jwt 2.8.1 → 2.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: af3792b982f014801d3ff7ae3410be6bd1e0b27f199c500942eb86267bb2b764
-  data.tar.gz: c37fc4b72cf3819210b15164548eff44579de1e8f8c48d9ce35864a84f007d9a
+  metadata.gz: 0f3d3ea752a6b4dee8f1b020a3e0af95e003f74a8c40f730faab73b616fc9e98
+  data.tar.gz: 8dcdb470771f56931485824c32739bfcec1ce310b7096d6cd28c656d0f8c21fd
 SHA512:
-  metadata.gz: 3f61fd13a1d56c657691abb4bfde3671a7d93b5c853785b804c0d119d27f4641685828eb9c65a8e4856487782530e791ecbce5f1a5f1cb61c883daff97a44367
-  data.tar.gz: ef36aa81991e28cb9d3df65f1ebbeb6599eb99dee8e1953aff1a6231e91c6a3f9633e3afd22fbbc6c09f6318c4e516ee7a908428eee303f3952fed890395b267
+  metadata.gz: c68cccb66154a824751df6e7cd4d0b9d31372c0bada498097770feb8992ac3c7a462cd11eb759171d096e8d957b2a67b088fb35dc79fe7b4dd6eac6b25140d63
+  data.tar.gz: 03fe234584cce6458fb1a0f64cb399f81bc3c7aee40e25c011f0c27484ede3c6c6a6d950a9c5f3f13e4d66db5a76de98f2801942762df514097b2f663bf79247

data/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## [v2.9.0](https://github.com/jwt/ruby-jwt/tree/v2.9.0) (NEXT)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.2...v2.9.0)
+
+**Features:**
+
+- Build and push gem using a GH action [#612](https://github.com/jwt/ruby-jwt/pull/612) ([@anakinj](https://github.com/anakinj))
+
+**Fixes and enhancements:**
+
+- Refactor claim validators into their own classes [#605](https://github.com/jwt/ruby-jwt/pull/605) ([@anakinj](https://github.com/anakinj), [@MatteoPierro](https://github.com/MatteoPierro))
+- Allow extending available algorithms [#607](https://github.com/jwt/ruby-jwt/pull/607) ([@anakinj](https://github.com/anakinj))
+- Do not include the EdDSA algorithm if rbnacl not available [#613](https://github.com/jwt/ruby-jwt/pull/613) ([@anakinj](https://github.com/anakinj))
+
+## [v2.8.2](https://github.com/jwt/ruby-jwt/tree/v2.8.2) (2024-06-18)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.1...v2.8.2)
+
+**Fixes and enhancements:**
+
+- Print deprecation warnings only on when token decoding succeeds [#600](https://github.com/jwt/ruby-jwt/pull/600) ([@anakinj](https://github.com/anakinj))
+- Unify code style [#602](https://github.com/jwt/ruby-jwt/pull/602) ([@anakinj](https://github.com/anakinj))
+
 ## [v2.8.1](https://github.com/jwt/ruby-jwt/tree/v2.8.1) (2024-02-29)
 
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.0...v2.8.1)

data/README.md

@@ -223,18 +223,22 @@ puts decoded_token
 
 ### **Custom algorithms**
 
-An object implementing custom signing or verification behaviour can be passed in the `algorithm` option when encoding and decoding. The given object needs to implement the method `valid_alg?` and `verify` and/or `alg` and `sign`, depending if object is used for encoding or decoding.
+When encoding or decoding a token, you can pass in a custom object through the `algorithm` option to handle signing or verification. This custom object must include or extend the `JWT::JWA::SigningAlgorithm` module and implement certain methods:
+
+- For decoding/verifying: The object must implement the methods `alg` and `verify`.
+- For encoding/signing: The object must implement the methods `alg` and `sign`.
+
+For customization options check the details from `JWT::JWA::SigningAlgorithm`.
+
 
 ```ruby
 module CustomHS512Algorithm
+  extend JWT::JWA::SigningAlgorithm
+
   def self.alg
     'HS512'
   end
 
-  def self.valid_alg?(alg_to_validate)
-    alg_to_validate == alg
-  end
-
   def self.sign(data:, signing_key:)
     OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha512'), data, signing_key)
   end
@@ -690,21 +694,25 @@ jwk_hash = jwk.export
 thumbprint_as_the_kid = jwk_hash[:kid]
 ```
 
