jwt 2.8.2 → 3.1.1

data/lib/jwt/deprecations.rb

@@ -1,48 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  # Deprecations module to handle deprecation warnings in the gem
-  module Deprecations
-    class << self
-      def context
-        yield.tap { emit_warnings }
-      ensure
-        Thread.current[:jwt_warning_store] = nil
-      end
-
-      def warning(message, only_if_valid: false)
-        method_name = only_if_valid ? :store : :warn
-        case JWT.configuration.deprecation_warnings
-        when :once
-          return if record_warned(message)
-        when :warn
-          # noop
-        else
-          return
-        end
-
-        send(method_name, "[DEPRECATION WARNING] #{message}")
-      end
-
-      def store(message)
-        (Thread.current[:jwt_warning_store] ||= []) << message
-      end
-
-      def emit_warnings
-        return if Thread.current[:jwt_warning_store].nil?
-
-        Thread.current[:jwt_warning_store].each { |warning| warn(warning) }
-      end
-
-      private
-
-      def record_warned(message)
-        @warned ||= []
-        return true if @warned.include?(message)
-
-        @warned << message
-        false
-      end
-    end
-  end
-end

data/lib/jwt/jwa/eddsa.rb

@@ -1,42 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module JWA
-    module Eddsa
-      SUPPORTED = %w[ED25519 EdDSA].freeze
-      SUPPORTED_DOWNCASED = SUPPORTED.map(&:downcase).freeze
-
-      class << self
-        def sign(algorithm, msg, key)
-          unless key.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)
-            raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
-          end
-
-          validate_algorithm!(algorithm)
-
-          key.sign(msg)
-        end
-
-        def verify(algorithm, public_key, signing_input, signature)
-          unless public_key.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey)
-            raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey"
-          end
-
-          validate_algorithm!(algorithm)
-
-          public_key.verify(signature, signing_input)
-        rescue RbNaCl::CryptoError
-          false
-        end
-
-        private
-
-        def validate_algorithm!(algorithm)
-          return if SUPPORTED_DOWNCASED.include?(algorithm.downcase)
-
-          raise IncorrectAlgorithm, "Algorithm #{algorithm} not supported. Supported algoritms are #{SUPPORTED.join(', ')}"
-        end
-      end
-    end
-  end
-end

data/lib/jwt/jwa/hmac_rbnacl.rb

@@ -1,50 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module HmacRbNaCl
-      MAPPING   = { 'HS512256' => ::RbNaCl::HMAC::SHA512256 }.freeze
-      SUPPORTED = MAPPING.keys
-      class << self
-        def sign(algorithm, msg, key)
-          Deprecations.warning("The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
-          if (hmac = resolve_algorithm(algorithm))
-            hmac.auth(key_for_rbnacl(hmac, key).encode('binary'), msg.encode('binary'))
-          else
-            Hmac.sign(algorithm, msg, key)
-          end
-        end
-
-        def verify(algorithm, key, signing_input, signature)
-          Deprecations.warning("The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
-          if (hmac = resolve_algorithm(algorithm))
-            hmac.verify(key_for_rbnacl(hmac, key).encode('binary'), signature.encode('binary'), signing_input.encode('binary'))
-          else
-            Hmac.verify(algorithm, key, signing_input, signature)
-          end
-        rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-          false
-        end
-
-        private
-
-        def key_for_rbnacl(hmac, key)
-          key ||= ''
-          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-          return padded_empty_key(hmac.key_bytes) if key == ''
-
-          key
-        end
-
-        def resolve_algorithm(algorithm)
-          MAPPING.fetch(algorithm)
-        end
-
-        def padded_empty_key(length)
-          Array.new(length, 0x0).pack('C*').encode('binary')
-        end
-      end
-    end
-  end
-end

