ruby-paseto 0.1.2 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5a6ccf377d7535330c1b0bf829685b548afc257e9a4e6b24b746e3e311485f2
-  data.tar.gz: ce2ebaa4d4d354cbc6c1145aa129e4b143f352b6346bff34462c6c729b2b9951
+  metadata.gz: a58c81dd9d66d7512b70184c48f9dce92e1f3a798d0a1dccc7b795e09becc048
+  data.tar.gz: 48064247e0d0dbaa082ca8b602f89bcf5728d923169f51c0a079bb2f1302731f
 SHA512:
-  metadata.gz: 68befb60265a2a408f6066aebafd118477eaeaa6c0161b120e1550199e473b27713ba68c2e042f3e13e338aca648edfbc198b7584ae513b4c9b3a78cedd282ba
-  data.tar.gz: 8e3ed014b61f2b71e9f04a0b9ab06fd6d5485735f33670ee4d75e92425e4905072d73cc9271808601d64537192c218b2429f65166069257f31f187355770e4fd
+  metadata.gz: c21dedaf0227394479b5258ee07acacf2135e1e3be4c86f3e838f95cd8827713a086b575af0c93b27237c7b73492f15ac576b8828b27ba6735c8bc6fbcd16b9f
+  data.tar.gz: fb379b133bdcd64cd09cecefc3edd507a6627291c5b02dece8ab5ab10d64870b2dcc0c8a04a92481e11d692eee1d55af8c8d57711719a76675d010b3ef2fc5bf

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 ## [Unreleased]
 
+- Minimum ruby version 3.0 -> 3.1
+- Remove support for OpenSSL 1.1.1
+- Remove support for ruby/openssl 3.0.x
+- Refactor how version protocols are implemented to greatly improve sorbet coverage
+- `Paseto.rbnacl?` is replaced by `Paseto::HAS_RBNACL`
+- Fix decoding of multibyte characters in payloads, #216 thanks to @pelted @levicole
+
 ## [0.1.2]
 
 - Fixed versioning in 0.1.1 changelog

data/README.md

@@ -1,4 +1,5 @@
 # Paseto
+
 [![Ruby Style Guide](https://img.shields.io/badge/code_style-community-brightgreen.svg)](https://rubystyle.guide) [![CircleCI](https://dl.circleci.com/status-badge/img/gh/bannable/paseto/tree/main.svg?style=svg)](https://dl.circleci.com/status-badge/redirect/gh/bannable/paseto/tree/main) [![Maintainability](https://api.codeclimate.com/v1/badges/0bc8fcc6751880b68a9c/maintainability)](https://codeclimate.com/github/bannable/paseto/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/0bc8fcc6751880b68a9c/test_coverage)](https://codeclimate.com/github/bannable/paseto/test_coverage)
 
 This is an implementation of the [PASETO token protocol](https://github.com/paseto-standard/paseto-spec), written in Ruby, which supports versions [v3](https://github.com/paseto-standard/paseto-spec/tree/master/docs/01-Protocol-Versions#version-3-nist-modern) and [v4](https://github.com/paseto-standard/paseto-spec/tree/master/docs/01-Protocol-Versions#version-4-sodium-modern). This library passes all [official test vectors](https://github.com/paseto-standard/test-vectors) for supported versions and purposes.
@@ -11,14 +12,15 @@ Additionally, the library uses [Sorbet](https://sorbet.org) to enforce types at
 
 **Optional for v4.local tokens support**: Handling v4.local tokens requires [`RbNaCl`](https://github.com/RubyCrypto/rbnacl) with `libsodium 1.0.0` or newer.
 
-You can find instructions for obtaining libsodium at https://libsodium.org.
+You can find instructions for obtaining libsodium at [libsodium.org](https://libsodium.org).
 
 If you do not intend to create or parse `v4.local` tokens, feel free to skip this dependency.
 
