RubyGems - ruby-paseto - Versions diffs - 0.1.0 - Mend

ruby-paseto 0.1.0

Files changed (116) hide show

checksums.yaml +7 -0
data/CHANGELOG.md +8 -0
data/CODE_OF_CONDUCT.md +84 -0
data/LICENSE.txt +21 -0
data/README.md +549 -0
data/lib/paseto/asn1/algorithm_identifier.rb +17 -0
data/lib/paseto/asn1/curve_private_key.rb +22 -0
data/lib/paseto/asn1/ec_private_key.rb +27 -0
data/lib/paseto/asn1/ecdsa_full_r.rb +26 -0
data/lib/paseto/asn1/ecdsa_sig_value.rb +23 -0
data/lib/paseto/asn1/ecdsa_signature.rb +49 -0
data/lib/paseto/asn1/ed25519_identifier.rb +15 -0
data/lib/paseto/asn1/named_curve.rb +17 -0
data/lib/paseto/asn1/one_asymmetric_key.rb +32 -0
data/lib/paseto/asn1/private_key.rb +17 -0
data/lib/paseto/asn1/private_key_algorithm_identifier.rb +17 -0
data/lib/paseto/asn1/public_key.rb +17 -0
data/lib/paseto/asn1/subject_public_key_info.rb +28 -0
data/lib/paseto/asn1.rb +101 -0
data/lib/paseto/asymmetric_key.rb +100 -0
data/lib/paseto/configuration/box.rb +23 -0
data/lib/paseto/configuration/decode_configuration.rb +68 -0
data/lib/paseto/configuration.rb +18 -0
data/lib/paseto/interface/i_d.rb +23 -0
data/lib/paseto/interface/key.rb +113 -0
data/lib/paseto/interface/pbkd.rb +83 -0
data/lib/paseto/interface/pie.rb +59 -0
data/lib/paseto/interface/pke.rb +86 -0
data/lib/paseto/interface/serializer.rb +19 -0
data/lib/paseto/interface/version.rb +161 -0
data/lib/paseto/interface/wrapper.rb +20 -0
data/lib/paseto/operations/i_d.rb +48 -0
data/lib/paseto/operations/id/i_dv3.rb +20 -0
data/lib/paseto/operations/id/i_dv4.rb +20 -0
data/lib/paseto/operations/pbkd/p_b_k_dv3.rb +85 -0
data/lib/paseto/operations/pbkd/p_b_k_dv4.rb +94 -0
data/lib/paseto/operations/pbkw.rb +73 -0
data/lib/paseto/operations/pke/p_k_ev3.rb +97 -0
data/lib/paseto/operations/pke/p_k_ev4.rb +95 -0
data/lib/paseto/operations/pke.rb +57 -0
data/lib/paseto/operations/wrap.rb +29 -0
data/lib/paseto/paserk.rb +55 -0
data/lib/paseto/paserk_types.rb +46 -0
data/lib/paseto/protocol/version3.rb +100 -0
data/lib/paseto/protocol/version4.rb +99 -0
data/lib/paseto/result.rb +9 -0
data/lib/paseto/serializer/optional_json.rb +30 -0
data/lib/paseto/serializer/raw.rb +23 -0
data/lib/paseto/sodium/curve_25519.rb +46 -0
data/lib/paseto/sodium/safe_ed25519_loader.rb +19 -0
data/lib/paseto/sodium/stream/base.rb +82 -0
data/lib/paseto/sodium/stream/x_cha_cha20_xor.rb +31 -0
data/lib/paseto/sodium.rb +5 -0
data/lib/paseto/symmetric_key.rb +119 -0
data/lib/paseto/token.rb +127 -0
data/lib/paseto/token_types.rb +29 -0
data/lib/paseto/util.rb +105 -0
data/lib/paseto/v3/local.rb +63 -0
