jwt 2.8.2 → 2.9.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +66 -0
- data/README.md +38 -12
- data/lib/jwt/claims/audience.rb +20 -0
- data/lib/jwt/claims/decode_verifier.rb +40 -0
- data/lib/jwt/claims/expiration.rb +22 -0
- data/lib/jwt/claims/issued_at.rb +15 -0
- data/lib/jwt/claims/issuer.rb +24 -0
- data/lib/jwt/claims/jwt_id.rb +25 -0
- data/lib/jwt/claims/not_before.rb +22 -0
- data/lib/jwt/claims/numeric.rb +55 -0
- data/lib/jwt/claims/required.rb +23 -0
- data/lib/jwt/claims/subject.rb +20 -0
- data/lib/jwt/claims/verifier.rb +62 -0
- data/lib/jwt/claims.rb +82 -0
- data/lib/jwt/claims_validator.rb +2 -23
- data/lib/jwt/decode.rb +3 -5
- data/lib/jwt/encode.rb +3 -7
- data/lib/jwt/jwa/compat.rb +29 -0
- data/lib/jwt/jwa/ecdsa.rb +42 -25
- data/lib/jwt/jwa/eddsa.rb +19 -27
- data/lib/jwt/jwa/hmac.rb +25 -17
- data/lib/jwt/jwa/hmac_rbnacl.rb +42 -43
- data/lib/jwt/jwa/hmac_rbnacl_fixed.rb +39 -39
- data/lib/jwt/jwa/none.rb +7 -3
- data/lib/jwt/jwa/ps.rb +20 -14
- data/lib/jwt/jwa/rsa.rb +20 -9
- data/lib/jwt/jwa/signing_algorithm.rb +60 -0
- data/lib/jwt/jwa/unsupported.rb +8 -8
- data/lib/jwt/jwa/wrapper.rb +26 -9
- data/lib/jwt/jwa.rb +24 -36
- data/lib/jwt/verify.rb +10 -93
- data/lib/jwt/version.rb +2 -2
- data/lib/jwt.rb +4 -0
- metadata +21 -7
data/lib/jwt/jwa/wrapper.rb
CHANGED
@@ -3,23 +3,40 @@
|
|
3
3
|
module JWT
|
4
4
|
module JWA
|
5
5
|
class Wrapper
|
6
|
-
|
6
|
+
include SigningAlgorithm
|
7
7
|
|
8
|
-
def initialize(
|
9
|
-
@
|
10
|
-
|
8
|
+
def initialize(algorithm)
|
9
|
+
@algorithm = algorithm
|
10
|
+
end
|
11
|
+
|
12
|
+
def alg
|
13
|
+
return @algorithm.alg if @algorithm.respond_to?(:alg)
|
14
|
+
|
15
|
+
super
|
11
16
|
end
|
12
17
|
|
13
18
|
def valid_alg?(alg_to_check)
|
14
|
-
|
19
|
+
return @algorithm.valid_alg?(alg_to_check) if @algorithm.respond_to?(:valid_alg?)
|
20
|
+
|
21
|
+
super
|
15
22
|
end
|
16
23
|
|
17
|
-
def
|
18
|
-
|
24
|
+
def header(*args, **kwargs)
|
25
|
+
return @algorithm.header(*args, **kwargs) if @algorithm.respond_to?(:header)
|
26
|
+
|
27
|
+
super
|
19
28
|
end
|
20
29
|
|
21
|
-
def
|
22
|
-
|
30
|
+
def sign(*args, **kwargs)
|
31
|
+
return @algorithm.sign(*args, **kwargs) if @algorithm.respond_to?(:sign)
|
32
|
+
|
33
|
+
super
|
34
|
+
end
|
35
|
+
|
36
|
+
def verify(*args, **kwargs)
|
37
|
+
return @algorithm.verify(*args, **kwargs) if @algorithm.respond_to?(:verify)
|
38
|
+
|
39
|
+
super
|
23
40
|
end
|
24
41
|
end
|
25
42
|
end
|
data/lib/jwt/jwa.rb
CHANGED
@@ -8,54 +8,42 @@ rescue LoadError
|
|
8
8
|
raise if defined?(RbNaCl)
|
9
9
|
end
|
10
10
|
|
11
|
-
require_relative 'jwa/
|
12
|
-
require_relative 'jwa/
|
11
|
+
require_relative 'jwa/compat'
|
12
|
+
require_relative 'jwa/signing_algorithm'
|
13
13
|
require_relative 'jwa/ecdsa'
|
14
|
-
require_relative 'jwa/
|
15
|
-
require_relative 'jwa/ps'
|
14
|
+
require_relative 'jwa/hmac'
|
16
15
|
require_relative 'jwa/none'
|
16
|
+
require_relative 'jwa/ps'
|
17
|
+
require_relative 'jwa/rsa'
|
17
18
|
require_relative 'jwa/unsupported'
|
18
19
|
require_relative 'jwa/wrapper'
|
19
20
|
|
21
|
+
if JWT.rbnacl?
