jwt 2.3.0 → 2.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a43128b4e2f4d47a90b9834ad66b65411794d599660e459f3296ad5eea043a74
-  data.tar.gz: 158319e4108c4001f499fe13195d6659e90e741a1e563fbc6f531bf820fb50e8
+  metadata.gz: 11007e8ec36d148026cd5b6761681b0a71437b7b461efba4ae492622fc5ff27b
+  data.tar.gz: 8090bbba3dce57e42cc203ef168d3d00c624e79e076de0e949b4390b531b4d55
 SHA512:
-  metadata.gz: f2b714380b47796ead0390f84650d11b0c7a963256cb7475e122e71c7eebfd94af97bf029f091f7916c2c37819eef7795899112e0bdf685a5634445bdf307dce
-  data.tar.gz: a80b9e615d14c8fb673973b4bd9b76aaf2c9685298c0d2c2fd39a50902ddc62900ba2680b2c207593dfc9ea7993c72649c0e535d2a04c50d34c95c37c220b242
+  metadata.gz: a035f44be760ad325105329cbaec12e90515afdade9649e798ee5c7cefced3271d4f3084afeef693c03c961541d9e5e45b2876734d1947dccdd24cc194acbca2
+  data.tar.gz: 61e3d071ce44809767f3501f12b452cae574f9ea0de668ca937731838d58e2a9fa85831829ce564f6a015177a86b2a05b1b6ddf60ba34ac515ea12c69ac618fe

data/AUTHORS

@@ -1,6 +1,6 @@
 Tim Rudat
-Jeff Lindsay
 Joakim Antman
+Jeff Lindsay
 A.B
 shields
 Bob Aman
@@ -11,102 +11,109 @@ Nikita Shatov
 Paul Battley
 Oliver
 blackanger
-Adam Michael
-James Stonehill
 Ville Lautanala
 Tyler Pickett
-Peter M. Goldstein
+James Stonehill
+Adam Michael
 Martin Emde
+Saverio Trioni
+Peter M. Goldstein
 Korstiaan de Ridder
 Richard Larocque
 Andrew Davis
-Bill Mill
 Yason Khaburzaniya
-Steve Sloan
+Klaas Jan Wierenga
 Nick Hammond
+Bart de Water
+Steve Sloan
 Antonis Berkakis
-Klaas Jan Wierenga
-yann ARMAND
-Brian Flethcer
-Erik Michaels-Ober
-Jurriaan Pruis
+Bill Mill
 Kevin Olbrich
-Larry Lv
-Rodrigo López Dato
 Simon Fish
-Steven Davidovitz
-Tom Wey
 jb08
 lukas
+Rodrigo López Dato
 ojab
+Ritikesh
 sawyerzhang
+Larry Lv
 smudge
 wohlgejm
-Julio Lopez
-Katelyn Kasperowicz
-fusagiko/takayamaki
-Dorian Marié
-rono23
-Leonardo Saraiva
-Lowell Kirsh
-Lucas Mazza
-Makoto Chiba
-Manuel Bustillo
-Marco Adkins
-Dave Grijalva
-Micah Gates
-Michał Begejowicz
-Mike Eirih
-Mike Pastore
-Mingan
-Mitch Birti
-Dan Leyden
+Tom Wey
+yann ARMAND
+Brian Flethcer
+Jurriaan Pruis
+Erik Michaels-Ober
+Matthew Simpson
+Steven Davidovitz
 Nicolas Leger
-Brandon Keepers
-Bouke van der Bijl
-B
 Pierre Michard
 RahulBajaj
-Austin Kabiru
-Ritikesh
 Rob Wygand
-Adam Greene
 Ryan Brushett
 Ryan McIlmoyl
 Ryan Metzler
 Severin Schoepke
 Shaun Guth
-mai fujii
-Artsiom Kuts
 Steve Teti
-nycvotes-dev
 T.J. Schuck
 Taiki Sugawara
 Takehiro Adachi
-Arnaud Mesureur
 Tobias Haar
 Toby Pinder
-revodoge
 Tomé Duarte
 Travis Hunter
-Ariel Salomon
-Aman Gupta
-Alexandr Kostrikov
 Yuji Yaginuma
-Alexander Boyd
 Zuzanna Stolińska
 aarongray
+danielgrippi
+fusagiko/takayamaki
+mai fujii
+nycvotes-dev
+revodoge
+rono23
+antonmorant
+Adam Greene
+Alexander Boyd
+Alexandr Kostrikov
+Aman Gupta
+Ariel Salomon
+Arnaud Mesureur
+Artsiom Kuts
+Austin Kabiru
+B
+Bouke van der Bijl
+Brandon Keepers
+Dan Leyden
+Dave Grijalva
+Dmitry Pashkevich
+Dorian Marié
+Ernie Miller
+Evgeni Golov
+Ewoud Kohl van Wijngaarden
 HoneyryderChuck
 Igor Victor
 Ilyaaaaaaaaaaaaa Zhitomirskiy
-Ewoud Kohl van Wijngaarden
-Evgeni Golov
 Jens Hausherr
 Jeremiah Wuenschel
-Ernie Miller
 John Downey
 Jordan Brough
 Josh Bodah
 JotaSe
 Juanito Fatas
-danielgrippi
+Julio Lopez
+Katelyn Kasperowicz
+Leonardo Saraiva
+Lowell Kirsh
+Loïc Lengrand
+Lucas Mazza
+Makoto Chiba
+Manuel Bustillo
+Marco Adkins
+Meredith Leu
+Micah Gates
+Michał Begejowicz
+Mike Eirih
+Mike Pastore
+Mingan
+Mitch Birti

