padlock_auth-jwt 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 76622de62cd8065e302932783de9a3c02bff49880ec8f376fcdeed84cce97223
+  data.tar.gz: 460cb25344c8150779ad54a189a8d9ec371c63ae7bd1adf4b3b9af3183deca62
+SHA512:
+  metadata.gz: 39e6d74dbedae4ca68c3cef9a19bc3bcc8a4d2307877f2b557c616fd56ea4815e0e176726bb1a539141a2eb66b6c0bc503dce1160d290f4802f7cb2a4f928e2d
+  data.tar.gz: 4f3e41598b073669229e2de1da5543801e7b1182976dbdb67e84260af17215bb1245160da24a580bdd31454060d671f5a61b0510908983c31246c9eb3ec6ab0a

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright Ben Morrall
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,28 @@
+# PadlockAuth::Jwt
+Short description and motivation.
+
+## Usage
+How to use my plugin.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem "padlock_auth-jwt"
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install padlock_auth-jwt
+```
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,13 @@
+require "bundler/setup"
+
+require "bundler/gem_tasks"
+
+require "rspec/core/rake_task"
+RSpec::Core::RakeTask.new(:spec)
+
+require "standard/rake"
+
+task default: %i[
+  spec
+  standard
+]

data/config/locales/padlock_auth-jwt.en.yml

@@ -0,0 +1,22 @@
+en:
+  padlock_auth:
+    errors:
+      messages:
+        invalid_token:
+          invalid_jwt_token: "The access token is not a valid JWT."
+          invalid_signature: "The access token has an invalid signature."
+          missing_exp_claim: "The access token is missing a required exp claim."
+          missing_nbf_claim: "The access token is missing a required nbf claim."
+          missing_iss_claim: "The access token is missing a required iss claim."
+          missing_aud_claim: "The access token is missing a required aud claim."
+          missing_jti_claim: "The access token is missing a required jti claim."
+          missing_iat_claim: "The access token is missing a required iat claim."
+          missing_sub_claim: "The access token is missing a required sub claim."
+          invalid_exp_claim: "The access token has expired."
+          invalid_nbf_claim: "The access token is not yet valid."
+          invalid_iss_claim: "The access token is from an unknown issuer."
+          invalid_jti_claim: "The access token was revoked."
+          invalid_sub_claim: "The access token is for a different subject."
+        forbidden_token:
+          invalid_jwt_token: "The access token is not a valid JWT."
+          invalid_aud_claim: 'Access to this resource requires audience "%{oauth_scopes}".'

