jwt 3.1.0 → 3.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/README.md +1 -1
- data/lib/jwt/encoded_token.rb +1 -1
- data/lib/jwt/jwa.rb +26 -5
- data/lib/jwt/jwk/key_base.rb +3 -8
- data/lib/jwt/token.rb +2 -2
- data/lib/jwt/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3380efe421e4f603914588590fc533c17279e19e85c463b23966a3a8c8e7c663
|
|
4
|
+
data.tar.gz: 56c81c1ab9cbdd91b6b390ba01a27b4ec45d26956b8fba29e2af313de049f785
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 044edf6b74d2f0c3efd3dd3280aa6aeeb8a8c6532b96b4def9745b0a1c3dca53940af68e3e5bf169aeef0be92583c279efd8f60af1156e5a7625d63d4bfade8e
|
|
7
|
+
data.tar.gz: 58beba33f077fd033cbcfb674bebae905360dd96dcd11520b5633b4be0579a4e7e8b9584c99f8dcc605481f7e67e003ca356e1b7d75368db3ae1abb0056611ac
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
## [v3.1.1](https://github.com/jwt/ruby-jwt/tree/v3.1.1) (2025-06-24)
|
|
4
|
+
|
|
5
|
+
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v3.1.0...v3.1.1)
|
|
6
|
+
|
|
7
|
+
**Fixes and enhancements:**
|
|
8
|
+
|
|
9
|
+
- Require the algorithm to be provided when signing and verifying tokens using JWKs [#695](https://github.com/jwt/ruby-jwt/pull/695) ([@anakinj](https://github.com/anakinj))
|
|
10
|
+
|
|
3
11
|
## [v3.1.0](https://github.com/jwt/ruby-jwt/tree/v3.1.0) (2025-06-23)
|
|
4
12
|
|
|
5
13
|
[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v3.0.0...v3.1.0)
|
data/README.md
CHANGED
|
@@ -268,7 +268,7 @@ token = JWT::Token.new(payload: payload, header: header)
|
|
|
268
268
|
token.sign!(key: jwk)
|
|
269
269
|
|
|
270
270
|
encoded_token = JWT::EncodedToken.new(token.jwt)
|
|
271
|
-
encoded_token.verify!(signature: { key: jwk})
|
|
271
|
+
encoded_token.verify!(signature: { algorithm: ["HS256", "HS512"], key: jwk})
|
|
272
272
|
```
|
|
273
273
|
|
|
274
274
|
#### Using a keyfinder
|
data/lib/jwt/encoded_token.rb
CHANGED
|
@@ -138,7 +138,7 @@ module JWT
|
|
|
138
138
|
# @return [nil]
|
|
139
139
|
# @raise [JWT::VerificationError] if the signature verification fails.
|
|
140
140
|
# @raise [ArgumentError] if neither key nor key_finder is provided, or if both are provided.
|
|
141
|
-
def verify_signature!(algorithm
|
|
141
|
+
def verify_signature!(algorithm:, key: nil, key_finder: nil)
|
|
142
142
|
return if valid_signature?(algorithm: algorithm, key: key, key_finder: key_finder)
|
|
143
143
|
|
|
144
144
|
raise JWT::VerificationError, 'Signature verification failed'
|
data/lib/jwt/jwa.rb
CHANGED
|
@@ -15,6 +15,8 @@ module JWT
|
|
|
15
15
|
module JWA
|
|
16
16
|
# @api private
|
|
17
17
|
class VerifierContext
|
|
18
|
+
attr_reader :jwa
|
|
19
|
+
|
|
18
20
|
def initialize(jwa:, keys:)
|
|
19
21
|
@jwa = jwa
|
|
20
22
|
@keys = Array(keys)
|
|
@@ -29,6 +31,8 @@ module JWT
|
|
|
29
31
|
|
|
30
32
|
# @api private
|
|
31
33
|
class SignerContext
|
|
34
|
+
attr_reader :jwa
|
|
35
|
+
|
|
32
36
|
def initialize(jwa:, key:)
|
|
33
37
|
@jwa = jwa
|
|
34
38
|
@key = key
|
|
@@ -37,10 +41,6 @@ module JWT
|
|
|
37
41
|
def sign(*args, **kwargs)
|
|
38
42
|
@jwa.sign(*args, **kwargs, signing_key: @key)
|
|
39
43
|
end
|
|
40
|
-
|
|
41
|
-
def jwa_header
|
|
42
|
-
@jwa.header
|
|
43
|
-
end
|
|
44
44
|
end
|
|
45
45
|
|
|
46
46
|
class << self
|
|
@@ -64,7 +64,11 @@ module JWT
|
|
|
64
64
|
|
|
65
65
|
# @api private
|
|
66
66
|
def create_signer(algorithm:, key:)
|
|
67
|
-
|
|
67
|
+
if key.is_a?(JWK::KeyBase)
|
|
68
|
+
validate_jwk_algorithms!(key, algorithm, DecodeError)
|
|
69
|
+
|
|
70
|
+
return key
|
|
71
|
+
end
|
|
68
72
|
|
|
69
73
|
SignerContext.new(jwa: resolve(algorithm), key: key)
|
|
70
74
|
end
|
|
@@ -73,10 +77,27 @@ module JWT
|
|
|
73
77
|
def create_verifiers(algorithms:, keys:, preferred_algorithm:)
|
|
74
78
|
jwks, other_keys = keys.partition { |key| key.is_a?(JWK::KeyBase) }
|
|
75
79
|
|
|
80
|
+
validate_jwk_algorithms!(jwks, algorithms, VerificationError)
|
|
81
|
+
|
|
76
82
|
jwks + resolve_and_sort(algorithms: algorithms,
|
|
77
83
|
preferred_algorithm: preferred_algorithm)
|
|
78
84
|
.map { |jwa| VerifierContext.new(jwa: jwa, keys: other_keys) }
|
|
79
85
|
end
|
|
86
|
+
|
|
87
|
+
# @api private
|
|
88
|
+
def validate_jwk_algorithms!(jwks, algorithms, error_class)
|
|
89
|
+
algorithms = Array(algorithms)
|
|
90
|
+
|
|
91
|
+
return if algorithms.empty?