data/lib/paseto/v3/public.rb +204 -0
data/lib/paseto/v4/local.rb +56 -0
data/lib/paseto/v4/public.rb +169 -0
data/lib/paseto/validator.rb +154 -0
data/lib/paseto/verifiers/footer.rb +30 -0
data/lib/paseto/verifiers/payload.rb +42 -0
data/lib/paseto/verify.rb +48 -0
data/lib/paseto/version.rb +6 -0
data/lib/paseto/versions.rb +25 -0
data/lib/paseto/wrappers/pie/pie_v3.rb +72 -0
data/lib/paseto/wrappers/pie/pie_v4.rb +72 -0
data/lib/paseto/wrappers/pie.rb +71 -0
data/lib/paseto.rb +99 -0
data/paseto.gemspec +58 -0
data/sorbet/config +3 -0
data/sorbet/rbi/annotations/rainbow.rbi +269 -0
data/sorbet/rbi/gems/ast@2.4.2.rbi +584 -0
data/sorbet/rbi/gems/diff-lcs@1.5.0.rbi +1083 -0
data/sorbet/rbi/gems/docile@1.4.0.rbi +376 -0
data/sorbet/rbi/gems/ffi@1.15.5.rbi +1994 -0
data/sorbet/rbi/gems/io-console@0.5.11.rbi +8 -0
data/sorbet/rbi/gems/irb@1.5.1.rbi +342 -0
data/sorbet/rbi/gems/json@2.6.3.rbi +1541 -0
data/sorbet/rbi/gems/multi_json@1.15.0.rbi +267 -0
data/sorbet/rbi/gems/netrc@0.11.0.rbi +158 -0
data/sorbet/rbi/gems/oj@3.13.23.rbi +603 -0
data/sorbet/rbi/gems/openssl@3.0.1.rbi +1735 -0
data/sorbet/rbi/gems/parallel@1.22.1.rbi +277 -0
data/sorbet/rbi/gems/rainbow@3.1.1.rbi +407 -0
data/sorbet/rbi/gems/rake@13.0.6.rbi +3021 -0
data/sorbet/rbi/gems/rbnacl@7.1.1.rbi +3218 -0
data/sorbet/rbi/gems/regexp_parser@2.6.1.rbi +3481 -0
data/sorbet/rbi/gems/reline@0.3.1.rbi +8 -0
data/sorbet/rbi/gems/rexml@3.2.5.rbi +4717 -0
data/sorbet/rbi/gems/rspec-core@3.12.0.rbi +10887 -0
data/sorbet/rbi/gems/rspec-expectations@3.12.0.rbi +8090 -0
data/sorbet/rbi/gems/rspec-mocks@3.12.0.rbi +5300 -0
data/sorbet/rbi/gems/rspec-support@3.12.0.rbi +1617 -0
data/sorbet/rbi/gems/rspec@3.12.0.rbi +88 -0
data/sorbet/rbi/gems/ruby-progressbar@1.11.0.rbi +1239 -0
data/sorbet/rbi/gems/simplecov-html@0.12.3.rbi +219 -0
data/sorbet/rbi/gems/simplecov@0.21.2.rbi +2135 -0
data/sorbet/rbi/gems/simplecov_json_formatter@0.1.4.rbi +8 -0
data/sorbet/rbi/gems/thor@1.2.1.rbi +3956 -0
data/sorbet/rbi/gems/timecop@0.9.6.rbi +350 -0
data/sorbet/rbi/gems/unicode-display_width@2.3.0.rbi +48 -0
data/sorbet/rbi/gems/webrick@1.7.0.rbi +2555 -0
data/sorbet/rbi/gems/yard-sorbet@0.7.0.rbi +391 -0
data/sorbet/rbi/gems/yard@0.9.28.rbi +17816 -0
data/sorbet/rbi/gems/zeitwerk@2.6.6.rbi +950 -0
data/sorbet/rbi/shims/multi_json.rbi +19 -0
data/sorbet/rbi/shims/openssl.rbi +111 -0
data/sorbet/rbi/shims/rbnacl.rbi +65 -0
data/sorbet/rbi/shims/zeitwerk.rbi +6 -0
data/sorbet/rbi/todo.rbi +7 -0
data/sorbet/tapioca/config.yml +30 -0
data/sorbet/tapioca/require.rb +12 -0
metadata +376 -0