data/lib/padlock_auth/jwt/access_token.rb

@@ -0,0 +1,171 @@
+require "jwt"
+
+module PadlockAuth
+  module Jwt
+    class AccessToken < PadlockAuth::AbstractAccessToken
+      def initialize(jwt, strategy)
+        @jwt = jwt
+        @encoded_token = JWT::EncodedToken.new(jwt)
+        @strategy = strategy
+      end
+
+      def accessible?
+        return false unless valid_jwt_token?
+
+        return false unless valid_signature?
+
+        return false unless includes_required_claims?
+
+        # "exp" (Expiration Time) Claim
+        return false unless valid_exp_claim?
+
+        # "nbf" (Not Before) Claim
+        return false unless valid_nbf_claim?
+
+        # "iss" (Issuer) Claim
+        return false unless valid_iss_claim?
+
+        # "jti" (JWT ID) Claim
+        return false unless valid_jti_claim?
+
+        # "sub" (Subject) Claim
+        return false unless valid_sub_claim?
+
+        true
+      end
+
+      def invalid_token_reason
+        return :invalid_jwt_token unless valid_jwt_token?
+        return :invalid_signature unless valid_signature?
+
+        return :missing_exp_claim unless includes_required_exp_claim?
+        return :invalid_exp_claim unless valid_exp_claim?
+
+        return :missing_nbf_claim unless includes_required_nbf_claim?
+        return :invalid_nbf_claim unless valid_nbf_claim?
+
+        return :missing_iss_claim unless includes_required_iss_claim?
+        return :invalid_iss_claim unless valid_iss_claim?
+
+        return :missing_aud_claim unless includes_required_aud_claim?
+        # validity checked by #includes_scope?
+
+        return :missing_jti_claim unless includes_required_jti_claim?
+        return :invalid_jti_claim unless valid_jti_claim?
+
+        return :missing_iat_claim unless includes_required_iat_claim?
+
+        return :missing_sub_claim unless includes_required_sub_claim?
+        return :invalid_sub_claim unless valid_sub_claim?
+
+        super # :unknown
+      end
+
+      def includes_scope?(required_scopes)
+        return false unless valid_jwt_token?
+
+        required_scopes.none? || valid_aud_claim?(required_scopes.map(&:to_s))
+      end
+
+      def forbidden_token_reason
+        return :invalid_jwt_token unless valid_jwt_token?
+
+        :invalid_aud_claim
+      end
+
+      def header
+        @encoded_token.header if valid_jwt_token?
+      end
+
+      def payload
+        @encoded_token.payload if valid_jwt_token?
+      end
+
+      private
+
+      # https://datatracker.ietf.org/doc/html/rfc9068#JWTATLValidate
+      # The resource server MUST verify that the "typ" header value is "at+jwt" or "application/at+jwt" and reject tokens carrying any other value.
+      def valid_jwt_token?
+        return @valid_jwt_token if instance_variable_defined?(:@valid_jwt_token)
+        @valid_jwt_token = @encoded_token.header.present? &&
+          @strategy.header_types.include?(@encoded_token.header["typ"])
+      rescue JWT::DecodeError
+        @valid_jwt_token = false
+      end
+
+      def valid_signature?
+        return @valid_signature if instance_variable_defined?(:@valid_signature)
+        @valid_signature = @encoded_token.valid_signature?(algorithm: @strategy.algorithm, key: @strategy.secret_key)
+      end
+
+      def includes_required_claims?
+        includes_required_exp_claim? &&
+          includes_required_nbf_claim? &&
+          includes_required_iss_claim? &&
+          includes_required_aud_claim? &&
+          includes_required_jti_claim? &&
+          includes_required_iat_claim? &&
+          includes_required_sub_claim?
+      end
+
+      def includes_required_exp_claim?
+        !@strategy.exp_required? || @encoded_token.valid_claims?(required: ["exp"])
+      end
+
+      def includes_required_nbf_claim?
+        !@strategy.nbf_required? || @encoded_token.valid_claims?(required: ["nbf"])
+      end
+
+      def includes_required_iss_claim?
+        !@strategy.iss_required? || @encoded_token.valid_claims?(required: ["iss"])
+      end
+
+      def includes_required_aud_claim?
+        !@strategy.aud_required? || @encoded_token.valid_claims?(required: ["aud"])
+      end
+
+      def includes_required_jti_claim?
+        !@strategy.jti_required? || @encoded_token.valid_claims?(required: ["jti"])
+      end
+
+      def includes_required_iat_claim?
+        !@strategy.iat_required? || @encoded_token.valid_claims?(required: ["iat"])
+      end
+
+      def includes_required_sub_claim?
+        !@strategy.sub_required? || @encoded_token.valid_claims?(required: ["sub"])
+      end
+
+      def valid_exp_claim?
+        return @valid_exp_claim if instance_variable_defined?(:@valid_exp_claim)
+        @valid_exp_claim = @encoded_token.valid_claims?(exp: {leeway: @strategy.expiry_leeway})
+      end
+
+      def valid_nbf_claim?
+        return @valid_nbf_claim if instance_variable_defined?(:@valid_nbf_claim)
+        @valid_nbf_claim = @encoded_token.valid_claims?(nbf: {leeway: @strategy.not_before_leeway})
+      end
+
+      def valid_iss_claim?
+        return @valid_iss_claim if instance_variable_defined?(:@valid_iss_claim)
+        @valid_iss_claim = @strategy.issuers.none? || @encoded_token.valid_claims?(iss: @strategy.issuers)
+      end
+
+      def valid_aud_claim?(required_scopes)
+        @encoded_token.valid_claims?(aud: required_scopes.map(&:to_s))
+      end
+
+      def valid_jti_claim?
+        return @valid_jti_claim if instance_variable_defined?(:@valid_jti_claim)
+        @valid_jti_claim = @encoded_token.valid_claims?(jti: @strategy.verify_jti)
+      end
+
+      def valid_sub_claim?
+        return true if @strategy.subject.blank?
+
+        return @valid_sub_claim if instance_variable_defined?(:@valid_sub_claim)
+        @valid_sub_claim = @encoded_token.valid_claims?(sub: @strategy.subject)
+      end
+    end
+  end
+end

