RubyGems - jwt - Versions diffs - 2.10.2 → 3.0.0.beta1 - Mend

jwt 2.10.2 → 3.0.0.beta1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (36) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +23 -4
data/README.md +44 -54
data/UPGRADING.md +46 -0
data/lib/jwt/base64.rb +1 -10
data/lib/jwt/claims/numeric.rb +0 -32
data/lib/jwt/claims.rb +0 -7
data/lib/jwt/configuration/container.rb +0 -1
data/lib/jwt/decode.rb +5 -8
data/lib/jwt/encoded_token.rb +71 -4
data/lib/jwt/jwa/ecdsa.rb +3 -7
data/lib/jwt/jwa/hmac.rb +0 -4
data/lib/jwt/jwa/ps.rb +1 -0
data/lib/jwt/jwa/rsa.rb +4 -3
data/lib/jwt/jwa/signing_algorithm.rb +0 -1
data/lib/jwt/jwa.rb +1 -26
data/lib/jwt/jwk/ec.rb +0 -4
data/lib/jwt/jwk/hmac.rb +2 -2
data/lib/jwt/jwk/key_finder.rb +14 -1
data/lib/jwt/jwk/rsa.rb +3 -0
data/lib/jwt/jwk.rb +0 -1
data/lib/jwt/token.rb +22 -3
data/lib/jwt/version.rb +5 -21
data/lib/jwt.rb +1 -7
data/ruby-jwt.gemspec +0 -1
metadata +5 -28
data/lib/jwt/claims/verification_methods.rb +0 -20
data/lib/jwt/claims_validator.rb +0 -18
data/lib/jwt/deprecations.rb +0 -49
data/lib/jwt/jwa/compat.rb +0 -32
data/lib/jwt/jwa/eddsa.rb +0 -35
data/lib/jwt/jwa/hmac_rbnacl.rb +0 -50
data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +0 -47
data/lib/jwt/jwa/wrapper.rb +0 -44
data/lib/jwt/jwk/okp_rbnacl.rb +0 -109
data/lib/jwt/verify.rb +0 -40

data/lib/jwt/jwk/hmac.rb CHANGED Viewed

@@ -70,7 +70,7 @@ module JWT
       private
       def secret
-        self[:k]
+        @secret ||= ::JWT::Base64.url_decode(self[:k])
       end
       def extract_key_params(key)
@@ -78,7 +78,7 @@ module JWT
         when JWT::JWK::HMAC
           key.export(include_private: true)
         when String # Accept String key as input
-          { kty: KTY, k: key }
+          { kty: KTY, k: ::JWT::Base64.url_encode(key) }
         when Hash
           key.transform_keys(&:to_sym)
         else

data/lib/jwt/jwk/key_finder.rb CHANGED Viewed

@@ -2,8 +2,13 @@
 module JWT
   module JWK
-    # @api private
+    # JSON Web Key keyfinder
+    # To find the key for a given kid
     class KeyFinder
+      # Initializes a new KeyFinder instance.
+      # @param [Hash] options the options to create a KeyFinder with
+      # @option options [Proc, JWT::JWK::Set] :jwks the jwks or a loader proc
+      # @option options [Boolean] :allow_nil_kid whether to allow nil kid
       def initialize(options)
         @allow_nil_kid = options[:allow_nil_kid]
         jwks_or_loader = options[:jwks]
@@ -15,6 +20,8 @@ module JWT
                        end
       end
+      # Returns the verification key for the given kid
+      # @param [String] kid the key id
       def key_for(kid)
         raise ::JWT::DecodeError, 'No key id (kid) found from token headers' unless kid || @allow_nil_kid
         raise ::JWT::DecodeError, 'Invalid type for kid header parameter' unless kid.nil? || kid.is_a?(String)
@@ -27,6 +34,12 @@ module JWT
         jwk.verify_key
       end
+      # Returns the key for the given token
+      # @param [JWT::EncodedToken] token the token
+      def call(token)
+        key_for(token.header['kid'])
+      end
       private
       def resolve_key(kid)