-### Using Bundler:
+### Using Bundler
 
 Add the following to your Gemfile:
-```
+
+```ruby
 gem 'ruby-paseto'
 # and optionally:
 gem 'rbnacl', '~> 7.1.1'
@@ -29,26 +31,26 @@ Then, run `bundle install` and `require 'paseto'`.
 ## Supported PASETO versions
 
 `paseto` supports these PASETO versions and purposes:
-| purpose  |  v4  |  v3  |
-| ---------| ---- | ---- |
-| `local`  |  ✅  |  ✅  |
-| `public` |  ✅  |  ✅  |
+| purpose  | v4  | v3  |
+| -------- | --- | --- |
+| `local`  | ✅   | ✅   |
+| `public` | ✅   | ✅   |
 
 ## Support for PASERK types
 
-|               |  v4  |  v3  |
-| ------------- | ---- | ---- |
-| [`lid`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/lid.md)         |  ✅  |  ✅  |
-| [`sid`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/sid.md)         |  ✅  |  ✅  |
-| [`pid`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/pid.md)         |  ✅  |  ✅  |
-| [`local`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/local.md)       |  ✅  |  ✅  |
-| [`secret`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/secret.md)      |  ✅  |  ✅  |
-| [`public`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/public.md)      |  ✅  |  ✅  |
-| [`seal`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/seal.md)        |  ✅  |  ✅  |
-| [`local-wrap`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/local-wrap.md)  |  ✅  |  ✅  |
-| [`secret-wrap`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/secret-wrap.md) |  ✅  |  ✅  |
-| [`local-pw`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/local-pw.md)    |  ✅  |  ✅  |
-| [`secret-pw`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/secret-pw.md)   |  ✅  |  ✅  |
+|                                                                                                                               | v4  | v3  |
+| ----------------------------------------------------------------------------------------------------------------------------- | --- | --- |
+| [`lid`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/lid.md)                 | ✅   | ✅   |
+| [`sid`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/sid.md)                 | ✅   | ✅   |
+| [`pid`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/pid.md)                 | ✅   | ✅   |
+| [`local`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/local.md)             | ✅   | ✅   |
+| [`secret`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/secret.md)           | ✅   | ✅   |
+| [`public`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/public.md)           | ✅   | ✅   |
+| [`seal`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/seal.md)               | ✅   | ✅   |
+| [`local-wrap`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/local-wrap.md)   | ✅   | ✅   |
+| [`secret-wrap`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/secret-wrap.md) | ✅   | ✅   |
+| [`local-pw`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/local-pw.md)       | ✅   | ✅   |
+| [`secret-pw`](https://github.com/paseto-standard/paserk/blob/8cc4934687a3c9235387d005fb79eec33f43166d/types/secret-pw.md)     | ✅   | ✅   |
 
 ## Implementation Guideline compliance
 
@@ -167,6 +169,7 @@ signer.pid            # => "k4.pid.5g4..." (PASERK Type pid)
 verifier.pid          # => same as above!
 verifier.id           # => same as above
 ```
+
 ## PASETO/PASERK v4, Sodium Modern
 
 [Description](https://github.com/paseto-standard/paseto-spec/tree/master/docs/01-Protocol-Versions#version-4-nist-modern) and [Specification](https://github.com/paseto-standard/paseto-spec/blob/master/docs/01-Protocol-Versions/Version4.md).
@@ -310,8 +313,8 @@ key == secret_key
 
 ### Version 4, Argon2id Parameters
 
-| param | allowed values | default |
-| :--------: | :---------: | :-----: |
+|   param    |  allowed values   |    default     |
+| :--------: | :---------------: | :------------: |
 | `opslimit` | Symbol \| Integer | `:interactive` |
 | `memlimit` | Symbol \| Integer | `:interactive` |
 
@@ -319,12 +322,11 @@ Allowed symbol values are `:interactive`, `:moderate` and `:sensitive` as descri
 
 You most likely do not want to use the `:interactive` default in production. See [libsodium's documentation](https://libsodium.gitbook.io/doc/~/revisions/-LL5wcLSbESuQhMZUBZo/password_hashing/the_argon2i_function#guidelines-for-choosing-the-parameters) for parameter guidance.
 
-
 ### Version 3, PBKDF2 Parameters
 
-| param | allowed values | default |
-| :--------: | :---------: | :-----: |
-| `iterations` | Integer | `100_000` |
+|    param     | allowed values |  default  |
+| :----------: | :------------: | :-------: |
+| `iterations` |    Integer     | `100_000` |
 
 As with the Version 4 parameters above, you most likely do not want to use the default value and should pick an `iterations` value with time objectives similar to the argon2 guidance.
 
@@ -332,13 +334,14 @@ As with the Version 4 parameters above, you most likely do not want to use the d
 
 PASETO [reserves some claim names](https://github.com/paseto-standard/paseto-spec/blob/master/docs/02-Implementation-Guide/04-Claims.md) for particular use in the protocol, and this gem supports verification of all reserved claims.
 
-In the default configuration, the follow claims are verified when present: `exp`, `nbf` and `iat`
+In the default configuration, the following claims are verified when present: `exp`, `nbf` and `iat`
 
 Verification behavior can be controlled by passing a kwarg for the setting to `decode` calls, or through library-level configuration.
 
 ## Default Configuration
 
 See the appropriate section below for more information on configuring each `verify_foo`.
+
 ```ruby
 Paseto.configure do |config|
   # Controls the behavior of footer deserialization in Result objects.
@@ -359,9 +362,9 @@ end
 
