jwt 2.8.1 → 2.9.0

data/lib/jwt/jwk/ec.rb

@@ -153,26 +153,26 @@ module JWT
           )
 
           sequence = if jwk_d
-            # https://datatracker.ietf.org/doc/html/rfc5915.html
-            # ECPrivateKey ::= SEQUENCE {
-            #   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
-            #   privateKey     OCTET STRING,
-            #   parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
-            #   publicKey  [1] BIT STRING OPTIONAL
-            # }
-
-            OpenSSL::ASN1::Sequence([
-                                      OpenSSL::ASN1::Integer(1),
-                                      OpenSSL::ASN1::OctetString(OpenSSL::BN.new(decode_octets(jwk_d), 2).to_s(2)),
-                                      OpenSSL::ASN1::ObjectId(curve, 0, :EXPLICIT),
-                                      OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed), 1, :EXPLICIT)
-                                    ])
-          else
-            OpenSSL::ASN1::Sequence([
-                                      OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('id-ecPublicKey'), OpenSSL::ASN1::ObjectId(curve)]),
-                                      OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
-                                    ])
-          end
+                       # https://datatracker.ietf.org/doc/html/rfc5915.html
+                       # ECPrivateKey ::= SEQUENCE {
+                       #   version        INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1),
+                       #   privateKey     OCTET STRING,
+                       #   parameters [0] ECParameters {{ NamedCurve }} OPTIONAL,
+                       #   publicKey  [1] BIT STRING OPTIONAL
+                       # }
+
+                       OpenSSL::ASN1::Sequence([
+                                                 OpenSSL::ASN1::Integer(1),
+                                                 OpenSSL::ASN1::OctetString(OpenSSL::BN.new(decode_octets(jwk_d), 2).to_s(2)),
+                                                 OpenSSL::ASN1::ObjectId(curve, 0, :EXPLICIT),
+                                                 OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed), 1, :EXPLICIT)
+                                               ])
+                     else
+                       OpenSSL::ASN1::Sequence([
+                                                 OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('id-ecPublicKey'), OpenSSL::ASN1::ObjectId(curve)]),
+                                                 OpenSSL::ASN1::BitString(point.to_octet_string(:uncompressed))
+                                               ])
+                     end
 
           OpenSSL::PKey::EC.new(sequence.to_der)
         end

data/lib/jwt/jwk/key_finder.rb

@@ -8,10 +8,10 @@ module JWT
         jwks_or_loader = options[:jwks]
 
         @jwks_loader = if jwks_or_loader.respond_to?(:call)
-          jwks_or_loader
-        else
-          ->(_options) { jwks_or_loader }
-        end
+                         jwks_or_loader
+                       else
+                         ->(_options) { jwks_or_loader }
+                       end
       end
 
       def key_for(kid)

data/lib/jwt/jwk/set.rb

@@ -25,7 +25,7 @@ module JWT
                   jwks.map { |k| JWT::JWK.new(k, nil, options) }
                 else
                   raise ArgumentError, 'Can only create new JWKS from Hash, Array and JWK'
-        end
+                end
       end
 
       def export(options = {})

data/lib/jwt/version.rb

@@ -11,9 +11,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 8
+    MINOR = 9
     # tiny version
-    TINY  = 1
+    TINY  = 0
     # alpha, beta, etc. tag
     PRE   = nil
 

data/lib/jwt/x5c_key_finder.rb

@@ -7,7 +7,7 @@ module JWT
   # See https://tools.ietf.org/html/rfc7515#section-4.1.6
   class X5cKeyFinder
     def initialize(root_certificates, crls = nil)
-      raise(ArgumentError, 'Root certificates must be specified') unless root_certificates
+      raise ArgumentError, 'Root certificates must be specified' unless root_certificates
 
       @store = build_store(root_certificates, crls)
     end
@@ -24,7 +24,7 @@ module JWT
           error = "#{error} Certificate subject: #{current_cert.subject}."
         end
 
-        raise(JWT::VerificationError, error)
+        raise JWT::VerificationError, error
       end
     end
 

data/lib/jwt.rb

@@ -9,6 +9,7 @@ require 'jwt/deprecations'
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
+require 'jwt/claims'
 