data/lib/jwt/jwk/rsa.rb CHANGED Viewed

@@ -165,6 +165,8 @@ module JWT
           end
         end
+        # :nocov:
+        # Before openssl 2.0, we need to use the accessors to set the key
         def create_rsa_key_using_accessors(rsa_parameters) # rubocop:disable Metrics/AbcSize
           validate_rsa_parameters!(rsa_parameters)
@@ -179,6 +181,7 @@ module JWT
             rsa_key.iqmp = rsa_parameters[:qi] if rsa_parameters[:qi]
           end
         end
+        # :nocov:
         def validate_rsa_parameters!(rsa_parameters)
           return unless rsa_parameters.key?(:d)

data/lib/jwt/jwk.rb CHANGED Viewed

@@ -53,4 +53,3 @@ require_relative 'jwk/key_base'
 require_relative 'jwk/ec'
 require_relative 'jwk/rsa'
 require_relative 'jwk/hmac'
-require_relative 'jwk/okp_rbnacl' if JWT.rbnacl?

data/lib/jwt/token.rb CHANGED Viewed

@@ -15,8 +15,6 @@ module JWT
   #   token.header # => {"custom"=>"value", "alg"=>"HS256"}
   #
   class Token
-    include Claims::VerificationMethods
     # Initializes a new Token instance.
     #
     # @param header [Hash] the header of the JWT token.
@@ -97,13 +95,34 @@ module JWT
       raise ::JWT::EncodeError, 'Token already signed' if @signature
       JWA.resolve(algorithm).tap do |algo|
-        header.merge!(algo.header)
+        header.merge!(algo.header) { |_key, old, _new| old }
         @signature = algo.sign(data: signing_input, signing_key: key)
       end
       nil
     end
+    # Verifies the claims of the token.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @raise [JWT::DecodeError] if the claims are invalid.
+    def verify_claims!(*options)
+      Claims::Verifier.verify!(self, *options)
+    end
+    # Returns the errors of the claims of the token.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @return [Array<Symbol>] the errors of the claims.
+    def claim_errors(*options)
+      Claims::Verifier.errors(self, *options)
+    end
+    # Returns whether the claims of the token are valid.
+    # @param options [Array<Symbol>, Hash] the claims to verify.
+    # @return [Boolean] whether the claims are valid.
+    def valid_claims?(*options)
+      claim_errors(*options).empty?
+    end
     # Returns the JWT token as a string.
     #
     # @return [String] the JWT token as a string.

data/lib/jwt/version.rb CHANGED Viewed

@@ -12,12 +12,12 @@ module JWT
     Gem::Version.new(VERSION::STRING)
   end
-  # @api private
+  # Version constants
   module VERSION
-    MAJOR = 2
-    MINOR = 10
-    TINY  = 2
-    PRE   = nil
+    MAJOR = 3
+    MINOR = 0
+    TINY  = 0
+    PRE   = 'beta1'
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
@@ -32,22 +32,6 @@ module JWT
     true if 3 * 0x10000000 <= OpenSSL::OPENSSL_VERSION_NUMBER
   end
-  # Checks if the RbNaCl library is defined.
-  #
-  # @return [Boolean] true if RbNaCl is defined, false otherwise.
-  # @api private
-  def self.rbnacl?
-    defined?(::RbNaCl)
-  end
-  # Checks if the RbNaCl library version is 6.0.0 or greater.
-  #
-  # @return [Boolean] true if RbNaCl version is 6.0.0 or greater, false otherwise.
-  # @api private
-  def self.rbnacl_6_or_greater?
-    rbnacl? && ::Gem::Version.new(::RbNaCl::VERSION) >= ::Gem::Version.new('6.0.0')
-  end
   # Checks if there is an OpenSSL 3 HMAC empty key regression.
   #
   # @return [Boolean] true if there is an OpenSSL 3 HMAC empty key regression, false otherwise.