-# Development and Tests
+# Development and testing
 
-We depend on [Bundler](http://rubygems.org/gems/bundler) for defining gemspec and performing releases to rubygems.org, which can be done with
+The tests are written with rspec. [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
 
 ```bash
-rake release
+bundle install
+bundle exec appraisal rake test
 ```
 
-The tests are written with rspec. [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
+# Releasing
+
+To cut a new release adjust the [version.rb](lib/jwt/version.rb) and [CHANGELOG](CHANGELOG.md) with desired version numbers and dates and commit the changes. Tag the release with the version number using the following command:
 
 ```bash
-bundle install
-bundle exec appraisal rake test
+rake release:source_control_push
 ```
 
+This will tag a new version an trigger a [GitHub action](.github/workflows/push_gem.yml) that eventually will push the gem to rubygems.org.
+
 ## How to contribute
 See [CONTRIBUTING](CONTRIBUTING.md).
 

data/lib/jwt/base64.rb

@@ -20,7 +20,7 @@ module JWT
         raise Base64DecodeError, 'Invalid base64 encoding' if JWT.configuration.strict_base64_decoding
 
         loose_urlsafe_decode64(str).tap do
-          Deprecations.warning('Invalid base64 input detected, could be because of invalid padding, trailing whitespaces or newline chars. Graceful handling of invalid input will be dropped in the next major version of ruby-jwt')
+          Deprecations.warning('Invalid base64 input detected, could be because of invalid padding, trailing whitespaces or newline chars. Graceful handling of invalid input will be dropped in the next major version of ruby-jwt', only_if_valid: true)
         end
       end
 

data/lib/jwt/claims/audience.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Audience
+      def initialize(expected_audience:)
+        @expected_audience = expected_audience
+      end
+
+      def verify!(context:, **_args)
+        aud = context.payload['aud']
+        raise JWT::InvalidAudError, "Invalid audience. Expected #{expected_audience}, received #{aud || '<none>'}" if ([*aud] & [*expected_audience]).empty?
+      end
+
+      private
+
+      attr_reader :expected_audience
+    end
+  end
+end

data/lib/jwt/claims/expiration.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Expiration
+      def initialize(leeway:)
+        @leeway = leeway || 0
+      end
+
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('exp')
+
+        raise JWT::ExpiredSignature, 'Signature has expired' if context.payload['exp'].to_i <= (Time.now.to_i - leeway)
+      end
+
+      private
+
+      attr_reader :leeway
+    end
+  end
+end

data/lib/jwt/claims/issued_at.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class IssuedAt
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('iat')
+
+        iat = context.payload['iat']
+        raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(::Numeric) || iat.to_f > Time.now.to_f
+      end
+    end
+  end
+end

data/lib/jwt/claims/issuer.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Issuer
+      def initialize(issuers:)
+        @issuers = Array(issuers).map { |item| item.is_a?(Symbol) ? item.to_s : item }
+      end
+
+      def verify!(context:, **_args)
+        case (iss = context.payload['iss'])
+        when *issuers
+          nil
+        else
+          raise JWT::InvalidIssuerError, "Invalid issuer. Expected #{issuers}, received #{iss || '<none>'}"
+        end
+      end
+
+      private
+
+      attr_reader :issuers
+    end
+  end
+end

