keypairs 1.3.1 → 1.3.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/keypair.rb +29 -9
- data/lib/keypairs/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3825e9ab54265b0413ed34458988e36a473284609021a930caee44aae4ff2902
|
|
4
|
+
data.tar.gz: dcd24440ff3a15560aa39d6c2da387944f147e89ecdad9e03a54e7de9faa69e2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d5b96c7cb4e2a6153b124be6dae5a62c37e43d5eebd9ade45b44fa1efe5f3baca918a654f0991cff393036b18209429da38c0325d3a69e930e0e719ee0651467
|
|
7
|
+
data.tar.gz: 5b5860d35ce4ccc9c4f6fbb1239163d667758f6401f760387e125e89190f24de3ef2e7e79af3cc6d0142021cd7fbb6dc695bb34ac551fbbf148ff35bfc48cf0d
|
data/lib/keypair.rb
CHANGED
|
@@ -114,6 +114,14 @@ class Keypair < ActiveRecord::Base
|
|
|
114
114
|
current.jwt_encode(payload)
|
|
115
115
|
end
|
|
116
116
|
|
|
117
|
+
# Encodes the payload with the current keypair.
|
|
118
|
+
# It forewards the call to the instance method {Keypair#jwt_encode}.
|
|
119
|
+
# @return [String] Encoded JWT token with security credentials.
|
|
120
|
+
# @param payload [Hash] Hash which should be encoded.
|
|
121
|
+
def self.jwt_encode_without_nonce(payload)
|
|
122
|
+
current.jwt_encode_without_nonce(payload, {}, nonce: false)
|
|
123
|
+
end
|
|
124
|
+
|
|
117
125
|
# Decodes the payload and verifies the signature against the current valid keypairs.
|
|
118
126
|
# @param id_token [String] A JWT that should be decoded.
|
|
119
127
|
# @param options [Hash] options for decoding, passed to {JWT::Decode}.
|
|
@@ -137,16 +145,9 @@ class Keypair < ActiveRecord::Base
|
|
|
137
145
|
# It automatically sets the +kid+ in the header.
|
|
138
146
|
# @param payload [Hash] you have to provide a hash since the security attributes have to be added.
|
|
139
147
|
# @param headers [Hash] you can optionally add additional headers to the JWT.
|
|
140
|
-
def jwt_encode(payload, headers = {})
|
|
148
|
+
def jwt_encode(payload, headers = {}, nonce: true)
|
|
141
149
|
# Add security claims to payload
|
|
142
|
-
payload
|
|
143
|
-
# Time at which the Issuer generated the JWT (epoch).
|
|
144
|
-
iat: Time.now.to_i,
|
|
145
|
-
|
|
146
|
-
# Expiration time on or after which the tool MUST NOT accept the ID Token for
|
|
147
|
-
# processing (epoch). This is mostly used to allow some clock skew.
|
|
148
|
-
exp: Time.now.to_i + 5.minutes.to_i
|
|
149
|
-
)
|
|
150
|
+
payload = secure_payload(payload, nonce: nonce)
|
|
150
151
|
|
|
151
152
|
# Add additional info into the headers
|
|
152
153
|
headers.reverse_merge!(
|
|
@@ -225,4 +226,23 @@ class Keypair < ActiveRecord::Base
|
|
|
225
226
|
|
|
226
227
|
errors.add(:expires_at, 'must be after not after')
|
|
227
228
|
end
|
|
229
|
+
|
|
230
|
+
def secure_payload(payload, nonce: true)
|
|
231
|
+
secure_payload = {
|
|
232
|
+
# Time at which the Issuer generated the JWT (epoch).
|
|
233
|
+
iat: Time.now.to_i,
|
|
234
|
+
|
|
235
|
+
# Expiration time on or after which the tool MUST NOT accept the ID Token for
|
|
236
|
+
# processing (epoch). This is mostly used to allow some clock skew.
|
|
237
|
+
exp: Time.now.to_i + 5.minutes.to_i
|
|
238
|
+
}
|
|
239
|
+
|
|
240
|
+
if nonce
|
|
241
|
+
# String value used to associate a tool session with an ID Token, and to mitigate replay
|
|
242
|
+
# attacks. The nonce value is a case-sensitive string.
|
|
243
|
+
secure_payload[:nonce] = SecureRandom.uuid
|
|
244
|
+
end
|
|
245
|
+
|
|
246
|
+
payload.reverse_merge!(secure_payload)
|
|
247
|
+
end
|
|
228
248
|
end
|
data/lib/keypairs/version.rb
CHANGED