data/lib/jwt.rb CHANGED Viewed

@@ -5,7 +5,6 @@ require 'jwt/base64'
 require 'jwt/json'
 require 'jwt/decode'
 require 'jwt/configuration'
-require 'jwt/deprecations'
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
@@ -13,9 +12,6 @@ require 'jwt/claims'
 require 'jwt/encoded_token'
 require 'jwt/token'
-require 'jwt/claims_validator'
-require 'jwt/verify'
 # JSON Web Token implementation
 #
 # Should be up to date with the latest spec:
@@ -47,8 +43,6 @@ module JWT
   # @param options [Hash] additional options for decoding.
   # @return [Array<Hash>] the decoded payload and headers.
   def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
-    Deprecations.context do
-      Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
-    end
+    Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
   end
 end

data/ruby-jwt.gemspec CHANGED Viewed

@@ -35,7 +35,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
-  spec.add_development_dependency 'logger'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
   spec.add_development_dependency 'rubocop'

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.10.2
+  version: 3.0.0.beta1
 platform: ruby
 authors:
 - Tim Rudat
 bindir: bin
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2025-01-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -51,20 +51,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: logger
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -134,6 +120,7 @@ files:
 - CONTRIBUTING.md
 - LICENSE
 - README.md
+- UPGRADING.md
 - lib/jwt.rb
 - lib/jwt/base64.rb
 - lib/jwt/claims.rb
@@ -148,44 +135,34 @@ files:
 - lib/jwt/claims/numeric.rb
 - lib/jwt/claims/required.rb
 - lib/jwt/claims/subject.rb
-- lib/jwt/claims/verification_methods.rb
 - lib/jwt/claims/verifier.rb
-- lib/jwt/claims_validator.rb
 - lib/jwt/configuration.rb
 - lib/jwt/configuration/container.rb
 - lib/jwt/configuration/decode_configuration.rb
 - lib/jwt/configuration/jwk_configuration.rb
 - lib/jwt/decode.rb
-- lib/jwt/deprecations.rb
 - lib/jwt/encode.rb
 - lib/jwt/encoded_token.rb
 - lib/jwt/error.rb
 - lib/jwt/json.rb
 - lib/jwt/jwa.rb
-- lib/jwt/jwa/compat.rb
 - lib/jwt/jwa/ecdsa.rb
-- lib/jwt/jwa/eddsa.rb
 - lib/jwt/jwa/hmac.rb
-- lib/jwt/jwa/hmac_rbnacl.rb
-- lib/jwt/jwa/hmac_rbnacl_fixed.rb
 - lib/jwt/jwa/none.rb
 - lib/jwt/jwa/ps.rb
 - lib/jwt/jwa/rsa.rb
 - lib/jwt/jwa/signing_algorithm.rb
 - lib/jwt/jwa/unsupported.rb
-- lib/jwt/jwa/wrapper.rb
 - lib/jwt/jwk.rb
 - lib/jwt/jwk/ec.rb
 - lib/jwt/jwk/hmac.rb
 - lib/jwt/jwk/key_base.rb
 - lib/jwt/jwk/key_finder.rb
 - lib/jwt/jwk/kid_as_key_digest.rb
-- lib/jwt/jwk/okp_rbnacl.rb
 - lib/jwt/jwk/rsa.rb
 - lib/jwt/jwk/set.rb
 - lib/jwt/jwk/thumbprint.rb
 - lib/jwt/token.rb
-- lib/jwt/verify.rb
 - lib/jwt/version.rb
 - lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
@@ -194,7 +171,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.10.2/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v3.0.0.beta1/CHANGELOG.md
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
@@ -210,7 +187,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.2
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []

data/lib/jwt/claims/verification_methods.rb DELETED Viewed

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module Claims
-    # @api private
-    module VerificationMethods
-      def verify_claims!(*options)
-        Verifier.verify!(self, *options)
-      end
-      def claim_errors(*options)
-        Verifier.errors(self, *options)
-      end
-      def valid_claims?(*options)
-        claim_errors(*options).empty?
-      end
-    end
-  end
-end