data/lib/jwt/claims/jwt_id.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class JwtId
+      def initialize(validator:)
+        @validator = validator
+      end
+
+      def verify!(context:, **_args)
+        jti = context.payload['jti']
+        if validator.respond_to?(:call)
+          verified = validator.arity == 2 ? validator.call(jti, context.payload) : validator.call(jti)
+          raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
+        elsif jti.to_s.strip.empty?
+          raise(JWT::InvalidJtiError, 'Missing jti')
+        end
+      end
+
+      private
+
+      attr_reader :validator
+    end
+  end
+end

data/lib/jwt/claims/not_before.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class NotBefore
+      def initialize(leeway:)
+        @leeway = leeway || 0
+      end
+
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('nbf')
+
+        raise JWT::ImmatureSignature, 'Signature nbf has not been reached' if context.payload['nbf'].to_i > (Time.now.to_i + leeway)
+      end
+
+      private
+
+      attr_reader :leeway
+    end
+  end
+end

data/lib/jwt/claims/numeric.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Numeric
+      def self.verify!(payload:, **_args)
+        return unless payload.is_a?(Hash)
+
+        new(payload).verify!
+      end
+
+      NUMERIC_CLAIMS = %i[
+        exp
+        iat
+        nbf
+      ].freeze
+
+      def initialize(payload)
+        @payload = payload.transform_keys(&:to_sym)
+      end
+
+      def verify!
+        validate_numeric_claims
+
+        true
+      end
+
+      private
+
+      def validate_numeric_claims
+        NUMERIC_CLAIMS.each do |claim|
+          validate_is_numeric(claim) if @payload.key?(claim)
+        end
+      end
+
+      def validate_is_numeric(claim)
+        return if @payload[claim].is_a?(::Numeric)
+
+        raise InvalidPayload, "#{claim} claim must be a Numeric value but it is a #{@payload[claim].class}"
+      end
+    end
+  end
+end

data/lib/jwt/claims/required.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Required
+      def initialize(required_claims:)
+        @required_claims = required_claims
+      end
+
+      def verify!(context:, **_args)
+        required_claims.each do |required_claim|
+          next if context.payload.is_a?(Hash) && context.payload.key?(required_claim)
+
+          raise JWT::MissingRequiredClaim, "Missing required claim #{required_claim}"
+        end
+      end
+
+      private
+
+      attr_reader :required_claims
+    end
+  end
+end

data/lib/jwt/claims/subject.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Subject
+      def initialize(expected_subject:)
+        @expected_subject = expected_subject.to_s
+      end
+
+      def verify!(context:, **_args)
+        sub = context.payload['sub']
+        raise(JWT::InvalidSubError, "Invalid subject. Expected #{expected_subject}, received #{sub || '<none>'}") unless sub.to_s == expected_subject
+      end
+
+      private
+
+      attr_reader :expected_subject
+    end
+  end
+end

data/lib/jwt/claims.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative 'claims/audience'
+require_relative 'claims/expiration'
+require_relative 'claims/issued_at'
+require_relative 'claims/issuer'
+require_relative 'claims/jwt_id'
+require_relative 'claims/not_before'
+require_relative 'claims/numeric'
+require_relative 'claims/required'
+require_relative 'claims/subject'
+
+module JWT
+  module Claims
+    VerificationContext = Struct.new(:payload, keyword_init: true)
+
+    VERIFIERS = {
+      verify_expiration: ->(options) { Claims::Expiration.new(leeway: options[:exp_leeway] || options[:leeway]) },
+      verify_not_before: ->(options) { Claims::NotBefore.new(leeway: options[:nbf_leeway] || options[:leeway]) },
+      verify_iss: ->(options) { Claims::Issuer.new(issuers: options[:iss]) },
+      verify_iat: ->(*) { Claims::IssuedAt.new },
+      verify_jti: ->(options) { Claims::JwtId.new(validator: options[:verify_jti]) },
+      verify_aud: ->(options) { Claims::Audience.new(expected_audience: options[:aud]) },
+      verify_sub: ->(options) { options[:sub] && Claims::Subject.new(expected_subject: options[:sub]) },
+      required_claims: ->(options) { Claims::Required.new(required_claims: options[:required_claims]) }
+    }.freeze
+
+    class << self
+      def verify!(payload, options)
+        VERIFIERS.each do |key, verifier_builder|
+          next unless options[key]
+
+          verifier_builder&.call(options)&.verify!(context: VerificationContext.new(payload: payload))
+        end
+      end
+    end
+  end
+end