 ## Audience Claim
 
-| claim type | config type | default |
-| :--------: | :---------: | :-----: |
-| String | False \| String \| Array[String] | `false` |
+| claim type |           config type            | default |
+| :--------: | :------------------------------: | :-----: |
+|   String   | False \| String \| Array[String] | `false` |
 
 ```ruby
 crypt = Paseto::V4::Local.generate
@@ -379,7 +382,7 @@ crypt.decode(payload, verify_aud: audience) # => { 'aud' => ... }
 
 | claim type | config type | default |
 | :--------: | :---------: | :-----: |
-| DateTime | Boolean | `true` |
+|  DateTime  |   Boolean   | `true`  |
 
 ```ruby
 crypt = Paseto::V4::Local.generate
@@ -396,7 +399,7 @@ crypt.decode(payload, verify_exp: false) # { 'exp' => ... }
 
 | claim type | config type | default |
 | :--------: | :---------: | :-----: |
-| DateTime | Boolean | `true` |
+|  DateTime  |   Boolean   | `true`  |
 
 ```ruby
 crypt = Paseto::V4::Local.generate
@@ -411,9 +414,9 @@ crypt.decode(payload, verify_iat: false) # { 'iat' => ... }
 
 ### Issuer Claim
 
-| claim type | config type | default |
-| :--------: | :---------: | :-----: |
-| String     | Boolean \| String \| Regexp \| Proc | `false` |
+| claim type |             config type             | default |
+| :--------: | :---------------------------------: | :-----: |
+|   String   | Boolean \| String \| Regexp \| Proc | `false` |
 
 ```ruby
 crypt = Paseto::V4::Local.generate
@@ -440,7 +443,7 @@ crypt.decode(payload, verify_issuer: true) # { 'iss' => ... }
 
 | claim type | config type | default |
 | :--------: | :---------: | :-----: |
-| DateTime | Boolean | `true` |
+|  DateTime  |   Boolean   | `true`  |
 
 ```ruby
 crypt = Paseto::V4::Local.generate
@@ -454,9 +457,9 @@ crypt.decode(payload, verify_nbf: false) # => { 'nbf' => ... }
 
 ### Subject Claim
 
-| claim type | config type | default |
-| :--------: | :---------: | :-----: |
-| String | False \| String | `false` |
+| claim type |   config type   | default |
+| :--------: | :-------------: | :-----: |
+|   String   | False \| String | `false` |
 
 ```ruby
 crypt = Paseto::V4::Local.generate
@@ -469,9 +472,9 @@ crypt.decode(payload, verify_sub: 'example.org') # => Paseto::InvalidSubject
 
