :key, :algorithm, :header_fields, :segments
+
+    def self.base64url_encode(str)
+      Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
+    end
+
+    def initialize(payload, key, algorithm, header_fields)
+      @payload = payload
+      @key = key
+      @algorithm = algorithm
+      @header_fields = header_fields
+      @segments = encode_segments
+    end
+
+    private
+
+    def encoded_header
+      header = { 'alg' => @algorithm }.merge(@header_fields)
+      Encode.base64url_encode(JSON.generate(header))
+    end
+
+    def encoded_payload
+      raise InvalidPayload, 'exp claim must be an integer' if @payload && !@payload.is_a?(Array) && @payload.key?('exp') && !@payload['exp'].is_a?(Integer)
+      Encode.base64url_encode(JSON.generate(@payload))
+    end
+
+    def encoded_signature(signing_input)
+      if @algorithm == 'none'
+        ''
+      else
+        signature = JWT::Signature.sign(@algorithm, signing_input, @key)
+        Encode.base64url_encode(signature)
+      end
+    end
+
+    def encode_segments
+      header = encoded_header
+      payload = encoded_payload
+      signature = encoded_signature([header, payload].join('.'))
+      [header, payload, signature].join('.')
+    end
+  end
+end

data/lib/jwt/error.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+
 module JWT
+  class EncodeError < StandardError; end
   class DecodeError < StandardError; end
   class VerificationError < DecodeError; end
   class ExpiredSignature < DecodeError; end