RubyGems - jwt - Versions diffs - 2.8.2 → 2.10.2 - Mend

jwt 2.8.2 → 2.10.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (57) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +79 -0
data/README.md +189 -93
data/lib/jwt/base64.rb +3 -0
data/lib/jwt/claims/audience.rb +30 -0
data/lib/jwt/claims/crit.rb +35 -0
data/lib/jwt/claims/decode_verifier.rb +40 -0
data/lib/jwt/claims/expiration.rb +32 -0
data/lib/jwt/claims/issued_at.rb +22 -0
data/lib/jwt/claims/issuer.rb +34 -0
data/lib/jwt/claims/jwt_id.rb +35 -0
data/lib/jwt/claims/not_before.rb +32 -0
data/lib/jwt/claims/numeric.rb +77 -0
data/lib/jwt/claims/required.rb +33 -0
data/lib/jwt/claims/subject.rb +30 -0
data/lib/jwt/claims/verification_methods.rb +20 -0
data/lib/jwt/claims/verifier.rb +61 -0
data/lib/jwt/claims.rb +74 -0
data/lib/jwt/claims_validator.rb +6 -25
data/lib/jwt/configuration/container.rb +20 -0
data/lib/jwt/configuration/decode_configuration.rb +24 -0
data/lib/jwt/configuration/jwk_configuration.rb +1 -0
data/lib/jwt/configuration.rb +8 -0
data/lib/jwt/decode.rb +28 -70
data/lib/jwt/deprecations.rb +1 -0
data/lib/jwt/encode.rb +17 -60
data/lib/jwt/encoded_token.rb +139 -0
data/lib/jwt/error.rb +34 -0
data/lib/jwt/json.rb +1 -1
data/lib/jwt/jwa/compat.rb +32 -0
data/lib/jwt/jwa/ecdsa.rb +39 -25
data/lib/jwt/jwa/eddsa.rb +20 -27
data/lib/jwt/jwa/hmac.rb +25 -18
data/lib/jwt/jwa/hmac_rbnacl.rb +43 -43
data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +40 -39
data/lib/jwt/jwa/none.rb +8 -3
data/lib/jwt/jwa/ps.rb +20 -15
data/lib/jwt/jwa/rsa.rb +20 -10
data/lib/jwt/jwa/signing_algorithm.rb +63 -0
data/lib/jwt/jwa/unsupported.rb +9 -8
data/lib/jwt/jwa/wrapper.rb +27 -9
data/lib/jwt/jwa.rb +30 -34
data/lib/jwt/jwk/ec.rb +2 -3
data/lib/jwt/jwk/hmac.rb +2 -3
data/lib/jwt/jwk/key_base.rb +1 -0
data/lib/jwt/jwk/key_finder.rb +1 -0
data/lib/jwt/jwk/kid_as_key_digest.rb +1 -0
data/lib/jwt/jwk/okp_rbnacl.rb +3 -4
data/lib/jwt/jwk/rsa.rb +2 -3
data/lib/jwt/jwk/set.rb +2 -0
data/lib/jwt/jwk.rb +1 -0
data/lib/jwt/token.rb +112 -0
data/lib/jwt/verify.rb +16 -93
data/lib/jwt/version.rb +30 -9
data/lib/jwt.rb +20 -0
data/ruby-jwt.gemspec +1 -0
metadata +36 -7