data/lib/jwt/claims_validator.rb DELETED Viewed

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  # @deprecated Use `Claims.verify_payload!` directly instead.
-  class ClaimsValidator
-    # @deprecated Use `Claims.verify_payload!` directly instead.
-    def initialize(payload)
-      Deprecations.warning('The ::JWT::ClaimsValidator class is deprecated and will be removed in the next major version of ruby-jwt')
-      @payload = payload
-    end
-    # @deprecated Use `Claims.verify_payload!` directly instead.
-    def validate!
-      Claims.verify_payload!(@payload, :numeric)
-      true
-    end
-  end
-end

data/lib/jwt/deprecations.rb DELETED Viewed

@@ -1,49 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  # Deprecations module to handle deprecation warnings in the gem
-  # @api private
-  module Deprecations
-    class << self
-      def context
-        yield.tap { emit_warnings }
-      ensure
-        Thread.current[:jwt_warning_store] = nil
-      end
-      def warning(message, only_if_valid: false)
-        method_name = only_if_valid ? :store : :warn
-        case JWT.configuration.deprecation_warnings
-        when :once
-          return if record_warned(message)
-        when :warn
-          # noop
-        else
-          return
-        end
-        send(method_name, "[DEPRECATION WARNING] #{message}")
-      end
-      def store(message)
-        (Thread.current[:jwt_warning_store] ||= []) << message
-      end
-      def emit_warnings
-        return if Thread.current[:jwt_warning_store].nil?
-        Thread.current[:jwt_warning_store].each { |warning| warn(warning) }
-      end
-      private
-      def record_warned(message)
-        @warned ||= []
-        return true if @warned.include?(message)
-        @warned << message
-        false
-      end
-    end
-  end
-end

data/lib/jwt/jwa/compat.rb DELETED Viewed

@@ -1,32 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module JWA
-    # Provides backwards compatibility for algorithms
-    # @api private
-    module Compat
-      # @api private
-      module ClassMethods
-        def from_algorithm(algorithm)
-          new(algorithm)
-        end
-        def sign(algorithm, msg, key)
-          Deprecations.warning('Support for calling sign with positional arguments will be removed in future ruby-jwt versions')
-          from_algorithm(algorithm).sign(data: msg, signing_key: key)
-        end
-        def verify(algorithm, key, signing_input, signature)
-          Deprecations.warning('Support for calling verify with positional arguments will be removed in future ruby-jwt versions')
-          from_algorithm(algorithm).verify(data: signing_input, signature: signature, verification_key: key)
-        end
-      end
-      def self.included(klass)
-        klass.extend(ClassMethods)
-      end
-    end
-  end
-end

data/lib/jwt/jwa/eddsa.rb DELETED Viewed

@@ -1,35 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module JWA
-    # Implementation of the EdDSA family of algorithms
-    class Eddsa
-      include JWT::JWA::SigningAlgorithm
-      def initialize(alg)
-        @alg = alg
-      end
-      def sign(data:, signing_key:)
-        raise_sign_error!("Key given is a #{signing_key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey") unless signing_key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
-        Deprecations.warning('Using the EdDSA algorithm is deprecated and will be removed in a future version of ruby-jwt. In the future the algorithm will be provided by the jwt-eddsa gem.')
-        signing_key.sign(data)
-      end
-      def verify(data:, signature:, verification_key:)
-        raise_verify_error!("key given is a #{verification_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey") unless verification_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
-        Deprecations.warning('Using the EdDSA algorithm is deprecated and will be removed in a future version of ruby-jwt. In the future the algorithm will be provided by the jwt-eddsa gem.')
-        verification_key.verify(signature, data)
-      rescue RbNaCl::CryptoError
-        false
-      end
-      register_algorithm(new('ED25519'))
-      register_algorithm(new('EdDSA'))
-    end
-  end
-end