data/lib/jwt/jwa/hmac_rbnacl_fixed.rb

@@ -1,46 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module Algos
-    module HmacRbNaClFixed
-      MAPPING   = { 'HS512256' => ::RbNaCl::HMAC::SHA512256 }.freeze
-      SUPPORTED = MAPPING.keys
-
-      class << self
-        def sign(algorithm, msg, key)
-          key ||= ''
-          Deprecations.warning("The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
-          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-          if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-            hmac.auth(padded_key_bytes(key, hmac.key_bytes), msg.encode('binary'))
-          else
-            Hmac.sign(algorithm, msg, key)
-          end
-        end
-
-        def verify(algorithm, key, signing_input, signature)
-          key ||= ''
-          Deprecations.warning("The use of the algorithm #{algorithm} is deprecated and will be removed in the next major version of ruby-jwt")
-          raise JWT::DecodeError, 'HMAC key expected to be a String' unless key.is_a?(String)
-
-          if (hmac = resolve_algorithm(algorithm)) && key.bytesize <= hmac.key_bytes
-            hmac.verify(padded_key_bytes(key, hmac.key_bytes), signature.encode('binary'), signing_input.encode('binary'))
-          else
-            Hmac.verify(algorithm, key, signing_input, signature)
-          end
-        rescue ::RbNaCl::BadAuthenticatorError, ::RbNaCl::LengthError
-          false
-        end
-
-        def resolve_algorithm(algorithm)
-          MAPPING.fetch(algorithm)
-        end
-
-        def padded_key_bytes(key, bytesize)
-          key.bytes.fill(0, key.bytesize...bytesize).pack('C*')
-        end
-      end
-    end
-  end
-end

data/lib/jwt/jwa/wrapper.rb

@@ -1,26 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module JWA
-    class Wrapper
-      attr_reader :alg, :cls
-
-      def initialize(alg, cls)
-        @alg = alg
-        @cls = cls
-      end
-
-      def valid_alg?(alg_to_check)
-        alg&.casecmp(alg_to_check)&.zero? == true
-      end
-
-      def sign(data:, signing_key:)
-        cls.sign(alg, data, signing_key)
-      end
-
-      def verify(data:, signature:, verification_key:)
-        cls.verify(alg, verification_key, data, signature)
-      end
-    end
-  end
-end

data/lib/jwt/jwk/okp_rbnacl.rb

@@ -1,110 +0,0 @@
-# frozen_string_literal: true
-
-module JWT
-  module JWK
-    class OKPRbNaCl < KeyBase
-      KTY  = 'OKP'
-      KTYS = [KTY, JWT::JWK::OKPRbNaCl, RbNaCl::Signatures::Ed25519::SigningKey, RbNaCl::Signatures::Ed25519::VerifyKey].freeze
-      OKP_PUBLIC_KEY_ELEMENTS = %i[kty n x].freeze
-      OKP_PRIVATE_KEY_ELEMENTS = %i[d].freeze
-
-      def initialize(key, params = nil, options = {})
-        params ||= {}
-
-        # For backwards compatibility when kid was a String
-        params = { kid: params } if params.is_a?(String)
-
-        key_params = extract_key_params(key)
-
-        params = params.transform_keys(&:to_sym)
-        check_jwk_params!(key_params, params)
-        super(options, key_params.merge(params))
-      end
-
-      def verify_key
-        return @verify_key if defined?(@verify_key)
-
-        @verify_key = verify_key_from_parameters
-      end
-
-      def signing_key
-        return @signing_key if defined?(@signing_key)
-
-        @signing_key = signing_key_from_parameters
-      end
-
-      def key_digest
-        Thumbprint.new(self).to_s
-      end
-
-      def private?
-        !signing_key.nil?
-      end
-
-      def members
-        OKP_PUBLIC_KEY_ELEMENTS.each_with_object({}) { |i, h| h[i] = self[i] }
-      end
-
-      def export(options = {})
-        exported = parameters.clone
-        exported.reject! { |k, _| OKP_PRIVATE_KEY_ELEMENTS.include?(k) } unless private? && options[:include_private] == true
-        exported
-      end
-
-      private
-
-      def extract_key_params(key)
-        case key
-        when JWT::JWK::KeyBase
-          key.export(include_private: true)
-        when RbNaCl::Signatures::Ed25519::SigningKey
-          @signing_key = key
-          @verify_key = key.verify_key
-          parse_okp_key_params(@verify_key, @signing_key)
-        when RbNaCl::Signatures::Ed25519::VerifyKey
-          @signing_key = nil
-          @verify_key = key
-          parse_okp_key_params(@verify_key)
-        when Hash
-          key.transform_keys(&:to_sym)
-        else
-          raise ArgumentError, 'key must be of type RbNaCl::Signatures::Ed25519::SigningKey, RbNaCl::Signatures::Ed25519::VerifyKey or Hash with key parameters'
-        end
-      end
-
-      def check_jwk_params!(key_params, _given_params)
-        raise JWT::JWKError, "Incorrect 'kty' value: #{key_params[:kty]}, expected #{KTY}" unless key_params[:kty] == KTY
-      end
-
-      def parse_okp_key_params(verify_key, signing_key = nil)
-        params = {
-          kty: KTY,
-          crv: 'Ed25519',
-          x: ::JWT::Base64.url_encode(verify_key.to_bytes)
-        }
-
-        if signing_key
-          params[:d] = ::JWT::Base64.url_encode(signing_key.to_bytes)
-        end
-
-        params
-      end
-
-      def verify_key_from_parameters
-        RbNaCl::Signatures::Ed25519::VerifyKey.new(::JWT::Base64.url_decode(self[:x]))
-      end
-
-      def signing_key_from_parameters
-        return nil unless self[:d]
-
-        RbNaCl::Signatures::Ed25519::SigningKey.new(::JWT::Base64.url_decode(self[:d]))
-      end
-
-      class << self
-        def import(jwk_data)
-          new(jwk_data)
-        end
-      end
-    end
-  end
-end

