jwt 2.2.3 → 2.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 52634c4d49dde601c2061590da9c75e1202c6f457d7e72f86081b9ff1ab4bd66
-  data.tar.gz: 9b6ce357479e71e5c04b390d2fcb03ae7bdde4f1fd028de2c59a988aca3aba9b
+  metadata.gz: a43128b4e2f4d47a90b9834ad66b65411794d599660e459f3296ad5eea043a74
+  data.tar.gz: 158319e4108c4001f499fe13195d6659e90e741a1e563fbc6f531bf820fb50e8
 SHA512:
-  metadata.gz: dd81e85c470265ae1f91bd263e52e1d4dc5448274fdfc3233f074fec75a9e4752699653244814bc6d4e7d1d0d15bd65daee70012d542165185486903fa52be76
-  data.tar.gz: 116dc782f864cfbfe742b85fc7a9a487df580540f50efe120841bc5576093f6f18f684e65dc3a0f107c45c11145ae8cb37ba77e3bd8fd2a1f70e44c331043382
+  metadata.gz: f2b714380b47796ead0390f84650d11b0c7a963256cb7475e122e71c7eebfd94af97bf029f091f7916c2c37819eef7795899112e0bdf685a5634445bdf307dce
+  data.tar.gz: a80b9e615d14c8fb673973b4bd9b76aaf2c9685298c0d2c2fd39a50902ddc62900ba2680b2c207593dfc9ea7993c72649c0e535d2a04c50d34c95c37c220b242

data/.github/workflows/test.yml

@@ -31,7 +31,7 @@ jobs:
           - 2.5
           - 2.6
           - 2.7
-          - 3.0
+          - "3.0"
         gemfile:
           - gemfiles/standalone.gemfile
           - gemfiles/openssl.gemfile

data/.rubocop_todo.yml

@@ -134,12 +134,6 @@ Style/ModuleFunction:
     - 'lib/jwt/algos.rb'
     - 'lib/jwt/signature.rb'
 
-# Offense count: 1
-# Cop supports --auto-correct.
-Style/MultilineIfModifier:
-  Exclude:
-    - 'spec/integration/readme_examples_spec.rb'
-
 # Offense count: 1
 # Cop supports --auto-correct.
 Style/MutableConstant:

data/AUTHORS

@@ -8,94 +8,105 @@ Emilio Cristalli
 Egon Zemmer
 Zane Shannon
 Nikita Shatov
-Oliver
 Paul Battley
+Oliver
 blackanger
 Adam Michael
+James Stonehill
 Ville Lautanala
 Tyler Pickett
-James Stonehill
 Peter M. Goldstein
 Martin Emde
-Richard Larocque
 Korstiaan de Ridder
-Klaas Jan Wierenga
-Antonis Berkakis
-Steve Sloan
-Yason Khaburzaniya
+Richard Larocque
+Andrew Davis
 Bill Mill
+Yason Khaburzaniya
+Steve Sloan
+Nick Hammond
+Antonis Berkakis
+Klaas Jan Wierenga
+yann ARMAND
+Brian Flethcer
+Erik Michaels-Ober
+Jurriaan Pruis
+Kevin Olbrich
+Larry Lv
+Rodrigo López Dato
+Simon Fish
+Steven Davidovitz
+Tom Wey
 jb08
 lukas
-Rodrigo López Dato
 ojab
 sawyerzhang
-Kevin Olbrich
 smudge
 wohlgejm
-Tom Wey
-yann ARMAND
-Brian Flethcer
-Erik Michaels-Ober
-Steven Davidovitz
-Jurriaan Pruis
-Larry Lv
+Julio Lopez
+Katelyn Kasperowicz
+fusagiko/takayamaki
+Dorian Marié
+rono23
+Leonardo Saraiva
+Lowell Kirsh
+Lucas Mazza
+Makoto Chiba
+Manuel Bustillo
+Marco Adkins
+Dave Grijalva
+Micah Gates
+Michał Begejowicz
+Mike Eirih
+Mike Pastore
 Mingan
 Mitch Birti
+Dan Leyden
 Nicolas Leger
+Brandon Keepers
+Bouke van der Bijl
+B
+Pierre Michard
+RahulBajaj
+Austin Kabiru
+Ritikesh
 Rob Wygand
+Adam Greene
 Ryan Brushett
 Ryan McIlmoyl
 Ryan Metzler
+Severin Schoepke
+Shaun Guth
+mai fujii
+Artsiom Kuts
 Steve Teti
+nycvotes-dev
 T.J. Schuck
 Taiki Sugawara
 Takehiro Adachi
+Arnaud Mesureur
 Tobias Haar
 Toby Pinder
+revodoge
 Tomé Duarte
 Travis Hunter
+Ariel Salomon
+Aman Gupta
+Alexandr Kostrikov
 Yuji Yaginuma
+Alexander Boyd
 Zuzanna Stolińska
 aarongray
-danielgrippi
-nycvotes-dev
-revodoge
-rono23
-RahulBajaj
-Adam Greene
-Alexander Boyd
-Alexandr Kostrikov
-Aman Gupta
-Ariel Salomon
-Arnaud Mesureur
-Artsiom Kuts
-Austin Kabiru
-B
-Brandon Keepers
-Dan Leyden
-Dave Grijalva
-Dorian Marié
-Ernie Miller
-Evgeni Golov
-Ewoud Kohl van Wijngaarden
 HoneyryderChuck
 Igor Victor
 Ilyaaaaaaaaaaaaa Zhitomirskiy
+Ewoud Kohl van Wijngaarden
+Evgeni Golov
 Jens Hausherr
 Jeremiah Wuenschel
+Ernie Miller
 John Downey
 Jordan Brough
 Josh Bodah
 JotaSe
 Juanito Fatas
-Julio Lopez
-Katelyn Kasperowicz
-Lowell Kirsh
-Lucas Mazza
-Makoto Chiba
-Manuel Bustillo
-Marco Adkins
-Micah Gates
-Michał Begejowicz
-Mike Eirih
-Mike Pastore
+danielgrippi