data/lib/jwt/decode.rb CHANGED Viewed

@@ -1,72 +1,69 @@
 # frozen_string_literal: true
 require 'json'
-require 'jwt/verify'
 require 'jwt/x5c_key_finder'
-# JWT::Decode module
 module JWT
-  # Decoding logic for JWT
+  # The Decode class is responsible for decoding and verifying JWT tokens.
   class Decode
+    # Initializes a new Decode instance.
+    #
+    # @param jwt [String] the JWT to decode.
+    # @param key [String, Array<String>] the key(s) to use for verification.
+    # @param verify [Boolean] whether to verify the token's signature.
+    # @param options [Hash] additional options for decoding and verification.
+    # @param keyfinder [Proc] an optional key finder block to dynamically find the key for verification.
+    # @raise [JWT::DecodeError] if decoding or verification fails.
     def initialize(jwt, key, verify, options, &keyfinder)
       raise JWT::DecodeError, 'Nil JSON web token' unless jwt
-      @jwt = jwt
+      @token = EncodedToken.new(jwt)
       @key = key
       @options = options
-      @segments = jwt.split('.')
       @verify = verify
-      @signature = ''
       @keyfinder = keyfinder
     end
+    # Decodes the JWT token and verifies its segments if verification is enabled.
+    #
+    # @return [Array<Hash>] an array containing the decoded payload and header.
     def decode_segments
       validate_segment_count!
       if @verify
-        decode_signature
         verify_algo
         set_key
         verify_signature
-        verify_claims
+        Claims::DecodeVerifier.verify!(token.payload, @options)
       end
-      raise JWT::DecodeError, 'Not enough or too many segments' unless header && payload
-      [payload, header]
+      [token.payload, token.header]
     end
     private
-    def verify_signature
-      return unless @key || @verify
+    attr_reader :token
+    def verify_signature
       return if none_algorithm?
       raise JWT::DecodeError, 'No verification key available' unless @key
-      return if Array(@key).any? { |key| verify_signature_for?(key) }
-      raise JWT::VerificationError, 'Signature verification failed'
+      token.verify_signature!(algorithm: allowed_and_valid_algorithms, key: @key)
     end
     def verify_algo
       raise JWT::IncorrectAlgorithm, 'An algorithm must be specified' if allowed_algorithms.empty?
+      raise JWT::DecodeError, 'Token header not a JSON object' unless token.header.is_a?(Hash)
       raise JWT::IncorrectAlgorithm, 'Token is missing alg header' unless alg_in_header
       raise JWT::IncorrectAlgorithm, 'Expected a different algorithm' if allowed_and_valid_algorithms.empty?
     end
     def set_key
       @key = find_key(&@keyfinder) if @keyfinder
-      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).key_for(header['kid']) if @options[:jwks]
+      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).key_for(token.header['kid']) if @options[:jwks]
       return unless (x5c_options = @options[:x5c])
-      @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(header['x5c'])
-    end
-    def verify_signature_for?(key)
-      allowed_and_valid_algorithms.any? do |alg|
-        alg.verify(data: signing_input, signature: @signature, verification_key: key)
-      end
+      @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(token.header['x5c'])
     end
     def allowed_and_valid_algorithms
@@ -92,71 +89,32 @@ module JWT
     end
     def resolve_allowed_algorithms
-      algs = given_algorithms.map { |alg| JWA.create(alg) }
-      sort_by_alg_header(algs)
-    end
-    # Move algorithms matching the JWT alg header to the beginning of the list
-    def sort_by_alg_header(algs)
-      return algs if algs.size <= 1
-      algs.partition { |alg| alg.valid_alg?(alg_in_header) }.flatten
+      given_algorithms.map { |alg| JWA.resolve(alg) }
     end
     def find_key(&keyfinder)
-      key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header))
+      key = (keyfinder.arity == 2 ? yield(token.header, token.payload) : yield(token.header))
       # key can be of type [string, nil, OpenSSL::PKey, Array]
       return key if key && !Array(key).empty?
       raise JWT::DecodeError, 'No verification key available'
     end
-    def verify_claims
-      Verify.verify_claims(payload, @options)
-      Verify.verify_required_claims(payload, @options)
-    end
     def validate_segment_count!
-      return if segment_length == 3
-      return if !@verify && segment_length == 2 # If no verifying required, the signature is not needed
-      return if segment_length == 2 && none_algorithm?
+      segment_count = token.jwt.count('.') + 1
+      return if segment_count == 3
+      return if !@verify && segment_count == 2 # If no verifying required, the signature is not needed
+      return if segment_count == 2 && none_algorithm?
       raise JWT::DecodeError, 'Not enough or too many segments'
     end
-    def segment_length
-      @segments.count
-    end
     def none_algorithm?
       alg_in_header == 'none'
     end
-    def decode_signature
-      @signature = ::JWT::Base64.url_decode(@segments[2] || '')
-    end
     def alg_in_header
-      header['alg']
-    end
-    def header
-      @header ||= parse_and_decode @segments[0]
-    end
-    def payload
-      @payload ||= parse_and_decode @segments[1]
-    end
-    def signing_input
-      @segments.first(2).join('.')
-    end
-    def parse_and_decode(segment)
-      JWT::JSON.parse(::JWT::Base64.url_decode(segment))
-    rescue ::JSON::ParserError
-      raise JWT::DecodeError, 'Invalid segment encoding'
+      token.header['alg']
     end
   end
 end