 ### Token Identifier Claim
 
-| claim type | config type | default |
-| :--------: | :---------: | :-----: |
-| String | Boolean \| String \| Proc | `false` |
+| claim type |        config type        | default |
+| :--------: | :-----------------------: | :-----: |
+|   String   | Boolean \| String \| Proc | `false` |
 
 ```ruby
 crypt = Paseto::V4::Local.generate
@@ -479,17 +482,17 @@ hash = { data: 'data' }
 payload = crypt.encode(hash)
 
 # Require presence
-crypt.decode(payload, verify_jti: true)) # => Paseto::InvalidTokenIdentifier
+crypt.decode(payload, verify_jti: true) # => Paseto::InvalidTokenIdentifier
 
 # Require exact value
 hash[:jti] = 'foo'
 payload = crypt.encode(payload: hash)
-crypt.decode(payload, verify_jti: 'foo')) # { 'data' => ... }
-crypt.decode(payload, verify_jti: 'bar')) # Paseto::InvalidTokenIdentifier
+crypt.decode(payload, verify_jti: 'foo') # { 'data' => ... }
+crypt.decode(payload, verify_jti: 'bar') # Paseto::InvalidTokenIdentifier
 
 # Or something more complex
 jti_proc = ->(jti) { jti == 'bar'}
-crypt.decode(payload, verify_jti: jti_proc)) # Paseto::InvalidTokenIdentifier
+crypt.decode(payload, verify_jti: jti_proc) # Paseto::InvalidTokenIdentifier
 ```
 
 ## Development
@@ -512,7 +515,7 @@ You can learn more over at the `sorbet` [documentation](https://sorbet.org/docs/
 
 The tests are written with rspec. [Appraisal](https://github.com/thoughtbot/appraisal) is used to ensure compatibility with 3rd party dependencies providing cryptographic features.
 
-```
+```sh
 bundle install
 appraisal install
 # in parallel
@@ -524,19 +527,21 @@ appraisal rake specs
 ### Updating RBI Files
 
 To check that RBI files for gems are up-to-date:
-```
+
+```sh
 appraisal rbnacl bin/tapioca gems --verify
 ```
 
 To update RBI files for gems:
-```
+
+```sh
 appraisal rbnacl bin/tapioca gems
 appraisal rbnacl bin/tapioca annotations
 ```
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/bannable/paseto.
+Bug reports and pull requests are welcome on [GitHub](https://github.com/bannable/paseto).
 
 This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](CODE_OF_CONDUCT.md).
 

data/lib/paseto/asn1/ecdsa_signature.rb

@@ -12,13 +12,13 @@ module Paseto
       def self.from_rs(bytes, part_len)
         r = OpenSSL::BN.new(T.must(bytes[0, part_len]), 2)
         s = OpenSSL::BN.new(T.must(bytes[-part_len, part_len]), 2)
-        new(signature: ECDSASigValue.new(r: r, s: s))
+        new(signature: ECDSASigValue.new(r:, s:))
       end
 
       sig { params(sig: String).returns(ECDSASignature) }
       def self.from_asn1(sig)
         r, s = OpenSSL::ASN1.decode(sig).value.map(&:value)
-        new(signature: ECDSASigValue.new(r: r, s: s))
+        new(signature: ECDSASigValue.new(r:, s:))
       end
 
       sig { returns(OpenSSL::ASN1::Sequence) }

data/lib/paseto/asymmetric_key.rb

@@ -60,7 +60,7 @@ module Paseto
     end
     def encode!(payload, footer: '', implicit_assertion: '', **options)
       MultiJson.dump(payload, options)
-               .then { |json| sign(message: json, footer: footer, implicit_assertion: implicit_assertion) }
+               .then { |json| sign(message: json, footer:, implicit_assertion:) }
                .then(&:to_s)
     end
 
@@ -74,14 +74,17 @@ module Paseto
     def decode!(payload, implicit_assertion: '', **options)
       token = Token.parse(payload)
 
-      verify(token: token, implicit_assertion: implicit_assertion)
+      verify(token:, implicit_assertion:)
         .then { |json| MultiJson.load(json, **options) }
-        .then { |claims| Result.new(claims: claims, footer: token.footer) }
+        .then { |claims| Result.new(claims:, footer: token.footer) }
     end
 
     sig(:final) { override.returns(String) }
     def pbkw_header = protocol.pbkd_secret_header
 
+    sig(:final) { override.returns(String) }
+    def pie_header = "#{paserk_version}.secret-wrap.pie."
+
     sig(:final) { override.returns(String) }
     def purpose = 'public'
 
