jwt 2.3.0 → 2.10.1

data/lib/jwt/configuration/container.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require_relative 'decode_configuration'
+require_relative 'jwk_configuration'
+
+module JWT
+  module Configuration
+    # The Container class holds the configuration settings for JWT.
+    class Container
+      # @!attribute [rw] decode
+      #   @return [DecodeConfiguration] the decode configuration.
+      # @!attribute [rw] jwk
+      #   @return [JwkConfiguration] the JWK configuration.
+      # @!attribute [rw] strict_base64_decoding
+      #   @return [Boolean] whether strict Base64 decoding is enabled.
+      attr_accessor :decode, :jwk, :strict_base64_decoding
+
+      # @!attribute [r] deprecation_warnings
+      #   @return [Symbol] the deprecation warnings setting.
+      attr_reader :deprecation_warnings
+
+      # Initializes a new Container instance and resets the configuration.
+      def initialize
+        reset!
+      end
+
+      # Resets the configuration to default values.
+      #
+      # @return [void]
+      def reset!
+        @decode                 = DecodeConfiguration.new
+        @jwk                    = JwkConfiguration.new
+        @strict_base64_decoding = false
+
+        self.deprecation_warnings = :once
+      end
+
+      DEPRECATION_WARNINGS_VALUES = %i[once warn silent].freeze
+      private_constant(:DEPRECATION_WARNINGS_VALUES)
+      # Sets the deprecation warnings setting.
+      #
+      # @param value [Symbol] the deprecation warnings setting. Must be one of `:once`, `:warn`, or `:silent`.
+      # @raise [ArgumentError] if the value is not one of the supported values.
+      # @return [void]
+      def deprecation_warnings=(value)
+        raise ArgumentError, "Invalid deprecation_warnings value #{value}. Supported values: #{DEPRECATION_WARNINGS_VALUES}" unless DEPRECATION_WARNINGS_VALUES.include?(value)
+
+        @deprecation_warnings = value
+      end
+    end
+  end
+end

data/lib/jwt/configuration/decode_configuration.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module JWT
+  module Configuration
+    # The DecodeConfiguration class holds the configuration settings for decoding JWT tokens.
+    class DecodeConfiguration
+      # @!attribute [rw] verify_expiration
+      #   @return [Boolean] whether to verify the expiration claim.
+      # @!attribute [rw] verify_not_before
+      #   @return [Boolean] whether to verify the not before claim.
+      # @!attribute [rw] verify_iss
+      #   @return [Boolean] whether to verify the issuer claim.
+      # @!attribute [rw] verify_iat
+      #   @return [Boolean] whether to verify the issued at claim.
+      # @!attribute [rw] verify_jti
+      #   @return [Boolean] whether to verify the JWT ID claim.
+      # @!attribute [rw] verify_aud
+      #   @return [Boolean] whether to verify the audience claim.
+      # @!attribute [rw] verify_sub
+      #   @return [Boolean] whether to verify the subject claim.
+      # @!attribute [rw] leeway
+      #   @return [Integer] the leeway in seconds for time-based claims.
+      # @!attribute [rw] algorithms
+      #   @return [Array<String>] the list of acceptable algorithms.
+      # @!attribute [rw] required_claims
+      #   @return [Array<String>] the list of required claims.
+
+      attr_accessor :verify_expiration,
+                    :verify_not_before,
+                    :verify_iss,
+                    :verify_iat,
+                    :verify_jti,
+                    :verify_aud,
+                    :verify_sub,
+                    :leeway,
+                    :algorithms,
+                    :required_claims
+
+      # Initializes a new DecodeConfiguration instance with default settings.
+      def initialize
+        @verify_expiration = true
+        @verify_not_before = true
+        @verify_iss = false
+        @verify_iat = false
+        @verify_jti = false
+        @verify_aud = false
+        @verify_sub = false
+        @leeway = 0
+        @algorithms = ['HS256']
+        @required_claims = []
+      end
+
+      # @api private
+      def to_h
+        {
+          verify_expiration: verify_expiration,
+          verify_not_before: verify_not_before,
+          verify_iss: verify_iss,
+          verify_iat: verify_iat,
+          verify_jti: verify_jti,
+          verify_aud: verify_aud,
+          verify_sub: verify_sub,
+          leeway: leeway,
+          algorithms: algorithms,
+          required_claims: required_claims
+        }
+      end
+    end
+  end
+end