data/lib/paseto/validator.rb ADDED Viewed

@@ -0,0 +1,154 @@
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  class Validator
+    extend T::Sig
+    extend T::Helpers
+    abstract!
+    sig { returns(T::Hash[String, T.untyped]) }
+    attr_reader :payload
+    sig { returns(T::Hash[Symbol, T.untyped]) }
+    attr_reader :options
+    sig { params(payload: T::Hash[String, T.untyped], options: T::Hash[Symbol, T.untyped]).void }
+    def initialize(payload, options)
+      @payload = payload
+      @options = options
+    end
+    sig { abstract.void }
+    def verify; end
+    class Audience < Validator
+      sig { override.void }
+      def verify
+        return unless (aud = options[:verify_aud])
+        given = payload['aud']
+        raise InvalidAudience, "Invalid audience. Expected #{aud}, got #{given || '<none>'}" if ([*aud] & [*given]).empty?
+      end
+    end
+    class Expiration < Validator
+      sig { override.void }
+      def verify
+        return unless options[:verify_exp]
+        given = payload['exp']
+        begin
+          exp = Time.iso8601(given)
+        rescue ArgumentError
+          raise ExpiredToken, "Expiry not valid iso8601, got #{given || '<none>'}"
+        end
+        raise ExpiredToken, 'Expiry has passed' if Time.now > exp
+      end
+    end
+    class IssuedAt < Validator
+      sig { override.void }
+      def verify
+        return unless options[:verify_iat]
+        given = payload['iat']
+        begin
+          iat = Time.iso8601(given)
+        rescue ArgumentError
+          raise ImmatureToken, "IssuedAt not valid iso8601, got #{given || '<none>'}"
+        end
+        raise ImmatureToken, 'Token is from the future' if Time.now < iat
+      end
+    end
+    class Issuer < Validator
+      sig { override.void }
+      def verify
+        return unless (permitted = options[:verify_iss])
+        given = payload['iss']
+        permitted = Array(permitted).map { |i| i.is_a?(Symbol) ? i.to_s : i }
+        case given
+        when *permitted
+          nil
+        else
+          raise InvalidIssuer, "Invalid issuer. Expected #{permitted}, got #{given || '<none>'}"
+        end
+      end
+    end
+    class WPK < Validator
+      PERMITTED = T.let(%w[seal local-wrap secret-wrap].freeze, T::Array[String])
+      sig { override.void }
+      def verify
+        return unless (wpk = payload['wpk'])
+        wpk.split('.', 3) => [_, String => type, _]
+        raise InvalidWPK unless PERMITTED.include?(type)
+      end
+    end
+    class KeyID < Validator
+      PERMITTED = T.let(%w[lid sid pid].freeze, T::Array[String])
+      sig { override.void }
+      def verify
+        return unless (kid = payload['kid'])
+        case kid.split('.')
+        in [_, String => type, _] if PERMITTED.include?(type)
+          nil
+        else
+          raise InvalidKID
+        end
+      end
+    end
+    class NotBefore < Validator
+      sig { override.void }
+      def verify
+        return unless options[:verify_nbf]
+        given = payload['nbf']
+        begin
+          nbf = Time.iso8601(given)
+        rescue ArgumentError
+          raise InactiveToken, "NotBefore not valid iso8601, got #{given || '<none>'}"
+        end
+        raise InactiveToken, 'Not yet active' if nbf > Time.now
+      end
+    end
+    class Subject < Validator
+      sig { override.void }
+      def verify
+        return unless (sub = options[:verify_sub])
+        given = payload['sub']
+        raise InvalidSubject, "Invalid subject. Expected #{sub}, got #{given || '<none>'}" unless sub == given
+      end
+    end
+    class TokenIdentifier < Validator
+      sig { override.void }
+      def verify
+        return unless (jti = options[:verify_jti])
+        given = payload['jti']
+        if jti.respond_to?(:call)
+          raise InvalidTokenIdentifier, 'Invalid jti' unless jti.call(given)
+        elsif given.to_s.empty?
+          raise InvalidTokenIdentifier, 'Missing jti'
+        end
+      end
+    end
+  end
+end