data/CHANGELOG.md

@@ -1,8 +1,42 @@
 # Changelog
 
-## [2.2.3](https://github.com/jwt/ruby-jwt/tree/2.2.3) (2021-04-19)
+## [v2.3.0](https://github.com/jwt/ruby-jwt/tree/v2.3.0) (2021-10-03)
 
-[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.2.2...2.2.3)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.2.3...v2.3.0)
+
+**Closed issues:**
+
+- \[SECURITY\] Algorithm Confusion Through kid Header [\#440](https://github.com/jwt/ruby-jwt/issues/440)
+- JWT to memory [\#436](https://github.com/jwt/ruby-jwt/issues/436)
+- ArgumentError: wrong number of arguments \(given 2, expected 1\) [\#429](https://github.com/jwt/ruby-jwt/issues/429)
+- HMAC section of README outdated [\#421](https://github.com/jwt/ruby-jwt/issues/421)
+- NoMethodError: undefined method `zero?' for nil:NilClass if JWT has no 'alg' field [\#410](https://github.com/jwt/ruby-jwt/issues/410)
+- Release new version [\#409](https://github.com/jwt/ruby-jwt/issues/409)
+- NameError: uninitialized constant JWT::JWK [\#403](https://github.com/jwt/ruby-jwt/issues/403)
+
+**Merged pull requests:**
+
+- Fix Style/MultilineIfModifier issues [\#447](https://github.com/jwt/ruby-jwt/pull/447) ([anakinj](https://github.com/anakinj))
+- feat\(EdDSA\): Accept EdDSA as algorithm header [\#446](https://github.com/jwt/ruby-jwt/pull/446) ([Pierre-Michard](https://github.com/Pierre-Michard))
+- Pass kid param through JWT::JWK.create\_from [\#445](https://github.com/jwt/ruby-jwt/pull/445) ([shaun-guth-allscripts](https://github.com/shaun-guth-allscripts))
+- fix document about passing JWKs as a simple Hash [\#443](https://github.com/jwt/ruby-jwt/pull/443) ([takayamaki](https://github.com/takayamaki))
+- Tests for mixing JWK keys with mismatching algorithms [\#441](https://github.com/jwt/ruby-jwt/pull/441) ([anakinj](https://github.com/anakinj))
+- verify\_claims test shouldnt be within the verify\_sub test [\#431](https://github.com/jwt/ruby-jwt/pull/431) ([andyjdavis](https://github.com/andyjdavis))
+- Allow decode options to specify required claims [\#430](https://github.com/jwt/ruby-jwt/pull/430) ([andyjdavis](https://github.com/andyjdavis))
+- Fix OpenSSL::PKey::EC public\_key handing in tests [\#427](https://github.com/jwt/ruby-jwt/pull/427) ([anakinj](https://github.com/anakinj))
+- Add documentation for find\_key [\#426](https://github.com/jwt/ruby-jwt/pull/426) ([ritikesh](https://github.com/ritikesh))
+- Give ruby 3.0 as a string to avoid number formatting issues [\#424](https://github.com/jwt/ruby-jwt/pull/424) ([anakinj](https://github.com/anakinj))
+- Tests for iat verification behaviour [\#423](https://github.com/jwt/ruby-jwt/pull/423) ([anakinj](https://github.com/anakinj))
+- Remove HMAC with nil secret from documentation [\#422](https://github.com/jwt/ruby-jwt/pull/422) ([boardfish](https://github.com/boardfish))
+- Update broken link in README [\#420](https://github.com/jwt/ruby-jwt/pull/420) ([severin](https://github.com/severin))
+- Add metadata for RubyGems [\#418](https://github.com/jwt/ruby-jwt/pull/418) ([nickhammond](https://github.com/nickhammond))
+- Fixed a typo about class name  [\#417](https://github.com/jwt/ruby-jwt/pull/417) ([mai-f](https://github.com/mai-f))
+- Fix references for v2.2.3 on CHANGELOG [\#416](https://github.com/jwt/ruby-jwt/pull/416) ([vyper](https://github.com/vyper))
+- Raise IncorrectAlgorithm if token has no alg header [\#411](https://github.com/jwt/ruby-jwt/pull/411) ([bouk](https://github.com/bouk))
+
+## [v2.2.3](https://github.com/jwt/ruby-jwt/tree/v2.2.3) (2021-04-19)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.2.2...v2.2.3)
 
