Class: Himari::AccessToken

Inherits:

Object

• Object
• Himari::AccessToken

Includes:

TokenString

Defined in:

lib/himari/access_token.rb

Defined Under Namespace

Classes: Bearer

Instance Attribute Summary

• #claims ⇒ Object readonly

  Returns the value of attribute claims.

• #client_id ⇒ Object readonly

  Returns the value of attribute client_id.

• #expiry ⇒ Object readonly

  Returns the value of attribute expiry.

• #handle ⇒ Object readonly

  Returns the value of attribute handle.

• #scopes ⇒ Object readonly

  Returns the value of attribute scopes.

• #session_handle ⇒ Object readonly

  Returns the value of attribute session_handle.

Attributes included from TokenString

#verification

Class Method Summary

• .default_lifetime ⇒ Object
• .from_authz(authz) ⇒ Object
• .magic_header ⇒ Object
• .parse(str, signing_key_provider: nil) ⇒ Object

  Parse a presented access token into its opaque Format (handle + secret) for verification against storage.

• .parse_jwt(str, signing_key_provider) ⇒ Object

Instance Method Summary

• #as_json ⇒ Object
• #as_log ⇒ Object
• #initialize(handle:, client_id:, claims:, expiry:, scopes: [], session_handle: nil, secret: nil, secret_hash: nil) ⇒ AccessToken constructor

  A new instance of AccessToken.

• #to_bearer(token_string: format.to_s) ⇒ Object
• #to_jwt(signing_key:, issuer:, now: Time.now) ⇒ Object

  Render this token as an RFC 9068 JWT (Himari::AccessTokenJwt).

• #userinfo ⇒ Object

Methods included from TokenString

#format, hash_secret, included, #magic_header, #secret, #secret_hash, #secret_hash_prev, #verify!, #verify_expiry!, #verify_secret!

Constructor Details

#initialize(handle:, client_id:, claims:, expiry:, scopes: [], session_handle: nil, secret: nil, secret_hash: nil) ⇒ AccessToken

Returns a new instance of AccessToken.

# File 'lib/himari/access_token.rb', line 76

def initialize(handle:, client_id:, claims:, expiry:, scopes: [], session_handle: nil, secret: nil, secret_hash: nil)
  @handle = handle
  @client_id = client_id
  @claims = claims
  @scopes = scopes
  @session_handle = session_handle
  @expiry = expiry

  @secret = secret
  @secret_hash = secret_hash
  @secret_hash_prev = nil
  @verification = nil
end

Instance Attribute Details

#claims ⇒ Object (readonly)

Returns the value of attribute claims.

# File 'lib/himari/access_token.rb', line 90

def claims
  @claims
end

#client_id ⇒ Object (readonly)

Returns the value of attribute client_id.

# File 'lib/himari/access_token.rb', line 90

def client_id
  @client_id
end

#expiry ⇒ Object (readonly)

Returns the value of attribute expiry.

# File 'lib/himari/access_token.rb', line 90

def expiry
  @expiry
end

#handle ⇒ Object (readonly)

Returns the value of attribute handle.

# File 'lib/himari/access_token.rb', line 90

def handle
  @handle
end

#scopes ⇒ Object (readonly)

Returns the value of attribute scopes.

# File 'lib/himari/access_token.rb', line 90

def scopes
  @scopes
end

#session_handle ⇒ Object (readonly)

Returns the value of attribute session_handle.

# File 'lib/himari/access_token.rb', line 90

def session_handle
  @session_handle
end

Class Method Details

.default_lifetime ⇒ Object

# File 'lib/himari/access_token.rb', line 26

def self.default_lifetime
  3600
end

.from_authz(authz) ⇒ Object

Parameters:

• authz (Himari::AuthorizationCode)

# File 'lib/himari/access_token.rb', line 66

def self.from_authz(authz)
  make(
    client_id: authz.client_id,
    claims: authz.claims,
    scopes: authz.scopes,
    session_handle: authz.session_handle,
    lifetime: authz.lifetime.access_token,
  )
end

.magic_header ⇒ Object

# File 'lib/himari/access_token.rb', line 22

def self.magic_header
  'hmat'
end

.parse(str, signing_key_provider: nil) ⇒ Object

Parse a presented access token into its opaque Format (handle + secret) for verification against storage. Two on-the-wire shapes are accepted:

• the opaque token “hmat.<handle>.<secret>” (TokenString format), or

• an RFC 9068 JWT (Himari::AccessTokenJwt) carrying the opaque token in its hmat claim.