data/CHANGELOG.md

@@ -1,5 +1,86 @@
 # Changelog
 
+## [v2.7.1](https://github.com/jwt/ruby-jwt/tree/v2.8.0) (2023-06-09)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.7.0...v2.8.0)
+
+**Fixes and enhancements:**
+
+- Handle invalid algorithm when decoding JWT [#559](https://github.com/jwt/ruby-jwt/pull/559) - [@nataliastanko](https://github.com/nataliastanko)
+- Do not raise error when verifying bad HMAC signature [#563](https://github.com/jwt/ruby-jwt/pull/563) - [@hieuk09](https://github.com/hieuk09)
+
+## [v2.7.0](https://github.com/jwt/ruby-jwt/tree/v2.7.0) (2023-02-01)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.6.0...v2.7.0)
+
+**Features:**
+
+- Support OKP (Ed25519) keys for JWKs [#540](https://github.com/jwt/ruby-jwt/pull/540) ([@anakinj](https://github.com/anakinj))
+- JWK Sets can now be used for tokens with nil kid [#543](https://github.com/jwt/ruby-jwt/pull/543) ([@bellebaum](https://github.com/bellebaum))
+
+**Fixes and enhancements:**
+
+- Fix issue with multiple keys returned by keyfinder and multiple allowed algorithms [#545](https://github.com/jwt/ruby-jwt/pull/545) ([@mpospelov](https://github.com/mpospelov))
+- Non-string `kid` header values are now rejected [#543](https://github.com/jwt/ruby-jwt/pull/543) ([@bellebaum](https://github.com/bellebaum))
+
+## [v2.6.0](https://github.com/jwt/ruby-jwt/tree/v2.6.0) (2022-12-22)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.5.0...v2.6.0)
+
+**Features:**
+
+- Support custom algorithms by passing algorithm objects[#512](https://github.com/jwt/ruby-jwt/pull/512) ([@anakinj](https://github.com/anakinj)).
+- Support descriptive (not key related) JWK parameters[#520](https://github.com/jwt/ruby-jwt/pull/520) ([@bellebaum](https://github.com/bellebaum)).
+- Support for JSON Web Key Sets[#525](https://github.com/jwt/ruby-jwt/pull/525) ([@bellebaum](https://github.com/bellebaum)).
+- Support HMAC keys over 32 chars when using RbNaCl[#521](https://github.com/jwt/ruby-jwt/pull/521) ([@anakinj](https://github.com/anakinj)).
+
+**Fixes and enhancements:**
+
+- Raise descriptive error on empty hmac_secret and OpenSSL 3.0/openssl gem <3.0.1 [#530](https://github.com/jwt/ruby-jwt/pull/530) ([@jonmchan](https://github.com/jonmchan)).
+
+## [v2.5.0](https://github.com/jwt/ruby-jwt/tree/v2.5.0) (2022-08-25)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.4.1...v2.5.0)
+
+**Features:**
+
+- Support JWK thumbprints as key ids [#481](https://github.com/jwt/ruby-jwt/pull/481) ([@anakinj](https://github.com/anakinj)).
+- Support OpenSSL >= 3.0 [#496](https://github.com/jwt/ruby-jwt/pull/496) ([@anakinj](https://github.com/anakinj)).
+
+**Fixes and enhancements:**
