jwt 2.10.1 → 3.0.0

data/lib/jwt/decode.rb

@@ -6,6 +6,11 @@ require 'jwt/x5c_key_finder'
 module JWT
   # The Decode class is responsible for decoding and verifying JWT tokens.
   class Decode
+    # Order is very important - first check for string keys, next for symbols
+    ALGORITHM_KEYS = ['algorithm',
+                      :algorithm,
+                      'algorithms',
+                      :algorithms].freeze
     # Initializes a new Decode instance.
     #
     # @param jwt [String] the JWT to decode.
@@ -33,10 +38,10 @@ module JWT
         verify_algo
         set_key
         verify_signature
-        Claims::DecodeVerifier.verify!(token.payload, @options)
+        Claims::DecodeVerifier.verify!(token.unverified_payload, @options)
       end
 
-      [token.payload, token.header]
+      [token.unverified_payload, token.header]
     end
 
     private
@@ -70,18 +75,9 @@ module JWT
       @allowed_and_valid_algorithms ||= allowed_algorithms.select { |alg| alg.valid_alg?(alg_in_header) }
     end
 
-    # Order is very important - first check for string keys, next for symbols
-    ALGORITHM_KEYS = ['algorithm',
-                      :algorithm,
-                      'algorithms',
-                      :algorithms].freeze
-
     def given_algorithms
-      ALGORITHM_KEYS.each do |alg_key|
-        alg = @options[alg_key]
-        return Array(alg) if alg
-      end
-      []
+      alg_key = ALGORITHM_KEYS.find { |key| @options[key] }
+      Array(@options[alg_key])
     end
 
     def allowed_algorithms
@@ -93,7 +89,7 @@ module JWT
     end
 
     def find_key(&keyfinder)
-      key = (keyfinder.arity == 2 ? yield(token.header, token.payload) : yield(token.header))
+      key = (keyfinder.arity == 2 ? yield(token.header, token.unverified_payload) : yield(token.header))
       # key can be of type [string, nil, OpenSSL::PKey, Array]
       return key if key && !Array(key).empty?
 

data/lib/jwt/encoded_token.rb

@@ -12,7 +12,21 @@ module JWT
   #   encoded_token.verify_signature!(algorithm: 'HS256', key: 'secret')
   #   encoded_token.payload # => {'pay' => 'load'}
   class EncodedToken
-    include Claims::VerificationMethods
+    # @private
+    # Allow access to the unverified payload for claim verification.
+    class ClaimsContext
+      extend Forwardable
+
+      def_delegators :@token, :header, :unverified_payload
+
+      def initialize(token)
+        @token = token
+      end
+
+      def payload
+        unverified_payload
+      end
+    end
 
     # Returns the original token provided to the class.
     # @return [String] The JWT token.
@@ -26,6 +40,7 @@ module JWT
       raise ArgumentError, 'Provided JWT must be a String' unless jwt.is_a?(String)
 
       @jwt = jwt
+      @signature_verified = false
       @encoded_header, @encoded_payload, @encoded_signature = jwt.split('.')
     end
 
@@ -53,11 +68,20 @@ module JWT
     # @return [String] the encoded header.
     attr_reader :encoded_header
 
-    # Returns the payload of the JWT token.
+    # Returns the payload of the JWT token. Access requires the signature to have been verified.
     #
     # @return [Hash] the payload.
+    # @raise [JWT::DecodeError] if the signature has not been verified.
     def payload
-      @payload ||= decode_payload
+      raise JWT::DecodeError, 'Verify the token signature before accessing the payload' unless @signature_verified
+
+      decoded_payload
+    end
+
+    # Returns the payload of the JWT token without requiring the signature to have been verified.
+    # @return [Hash] the payload.
+    def unverified_payload
+      decoded_payload
     end
 
     # Sets or returns the encoded payload of the JWT token.
@@ -72,6 +96,22 @@ module JWT
       [encoded_header, encoded_payload].join('.')
     end
 