data/lib/jwt/configuration/jwk_configuration.rb

@@ -18,7 +18,7 @@ module JWT
                                JWT::JWK::Thumbprint
                              else
                                raise ArgumentError, "#{value} is not a valid kid generator type."
-        end
+                             end
       end
 
       attr_accessor :kid_generator

data/lib/jwt/decode.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 require 'json'
-
-require 'jwt/verify'
 require 'jwt/x5c_key_finder'
 
 # JWT::Decode module
@@ -10,7 +8,7 @@ module JWT
   # Decoding logic for JWT
   class Decode
     def initialize(jwt, key, verify, options, &keyfinder)
-      raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
+      raise JWT::DecodeError, 'Nil JSON web token' unless jwt
 
       @jwt = jwt
       @key = key
@@ -30,7 +28,7 @@ module JWT
         verify_signature
         verify_claims
       end
-      raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
+      raise JWT::DecodeError, 'Not enough or too many segments' unless header && payload
 
       [payload, header]
     end
@@ -46,21 +44,21 @@ module JWT
 
       return if Array(@key).any? { |key| verify_signature_for?(key) }
 
-      raise(JWT::VerificationError, 'Signature verification failed')
+      raise JWT::VerificationError, 'Signature verification failed'
     end
 
     def verify_algo
-      raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
-      raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless alg_in_header
-      raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') if allowed_and_valid_algorithms.empty?
+      raise JWT::IncorrectAlgorithm, 'An algorithm must be specified' if allowed_algorithms.empty?
+      raise JWT::IncorrectAlgorithm, 'Token is missing alg header' unless alg_in_header
+      raise JWT::IncorrectAlgorithm, 'Expected a different algorithm' if allowed_and_valid_algorithms.empty?
     end
 
     def set_key
       @key = find_key(&@keyfinder) if @keyfinder
       @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).key_for(header['kid']) if @options[:jwks]
-      if (x5c_options = @options[:x5c])
-        @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(header['x5c'])
-      end
+      return unless (x5c_options = @options[:x5c])
+
+      @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(header['x5c'])
     end
 
     def verify_signature_for?(key)
@@ -92,7 +90,7 @@ module JWT
     end
 
     def resolve_allowed_algorithms
-      algs = given_algorithms.map { |alg| JWA.create(alg) }
+      algs = given_algorithms.map { |alg| JWA.resolve(alg) }
 
       sort_by_alg_header(algs)
     end
@@ -113,8 +111,7 @@ module JWT
     end
 
     def verify_claims
-      Verify.verify_claims(payload, @options)
-      Verify.verify_required_claims(payload, @options)
+      Claims.verify!(payload, @options)
     end
 
     def validate_segment_count!
@@ -122,7 +119,7 @@ module JWT
       return if !@verify && segment_length == 2 # If no verifying required, the signature is not needed
       return if segment_length == 2 && none_algorithm?
 
-      raise(JWT::DecodeError, 'Not enough or too many segments')
+      raise JWT::DecodeError, 'Not enough or too many segments'
     end
 