data/lib/paseto/verifiers/footer.rb ADDED Viewed

@@ -0,0 +1,30 @@
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Verifiers
+    class Footer < T::Enum
+      extend T::Sig
+      enums do
+        ForbiddenWPKValue = new
+        ForbiddenKIDValue = new
+      end
+      sig { params(footer: T::Hash[String, T.untyped], options: T::Hash[Symbol, T.untyped]).void }
+      def self.verify(footer, options)
+        values.each { |v| v.verifier.new(footer, options).verify }
+      end
+      sig { returns(T.class_of(Validator)) }
+      def verifier
+        case self
+        when ForbiddenWPKValue then Paseto::Validator::WPK
+        when ForbiddenKIDValue then Paseto::Validator::KeyID
+        else
+          T.absurd(self)
+        end
+      end
+    end
+  end
+end

data/lib/paseto/verifiers/payload.rb ADDED Viewed

@@ -0,0 +1,42 @@
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Verifiers
+    class Payload < T::Enum
+      extend T::Sig
+      enums do
+        Audience = new
+        IssuedAt = new
+        Issuer = new
+        Expiration = new
+        NotBefore = new
+        Subject = new
+        TokenIdentifier = new
+      end
+      sig { params(body: T::Hash[String, T.untyped], options: T::Hash[Symbol, T.untyped]).void }
+      def self.verify(body, options)
+        values.each { |v| v.verifier.new(body, options).verify }
+      end
+      sig { returns(T.class_of(Validator)) }
+      def verifier # rubocop:disable Metrics/CyclomaticComplexity
+        case self
+        when Audience then Paseto::Validator::Audience
+        when IssuedAt then Paseto::Validator::IssuedAt
+        when Issuer then Paseto::Validator::Issuer
+        when Expiration then Paseto::Validator::Expiration
+        when NotBefore then Paseto::Validator::NotBefore
+        when Subject then Paseto::Validator::Subject
+        when TokenIdentifier then Paseto::Validator::TokenIdentifier
+        else
+          # :nocov:
+          T.absurd(self)
+          # :nocov:
+        end
+      end
+    end
+  end
+end

data/lib/paseto/verify.rb ADDED Viewed

@@ -0,0 +1,48 @@
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  class Verify
+    extend T::Sig
+    sig { returns(Result) }
+    attr_reader :result
+    sig do
+      params(
+        result: Result,
+        options: T::Hash[Symbol, T.untyped]
+      ).returns(Result)
+    end
+    def self.verify(result, options = {})
+      new(result, Paseto.config.decode.to_h.merge(options))
+        .then(&:verify_footer)
+        .then(&:verify_claims)
+        .then(&:result)
+    end
+    sig do
+      params(
+        result: Result,
+        options: T::Hash[Symbol, T.untyped]
+      ).void
+    end
+    def initialize(result, options)
+      @result = result
+      @options = options
+    end
+    sig { returns(T.self_type) }
+    def verify_claims
+      Verifiers::Payload.verify(@result.claims, @options)
+      self
+    end
+    sig { returns(T.self_type) }
+    def verify_footer
+      footer = @result.footer
+      Verifiers::Footer.verify(footer, @options) if footer.is_a?(Hash)
+      self
+    end
+  end
+end

data/lib/paseto/version.rb ADDED Viewed

@@ -0,0 +1,6 @@
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  VERSION = '0.1.0'
+end

data/lib/paseto/versions.rb ADDED Viewed

@@ -0,0 +1,25 @@
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  class Versions < T::Enum
+    extend T::Sig
+    enums do
+      V3Version = new(Protocol::Version3)
+      V4Version = new(Protocol::Version4)
+      V3Str = new('v3')
+      V4Str = new('v4')
+      K3Str = new('k3')
+      K4Str = new('k4')
+    end
+    sig { returns(Interface::Version) }
+    def instance
+      case self
+      when V3Version, V3Str, K3Str then Protocol::Version3.new
+      when V4Version, V4Str, K4Str then Protocol::Version4.new
+      end
+    end
+  end
+end