data/lib/jwt/jwa/hmac_rbnacl.rb DELETED Viewed

@@ -1,50 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module JWA
-    # Implementation of the HMAC family of algorithms (using RbNaCl)
-    class HmacRbNaCl
-      include JWT::JWA::SigningAlgorithm
-      def self.from_algorithm(algorithm)
-        new(algorithm, ::RbNaCl::HMAC.const_get(algorithm.upcase.gsub('HS', 'SHA')))
-      end
-      def initialize(alg, hmac)
-        @alg = alg
-        @hmac = hmac
-      end
-      def sign(data:, signing_key:)
-        Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
-        hmac.auth(key_for_rbnacl(hmac, signing_key).encode('binary'), data.encode('binary'))
-      end
-      def verify(data:, signature:, verification_key:)
-        Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
-        hmac.verify(key_for_rbnacl(hmac, verification_key).encode('binary'), signature.encode('binary'), data.encode('binary'))
-      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-        false
-      end
-      register_algorithm(new('HS512256', ::RbNaCl::HMAC::SHA512256))
-      private
-      attr_reader :hmac
-      def key_for_rbnacl(hmac, key)
-        key ||= ''
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-        return padded_empty_key(hmac.key_bytes) if key == ''
-        key
-      end
-      def padded_empty_key(length)
-        Array.new(length, 0x0).pack('C*').encode('binary')
-      end
-    end
-  end
-end

data/lib/jwt/jwa/hmac_rbnacl_fixed.rb DELETED Viewed

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module JWA
-    # Implementation of the HMAC family of algorithms (using RbNaCl prior to a certain version)
-    class HmacRbNaClFixed
-      include JWT::JWA::SigningAlgorithm
-      def self.from_algorithm(algorithm)
-        new(algorithm, ::RbNaCl::HMAC.const_get(algorithm.upcase.gsub('HS', 'SHA')))
-      end
-      def initialize(alg, hmac)
-        @alg = alg
-        @hmac = hmac
-      end
-      def sign(data:, signing_key:)
-        signing_key ||= ''
-        Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless signing_key.is_a?(String)
-        hmac.auth(padded_key_bytes(signing_key, hmac.key_bytes), data.encode('binary'))
-      end
-      def verify(data:, signature:, verification_key:)
-        verification_key ||= ''
-        Deprecations.warning("The use of the algorithm #{alg} is deprecated and will be removed in the next major version of ruby-jwt")
-        raise JWT::DecodeError, 'HMAC key expected to be a String' unless verification_key.is_a?(String)
-        hmac.verify(padded_key_bytes(verification_key, hmac.key_bytes), signature.encode('binary'), data.encode('binary'))
-      rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-        false
-      end
-      register_algorithm(new('HS512256', ::RbNaCl::HMAC::SHA512256))
-      private
-      attr_reader :hmac
-      def padded_key_bytes(key, bytesize)
-        key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
-      end
-    end
-  end
-end

data/lib/jwt/jwa/wrapper.rb DELETED Viewed

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-module JWT
-  module JWA
-    # @api private
-    class Wrapper
-      include SigningAlgorithm
-      def initialize(algorithm)
-        @algorithm = algorithm
-      end
-      def alg
-        return @algorithm.alg if @algorithm.respond_to?(:alg)
-        super
-      end
-      def valid_alg?(alg_to_check)
-        return @algorithm.valid_alg?(alg_to_check) if @algorithm.respond_to?(:valid_alg?)
-        super
-      end
-      def header(*args, **kwargs)
-        return @algorithm.header(*args, **kwargs) if @algorithm.respond_to?(:header)
-        super
-      end
-      def sign(*args, **kwargs)
-        return @algorithm.sign(*args, **kwargs) if @algorithm.respond_to?(:sign)
-        super
-      end
-      def verify(*args, **kwargs)
-        return @algorithm.verify(*args, **kwargs) if @algorithm.respond_to?(:verify)
-        super
-      end
-    end
-  end
-end