@@ -95,6 +98,6 @@ module Paseto
     def seal(other) = Paserk.seal(sealing_key: self, key: other)
 
     sig(:final) { params(paserk: String).returns(SymmetricKey) }
-    def unseal(paserk) = Paserk.from_paserk(paserk: paserk, unsealing_key: self)
+    def unseal(paserk) = Paserk.from_paserk(paserk:, unsealing_key: self)
   end
 end

data/lib/paseto/configuration/decode_configuration.rb

@@ -54,13 +54,13 @@ module Paseto
       sig { returns(T::Hash[Symbol, T.untyped]) }
       def to_h
         {
-          verify_exp: verify_exp,
-          verify_nbf: verify_nbf,
-          verify_iss: verify_iss,
-          verify_iat: verify_iat,
-          verify_jti: verify_jti,
-          verify_aud: verify_aud,
-          verify_sub: verify_sub
+          verify_exp:,
+          verify_nbf:,
+          verify_iss:,
+          verify_iat:,
+          verify_jti:,
+          verify_aud:,
+          verify_sub:
         }
       end
     end

data/lib/paseto/interface/key.rb

@@ -41,6 +41,9 @@ module Paseto
       sig { abstract.returns(String) }
       def pbkw_header; end
 
+      sig { abstract.returns(String) }
+      def pie_header; end
+
       sig { abstract.returns(Version) }
       def protocol; end
 
@@ -58,7 +61,7 @@ module Paseto
         ).returns(Result)
       end
       def decode(payload, implicit_assertion: '', **options)
-        decode!(payload, **T.unsafe(implicit_assertion: implicit_assertion, **options))
+        decode!(payload, **T.unsafe(implicit_assertion:, **options))
           .then { |result| Verify.verify(result, options) }
       end
 
@@ -83,7 +86,7 @@ module Paseto
       def encode(payload, footer: '', implicit_assertion: '', **options)
         footer = MultiJson.dump(footer, mode: :object) if footer.is_a?(Hash)
         default_claims.merge(payload)
-                      .then { |claims| encode!(claims, footer: footer, implicit_assertion: implicit_assertion, **options) }
+                      .then { |claims| encode!(claims, footer:, implicit_assertion:, **options) }
       end
 
       sig(:final) { params(other: T.untyped).returns(T::Boolean) }

data/lib/paseto/interface/pbkd.rb

@@ -7,22 +7,8 @@ module Paseto
       extend T::Sig
       extend T::Helpers
 
-      include Kernel
-
       abstract!
 
-      module ClassMethods
-        extend T::Sig
-        extend T::Helpers
-
-        interface!
-
-        sig { abstract.returns(Interface::Version) }
-        def protocol; end
-      end
-
-      mixes_in_class_methods(ClassMethods)
-
       sig do
         abstract.params(
           header: String,
@@ -33,13 +19,13 @@ module Paseto
           params: T::Hash[Symbol, Integer]
         ).returns([String, String])
       end
-      def authenticate(header:, pre_key:, salt:, nonce:, edk:, params:); end  # rubocop:disable Metrics/ParameterLists
+      def authenticate(header:, pre_key:, salt:, nonce:, edk:, params:); end # rubocop:disable Metrics/ParameterLists
 
       sig(:final) { params(payload: String, key: String, nonce: String).returns(String) }
       def crypt(payload:, key:, nonce:)
         ek = protocol.digest("#{Operations::PBKW::DOMAIN_SEPARATOR_ENCRYPT}#{key}", digest_size: 32)
 
-        protocol.crypt(key: ek, nonce: nonce, payload: payload)
+        protocol.crypt(key: ek, nonce:, payload:)
       end
 
       sig do
@@ -63,10 +49,8 @@ module Paseto
         protocol.paserk_version
       end
 
-      sig(:final) { returns(Interface::Version) }
-      def protocol
-        self.class.protocol
-      end
+      sig { abstract.returns(Interface::Version) }
+      def protocol; end
 
       sig { abstract.returns(String) }
       def random_nonce; end

data/lib/paseto/interface/pie.rb

@@ -8,25 +8,8 @@ module Paseto
       extend T::Sig
       extend T::Helpers
 
-      include Kernel
-
       abstract!
 
