Module: JWT
- Extended by:
- Json
- Defined in:
- lib/jwt.rb,
lib/jwt/json.rb
Defined Under Namespace
Modules: Json Classes: DecodeError, ExpiredSignature, ImmatureSignature, InvalidAudError, InvalidIatError, InvalidIssuerError, InvalidJtiError, InvalidSubError, VerificationError
Class Method Summary collapse
- .base64url_decode(str) ⇒ Object
- .base64url_encode(str) ⇒ Object
- .decode(jwt, key = nil, verify = true, options = {}, &keyfinder) ⇒ Object
- .decode_header_and_payload(header_segment, payload_segment) ⇒ Object
- .decoded_segments(jwt, verify = true) ⇒ Object
- .encode(payload, key, algorithm = "HS256", header_fields = {}) ⇒ Object
- .encoded_header(algorithm = "HS256", header_fields = {}) ⇒ Object
- .encoded_payload(payload) ⇒ Object
- .encoded_signature(signing_input, key, algorithm) ⇒ Object
- .raw_segments(jwt, verify = true) ⇒ Object
-
.secure_compare(a, b) ⇒ Object
From devise constant-time comparison algorithm to prevent timing attacks.
- .sign(algorithm, msg, key) ⇒ Object
- .sign_hmac(algorithm, msg, key) ⇒ Object
- .sign_rsa(algorithm, msg, private_key) ⇒ Object
- .signature_algorithm_and_key(header, key, &keyfinder) ⇒ Object
- .verify_rsa(algorithm, public_key, signing_input, signature) ⇒ Object
- .verify_signature(algo, key, signing_input, signature) ⇒ Object
Methods included from Json
Class Method Details
.base64url_decode(str) ⇒ Object
47 48 49 50 |
# File 'lib/jwt.rb', line 47 def base64url_decode(str) str += "=" * (4 - str.length.modulo(4)) Base64.decode64(str.tr("-_", "+/")) end |
.base64url_encode(str) ⇒ Object
52 53 54 |
# File 'lib/jwt.rb', line 52 def base64url_encode(str) Base64.encode64(str).tr("+/", "-_").gsub(/[\n=]/, "") end |
.decode(jwt, key = nil, verify = true, options = {}, &keyfinder) ⇒ Object
104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 |
# File 'lib/jwt.rb', line 104 def decode(jwt, key=nil, verify=true, ={}, &keyfinder) raise JWT::DecodeError.new("Nil JSON web token") unless jwt header, payload, signature, signing_input = decoded_segments(jwt, verify) raise JWT::DecodeError.new("Not enough or too many segments") unless header && payload = { :verify_expiration => true, :verify_not_before => true, :verify_iss => true, :verify_iat => true, :verify_jti => true, :verify_aud => true, :verify_sub => true, :leeway => 0 } = .merge() if verify algo, key = signature_algorithm_and_key(header, key, &keyfinder) verify_signature(algo, key, signing_input, signature) end if [:verify_expiration] && payload.include?('exp') raise JWT::ExpiredSignature.new("Signature has expired") unless payload['exp'].to_i > (Time.now.to_i - [:leeway]) end if [:verify_not_before] && payload.include?('nbf') raise JWT::ImmatureSignature.new("Signature nbf has not been reached") unless payload['nbf'].to_i < (Time.now.to_i + [:leeway]) end if [:verify_iss] && payload.include?('iss') raise JWT::InvalidIssuerError.new("Invalid issuer") unless payload['iss'].to_s == ['iss'].to_s end if [:verify_iat] && payload.include?('iat') raise JWT::InvalidIatError.new("Invalid iat") unless (payload['iat'].is_a?(Integer) and payload['iat'].to_i <= Time.now.to_i) end if [:verify_aud] && payload.include?('aud') if payload['aud'].is_a?(Array) raise JWT::InvalidAudError.new("Invalid audience") unless payload['aud'].include?(['aud']) else raise JWT::InvalidAudError.new("Invalid audience") unless payload['aud'].to_s == ['aud'].to_s end end if [:verify_sub] && payload.include?('sub') raise JWT::InvalidSubError.new("Invalid subject") unless payload['sub'].to_s == ['sub'].to_s end if [:verify_jti] && payload.include?('jti') raise JWT::InvalidJtiError.new("need iat for verify jwt id") unless payload.include?('iat') raise JWT::InvalidJtiError.new("Not a uniq jwt id") unless ['jti'].to_s == Digest::MD5.hexdigest("#{key}:#{payload['iat']}") end return payload,header end |
.decode_header_and_payload(header_segment, payload_segment) ⇒ Object
90 91 92 93 94 |
# File 'lib/jwt.rb', line 90 def decode_header_and_payload(header_segment, payload_segment) header = decode_json(base64url_decode(header_segment)) payload = decode_json(base64url_decode(payload_segment)) [header, payload] end |
.decoded_segments(jwt, verify = true) ⇒ Object
96 97 98 99 100 101 102 |