|
|
92
|
+
|
|
93
|
+
return if Array(jwks).all? do |jwk|
|
|
94
|
+
algorithms.any? do |alg|
|
|
95
|
+
jwk.jwa.valid_alg?(alg)
|
|
96
|
+
end
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
raise error_class, "Provided JWKs do not support one of the specified algorithms: #{algorithms.join(', ')}"
|
|
100
|
+
end
|
|
80
101
|
end
|
|
81
102
|
end
|
|
82
103
|
end
|
data/lib/jwt/jwk/key_base.rb
CHANGED
|
@@ -50,11 +50,6 @@ module JWT
|
|
|
50
50
|
jwa.sign(**kwargs, signing_key: signing_key)
|
|
51
51
|
end
|
|
52
52
|
|
|
53
|
-
# @api private
|
|
54
|
-
def jwa_header
|
|
55
|
-
jwa.header
|
|
56
|
-
end
|
|
57
|
-
|
|
58
53
|
alias eql? ==
|
|
59
54
|
|
|
60
55
|
def <=>(other)
|
|
@@ -63,12 +58,12 @@ module JWT
|
|
|
63
58
|
self[:kid] <=> other[:kid]
|
|
64
59
|
end
|
|
65
60
|
|
|
66
|
-
private
|
|
67
|
-
|
|
68
61
|
def jwa
|
|
69
62
|
raise JWT::JWKError, 'Could not resolve the JWA, the "alg" parameter is missing' unless self[:alg]
|
|
70
63
|
|
|
71
|
-
JWA.resolve(self[:alg])
|
|
64
|
+
JWA.resolve(self[:alg]).tap do |jwa|
|
|
65
|
+
raise JWT::JWKError, 'none algorithm usage not supported via JWK' if jwa.is_a?(JWA::None)
|
|
66
|
+
end
|
|
72
67
|
end
|
|
73
68
|
|
|
74
69
|
attr_reader :parameters
|
data/lib/jwt/token.rb
CHANGED
|
@@ -91,11 +91,11 @@ module JWT
|
|
|
91
91
|
# @param algorithm [String, Object] the algorithm to use for signing.
|
|
92
92
|
# @return [void]
|
|
93
93
|
# @raise [JWT::EncodeError] if the token is already signed or other problems when signing
|
|
94
|
-
def sign!(key:, algorithm:
|
|
94
|
+
def sign!(key:, algorithm:)
|
|
95
95
|
raise ::JWT::EncodeError, 'Token already signed' if @signature
|
|
96
96
|
|
|
97
97
|
JWA.create_signer(algorithm: algorithm, key: key).tap do |signer|
|
|
98
|
-
header.merge!(signer.
|
|
98
|
+
header.merge!(signer.jwa.header) { |_key, old, _new| old }
|
|
99
99
|
@signature = signer.sign(data: signing_input)
|
|
100
100
|
end
|
|
101
101
|
|
data/lib/jwt/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.1.
|
|
4
|
+
version: 3.1.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Tim Rudat
|
|
@@ -199,7 +199,7 @@ licenses:
|
|
|
199
199
|
- MIT
|
|
200
200
|
metadata:
|
|
201
201
|
bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
|
|
202
|
-
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v3.1.
|
|
202
|
+
changelog_uri: https://github.com/jwt/ruby-jwt/blob/v3.1.1/CHANGELOG.md
|
|
203
203
|
rubygems_mfa_required: 'true'
|
|
204
204
|
rdoc_options: []
|
|
205
205
|
require_paths:
|