|
22
|
+
require_relative 'jwa/eddsa'
|
23
|
+
end
|
24
|
+
|
25
|
+
if JWT.rbnacl_6_or_greater?
|
26
|
+
require_relative 'jwa/hmac_rbnacl'
|
27
|
+
elsif JWT.rbnacl?
|
28
|
+
require_relative 'jwa/hmac_rbnacl_fixed'
|
29
|
+
end
|
30
|
+
|
20
31
|
module JWT
|
21
32
|
module JWA
|
22
|
-
ALGOS = [Hmac, Ecdsa, Rsa, Eddsa, Ps, None, Unsupported].tap do |l|
|
23
|
-
if ::JWT.rbnacl_6_or_greater?
|
24
|
-
require_relative 'jwa/hmac_rbnacl'
|
25
|
-
l << Algos::HmacRbNaCl
|
26
|
-
elsif ::JWT.rbnacl?
|
27
|
-
require_relative 'jwa/hmac_rbnacl_fixed'
|
28
|
-
l << Algos::HmacRbNaClFixed
|
29
|
-
end
|
30
|
-
end.freeze
|
31
|
-
|
32
33
|
class << self
|
33
|
-
def
|
34
|
-
|
35
|
-
end
|
36
|
-
|
37
|
-
def create(algorithm)
|
38
|
-
return algorithm if JWA.implementation?(algorithm)
|
34
|
+
def resolve(algorithm)
|
35
|
+
return find(algorithm) if algorithm.is_a?(String) || algorithm.is_a?(Symbol)
|
39
36
|
|
40
|
-
|
41
|
-
|
37
|
+
unless algorithm.is_a?(SigningAlgorithm)
|
38
|
+
Deprecations.warning('Custom algorithms are required to include JWT::JWA::SigningAlgorithm. Custom algorithms that do not include this module may stop working in the next major version of ruby-jwt.')
|
39
|
+
return Wrapper.new(algorithm)
|
40
|
+
end
|
42
41
|
|
43
|
-
|
44
|
-
(algorithm.respond_to?(:valid_alg?) && algorithm.respond_to?(:verify)) ||
|
45
|
-
(algorithm.respond_to?(:alg) && algorithm.respond_to?(:sign))
|
42
|
+
algorithm
|
46
43
|
end
|
47
44
|
|
48
|
-
|
49
|
-
|
50
|
-
def indexed
|
51
|
-
@indexed ||= begin
|
52
|
-
fallback = [nil, Unsupported]
|
53
|
-
ALGOS.each_with_object(Hash.new(fallback)) do |cls, hash|
|
54
|
-
cls.const_get(:SUPPORTED).each do |alg|
|
55
|
-
hash[alg.downcase] = [alg, cls]
|
56
|
-
end
|
57
|
-
end
|
58
|
-
end
|
45
|
+
def create(algorithm)
|
46
|
+
resolve(algorithm)
|
59
47
|
end
|
60
48
|
end
|
61
49
|
end
|
data/lib/jwt/verify.rb
CHANGED
@@ -1,27 +1,22 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
-
|
3
|
+
require_relative 'error'
|
4
4
|
|
5
5
|
module JWT
|
6
|
-
# JWT verify methods
|
7
6
|
class Verify
|
8
|
-
DEFAULTS = {
|
9
|
-
|
10
|
-
}.freeze
|
7
|
+
DEFAULTS = { leeway: 0 }.freeze
|
8
|
+
METHODS = %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].freeze
|
11
9
|
|
12
10
|
class << self
|
13
|
-
|
14
|
-
define_method
|
11
|
+
METHODS.each do |method_name|
|
12
|
+
define_method(method_name) do |payload, options|
|
15
13
|
new(payload, options).send(method_name)
|
16
14
|
end
|
17
15
|
end
|
18
16
|
|
19
17
|
def verify_claims(payload, options)
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
Verify.send(key, payload, options) if val
|
24
|
-
end
|
18
|
+
::JWT::Claims.verify!(payload, options)
|
19
|
+
true
|
25
20
|
end
|
26
21
|
end
|
27
22
|
|
@@ -30,88 +25,10 @@ module JWT
|
|
30
25
|
@options = DEFAULTS.merge(options)
|
31
26
|
end
|
32
27
|
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
aud = @payload['aud']
|
37
|
-