 **Implemented enhancements:**
 
@@ -31,6 +65,7 @@
 
 **Merged pull requests:**
 
+- Prepare 2.2.3 release [\#415](https://github.com/jwt/ruby-jwt/pull/415) ([excpt](https://github.com/excpt))
 - Remove codeclimate code coverage dev dependency [\#414](https://github.com/jwt/ruby-jwt/pull/414) ([excpt](https://github.com/excpt))
 - Add forwardable dependency [\#408](https://github.com/jwt/ruby-jwt/pull/408) ([anakinj](https://github.com/anakinj))
 - Ignore casing of algorithm [\#405](https://github.com/jwt/ruby-jwt/pull/405) ([johnnyshields](https://github.com/johnnyshields))

data/README.md

@@ -38,7 +38,7 @@ And run `bundle install`
 
 ## Algorithms and Usage
 
-The JWT spec supports NONE, HMAC, RSASSA, ECDSA and RSASSA-PSS algorithms for cryptographic signing. Currently the jwt gem supports NONE, HMAC, RSASSA and ECDSA. If you are using cryptographic signing, you need to specify the algorithm in the options hash whenever you call JWT.decode to ensure that an attacker [cannot bypass the algorithm verification step](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/). **It is strongly recommended that you hard code the algorithm, as you may leave yourself vulnerable by dynamically picking the algorithm**
+The JWT spec supports NONE, HMAC, RSASSA, ECDSA and RSASSA-PSS algorithms for cryptographic signing. Currently the jwt gem supports NONE, HMAC, RSASSA and ECDSA. If you are using cryptographic signing, you need to specify the algorithm in the options hash whenever you call JWT.decode to ensure that an attacker [cannot bypass the algorithm verification step](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). **It is strongly recommended that you hard code the algorithm, as you may leave yourself vulnerable by dynamically picking the algorithm**
 
 See: [ JSON Web Algorithms (JWA) 3.1. "alg" (Algorithm) Header Parameter Values for JWS](https://tools.ietf.org/html/rfc7518#section-3.1)
 
