jwt_claims 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: a503400ce945a893631a78c8c38af743587ce810
+  data.tar.gz: 3c7ecfee679bd06e177ef4ca881dbb091d524547
+SHA512:
+  metadata.gz: 7e70c10bdb07d77aa1958744d53588eeb6caca3de41eb4a8959cd77d0dfe4151a7d40c393a3437cf8b9e521e04f1e082a2d2cba04a022bd9d2762f37aec30e45
+  data.tar.gz: b7ac29a45cfb4992b1077d076815c8ebf098a7ad37fd90e3172504f833be6693b198e3f1063fa2c5dc06184f777d6f3cb6a01c6b8303507156ab2bbc598fa10d

data/.gitignore

@@ -0,0 +1,35 @@
+# https://raw.githubusercontent.com/github/gitignore/master/Ruby.gitignore
+
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# custom
+/spec/examples.txt

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'pry-byebug', '~> 3.1', require: false
+gem 'simplecov', '~> 0.10', require: false
+gem 'yard', '~> 0.8', require: false

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Gary Fleshman
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,46 @@
+# JWT Claims
+
+## Verification of a JWT (JSON Web Token) Claims Set for Ruby
+
+### Description
+
+A Ruby implementation of the JSON Web Token (JWT) registered claims, [RFC 7519][rfc7519]
+
+## Installation
+    gem install jwt_claims
+
+## Usage
+
+### JwtClaims.verify(jwt, options)
+
+Returns a hash, either:
+* \{:ok, claims\}, a JWT claims set map, if the JWT Message Authentication Code (MAC), or signature, is verified and the registered claims are also verified
+* \{:error, [rejected_claims]\}, a list of any registered claims that fail validation, if the JWT MAC is verified
+* \{:error, 'invalid JWT'\} if the JWT MAC is not verified
+* \{:error, 'invalid input'\} otherwise
+
+`jwt` (required) is a JSON web token string
+
+`options` (required) map
+
+* **alg** (optional, default: `'HS256'`)
+* **key** (required unless alg is 'none')
+
+Please refer to the [JSON Web Token][json_web_token] gem for additional guidance regarding JWT options
+
+Example
+
+```ruby
+
+secure_jwt_example = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.cGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
+
+# verify with default algorithm, HMAC SHA256
+{:ok, verified_claims} = JwtClaims.verify(secure_jwt_example, key: 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C')
+
+```
+
+### Supported Ruby versions
+Ruby 2.0.0 and up
+
+[rfc7519]: http://tools.ietf.org/html/rfc7519
+[json_web_token]: https://github.com/garyf/json_web_token

data/jwt_claims.gemspec

@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require 'jwt_claims/version'
+
+Gem::Specification.new do |s|
+  s.author = 'Gary Fleshman'
+  s.email = 'gfleshman@newforge-tech.com'
+  s.files = `git ls-files`.split("\n")
+  s.homepage = 'https://github.com/garyf/jwt_claims'
+  s.name = 'jwt_claims'
+  s.platform = Gem::Platform::RUBY
+  s.summary = 'JSON Web Token (JWT) Claims for Ruby'
+  s.version = JwtClaims::VERSION
+  # recommended
+  s.license = 'MIT'
+  # optional
+  s.add_runtime_dependency('json_web_token', '~> 0.3')
+  s.add_development_dependency('rspec', '~> 3.3')
+  s.description = 'Modular implementation of JSON Web Token (JWT) Claims'
+  s.required_ruby_version = '>= 2.0.0'
+end

data/lib/jwt_claims/claim/aud.rb

@@ -0,0 +1,28 @@
+require 'jwt_claims/string_or_uri'
+
+module JwtClaims
+  module Claim
+    # Audience
+    # @see https://tools.ietf.org/html/rfc7519#section-4.1.3
+    module Aud
+
+      module_function
+
+      # @param aud [Array, String] the intended recipients of the JWT
+      # @param options [Hash] (key aud:) expected audience (or recipient) to match with claim
+      # @return [true, false] whether to reject the claim
+      def reject?(aud, options = {})
+        audience = aud.is_a?(Array) ? aud : [aud]
+        expected_recipient = options.fetch(:aud, nil)
+        !present_and_member?(audience, expected_recipient)
+      end
+
+      def present_and_member?(collection, value)
+        StringOrUri.present?(value) &&
+          collection.include?(value)
+      end
+
+      private_class_method :present_and_member?
+    end
+  end
+end

