jwt 2.8.2 → 2.9.3

data/lib/jwt/jwa/wrapper.rb

@@ -3,23 +3,40 @@
 module JWT
   module JWA
     class Wrapper
-      attr_reader :alg, :cls
+      include SigningAlgorithm
 
-      def initialize(alg, cls)
-        @alg = alg
-        @cls = cls
+      def initialize(algorithm)
+        @algorithm = algorithm
+      end
+
+      def alg
+        return @algorithm.alg if @algorithm.respond_to?(:alg)
+
+        super
       end
 
       def valid_alg?(alg_to_check)
-        alg&.casecmp(alg_to_check)&.zero? == true
+        return @algorithm.valid_alg?(alg_to_check) if @algorithm.respond_to?(:valid_alg?)
+
+        super
       end
 
-      def sign(data:, signing_key:)
-        cls.sign(alg, data, signing_key)
+      def header(*args, **kwargs)
+        return @algorithm.header(*args, **kwargs) if @algorithm.respond_to?(:header)
+
+        super
       end
 
-      def verify(data:, signature:, verification_key:)
-        cls.verify(alg, verification_key, data, signature)
+      def sign(*args, **kwargs)
+        return @algorithm.sign(*args, **kwargs) if @algorithm.respond_to?(:sign)
+
+        super
+      end
+
+      def verify(*args, **kwargs)
+        return @algorithm.verify(*args, **kwargs) if @algorithm.respond_to?(:verify)
+
+        super
       end
     end
   end

data/lib/jwt/jwa.rb

@@ -8,54 +8,42 @@ rescue LoadError
   raise if defined?(RbNaCl)
 end
 
-require_relative 'jwa/hmac'
-require_relative 'jwa/eddsa'
+require_relative 'jwa/compat'
+require_relative 'jwa/signing_algorithm'
 require_relative 'jwa/ecdsa'
-require_relative 'jwa/rsa'
-require_relative 'jwa/ps'
+require_relative 'jwa/hmac'
 require_relative 'jwa/none'
+require_relative 'jwa/ps'
+require_relative 'jwa/rsa'
 require_relative 'jwa/unsupported'
 require_relative 'jwa/wrapper'
 
+if JWT.rbnacl?
+  require_relative 'jwa/eddsa'
+end
+
+if JWT.rbnacl_6_or_greater?
+  require_relative 'jwa/hmac_rbnacl'
+elsif JWT.rbnacl?
+  require_relative 'jwa/hmac_rbnacl_fixed'
+end
+
 module JWT
   module JWA
-    ALGOS = [Hmac, Ecdsa, Rsa, Eddsa, Ps, None, Unsupported].tap do |l|
-      if ::JWT.rbnacl_6_or_greater?
-        require_relative 'jwa/hmac_rbnacl'
-        l << Algos::HmacRbNaCl
-      elsif ::JWT.rbnacl?
-        require_relative 'jwa/hmac_rbnacl_fixed'
-        l << Algos::HmacRbNaClFixed
-      end
-    end.freeze
-
     class << self
-      def find(algorithm)
-        indexed[algorithm&.downcase]
-      end
-
-      def create(algorithm)
-        return algorithm if JWA.implementation?(algorithm)
+      def resolve(algorithm)
+        return find(algorithm) if algorithm.is_a?(String) || algorithm.is_a?(Symbol)
 
-        Wrapper.new(*find(algorithm))
-      end
+        unless algorithm.is_a?(SigningAlgorithm)
+          Deprecations.warning('Custom algorithms are required to include JWT::JWA::SigningAlgorithm. Custom algorithms that do not include this module may stop working in the next major version of ruby-jwt.')
+          return Wrapper.new(algorithm)
+        end
 
-      def implementation?(algorithm)
-        (algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
-          (algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
+        algorithm
       end
 
-      private
-
-      def indexed
-        @indexed ||= begin
-          fallback = [nil, Unsupported]
-          ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
-            cls.const_get(:SUPPORTED).each do |alg|
-              hash[alg.downcase] = [alg, cls]
-            end
-          end
-        end
+      def create(algorithm)
+        resolve(algorithm)
       end
     end
   end

data/lib/jwt/verify.rb

@@ -1,27 +1,22 @@
 # frozen_string_literal: true
 
-require 'jwt/error'
+require_relative 'error'
 
 module JWT
-  # JWT verify methods
   class Verify
-    DEFAULTS = {
-      leeway: 0
-    }.freeze
+    DEFAULTS = { leeway: 0 }.freeze
+    METHODS = %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].freeze
 
     class << self
-      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
-        define_method method_name do |payload, options|
+      METHODS.each do |method_name|
+        define_method(method_name) do |payload, options|
           new(payload, options).send(method_name)
         end
       end
 
       def verify_claims(payload, options)
-        options.each do |key, val|
-          next unless key.to_s =~ /verify/
-
-          Verify.send(key, payload, options) if val
-        end
+        ::JWT::Claims.verify!(payload, options)
+        true
       end
     end
 
