1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
|
# frozen_string_literal: true
module JWT
# Represents a JWT token
#
# Basic token signed using the HS256 algorithm:
#
# token = JWT::Token.new(payload: {pay: 'load'})
# token.sign!(algorithm: 'HS256', key: 'secret')
# token.jwt # => eyJhb....
#
# Custom headers will be combined with generated headers:
# token = JWT::Token.new(payload: {pay: 'load'}, header: {custom: "value"})
# token.sign!(algorithm: 'HS256', key: 'secret')
# token.header # => {"custom"=>"value", "alg"=>"HS256"}
#
class Token
# Initializes a new Token instance.
#
# @param header [Hash] the header of the JWT token.
# @param payload [Hash] the payload of the JWT token.
def initialize(payload:, header: {})
@header = header&.transform_keys(&:to_s)
@payload = payload
end
# Returns the decoded signature of the JWT token.
#
# @return [String] the decoded signature of the JWT token.
def signature
@signature ||= ::JWT::Base64.url_decode(encoded_signature || '')
end
# Returns the encoded signature of the JWT token.
#
# @return [String] the encoded signature of the JWT token.
def encoded_signature
@encoded_signature ||= ::JWT::Base64.url_encode(signature)
end
# Returns the decoded header of the JWT token.
#
# @return [Hash] the header of the JWT token.
attr_reader :header
# Returns the encoded header of the JWT token.
#
# @return [String] the encoded header of the JWT token.
def encoded_header
@encoded_header ||= ::JWT::Base64.url_encode(JWT::JSON.generate(header))
end
# Returns the payload of the JWT token.
#
# @return [Hash] the payload of the JWT token.
attr_reader :payload
# Returns the encoded payload of the JWT token.
#
# @return [String] the encoded payload of the JWT token.
def encoded_payload
@encoded_payload ||= ::JWT::Base64.url_encode(JWT::JSON.generate(payload))
end
# Returns the signing input of the JWT token.
#
# @return [String] the signing input of the JWT token.
def signing_input
@signing_input ||= [encoded_header, encoded_payload].join('.')
end
# Returns the JWT token as a string.
#
# @return [String] the JWT token as a string.
# @raise [JWT::EncodeError] if the token is not signed or other encoding issues
def jwt
@jwt ||= (@signature && [encoded_header, @detached_payload ? '' : encoded_payload, encoded_signature].join('.')) || raise(::JWT::EncodeError, 'Token is not signed')
end
# Detaches the payload according to https://datatracker.ietf.org/doc/html/rfc7515#appendix-F
#
def detach_payload!
@detached_payload = true
nil
end
# Signs the JWT token.
#
# @param key [String, JWT::JWK::KeyBase] the key to use for signing.
# @param algorithm [String, Object] the algorithm to use for signing.
# @return [void]
# @raise [JWT::EncodeError] if the token is already signed or other problems when signing
def sign!(key:, algorithm:)
raise ::JWT::EncodeError, 'Token already signed' if @signature
JWA.create_signer(algorithm: algorithm, key: key).tap do |signer|
header.merge!(signer.jwa.header) { |_key, old, _new| old }
@signature = signer.sign(data: signing_input)
end
nil
end
# Verifies the claims of the token.
# @param options [Array<Symbol>, Hash] the claims to verify.
# @raise [JWT::DecodeError] if the claims are invalid.
def verify_claims!(*options)
Claims::Verifier.verify!(self, *options)
end
# Returns the errors of the claims of the token.
# @param options [Array<Symbol>, Hash] the claims to verify.
# @return [Array<Symbol>] the errors of the claims.
def claim_errors(*options)
Claims::Verifier.errors(self, *options)
end
# Returns whether the claims of the token are valid.
# @param options [Array<Symbol>, Hash] the claims to verify.
# @return [Boolean] whether the claims are valid.
def valid_claims?(*options)
claim_errors(*options).empty?
end
# Returns the JWT token as a string.
#
# @return [String] the JWT token as a string.
alias to_s jwt
end
end
|