data/lib/padlock_auth/jwt/errors.rb

@@ -0,0 +1,25 @@
+module PadlockAuth
+  module Jwt
+    module Errors
+      # Invalid Token errors
+
+      class InvalidSignature < PadlockAuth::Errors::InvalidToken; end
+
+      class MissingRequiredClaim < PadlockAuth::Errors::InvalidToken; end
+
+      class InvalidExpClaim < PadlockAuth::Errors::TokenExpired; end
+
+      class InvalidNbfClaim < PadlockAuth::Errors::InvalidToken; end
+
+      class InvalidIssClaim < PadlockAuth::Errors::InvalidToken; end
+
+      class InvalidJtiClaim < PadlockAuth::Errors::TokenRevoked; end
+
+      class InvalidSubClaim < PadlockAuth::Errors::InvalidToken; end
+
+      # Forbidden Token errors
+
+      class InvalidAudClaim < PadlockAuth::Errors::TokenForbidden; end
+    end
+  end
+end

data/lib/padlock_auth/jwt/http/forbidden_token_response.rb

@@ -0,0 +1,14 @@
+module PadlockAuth
+  module Jwt
+    module Http
+      # Adds JWT specific errors to the ForbiddenTokenResponse
+      class ForbiddenTokenResponse < PadlockAuth::Http::ForbiddenTokenResponse
+        protected
+
+        def exception_class
+          PadlockAuth::Jwt::Errors::InvalidAudClaim
+        end
+      end
+    end
+  end
+end

data/lib/padlock_auth/jwt/http/invalid_token_response.rb

@@ -0,0 +1,35 @@
+module PadlockAuth
+  module Jwt
+    module Http
+      # Adds JWT specific errors to the InvalidTokenResponse
+      class InvalidTokenResponse < PadlockAuth::Http::InvalidTokenResponse
+        protected
+
+        def exception_class
+          jwt_errors_mapping.fetch(reason) { super }
+        end
+
+        private
+
+        def jwt_errors_mapping
+          {
+            invalid_signature: PadlockAuth::Jwt::Errors::InvalidSignature,
+            missing_exp_claim: PadlockAuth::Jwt::Errors::MissingRequiredClaim,
+            missing_nbf_claim: PadlockAuth::Jwt::Errors::MissingRequiredClaim,
+            missing_iss_claim: PadlockAuth::Jwt::Errors::MissingRequiredClaim,
+            missing_aud_claim: PadlockAuth::Jwt::Errors::MissingRequiredClaim,
+            missing_jti_claim: PadlockAuth::Jwt::Errors::MissingRequiredClaim,
+            missing_iat_claim: PadlockAuth::Jwt::Errors::MissingRequiredClaim,
+            missing_sub_claim: PadlockAuth::Jwt::Errors::MissingRequiredClaim,
+            invalid_exp_claim: PadlockAuth::Jwt::Errors::InvalidExpClaim,
+            invalid_nbf_claim: PadlockAuth::Jwt::Errors::InvalidNbfClaim,
+            invalid_iss_claim: PadlockAuth::Jwt::Errors::InvalidIssClaim,
+            invalid_jti_claim: PadlockAuth::Jwt::Errors::InvalidJtiClaim,
+            invalid_sub_claim: PadlockAuth::Jwt::Errors::InvalidSubClaim
+
+          }
+        end
+      end
+    end
+  end
+end

data/lib/padlock_auth/jwt/railtie.rb

@@ -0,0 +1,9 @@
+module PadlockAuthJwt
+  class Railtie < ::Rails::Railtie
+    initializer "padlock_auth-jwt.i18n" do
+      Dir.glob(File.join(File.dirname(__FILE__), "..", "..", "..", "config", "locales", "*.yml")).each do |file|
+        I18n.load_path << File.expand_path(file)
+      end
+    end
+  end
+end