data/lib/jwt_claims/claim/exp.rb

@@ -0,0 +1,18 @@
+module JwtClaims
+  module Claim
+    # Expiration time
+    # @see https://tools.ietf.org/html/rfc7519#section-4.1.4
+    module Exp
+
+      module_function
+
+      # @param numeric_date [Numeric] the number of seconds from 1970-01-01T00:00:00Z UTC
+      #   until the specified UTC date/time; non-integer values may be used
+      # @return [true, false] whether to reject the claim
+      def reject?(numeric_date, options = {})
+        return true unless numeric_date.is_a?(Numeric)
+        numeric_date <= Time.now.to_i
+      end
+    end
+  end
+end

data/lib/jwt_claims/claim/iat.rb

@@ -0,0 +1,19 @@
+module JwtClaims
+  module Claim
+    # Issued at
+    # @see https://tools.ietf.org/html/rfc7519#section-4.1.6
+    module Iat
+
+      module_function
+
+      # @param numeric_date [Numeric] the number of seconds from 1970-01-01T00:00:00Z UTC
+      #   until the specified UTC date/time, and non-integer values may be used
+      # @param options [Hash] optional, ignored
+      # @return [true, false] whether to reject the claim
+      def reject?(numeric_date, _options = {})
+        return true unless numeric_date.is_a?(Numeric)
+        numeric_date >= Time.now.to_i
+      end
+    end
+  end
+end

data/lib/jwt_claims/claim/iss.rb

@@ -0,0 +1,20 @@
+require 'jwt_claims/string_or_uri'
+
+module JwtClaims
+  module Claim
+    # Issuer
+    # @see https://tools.ietf.org/html/rfc7519#section-4.1.1
+    module Iss
+
+      module_function
+
+      # @param iss [String] the principal that issued the JWT
+      # @param options [Hash] (key iss:) expected issuer to match with claim
+      # @return [true, false] whether to reject the claim
+      def reject?(iss, options = {})
+        expected_issuer = options.fetch(:iss, nil)
+        !StringOrUri.present_and_equal?(iss, expected_issuer)
+      end
+    end
+  end
+end

data/lib/jwt_claims/claim/jti.rb

@@ -0,0 +1,20 @@
+require 'jwt_claims/string_or_uri'
+
+module JwtClaims
+  module Claim
+    # JWT ID
+    # @see https://tools.ietf.org/html/rfc7519#section-4.1.7
+    module Jti
+
+      module_function
+
+      # @param jti [String] a unique identifier for the JWT
+      # @param options [Hash] (key jti:) expected JWT ID to match with claim
+      # @return [true, false] whether to reject the claim
+      def reject?(jti, options = {})
+        expected_jti = options.fetch(:jti, nil)
+        !StringOrUri.present_and_equal?(jti, expected_jti)
+      end
+    end
+  end
+end

data/lib/jwt_claims/claim/nbf.rb

@@ -0,0 +1,18 @@
+module JwtClaims
+  module Claim
+    # Not before
+    # @see https://tools.ietf.org/html/rfc7519#section-4.1.5
+    module Nbf
+
+      module_function
+
+      # @param numeric_date [Numeric] the number of seconds from 1970-01-01T00:00:00Z UTC
+      #   until the specified UTC date/time; non-integer values may be used
+      # @return [true, false] whether to reject the claim
+      def reject?(numeric_date, options = {})
+        return true unless numeric_date.is_a?(Numeric)
+        numeric_date > Time.now.to_i
+      end
+    end
+  end
+end

