jwt 1.5.2 → 1.5.4

checksums.yaml

@@ -1,7 +1,15 @@
 ---
-SHA1:
-  metadata.gz: 6ff1115eaca264c9790778ded501361f414caa62
-  data.tar.gz: 9a42e93dc852e9456dbf793a34bd922f38f541c7
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    NDM3ZjQ5OWVjMGQ3NDYxZWRmZjAxNTQzZmU5YjlhODg4YzcwY2QzMg==
+  data.tar.gz: !binary |-
+    YmM3YWU5NTkxNDEzOGQyMTAzMTIyYzVmNWNhY2ZlMWU2NTFlZjliNQ==
 SHA512:
-  metadata.gz: 590c037185cc14d2f1dff665960131b6960a601a82448f0330abfd5378f742d038a72dec7bc7bfe15d7e5f4ddee9733f4d3aff9e5c3141c1b950aa0ad61b52fa
-  data.tar.gz: dce378411b1e8f3687afa6fa1cbe75dc60990e7df93b04da9ad71c9529d4a856e4dab215ec568b819b9fea626d150002a067fe1d0ed38680d260f7701337ac0a
+  metadata.gz: !binary |-
+    NzA3NWQ4ZjQ4OWEyNTY5ZjE5NGYzMjBhZDkzMmZhOTdmNzcwMmMxNWI5MmYz
+    N2E3MmE5NmQ1ZjlhZTU2ZDc3NDYxYzIxZjhkMjJjOGE1NDI5MDI4MmVmN2Fi
+    ZGExYWMzOGI3ZDAxNWE2NzdhOWRjNjkzZjAxMjRmMGM0NTIwZDU=
+  data.tar.gz: !binary |-
+    OGQxM2IyM2E1ZTUzM2QzZjBlMmZiYzBiMGU4OGM5YjI5NTU0YjA2ZWQ3MDY3
+    MjQ0ZDMxNTEzMWE0NzUzYjAxOGQ2MTAwZTFiMmU5YmYzZDFjYTVhNTdhOGVm
+    N2Q3Mjk0ODMxYWI3NDg3M2IwYzA5MmMwYTgzNzhjM2U5YTJkODI=

data/.codeclimate.yml

@@ -0,0 +1,20 @@
+engines:
+  rubocop:
+    enabled: true
+  golint:
+    enabled: false
+  gofmt:
+    enabled: false
+  eslint:
+    enabled: false
+  csslint:
+    enabled: false
+
+ratings:
+  paths:
+    - lib/**
+    - "**.rb"
+
+exclude_paths:
+  - spec/**/*
+  - vendor/**/*

data/.gitignore

@@ -0,0 +1,6 @@
+.idea/
+jwt.gemspec
+pkg
+Gemfile.lock
+coverage/
+.DS_Store

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format d

data/.rubocop.yml

@@ -0,0 +1,2 @@
+Metrics/LineLength:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,13 @@
+sudo: false
+cache: bundler
+language: ruby
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+  - 2.2.0
+  - 2.3.0
+script: "bundle exec rspec"
+addons:
+  code_climate:
+    repo_token: e87b175db123ab42ca2ca4420abaa13c0dc2085608402b9a25f08a83ca3ba202

data/Gemfile

@@ -0,0 +1,4 @@
+# encoding: utf-8
+source 'https://rubygems.org'
+
+gemspec

data/README.md

@@ -1,14 +1,33 @@
 # JWT
-A Ruby implementation of [JSON Web Token](https://tools.ietf.org/html/rfc7519).
+
+[![Build Status](https://travis-ci.org/jwt/ruby-jwt.svg)](https://travis-ci.org/jwt/ruby-jwt)
+[![Code Climate](https://codeclimate.com/github/jwt/ruby-jwt/badges/gpa.svg)](https://codeclimate.com/github/jwt/ruby-jwt)
+[![Test Coverage](https://codeclimate.com/github/jwt/ruby-jwt/badges/coverage.svg)](https://codeclimate.com/github/jwt/ruby-jwt/coverage)
+[![Issue Count](https://codeclimate.com/github/jwt/ruby-jwt/badges/issue_count.svg)](https://codeclimate.com/github/jwt/ruby-jwt)
+
+A pure ruby implementation of the [RFC 7519 OAuth JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519) standard.
 
