keypairs 1.3.1 → 1.3.2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f9a566420b6d4de74512b298c61dfef0674d28c21d42f68a7982f6b45180877e
4
- data.tar.gz: 8f37ce5a303975bc0076ab1f9b5b480b7c6b6eac12414a6ab8af1efc9fa6ecff
3
+ metadata.gz: 3825e9ab54265b0413ed34458988e36a473284609021a930caee44aae4ff2902
4
+ data.tar.gz: dcd24440ff3a15560aa39d6c2da387944f147e89ecdad9e03a54e7de9faa69e2
5
5
  SHA512:
6
- metadata.gz: f12e76d5246cf84ad5bbe1df70bfb0223e0ddc0f8b9c639980788bbf09b7dc6a4b1b28f8e6d38a823920624724d68a661173df258837f26feb6379f8c8b49087
7
- data.tar.gz: 5632b282782f4f5bbac7224d289771cbc78139034924efbe755b8f3419ff920b0ef68d65b5fcb1f435f1cc057d6c18794eff910b019a2395bd81a16ba17fc24d
6
+ metadata.gz: d5b96c7cb4e2a6153b124be6dae5a62c37e43d5eebd9ade45b44fa1efe5f3baca918a654f0991cff393036b18209429da38c0325d3a69e930e0e719ee0651467
7
+ data.tar.gz: 5b5860d35ce4ccc9c4f6fbb1239163d667758f6401f760387e125e89190f24de3ef2e7e79af3cc6d0142021cd7fbb6dc695bb34ac551fbbf148ff35bfc48cf0d
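--- a/data/lib/keypair.rb
+++ b/data/lib/keypair.rb
@@ -114,6 +114,14 @@ class Keypair < ActiveRecord::Base
  current.jwt_encode(payload)
  end
 
+ # Encodes the payload with the current keypair.
+ # It forewards the call to the instance method {Keypair#jwt_encode}.
+ # @return [String] Encoded JWT token with security credentials.
+ # @param payload [Hash] Hash which should be encoded.
+ def self.jwt_encode_without_nonce(payload)
+ current.jwt_encode_without_nonce(payload, {}, nonce: false)
+ end
+
  # Decodes the payload and verifies the signature against the current valid keypairs.
  # @param id_token [String] A JWT that should be decoded.
  # @param options [Hash] options for decoding, passed to {JWT::Decode}.
@@ -137,16 +145,9 @@ class Keypair < ActiveRecord::Base
  # It automatically sets the +kid+ in the header.
  # @param payload [Hash] you have to provide a hash since the security attributes have to be added.
  # @param headers [Hash] you can optionally add additional headers to the JWT.
- def jwt_encode(payload, headers = {})
+ def jwt_encode(payload, headers = {}, nonce: true)
  # Add security claims to payload
- payload.reverse_merge!(
- # Time at which the Issuer generated the JWT (epoch).
- iat: Time.now.to_i,
-
- # Expiration time on or after which the tool MUST NOT accept the ID Token for
- # processing (epoch). This is mostly used to allow some clock skew.
- exp: Time.now.to_i + 5.minutes.to_i
- )
+ payload = secure_payload(payload, nonce: nonce)
 
  # Add additional info into the headers
  headers.reverse_merge!(
@@ -225,4 +226,23 @@ class Keypair < ActiveRecord::Base
 
  errors.add(:expires_at, 'must be after not after')
  end
+
+ def secure_payload(payload, nonce: true)
+ secure_payload = {
+ # Time at which the Issuer generated the JWT (epoch).
+ iat: Time.now.to_i,
+
+ # Expiration time on or after which the tool MUST NOT accept the ID Token for
+ # processing (epoch). This is mostly used to allow some clock skew.
+ exp: Time.now.to_i + 5.minutes.to_i
+ }
+
+ if nonce
+ # String value used to associate a tool session with an ID Token, and to mitigate replay
+ # attacks. The nonce value is a case-sensitive string.
+ secure_payload[:nonce] = SecureRandom.uuid
+ end
+
+ payload.reverse_merge!(secure_payload)
+ end
  end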
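Review bot: The new class method `self.jwt_encode_without_nonce` (first hunk) forwards to `current.jwt_encode_without_nonce(payload, {}, nonce: false)`, but no instance method of that name is added anywhere in this file section; the instance method that gained the `nonce:` keyword is `jwt_encode`, so this call will raise NoMethodError at runtime. It should read `current.jwt_encode(payload, {}, nonce: false)`, which also matches the YARD comment stating it forwards to {Keypair#jwt_encode} (and `forewards` should be `forwards`). Because `secure_payload` documents the nonce as the replay-mitigation claim, the YARD comment on `jwt_encode_without_nonce` should say explicitly that tokens produced through it carry no `nonce` claim, so callers know they must bind or bound the token's validity by other means. The body of `jwt_encode` continues past the end of the second hunk.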
@@ -1,5 +1,5 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Keypairs
4
- VERSION = '1.3.1'
4
+ VERSION = '1.3.2'
5
5
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: keypairs
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.3.1
4
+ version: 1.3.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Stef Schenkelaars