data/lib/jwt_claims/claim/sub.rb

@@ -0,0 +1,20 @@
+require 'jwt_claims/string_or_uri'
+
+module JwtClaims
+  module Claim
+    # Subject
+    # @see https://tools.ietf.org/html/rfc7519#section-4.1.2
+    module Sub
+
+      module_function
+
+      # @param sub [String] the principal that is the subject of the JWT
+      # @param options [Hash] (key sub:) expected subject to match with claim
+      # @return [true, false] whether to reject the claim
+      def reject?(sub, options = {})
+        expected_subject = options.fetch(:sub, nil)
+        !StringOrUri.present_and_equal?(sub, expected_subject)
+      end
+    end
+  end
+end

data/lib/jwt_claims/string_or_uri.rb

@@ -0,0 +1,43 @@
+module JwtClaims
+  # Validation helpers
+  module StringOrUri
+
+    BLANK_STRING_RE = /\A[[:space:]]*\z/
+
+    module_function
+
+    # A predicate that compares two strings for equality
+    #
+    # @param a [String]
+    # @param b [String]
+    # @return [true, false]
+    def present_and_equal?(a, b)
+      present?(a) &&
+        present?(b) &&
+        a == b
+    end
+
+    # A string is present if it is not blank
+    #
+    # @param a [String]
+    # @return [true, false]
+    def present?(a)
+      !blank?(a)
+    end
+
+    # A string is blank if it is empty or contains whitespaces only
+    #
+    #   blank?('')       # => true
+    #   blank?('   ')    # => true
+    #   blank?("\t\n\r") # => true
+    #   blank?('foo ')   # => false
+    #
+    # @param a [String]
+    # @return [true, false]
+    # @see cf. rails activesupport/lib/active_support/core_ext/object/blank.rb
+    def blank?(a)
+      return true unless a
+      BLANK_STRING_RE === a
+    end
+  end
+end

data/lib/jwt_claims/validation.rb

@@ -0,0 +1,39 @@
+module JwtClaims
+  # Validate registered claims
+  # @see http://tools.ietf.org/html/rfc7519#section-4.1
+  module Validation
+
+    module_function
+
+    # @param claims [Hash] JWT claims
+    # @param options [Hash] expected values for certain claims
+    # @return [Array] symbols of the registered claims that fail validation
+    def rejected(claims, options = {})
+      claims.each_with_object([]) do |claim, memo|
+        sym = reject(*claim, options)
+        memo << sym if sym
+      end
+    end
+
+    def reject(key, val, options)
+      return unless reg_claim = registered_claim(key)
+      key if reg_claim.reject?(val, options)
+    end
+
+    def registered_claim(sym)
+      case sym
+      when :aud then Claim::Aud
+      when :exp then Claim::Exp
+      when :iat then Claim::Iat
+      when :iss then Claim::Iss
+      when :jti then Claim::Jti
+      when :nbf then Claim::Nbf
+      when :sub then Claim::Sub
+      else nil # custom claim
+      end
+    end
+
+    private_class_method :reject,
+      :registered_claim
+  end
+end

data/lib/jwt_claims/version.rb

@@ -0,0 +1,3 @@
+module JwtClaims
+  VERSION = '0.0.1'
+end

data/lib/jwt_claims.rb

@@ -0,0 +1,25 @@
+require 'json_web_token'
+require 'jwt_claims/validation'
+
+module JwtClaims
+
+  module_function
+
+  # @param jwt [String] JSON web token
+  # @param options [Hash] expected values for certain claims;
+  #   optional keys include: :aud, :iss, :jti, :sub
+  # @return [Hash] { ok: { the jwt claims set hash } }, or { error: [symbols of all rejected claims] }
+  def verify(jwt, options)
+    hsh = JsonWebToken.verify(jwt, options)
+    return {error: 'invalid JWT'} if hsh[:error]
+    claims = hsh[:ok]
+    return {error: 'invalid input'} unless claims
+    verified(claims, options)
+  end
+
+  def verified(claims, options)
+    rejected_claims = Validation.rejected(claims, options)
+    return {ok: claims} if rejected_claims.empty?
+    {error: rejected_claims}
+  end
+end