+- Bring back the old Base64 (RFC2045) deocode mechanisms [#488](https://github.com/jwt/ruby-jwt/pull/488) ([@anakinj](https://github.com/anakinj)).
+- Rescue RbNaCl exception for EdDSA wrong key [#491](https://github.com/jwt/ruby-jwt/pull/491) ([@n-studio](https://github.com/n-studio)).
+- New parameter name for cases when kid is not found using JWK key loader proc [#501](https://github.com/jwt/ruby-jwt/pull/501) ([@anakinj](https://github.com/anakinj)).
+- Fix NoMethodError when a 2 segment token is missing 'alg' header [#502](https://github.com/jwt/ruby-jwt/pull/502) ([@cmrd-senya](https://github.com/cmrd-senya)).
+
+## [v2.4.1](https://github.com/jwt/ruby-jwt/tree/v2.4.1) (2022-06-07)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.4.0...v2.4.1)
+
+**Fixes and enhancements:**
+- Raise JWT::DecodeError on invalid signature [\#484](https://github.com/jwt/ruby-jwt/pull/484) ([@freakyfelt!](https://github.com/freakyfelt!)).
+
+## [v2.4.0](https://github.com/jwt/ruby-jwt/tree/v2.4.0) (2022-06-06)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.3.0...v2.4.0)
+
+**Features:**
+
+- Dropped support for Ruby 2.5 and older [#453](https://github.com/jwt/ruby-jwt/pull/453) - [@anakinj](https://github.com/anakinj).
+- Use Ruby built-in url-safe base64 methods [#454](https://github.com/jwt/ruby-jwt/pull/454) - [@bdewater](https://github.com/bdewater).
+- Updated rubocop to 1.23.0 [#457](https://github.com/jwt/ruby-jwt/pull/457) - [@anakinj](https://github.com/anakinj).
+- Add x5c header key finder [#338](https://github.com/jwt/ruby-jwt/pull/338) - [@bdewater](https://github.com/bdewater).
+- Author driven changelog process [#463](https://github.com/jwt/ruby-jwt/pull/463) - [@anakinj](https://github.com/anakinj).
+- Allow regular expressions and procs to verify issuer [\#437](https://github.com/jwt/ruby-jwt/pull/437) ([rewritten](https://github.com/rewritten)).
+- Add Support to be able to verify from multiple keys [\#425](https://github.com/jwt/ruby-jwt/pull/425) ([ritikesh](https://github.com/ritikesh)).
+
+**Fixes and enhancements:**
+- Readme: Typo fix re MissingRequiredClaim [\#451](https://github.com/jwt/ruby-jwt/pull/451) ([antonmorant](https://github.com/antonmorant)).
+- Fix RuboCop TODOs [\#476](https://github.com/jwt/ruby-jwt/pull/476) ([typhoon2099](https://github.com/typhoon2099)).
+- Make specific algorithms in README linkable [\#472](https://github.com/jwt/ruby-jwt/pull/472) ([milieu](https://github.com/milieu)).
+- Update note about supported JWK types [\#475](https://github.com/jwt/ruby-jwt/pull/475) ([dpashkevich](https://github.com/dpashkevich)).
+- Create CODE\_OF\_CONDUCT.md [\#449](https://github.com/jwt/ruby-jwt/pull/449) ([loic5](https://github.com/loic5)).
+
 ## [v2.3.0](https://github.com/jwt/ruby-jwt/tree/v2.3.0) (2021-10-03)
 