     def segment_length

data/lib/jwt/deprecations.rb

@@ -4,15 +4,34 @@ module JWT
   # Deprecations module to handle deprecation warnings in the gem
   module Deprecations
     class << self
-      def warning(message)
+      def context
+        yield.tap { emit_warnings }
+      ensure
+        Thread.current[:jwt_warning_store] = nil
+      end
+
+      def warning(message, only_if_valid: false)
+        method_name = only_if_valid ? :store : :warn
         case JWT.configuration.deprecation_warnings
-        when :warn
-          warn("[DEPRECATION WARNING] #{message}")
         when :once
           return if record_warned(message)
-
-          warn("[DEPRECATION WARNING] #{message}")
+        when :warn
+          # noop
+        else
+          return
         end
+
+        send(method_name, "[DEPRECATION WARNING] #{message}")
+      end
+
+      def store(message)
+        (Thread.current[:jwt_warning_store] ||= []) << message
+      end
+
+      def emit_warnings
+        return if Thread.current[:jwt_warning_store].nil?
+
+        Thread.current[:jwt_warning_store].each { |warning| warn(warning) }
       end
 
       private

data/lib/jwt/encode.rb

@@ -1,20 +1,16 @@
 # frozen_string_literal: true
 
 require_relative 'jwa'
-require_relative 'claims_validator'
 
 # JWT::Encode module
 module JWT
   # Encoding logic for JWT
   class Encode
-    ALG_KEY = 'alg'
-
     def initialize(options)
       @payload          = options[:payload]
       @key              = options[:key]
-      @algorithm        = JWA.create(options[:algorithm])
+      @algorithm        = JWA.resolve(options[:algorithm])
       @headers          = options[:headers].transform_keys(&:to_s)
-      @headers[ALG_KEY] = @algorithm.alg
     end
 
     def segments
@@ -41,7 +37,7 @@ module JWT
     end
 
     def encode_header
-      encode_data(@headers)
+      encode_data(@headers.merge(@algorithm.header(signing_key: @key)))
     end
 
     def encode_payload
@@ -55,7 +51,7 @@ module JWT
     def validate_claims!
       return unless @payload.is_a?(Hash)
 
-      ClaimsValidator.new(@payload).validate!
+      Claims::Numeric.new(@payload).verify!
     end
 
     def encode_signature

data/lib/jwt/jwa/ecdsa.rb

@@ -2,8 +2,35 @@
 
 module JWT
   module JWA
-    module Ecdsa
-      module_function
+    class Ecdsa
+      include JWT::JWA::SigningAlgorithm
+
+      def initialize(alg, digest)
+        @alg = alg
+        @digest = OpenSSL::Digest.new(digest)
+      end
+
+      def sign(data:, signing_key:)
+        curve_definition = curve_by_name(signing_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
+        if alg != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} signing key was provided"
+        end
+
+        asn1_to_raw(signing_key.dsa_sign_asn1(digest.digest(data)), signing_key)
+      end
+
+      def verify(data:, signature:, verification_key:)
+        curve_definition = curve_by_name(verification_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
+        if alg != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} verification key was provided"
+        end
+
+        verification_key.dsa_verify_asn1(digest.digest(data), raw_to_asn1(signature, verification_key))
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
+      end
 
       NAMED_CURVES = {
         'prime256v1' => {
@@ -28,36 +55,22 @@ module JWT
         }
       }.freeze
 
-      SUPPORTED = NAMED_CURVES.map { |_, c| c[:algorithm] }.uniq.freeze
+      NAMED_CURVES.each_value do |v|
+        register_algorithm(new(v[:algorithm], v[:digest]))
+      end
 
-      def sign(algorithm, msg, key)
-        curve_definition = curve_by_name(key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
+      def self.curve_by_name(name)
+        NAMED_CURVES.fetch(name) do
+          raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
-
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
 
-      def verify(algorithm, public_key, signing_input, signature)
-        curve_definition = curve_by_name(public_key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-        end
+      private
 
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
-      rescue OpenSSL::PKey::PKeyError
-        raise JWT::VerificationError, 'Signature verification raised'
-      end
+      attr_reader :digest
 
       def curve_by_name(name)
-        NAMED_CURVES.fetch(name) do
-          raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
-        end
+        self.class.curve_by_name(name)
       end
 
       def raw_to_asn1(signature, private_key)