 If you have further questions releated to development or usage, join us: [ruby-jwt google group](https://groups.google.com/forum/#!forum/ruby-jwt).
 
+## Announcements
+
+* Ruby 1.9.3 support will be dropped by December 31st, 2016.
+* Version 1.5.3 yanked. See: #132 and #133
+
 ## Installing
 
+### Using Rubygems:
 ```bash
 sudo gem install jwt
 ```
 
+### Using Bundler:
+Add the following to your Gemfile
+```
+gem 'jwt'
+```
+And run `bundle install`
+
 ## Algorithms and Usage
 
 The JWT spec supports NONE, HMAC, RSASSA, ECDSA and RSASSA-PSS algorithms for cryptographic signing. Currently the jwt gem supports NONE, HMAC, RSASSA and ECDSA. If you are using cryptographic signing, you need to specify the algorithm in the options hash whenever you call JWT.decode to ensure that an attacker [cannot bypass the algorithm verification step](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/).
@@ -227,7 +246,7 @@ token = JWT.encode iss_payload, hmac_secret, 'HS256'
 
 begin
   # Add iss to the validation to check if the token has been manipulated
-  decoded_token = JWT.decode token, hmac_secret, true, { 'iss' => iss, :verify_iss => true, :algorithm => 'HS256' }
+  decoded_token = JWT.decode token, hmac_secret, true, { :iss => iss, :verify_iss => true, :algorithm => 'HS256' }
 rescue JWT::InvalidIssuerError
   # Handle invalid token, e.g. logout user or deny access
 end
@@ -247,7 +266,7 @@ token = JWT.encode aud_payload, hmac_secret, 'HS256'
 
 begin
   # Add aud to the validation to check if the token has been manipulated
-  decoded_token = JWT.decode token, hmac_secret, true, { 'aud' => aud, :verify_aud => true, :algorithm => 'HS256' }
+  decoded_token = JWT.decode token, hmac_secret, true, { :aud => aud, :verify_aud => true, :algorithm => 'HS256' }
 rescue JWT::InvalidAudError
   # Handle invalid token, e.g. logout user or deny access
   puts 'Audience Error'
@@ -261,8 +280,6 @@ From [Oauth JSON Web Token 4.1.7. "jti" (JWT ID) Claim](https://tools.ietf.org/h
 > The `jti` (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The `jti` claim can be used to prevent the JWT from being replayed. The `jti` value is a case-sensitive string. Use of this claim is OPTIONAL.
 
 ```ruby
-# in order to use JTI you have to add iat
-iat = Time.now.to_i
 # Use the secret and iat to create a unique key per request to prevent replay attacks
 jti_raw = [hmac_secret, iat].join(':').to_s
 jti = Digest::MD5.hexdigest(jti_raw)
@@ -271,9 +288,10 @@ jti_payload = { :data => 'data', :iat => iat, :jti => jti }
 token = JWT.encode jti_payload, hmac_secret, 'HS256'
 
 begin
-  # Add jti and iat to the validation to check if the token has been manipulated
-  decoded_token = JWT.decode token, hmac_secret, true, { 'jti' => jti, :verify_jti => true, :algorithm => 'HS256' }
-  # Check if the JTI has already been used
+  # If :verify_jti is true, validation will pass if a JTI is present
+  #decoded_token = JWT.decode token, hmac_secret, true, { :verify_jti => true, :algorithm => 'HS256' }
+  # Alternatively, pass a proc with your own code to check if the JTI has already been used
+  decoded_token = JWT.decode token, hmac_secret, true, { :verify_jti => proc { |jti| my_validation_method(jti) }, :algorithm => 'HS256' }
 rescue JWT::InvalidJtiError
   # Handle invalid token, e.g. logout user or deny access
   puts 'Error'
@@ -323,16 +341,16 @@ end
 
 # Development and Tests
 
-We depend on [Echoe](http://rubygems.org/gems/echoe) for defining gemspec and performing releases to rubygems.org, which can be done with
+We depend on [Bundler](http://rubygems.org/gems/bundler) for defining gemspec and performing releases to rubygems.org, which can be done with
 
