jwt 2.3.0 → 2.10.1

data/lib/jwt/version.rb

@@ -1,24 +1,66 @@
-# encoding: utf-8
 # frozen_string_literal: true
 
-# Moments version builder module
+# JSON Web Token implementation
+#
+# Should be up to date with the latest spec:
+# https://tools.ietf.org/html/rfc7519
 module JWT
+  # Returns the gem version of the JWT library.
+  #
+  # @return [Gem::Version] the gem version.
   def self.gem_version
-    Gem::Version.new VERSION::STRING
+    Gem::Version.new(VERSION::STRING)
   end
 
-  # Moments version builder module
+  # @api private
   module VERSION
-    # major version
     MAJOR = 2
-    # minor version
-    MINOR = 3
-    # tiny version
-    TINY  = 0
-    # alpha, beta, etc. tag
+    MINOR = 10
+    TINY  = 1
     PRE   = nil
 
-    # Build version string
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end
+
+  # Checks if the OpenSSL version is 3 or greater.
+  #
+  # @return [Boolean] true if OpenSSL version is 3 or greater, false otherwise.
+  # @api private
+  def self.openssl_3?
+    return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')
+
+    true if 3 * 0x10000000 <= OpenSSL::OPENSSL_VERSION_NUMBER
+  end
+
+  # Checks if the RbNaCl library is defined.
+  #
+  # @return [Boolean] true if RbNaCl is defined, false otherwise.
+  # @api private
+  def self.rbnacl?
+    defined?(::RbNaCl)
+  end
+
+  # Checks if the RbNaCl library version is 6.0.0 or greater.
+  #
+  # @return [Boolean] true if RbNaCl version is 6.0.0 or greater, false otherwise.
+  # @api private
+  def self.rbnacl_6_or_greater?
+    rbnacl? && ::Gem::Version.new(::RbNaCl::VERSION) >= ::Gem::Version.new('6.0.0')
+  end
+
+  # Checks if there is an OpenSSL 3 HMAC empty key regression.
+  #
+  # @return [Boolean] true if there is an OpenSSL 3 HMAC empty key regression, false otherwise.
+  # @api private
+  def self.openssl_3_hmac_empty_key_regression?
+    openssl_3? && openssl_version <= ::Gem::Version.new('3.0.0')
+  end
+
+  # Returns the OpenSSL version.
+  #
+  # @return [Gem::Version] the OpenSSL version.
+  # @api private
+  def self.openssl_version
+    @openssl_version ||= ::Gem::Version.new(OpenSSL::VERSION)
+  end
 end

data/lib/jwt/x5c_key_finder.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module JWT
+  # If the x5c header certificate chain can be validated by trusted root
+  # certificates, and none of the certificates are revoked, returns the public
+  # key from the first certificate.
+  # See https://tools.ietf.org/html/rfc7515#section-4.1.6
+  class X5cKeyFinder
+    def initialize(root_certificates, crls = nil)
+      raise ArgumentError, 'Root certificates must be specified' unless root_certificates
+
+      @store = build_store(root_certificates, crls)
+    end
+
+    def from(x5c_header_or_certificates)
+      signing_certificate, *certificate_chain = parse_certificates(x5c_header_or_certificates)
+      store_context = OpenSSL::X509::StoreContext.new(@store, signing_certificate, certificate_chain)
+
+      if store_context.verify
+        signing_certificate.public_key
+      else
+        error = "Certificate verification failed: #{store_context.error_string}."
+        if (current_cert = store_context.current_cert)
+          error = "#{error} Certificate subject: #{current_cert.subject}."
+        end
+
+        raise JWT::VerificationError, error
+      end
+    end
+
+    private
+
+    def build_store(root_certificates, crls)
+      store = OpenSSL::X509::Store.new
+      store.purpose = OpenSSL::X509::PURPOSE_ANY
+      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+      root_certificates.each { |certificate| store.add_cert(certificate) }
+      crls&.each { |crl| store.add_crl(crl) }
+      store
+    end
+
+    def parse_certificates(x5c_header_or_certificates)
+      if x5c_header_or_certificates.all? { |obj| obj.is_a?(OpenSSL::X509::Certificate) }
+        x5c_header_or_certificates
+      else
+        x5c_header_or_certificates.map do |encoded|
+          OpenSSL::X509::Certificate.new(::JWT::Base64.url_decode(encoded))
+        end
+      end
+    end
+  end
+end