data/lib/paseto/wrappers/pie/pie_v3.rb ADDED Viewed

@@ -0,0 +1,72 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Wrappers
+    class PIE
+      class PieV3
+        extend T::Sig
+        include Interface::PIE
+        DOMAIN_SEPARATOR_AUTH = "\x81"
+        DOMAIN_SEPARATOR_ENCRYPT = "\x80"
+        sig { override.params(data: String).returns({ t: String, n: String, c: String }) }
+        def self.decode_and_split(data)
+          b = Util.decode64(data)
+          {
+            t: T.must(b.byteslice(0, 48)),
+            n: T.must(b.byteslice(48, 32)),
+            c: T.must(b.byteslice(80..))
+          }
+        end
+        sig { override.returns(Protocol::Version3) }
+        def self.protocol
+          Protocol::Version3.new
+        end
+        sig { override.returns(String) }
+        def local_header
+          'k3.local-wrap.pie.'
+        end
+        sig { override.returns(String) }
+        def secret_header
+          'k3.secret-wrap.pie.'
+        end
+        sig { params(wrapping_key: SymmetricKey).void }
+        def initialize(wrapping_key)
+          @wrapping_key = wrapping_key
+        end
+        sig { override.params(nonce: String).returns(String) }
+        def authentication_key(nonce:)
+          protocol.hmac("#{DOMAIN_SEPARATOR_AUTH}#{nonce}", key: @wrapping_key.to_bytes, digest_size: 32)
+        end
+        sig { override.params(payload: String, auth_key: String).returns(String) }
+        def authentication_tag(payload:, auth_key:)
+          protocol.hmac(payload, key: auth_key)
+        end
+        sig { override.returns(String) }
+        def random_nonce
+          protocol.random(32)
+        end
+        sig { override.params(nonce: String, payload: String).returns(String) }
+        def crypt(nonce:, payload:)
+          x = OpenSSL::HMAC.digest('SHA384', @wrapping_key.to_bytes, "#{DOMAIN_SEPARATOR_ENCRYPT}#{nonce}")
+          ek = T.must(x[0, 32])
+          n2 = T.must(x[32..])
+          protocol.crypt(key: ek, nonce: n2, payload: payload)
+        end
+      end
+    end
+  end
+end

data/lib/paseto/wrappers/pie/pie_v4.rb ADDED Viewed

@@ -0,0 +1,72 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Wrappers
+    class PIE
+      class PieV4
+        extend T::Sig
+        include Interface::PIE
+        DOMAIN_SEPARATOR_AUTH = "\x81"
+        DOMAIN_SEPARATOR_ENCRYPT = "\x80"
+        sig { override.params(data: String).returns({ t: String, n: String, c: String }) }
+        def self.decode_and_split(data)
+          b = Util.decode64(data)
+          {
+            t: T.must(b.byteslice(0, 32)),
+            n: T.must(b.byteslice(32, 32)),
+            c: T.must(b.byteslice(64..))
+          }
+        end
+        sig { override.returns(Protocol::Version4) }
+        def self.protocol
+          Protocol::Version4.new
+        end
+        sig { override.returns(String) }
+        def local_header
+          'k4.local-wrap.pie.'
+        end
+        sig { override.returns(String) }
+        def secret_header
+          'k4.secret-wrap.pie.'
+        end
+        sig { params(wrapping_key: SymmetricKey).void }
+        def initialize(wrapping_key)
+          @wrapping_key = wrapping_key
+        end
+        sig { override.params(nonce: String).returns(String) }
+        def authentication_key(nonce:)
+          protocol.hmac("#{DOMAIN_SEPARATOR_AUTH}#{nonce}", key: @wrapping_key.to_bytes, digest_size: 32)
+        end
+        sig { override.params(payload: String, auth_key: String).returns(String) }
+        def authentication_tag(payload:, auth_key:)
+          protocol.hmac(payload, key: auth_key, digest_size: 32)
+        end
+        sig { override.returns(String) }
+        def random_nonce
+          protocol.random(32)
+        end
+        sig { override.params(nonce: String, payload: String).returns(String) }
+        def crypt(nonce:, payload:)
+          x = protocol.hmac("#{DOMAIN_SEPARATOR_ENCRYPT}#{nonce}", key: @wrapping_key.to_bytes, digest_size: 56)
+          ek = T.must(x[0, 32])
+          n2 = T.must(x[32..])
+          protocol.crypt(key: ek, nonce: n2, payload: payload)
+        end
+      end
+    end
+  end
+end

