Module: BetterAuth::Crypto::JWE

Defined in:

lib/better_auth/crypto/jwe.rb

Constant Summary

ALG =

"dir"

ENC =

"A256CBC-HS512"

INFO =

"BetterAuth.js Generated Encryption Key"

CLOCK_TOLERANCE =

15

Class Method Summary

• .all_secrets(secret) ⇒ Object
• .current_secret(secret) ⇒ Object
• .decode(token, secret, salt) ⇒ Object
• .decryption_keys(secret, salt, kid) ⇒ Object
• .encode(payload, secret, salt, expires_in: 3600) ⇒ Object
• .encryption_key(secret, salt) ⇒ Object
• .expired?(payload) ⇒ Boolean
• .protected_header(token) ⇒ Object
• .thumbprint(key) ⇒ Object
• .valid_header?(header) ⇒ Boolean

Class Method Details

.all_secrets(secret) ⇒ Object

# File 'lib/better_auth/crypto/jwe.rb', line 69

def all_secrets(secret)
  return [[0, secret]] unless secret.is_a?(SecretConfig)

  secret.all_secrets
end

.current_secret(secret) ⇒ Object

# File 'lib/better_auth/crypto/jwe.rb', line 65

def current_secret(secret)
  secret.is_a?(SecretConfig) ? secret.current_secret : secret
end

.decode(token, secret, salt) ⇒ Object

# File 'lib/better_auth/crypto/jwe.rb', line 33

def decode(token, secret, salt)
  return nil if token.to_s.empty?

  header = protected_header(token)
  return nil unless valid_header?(header)

  decryption_keys(secret, salt, header["kid"]).each do |key|
    payload = JSON.parse(::JWE.decrypt(token.to_s, key))
    return nil if expired?(payload)

    return payload
  rescue JSON::ParserError, ::JWE::DecodeError, ::JWE::InvalidData, ::JWE::BadCEK
    next
  end

  nil
rescue JSON::ParserError, ArgumentError, ::JWE::DecodeError, ::JWE::InvalidData, ::JWE::BadCEK
  nil
end

.decryption_keys(secret, salt, kid) ⇒ Object

# File 'lib/better_auth/crypto/jwe.rb', line 75

def decryption_keys(secret, salt, kid)
  keys = all_secrets(secret).map { |_version, value| encryption_key(value, salt) }
  return keys if kid.nil?

  keys.select { |key| thumbprint(key) == kid }
end

.encode(payload, secret, salt, expires_in: 3600) ⇒ Object

# File 'lib/better_auth/crypto/jwe.rb', line 23

def encode(payload, secret, salt, expires_in: 3600)
  claims = Crypto.stringify_keys(payload).merge(
    "iat" => Time.now.to_i,
    "exp" => Time.now.to_i + expires_in.to_i,
    "jti" => SecureRandom.uuid
  )
  key = encryption_key(current_secret(secret), salt)
  ::JWE.encrypt(JSON.generate(claims), key, alg: ALG, enc: ENC, kid: thumbprint(key))
end

.encryption_key(secret, salt) ⇒ Object

# File 'lib/better_auth/crypto/jwe.rb', line 53

def encryption_key(secret, salt)
  OpenSSL::KDF.hkdf(secret.to_s, salt: salt.to_s, info: INFO, length: 64, hash: "SHA256")
end

.expired?(payload) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/better_auth/crypto/jwe.rb', line 93

def expired?(payload)
  payload["exp"] && payload["exp"].to_i < Time.now.to_i - CLOCK_TOLERANCE
end

.protected_header(token) ⇒ Object

# File 'lib/better_auth/crypto/jwe.rb', line 82

def protected_header(token)
  first_segment = token.to_s.split(".", 2).first
  JSON.parse(Crypto.base64url_decode(first_segment))
rescue JSON::ParserError, ArgumentError
  {}
end

.thumbprint(key) ⇒ Object

# File 'lib/better_auth/crypto/jwe.rb', line 57

def thumbprint(key)
  jwk = {
    "k" => Base64.urlsafe_encode64(key, padding: false),
    "kty" => "oct"
  }
  Crypto.base64url_encode(OpenSSL::Digest.digest("SHA256", JSON.generate(jwk)))
end

.valid_header?(header) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/better_auth/crypto/jwe.rb', line 89

def valid_header?(header)
  header["alg"] == ALG && header["enc"] == ENC
end