@@ -30,88 +25,10 @@ module JWT
       @options = DEFAULTS.merge(options)
     end
 
-    def verify_aud
-      return unless (options_aud = @options[:aud])
-
-      aud = @payload['aud']
-      raise JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}" if ([*aud] & [*options_aud]).empty?
-    end
-
-    def verify_expiration
-      return unless contains_key?(@payload, 'exp')
-      raise JWT::ExpiredSignature, 'Signature has expired' if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
-    end
-
-    def verify_iat
-      return unless contains_key?(@payload, 'iat')
-
-      iat = @payload['iat']
-      raise JWT::InvalidIatError, 'Invalid iat' if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
-    end
-
-    def verify_iss
-      return unless (options_iss = @options[:iss])
-
-      iss = @payload['iss']
-
-      options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
-
-      case iss
-      when *options_iss
-        nil
-      else
-        raise JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}"
+    METHODS.each do |method_name|
+      define_method(method_name) do
+        ::JWT::Claims.verify!(@payload, @options.merge(method_name => true))
       end
     end
-
-    def verify_jti
-      options_verify_jti = @options[:verify_jti]
-      jti = @payload['jti']
-
-      if options_verify_jti.respond_to?(:call)
-        verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
-        raise JWT::InvalidJtiError, 'Invalid jti' unless verified
-      elsif jti.to_s.strip.empty?
-        raise JWT::InvalidJtiError, 'Missing jti'
-      end
-    end
-
-    def verify_not_before
-      return unless contains_key?(@payload, 'nbf')
-      raise JWT::ImmatureSignature, 'Signature nbf has not been reached' if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
-    end
-
-    def verify_sub
-      return unless (options_sub = @options[:sub])
-
-      sub = @payload['sub']
-      raise JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}" unless sub.to_s == options_sub.to_s
-    end
-
-    def verify_required_claims
-      return unless (options_required_claims = @options[:required_claims])
-
-      options_required_claims.each do |required_claim|
-        raise JWT::MissingRequiredClaim, "Missing required claim #{required_claim}" unless contains_key?(@payload, required_claim)
-      end
-    end
-
-    private
-
-    def global_leeway
-      @options[:leeway]
-    end
-
-    def exp_leeway
-      @options[:exp_leeway] || global_leeway
-    end
-
-    def nbf_leeway
-      @options[:nbf_leeway] || global_leeway
-    end
-
-    def contains_key?(payload, key)
-      payload.respond_to?(:key?) && payload.key?(key)
-    end
   end
 end

data/lib/jwt/version.rb

@@ -11,9 +11,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 8
+    MINOR = 9
     # tiny version
-    TINY  = 2
+    TINY  = 3
     # alpha, beta, etc. tag
     PRE   = nil
 

data/lib/jwt.rb

@@ -9,6 +9,10 @@ require 'jwt/deprecations'
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
+require 'jwt/claims'
+
+require 'jwt/claims_validator'
+require 'jwt/verify'
 
 # JSON Web Token implementation
 #

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.8.2
+  version: 2.9.3
 platform: ruby
 authors:
 - Tim Rudat
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-06-18 00:00:00.000000000 Z
+date: 2024-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -123,6 +123,18 @@ files:
 - README.md
 - lib/jwt.rb
 - lib/jwt/base64.rb
+- lib/jwt/claims.rb
+- lib/jwt/claims/audience.rb
+- lib/jwt/claims/decode_verifier.rb
+- lib/jwt/claims/expiration.rb
+- lib/jwt/claims/issued_at.rb
+- lib/jwt/claims/issuer.rb
+- lib/jwt/claims/jwt_id.rb
+- lib/jwt/claims/not_before.rb
+- lib/jwt/claims/numeric.rb
+- lib/jwt/claims/required.rb
+- lib/jwt/claims/subject.rb
+- lib/jwt/claims/verifier.rb
 - lib/jwt/claims_validator.rb
 - lib/jwt/configuration.rb
 - lib/jwt/configuration/container.rb
@@ -134,6 +146,7 @@ files:
 - lib/jwt/error.rb
 - lib/jwt/json.rb
 - lib/jwt/jwa.rb
+- lib/jwt/jwa/compat.rb
 - lib/jwt/jwa/ecdsa.rb
 - lib/jwt/jwa/eddsa.rb
 - lib/jwt/jwa/hmac.rb
@@ -142,6 +155,7 @@ files:
 - lib/jwt/jwa/none.rb
 - lib/jwt/jwa/ps.rb
 - lib/jwt/jwa/rsa.rb
+- lib/jwt/jwa/signing_algorithm.rb
 - lib/jwt/jwa/unsupported.rb
 - lib/jwt/jwa/wrapper.rb
 - lib/jwt/jwk.rb
@@ -163,9 +177,9 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
-  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.8.2/CHANGELOG.md
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.9.3/CHANGELOG.md
   rubygems_mfa_required: 'true'
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -180,8 +194,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 3.5.16
+signing_key: 
 specification_version: 4
 summary: JSON Web Token implementation in Ruby
 test_files: []