raise JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}" if ([*aud] & [*options_aud]).empty?
|
38
|
-
end
|
39
|
-
|
40
|
-
def verify_expiration
|
41
|
-
return unless contains_key?(@payload, 'exp')
|
42
|
-
raise JWT::ExpiredSignature, 'Signature has expired' if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
|
43
|
-
end
|
44
|
-
|
45
|
-
def verify_iat
|
46
|
-
return unless contains_key?(@payload, 'iat')
|
47
|
-
|
48
|
-
iat = @payload['iat']
|
49
|
-
raise JWT::InvalidIatError, 'Invalid iat' if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
|
50
|
-
end
|
51
|
-
|
52
|
-
def verify_iss
|
53
|
-
return unless (options_iss = @options[:iss])
|
54
|
-
|
55
|
-
iss = @payload['iss']
|
56
|
-
|
57
|
-
options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
|
58
|
-
|
59
|
-
case iss
|
60
|
-
when *options_iss
|
61
|
-
nil
|
62
|
-
else
|
63
|
-
raise JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}"
|
28
|
+
METHODS.each do |method_name|
|
29
|
+
define_method(method_name) do
|
30
|
+
::JWT::Claims.verify!(@payload, @options.merge(method_name => true))
|
64
31
|
end
|
65
32
|
end
|
66
|
-
|
67
|
-
def verify_jti
|
68
|
-
options_verify_jti = @options[:verify_jti]
|
69
|
-
jti = @payload['jti']
|
70
|
-
|
71
|
-
if options_verify_jti.respond_to?(:call)
|
72
|
-
verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
|
73
|
-
raise JWT::InvalidJtiError, 'Invalid jti' unless verified
|
74
|
-
elsif jti.to_s.strip.empty?
|
75
|
-
raise JWT::InvalidJtiError, 'Missing jti'
|
76
|
-
end
|
77
|
-
end
|
78
|
-
|
79
|
-
def verify_not_before
|
80
|
-
return unless contains_key?(@payload, 'nbf')
|
81
|
-
raise JWT::ImmatureSignature, 'Signature nbf has not been reached' if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
|
82
|
-
end
|
83
|
-
|
84
|
-
def verify_sub
|
85
|
-
return unless (options_sub = @options[:sub])
|
86
|
-
|
87
|
-
sub = @payload['sub']
|
88
|
-
raise JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}" unless sub.to_s == options_sub.to_s
|
89
|
-
end
|
90
|
-
|
91
|
-
def verify_required_claims
|
92
|
-
return unless (options_required_claims = @options[:required_claims])
|
93
|
-
|
94
|
-
options_required_claims.each do |required_claim|
|
95
|
-
raise JWT::MissingRequiredClaim, "Missing required claim #{required_claim}" unless contains_key?(@payload, required_claim)
|
96
|
-
end
|
97
|
-
end
|
98
|
-
|
99
|
-
private
|
100
|
-
|
101
|
-
def global_leeway
|
102
|
-
@options[:leeway]
|
103
|
-
end
|
104
|
-
|
105
|
-
def exp_leeway
|
106
|
-
@options[:exp_leeway] || global_leeway
|
107
|
-
end
|
108
|
-
|
109
|
-
def nbf_leeway
|
110
|
-
@options[:nbf_leeway] || global_leeway
|
111
|
-
end
|
112
|
-
|
113
|
-
def contains_key?(payload, key)
|
114
|
-
payload.respond_to?(:key?) && payload.key?(key)
|
115
|
-
end
|
116
33
|
end
|
117
34
|
end
|
data/lib/jwt/version.rb
CHANGED
data/lib/jwt.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: jwt
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.