+    # Verifies the token signature and claims.
+    # By default it verifies the 'exp' claim.
+    #
+    # @example
+    #  encoded_token.verify!(signature: { algorithm: 'HS256', key: 'secret' }, claims: [:exp])
+    #
+    # @param signature [Hash] the parameters for signature verification (see {#verify_signature!}).
+    # @param claims [Array<Symbol>, Hash] the claims to verify (see {#verify_claims!}).
+    # @return [nil]
+    # @raise [JWT::DecodeError] if the signature or claim verification fails.
+    def verify!(signature:, claims: [:exp])
+      verify_signature!(**signature)
+      claims.is_a?(Array) ? verify_claims!(*claims) : verify_claims!(claims)
+      nil
+    end
+
     # Verifies the signature of the JWT token.
     #
     # @param algorithm [String, Array<String>, Object, Array<Object>] the algorithm(s) to use for verification.
@@ -96,11 +136,34 @@ module JWT
     # @param key [String, Array<String>] the key(s) to use for verification.
     # @return [Boolean] true if the signature is valid, false otherwise.
     def valid_signature?(algorithm:, key:)
-      Array(JWA.resolve_and_sort(algorithms: algorithm, preferred_algorithm: header['alg'])).any? do |algo|
+      valid = Array(JWA.resolve_and_sort(algorithms: algorithm, preferred_algorithm: header['alg'])).any? do |algo|
         Array(key).any? do |one_key|
           algo.verify(data: signing_input, signature: signature, verification_key: one_key)
         end
       end
+
+      valid.tap { |verified| @signature_verified = verified }
+    end
+
+    # Verifies the claims of the token.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @raise [JWT::DecodeError] if the claims are invalid.
+    def verify_claims!(*options)
+      Claims::Verifier.verify!(ClaimsContext.new(self), *options)
+    end
+
+    # Returns the errors of the claims of the token.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @return [Array<Symbol>] the errors of the claims.
+    def claim_errors(*options)
+      Claims::Verifier.errors(ClaimsContext.new(self), *options)
+    end
+
+    # Returns whether the claims of the token are valid.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @return [Boolean] whether the claims are valid.
+    def valid_claims?(*options)
+      claim_errors(*options).empty?
     end
 
     alias to_s jwt
@@ -135,5 +198,9 @@ module JWT
     rescue ::JSON::ParserError
       raise JWT::DecodeError, 'Invalid segment encoding'
     end
+
+    def decoded_payload
+      @decoded_payload ||= decode_payload
+    end
   end
 end

data/lib/jwt/error.rb

@@ -7,9 +7,6 @@ module JWT
   # The DecodeError class is raised when there is an error decoding a JWT.
   class DecodeError < StandardError; end
 
-  # The RequiredDependencyError class is raised when a required dependency is missing.
-  class RequiredDependencyError < StandardError; end
-
   # The VerificationError class is raised when there is an error verifying a JWT.
   class VerificationError < DecodeError; end
 

data/lib/jwt/jwa/ecdsa.rb

@@ -56,10 +56,6 @@ module JWT
         register_algorithm(new(v[:algorithm], v[:digest]))
       end
 
-      def self.from_algorithm(algorithm)
-        new(algorithm, algorithm.downcase.gsub('es', 'sha'))
-      end
-
       def self.curve_by_name(name)
         NAMED_CURVES.fetch(name) do
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"

data/lib/jwt/jwa/hmac.rb

@@ -6,10 +6,6 @@ module JWT
     class Hmac
       include JWT::JWA::SigningAlgorithm
 
-      def self.from_algorithm(algorithm)
-        new(algorithm, OpenSSL::Digest.new(algorithm.downcase.gsub('hs', 'sha')))
-      end
-
       def initialize(alg, digest)
         @alg = alg
         @digest = digest

data/lib/jwt/jwa/ps.rb

@@ -13,6 +13,7 @@ module JWT
 
       def sign(data:, signing_key:)
         raise_sign_error!("The given key is a #{signing_key.class}. It has to be an OpenSSL::PKey::RSA instance.") unless signing_key.is_a?(::OpenSSL::PKey::RSA)
+        raise_sign_error!('The key length must be greater than or equal to 2048 bits') if signing_key.n.num_bits < 2048
 
         signing_key.sign_pss(digest_algorithm, data, salt_length: :digest, mgf1_hash: digest_algorithm)
       end

data/lib/jwt/jwa/rsa.rb

@@ -13,6 +13,7 @@ module JWT
 
       def sign(data:, signing_key:)
         raise_sign_error!("The given key is a #{signing_key.class}. It has to be an OpenSSL::PKey::RSA instance") unless signing_key.is_a?(OpenSSL::PKey::RSA)
+        raise_sign_error!('The key length must be greater than or equal to 2048 bits') if signing_key.n.num_bits < 2048
 
         signing_key.sign(digest, data)
       end

data/lib/jwt/jwa/signing_algorithm.rb

@@ -14,7 +14,6 @@ module JWT
 
       def self.included(klass)
         klass.extend(ClassMethods)
-        klass.include(JWT::JWA::Compat)
       end
 
       attr_reader :alg

data/lib/jwt/jwa.rb

@@ -2,13 +2,6 @@
 
 require 'openssl'
 