data/lib/jwt/deprecations.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 module JWT
   # Deprecations module to handle deprecation warnings in the gem
+  # @api private
   module Deprecations
     class << self
       def context

data/lib/jwt/encode.rb CHANGED Viewed

@@ -1,73 +1,30 @@
 # frozen_string_literal: true
 require_relative 'jwa'
-require_relative 'claims_validator'
-# JWT::Encode module
 module JWT
-  # Encoding logic for JWT
+  # The Encode class is responsible for encoding JWT tokens.
   class Encode
-    ALG_KEY = 'alg'
+    # Initializes a new Encode instance.
+    #
+    # @param options [Hash] the options for encoding the JWT token.
+    # @option options [Hash] :payload the payload of the JWT token.
+    # @option options [Hash] :headers the headers of the JWT token.
+    # @option options [String] :key the key used to sign the JWT token.
+    # @option options [String] :algorithm the algorithm used to sign the JWT token.
     def initialize(options)
-      @payload          = options[:payload]
-      @key              = options[:key]
-      @algorithm        = JWA.create(options[:algorithm])
-      @headers          = options[:headers].transform_keys(&:to_s)
-      @headers[ALG_KEY] = @algorithm.alg
+      @token     = Token.new(payload: options[:payload], header: options[:headers])
+      @key       = options[:key]
+      @algorithm = options[:algorithm]
     end
+    # Encodes the JWT token and returns its segments.
+    #
+    # @return [String] the encoded JWT token.
     def segments
-      validate_claims!
-      combine(encoded_header_and_payload, encoded_signature)
-    end
-    private
-    def encoded_header
-      @encoded_header ||= encode_header
-    end
-    def encoded_payload
-      @encoded_payload ||= encode_payload
-    end
-    def encoded_signature
-      @encoded_signature ||= encode_signature
-    end
-    def encoded_header_and_payload
-      @encoded_header_and_payload ||= combine(encoded_header, encoded_payload)
-    end
-    def encode_header
-      encode_data(@headers)
-    end
-    def encode_payload
-      encode_data(@payload)
-    end
-    def signature
-      @algorithm.sign(data: encoded_header_and_payload, signing_key: @key)
-    end
-    def validate_claims!
-      return unless @payload.is_a?(Hash)
-      ClaimsValidator.new(@payload).validate!
-    end
-    def encode_signature
-      ::JWT::Base64.url_encode(signature)
-    end
-    def encode_data(data)
-      ::JWT::Base64.url_encode(JWT::JSON.generate(data))
-    end
-    def combine(*parts)
-      parts.join('.')
+      @token.verify_claims!(:numeric)
+      @token.sign!(algorithm: @algorithm, key: @key)
+      @token.jwt
     end
   end
 end