 ```bash
 rake release
 ```
 
-The tests are written with rspec. Given you have rake and rspec, you can run tests with
+The tests are written with rspec. Given you have installed the dependencies via bundler, you can run tests with
 
 ```bash
-rake test
+bundle exec rspec
 ```
 
 **If you want a release cut with your PR, please include a version bump according to [Semantic Versioning](http://semver.org/)**

data/Rakefile

@@ -1,18 +1 @@
-# encoding: utf-8
-require 'rubygems'
-require 'rake'
-require 'echoe'
-
-Echoe.new('jwt', '1.5.2') do |p|
-  p.description = 'JSON Web Token implementation in Ruby'
-  p.url = 'http://github.com/progrium/ruby-jwt'
-  p.author = 'Jeff Lindsay'
-  p.email = 'progrium@gmail.com'
-  p.ignore_pattern = ['tmp/*']
-  p.development_dependencies = ['echoe >=4.6.3']
-  p.licenses = 'MIT'
-end
-
-task :test do
-  sh 'rspec spec/jwt_spec.rb'
-end
+require 'bundler/gem_tasks'

data/lib/jwt.rb

@@ -1,7 +1,7 @@
-# encoding: utf-8
-
 require 'base64'
 require 'openssl'
+require 'jwt/decode'
+require 'jwt/error'
 require 'jwt/json'
 
 # JSON Web Token implementation
@@ -9,16 +9,6 @@ require 'jwt/json'
 # Should be up to date with the latest spec:
 # https://tools.ietf.org/html/rfc7519#section-4.1.5
 module JWT
-  class DecodeError < StandardError; end
-  class VerificationError < DecodeError; end
-  class ExpiredSignature < DecodeError; end
-  class IncorrectAlgorithm < DecodeError; end
-  class ImmatureSignature < DecodeError; end
-  class InvalidIssuerError < DecodeError; end
-  class InvalidIatError < DecodeError; end
-  class InvalidAudError < DecodeError; end
-  class InvalidSubError < DecodeError; end
-  class InvalidJtiError < DecodeError; end
   extend JWT::Json
 
   NAMED_CURVES = {
@@ -73,11 +63,6 @@ module JWT
     OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
   end
 
-  def base64url_decode(str)
-    str += '=' * (4 - str.length.modulo(4))
-    Base64.decode64(str.tr('-_', '+/'))
-  end
-
   def base64url_encode(str)
     Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
   end
@@ -109,34 +94,10 @@ module JWT
     segments.join('.')
   end
 
-  def raw_segments(jwt, verify = true)
-    segments = jwt.split('.')
-    required_num_segments = verify ? [3] : [2, 3]
-    fail(JWT::DecodeError, 'Not enough or too many segments') unless required_num_segments.include? segments.length
-    segments
-  end
-
-  def decode_header_and_payload(header_segment, payload_segment)
-    header = decode_json(base64url_decode(header_segment))
-    payload = decode_json(base64url_decode(payload_segment))
-    [header, payload]
-  end
-
-  def decoded_segments(jwt, verify = true)
-    header_segment, payload_segment, crypto_segment = raw_segments(jwt, verify)
-    header, payload = decode_header_and_payload(header_segment, payload_segment)
-    signature = base64url_decode(crypto_segment.to_s) if verify
-    signing_input = [header_segment, payload_segment].join('.')
-    [header, payload, signature, signing_input]
-  end
-
-  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder)
+  def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
     fail(JWT::DecodeError, 'Nil JSON web token') unless jwt
 
-    header, payload, signature, signing_input = decoded_segments(jwt, verify)
-    fail(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
-
-    default_options = {
+    options = {
       verify_expiration: true,
       verify_not_before: true,
       verify_iss: false,
@@ -147,43 +108,22 @@ module JWT
       leeway: 0
     }
 