@@ -76,6 +76,7 @@ puts decoded_token
 * HS512 - HMAC using SHA-512 hash algorithm
 
 ```ruby
+# The secret must be a string. A JWT::DecodeError will be raised if it isn't provided.
 hmac_secret = 'my$ecretK3y'
 
 token = JWT.encode payload, hmac_secret, 'HS256'
@@ -85,21 +86,6 @@ puts token
 
 decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
 
-# Array
-# [
-#   {"data"=>"test"}, # payload
-#   {"alg"=>"HS256"} # header
-# ]
-puts decoded_token
-
-# Without secret key
-token = JWT.encode payload, nil, 'HS256'
-
-# eyJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoidGVzdCJ9.pVzcY2dX8JNM3LzIYeP2B1e1Wcpt1K3TWVvIYSF4x-o
-puts token
-
-decoded_token = JWT.decode token, nil, true, { algorithm: 'HS256' }
-
 # Array
 # [
 #   {"data"=>"test"}, # payload
@@ -474,12 +460,42 @@ rescue JWT::InvalidSubError
 end
 ```
 
+### Finding a Key
+
+To dynamically find the key for verifying the JWT signature, pass a block to the decode block. The block receives headers and the original payload as parameters. It should return with the key to verify the signature that was used to sign the JWT.
+
+```ruby
+issuers = %w[My_Awesome_Company1 My_Awesome_Company2]
+iss_payload = { data: 'data', iss: issuers.first }
+
+secrets = { issuers.first => hmac_secret, issuers.last => 'hmac_secret2' }
+
+token = JWT.encode iss_payload, hmac_secret, 'HS256'
+
+begin
+  # Add iss to the validation to check if the token has been manipulated
+  decoded_token = JWT.decode(token, nil, true, { iss: issuers, verify_iss: true, algorithm: 'HS256' }) do |_headers, payload|
+    secrets[payload['iss']]
+  end
+rescue JWT::InvalidIssuerError
+  # Handle invalid token, e.g. logout user or deny access
+end
+```
+
+### Required Claims
+
+You can specify claims that must be present for decoding to be successful. JWT::MissingRequiredClaim will be raised if any are missing
+```ruby
+# Will raise a JWT::ExpiredSignature error if the 'exp' claim is absent
+JWT.decode token, hmac_secret, true, { required_claims: ['exp'], algorithm: 'HS256' }
+```
+
 ### JSON Web Key (JWK)
 
 JWK is a JSON structure representing a cryptographic key. Currently only supports RSA public keys.
 
 ```ruby
-jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048))
+jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), "optional-kid")
 payload, headers = { data: 'data' }, { kid: jwk.kid }
 
 token = JWT.encode(payload, jwk.keypair, 'RS512', headers)
@@ -502,7 +518,7 @@ end
 or by passing JWK as a simple Hash
 