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-
-require_relative 'jwa/compat'
 require_relative 'jwa/signing_algorithm'
 require_relative 'jwa/ecdsa'
 require_relative 'jwa/hmac'
@@ -16,15 +9,6 @@ require_relative 'jwa/none'
 require_relative 'jwa/ps'
 require_relative 'jwa/rsa'
 require_relative 'jwa/unsupported'
-require_relative 'jwa/wrapper'
-
-require_relative 'jwa/eddsa' if JWT.rbnacl?
-
-if JWT.rbnacl_6_or_greater?
-  require_relative 'jwa/hmac_rbnacl'
-elsif JWT.rbnacl?
-  require_relative 'jwa/hmac_rbnacl_fixed'
-end
 
 module JWT
   # The JWA module contains all supported algorithms.
@@ -34,10 +18,7 @@ module JWT
       def resolve(algorithm)
         return find(algorithm) if algorithm.is_a?(String) || algorithm.is_a?(Symbol)
 
-        unless algorithm.is_a?(SigningAlgorithm)
-          Deprecations.warning('Custom algorithms are required to include JWT::JWA::SigningAlgorithm. Custom algorithms that do not include this module may stop working in the next major version of ruby-jwt.')
-          return Wrapper.new(algorithm)
-        end
+        raise ArgumentError, 'Custom algorithms are required to include JWT::JWA::SigningAlgorithm' unless algorithm.is_a?(SigningAlgorithm)
 
         algorithm
       end
@@ -47,12 +28,6 @@ module JWT
         algs = Array(algorithms).map { |alg| JWA.resolve(alg) }
         algs.partition { |alg| alg.valid_alg?(preferred_algorithm) }.flatten
       end
-
-      # @deprecated The `::JWT::JWA.create` method is deprecated and will be removed in the next major version of ruby-jwt.
-      def create(algorithm)
-        Deprecations.warning('The ::JWT::JWA.create method is deprecated and will be removed in the next major version of ruby-jwt.')
-        resolve(algorithm)
-      end
     end
   end
 end

data/lib/jwt/jwk/ec.rb

@@ -68,7 +68,7 @@ module JWT
       def []=(key, value)
         raise ArgumentError, 'cannot overwrite cryptographic key attributes' if EC_KEY_ELEMENTS.include?(key.to_sym)
 
-        super(key, value)
+        super
       end
 
       private
@@ -124,10 +124,6 @@ module JWT
         ::JWT::Base64.url_encode(octets)
       end
 
-      def encode_open_ssl_bn(key_part)
-        ::JWT::Base64.url_encode(key_part.to_s(BINARY))
-      end
-
       def parse_ec_key(key)
         crv, x_octets, y_octets = keypair_components(key)
         octets = key.private_key&.to_bn&.to_s(BINARY)

data/lib/jwt/jwk/hmac.rb

@@ -64,13 +64,13 @@ module JWT
       def []=(key, value)
         raise ArgumentError, 'cannot overwrite cryptographic key attributes' if HMAC_KEY_ELEMENTS.include?(key.to_sym)
 
-        super(key, value)
+        super
       end
 
       private
 
       def secret
-        self[:k]
+        @secret ||= ::JWT::Base64.url_decode(self[:k])
       end
 
       def extract_key_params(key)
@@ -78,7 +78,7 @@ module JWT
         when JWT::JWK::HMAC
           key.export(include_private: true)
         when String # Accept String key as input
-          { kty: KTY, k: key }
+          { kty: KTY, k: ::JWT::Base64.url_encode(key) }
         when Hash
           key.transform_keys(&:to_sym)
         else

data/lib/jwt/jwk/key_finder.rb

@@ -2,8 +2,13 @@
 
 module JWT
   module JWK
-    # @api private
+    # JSON Web Key keyfinder
+    # To find the key for a given kid
     class KeyFinder
+      # Initializes a new KeyFinder instance.
+      # @param [Hash] options the options to create a KeyFinder with
+      # @option options [Proc, JWT::JWK::Set] :jwks the jwks or a loader proc
+      # @option options [Boolean] :allow_nil_kid whether to allow nil kid
       def initialize(options)
         @allow_nil_kid = options[:allow_nil_kid]
         jwks_or_loader = options[:jwks]
@@ -15,6 +20,8 @@ module JWT
                        end
       end
 