data/spec/jwt_claims/claim/aud_spec.rb

@@ -0,0 +1,79 @@
+require 'jwt_claims/claim/aud'
+
+module JwtClaims
+  module Claim
+    describe Aud do
+      context '#reject?' do
+        context 'w :aud claim an array' do
+          let(:recipient) { 'recipient' }
+          let(:uri) { 'http://www.example.com' }
+          let(:aud) { [uri, recipient] }
+          describe 'w match' do
+            it 'string returns false' do
+              expect(Aud.reject? aud, {aud: recipient}).to be false
+            end
+
+            it 'uri returns false' do
+              expect(Aud.reject? aud, {aud: uri}).to be false
+            end
+          end
+
+          it 'w/o match returns true' do
+            expect(Aud.reject? aud, {aud: 'not recipient'}).to be true
+          end
+
+          it 'w/o options[:aud] returns true' do
+            expect(Aud.reject? aud, {iss: 'recipient'}).to be true
+          end
+        end
+
+        describe 'w :aud claim a string' do
+          let(:recipient) { 'recipient' }
+          let(:aud) { recipient }
+          it 'w match returns false' do
+            expect(Aud.reject? aud, {aud: recipient}).to be false
+          end
+
+          it 'w/o match returns true' do
+            expect(Aud.reject? aud, {aud: 'not recipient'}).to be true
+          end
+
+          it 'w/o options[:aud] returns true' do
+            expect(Aud.reject? aud, {iss: 'recipient'}).to be true
+          end
+        end
+
+        shared_examples_for 'a blank :aud claim' do
+          let(:options) { {aud: 'recipient'} }
+          it 'returns true' do
+            expect(Aud.reject? aud, options).to be true
+          end
+        end
+
+        describe 'w :aud an empty array' do
+          let(:aud) { [] }
+          it_behaves_like 'a blank :aud claim'
+        end
+
+        describe 'w :aud an array w an empty string' do
+          let(:aud) { [''] }
+          it_behaves_like 'a blank :aud claim'
+        end
+
+        describe 'w :aud an empty string' do
+          let(:aud) { '' }
+          it_behaves_like 'a blank :aud claim'
+        end
+
+        describe 'w options[:aud] an empty string' do
+          let(:aud) { 'recipient' }
+          let(:options) { {aud: ''} }
+          it 'returns truthy' do
+            expect(Aud.reject? aud, options).to be true
+          end
+        end
+      end
+    end
+  end
+end
+    

data/spec/jwt_claims/claim/exp_spec.rb

@@ -0,0 +1,23 @@
+require 'jwt_claims/claim/exp'
+
+module JwtClaims
+  module Claim
+    describe Exp do
+      let(:after_now) { Time.now.to_i + 1 }
+      describe '#reject?' do
+        it 'w numeric_date after now returns false' do
+          expect(Exp.reject? after_now).to be false
+        end
+
+        it 'w numeric_date now returns true' do
+          expect(Exp.reject? Time.now.to_i).to be true
+        end
+
+        it 'w/o numeric numeric_date returns true' do
+          expect(Exp.reject? after_now.to_s).to be true
+        end
+      end
+    end
+  end
+end
+    

data/spec/jwt_claims/claim/iat_spec.rb

@@ -0,0 +1,23 @@
+require 'jwt_claims/claim/iat'
+
+module JwtClaims
+  module Claim
+    describe Iat do
+      let(:before_now) { Time.now.to_i - 1 }
+      describe '#reject?' do
+        it 'w numeric_date now returns false' do
+          expect(Iat.reject? before_now).to be false
+        end
+
+        it 'w numeric_date now returns true' do
+          expect(Iat.reject? Time.now.to_i).to be true
+        end
+
+        it 'w/o numeric claimed_time returns true' do
+          expect(Iat.reject? before_now.to_s).to be true
+        end
+      end
+    end
+  end
+end
+    