data/lib/jwt.rb

@@ -1,22 +1,37 @@
 # frozen_string_literal: true
 
+require 'jwt/version'
 require 'jwt/base64'
 require 'jwt/json'
 require 'jwt/decode'
-require 'jwt/default_options'
+require 'jwt/configuration'
+require 'jwt/deprecations'
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
+require 'jwt/claims'
+require 'jwt/encoded_token'
+require 'jwt/token'
+
+require 'jwt/claims_validator'
+require 'jwt/verify'
 
 # JSON Web Token implementation
 #
 # Should be up to date with the latest spec:
 # https://tools.ietf.org/html/rfc7519
 module JWT
-  include JWT::DefaultOptions
+  extend ::JWT::Configuration
 
   module_function
 
+  # Encodes a payload into a JWT.
+  #
+  # @param payload [Hash] the payload to encode.
+  # @param key [String] the key used to sign the JWT.
+  # @param algorithm [String] the algorithm used to sign the JWT.
+  # @param header_fields [Hash] additional headers to include in the JWT.
+  # @return [String] the encoded JWT.
   def encode(payload, key, algorithm = 'HS256', header_fields = {})
     Encode.new(payload: payload,
                key: key,
@@ -24,7 +39,16 @@ module JWT
                headers: header_fields).segments
   end
 
-  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder)
-    Decode.new(jwt, key, verify, DEFAULT_OPTIONS.merge(options), &keyfinder).decode_segments
+  # Decodes a JWT to extract the payload and header
+  #
+  # @param jwt [String] the JWT to decode.
+  # @param key [String] the key used to verify the JWT.
+  # @param verify [Boolean] whether to verify the JWT signature.
+  # @param options [Hash] additional options for decoding.
+  # @return [Array<Hash>] the decoded payload and headers.
+  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
+    Deprecations.context do
+      Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
+    end
   end
 end

data/ruby-jwt.gemspec

@@ -1,4 +1,6 @@
-lib = File.expand_path('../lib/', __FILE__)
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'jwt/version'
 
@@ -13,20 +15,28 @@ Gem::Specification.new do |spec|
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
   spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
-  spec.required_ruby_version = '>= 2.1'
+  spec.required_ruby_version = '>= 2.5'
   spec.metadata = {
     'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
-    'changelog_uri'   => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"
+    'changelog_uri' => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md",
+    'rubygems_mfa_required' => 'true'
   }
 
-  spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(spec|gemfiles|coverage|bin)/}) || # Irrelevant folders
+      f.match(/^\.+/) || # Files and folders starting with .
+      f.match(/^(Appraisals|Gemfile|Rakefile)$/) # Irrelevant files
+  end
+
   spec.executables = []
-  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = %w[lib]
 
+  spec.add_dependency 'base64'
+
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop'
   spec.add_development_dependency 'simplecov'
 end