data/lib/jwt/encoded_token.rb ADDED Viewed

@@ -0,0 +1,139 @@
+# frozen_string_literal: true
+module JWT
+  # Represents an encoded JWT token
+  #
+  # Processing an encoded and signed token:
+  #
+  #   token = JWT::Token.new(payload: {pay: 'load'})
+  #   token.sign!(algorithm: 'HS256', key: 'secret')
+  #
+  #   encoded_token = JWT::EncodedToken.new(token.jwt)
+  #   encoded_token.verify_signature!(algorithm: 'HS256', key: 'secret')
+  #   encoded_token.payload # => {'pay' => 'load'}
+  class EncodedToken
+    include Claims::VerificationMethods
+    # Returns the original token provided to the class.
+    # @return [String] The JWT token.
+    attr_reader :jwt
+    # Initializes a new EncodedToken instance.
+    #
+    # @param jwt [String] the encoded JWT token.
+    # @raise [ArgumentError] if the provided JWT is not a String.
+    def initialize(jwt)
+      raise ArgumentError, 'Provided JWT must be a String' unless jwt.is_a?(String)
+      @jwt = jwt
+      @encoded_header, @encoded_payload, @encoded_signature = jwt.split('.')
+    end
+    # Returns the decoded signature of the JWT token.
+    #
+    # @return [String] the decoded signature.
+    def signature
+      @signature ||= ::JWT::Base64.url_decode(encoded_signature || '')
+    end
+    # Returns the encoded signature of the JWT token.
+    #
+    # @return [String] the encoded signature.
+    attr_reader :encoded_signature
+    # Returns the decoded header of the JWT token.
+    #
+    # @return [Hash] the header.
+    def header
+      @header ||= parse_and_decode(@encoded_header)
+    end
+    # Returns the encoded header of the JWT token.
+    #
+    # @return [String] the encoded header.
+    attr_reader :encoded_header
+    # Returns the payload of the JWT token.
+    #
+    # @return [Hash] the payload.
+    def payload
+      @payload ||= decode_payload
+    end
+    # Sets or returns the encoded payload of the JWT token.
+    #
+    # @return [String] the encoded payload.
+    attr_accessor :encoded_payload
+    # Returns the signing input of the JWT token.
+    #
+    # @return [String] the signing input.
+    def signing_input
+      [encoded_header, encoded_payload].join('.')
+    end
+    # Verifies the signature of the JWT token.
+    #
+    # @param algorithm [String, Array<String>, Object, Array<Object>] the algorithm(s) to use for verification.
+    # @param key [String, Array<String>] the key(s) to use for verification.
+    # @param key_finder [#call] an object responding to `call` to find the key for verification.
+    # @return [nil]
+    # @raise [JWT::VerificationError] if the signature verification fails.
+    # @raise [ArgumentError] if neither key nor key_finder is provided, or if both are provided.
+    def verify_signature!(algorithm:, key: nil, key_finder: nil)
+      raise ArgumentError, 'Provide either key or key_finder, not both or neither' if key.nil? == key_finder.nil?
+      key ||= key_finder.call(self)
+      return if valid_signature?(algorithm: algorithm, key: key)
+      raise JWT::VerificationError, 'Signature verification failed'
+    end
+    # Checks if the signature of the JWT token is valid.
+    #
+    # @param algorithm [String, Array<String>, Object, Array<Object>] the algorithm(s) to use for verification.
+    # @param key [String, Array<String>] the key(s) to use for verification.
+    # @return [Boolean] true if the signature is valid, false otherwise.
+    def valid_signature?(algorithm:, key:)
+      Array(JWA.resolve_and_sort(algorithms: algorithm, preferred_algorithm: header['alg'])).any? do |algo|
+        Array(key).any? do |one_key|
+          algo.verify(data: signing_input, signature: signature, verification_key: one_key)
+        end
+      end
+    end
+    alias to_s jwt
+    private
+    def decode_payload
+      raise JWT::DecodeError, 'Encoded payload is empty' if encoded_payload == ''
+      if unencoded_payload?
+        verify_claims!(crit: ['b64'])
+        return parse_unencoded(encoded_payload)
+      end
+      parse_and_decode(encoded_payload)
+    end
+    def unencoded_payload?
+      header['b64'] == false
+    end
+    def parse_and_decode(segment)
+      parse(::JWT::Base64.url_decode(segment || ''))
+    end
+    def parse_unencoded(segment)
+      parse(segment)
+    end
+    def parse(segment)
+      JWT::JSON.parse(segment)
+    rescue ::JSON::ParserError
+      raise JWT::DecodeError, 'Invalid segment encoding'
+    end
+  end
+end