data/lib/jwt/configuration/jwk_configuration.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require_relative '../jwk/kid_as_key_digest'
+require_relative '../jwk/thumbprint'
+
+module JWT
+  module Configuration
+    # @api private
+    class JwkConfiguration
+      def initialize
+        self.kid_generator_type = :key_digest
+      end
+
+      def kid_generator_type=(value)
+        self.kid_generator = case value
+                             when :key_digest
+                               JWT::JWK::KidAsKeyDigest
+                             when :rfc7638_thumbprint
+                               JWT::JWK::Thumbprint
+                             else
+                               raise ArgumentError, "#{value} is not a valid kid generator type."
+                             end
+      end
+
+      attr_accessor :kid_generator
+    end
+  end
+end

data/lib/jwt/configuration.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative 'configuration/container'
+
+module JWT
+  # The Configuration module provides methods to configure JWT settings.
+  module Configuration
+    # Configures the JWT settings.
+    #
+    # @yield [config] Gives the current configuration to the block.
+    # @yieldparam config [JWT::Configuration::Container] the configuration container.
+    def configure
+      yield(configuration)
+    end
+
+    # Returns the JWT configuration container.
+    #
+    # @return [JWT::Configuration::Container] the configuration container.
+    def configuration
+      @configuration ||= ::JWT::Configuration::Container.new
+    end
+  end
+end

data/lib/jwt/decode.rb

@@ -1,111 +1,120 @@
 # frozen_string_literal: true
 
 require 'json'
+require 'jwt/x5c_key_finder'
 
-require 'jwt/signature'
-require 'jwt/verify'
-# JWT::Decode module
 module JWT
-  # Decoding logic for JWT
+  # The Decode class is responsible for decoding and verifying JWT tokens.
   class Decode
+    # Initializes a new Decode instance.
+    #
+    # @param jwt [String] the JWT to decode.
+    # @param key [String, Array<String>] the key(s) to use for verification.
+    # @param verify [Boolean] whether to verify the token's signature.
+    # @param options [Hash] additional options for decoding and verification.
+    # @param keyfinder [Proc] an optional key finder block to dynamically find the key for verification.
+    # @raise [JWT::DecodeError] if decoding or verification fails.
     def initialize(jwt, key, verify, options, &keyfinder)
-      raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
-      @jwt = jwt
+      raise JWT::DecodeError, 'Nil JSON web token' unless jwt
+
+      @token = EncodedToken.new(jwt)
       @key = key
       @options = options
-      @segments = jwt.split('.')
       @verify = verify
-      @signature = ''
       @keyfinder = keyfinder
     end
 
+    # Decodes the JWT token and verifies its segments if verification is enabled.
+    #
+    # @return [Array<Hash>] an array containing the decoded payload and header.
     def decode_segments
       validate_segment_count!
       if @verify
-        decode_crypto
+        verify_algo
+        set_key
         verify_signature
-        verify_claims
+        Claims::DecodeVerifier.verify!(token.payload, @options)
       end
-      raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
-      [payload, header]
+
+      [token.payload, token.header]
     end
 
     private
 
+    attr_reader :token
+
     def verify_signature
-      raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
-      raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless header['alg']
-      raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
+      return if none_algorithm?
 