-      module ClassMethods
-        extend T::Sig
-        extend T::Helpers
-
-        interface!
-
-        sig { abstract.params(data: String).returns({ t: String, n: String, c: String }) }
-        def decode_and_split(data); end
-
-        sig { abstract.returns(Interface::Version) }
-        def protocol; end
-      end
-
-      mixes_in_class_methods(ClassMethods)
-
       sig { abstract.params(nonce: String).returns(String) }
       def authentication_key(nonce:); end
 
@@ -36,24 +19,20 @@ module Paseto
       sig { abstract.params(nonce: String, payload: String).returns(String) }
       def crypt(nonce:, payload:); end
 
-      sig { params(data: String).returns({ t: String, n: String, c: String }) }
-      def decode_and_split(data)
-        self.class.decode_and_split(data)
-      end
+      sig { abstract.params(data: String).returns({ t: String, n: String, c: String }) }
+      def decode_and_split(data); end
 
       sig { abstract.returns(String) }
       def local_header; end
 
+      sig { abstract.returns(Interface::Version) }
+      def protocol; end
+
       sig { abstract.returns(String) }
       def random_nonce; end
 
       sig { abstract.returns(String) }
       def secret_header; end
-
-      sig(:final) { returns(Interface::Version) }
-      def protocol
-        self.class.protocol
-      end
     end
   end
 end

data/lib/paseto/interface/pke.rb

@@ -8,40 +8,11 @@ module Paseto
       extend T::Sig
       extend T::Helpers
 
-      include Kernel
-
       abstract!
 
       DOMAIN_SEPARATOR_ENCRYPT = "\x01"
       DOMAIN_SEPARATOR_AUTH = "\x02"
 
-      module ClassMethods
-        extend T::Sig
-        extend T::Helpers
-
-        interface!
-
-        sig { abstract.params(esk: T.untyped).returns(String) }
-        def epk_bytes_from_esk(esk); end
-
-        sig { abstract.returns(T.untyped) }
-        def generate_ephemeral_key; end
-
-        sig { abstract.returns(String) }
-        def header; end
-
-        sig { abstract.returns(Interface::Version) }
-        def protocol; end
-
-        sig { abstract.params(encoded_data: String).returns([String, T.untyped, String]) }
-        def split(encoded_data); end
-      end
-
-      mixes_in_class_methods(ClassMethods)
-
-      sig { abstract.returns(AsymmetricKey) }
-      def sealing_key; end
-
       sig { abstract.params(xk: String, epk: T.untyped).returns(String) }
       def derive_ak(xk:, epk:); end
 
@@ -54,33 +25,26 @@ module Paseto
       sig { abstract.params(message: String, ek: String, n: String).returns(String) }
       def encrypt(message:, ek:, n:); end
 
-      sig { abstract.params(ak: String, epk: T.untyped, edk: String).returns(String) }
-      def tag(ak:, epk:, edk:); end
+      sig { abstract.params(esk: T.untyped).returns(String) }
+      def epk_bytes_from_esk(esk); end
 
-      sig(:final) { params(esk: T.untyped).returns(String) }
-      def epk_bytes_from_esk(esk)
-        self.class.epk_bytes_from_esk(esk)
-      end
+      sig { abstract.returns(T.untyped) }
+      def generate_ephemeral_key; end
 
-      sig(:final) { returns(T.untyped) }
-      def generate_ephemeral_key
-        self.class.generate_ephemeral_key
-      end
+      sig { abstract.returns(Interface::Version) }
+      def protocol; end
 
-      sig(:final) { returns(String) }
-      def header
-        self.class.header
-      end
+      sig { abstract.returns(String) }
+      def header; end
 
-      sig(:final) { returns(Interface::Version) }
-      def protocol
-        self.class.protocol
-      end
+      sig { abstract.returns(AsymmetricKey) }
+      def sealing_key; end
+
+      sig { abstract.params(encoded_data: String).returns([String, T.untyped, String]) }
+      def split(encoded_data); end
 
-      sig(:final) { params(encoded_data: String).returns([String, T.untyped, String]) }
-      def split(encoded_data)
-        self.class.split(encoded_data)
-      end
+      sig { abstract.params(ak: String, epk: T.untyped, edk: String).returns(String) }
+      def tag(ak:, epk:, edk:); end
     end
   end
 end