data/lib/jwt/error.rb CHANGED Viewed

@@ -1,23 +1,57 @@
 # frozen_string_literal: true
 module JWT
+  # The EncodeError class is raised when there is an error encoding a JWT.
   class EncodeError < StandardError; end
+  # The DecodeError class is raised when there is an error decoding a JWT.
   class DecodeError < StandardError; end
+  # The RequiredDependencyError class is raised when a required dependency is missing.
   class RequiredDependencyError < StandardError; end
+  # The VerificationError class is raised when there is an error verifying a JWT.
   class VerificationError < DecodeError; end
+  # The ExpiredSignature class is raised when the JWT signature has expired.
   class ExpiredSignature < DecodeError; end
+  # The IncorrectAlgorithm class is raised when the JWT algorithm is incorrect.
   class IncorrectAlgorithm < DecodeError; end
+  # The ImmatureSignature class is raised when the JWT signature is immature.
   class ImmatureSignature < DecodeError; end
+  # The InvalidIssuerError class is raised when the JWT issuer is invalid.
   class InvalidIssuerError < DecodeError; end
+  # The UnsupportedEcdsaCurve class is raised when the ECDSA curve is unsupported.
   class UnsupportedEcdsaCurve < IncorrectAlgorithm; end
+  # The InvalidIatError class is raised when the JWT issued at (iat) claim is invalid.
   class InvalidIatError < DecodeError; end
+  # The InvalidAudError class is raised when the JWT audience (aud) claim is invalid.
   class InvalidAudError < DecodeError; end
+  # The InvalidSubError class is raised when the JWT subject (sub) claim is invalid.
   class InvalidSubError < DecodeError; end
+  # The InvalidCritError class is raised when the JWT crit header is invalid.
+  class InvalidCritError < DecodeError; end
+  # The InvalidJtiError class is raised when the JWT ID (jti) claim is invalid.
   class InvalidJtiError < DecodeError; end
+  # The InvalidPayload class is raised when the JWT payload is invalid.
   class InvalidPayload < DecodeError; end
+  # The MissingRequiredClaim class is raised when a required claim is missing from the JWT.
   class MissingRequiredClaim < DecodeError; end
+  # The Base64DecodeError class is raised when there is an error decoding a Base64-encoded string.
   class Base64DecodeError < DecodeError; end
+  # The JWKError class is raised when there is an error with the JSON Web Key (JWK).
   class JWKError < DecodeError; end
 end

data/lib/jwt/json.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 require 'json'
 module JWT
-  # JSON wrapper
+  # @api private
   class JSON
     class << self
       def generate(data)

data/lib/jwt/jwa/compat.rb ADDED Viewed

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+module JWT
+  module JWA
+    # Provides backwards compatibility for algorithms
+    # @api private
+    module Compat
+      # @api private
+      module ClassMethods
+        def from_algorithm(algorithm)
+          new(algorithm)
+        end
+        def sign(algorithm, msg, key)
+          Deprecations.warning('Support for calling sign with positional arguments will be removed in future ruby-jwt versions')
+          from_algorithm(algorithm).sign(data: msg, signing_key: key)
+        end
+        def verify(algorithm, key, signing_input, signature)
+          Deprecations.warning('Support for calling verify with positional arguments will be removed in future ruby-jwt versions')
+          from_algorithm(algorithm).verify(data: signing_input, signature: signature, verification_key: key)
+        end
+      end
+      def self.included(klass)
+        klass.extend(ClassMethods)
+      end
+    end
+  end
+end