-      @key = find_key(&@keyfinder) if @keyfinder
-      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
+      raise JWT::DecodeError, 'No verification key available' unless @key
 
-      Signature.verify(header['alg'], @key, signing_input, @signature)
+      token.verify_signature!(algorithm: allowed_and_valid_algorithms, key: @key)
     end
 
-    def options_includes_algo_in_header?
-      allowed_algorithms.any? { |alg| alg.casecmp(header['alg']).zero? }
+    def verify_algo
+      raise JWT::IncorrectAlgorithm, 'An algorithm must be specified' if allowed_algorithms.empty?
+      raise JWT::DecodeError, 'Token header not a JSON object' unless token.header.is_a?(Hash)
+      raise JWT::IncorrectAlgorithm, 'Token is missing alg header' unless alg_in_header
+      raise JWT::IncorrectAlgorithm, 'Expected a different algorithm' if allowed_and_valid_algorithms.empty?
     end
 
-    def allowed_algorithms
-      # Order is very important - first check for string keys, next for symbols
-      algos = if @options.key?('algorithm')
-        @options['algorithm']
-      elsif @options.key?(:algorithm)
-        @options[:algorithm]
-      elsif @options.key?('algorithms')
-        @options['algorithms']
-      elsif @options.key?(:algorithms)
-        @options[:algorithms]
-      else
-        []
-      end
-      Array(algos)
-    end
+    def set_key
+      @key = find_key(&@keyfinder) if @keyfinder
+      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).key_for(token.header['kid']) if @options[:jwks]
+      return unless (x5c_options = @options[:x5c])
 
-    def find_key(&keyfinder)
-      key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header))
-      raise JWT::DecodeError, 'No verification key available' unless key
-      key
+      @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(token.header['x5c'])
     end
 
-    def verify_claims
-      Verify.verify_claims(payload, @options)
-      Verify.verify_required_claims(payload, @options)
+    def allowed_and_valid_algorithms
+      @allowed_and_valid_algorithms ||= allowed_algorithms.select { |alg| alg.valid_alg?(alg_in_header) }
     end
 
-    def validate_segment_count!
-      return if segment_length == 3
-      return if !@verify && segment_length == 2 # If no verifying required, the signature is not needed
-      return if segment_length == 2 && header['alg'] == 'none'
+    # Order is very important - first check for string keys, next for symbols
+    ALGORITHM_KEYS = ['algorithm',
+                      :algorithm,
+                      'algorithms',
+                      :algorithms].freeze
 
-      raise(JWT::DecodeError, 'Not enough or too many segments')
+    def given_algorithms
+      ALGORITHM_KEYS.each do |alg_key|
+        alg = @options[alg_key]
+        return Array(alg) if alg
+      end
+      []
     end
 
-    def segment_length
-      @segments.count
+    def allowed_algorithms
+      @allowed_algorithms ||= resolve_allowed_algorithms
     end
 
-    def decode_crypto
-      @signature = JWT::Base64.url_decode(@segments[2] || '')
+    def resolve_allowed_algorithms
+      given_algorithms.map { |alg| JWA.resolve(alg) }
     end
 
-    def header
-      @header ||= parse_and_decode @segments[0]
+    def find_key(&keyfinder)
+      key = (keyfinder.arity == 2 ? yield(token.header, token.payload) : yield(token.header))
+      # key can be of type [string, nil, OpenSSL::PKey, Array]
+      return key if key && !Array(key).empty?
+
+      raise JWT::DecodeError, 'No verification key available'
     end
 
-    def payload
-      @payload ||= parse_and_decode @segments[1]
+    def validate_segment_count!
+      segment_count = token.jwt.count('.') + 1
+      return if segment_count == 3
+      return if !@verify && segment_count == 2 # If no verifying required, the signature is not needed
+      return if segment_count == 2 && none_algorithm?
+
+      raise JWT::DecodeError, 'Not enough or too many segments'
     end
 
-    def signing_input
-      @segments.first(2).join('.')
+    def none_algorithm?
+      alg_in_header == 'none'
     end
 