data/lib/paseto/wrappers/pie.rb ADDED Viewed

@@ -0,0 +1,71 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+module Paseto
+  module Wrappers
+    class PIE
+      extend T::Sig
+      include Interface::Wrapper
+      sig { params(wrapping_key: SymmetricKey).void }
+      def initialize(wrapping_key)
+        @wrapping_key = wrapping_key
+        @coder = T.let(wrapping_key.pie, Interface::PIE)
+      end
+      sig { override.params(key: Interface::Key, nonce: T.nilable(String)).returns(String) }
+      def encode(key, nonce: nil)
+        raise LucidityError unless key.version == @wrapping_key.version
+        nonce ||= @coder.random_nonce
+        header = pie_header(key)
+        c = @coder.crypt(nonce: nonce, payload: key.to_bytes)
+        ak = @coder.authentication_key(nonce: nonce)
+        t = @coder.authentication_tag(payload: "#{header}#{nonce}#{c}", auth_key: ak)
+        [header, Util.encode64("#{t}#{nonce}#{c}")].join
+      end
+      sig { override.params(paserk: [String, String, String, String]).returns(Interface::Key) }
+      def decode(paserk)
+        paserk => [version, type, protocol, data]
+        raise UnknownProtocol, 'payload does not use PIE' unless protocol == 'pie'
+        raise ParseError, 'not a valid PIE PASERK' if data.empty?
+        raise LucidityError unless version == @wrapping_key.paserk_version
+        header = "#{version}.#{type}.pie."
+        # :nocov:
+        @coder.decode_and_split(data) => {t:, n:, c:}
+        # :nocov:
+        ak = @coder.authentication_key(nonce: n)
+        t2 = @coder.authentication_tag(payload: "#{header}#{n}#{c}", auth_key: ak)
+        raise InvalidAuthenticator unless Util.constant_compare(t, t2)
+        ptk = @coder.crypt(nonce: n, payload: c)
+        PaserkTypes.deserialize("#{version}.#{type}").generate(ptk)
+      end
+      private
+      sig { params(key: Interface::Key).returns(String) }
+      def pie_header(key)
+        case key
+        when SymmetricKey then @coder.local_header
+        when AsymmetricKey then @coder.secret_header
+        else
+          # :nocov:
+          raise ArgumentError, 'not a valid type of key'
+          # :nocov:
+        end
+      end
+    end
+  end
+end

data/lib/paseto.rb ADDED Viewed

@@ -0,0 +1,99 @@
+# encoding: binary
+# typed: strict
+# frozen_string_literal: true
+require 'base64'
+require 'multi_json'
+require 'openssl'
+begin
+  require 'rbnacl'
+rescue LoadError
+  raise if defined?(RbNaCl)
+end
+require 'securerandom'
+require 'sorbet-runtime'
+T::Configuration.enable_final_checks_on_hooks
+require 'time'
+require 'zeitwerk'
+loader = Zeitwerk::Loader.for_gem
+unless defined?(RbNaCl)
+  loader.ignore(
+    "#{__dir__}/paseto/v4/",
+    "#{__dir__}/paseto/sodium/",
+    "#{__dir__}/paseto/sodium.rb"
+  )
+end
+loader.inflector.inflect(
+  'asn1' => 'ASN1',
+  'ec_private_key' => 'ECPrivateKey',
+  'ecdsa_sig_value' => 'ECDSASigValue',
+  'ecdsa_signature' => 'ECDSASignature',
+  'ecdsa_full_r' => 'ECDSAFullR',
+  'pie' => 'PIE',
+  'pbkw' => 'PBKW',
+  'pbkd' => 'PBKD',
+  'id' => 'ID',
+  'pke' => 'PKE'
+)
+loader.setup
+module Paseto
+  extend T::Sig
+  extend Configuration
+  class Error < StandardError; end
+  class AlgorithmError < Error; end
+  # An algorithm assertion was violated, such as attempting to wrap a
+  # v4 key with a v3 key, or providing an EC key other than secp384 to v3.
+  class LucidityError < AlgorithmError; end
+  # A cryptographic primitive has failed for any reason,
+  # such as attempting to initialize a stream cipher with
+  # an invalid nonce.
+  class CryptoError < Error; end
+  # An authenticator was forged or otherwise corrupt
+  class InvalidAuthenticator < CryptoError; end
+  # A signature was forged or otherwise corrupt
+  class InvalidSignature < CryptoError; end
+  # Key is not valid for algorithm
+  class InvalidKeyPair < CryptoError; end
+  # Superclass for claim validation errors
+  class ValidationError < Error; end
+  # Token is expired
+  class ExpiredToken < ValidationError; end
+  # Token has a nbf before the current time
+  class InactiveToken < ValidationError; end
+  # Disallowed issuer
+  class InvalidIssuer < ValidationError; end
+  # Incorrect audience
+  class InvalidAudience < ValidationError; end
+  # Token issued in the future
+  class ImmatureToken < ValidationError; end
+  # Unacceptable sub
+  class InvalidSubject < ValidationError; end
+  # Missing or unacceptable jti
+  class InvalidTokenIdentifier < ValidationError; end
+  # Footer contains unknown or forbidden payload types
+  class InvalidWPK < ValidationError; end
+  # Footer contains unknown or invalid KID payloads
+  class InvalidKID < ValidationError; end
+  class PaserkError < Error; end
+  class UnknownProtocol < PaserkError; end
+  class UnknownOperation < PaserkError; end
+  # Deserialized data did not include mandatory fields.
+  class ParseError < Error; end
+  # Tried to work with a V4 token without RbNaCl loaded
+  class UnsupportedToken < ParseError; end
+  sig { returns(T::Boolean) }
+  def self.rbnacl?
+    !!defined?(RbNaCl)
+  end
+end
+loader.eager_load