metadata

@@ -1,15 +1,28 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.3.0
+  version: 2.10.1
 platform: ruby
 authors:
 - Tim Rudat
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-03 00:00:00.000000000 Z
+date: 2024-12-26 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: appraisal
   requirement: !ruby/object:Gem::Requirement
@@ -66,6 +79,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -87,53 +114,74 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- ".github/workflows/test.yml"
-- ".gitignore"
-- ".rspec"
-- ".rubocop.yml"
-- ".rubocop_todo.yml"
-- ".sourcelevel.yml"
 - AUTHORS
-- Appraisals
 - CHANGELOG.md
-- Gemfile
+- CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
 - LICENSE
 - README.md
-- Rakefile
 - lib/jwt.rb
-- lib/jwt/algos.rb
-- lib/jwt/algos/ecdsa.rb
-- lib/jwt/algos/eddsa.rb
-- lib/jwt/algos/hmac.rb
-- lib/jwt/algos/none.rb
-- lib/jwt/algos/ps.rb
-- lib/jwt/algos/rsa.rb
-- lib/jwt/algos/unsupported.rb
 - lib/jwt/base64.rb
+- lib/jwt/claims.rb
+- lib/jwt/claims/audience.rb
+- lib/jwt/claims/crit.rb
+- lib/jwt/claims/decode_verifier.rb
+- lib/jwt/claims/expiration.rb
+- lib/jwt/claims/issued_at.rb
+- lib/jwt/claims/issuer.rb
+- lib/jwt/claims/jwt_id.rb
+- lib/jwt/claims/not_before.rb
+- lib/jwt/claims/numeric.rb
+- lib/jwt/claims/required.rb
+- lib/jwt/claims/subject.rb
+- lib/jwt/claims/verification_methods.rb
+- lib/jwt/claims/verifier.rb
 - lib/jwt/claims_validator.rb
+- lib/jwt/configuration.rb
+- lib/jwt/configuration/container.rb
+- lib/jwt/configuration/decode_configuration.rb
+- lib/jwt/configuration/jwk_configuration.rb
 - lib/jwt/decode.rb
-- lib/jwt/default_options.rb
+- lib/jwt/deprecations.rb
 - lib/jwt/encode.rb
+- lib/jwt/encoded_token.rb
 - lib/jwt/error.rb
 - lib/jwt/json.rb
+- lib/jwt/jwa.rb
+- lib/jwt/jwa/compat.rb
+- lib/jwt/jwa/ecdsa.rb
+- lib/jwt/jwa/eddsa.rb
+- lib/jwt/jwa/hmac.rb
+- lib/jwt/jwa/hmac_rbnacl.rb
+- lib/jwt/jwa/hmac_rbnacl_fixed.rb
+- lib/jwt/jwa/none.rb
+- lib/jwt/jwa/ps.rb
+- lib/jwt/jwa/rsa.rb
+- lib/jwt/jwa/signing_algorithm.rb
+- lib/jwt/jwa/unsupported.rb
+- lib/jwt/jwa/wrapper.rb
 - lib/jwt/jwk.rb
 - lib/jwt/jwk/ec.rb
 - lib/jwt/jwk/hmac.rb
 - lib/jwt/jwk/key_base.rb
 - lib/jwt/jwk/key_finder.rb
+- lib/jwt/jwk/kid_as_key_digest.rb
+- lib/jwt/jwk/okp_rbnacl.rb
 - lib/jwt/jwk/rsa.rb
-- lib/jwt/security_utils.rb
-- lib/jwt/signature.rb
+- lib/jwt/jwk/set.rb
+- lib/jwt/jwk/thumbprint.rb
+- lib/jwt/token.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
+- lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
 homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.3.0/CHANGELOG.md
-post_install_message:
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.10.1/CHANGELOG.md
+  rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths:
 - lib
@@ -141,15 +189,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '2.1'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.19
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []

data/.github/workflows/test.yml

@@ -1,74 +0,0 @@
----
-name: test
-on:
-  push:
-    branches:
-      - "*"
-  pull_request:
-    branches:
-      - "*"
-jobs:
-  lint:
-    name: RuboCop
-    timeout-minutes: 30
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: "2.4"
-        bundler-cache: true
-    - name: Run RuboCop
-      run: bundle exec rubocop
-  test:
-    strategy:
-      fail-fast: false
-      matrix:
-        ruby:
-          - 2.3
-          - 2.4
-          - 2.5
-          - 2.6
-          - 2.7
-          - "3.0"
-        gemfile:
-          - gemfiles/standalone.gemfile
-          - gemfiles/openssl.gemfile
-          - gemfiles/rbnacl.gemfile
-        experimental: [false]
-        include:
-          - ruby: 2.1
-            gemfile: 'gemfiles/rbnacl.gemfile'
-            experimental: false
-          - ruby: 2.2
-            gemfile: 'gemfiles/rbnacl.gemfile'
-            experimental: false
-          - ruby: 2.7
-            coverage: "true"
-            gemfile: 'gemfiles/rbnacl.gemfile'
-          - ruby: "ruby-head"
-            experimental: true
-          - ruby: "truffleruby-head"
-            experimental: true
-    runs-on: ubuntu-20.04
-    continue-on-error: ${{ matrix.experimental }}
-    env:
-      BUNDLE_GEMFILE: ${{ matrix.gemfile }}
-
-    steps:
-    - uses: actions/checkout@v2
-
-    - name: Install libsodium
-      run: |
-        sudo apt-get update -q
-        sudo apt-get install libsodium-dev -y
-
-    - name: Set up Ruby
-      uses: ruby/setup-ruby@v1
-      with:
-        ruby-version: ${{ matrix.ruby }}
-        bundler-cache: true
-
-    - name: Run tests
-      run: bundle exec rspec

data/.gitignore

@@ -1,11 +0,0 @@
-.idea/
-jwt.gemspec
-pkg
-Gemfile.lock
-coverage/
-.DS_Store
-.rbenv-gemsets
-.ruby-version
-.vscode/
-.bundle
-*gemfile.lock

data/.rspec

@@ -1,2 +0,0 @@
---require spec_helper
---color

data/.rubocop.yml

@@ -1,97 +0,0 @@
-inherit_from: .rubocop_todo.yml
-
-AllCops:
-  TargetRubyVersion: 2.1
-
-Layout/AlignParameters:
-  EnforcedStyle: with_fixed_indentation
-
-Layout/CaseIndentation:
-  EnforcedStyle: end
-
-Style/AsciiComments:
-  Enabled: false
-
-Layout/IndentHash:
-  Enabled: false
-
-Style/CollectionMethods:
-  Enabled: true
-  PreferredMethods:
-      inject: 'inject'
-
-Style/Documentation:
-  Enabled: false
-
-Style/BlockDelimiters:
-  Exclude:
-    - spec/**/*_spec.rb
-
-Style/BracesAroundHashParameters:
-  Exclude:
-    - spec/**/*_spec.rb
-
-Style/GuardClause:
-  Enabled: false
-
-Style/IfUnlessModifier:
-  Enabled: false
-
-Layout/SpaceInsideHashLiteralBraces:
-  Enabled: false
-
-Style/Lambda:
-  Enabled: false
-
-Style/RaiseArgs:
-  Enabled: false
-
-Style/SignalException:
-  Enabled: false
-
-Metrics/AbcSize:
-  Max: 20
-
-Metrics/ClassLength:
-  Max: 101
-
-Metrics/ModuleLength:
-  Max: 100
-
-Metrics/LineLength:
-  Enabled: false
-
-Metrics/BlockLength:
-  Exclude:
-    - spec/**/*_spec.rb
-
-Metrics/MethodLength:
-  Max: 15
-
-Style/SingleLineBlockParams:
-  Enabled: false
-
-Lint/EndAlignment:
-  EnforcedStyleAlignWith: variable
-
-Style/FormatString:
-  Enabled: false
-
-Layout/MultilineMethodCallIndentation:
-  EnforcedStyle: indented
-
-Layout/MultilineOperationIndentation:
-  EnforcedStyle: indented
-
-Style/WordArray:
-  Enabled: false
-
-Style/RedundantSelf:
-  Enabled: false
-
-Layout/AlignHash:
-  Enabled: true
-  EnforcedLastArgumentHashStyle: always_ignore
-
-Style/TrivialAccessors:
-  AllowPredicates: true