+      # Returns the verification key for the given kid
+      # @param [String] kid the key id
       def key_for(kid)
         raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid || @allow_nil_kid
         raise ::JWT::DecodeError, 'Invalid type for kid header parameter' unless kid.nil? || kid.is_a?(String)
@@ -27,6 +34,12 @@ module JWT
         jwk.verify_key
       end
 
+      # Returns the key for the given token
+      # @param [JWT::EncodedToken] token the token
+      def call(token)
+        key_for(token.header['kid'])
+      end
+
       private
 
       def resolve_key(kid)

data/lib/jwt/jwk/rsa.rb

@@ -67,7 +67,7 @@ module JWT
       def []=(key, value)
         raise ArgumentError, 'cannot overwrite cryptographic key attributes' if RSA_KEY_ELEMENTS.include?(key.to_sym)
 
-        super(key, value)
+        super
       end
 
       private
@@ -165,6 +165,8 @@ module JWT
           end
         end
 
+        # :nocov:
+        # Before openssl 2.0, we need to use the accessors to set the key
         def create_rsa_key_using_accessors(rsa_parameters) # rubocop:disable Metrics/AbcSize
           validate_rsa_parameters!(rsa_parameters)
 
@@ -179,6 +181,7 @@ module JWT
             rsa_key.iqmp = rsa_parameters[:qi] if rsa_parameters[:qi]
           end
         end
+        # :nocov:
 
         def validate_rsa_parameters!(rsa_parameters)
           return unless rsa_parameters.key?(:d)

data/lib/jwt/jwk.rb

@@ -53,4 +53,3 @@ require_relative 'jwk/key_base'
 require_relative 'jwk/ec'
 require_relative 'jwk/rsa'
 require_relative 'jwk/hmac'
-require_relative 'jwk/okp_rbnacl' if JWT.rbnacl?

data/lib/jwt/token.rb

@@ -15,8 +15,6 @@ module JWT
   #   token.header # => {"custom"=>"value", "alg"=>"HS256"}
   #
   class Token
-    include Claims::VerificationMethods
-
     # Initializes a new Token instance.
     #
     # @param header [Hash] the header of the JWT token.
@@ -97,13 +95,34 @@ module JWT
       raise ::JWT::EncodeError, 'Token already signed' if @signature
 
       JWA.resolve(algorithm).tap do |algo|
-        header.merge!(algo.header)
+        header.merge!(algo.header) { |_key, old, _new| old }
         @signature = algo.sign(data: signing_input, signing_key: key)
       end
 
       nil
     end
 
+    # Verifies the claims of the token.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @raise [JWT::DecodeError] if the claims are invalid.
+    def verify_claims!(*options)
+      Claims::Verifier.verify!(self, *options)
+    end
+
+    # Returns the errors of the claims of the token.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @return [Array<Symbol>] the errors of the claims.
+    def claim_errors(*options)
+      Claims::Verifier.errors(self, *options)
+    end
+
+    # Returns whether the claims of the token are valid.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @return [Boolean] whether the claims are valid.
+    def valid_claims?(*options)
+      claim_errors(*options).empty?
+    end
+
     # Returns the JWT token as a string.
     #
     # @return [String] the JWT token as a string.

data/lib/jwt/version.rb

@@ -12,11 +12,11 @@ module JWT
     Gem::Version.new(VERSION::STRING)
   end
 
-  # @api private
+  # Version constants
   module VERSION
-    MAJOR = 2
-    MINOR = 10
-    TINY  = 1
+    MAJOR = 3
+    MINOR = 0
+    TINY  = 0
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
@@ -32,22 +32,6 @@ module JWT
     true if 3 * 0x10000000 <= OpenSSL::OPENSSL_VERSION_NUMBER
   end
 
-  # Checks if the RbNaCl library is defined.
-  #
-  # @return [Boolean] true if RbNaCl is defined, false otherwise.
-  # @api private
-  def self.rbnacl?
-    defined?(::RbNaCl)
-  end
-
-  # Checks if the RbNaCl library version is 6.0.0 or greater.
-  #
-  # @return [Boolean] true if RbNaCl version is 6.0.0 or greater, false otherwise.
-  # @api private
-  def self.rbnacl_6_or_greater?
-    rbnacl? && ::Gem::Version.new(::RbNaCl::VERSION) >= ::Gem::Version.new('6.0.0')
-  end
-
   # Checks if there is an OpenSSL 3 HMAC empty key regression.
   #
   # @return [Boolean] true if there is an OpenSSL 3 HMAC empty key regression, false otherwise.