 # JSON Web Token implementation
 #
@@ -27,6 +28,8 @@ module JWT
   end
 
   def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
-    Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
+    Deprecations.context do
+      Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.8.1
+  version: 2.9.0
 platform: ruby
 authors:
 - Tim Rudat
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-02-29 00:00:00.000000000 Z
+date: 2024-09-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -123,7 +123,16 @@ files:
 - README.md
 - lib/jwt.rb
 - lib/jwt/base64.rb
-- lib/jwt/claims_validator.rb
+- lib/jwt/claims.rb
+- lib/jwt/claims/audience.rb
+- lib/jwt/claims/expiration.rb
+- lib/jwt/claims/issued_at.rb
+- lib/jwt/claims/issuer.rb
+- lib/jwt/claims/jwt_id.rb
+- lib/jwt/claims/not_before.rb
+- lib/jwt/claims/numeric.rb
+- lib/jwt/claims/required.rb
+- lib/jwt/claims/subject.rb
 - lib/jwt/configuration.rb
 - lib/jwt/configuration/container.rb
 - lib/jwt/configuration/decode_configuration.rb
@@ -142,6 +151,7 @@ files:
 - lib/jwt/jwa/none.rb
 - lib/jwt/jwa/ps.rb
 - lib/jwt/jwa/rsa.rb
+- lib/jwt/jwa/signing_algorithm.rb
 - lib/jwt/jwa/unsupported.rb
 - lib/jwt/jwa/wrapper.rb
 - lib/jwt/jwk.rb
@@ -154,7 +164,6 @@ files:
 - lib/jwt/jwk/rsa.rb
 - lib/jwt/jwk/set.rb
 - lib/jwt/jwk/thumbprint.rb
-- lib/jwt/verify.rb
 - lib/jwt/version.rb
 - lib/jwt/x5c_key_finder.rb
 - ruby-jwt.gemspec
@@ -163,9 +172,9 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.8.1/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.9.0/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -180,8 +189,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 3.5.16
+signing_key: 
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []

data/lib/jwt/claims_validator.rb

@@ -1,37 +0,0 @@
-# frozen_string_literal: true
-
-require_relative 'error'
-
-module JWT
-  class ClaimsValidator
-    NUMERIC_CLAIMS = %i[
-      exp
-      iat
-      nbf
-    ].freeze
-
-    def initialize(payload)
-      @payload = payload.transform_keys(&:to_sym)
-    end
-
-    def validate!
-      validate_numeric_claims
-
-      true
-    end
-
-    private
-
-    def validate_numeric_claims
-      NUMERIC_CLAIMS.each do |claim|
-        validate_is_numeric(claim) if @payload.key?(claim)
-      end
-    end
-
-    def validate_is_numeric(claim)
-      return if @payload[claim].is_a?(Numeric)
-
-      raise InvalidPayload, "#{claim} claim must be a Numeric value but it is a #{@payload[claim].class}"
-    end
-  end
-end

data/lib/jwt/verify.rb

@@ -1,117 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/error'
-
-module JWT
-  # JWT verify methods
-  class Verify
-    DEFAULTS = {
-      leeway: 0
-    }.freeze
-
-    class << self
-      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
-        define_method method_name do |payload, options|
-          new(payload, options).send(method_name)
-        end
-      end
-
-      def verify_claims(payload, options)
-        options.each do |key, val|
-          next unless key.to_s =~ /verify/
-
-          Verify.send(key, payload, options) if val
-        end
-      end
-    end
-
-    def initialize(payload, options)
-      @payload = payload
-      @options = DEFAULTS.merge(options)
-    end
-
-    def verify_aud
-      return unless (options_aud = @options[:aud])
-
-      aud = @payload['aud']
-      raise(JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}") if ([*aud] & [*options_aud]).empty?
-    end
-
-    def verify_expiration
-      return unless contains_key?(@payload, 'exp')
-      raise(JWT::ExpiredSignature, 'Signature has expired') if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
-    end
-
-    def verify_iat
-      return unless contains_key?(@payload, 'iat')
-
-      iat = @payload['iat']
-      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
-    end
-
-    def verify_iss
-      return unless (options_iss = @options[:iss])
-
-      iss = @payload['iss']
-
-      options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
-
-      case iss
-      when *options_iss
-        nil
-      else
-        raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
-      end
-    end
-
-    def verify_jti
-      options_verify_jti = @options[:verify_jti]
-      jti = @payload['jti']
-
-      if options_verify_jti.respond_to?(:call)
-        verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
-        raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
-      elsif jti.to_s.strip.empty?
-        raise(JWT::InvalidJtiError, 'Missing jti')
-      end
-    end
-
-    def verify_not_before
-      return unless contains_key?(@payload, 'nbf')
-      raise(JWT::ImmatureSignature, 'Signature nbf has not been reached') if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
-    end
-
-    def verify_sub
-      return unless (options_sub = @options[:sub])
-
-      sub = @payload['sub']
-      raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
-    end
-
-    def verify_required_claims
-      return unless (options_required_claims = @options[:required_claims])
-
-      options_required_claims.each do |required_claim|
-        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless contains_key?(@payload, required_claim)
-      end
-    end
-
-    private
-
-    def global_leeway
-      @options[:leeway]
-    end
-
-    def exp_leeway
-      @options[:exp_leeway] || global_leeway
-    end
-
-    def nbf_leeway
-      @options[:nbf_leeway] || global_leeway
-    end
-
-    def contains_key?(payload, key)
-      payload.respond_to?(:key?) && payload.key?(key)
-    end
-  end
-end