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.2.3...v2.3.0)
@@ -16,6 +97,7 @@
 
 **Merged pull requests:**
 
+- Release 2.3.0 [\#448](https://github.com/jwt/ruby-jwt/pull/448) ([excpt](https://github.com/excpt))
 - Fix Style/MultilineIfModifier issues [\#447](https://github.com/jwt/ruby-jwt/pull/447) ([anakinj](https://github.com/anakinj))
 - feat\(EdDSA\): Accept EdDSA as algorithm header [\#446](https://github.com/jwt/ruby-jwt/pull/446) ([Pierre-Michard](https://github.com/Pierre-Michard))
 - Pass kid param through JWT::JWK.create\_from [\#445](https://github.com/jwt/ruby-jwt/pull/445) ([shaun-guth-allscripts](https://github.com/shaun-guth-allscripts))

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,84 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at antmanj@gmail.com. All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior,  harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0,
+available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.

data/CONTRIBUTING.md

@@ -0,0 +1,99 @@
+# Contributing to [ruby-jwt](https://github.com/jwt/ruby-jwt)
+
+## Forking the project
+
+Fork the project on GitHub and clone your own fork. Instuctions on forking can be found from the [GitHub Docs](https://docs.github.com/en/get-started/quickstart/fork-a-repo)
+
+```
+git clone git@github.com:you/ruby-jwt.git
+cd ruby-jwt
+git remote add upstream https://github.com/jwt/ruby-jwt
+```
+
+## Create a branch for your implementation
+
+Make sure you have the latest upstream main branch of the project.
+
+```
+git fetch --all
+git checkout main
+git rebase upstream/main
+git push origin main
+git checkout -b fix-a-little-problem
+```
+
+## Running the tests and linter
+
+Before you start with your implementation make sure you are able to get a successful test run with the current revision.
+
+The tests are written with rspec and [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
+
+[Rubocop](https://github.com/rubocop/rubocop) is used to enforce the Ruby style.
+
+To run the complete set of tests and linter run the following
+
+```bash
+bundle install
+bundle exec appraisal rake test
+bundle exec rubocop
+```
+
+## Implement your feature
+
+Implement tests and your change. Don't be shy adding a little something in the [README](README.md).
+Add a short description of the change in either the `Features` or `Fixes` section in the [CHANGELOG](CHANGELOG.md) file.
+
+The form of the row (You need to return to the row when you know the pull request id)
+```
+- Fix a little problem [#123](https://github.com/jwt/ruby-jwt/pull/123) - [@you](https://github.com/you).
+```
+
+## Push your branch and create a pull request
+
+Before pushing make sure the tests pass and RuboCop is happy.
+
+```
+bundle exec appraisal rake test
+bundle exec rubocop
+git push origin fix-a-little-problem
+```
+
+Make a new pull request on the [ruby-jwt project](https://github.com/jwt/ruby-jwt/pulls) with a description what the change is about.
+
+## Update the CHANGELOG, again
+
+Update the [CHANGELOG](CHANGELOG.md) with the pull request id from the previous step.
+
+You can ammend the previous commit with the updated changelog change and force push your branch. The PR will get automatically updated.
+
+```
+git add CHANGELOG.md
+git commit --amend --no-edit
+git push origin fix-a-little-problem -f
+```
+
+## Keep an eye on your pull request
+
+A maintainer will review and probably merge you changes when time allows, be patient.
+
+## Keeping your branch up-to-date
+
+It's recommended that you keep your branch up-to-date by rebasing to the upstream main.
+
+```
+git fetch upstream
+git checkout fix-a-little-problem
+git rebase upstream/main
+git push origin fix-a-little-problem -f
+```
+
+# Releasing a new version
+
+The version is using the [Semantic Versioning](http://semver.org/) and the version is located in the [version.rb](lib/jwt/version.rb) file.
+Also update the [CHANGELOG](CHANGELOG.md) to reflect the upcoming version release.
+
+```bash
+rake release
+```
+
+**If you want a release cut with your PR, please include a version bump according to **