data/spec/jwt_claims/claim/iss_spec.rb

@@ -0,0 +1,30 @@
+require 'jwt_claims/claim/iss'
+
+module JwtClaims
+  module Claim
+    describe Iss do
+      context '#reject?' do
+        let(:issuer) { 'issuer' }
+        describe 'w an :iss claim' do
+          let(:iss) { issuer }
+          it 'w match returns false' do
+            expect(Iss.reject? iss, {iss: issuer}).to be false
+          end
+
+          it 'w/o match returns true' do
+            expect(Iss.reject? iss, {iss: 'not issuer'}).to be true
+          end
+
+          it 'w/o options[:iss] returns true' do
+            expect(Iss.reject? iss, {aud: 'issuer'}).to be true
+          end
+        end
+
+        it 'w a blank :iss claim returns true' do
+          expect(Iss.reject? '', {iss: issuer}).to be true
+        end
+      end
+    end
+  end
+end
+    

data/spec/jwt_claims/claim/jti_spec.rb

@@ -0,0 +1,30 @@
+require 'jwt_claims/claim/jti'
+
+module JwtClaims
+  module Claim
+    describe Jti do
+      context '#reject?' do
+        let(:jwt_id) { 'jwt_id' }
+        describe 'w a :jti claim' do
+          let(:jti) { jwt_id }
+          it 'w match returns false' do
+            expect(Jti.reject? jti, {jti: jwt_id}).to be false
+          end
+
+          it 'w/o match returns true' do
+            expect(Jti.reject? jti, {jti: 'not jwt_id'}).to be true
+          end
+
+          it 'w/o options[:jti] returns true' do
+            expect(Jti.reject? jti, {aud: jwt_id}).to be true
+          end
+        end
+
+        it 'w a blank :jti claim returns true' do
+          expect(Jti.reject? '', {jti: jwt_id}).to be true
+        end
+      end
+    end
+  end
+end
+    

data/spec/jwt_claims/claim/nbf_spec.rb

@@ -0,0 +1,23 @@
+require 'jwt_claims/claim/nbf'
+
+module JwtClaims
+  module Claim
+    describe Nbf do
+      let(:after_now) { Time.now.to_i + 1 }
+      describe '#reject?' do
+        it 'w numeric_date now returns false' do
+          expect(Nbf.reject? Time.now.to_i).to be false
+        end
+
+        it 'w numeric_date after now returns true' do
+          expect(Nbf.reject? after_now).to be true
+        end
+
+        it 'w/o numeric claimed_time returns true' do
+          expect(Nbf.reject? after_now.to_s).to be true
+        end
+      end
+    end
+  end
+end
+    

data/spec/jwt_claims/claim/sub_spec.rb

@@ -0,0 +1,30 @@
+require 'jwt_claims/claim/sub'
+
+module JwtClaims
+  module Claim
+    describe Sub do
+      context '#reject?' do
+        let(:subject) { 'subject' }
+        describe 'w a :sub claim' do
+          let(:sub) { subject }
+          it 'w match returns false' do
+            expect(Sub.reject? sub, {sub: subject}).to be false
+          end
+
+          it 'w/o match returns true' do
+            expect(Sub.reject? sub, {sub: 'not subject'}).to be true
+          end
+
+          it 'w/o options[:sub] returns true' do
+            expect(Sub.reject? sub, {aud: subject}).to be true
+          end
+        end
+
+        it 'w a blank :sub claim returns true' do
+          expect(Sub.reject? '', {sub: subject}).to be true
+        end
+      end
+    end
+  end
+end
+    