-    options = default_options.merge(options)
+    merged_options = options.merge(custom_options)
+
+    decoder = Decode.new jwt, key, verify, merged_options, &keyfinder
+    header, payload, signature, signing_input = decoder.decode_segments
+    decoder.verify
+
+    fail(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
 
     if verify
       algo, key = signature_algorithm_and_key(header, key, &keyfinder)
-      if options[:algorithm] && algo != options[:algorithm]
+      if merged_options[:algorithm] && algo != merged_options[:algorithm]
         fail JWT::IncorrectAlgorithm, 'Expected a different algorithm'
       end
       verify_signature(algo, key, signing_input, signature)
     end
 
-    if options[:verify_expiration] && payload.include?('exp')
-      fail(JWT::ExpiredSignature, 'Signature has expired') unless payload['exp'].to_i > (Time.now.to_i - options[:leeway])
-    end
-    if options[:verify_not_before] && payload.include?('nbf')
-      fail(JWT::ImmatureSignature, 'Signature nbf has not been reached') unless payload['nbf'].to_i <= (Time.now.to_i + options[:leeway])
-    end
-    if options[:verify_iss] && options[:iss]
-      fail(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options[:iss]}, received #{payload['iss'] || '<none>'}") unless payload['iss'].to_s == options[:iss].to_s
-    end
-    if options[:verify_iat] && payload.include?('iat')
-      fail(JWT::InvalidIatError, 'Invalid iat') unless payload['iat'].is_a?(Integer) && payload['iat'].to_i <= (Time.now.to_i + options[:leeway])
-    end
-    if options[:verify_aud] && options[:aud]
-      if payload[:aud].is_a?(Array)
-        fail(JWT::InvalidAudError, 'Invalid audience') unless payload['aud'].include?(options[:aud].to_s)
-      else
-        fail(JWT::InvalidAudError, "Invalid audience. Expected #{options[:aud]}, received #{payload['aud'] || '<none>'}") unless payload['aud'].to_s == options[:aud].to_s
-      end
-    end
-    if options[:verify_sub] && options.include?(:sub)
-      fail(JWT::InvalidSubError, "Invalid subject. Expected #{options[:sub]}, received #{payload['sub'] || '<none>'}") unless payload['sub'].to_s == options[:sub].to_s
-    end
-    if options[:verify_jti] && payload.include?('jti')
-      fail(JWT::InvalidJtiError, 'need iat for verify jwt id') unless payload.include?('iat')
-      fail(JWT::InvalidJtiError, 'Not a uniq jwt id') unless options[:jti].to_s == Digest::MD5.hexdigest("#{key}:#{payload['iat']}")
-    end
-
     [payload, header]
   end
 
@@ -194,11 +134,11 @@ module JWT
 
   def verify_signature(algo, key, signing_input, signature)
     if %w(HS256 HS384 HS512).include?(algo)
-      fail(JWT::VerificationError, 'Signature verification raiseed') unless secure_compare(signature, sign_hmac(algo, signing_input, key))
+      fail(JWT::VerificationError, 'Signature verification raised') unless secure_compare(signature, sign_hmac(algo, signing_input, key))
     elsif %w(RS256 RS384 RS512).include?(algo)
-      fail(JWT::VerificationError, 'Signature verification raiseed') unless verify_rsa(algo, key, signing_input, signature)
+      fail(JWT::VerificationError, 'Signature verification raised') unless verify_rsa(algo, key, signing_input, signature)
     elsif %w(ES256 ES384 ES512).include?(algo)
-      fail(JWT::VerificationError, 'Signature verification raiseed') unless verify_ecdsa(algo, key, signing_input, signature)
+      fail(JWT::VerificationError, 'Signature verification raised') unless verify_ecdsa(algo, key, signing_input, signature)