|
4
|
+
version: 2.9.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Tim Rudat
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2024-
|
11
|
+
date: 2024-10-03 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: base64
|
@@ -123,6 +123,18 @@ files:
|
|
123
123
|
- README.md
|
124
124
|
- lib/jwt.rb
|
125
125
|
- lib/jwt/base64.rb
|
126
|
+
- lib/jwt/claims.rb
|
127
|
+
- lib/jwt/claims/audience.rb
|
128
|
+
- lib/jwt/claims/decode_verifier.rb
|
129
|
+
- lib/jwt/claims/expiration.rb
|
130
|
+
- lib/jwt/claims/issued_at.rb
|
131
|
+
- lib/jwt/claims/issuer.rb
|
132
|
+
- lib/jwt/claims/jwt_id.rb
|
133
|
+
- lib/jwt/claims/not_before.rb
|
134
|
+
- lib/jwt/claims/numeric.rb
|
135
|
+
- lib/jwt/claims/required.rb
|
136
|
+
- lib/jwt/claims/subject.rb
|
137
|
+
- lib/jwt/claims/verifier.rb
|
126
138
|
- lib/jwt/claims_validator.rb
|
127
139
|
- lib/jwt/configuration.rb
|
128
140
|
- lib/jwt/configuration/container.rb
|
@@ -134,6 +146,7 @@ files:
|
|
134
146
|
- lib/jwt/error.rb
|
135
147
|
- lib/jwt/json.rb
|
136
148
|
- lib/jwt/jwa.rb
|
149
|
+
- lib/jwt/jwa/compat.rb
|
137
150
|
- lib/jwt/jwa/ecdsa.rb
|
138
151
|
- lib/jwt/jwa/eddsa.rb
|
139
152
|
- lib/jwt/jwa/hmac.rb
|
@@ -142,6 +155,7 @@ files:
|
|
142
155
|
- lib/jwt/jwa/none.rb
|
143
156
|
- lib/jwt/jwa/ps.rb
|
144
157
|
- lib/jwt/jwa/rsa.rb
|
158
|
+
- lib/jwt/jwa/signing_algorithm.rb
|
145
159
|
- lib/jwt/jwa/unsupported.rb
|
146
160
|
- lib/jwt/jwa/wrapper.rb
|
147
161
|
- lib/jwt/jwk.rb
|
@@ -163,9 +177,9 @@ licenses:
|
|
163
177
|
- MIT
|
164
178
|
metadata:
|
165
179
|
bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
|
166
|
-
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.
|
180
|
+
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.9.3/CHANGELOG.md
|
167
181
|
rubygems_mfa_required: 'true'
|
168
|
-
post_install_message:
|
182
|
+
post_install_message:
|
169
183
|
rdoc_options: []
|
170
184
|
require_paths:
|
171
185
|
- lib
|
@@ -180,8 +194,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
180
194
|
- !ruby/object:Gem::Version
|
181
195
|
version: '0'
|
182
196
|
requirements: []
|
183
|
-
rubygems_version: 3.5.
|
184
|
-
signing_key:
|
197
|
+
rubygems_version: 3.5.16
|
198
|
+
signing_key:
|
185
199
|
specification_version: 4
|
186
200
|
summary: JSON Web Token implementation in Ruby
|
187
201
|
test_files: []
|