data/spec/jwt_claims/string_or_uri_spec.rb

@@ -0,0 +1,48 @@
+require 'jwt_claims/string_or_uri'
+
+module JwtClaims
+  describe StringOrUri do
+    context '#present_and_equal?' do
+      it 'w equality, returns true' do
+        expect(StringOrUri.present_and_equal? 'foo', 'foo').to be true
+      end
+
+      shared_examples_for 'a blank value or not equal' do
+        it 'returns false' do
+          expect(StringOrUri.present_and_equal? a, b).to be false
+        end
+      end
+
+      describe 'w 1st argument blank' do
+        let(:a) { '' }
+        let(:b) { 'bar' }
+        it_behaves_like 'a blank value or not equal'
+      end
+
+      describe 'w 2nd argument blank' do
+        let(:a) { 'foo' }
+        let(:b) { '' }
+        it_behaves_like 'a blank value or not equal'
+      end
+
+      describe 'w/o equality' do
+        let(:a) { 'foo' }
+        let(:b) { 'bar' }
+        it_behaves_like 'a blank value or not equal'
+      end
+    end
+
+    describe '#blank?' do
+      it 'classifies nil, empty, or exclusively whitespace strings' do
+        expect(StringOrUri.blank? nil).to be true
+        expect(StringOrUri.blank? '').to be true
+        expect(StringOrUri.blank? '   ').to be true
+        expect(StringOrUri.blank? "\t\n\r").to be true
+
+        expect(StringOrUri.blank? 'foo').to be false
+        expect(StringOrUri.blank? 'bar ').to be false
+      end
+    end
+  end
+end
+    

data/spec/jwt_claims/validation_spec.rb

@@ -0,0 +1,69 @@
+require 'jwt_claims/validation'
+
+module JwtClaims
+  describe Validation do
+    context 'example data' do
+      let(:uri) { 'http://www.example.com' }
+      let(:recipient) { 'recipient' }
+      let(:aud) { [uri, recipient] }
+
+      let(:after_now) { Time.now.to_i + 1 }
+      let(:before_now) { Time.now.to_i - 1 }
+
+      let(:issuer) { 'issuer' }
+      let(:jwt_id) { 'jwt_id' }
+      let(:subject) { 'subject' }
+
+      let(:default_options) do
+        {
+          aud: uri,
+          iss: issuer,
+          jti: jwt_id,
+          sub: subject
+        }
+      end
+      let(:default_claims) do
+        {
+          aud: [uri, recipient],
+          exp: after_now,
+          iat: before_now,
+          iss: issuer,
+          jti: jwt_id,
+          nbf: before_now,
+          sub: subject
+        }
+      end
+      context '#rejected' do
+        it 'w valid claims, returns empty array' do
+          expect(Validation.rejected default_claims, default_options).to eql []
+        end
+
+        describe 'w all registered claims invalid' do
+          let(:invalid_claims) do
+            {
+              aud: ['http://www.other.com', 'other recipient'],
+              exp: before_now,
+              iat: after_now,
+              iss: 'other issuer',
+              jti: 'other jwt_id',
+              nbf: after_now,
+              sub: 'other subject'
+            }
+          end
+          it 'returns array of failed claims' do
+            expect(Validation.rejected invalid_claims, default_options)
+              .to include(
+                :aud,
+                :exp,
+                :iat,
+                :iss,
+                :jti,
+                :nbf,
+                :sub
+              )
+          end
+        end
+      end
+    end
+  end
+end