     else
       fail JWT::VerificationError, 'Algorithm not supported'
     end
@@ -230,4 +170,8 @@ module JWT
     byte_size = (public_key.group.degree + 7) / 8
     OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
   end
+
+  def base64url_decode(str)
+    Decode.base64url_decode(str)
+  end
 end

data/lib/jwt/decode.rb

@@ -0,0 +1,56 @@
+require 'jwt/json'
+require 'jwt/verify'
+
+# JWT::Decode module
+module JWT
+  extend JWT::Json
+
+  # Decoding logic for JWT
+  class Decode
+    attr_reader :header, :payload, :signature
+
+    def initialize(jwt, key, verify, options, &keyfinder)
+      @jwt = jwt
+      @key = key
+      @verify = verify
+      @options = options
+      @keyfinder = keyfinder
+    end
+
+    def decode_segments
+      header_segment, payload_segment, crypto_segment = raw_segments(@jwt, @verify)
+      @header, @payload = decode_header_and_payload(header_segment, payload_segment)
+      @signature = Decode.base64url_decode(crypto_segment.to_s) if @verify
+      signing_input = [header_segment, payload_segment].join('.')
+      [@header, @payload, @signature, signing_input]
+    end
+
+    def raw_segments(jwt, verify)
+      segments = jwt.split('.')
+      required_num_segments = verify ? [3] : [2, 3]
+      fail(JWT::DecodeError, 'Not enough or too many segments') unless required_num_segments.include? segments.length
+      segments
+    end
+    private :raw_segments
+
+    def decode_header_and_payload(header_segment, payload_segment)
+      header = JWT.decode_json(Decode.base64url_decode(header_segment))
+      payload = JWT.decode_json(Decode.base64url_decode(payload_segment))
+      [header, payload]
+    end
+    private :decode_header_and_payload
+
+    def self.base64url_decode(str)
+      str += '=' * (4 - str.length.modulo(4))
+      Base64.decode64(str.tr('-_', '+/'))
+    end
+
+    def verify
+      @options.each do |key, val|
+        next unless key.to_s.match(/verify/)
+
+        Verify.send(key, payload, @options) if val
+      end
+    end
+  end
+end

data/lib/jwt/error.rb

@@ -0,0 +1,12 @@
+module JWT
+  class DecodeError < StandardError; end
+  class VerificationError < DecodeError; end
+  class ExpiredSignature < DecodeError; end
+  class IncorrectAlgorithm < DecodeError; end
+  class ImmatureSignature < DecodeError; end
+  class InvalidIssuerError < DecodeError; end
+  class InvalidIatError < DecodeError; end
+  class InvalidAudError < DecodeError; end
+  class InvalidSubError < DecodeError; end
+  class InvalidJtiError < DecodeError; end
+end

data/lib/jwt/json.rb

@@ -1,32 +1,16 @@
-# encoding: utf-8
+require 'json'
+
 module JWT
   # JSON fallback implementation or ruby 1.8.x
   module Json
-    if RUBY_VERSION >= '1.9' && !defined?(MultiJson)
-      require 'json'
-
-      def decode_json(encoded)
-        JSON.parse(encoded)
-      rescue JSON::ParserError
-        raise JWT::DecodeError, 'Invalid segment encoding'
-      end
-
-      def encode_json(raw)
-        JSON.generate(raw)
-      end
-
-    else
-      require 'multi_json'
-
-      def decode_json(encoded)
-        MultiJson.decode(encoded)
-      rescue MultiJson::LoadError
-        raise JWT::DecodeError, 'Invalid segment encoding'
-      end
+    def decode_json(encoded)
+      JSON.parse(encoded)
+    rescue JSON::ParserError
+      raise JWT::DecodeError, 'Invalid segment encoding'
+    end
 
-      def encode_json(raw)
-        MultiJson.encode(raw)
-      end
+    def encode_json(raw)
+      JSON.generate(raw)
     end
   end
 end