-    def parse_and_decode(segment)
-      JWT::JSON.parse(JWT::Base64.url_decode(segment))
-    rescue ::JSON::ParserError
-      raise JWT::DecodeError, 'Invalid segment encoding'
+    def alg_in_header
+      token.header['alg']
     end
   end
 end

data/lib/jwt/deprecations.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module JWT
+  # Deprecations module to handle deprecation warnings in the gem
+  # @api private
+  module Deprecations
+    class << self
+      def context
+        yield.tap { emit_warnings }
+      ensure
+        Thread.current[:jwt_warning_store] = nil
+      end
+
+      def warning(message, only_if_valid: false)
+        method_name = only_if_valid ? :store : :warn
+        case JWT.configuration.deprecation_warnings
+        when :once
+          return if record_warned(message)
+        when :warn
+          # noop
+        else
+          return
+        end
+
+        send(method_name, "[DEPRECATION WARNING] #{message}")
+      end
+
+      def store(message)
+        (Thread.current[:jwt_warning_store] ||= []) << message
+      end
+
+      def emit_warnings
+        return if Thread.current[:jwt_warning_store].nil?
+
+        Thread.current[:jwt_warning_store].each { |warning| warn(warning) }
+      end
+
+      private
+
+      def record_warned(message)
+        @warned ||= []
+        return true if @warned.include?(message)
+
+        @warned << message
+        false
+      end
+    end
+  end
+end

data/lib/jwt/encode.rb

@@ -1,69 +1,30 @@
 # frozen_string_literal: true
 
-require_relative './algos'
-require_relative './claims_validator'
+require_relative 'jwa'
 
-# JWT::Encode module
 module JWT
-  # Encoding logic for JWT
+  # The Encode class is responsible for encoding JWT tokens.
   class Encode
-    ALG_NONE = 'none'.freeze
-    ALG_KEY  = 'alg'.freeze
-
+    # Initializes a new Encode instance.
+    #
+    # @param options [Hash] the options for encoding the JWT token.
+    # @option options [Hash] :payload the payload of the JWT token.
+    # @option options [Hash] :headers the headers of the JWT token.
+    # @option options [String] :key the key used to sign the JWT token.
+    # @option options [String] :algorithm the algorithm used to sign the JWT token.
     def initialize(options)
-      @payload = options[:payload]
-      @key = options[:key]
-      _, @algorithm = Algos.find(options[:algorithm])
-      @headers = options[:headers].each_with_object({}) { |(key, value), headers| headers[key.to_s] = value }
+      @token     = Token.new(payload: options[:payload], header: options[:headers])
+      @key       = options[:key]
+      @algorithm = options[:algorithm]
     end
 
+    # Encodes the JWT token and returns its segments.
+    #
+    # @return [String] the encoded JWT token.
     def segments
-      @segments ||= combine(encoded_header_and_payload, encoded_signature)
-    end
-
-    private
-
-    def encoded_header
-      @encoded_header ||= encode_header
-    end
-
-    def encoded_payload
-      @encoded_payload ||= encode_payload
-    end
-
-    def encoded_signature
-      @encoded_signature ||= encode_signature
-    end
-
-    def encoded_header_and_payload
-      @encoded_header_and_payload ||= combine(encoded_header, encoded_payload)
-    end
-
-    def encode_header
-      @headers[ALG_KEY] = @algorithm
-      encode(@headers)
-    end
-
-    def encode_payload
-      if @payload && @payload.is_a?(Hash)
-        ClaimsValidator.new(@payload).validate!
-      end
-
-      encode(@payload)
-    end
-
-    def encode_signature
-      return '' if @algorithm == ALG_NONE
-
-      JWT::Base64.url_encode(JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key))
-    end
-
-    def encode(data)
-      JWT::Base64.url_encode(JWT::JSON.generate(data))
-    end
-
-    def combine(*parts)
-      parts.join('.')
+      @token.verify_claims!(:numeric)
+      @token.sign!(algorithm: @algorithm, key: @key)
+      @token.jwt
     end
   end
 end