For a JWT, the signature is verified first (requires signing_key_provider to resolve the kid), then the embedded opaque token is returned so the caller validates the secret against storage exactly as for an opaque token. Any malformed/unverifiable JWT becomes TokenString::InvalidFormat so callers handle one failure type.

Parameters:

• signing_key_provider (Himari::ProviderChain<Himari::SigningKey>, nil) (defaults to: nil)

# File 'lib/himari/access_token.rb', line 42

def self.parse(str, signing_key_provider: nil)
  return TokenString::Format.parse(magic_header, str) if str.to_s.start_with?("#{magic_header}.")

  parse_jwt(str, signing_key_provider)
end

.parse_jwt(str, signing_key_provider) ⇒ Object

# File 'lib/himari/access_token.rb', line 48

def self.parse_jwt(str, signing_key_provider)
  raise TokenString::InvalidFormat, 'signing keys are required to verify a JWT access token' unless signing_key_provider

  jwt = JSON::JWT.decode(str, :skip_verification)
  key = jwt.kid && signing_key_provider.find(id: jwt.kid)
  raise TokenString::InvalidFormat, 'unknown or missing signing key (kid)' unless key

  jwt.verify!(key.pkey)

  hmat = jwt[magic_header]
  raise TokenString::InvalidFormat, 'missing hmat claim' unless hmat.is_a?(String) && hmat.start_with?("#{magic_header}.")

  TokenString::Format.parse(magic_header, hmat)
rescue JSON::JWT::Exception, JSON::ParserError => e
  raise TokenString::InvalidFormat, "invalid JWT access token: #{e.class}"
end

Instance Method Details

#as_json ⇒ Object

# File 'lib/himari/access_token.rb', line 135

def as_json
  {
    handle: handle,
    secret_hash: secret_hash,
    client_id: client_id,
    claims: claims,
    scopes: scopes,
    session_handle: session_handle,
    expiry: expiry.to_i,
  }
end

#as_log ⇒ Object

# File 'lib/himari/access_token.rb', line 124

def as_log
  {
    handle: handle,
    client_id: client_id,
    claims: claims,
    scopes: scopes,
    session_handle: session_handle,
    expiry: expiry,
  }
end

#to_bearer(token_string: format.to_s) ⇒ Object

Parameters:

• token_string (String) (defaults to: format.to_s) —

  the on-the-wire access token to deliver. Defaults to the opaque format; the token endpoint passes the RFC 9068 JWT when one was minted.

# File 'lib/himari/access_token.rb', line 100

def to_bearer(token_string: format.to_s)
  Bearer.new(
    access_token: token_string,
    expires_in: (expiry - Time.now.to_i).to_i,
  )
end

#to_jwt(signing_key:, issuer:, now: Time.now) ⇒ Object

Render this token as an RFC 9068 JWT (Himari::AccessTokenJwt). The opaque secret travels in the JWT’s hmat claim, so the token validates against storage the same way either form does. exp is tied to this token’s own expiry rather than recomputed, keeping both forms in sync.

Parameters:

• signing_key (Himari::SigningKey)
• issuer (String)

# File 'lib/himari/access_token.rb', line 112

def to_jwt(signing_key:, issuer:, now: Time.now)
  AccessTokenJwt.new(
    access: self,
    claims: claims,
    client_id: client_id,
    signing_key: signing_key,
    issuer: issuer,
    time: now,
    lifetime: expiry - now.to_i,
  ).to_jwt
end

#userinfo ⇒ Object

# File 'lib/himari/access_token.rb', line 92

def userinfo
  claims.merge(
    aud: client_id,
  )
end