data/lib/jwt/verify.rb

@@ -1,117 +0,0 @@
-# frozen_string_literal: true
-
-require 'jwt/error'
-
-module JWT
-  # JWT verify methods
-  class Verify
-    DEFAULTS = {
-      leeway: 0
-    }.freeze
-
-    class << self
-      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
-        define_method method_name do |payload, options|
-          new(payload, options).send(method_name)
-        end
-      end
-
-      def verify_claims(payload, options)
-        options.each do |key, val|
-          next unless key.to_s =~ /verify/
-
-          Verify.send(key, payload, options) if val
-        end
-      end
-    end
-
-    def initialize(payload, options)
-      @payload = payload
-      @options = DEFAULTS.merge(options)
-    end
-
-    def verify_aud
-      return unless (options_aud = @options[:aud])
-
-      aud = @payload['aud']
-      raise JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}" if ([*aud] & [*options_aud]).empty?
-    end
-
-    def verify_expiration
-      return unless contains_key?(@payload, 'exp')
-      raise JWT::ExpiredSignature, 'Signature has expired' if @payload['exp'].to_i <= (Time.now.to_i - exp_leeway)
-    end
-
-    def verify_iat
-      return unless contains_key?(@payload, 'iat')
-
-      iat = @payload['iat']
-      raise JWT::InvalidIatError, 'Invalid iat' if !iat.is_a?(Numeric) || iat.to_f > Time.now.to_f
-    end
-
-    def verify_iss
-      return unless (options_iss = @options[:iss])
-
-      iss = @payload['iss']
-
-      options_iss = Array(options_iss).map { |item| item.is_a?(Symbol) ? item.to_s : item }
-
-      case iss
-      when *options_iss
-        nil
-      else
-        raise JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}"
-      end
-    end
-
-    def verify_jti
-      options_verify_jti = @options[:verify_jti]
-      jti = @payload['jti']
-
-      if options_verify_jti.respond_to?(:call)
-        verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
-        raise JWT::InvalidJtiError, 'Invalid jti' unless verified
-      elsif jti.to_s.strip.empty?
-        raise JWT::InvalidJtiError, 'Missing jti'
-      end
-    end
-
-    def verify_not_before
-      return unless contains_key?(@payload, 'nbf')
-      raise JWT::ImmatureSignature, 'Signature nbf has not been reached' if @payload['nbf'].to_i > (Time.now.to_i + nbf_leeway)
-    end
-
-    def verify_sub
-      return unless (options_sub = @options[:sub])
-
-      sub = @payload['sub']
-      raise JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}" unless sub.to_s == options_sub.to_s
-    end
-
-    def verify_required_claims
-      return unless (options_required_claims = @options[:required_claims])
-
-      options_required_claims.each do |required_claim|
-        raise JWT::MissingRequiredClaim, "Missing required claim #{required_claim}" unless contains_key?(@payload, required_claim)
-      end
-    end
-
-    private
-
-    def global_leeway
-      @options[:leeway]
-    end
-
-    def exp_leeway
-      @options[:exp_leeway] || global_leeway
-    end
-
-    def nbf_leeway
-      @options[:nbf_leeway] || global_leeway
-    end
-
-    def contains_key?(payload, key)
-      payload.respond_to?(:key?) && payload.key?(key)
-    end
-  end
-end