 ```
-jwks = { keys: [{ ... }] } # keys needs to be Symbol
+jwks = { keys: [{ ... }] } # keys accepts both of string and symbol
 JWT.decode(token, nil, true, { algorithms: ['RS512'], jwks: jwks})
 ```
 

data/lib/jwt/algos/eddsa.rb

@@ -3,18 +3,25 @@ module JWT
     module Eddsa
       module_function
 
-      SUPPORTED = %w[ED25519].freeze
+      SUPPORTED = %w[ED25519 EdDSA].freeze
 
       def sign(to_sign)
         algorithm, msg, key = to_sign.values
-        raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey" if key.class != RbNaCl::Signatures::Ed25519::SigningKey
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"  if algorithm.downcase.to_sym != key.primitive
+        if key.class != RbNaCl::Signatures::Ed25519::SigningKey
+          raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
+        end
+        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
+        end
+
         key.sign(msg)
       end
 
       def verify(to_verify)
         algorithm, public_key, signing_input, signature = to_verify.values
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{public_key.primitive} verification key was provided" if algorithm.downcase.to_sym != public_key.primitive
+        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
+        end
         raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
         public_key.verify(signature, signing_input)
       end

data/lib/jwt/decode.rb

@@ -34,6 +34,7 @@ module JWT
 
     def verify_signature
       raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
+      raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless header['alg']
       raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
 
       @key = find_key(&@keyfinder) if @keyfinder
@@ -70,6 +71,7 @@ module JWT
 
     def verify_claims
       Verify.verify_claims(payload, @options)
+      Verify.verify_required_claims(payload, @options)
     end
 
     def validate_segment_count!

data/lib/jwt/default_options.rb

@@ -9,7 +9,8 @@ module JWT
       verify_aud: false,
       verify_sub: false,
       leeway: 0,
-      algorithms: ['HS256']
+      algorithms: ['HS256'],
+      required_claims: []
     }.freeze
   end
 end

data/lib/jwt/error.rb

@@ -15,6 +15,7 @@ module JWT
   class InvalidSubError < DecodeError; end
   class InvalidJtiError < DecodeError; end
   class InvalidPayload < DecodeError; end
+  class MissingRequiredClaim < DecodeError; end
 
   class JWKError < DecodeError; end
 end

data/lib/jwt/jwk/ec.rb

@@ -66,7 +66,7 @@ module JWT
           crv = 'P-521'
           x_octets, y_octets = encoded_point.unpack('xa66a66')
         else
-          raise Jwt::JWKError, "Unsupported curve '#{ec_keypair.group.curve_name}'"
+          raise JWT::JWKError, "Unsupported curve '#{ec_keypair.group.curve_name}'"
         end
         [crv, x_octets, y_octets]
       end
@@ -85,7 +85,7 @@ module JWT
           # explanation of the relevant parameters.
 
           jwk_crv, jwk_x, jwk_y, jwk_d, jwk_kid = jwk_attrs(jwk_data, %i[crv x y d kid])
-          raise Jwt::JWKError, 'Key format is invalid for EC' unless jwk_crv && jwk_x && jwk_y
+          raise JWT::JWKError, 'Key format is invalid for EC' unless jwk_crv && jwk_x && jwk_y
 
           new(ec_pkey(jwk_crv, jwk_x, jwk_y, jwk_d), jwk_kid)
         end

data/lib/jwt/jwk.rb

@@ -14,10 +14,10 @@ module JWT
         end.import(jwk_data)
       end
 
-      def create_from(keypair)
+      def create_from(keypair, kid = nil)
         mappings.fetch(keypair.class) do |klass|
           raise JWT::JWKError, "Cannot create JWK from a #{klass.name}"
-        end.new(keypair)
+        end.new(keypair, kid)
       end
 
       def classes

data/lib/jwt/verify.rb

@@ -10,7 +10,7 @@ module JWT
     }.freeze
 
     class << self
-      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method_name|
+      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub verify_required_claims].each do |method_name|
         define_method method_name do |payload, options|
           new(payload, options).send(method_name)
         end
@@ -81,6 +81,13 @@ module JWT
       raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
     end
 
+    def verify_required_claims
+      return unless (options_required_claims = @options[:required_claims])
+      options_required_claims.each do |required_claim|
+        raise(JWT::MissingRequiredClaim, "Missing required claim #{required_claim}") unless @payload.include?(required_claim)
+      end
+    end
+
     private
 
     def global_leeway

data/lib/jwt/version.rb

@@ -12,9 +12,9 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 2
+    MINOR = 3
     # tiny version
-    TINY  = 3
+    TINY  = 0
     # alpha, beta, etc. tag
     PRE   = nil
 

data/ruby-jwt.gemspec

@@ -14,6 +14,10 @@ Gem::Specification.new do |spec|
   spec.homepage = 'https://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
   spec.required_ruby_version = '>= 2.1'
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/jwt/ruby-jwt/issues',
+    'changelog_uri'   => "https://github.com/jwt/ruby-jwt/blob/v#{JWT.gem_version}/CHANGELOG.md"
+  }
 
   spec.files = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(spec|gemfiles|coverage|bin)/}) }
   spec.executables = []

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.2.3
+  version: 2.3.0
 platform: ruby
 authors:
 - Tim Rudat
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-19 00:00:00.000000000 Z
+date: 2021-10-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: appraisal
@@ -130,7 +130,9 @@ files:
 homepage: https://github.com/jwt/ruby-jwt
 licenses:
 - MIT
-metadata: {}
+metadata:
+  bug_tracker_uri: https://github.com/jwt/ruby-jwt/issues
+  changelog_uri: https://github.com/jwt/ruby-jwt/blob/v2.3.0/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -146,7 +148,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.16
+rubygems_version: 3.2.19
 signing_key:
 specification_version: 4
 summary: JSON Web Token implementation in Ruby