# File 'lib/jwt.rb', line 96 def decoded_segments(jwt, verify=true) header_segment, payload_segment, crypto_segment = raw_segments(jwt, verify) header, payload = decode_header_and_payload(header_segment, payload_segment) signature = base64url_decode(crypto_segment.to_s) if verify signing_input = [header_segment, payload_segment].join(".") [header, payload, signature, signing_input] end |
.encode(payload, key, algorithm = "HS256", header_fields = {}) ⇒ Object
74 75 76 77 78 79 80 81 |
# File 'lib/jwt.rb', line 74 def encode(payload, key, algorithm="HS256", header_fields={}) algorithm ||= "none" segments = [] segments << encoded_header(algorithm, header_fields) segments << encoded_payload(payload) segments << encoded_signature(segments.join("."), key, algorithm) segments.join(".") end |
.encoded_header(algorithm = "HS256", header_fields = {}) ⇒ Object
56 57 58 59 |
# File 'lib/jwt.rb', line 56 def encoded_header(algorithm="HS256", header_fields={}) header = {"typ" => "JWT", "alg" => algorithm}.merge(header_fields) base64url_encode(encode_json(header)) end |
.encoded_payload(payload) ⇒ Object
61 62 63 |
# File 'lib/jwt.rb', line 61 def encoded_payload(payload) base64url_encode(encode_json(payload)) end |
.encoded_signature(signing_input, key, algorithm) ⇒ Object
65 66 67 68 69 70 71 72 |
# File 'lib/jwt.rb', line 65 def encoded_signature(signing_input, key, algorithm) if algorithm == "none" "" else signature = sign(algorithm, signing_input, key) base64url_encode(signature) end end |
.raw_segments(jwt, verify = true) ⇒ Object
83 84 85 86 87 88 |
# File 'lib/jwt.rb', line 83 def raw_segments(jwt, verify=true) segments = jwt.split(".") required_num_segments = verify ? [3] : [2,3] raise JWT::DecodeError.new("Not enough or too many segments") unless required_num_segments.include? segments.length segments end |
.secure_compare(a, b) ⇒ Object
From devise constant-time comparison algorithm to prevent timing attacks
183 184 185 186 187 188 189 190 |
# File 'lib/jwt.rb', line 183 def secure_compare(a, b) return false if a.nil? || b.nil? || a.empty? || b.empty? || a.bytesize != b.bytesize l = a.unpack "C#{a.bytesize}" res = 0 b.each_byte { |byte| res |= byte ^ l.shift } res == 0 end |
.sign(algorithm, msg, key) ⇒ Object
25 26 27 28 29 30 31 32 33 |
# File 'lib/jwt.rb', line 25 def sign(algorithm, msg, key) if ["HS256", "HS384", "HS512"].include?(algorithm) sign_hmac(algorithm, msg, key) elsif ["RS256", "RS384", "RS512"].include?(algorithm) sign_rsa(algorithm, msg, key) else raise NotImplementedError.new("Unsupported signing method") end end |
.sign_hmac(algorithm, msg, key) ⇒ Object
43 44 45 |
# File 'lib/jwt.rb', line 43 def sign_hmac(algorithm, msg, key) OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub("HS", "sha")), key, msg) end |
.sign_rsa(algorithm, msg, private_key) ⇒ Object
35 36 37 |
# File 'lib/jwt.rb', line 35 def sign_rsa(algorithm, msg, private_key) private_key.sign(OpenSSL::Digest.new(algorithm.sub("RS", "sha")), msg) end |
.signature_algorithm_and_key(header, key, &keyfinder) ⇒ Object
158 159 160 161 162 163 |
# File 'lib/jwt.rb', line 158 def signature_algorithm_and_key(header, key, &keyfinder) if keyfinder key = keyfinder.call(header) end [header['alg'], key] end |
.verify_rsa(algorithm, public_key, signing_input, signature) ⇒ Object
39 40 41 |
# File 'lib/jwt.rb', line 39 def verify_rsa(algorithm, public_key, signing_input, signature) public_key.verify(OpenSSL::Digest.new(algorithm.sub("RS", "sha")), signature, signing_input) end |
.verify_signature(algo, key, signing_input, signature) ⇒ Object
165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 |
# File 'lib/jwt.rb', line 165 def verify_signature(algo, key, signing_input, signature) begin if ["HS256", "HS384", "HS512"].include?(algo) raise JWT::VerificationError.new("Signature verification failed") unless secure_compare(signature, sign_hmac(algo, signing_input, key)) elsif ["RS256", "RS384", "RS512"].include?(algo) raise JWT::VerificationError.new("Signature verification failed") unless verify_rsa(algo, key, signing_input, signature) else raise JWT::VerificationError.new("Algorithm not supported") end rescue OpenSSL::PKey::PKeyError raise JWT::VerificationError.new("Signature verification failed") ensure OpenSSL.errors.clear end end |