data/spec/jwt_claims_spec.rb

@@ -0,0 +1,50 @@
+require 'jwt_claims'
+
+describe JwtClaims do
+  let(:after_now) { Time.now.to_i + 1 }
+  let(:before_now) { Time.now.to_i - 1 }
+  context '#verify' do
+    describe 'JsonWebToken integration w :exp claim before now' do
+      let(:jwt_w_exp_before_now_w_iss_joe) do
+        "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLCJodHRwOi8vZXhhbXBsZS5jb20vaXNfcm9vdCI6dHJ1ZSwiZXhwIjoxMzAwODE5MzgwfQ.Ktfu3EdLz0SpuTIMpMoRZMtZsCATWJHeDEBGrsZE6LI"
+      end
+      let(:hs256_key) { "gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C" }
+      it 'w :iss claim matching' do
+        options = {iss: 'joe', key: hs256_key}
+        rejected_claims = JwtClaims.verify(jwt_w_exp_before_now_w_iss_joe, options)[:error]
+        expect(rejected_claims.length).to eql 1
+        expect(rejected_claims).to include(:exp)
+      end
+
+      it 'w/o :iss claim matching' do
+        options = {iss: 'mary', key: hs256_key}
+        rejected_claims = JwtClaims.verify(jwt_w_exp_before_now_w_iss_joe, options)[:error]
+        expect(rejected_claims.length).to eql 2
+        expect(rejected_claims).to include(:exp, :iss)
+      end
+    end
+
+    describe 'w invalid JWT' do
+      let(:invalid_jwt) do
+        "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLCJodHRwOi8vZXhhbXBsZS5jb20vaXNfcm9vdCI6dHJ1ZSwiZXhwIjoxMzAwODE5MzgwfQ.Ktfu3EdLz0SpuTIMpMoRZMtZsCATWJHeDEBGrsZE6LX"
+      end
+      it 'returns error' do
+        options = {exp: after_now}
+        error = JwtClaims.verify(invalid_jwt, options)[:error]
+        expect(error).to eql 'invalid JWT'
+      end
+    end
+  end
+
+  describe '#verified' do
+    it 'w rejected_claims' do
+      claims = {exp: before_now}
+      expect(JwtClaims.verified claims, {}).to include(error: [:exp])
+    end
+
+    it 'w/o rejected_claims' do
+      claims = {exp: after_now}
+      expect(JwtClaims.verified claims, {}).to include(ok: claims)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,85 @@
+require 'simplecov'
+SimpleCov.start
+
+# Conventionally, all specs live under a `spec` directory, which RSpec adds to
+# the `$LOAD_PATH`. The generated `.rspec` file contains `--require spec_helper`
+# which will cause this file to always be loaded, without a need to explicitly
+# require it in any files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider
+# making a separate helper file that requires the additional dependencies and
+# performs the additional setup, and require it from the spec files that
+# actually need it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+
+  # These two settings work together to allow you to limit a spec run to
+  # individual examples or groups you care about by tagging them with `:focus`
+  # metadata. When nothing is tagged with `:focus`, all examples get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Allows RSpec to persist some state between runs in order to support the
+  # `--only-failures` and `--next-failure` CLI options. We recommend you
+  # configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  # config.disable_monkey_patching!
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output, unless a formatter
+    # has already been configured (e.g. via a command-line flag)
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the end of the spec
+  # run, to help surface which specs are running particularly slowly.
+  # config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+end

metadata

@@ -0,0 +1,100 @@
+--- !ruby/object:Gem::Specification
+name: jwt_claims
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Gary Fleshman
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-08-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json_web_token
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.3'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+description: Modular implementation of JSON Web Token (JWT) Claims
+email: gfleshman@newforge-tech.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- LICENSE
+- README.md
+- jwt_claims.gemspec
+- lib/jwt_claims.rb
+- lib/jwt_claims/claim/aud.rb
+- lib/jwt_claims/claim/exp.rb
+- lib/jwt_claims/claim/iat.rb
+- lib/jwt_claims/claim/iss.rb
+- lib/jwt_claims/claim/jti.rb
+- lib/jwt_claims/claim/nbf.rb
+- lib/jwt_claims/claim/sub.rb
+- lib/jwt_claims/string_or_uri.rb
+- lib/jwt_claims/validation.rb
+- lib/jwt_claims/version.rb
+- spec/jwt_claims/claim/aud_spec.rb
+- spec/jwt_claims/claim/exp_spec.rb
+- spec/jwt_claims/claim/iat_spec.rb
+- spec/jwt_claims/claim/iss_spec.rb
+- spec/jwt_claims/claim/jti_spec.rb
+- spec/jwt_claims/claim/nbf_spec.rb
+- spec/jwt_claims/claim/sub_spec.rb
+- spec/jwt_claims/string_or_uri_spec.rb
+- spec/jwt_claims/validation_spec.rb
+- spec/jwt_claims_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/garyf/jwt_claims
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: JSON Web Token (JWT) Claims for Ruby
+test_files: []
+has_rdoc: