keypairs 1.3.1 → 1.3.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/keypair.rb +29 -9
- data/lib/keypairs/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f204cbb9214023154fb4b23804e6a18b0e6bd929592616fe2cd12b2cd5a180ac
|
|
4
|
+
data.tar.gz: 487339606bd6d7f0d5b90628147e613784dec153165821172efe26565b4351ba
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 38fc480ca4a36beee8c5b5c4658359c0cea284e66a6143e9a5cd8c51247d984b1bdd947b8b6f2e32243c94bd3d0212f7e6d27050cab0eda95140eb0b8be45676
|
|
7
|
+
data.tar.gz: c9b87af55f4f38a0397a89c25be5a8d7e82b1daa7bb7bd3ef5cd0094c05c8f12a6b7476b146d2d4fc8b8bac42443adedea7db866aa046b294a3f8722bac83ba3
|
data/lib/keypair.rb
CHANGED
|
@@ -114,6 +114,14 @@ class Keypair < ActiveRecord::Base
|
|
|
114
114
|
current.jwt_encode(payload)
|
|
115
115
|
end
|
|
116
116
|
|
|
117
|
+
# Encodes the payload with the current keypair.
|
|
118
|
+
# It forewards the call to the instance method {Keypair#jwt_encode}.
|
|
119
|
+
# @return [String] Encoded JWT token with security credentials.
|
|
120
|
+
# @param payload [Hash] Hash which should be encoded.
|
|
121
|
+
def self.jwt_encode_without_nonce(payload)
|
|
122
|
+
current.jwt_encode(payload, {}, nonce: false)
|
|
123
|
+
end
|
|
124
|
+
|
|
117
125
|
# Decodes the payload and verifies the signature against the current valid keypairs.
|
|
118
126
|
# @param id_token [String] A JWT that should be decoded.
|
|
119
127
|
# @param options [Hash] options for decoding, passed to {JWT::Decode}.
|
|
@@ -137,16 +145,9 @@ class Keypair < ActiveRecord::Base
|
|
|
137
145
|
# It automatically sets the +kid+ in the header.
|
|
138
146
|
# @param payload [Hash] you have to provide a hash since the security attributes have to be added.
|
|
139
147
|
# @param headers [Hash] you can optionally add additional headers to the JWT.
|
|
140
|
-
def jwt_encode(payload, headers = {})
|
|
148
|
+
def jwt_encode(payload, headers = {}, nonce: true)
|
|
141
149
|
# Add security claims to payload
|
|
142
|
-
payload
|
|
143
|
-
# Time at which the Issuer generated the JWT (epoch).
|
|
144
|
-
iat: Time.now.to_i,
|
|
145
|
-
|
|
146
|
-
# Expiration time on or after which the tool MUST NOT accept the ID Token for
|
|
147
|
-
# processing (epoch). This is mostly used to allow some clock skew.
|
|
148
|
-
exp: Time.now.to_i + 5.minutes.to_i
|
|
149
|
-
)
|
|
150
|
+
payload = secure_payload(payload, nonce: nonce)
|
|
150
151
|
|
|
151
152
|
# Add additional info into the headers
|
|
152
153
|
headers.reverse_merge!(
|
|
@@ -225,4 +226,23 @@ class Keypair < ActiveRecord::Base
|
|
|
225
226
|
|
|
226
227
|
errors.add(:expires_at, 'must be after not after')
|
|
227
228
|
end
|
|
229
|
+
|
|
230
|
+
def secure_payload(payload, nonce: true)
|
|
231
|
+
secure_payload = {
|
|
232
|
+
# Time at which the Issuer generated the JWT (epoch).
|
|
233
|
+
iat: Time.now.to_i,
|
|
234
|
+
|
|
235
|
+
# Expiration time on or after which the tool MUST NOT accept the ID Token for
|
|
236
|
+
# processing (epoch). This is mostly used to allow some clock skew.
|
|
237
|
+
exp: Time.now.to_i + 5.minutes.to_i
|
|
238
|
+
}
|
|
239
|
+
|
|
240
|
+
if nonce
|
|
241
|
+
# String value used to associate a tool session with an ID Token, and to mitigate replay
|
|
242
|
+
# attacks. The nonce value is a case-sensitive string.
|
|
243
|
+
secure_payload[:nonce] = SecureRandom.uuid
|
|
244
|
+
end
|
|
245
|
+
|
|
246
|
+
payload.reverse_merge!(secure_payload)
|
|
247
|
+
end
|
|
228
248
|
end
|
data/lib/keypairs/version.rb
CHANGED