data/lib/jwt/jwa/ecdsa.rb CHANGED Viewed

@@ -2,8 +2,32 @@
 module JWT
   module JWA
-    module Ecdsa
-      module_function
+    # ECDSA signing algorithm
+    class Ecdsa
+      include JWT::JWA::SigningAlgorithm
+      def initialize(alg, digest)
+        @alg = alg
+        @digest = digest
+      end
+      def sign(data:, signing_key:)
+        curve_definition = curve_by_name(signing_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
+        raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} signing key was provided" if alg != key_algorithm
+        asn1_to_raw(signing_key.dsa_sign_asn1(OpenSSL::Digest.new(digest).digest(data)), signing_key)
+      end
+      def verify(data:, signature:, verification_key:)
+        curve_definition = curve_by_name(verification_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
+        raise IncorrectAlgorithm, "payload algorithm is #{alg} but #{key_algorithm} verification key was provided" if alg != key_algorithm
+        verification_key.dsa_verify_asn1(OpenSSL::Digest.new(digest).digest(data), raw_to_asn1(signature, verification_key))
+      rescue OpenSSL::PKey::PKeyError
+        raise JWT::VerificationError, 'Signature verification raised'
+      end
       NAMED_CURVES = {
         'prime256v1' => {
@@ -28,38 +52,28 @@ module JWT
         }
       }.freeze
-      SUPPORTED = NAMED_CURVES.map { |_, c| c[:algorithm] }.uniq.freeze
-      def sign(algorithm, msg, key)
-        curve_definition = curve_by_name(key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
-        end
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
+      NAMED_CURVES.each_value do |v|
+        register_algorithm(new(v[:algorithm], v[:digest]))
       end
-      def verify(algorithm, public_key, signing_input, signature)
-        curve_definition = curve_by_name(public_key.group.curve_name)
-        key_algorithm = curve_definition[:algorithm]
-        if algorithm != key_algorithm
-          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-        end
-        digest = OpenSSL::Digest.new(curve_definition[:digest])
-        public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
-      rescue OpenSSL::PKey::PKeyError
-        raise JWT::VerificationError, 'Signature verification raised'
+      def self.from_algorithm(algorithm)
+        new(algorithm, algorithm.downcase.gsub('es', 'sha'))
       end
-      def curve_by_name(name)
+      def self.curve_by_name(name)
         NAMED_CURVES.fetch(name) do
           raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
         end
       end
+      private
+      attr_reader :digest
+      def curve_by_name(name)
+        self.class.curve_by_name(name)
+      end
       def raw_to_asn1(signature, private_key)
         byte_size = (private_key.group.degree + 7) / 8
         sig_bytes = signature[0..(byte_size - 1)]

data/lib/jwt/jwa/eddsa.rb CHANGED Viewed

@@ -2,41 +2,34 @@
 module JWT
   module JWA
-    module Eddsa
-      SUPPORTED = %w[ED25519 EdDSA].freeze
-      SUPPORTED_DOWNCASED = SUPPORTED.map(&:downcase).freeze
+    # Implementation of the EdDSA family of algorithms
+    class Eddsa
+      include JWT::JWA::SigningAlgorithm
-      class << self
-        def sign(algorithm, msg, key)
-          unless key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
-            raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
-          end
-          validate_algorithm!(algorithm)
-          key.sign(msg)
-        end
+      def initialize(alg)
+        @alg = alg
+      end
-        def verify(algorithm, public_key, signing_input, signature)
-          unless public_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
-            raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey"
-          end
+      def sign(data:, signing_key:)
+        raise_sign_error!("Key given is a #{signing_key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey") unless signing_key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
-          validate_algorithm!(algorithm)
+        Deprecations.warning('Using the EdDSA algorithm is deprecated and will be removed in a future version of ruby-jwt. In the future the algorithm will be provided by the jwt-eddsa gem.')
-          public_key.verify(signature, signing_input)
-        rescue RbNaCl::CryptoError
-          false
-        end
+        signing_key.sign(data)
+      end
-        private
+      def verify(data:, signature:, verification_key:)
+        raise_verify_error!("key given is a #{verification_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey") unless verification_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
-        def validate_algorithm!(algorithm)
-          return if SUPPORTED_DOWNCASED.include?(algorithm.downcase)
+        Deprecations.warning('Using the EdDSA algorithm is deprecated and will be removed in a future version of ruby-jwt. In the future the algorithm will be provided by the jwt-eddsa gem.')
-          raise IncorrectAlgorithm, "Algorithm #{algorithm} not supported. Supported algoritms are #{SUPPORTED.join(', ')}"
-        end
+        verification_key.verify(signature, data)
+      rescue RbNaCl::CryptoError
+        false
       end
+      register_algorithm(new('ED25519'))
+      register_algorithm(new('EdDSA'))
     end
   end
 end