data/lib/padlock_auth/jwt/strategy.rb

@@ -0,0 +1,208 @@
+module PadlockAuth
+  module Jwt
+    class Strategy < PadlockAuth::AbstractStrategy
+      include PadlockAuth::Mixins::BuildWith
+
+      class Builder < PadlockAuth::Utils::AbstractBuilder
+        def nbf_leeway(nbf_leeway)
+          not_before_leeway(nbf_leeway)
+        end
+      end
+
+      build_with Builder
+
+      extend PadlockAuth::Config::Option
+
+      # Token Factory
+
+      def build_access_token(raw_token)
+        Jwt::AccessToken.new(raw_token, self)
+      end
+
+      # HTTP Responses
+
+      def build_invalid_token_response(access_token)
+        Jwt::Http::InvalidTokenResponse.from_access_token(access_token)
+      end
+
+      def build_forbidden_token_response(access_token, scopes)
+        Jwt::Http::ForbiddenTokenResponse.from_access_token(access_token, scopes)
+      end
+
+      # Signature
+
+      option :secret_key
+
+      # https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
+      option :algorithm, default: "RS256"
+
+      # "typ" (Type) Header Parameter
+      #
+      # RFC9068 registers the "application/at+jwt" media type, which can be used to
+      # indicate that the content is a JWT access token. JWT access tokens MUST include this media
+      # type in the "typ" header parameter to explicitly declare that the JWT represents an access
+      # token complying with this profile.
+
+      # https://datatracker.ietf.org/doc/html/rfc9068#JWTATLValidate
+      REQUIRED_HEADER_TYPES = ["at+jwt", "application/at+jwt"]
+
+      option :header_types, default: REQUIRED_HEADER_TYPES
+
+      def header_types
+        Array.wrap(@header_types || REQUIRED_HEADER_TYPES)
+      end
+
+      # "exp" (Expiration Time) Claim
+      #
+      #  The "exp" (expiration time) claim identifies the expiration time on
+      #  or after which the JWT MUST NOT be accepted for processing.  The
+      #  processing of the "exp" claim requires that the current date/time
+      #  MUST be before the expiration date/time listed in the "exp" claim.
+      #
+      #  Implementers MAY provide for some small leeway, usually no more than
+      #  a few minutes, to account for clock skew.  Its value MUST be a number
+      #  containing a NumericDate value.  Use of this claim is OPTIONAL.
+
+      # @!attribute require_exp [r] Boolean
+      option :require_exp, default: true
+
+      def exp_required?
+        !!require_exp
+      end
+
+      option :expiry_leeway, default: 0
+
+      # "nbf" (Not Before) Claim
+      #
+      # The "nbf" (not before) claim identifies the time before which the JWT
+      # MUST NOT be accepted for processing.  The processing of the "nbf"
+      # claim requires that the current date/time MUST be after or equal to
+      # the not-before date/time listed in the "nbf" claim.  Implementers MAY
+      # provide for some small leeway, usually no more than a few minutes, to
+      # account for clock skew.  Its value MUST be a number containing a
+      # NumericDate value.  Use of this claim is OPTIONAL.
+
+      option :require_nbf, default: false
+
+      def nbf_required?
+        !!require_nbf
+      end
+
+      option :not_before_leeway, default: 0
+
+      # "iss" (Issuer) Claim
+      #
+      # The "iss" (issuer) claim identifies the principal that issued the
+      # JWT.  The processing of this claim is generally application specific.
+      # The "iss" value is a case-sensitive string containing a StringOrURI
+      # value.  Use of this claim is OPTIONAL.
+
+      # @!attribute require_iss [r] Boolean
+      option :require_iss, default: false
+
+      def iss_required?
+        !!require_iss
+      end
+
+      option :issuers, default: nil
+
+      def issuers
+        Array.wrap(@issuers)
+      end
+
+      # "aud" (Audience) Claim
+      #
+      # The "aud" (audience) claim identifies the recipients that the JWT is
+      # intended for.  Each principal intended to process the JWT MUST
+      # identify itself with a value in the audience claim.  If the principal
+      # processing the claim does not identify itself with a value in the
+      # "aud" claim when this claim is present, then the JWT MUST be
+      # rejected.  In the general case, the "aud" value is an array of case-
+      # sensitive strings, each containing a StringOrURI value.  In the
+      # special case when the JWT has one audience, the "aud" value MAY be a
+      # single case-sensitive string containing a StringOrURI value.  The
+      # interpretation of audience values is generally application specific.
+      # Use of this claim is OPTIONAL.
+
+      option :require_aud, default: true
+
+      def aud_required?
+        !!require_aud
+      end
+
+      # "jti" (JWT ID) Claim
+      #
+      # The "jti" (JWT ID) claim provides a unique identifier for the JWT.
+      # The identifier value MUST be assigned in a manner that ensures that
+      # there is a negligible probability that the same value will be
+      # accidentally assigned to a different data object; if the application
+      # uses multiple issuers, collisions MUST be prevented among values
+      # produced by different issuers as well.  The "jti" claim can be used
+      # to prevent the JWT from being replayed.  The "jti" value is a case-
+      # sensitive string.  Use of this claim is OPTIONAL.
+
+      option :require_jti, default: true
+
+      def jti_required?
+        !!require_jti
+      end
+
+      option :verify_jti, default: proc { true }
+
+      # "iat" (Issued At) Claim
+      #
+      # The "iat" (issued at) claim identifies the time at which the JWT was
+      # issued.  This claim can be used to determine the age of the JWT.  Its
+      # value MUST be a number containing a NumericDate value.  Use of this
+      # claim is OPTIONAL.
+
+      option :require_iat, default: true
+
+      def iat_required?
+        !!require_iat
+      end
+
+      # "sub" (Subject) Claim
+      #
+      # The "sub" (subject) claim identifies the principal that is the
+      # subject of the JWT.  The claims in a JWT are normally statements
+      # about the subject.  The subject value MUST either be scoped to be
+      # locally unique in the context of the issuer or be globally unique.
+      # The processing of this claim is generally application specific.  The
+      # "sub" value is a case-sensitive string containing a StringOrURI
+      # value.  Use of this claim is OPTIONAL.
+
+      option :require_sub, default: true
+
+      def sub_required?
+        !!require_sub
+      end
+
+      option :subject, default: nil
+
+      def subject
+        Array.wrap(@subject)
+      end
+
+      # Builder Validation
+
+      def validate!
+        raise ArgumentError, "secret_key is required" unless secret_key.present?
+
+        raise ArgumentError, "algorithm is required" unless algorithm.present?
+
+        raise ArgumentError, "header_types cannot be empty" unless header_types.present?
+
+        if subject.present? && !sub_required?
+          raise ArgumentError, "subject is not required"
+        end
+
+        if iss_required? && issuers.blank?
+          raise ArgumentError, "issuers are required when require_iss is true"
+        end
+
+        true
+      end
+    end
+  end
+end

