jwt 2.7.1 → 2.9.0

data/lib/jwt/algos/ps.rb

@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Ps
-      # RSASSA-PSS signing algorithms
-
-      module_function
-
-      SUPPORTED = %w[PS256 PS384 PS512].freeze
-
-      def sign(algorithm, msg, key)
-        require_openssl!
-
-        raise EncodeError, "The given key is a #{key_class}. It has to be an OpenSSL::PKey::RSA instance." if key.is_a?(String)
-
-        translated_algorithm = algorithm.sub('PS', 'sha')
-
-        key.sign_pss(translated_algorithm, msg, salt_length: :digest, mgf1_hash: translated_algorithm)
-      end
-
-      def verify(algorithm, public_key, signing_input, signature)
-        require_openssl!
-        translated_algorithm = algorithm.sub('PS', 'sha')
-        public_key.verify_pss(translated_algorithm, signature, signing_input, salt_length: :auto, mgf1_hash: translated_algorithm)
-      rescue OpenSSL::PKey::PKeyError
-        raise JWT::VerificationError, 'Signature verification raised'
-      end
-
-      def require_openssl!
-        if Object.const_defined?('OpenSSL')
-          if ::Gem::Version.new(OpenSSL::VERSION) < ::Gem::Version.new('2.1')
-            raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
-          end
-        else
-          raise JWT::RequiredDependencyError, 'PS signing requires OpenSSL +2.1'
-        end
-      end
-    end
-  end
-end

data/lib/jwt/algos/rsa.rb

@@ -1,23 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Rsa
-      module_function
-
-      SUPPORTED = %w[RS256 RS384 RS512].freeze
-
-      def sign(algorithm, msg, key)
-        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.instance_of?(String)
-
-        key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
-      end
-
-      def verify(algorithm, public_key, signing_input, signature)
-        public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-      rescue OpenSSL::PKey::PKeyError
-        raise JWT::VerificationError, 'Signature verification raised'
-      end
-    end
-  end
-end

data/lib/jwt/algos/unsupported.rb

@@ -1,19 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module Unsupported
-      module_function
-
-      SUPPORTED = [].freeze
-
-      def sign(*)
-        raise NotImplementedError, 'Unsupported signing method'
-      end
-
-      def verify(*)
-        raise JWT::VerificationError, 'Algorithm not supported'
-      end
-    end
-  end
-end

data/lib/jwt/algos.rb

@@ -1,66 +0,0 @@
-# frozen_string_literal: true
-
-begin
-  require 'rbnacl'
-rescue LoadError
-  raise if defined?(RbNaCl)
-end
-require 'openssl'
-
-require 'jwt/algos/hmac'
-require 'jwt/algos/eddsa'
-require 'jwt/algos/ecdsa'
-require 'jwt/algos/rsa'
-require 'jwt/algos/ps'
-require 'jwt/algos/none'
-require 'jwt/algos/unsupported'
-require 'jwt/algos/algo_wrapper'
-
-module JWT
-  module Algos
-    extend self
-
-    ALGOS = [Algos::Ecdsa,
-             Algos::Rsa,
-             Algos::Eddsa,
-             Algos::Ps,
-             Algos::None,
-             Algos::Unsupported].tap do |l|
-      if ::JWT.rbnacl_6_or_greater?
-        require_relative 'algos/hmac_rbnacl'
-        l.unshift(Algos::HmacRbNaCl)
-      elsif ::JWT.rbnacl?
-        require_relative 'algos/hmac_rbnacl_fixed'
-        l.unshift(Algos::HmacRbNaClFixed)
-      else
-        l.unshift(Algos::Hmac)
-      end
-    end.freeze
-
-    def find(algorithm)
-      indexed[algorithm && algorithm.downcase]
-    end
-
-    def create(algorithm)
-      Algos::AlgoWrapper.new(*find(algorithm))
-    end
-
-    def implementation?(algorithm)
-      (algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
-        (algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
-    end
-
-    private
-
-    def indexed
-      @indexed ||= begin
-        fallback = [nil, Algos::Unsupported]
-        ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
-          cls.const_get(:SUPPORTED).each do |alg|
-            hash[alg.downcase] = [alg, cls]
-          end
-        end
-      end
-    end
-  end
-end

data/lib/jwt/claims_validator.rb

@@ -1,37 +0,0 @@
-# frozen_string_literal: true
-
-require_relative './error'
-
-module JWT
-  class ClaimsValidator
-    NUMERIC_CLAIMS = %i[
-      exp
-      iat
-      nbf
-    ].freeze
-
-    def initialize(payload)
-      @payload = payload.transform_keys(&:to_sym)
-    end
-
-    def validate!
-      validate_numeric_claims
-
-      true
-    end
-
-    private
-
-    def validate_numeric_claims
-      NUMERIC_CLAIMS.each do |claim|
-        validate_is_numeric(claim) if @payload.key?(claim)
-      end
-    end
-
-    def validate_is_numeric(claim)
-      return if @payload[claim].is_a?(Numeric)
-
-      raise InvalidPayload, "#{claim} claim must be a Numeric value but it is a #{@payload[claim].class}"
-    end
-  end
-end

data/lib/jwt/verify.rb

@@ -1,113 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/error'
-
-module JWT
-  # JWT verify methods
-  class Verify
-    DEFAULTS = {
-      leeway: 0
-    }.freeze
-
-    class << self
-      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
-        define_method method_name do |payload, options|
-          new(payload, options).send(method_name)
-        end
-      end
-
-      def verify_claims(payload, options)
-        options.each do |key, val|
-          next unless key.to_s =~ /verify/
-
-          Verify.send(key, payload, options) if val
-        end
-      end
-    end
-
-    def initialize(payload, options)
-      @payload = payload
-      @options = DEFAULTS.merge(options)
-    end
-
-    def verify_aud
-      return unless (options_aud = @options[:aud])
-
-      aud = @payload['aud']
-      raise(JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}") if ([*aud] & [*options_aud]).empty?
-    end
-
-    def verify_expiration
-      return unless @payload.include?('exp')
-      raise(JWT::ExpiredSignature, 'Signature has expired') if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
-    end
-
-    def verify_iat
-      return unless @payload.include?('iat')
-
-      iat = @payload['iat']
-      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
-    end
-
-    def verify_iss
-      return unless (options_iss = @options[:iss])
-
-      iss = @payload['iss']
-
-      options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
-
-      case iss
-      when *options_iss
-        nil
-      else
-        raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
-      end
-    end
-
-    def verify_jti
-      options_verify_jti = @options[:verify_jti]
-      jti = @payload['jti']
-
-      if options_verify_jti.respond_to?(:call)
-        verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
-        raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
-      elsif jti.to_s.strip.empty?
-        raise(JWT::InvalidJtiError, 'Missing jti')
-      end
-    end
-
-    def verify_not_before
-      return unless @payload.include?('nbf')
-      raise(JWT::ImmatureSignature, 'Signature nbf has not been reached') if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
-    end
-
-    def verify_sub
-      return unless (options_sub = @options[:sub])
-
-      sub = @payload['sub']
-      raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
-    end
-
-    def verify_required_claims
-      return unless (options_required_claims = @options[:required_claims])
-
-      options_required_claims.each do |required_claim|
-        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
-      end
-    end
-
-    private
-
-    def global_leeway
-      @options[:leeway]
-    end
-
-    def exp_leeway
-      @options[:exp_leeway] || global_leeway
-    end
-
-    def nbf_leeway
-      @options[:nbf_leeway] || global_leeway
-    end
-  end
-end