jwt 2.8.2 → 2.9.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +14 -0
- data/README.md +19 -11
- data/lib/jwt/claims/audience.rb +20 -0
- data/lib/jwt/claims/expiration.rb +22 -0
- data/lib/jwt/claims/issued_at.rb +15 -0
- data/lib/jwt/claims/issuer.rb +24 -0
- data/lib/jwt/claims/jwt_id.rb +25 -0
- data/lib/jwt/claims/not_before.rb +22 -0
- data/lib/jwt/claims/numeric.rb +43 -0
- data/lib/jwt/claims/required.rb +23 -0
- data/lib/jwt/claims/subject.rb +20 -0
- data/lib/jwt/claims.rb +38 -0
- data/lib/jwt/decode.rb +2 -5
- data/lib/jwt/encode.rb +3 -7
- data/lib/jwt/jwa/ecdsa.rb +38 -25
- data/lib/jwt/jwa/eddsa.rb +19 -27
- data/lib/jwt/jwa/hmac.rb +22 -18
- data/lib/jwt/jwa/hmac_rbnacl.rb +38 -43
- data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +35 -39
- data/lib/jwt/jwa/none.rb +7 -3
- data/lib/jwt/jwa/ps.rb +20 -14
- data/lib/jwt/jwa/rsa.rb +20 -9
- data/lib/jwt/jwa/signing_algorithm.rb +59 -0
- data/lib/jwt/jwa/unsupported.rb +8 -8
- data/lib/jwt/jwa/wrapper.rb +26 -9
- data/lib/jwt/jwa.rb +21 -38
- data/lib/jwt/version.rb +2 -2
- data/lib/jwt.rb +1 -0
- metadata +18 -9
- data/lib/jwt/claims_validator.rb +0 -37
- data/lib/jwt/verify.rb +0 -117
data/lib/jwt/verify.rb
DELETED
@@ -1,117 +0,0 @@
|
|
1
|
-
# frozen_string_literal: true
|
2
|
-
|
3
|
-
require 'jwt/error'
|
4
|
-
|
5
|
-
module JWT
|
6
|
-
# JWT verify methods
|
7
|
-
class Verify
|
8
|
-
DEFAULTS = {
|
9
|
-
leeway: 0
|
10
|
-
}.freeze
|
11
|
-
|
12
|
-
class << self
|
13
|
-
%w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
|
14
|
-
define_method method_name do |payload, options|
|
15
|
-
new(payload, options).send(method_name)
|
16
|
-
end
|
17
|
-
end
|
18
|
-
|
19
|
-
def verify_claims(payload, options)
|
20
|
-
options.each do |key, val|
|
21
|
-
next unless key.to_s =~ /verify/
|
22
|
-
|
23
|
-
Verify.send(key, payload, options) if val
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
|
28
|
-
def initialize(payload, options)
|
29
|
-
@payload = payload
|
30
|
-
@options = DEFAULTS.merge(options)
|
31
|
-
end
|
32
|
-
|
33
|
-
def verify_aud
|
34
|
-
return unless (options_aud = @options[:aud])
|
35
|
-
|
36
|
-
aud = @payload['aud']
|
37
|
-
raise JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}" if ([*aud] & [*options_aud]).empty?
|
38
|
-
end
|
39
|
-
|
40
|
-
def verify_expiration
|
41
|
-
return unless contains_key?(@payload, 'exp')
|
42
|
-
raise JWT::ExpiredSignature, 'Signature has expired' if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
|
43
|
-
end
|
44
|
-
|
45
|
-
def verify_iat
|
46
|
-
return unless contains_key?(@payload, 'iat')
|
47
|
-
|
48
|
-
iat = @payload['iat']
|
49
|
-
raise JWT::InvalidIatError, 'Invalid iat' if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
|
50
|
-
end
|
51
|
-
|
52
|
-
def verify_iss
|
53
|
-
return unless (options_iss = @options[:iss])
|
54
|
-
|
55
|
-
iss = @payload['iss']
|
56
|
-
|
57
|
-
options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
|
58
|
-
|
59
|
-
case iss
|
60
|
-
when *options_iss
|
61
|
-
nil
|
62
|
-
else
|
63
|
-
raise JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}"
|
64
|
-
end
|
65
|
-
end
|
66
|
-
|
67
|
-
def verify_jti
|
68
|
-
options_verify_jti = @options[:verify_jti]
|
69
|
-
jti = @payload['jti']
|
70
|
-
|
71
|
-
if options_verify_jti.respond_to?(:call)
|
72
|
-
verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
|
73
|
-
raise JWT::InvalidJtiError, 'Invalid jti' unless verified
|
74
|
-
elsif jti.to_s.strip.empty?
|
75
|
-
raise JWT::InvalidJtiError, 'Missing jti'
|
76
|
-
end
|
77
|
-
end
|
78
|
-
|
79
|
-
def verify_not_before
|
80
|
-
return unless contains_key?(@payload, 'nbf')
|
81
|
-
raise JWT::ImmatureSignature, 'Signature nbf has not been reached' if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
|
82
|
-
end
|
83
|
-
|
84
|
-
def verify_sub
|
85
|
-
return unless (options_sub = @options[:sub])
|
86
|
-
|
87
|
-
sub = @payload['sub']
|
88
|
-
raise JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}" unless sub.to_s == options_sub.to_s
|
89
|
-
end
|
90
|
-
|
91
|
-
def verify_required_claims
|
92
|
-
return unless (options_required_claims = @options[:required_claims])
|
93
|
-
|
94
|
-
options_required_claims.each do |required_claim|
|
95
|
-
raise JWT::MissingRequiredClaim, "Missing required claim #{required_claim}" unless contains_key?(@payload, required_claim)
|
96
|
-
end
|
97
|
-
end
|
98
|
-
|
99
|
-
private
|
100
|
-
|
101
|
-
def global_leeway
|
102
|
-
@options[:leeway]
|
103
|
-
end
|
104
|
-
|
105
|
-
def exp_leeway
|
106
|
-
@options[:exp_leeway] || global_leeway
|
107
|
-
end
|
108
|
-
|
109
|
-
def nbf_leeway
|
110
|
-
@options[:nbf_leeway] || global_leeway
|
111
|
-
end
|
112
|
-
|
113
|
-
def contains_key?(payload, key)
|
114
|
-
payload.respond_to?(:key?) && payload.key?(key)
|
115
|
-
end
|
116
|
-
end
|
117
|
-
end
|