data/paseto.gemspec ADDED Viewed

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+require_relative 'lib/paseto/version'
+Gem::Specification.new do |spec|
+  spec.name = 'ruby-paseto'
+  spec.version = Paseto::VERSION
+  spec.platform = Gem::Platform::RUBY
+  spec.authors = ['Joe Truba']
+  spec.email = ['joe@bannable.net']
+  spec.summary = 'A ruby implementation of PASETO and PASERK tokens'
+  spec.description = <<-DESCRIPTION
+    Platform Agnostic SEcurity TOkens are a specification for secure stateless tokens.
+    This is an implementation of PASETO tokens, and the PASERK key management extensions,
+    in ruby, with runtime static type checking provided by Sorbet.
+  DESCRIPTION
+  spec.homepage = 'https://github.com/bannable/paseto'
+  spec.license = 'MIT'
+  spec.required_ruby_version = '>= 3.0.0'
+  spec.metadata = {
+    'bug_tracker_uri' => 'https://github.com/bannable/paseto/issues',
+    'changelog_uri' => 'https://github.com/bannable/paseto/blob/main/CHANGELOG.md',
+    'documentation_uri' => 'https://github.com/bannable/paseto',
+    'homepage_uri' => 'https://github.com/bannable/paseto',
+    'source_code_uri' => 'https://github.com/bannable/paseto',
+    'rubygems_mfa_required' => 'true'
+  }
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      f.match(/^(?:bin|spec|coverage|tmp|devcontainers|gemfiles)/) || # Irrelevant directories
+        f.match(/^\.+/) || # Anything starting with .
+        f.match(/^(Gemfile|Gemfile\.lock|Rakefile|Appraisals)$/) # Irrelevant files
+    end
+  end
+  spec.require_paths = ['lib']
+  spec.add_runtime_dependency 'multi_json', '~> 1.15.0'
+  spec.add_runtime_dependency 'openssl', '~> 3.0.0'
+  spec.add_runtime_dependency 'sorbet-runtime'
+  spec.add_runtime_dependency 'zeitwerk'
+  spec.add_development_dependency 'appraisal'
+  spec.add_development_dependency 'bundler', '~> 2'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rubocop', '~> 1.38.0'
+  spec.add_development_dependency 'rubocop-performance', '~> 1.15.0'
+  spec.add_development_dependency 'rubocop-rspec', '~> 2.14.2'
+  spec.add_development_dependency 'rubocop-sorbet', '~> 0.6.11'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'sorbet'
+  spec.add_development_dependency 'timecop'
+  spec.metadata['rubygems_mfa_required'] = 'true'
+end

data/sorbet/config ADDED Viewed

@@ -0,0 +1,3 @@
+--dir
+.
+--ignore=vendor/