JWT::Encode refactorings, alg and exp related bugfixes #293
@@ -0,0 +1,19 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'base64' | ||
|
||
module JWT | ||
# Base64 helpers | ||
class Base64 | ||
class << self | ||
def url_encode(str) | ||
::Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '') | ||
end | ||
|
||
def url_decode(str) | ||
str += '=' * (4 - str.length.modulo(4)) | ||
::Base64.decode64(str.tr('-_', '+/')) | ||
end | ||
end | ||
end | ||
end |
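Review bot: the padding arithmetic in `url_decode` is off by one case: `'=' * (4 - str.length.modulo(4))` appends four `=` characters when the input length is already a multiple of four. `::Base64.decode64` happens to tolerate that, but the helper should be correct on its own, so use `(4 - str.length % 4) % 4`. Related and worth doing in the same change: `decode64` silently skips any character outside the Base64 alphabet, so a corrupted or tampered segment decodes to garbage and is handed on to the JSON parser instead of being rejected here; pairing `::Base64.strict_encode64` in `url_encode` (no newlines to strip, so the `gsub` only needs to drop `=`) with `::Base64.strict_decode64` in `url_decode` makes malformed input raise `ArgumentError` at the boundary. Note that `strict_decode64` requires exact padding, so it only works once the modulo fix above is in.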
@@ -1,51 +1,76 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'json' | ||
|
||
# JWT::Encode module | ||
module JWT | ||
# Encoding logic for JWT | ||
class Encode | ||
attr_reader :payload, :key, :algorithm, :header_fields, :segments | ||
ALG_NONE = 'none'.freeze | ||
Wouldn't
This is something related to creating a JWT without a signature. none is the algorithm the JWA spec defines as "Unsecured JWS"
||
ALG_KEY = 'alg'.freeze | ||
EXP_KEY = 'exp'.freeze | ||
EXP_KEYS = [EXP_KEY, EXP_KEY.to_sym].freeze | ||
Might be better off refactoring to use a
Did not spend that much time focusing on this payload validation, think that it belongs somewhere else than the Encode class. I think #287 is a more elegant way to handle this.
||
|
||
def self.base64url_encode(str) | ||
Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '') | ||
def initialize(options) | ||
@payload = options[:payload] | ||
@key = options[:key] | ||
@algorithm = options[:algorithm] | ||
@headers = options[:headers] | ||
end | ||
|
||
def initialize(payload, key, algorithm, header_fields) | ||
@payload = payload | ||
@key = key | ||
@algorithm = algorithm | ||
@header_fields = header_fields | ||
@segments = encode_segments | ||
def segments | ||
@segments ||= combine(encoded_header_and_payload, encoded_signature) | ||
end | ||
|
||
private | ||
|
||
def validate_payload! | ||
return unless @payload && @payload.is_a?(Hash) | ||
|
||
validate_exp! | ||
end | ||
|
||
def validate_exp! | ||
return if EXP_KEYS.all? { |key| [email protected]?(key) || @payload[key].is_a?(Integer) } | ||
|
||
raise InvalidPayload, 'exp claim must be an integer' | ||
end | ||
|
||
def encoded_header | ||
header = { 'alg' => @algorithm }.merge(@header_fields) | ||
Encode.base64url_encode(JSON.generate(header)) | ||
@encoded_header ||= encode_header | ||
end | ||
|
||
def encoded_payload | ||
raise InvalidPayload, 'exp claim must be an integer' if @payload && @payload.is_a?(Hash) && @payload.key?('exp') && !@payload['exp'].is_a?(Integer) | ||
Encode.base64url_encode(JSON.generate(@payload)) | ||
@encoded_payload ||= encode_payload | ||
end | ||
|
||
def encoded_signature | ||
@encoded_signature ||= encode_signature | ||
end | ||
|
||
def encoded_header_and_payload | ||
@encoded_header_and_payload ||= combine(encoded_header, encoded_payload) | ||
end | ||
|
||
def encode_header | ||
encode(@headers.merge(ALG_KEY => @algorithm)) | ||
end | ||
|
||
def encode_payload | ||
validate_payload! | ||
encode(@payload) | ||
end | ||
|
||
def encode_signature | ||
return '' if @algorithm == ALG_NONE | ||
|
||
JWT::Base64.url_encode(JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key)) | ||
end | ||
|
||
def encoded_signature(signing_input) | ||
if @algorithm == 'none' | ||
'' | ||
else | ||
signature = JWT::Signature.sign(@algorithm, signing_input, @key) | ||
Encode.base64url_encode(signature) | ||
end | ||
def encode(data) | ||
JWT::Base64.url_encode(JWT::JSON.generate(data)) | ||
end | ||
|
||
def encode_segments | ||
header = encoded_header | ||
payload = encoded_payload | ||
signature = encoded_signature([header, payload].join('.')) | ||
[header, payload, signature].join('.') | ||
def combine(*parts) | ||
parts.join('.') | ||
end | ||
end | ||
end |
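Review bot: `encode_header` now builds the header as `@headers.merge(ALG_KEY => @algorithm)`, so the `alg` header always reflects the algorithm actually used in `encode_signature`, whereas the replaced `{ 'alg' => @algorithm }.merge(@header_fields)` let a caller-supplied `alg` override it. That is the safer precedence, since a header whose `alg` disagrees with the algorithm the signature was produced with is exactly what verifiers key on, but it is a behaviour change and needs a changelog entry and a spec asserting that `headers: { 'alg' => 'none' }` does not win. Two smaller points in the same hunk: `@headers = options[:headers]` has no default, so constructing `Encode` without `:headers` fails later with `NoMethodError` on `nil.merge`; use `options[:headers] || {}`. And `attr_reader :payload, :key, :algorithm, :header_fields, :segments` is kept as context although nothing assigns `@header_fields` any more, so `header_fields` now always returns `nil`; drop it or expose `:headers` instead.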
@@ -0,0 +1,18 @@ | ||
# frozen_string_literal: true | ||
|
||
require 'json' | ||
|
||
module JWT | ||
# JSON wrapper | ||
class JSON | ||
class << self | ||
def generate(data) | ||
::JSON.generate(data) | ||
end | ||
|
||
def parse(data) | ||
::JSON.parse(data) | ||
end | ||
end | ||
end | ||
end |
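Review bot: defining `JWT::JSON` shadows the top-level `JSON` constant for every unqualified reference inside `module JWT`. A bare `JSON.generate` or `JSON.parse` there now resolves to this wrapper, which is harmless because it delegates, but a bare `rescue JSON::ParserError` in the same namespace resolves to `JWT::JSON::ParserError`, which this hunk does not define, and raises `NameError` only when the rescue clause is evaluated, that is, on malformed input. Either qualify such references as `::JSON::ParserError`, or have the wrapper re-export the error class it can surface, e.g. `ParserError = ::JSON::ParserError`, and add a spec that feeds `parse` an invalid document so the shadowing is covered.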
Do you really want to add two more methods to the public API of this gem that handle Base64 encoding? This kind of thing should probably be kept private.