jwt 2.8.2 → 2.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +14 -0
- data/README.md +19 -11
- data/lib/jwt/claims/audience.rb +20 -0
- data/lib/jwt/claims/expiration.rb +22 -0
- data/lib/jwt/claims/issued_at.rb +15 -0
- data/lib/jwt/claims/issuer.rb +24 -0
- data/lib/jwt/claims/jwt_id.rb +25 -0
- data/lib/jwt/claims/not_before.rb +22 -0
- data/lib/jwt/claims/numeric.rb +43 -0
- data/lib/jwt/claims/required.rb +23 -0
- data/lib/jwt/claims/subject.rb +20 -0
- data/lib/jwt/claims.rb +38 -0
- data/lib/jwt/decode.rb +2 -5
- data/lib/jwt/encode.rb +3 -7
- data/lib/jwt/jwa/ecdsa.rb +38 -25
- data/lib/jwt/jwa/eddsa.rb +19 -27
- data/lib/jwt/jwa/hmac.rb +22 -18
- data/lib/jwt/jwa/hmac_rbnacl.rb +38 -43
- data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +35 -39
- data/lib/jwt/jwa/none.rb +7 -3
- data/lib/jwt/jwa/ps.rb +20 -14
- data/lib/jwt/jwa/rsa.rb +20 -9
- data/lib/jwt/jwa/signing_algorithm.rb +59 -0
- data/lib/jwt/jwa/unsupported.rb +8 -8
- data/lib/jwt/jwa/wrapper.rb +26 -9
- data/lib/jwt/jwa.rb +21 -38
- data/lib/jwt/version.rb +2 -2
- data/lib/jwt.rb +1 -0
- metadata +18 -9
- data/lib/jwt/claims_validator.rb +0 -37
- data/lib/jwt/verify.rb +0 -117
data/lib/jwt/verify.rb
DELETED
|
@@ -1,117 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require 'jwt/error'
|
|
4
|
-
|
|
5
|
-
module JWT
|
|
6
|
-
# JWT verify methods
|
|
7
|
-
class Verify
|
|
8
|
-
DEFAULTS = {
|
|
9
|
-
leeway: 0
|
|
10
|
-
}.freeze
|
|
11
|
-
|
|
12
|
-
class << self
|
|
13
|
-
%w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
|
|
14
|
-
define_method method_name do |payload, options|
|
|
15
|
-
new(payload, options).send(method_name)
|
|
16
|
-
end
|
|
17
|
-
end
|
|
18
|
-
|
|
19
|
-
def verify_claims(payload, options)
|
|
20
|
-
options.each do |key, val|
|
|
21
|
-
next unless key.to_s =~ /verify/
|
|
22
|
-
|
|
23
|
-
Verify.send(key, payload, options) if val
|
|
24
|
-
end
|
|
25
|
-
end
|
|
26
|
-
end
|
|
27
|
-
|
|
28
|
-
def initialize(payload, options)
|
|
29
|
-
@payload = payload
|
|
30
|
-
@options = DEFAULTS.merge(options)
|
|
31
|
-
end
|
|
32
|
-
|
|
33
|
-
def verify_aud
|
|
34
|
-
return unless (options_aud = @options[:aud])
|
|
35
|
-
|
|
36
|
-
aud = @payload['aud']
|
|
37
|
-
raise JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}" if ([*aud] & [*options_aud]).empty?
|
|
38
|
-
end
|
|
39
|
-
|
|
40
|
-
def verify_expiration
|
|
41
|
-
return unless contains_key?(@payload, 'exp')
|
|
42
|
-
raise JWT::ExpiredSignature, 'Signature has expired' if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
|
|
43
|
-
end
|
|
44
|
-
|
|
45
|
-
def verify_iat
|
|
46
|
-
return unless contains_key?(@payload, 'iat')
|
|
47
|
-
|
|
48
|
-
iat = @payload['iat']
|
|
49
|
-
raise JWT::InvalidIatError, 'Invalid iat' if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
|
|
50
|
-
end
|
|
51
|
-
|
|
52
|
-
def verify_iss
|
|
53
|
-
return unless (options_iss = @options[:iss])
|
|
54
|
-
|
|
55
|
-
iss = @payload['iss']
|
|
56
|
-
|
|
57
|
-
options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
|
|
58
|
-
|
|
59
|
-
case iss
|
|
60
|
-
when *options_iss
|
|
61
|
-
nil
|
|
62
|
-
else
|
|
63
|
-
raise JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}"
|
|
64
|
-
end
|
|
65
|
-
end
|
|
66
|
-
|
|
67
|
-
def verify_jti
|
|
68
|
-
options_verify_jti = @options[:verify_jti]
|
|
69
|
-
jti = @payload['jti']
|
|
70
|
-
|
|
71
|
-
if options_verify_jti.respond_to?(:call)
|
|
72
|
-
verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
|
|
73
|
-
raise JWT::InvalidJtiError, 'Invalid jti' unless verified
|
|
74
|
-
elsif jti.to_s.strip.empty?
|
|
75
|
-
raise JWT::InvalidJtiError, 'Missing jti'
|
|
76
|
-
end
|
|
77
|
-
end
|
|
78
|
-
|
|
79
|
-
def verify_not_before
|
|
80
|
-
return unless contains_key?(@payload, 'nbf')
|
|
81
|
-
raise JWT::ImmatureSignature, 'Signature nbf has not been reached' if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
|
|
82
|
-
end
|
|
83
|
-
|
|
84
|
-
def verify_sub
|
|
85
|
-
return unless (options_sub = @options[:sub])
|
|
86
|
-
|
|
87
|
-
sub = @payload['sub']
|
|
88
|
-
raise JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}" unless sub.to_s == options_sub.to_s
|
|
89
|
-
end
|
|
90
|
-
|
|
91
|
-
def verify_required_claims
|
|
92
|
-
return unless (options_required_claims = @options[:required_claims])
|
|
93
|
-
|
|
94
|
-
options_required_claims.each do |required_claim|
|
|
95
|
-
raise JWT::MissingRequiredClaim, "Missing required claim #{required_claim}" unless contains_key?(@payload, required_claim)
|
|
96
|
-
end
|
|
97
|
-
end
|
|
98
|
-
|
|
99
|
-
private
|
|
100
|
-
|
|
101
|
-
def global_leeway
|
|
102
|
-
@options[:leeway]
|
|
103
|
-
end
|
|
104
|
-
|
|
105
|
-
def exp_leeway
|
|
106
|
-
@options[:exp_leeway] || global_leeway
|
|
107
|
-
end
|
|
108
|
-
|
|
109
|
-
def nbf_leeway
|
|
110
|
-
@options[:nbf_leeway] || global_leeway
|
|
111
|
-
end
|
|
112
|
-
|
|
113
|
-
def contains_key?(payload, key)
|
|
114
|
-
payload.respond_to?(:key?) && payload.key?(key)
|
|
115
|
-
end
|
|
116
|
-
end
|
|
117
|
-
end
|