data/lib/padlock_auth/jwt/version.rb

@@ -0,0 +1,5 @@
+module PadlockAuth
+  module Jwt
+    VERSION = "0.1.0"
+  end
+end

data/lib/padlock_auth/jwt.rb

@@ -0,0 +1,18 @@
+require "padlock_auth"
+
+require "padlock_auth/jwt/version"
+require "padlock_auth/jwt/errors"
+
+module PadlockAuth
+  module Jwt
+    autoload :AccessToken, "padlock_auth/jwt/access_token"
+    autoload :Strategy, "padlock_auth/jwt/strategy"
+
+    module Http
+      autoload :InvalidTokenResponse, "padlock_auth/jwt/http/invalid_token_response"
+      autoload :ForbiddenTokenResponse, "padlock_auth/jwt/http/forbidden_token_response"
+    end
+  end
+end
+
+require "padlock_auth/jwt/railtie"

data/lib/padlock_auth-jwt.rb

@@ -0,0 +1 @@
+require "padlock_auth/jwt"

data/lib/tasks/padlock_auth/jwt_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :padlock_auth_jwt do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,130 @@
+--- !ruby/object:Gem::Specification
+name: padlock_auth-jwt
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Ben Morrall
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2024-12-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: padlock_auth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.9.4
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: standard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.41.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.41.1
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Allows API endpoints to be secured by a JWT Access Token.
+email:
+- bemo56@hotmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- config/locales/padlock_auth-jwt.en.yml
+- lib/padlock_auth-jwt.rb
+- lib/padlock_auth/jwt.rb
+- lib/padlock_auth/jwt/access_token.rb
+- lib/padlock_auth/jwt/errors.rb
+- lib/padlock_auth/jwt/http/forbidden_token_response.rb
+- lib/padlock_auth/jwt/http/invalid_token_response.rb
+- lib/padlock_auth/jwt/railtie.rb
+- lib/padlock_auth/jwt/strategy.rb
+- lib/padlock_auth/jwt/version.rb
+- lib/tasks/padlock_auth/jwt_tasks.rake
+homepage: https://github.com/bmorrall/padlock_auth-jwt
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/bmorrall/padlock_auth-jwt
+  source_code_uri: https://github.com/bmorrall/padlock_auth-jwt
+  changelog_uri: https://github.com/bmorrall/padlock_auth-jwt/main/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.17
+signing_key:
+specification_version: 4
+summary: Adds JWT Support to PadlockAuth.
+test_files: []