Class: Cent::Notary

Inherits:
Object
Defined in:
lib/cent/notary.rb

Overview

Cent::Notary

Issues JWT tokens for Centrifugo client connections and channel subscriptions. Supports HMAC, RSA and ECDSA families of algorithms (HS256/384/512, RS256/384/512, ES256/384/512).

Constructor Details

#initialize(secret:, algorithm: 'HS256') ⇒ Notary

Returns a new instance of Notary.

Parameters:

  • secret (String, OpenSSL::PKey::RSA, OpenSSL::PKey::EC)

    Secret key for the chosen algorithm. For HMAC pass the raw secret as a String. For RSA/ECDSA pass a PEM-loaded OpenSSL::PKey::RSA / OpenSSL::PKey::EC.

  • algorithm (String) (defaults to: 'HS256')

    JWT algorithm, defaults to 'HS256'.

Raises:



# File 'lib/cent/notary.rb', line 20

def initialize(secret:, algorithm: 'HS256')
  raise Error, 'Secret can not be nil' if secret.nil?

  @secret    = secret
  @algorithm = algorithm
end

Instance Method Details

#issue_channel_token(sub:, channel:, exp: nil, iat: nil, jti: nil, aud: nil, iss: nil, info: nil, b64info: nil, override: nil, expire_at: nil) ⇒ String

Issue a subscription JWT used by clients to authorize subscription to a channel that requires token authorization.

Parameters:

  • sub (String)

    Application user ID (same meaning as in connection token).

  • channel (String)

    Channel this subscription token is valid for.

  • exp (Integer) (defaults to: nil)

    UNIX timestamp (seconds) when the token expires.

  • iat (Integer) (defaults to: nil)

    UNIX timestamp (seconds) when the token was issued.

  • jti (String) (defaults to: nil)

    Unique token identifier.

  • aud (String) (defaults to: nil)

    Token audience.

  • iss (String) (defaults to: nil)

    Token issuer.

  • info (Hash) (defaults to: nil)

    Arbitrary channel info.

  • b64info (String) (defaults to: nil)

    Base64-encoded 'info'.

  • override (Hash) (defaults to: nil)

    Per-subscription channel option overrides.

  • expire_at (Integer) (defaults to: nil)

    Override subscription expiration timestamp.

Returns:

  • (String)

    Encoded JWT.



# File 'lib/cent/notary.rb', line 82

def issue_channel_token(sub:, channel:, exp: nil, iat: nil, jti: nil, aud: nil, iss: nil,
                        info: nil, b64info: nil, override: nil, expire_at: nil)
  payload = {
    'sub' => sub,
    'channel' => channel,
    'exp' => exp,
    'iat' => iat,
    'jti' => jti,
    'aud' => aud,
    'iss' => iss,
    'info' => info,
    'b64info' => b64info,
    'override' => override,
    'expire_at' => expire_at
  }.compact

  JWT.encode(payload, secret, algorithm)
end

#issue_connection_token(sub:, exp: nil, iat: nil, jti: nil, aud: nil, iss: nil, info: nil, b64info: nil, channels: nil, subs: nil, meta: nil, expire_at: nil) ⇒ String

Issue a connection JWT used by clients when establishing a real-time connection to Centrifugo.

Parameters:

  • sub (String)

    Standard JWT claim with the application user ID. Use an empty string for anonymous connections.

  • exp (Integer) (defaults to: nil)

    UNIX timestamp (seconds) when the token expires.

  • iat (Integer) (defaults to: nil)

    UNIX timestamp (seconds) when the token was issued.

  • jti (String) (defaults to: nil)

    Unique token identifier.

  • aud (String) (defaults to: nil)

    Token audience (matches 'client.token.audience').

  • iss (String) (defaults to: nil)

    Token issuer (matches 'client.token.issuer').

  • info (Hash) (defaults to: nil)

    Arbitrary public info attached to the connection.

  • b64info (String) (defaults to: nil)

    Base64-encoded 'info' (for binary payloads).

  • channels (Array<String>) (defaults to: nil)

    Server-side subscription channel list.

  • subs (Hash) (defaults to: nil)

    Server-side subscriptions with per-channel options.

  • meta (Hash) (defaults to: nil)

    Server-only metadata attached to the connection.

  • expire_at (Integer) (defaults to: nil)

    Override connection expiration timestamp.

Returns:

  • (String)

    Encoded JWT.



# File 'lib/cent/notary.rb', line 45

def issue_connection_token(sub:, exp: nil, iat: nil, jti: nil, aud: nil, iss: nil,
                           info: nil, b64info: nil, channels: nil, subs: nil,
                           meta: nil, expire_at: nil)
  payload = {
    'sub' => sub,
    'exp' => exp,
    'iat' => iat,
    'jti' => jti,
    'aud' => aud,
    'iss' => iss,
    'info' => info,
    'b64info' => b64info,
    'channels' => channels,
    'subs' => subs,
    'meta' => meta,
    'expire_at' => expire_at
  }.compact

  JWT.encode(payload, secret, algorithm)
end
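
Both issue methods above drop nil claims with #compact, so a call that omits exp produces a token with no expiry claim. The following is an added example, not code from the cent gem: it reproduces that payload handling for HS256 with Ruby's standard library only (instead of the JWT gem the methods above call) and adds an issuer-side check for expiry and channel binding. The helper names (b64url, sign_hs256, secure_eq, check_channel_token) and the sample secret, user ID and channel are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Same payload handling as the methods above: #compact drops nil claims,
# so a caller that omits exp gets a token with no expiry claim at all.
def sign_hs256(claims, secret)
  signing_input = [{ 'alg' => 'HS256', 'typ' => 'JWT' }, claims.compact]
                  .map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Constant-time comparison, so a mismatch does not leak its position.
def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical issuer-side policy check (not Centrifugo's own verifier): pinned
# algorithm, valid signature, mandatory exp, and binding to the expected channel.
def check_channel_token(token, secret, channel:, now: Time.now.to_i)
  header, payload, sig, extra = token.split('.')
  return :malformed if sig.nil? || extra

  head = JSON.parse(Base64.urlsafe_decode64(header))
  return :bad_alg unless head.is_a?(Hash) && head['alg'] == 'HS256'

  expected = b64url(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))
  return :bad_signature unless secure_eq(expected, sig)

  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return :no_expiry unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer)
  return :expired if claims['exp'] <= now
  return :wrong_channel unless claims['channel'] == channel

  claims
rescue ArgumentError, JSON::ParserError
  :malformed
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret' # constructed sample values throughout
  base   = { 'sub' => '42', 'channel' => 'personal:42' }
  p check_channel_token(sign_hs256(base.merge('exp' => Time.now.to_i + 300), secret), secret, channel: 'personal:42')
  p check_channel_token(sign_hs256(base.merge('exp' => nil), secret), secret, channel: 'personal:42')
end
```

The second call in the demo returns :no_expiry, because the nil exp never reaches the payload.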