data/lib/jwt.rb

@@ -5,7 +5,6 @@ require 'jwt/base64'
 require 'jwt/json'
 require 'jwt/decode'
 require 'jwt/configuration'
-require 'jwt/deprecations'
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
@@ -13,9 +12,6 @@ require 'jwt/claims'
 require 'jwt/encoded_token'
 require 'jwt/token'
 
-require 'jwt/claims_validator'
-require 'jwt/verify'
-
 # JSON Web Token implementation
 #
 # Should be up to date with the latest spec:
@@ -47,8 +43,6 @@ module JWT
   # @param options [Hash] additional options for decoding.
   # @return [Array<Hash>] the decoded payload and headers.
   def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
-    Deprecations.context do
-      Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
-    end
+    Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
   end
 end

data/ruby-jwt.gemspec

@@ -35,6 +35,7 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'logger'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'rubocop'

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.10.1
+  version: 3.0.0
 platform: ruby
 authors:
 - Tim Rudat
 bindir: bin
 cert_chain: []
-date: 2024-12-26 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -51,6 +51,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: logger
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -120,6 +134,7 @@ files:
 - CONTRIBUTING.md
 - LICENSE
 - README.md
+- UPGRADING.md
 - lib/jwt.rb
 - lib/jwt/base64.rb
 - lib/jwt/claims.rb
@@ -134,44 +149,34 @@ files:
 - lib/jwt/claims/numeric.rb
 - lib/jwt/claims/required.rb
 - lib/jwt/claims/subject.rb
-- lib/jwt/claims/verification_methods.rb
 - lib/jwt/claims/verifier.rb
-- lib/jwt/claims_validator.rb
 - lib/jwt/configuration.rb
 - lib/jwt/configuration/container.rb
 - lib/jwt/configuration/decode_configuration.rb
 - lib/jwt/configuration/jwk_configuration.rb
 - lib/jwt/decode.rb
-- lib/jwt/deprecations.rb
 - lib/jwt/encode.rb
 - lib/jwt/encoded_token.rb
 - lib/jwt/error.rb
 - lib/jwt/json.rb
 - lib/jwt/jwa.rb
-- lib/jwt/jwa/compat.rb
 - lib/jwt/jwa/ecdsa.rb
-- lib/jwt/jwa/eddsa.rb
 - lib/jwt/jwa/hmac.rb
-- lib/jwt/jwa/hmac_rbnacl.rb
-- lib/jwt/jwa/hmac_rbnacl_fixed.rb
 - lib/jwt/jwa/none.rb
 - lib/jwt/jwa/ps.rb
 - lib/jwt/jwa/rsa.rb
 - lib/jwt/jwa/signing_algorithm.rb
 - lib/jwt/jwa/unsupported.rb
-- lib/jwt/jwa/wrapper.rb
 - lib/jwt/jwk.rb
 - lib/jwt/jwk/ec.rb
 - lib/jwt/jwk/hmac.rb
 - lib/jwt/jwk/key_base.rb
 - lib/jwt/jwk/key_finder.rb
 - lib/jwt/jwk/kid_as_key_digest.rb
-- lib/jwt/jwk/okp_rbnacl.rb
 - lib/jwt/jwk/rsa.rb
 - lib/jwt/jwk/set.rb
 - lib/jwt/jwk/thumbprint.rb
 - lib/jwt/token.rb
-- lib/jwt/verify.rb
 - lib/jwt/version.rb
 - lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
@@ -180,7 +185,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.10.1/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v3.0.0/CHANGELOG.md
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
@@ -196,7 +201,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.7
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []

data/lib/jwt/claims/verification_methods.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Claims
-    # @api private
-    module VerificationMethods
-      def verify_claims!(*options)
-        Verifier.verify!(self, *options)
-      end
-
-      def claim_errors(*options)
-        Verifier.errors(self, *options)
-      end
-
-      def valid_claims?(*options)
-        claim_errors(*options).empty?
-      end
-    end
-  end
-end

data/lib/jwt/claims_validator.rb

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  # @deprecated Use `Claims.verify_payload!` directly instead.
-  class ClaimsValidator
-    # @deprecated Use `Claims.verify_payload!` directly instead.
-    def initialize(payload)
-      Deprecations.warning('The ::JWT::ClaimsValidator class is deprecated and will be removed in the next major version of ruby-jwt')
-      @payload = payload
-    end
-
-    # @deprecated Use `Claims.verify_payload!` directly instead.
-    def validate!
-      Claims.verify_payload!(@payload, :numeric)
-      true
-    end
-  end
-end