data/lib/jwt/encoded_token.rb

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+
+module JWT
+  # Represents an encoded JWT token
+  #
+  # Processing an encoded and signed token:
+  #
+  #   token = JWT::Token.new(payload: {pay: 'load'})
+  #   token.sign!(algorithm: 'HS256', key: 'secret')
+  #
+  #   encoded_token = JWT::EncodedToken.new(token.jwt)
+  #   encoded_token.verify_signature!(algorithm: 'HS256', key: 'secret')
+  #   encoded_token.payload # => {'pay' => 'load'}
+  class EncodedToken
+    include Claims::VerificationMethods
+
+    # Returns the original token provided to the class.
+    # @return [String] The JWT token.
+    attr_reader :jwt
+
+    # Initializes a new EncodedToken instance.
+    #
+    # @param jwt [String] the encoded JWT token.
+    # @raise [ArgumentError] if the provided JWT is not a String.
+    def initialize(jwt)
+      raise ArgumentError, 'Provided JWT must be a String' unless jwt.is_a?(String)
+
+      @jwt = jwt
+      @encoded_header, @encoded_payload, @encoded_signature = jwt.split('.')
+    end
+
+    # Returns the decoded signature of the JWT token.
+    #
+    # @return [String] the decoded signature.
+    def signature
+      @signature ||= ::JWT::Base64.url_decode(encoded_signature || '')
+    end
+
+    # Returns the encoded signature of the JWT token.
+    #
+    # @return [String] the encoded signature.
+    attr_reader :encoded_signature
+
+    # Returns the decoded header of the JWT token.
+    #
+    # @return [Hash] the header.
+    def header
+      @header ||= parse_and_decode(@encoded_header)
+    end
+
+    # Returns the encoded header of the JWT token.
+    #
+    # @return [String] the encoded header.
+    attr_reader :encoded_header
+
+    # Returns the payload of the JWT token.
+    #
+    # @return [Hash] the payload.
+    def payload
+      @payload ||= decode_payload
+    end
+
+    # Sets or returns the encoded payload of the JWT token.
+    #
+    # @return [String] the encoded payload.
+    attr_accessor :encoded_payload
+
+    # Returns the signing input of the JWT token.
+    #
+    # @return [String] the signing input.
+    def signing_input
+      [encoded_header, encoded_payload].join('.')
+    end
+
+    # Verifies the signature of the JWT token.
+    #
+    # @param algorithm [String, Array<String>, Object, Array<Object>] the algorithm(s) to use for verification.
+    # @param key [String, Array<String>] the key(s) to use for verification.
+    # @param key_finder [#call] an object responding to `call` to find the key for verification.
+    # @return [nil]
+    # @raise [JWT::VerificationError] if the signature verification fails.
+    # @raise [ArgumentError] if neither key nor key_finder is provided, or if both are provided.
+    def verify_signature!(algorithm:, key: nil, key_finder: nil)
+      raise ArgumentError, 'Provide either key or key_finder, not both or neither' if key.nil? == key_finder.nil?
+
+      key ||= key_finder.call(self)
+
+      return if valid_signature?(algorithm: algorithm, key: key)
+
+      raise JWT::VerificationError, 'Signature verification failed'
+    end
+
+    # Checks if the signature of the JWT token is valid.
+    #
+    # @param algorithm [String, Array<String>, Object, Array<Object>] the algorithm(s) to use for verification.
+    # @param key [String, Array<String>] the key(s) to use for verification.
+    # @return [Boolean] true if the signature is valid, false otherwise.
+    def valid_signature?(algorithm:, key:)
+      Array(JWA.resolve_and_sort(algorithms: algorithm, preferred_algorithm: header['alg'])).any? do |algo|
+        Array(key).any? do |one_key|
+          algo.verify(data: signing_input, signature: signature, verification_key: one_key)
+        end
+      end
+    end
+
+    alias to_s jwt
+
+    private
+
+    def decode_payload
+      raise JWT::DecodeError, 'Encoded payload is empty' if encoded_payload == ''
+
+      if unencoded_payload?
+        verify_claims!(crit: ['b64'])
+        return parse_unencoded(encoded_payload)
+      end
+
+      parse_and_decode(encoded_payload)
+    end
+
+    def unencoded_payload?
+      header['b64'] == false
+    end
+
+    def parse_and_decode(segment)
+      parse(::JWT::Base64.url_decode(segment || ''))
+    end
+
+    def parse_unencoded(segment)
+      parse(segment)
+    end
+
+    def parse(segment)
+      JWT::JSON.parse(segment)
+    rescue ::JSON::ParserError
+      raise JWT::DecodeError, 'Invalid segment encoding'
+    end
+  end
+end