keypairs 1.3.1 → 1.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/keypair.rb +29 -9
- data/lib/keypairs/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3825e9ab54265b0413ed34458988e36a473284609021a930caee44aae4ff2902
|
|
4
|
+
data.tar.gz: dcd24440ff3a15560aa39d6c2da387944f147e89ecdad9e03a54e7de9faa69e2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d5b96c7cb4e2a6153b124be6dae5a62c37e43d5eebd9ade45b44fa1efe5f3baca918a654f0991cff393036b18209429da38c0325d3a69e930e0e719ee0651467
|
|
7
|
+
data.tar.gz: 5b5860d35ce4ccc9c4f6fbb1239163d667758f6401f760387e125e89190f24de3ef2e7e79af3cc6d0142021cd7fbb6dc695bb34ac551fbbf148ff35bfc48cf0d
|
data/lib/keypair.rb
CHANGED
|
@@ -114,6 +114,14 @@ class Keypair < ActiveRecord::Base
|
|
|
114
114
|
current.jwt_encode(payload)
|
|
115
115
|
end
|
|
116
116
|
|
|
117
|
+
# Encodes the payload with the current keypair.
|
|
118
|
+
# It forewards the call to the instance method {Keypair#jwt_encode}.
|
|
119
|
+
# @return [String] Encoded JWT token with security credentials.
|
|
120
|
+
# @param payload [Hash] Hash which should be encoded.
|
|
121
|
+
def self.jwt_encode_without_nonce(payload)
|
|
122
|
+
current.jwt_encode_without_nonce(payload, {}, nonce: false)
|
|
123
|
+
end
|
|
124
|
+
|
|
117
125
|
# Decodes the payload and verifies the signature against the current valid keypairs.
|
|
118
126
|
# @param id_token [String] A JWT that should be decoded.
|
|
119
127
|
# @param options [Hash] options for decoding, passed to {JWT::Decode}.
|
|
@@ -137,16 +145,9 @@ class Keypair < ActiveRecord::Base
|
|
|
137
145
|
# It automatically sets the +kid+ in the header.
|
|
138
146
|
# @param payload [Hash] you have to provide a hash since the security attributes have to be added.
|
|
139
147
|
# @param headers [Hash] you can optionally add additional headers to the JWT.
|
|
140
|
-
def jwt_encode(payload, headers = {})
|
|
148
|
+
def jwt_encode(payload, headers = {}, nonce: true)
|
|
141
149
|
# Add security claims to payload
|
|
142
|
-
payload
|
|
143
|
-
# Time at which the Issuer generated the JWT (epoch).
|
|
144
|
-
iat: Time.now.to_i,
|
|
145
|
-
|
|
146
|
-
# Expiration time on or after which the tool MUST NOT accept the ID Token for
|
|
147
|
-
# processing (epoch). This is mostly used to allow some clock skew.
|
|
148
|
-
exp: Time.now.to_i + 5.minutes.to_i
|
|
149
|
-
)
|
|
150
|
+
payload = secure_payload(payload, nonce: nonce)
|
|
150
151
|
|
|
151
152
|
# Add additional info into the headers
|
|
152
153
|
headers.reverse_merge!(
|
|
@@ -225,4 +226,23 @@ class Keypair < ActiveRecord::Base
|
|
|
225
226
|
|
|
226
227
|
errors.add(:expires_at, 'must be after not after')
|
|
227
228
|
end
|
|
229
|
+
|
|
230
|
+
def secure_payload(payload, nonce: true)
|
|
231
|
+
secure_payload = {
|
|
232
|
+
# Time at which the Issuer generated the JWT (epoch).
|
|
233
|
+
iat: Time.now.to_i,
|
|
234
|
+
|
|
235
|
+
# Expiration time on or after which the tool MUST NOT accept the ID Token for
|
|
236
|
+
# processing (epoch). This is mostly used to allow some clock skew.
|
|
237
|
+
exp: Time.now.to_i + 5.minutes.to_i
|
|
238
|
+
}
|
|
239
|
+
|
|
240
|
+
if nonce
|
|
241
|
+
# String value used to associate a tool session with an ID Token, and to mitigate replay
|
|
242
|
+
# attacks. The nonce value is a case-sensitive string.
|
|
243
|
+
secure_payload[:nonce] = SecureRandom.uuid
|
|
244
|
+
end
|
|
245
|
+
|
|
246
|
+
payload.reverse_merge!(secure_payload)
|
|
247
|
+
end
|
|
228
248
|
end
|
data/lib/keypairs/version.rb
CHANGED