Class: JWT::EncodedToken

Inherits:
Object
  • Object
show all
Defined in:
lib/jwt/encoded_token.rb,
lib/jwt/encoded_token/claims_context.rb

Defined Under Namespace

Classes: ClaimsContext

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(jwt) ⇒ EncodedToken

Initializes a new EncodedToken instance.

Parameters:

  • jwt (String)

    the encoded JWT token.

Raises:

  • (ArgumentError)

    if the provided JWT is not a String.



29
30
31
32
33
34
35
36
37
 
# File 'lib/jwt/encoded_token.rb', line 29

def initialize(jwt)
  raise ArgumentError, 'Provided JWT must be a String' unless jwt.is_a?(String)

  @jwt = jwt
  @signature_verified = false
  @claims_verified    = false

  @encoded_header, @encoded_payload, @encoded_signature = jwt.split('.')
end

Instance Attribute Details

#encoded_headerString (readonly)

Returns the encoded header of the JWT token.

Returns:

  • (String)

    the encoded header.



61
62
63
 
# File 'lib/jwt/encoded_token.rb', line 61

def encoded_header
  @encoded_header
end

#encoded_payloadString

Sets or returns the encoded payload of the JWT token.

Returns:

  • (String)

    the encoded payload.



83
84
85
 
# File 'lib/jwt/encoded_token.rb', line 83

def encoded_payload
  @encoded_payload
end

#encoded_signatureString (readonly)

Returns the encoded signature of the JWT token.

Returns:

  • (String)

    the encoded signature.



49
50
51
 
# File 'lib/jwt/encoded_token.rb', line 49

def encoded_signature
  @encoded_signature
end

#jwtString (readonly) Also known as: to_s

Returns the original token provided to the class.

Returns:

  • (String)

    The JWT token.



23
24
25
 
# File 'lib/jwt/encoded_token.rb', line 23

def jwt
  @jwt
end

Instance Method Details

#claim_errors(*options) ⇒ Array<Symbol>

Returns the errors of the claims of the token.

Parameters:

  • options (Array<Symbol>, Hash)

    the claims to verify. By default, it checks the ‘exp’ claim.

Returns:

  • (Array<Symbol>)

    the errors of the claims.



168
169
170
 
# File 'lib/jwt/encoded_token.rb', line 168

def claim_errors(*options)
  Claims::Verifier.errors(ClaimsContext.new(self), *claims_options(options))
end

#headerHash

Returns the decoded header of the JWT token.

Returns:

  • (Hash)

    the header.



54
55
56
 
# File 'lib/jwt/encoded_token.rb', line 54

def header
  @header ||= parse_and_decode(@encoded_header)
end

#payloadHash

Returns the payload of the JWT token. Access requires the signature and claims to have been verified.

Returns:

  • (Hash)

    the payload.

Raises:



67
68
69
70
71
72
 
# File 'lib/jwt/encoded_token.rb', line 67

def payload
  raise JWT::DecodeError, 'Verify the token signature before accessing the payload' unless @signature_verified
  raise JWT::DecodeError, 'Verify the token claims before accessing the payload' unless @claims_verified

  decoded_payload
end

#signatureString

Returns the decoded signature of the JWT token.

Returns:

  • (String)

    the decoded signature.



42
43
44
 
# File 'lib/jwt/encoded_token.rb', line 42

def signature
  @signature ||= ::JWT::Base64.url_decode(encoded_signature || '')
end

#signing_inputString

Returns the signing input of the JWT token.

Returns:

  • (String)

    the signing input.



88
89
90
 
# File 'lib/jwt/encoded_token.rb', line 88

def signing_input
  [encoded_header, encoded_payload].join('.')
end

#unverified_payloadHash

Returns the payload of the JWT token without requiring the signature to have been verified.

Returns:

  • (Hash)

    the payload.



76
77
78
 
# File 'lib/jwt/encoded_token.rb', line 76

def unverified_payload
  decoded_payload
end

#valid?(signature:, claims: nil) ⇒ Boolean

Returns true if the signature and claims are valid, false otherwise.

Parameters:

  • signature (Hash)

    the parameters for signature verification (see #verify_signature!).

  • claims (Array<Symbol>, Hash) (defaults to: nil)

    the claims to verify (see #verify_claims!).

Returns:

  • (Boolean)

    true if the signature and claims are valid, false otherwise.



114
115
116
117
 
# File 'lib/jwt/encoded_token.rb', line 114

def valid?(signature:, claims: nil)
  valid_signature?(**signature) &&
    (claims.is_a?(Array) ? valid_claims?(*claims) : valid_claims?(claims))
end

#valid_claims?(*options) ⇒ Boolean

Returns whether the claims of the token are valid.

Parameters:

  • options (Array<Symbol>, Hash)

    the claims to verify. By default, it checks the ‘exp’ claim.

Returns:

  • (Boolean)

    whether the claims are valid.



175
176
177
 
# File 'lib/jwt/encoded_token.rb', line 175

def valid_claims?(*options)
  claim_errors(*claims_options(options)).empty?.tap { |verified| @claims_verified = verified }
end

#valid_signature?(algorithm: nil, key: nil, key_finder: nil) ⇒ Boolean

Checks if the signature of the JWT token is valid.

Parameters:

  • algorithm (String, Array<String>, Object, Array<Object>) (defaults to: nil)

    the algorithm(s) to use for verification.

  • key (String, Array<String>, JWT::JWK::KeyBase, Array<JWT::JWK::KeyBase>) (defaults to: nil)

    the key(s) to use for verification.

  • key_finder (#call) (defaults to: nil)

    an object responding to ‘call` to find the key for verification.

Returns:

  • (Boolean)

    true if the signature is valid, false otherwise.

Raises:

  • (ArgumentError) 


139
140
141
142
143
144
145
146
147
148
149
150
151
 
# File 'lib/jwt/encoded_token.rb', line 139

def valid_signature?(algorithm: nil, key: nil, key_finder: nil)
  raise ArgumentError, 'Provide either key or key_finder, not both or neither' if key.nil? == key_finder.nil?

  keys      = Array(key || key_finder.call(self))
  verifiers = JWA.create_verifiers(algorithms: algorithm, keys: keys, preferred_algorithm: header['alg'])

  raise JWT::VerificationError, 'No algorithm provided' if verifiers.empty?

  valid = verifiers.any? do |jwa|
    jwa.verify(data: signing_input, signature: signature)
  end
  valid.tap { |verified| @signature_verified = verified }
end

#verify!(signature:, claims: nil) ⇒ nil

Verifies the token signature and claims. By default it verifies the ‘exp’ claim.

Examples:

encoded_token.verify!(signature: { algorithm: 'HS256', key: 'secret' }, claims: [:exp])

Parameters:

  • signature (Hash)

    the parameters for signature verification (see #verify_signature!).

  • claims (Array<Symbol>, Hash) (defaults to: nil)

    the claims to verify (see #verify_claims!).

Returns:

  • (nil)

Raises:



102
103
104
105
106
 
# File 'lib/jwt/encoded_token.rb', line 102

def verify!(signature:, claims: nil)
  verify_signature!(**signature)
  claims.is_a?(Array) ? verify_claims!(*claims) : verify_claims!(claims)
  nil
end

#verify_claims!(*options) ⇒ Object

Verifies the claims of the token.

Parameters:

  • options (Array<Symbol>, Hash)

    the claims to verify. By default, it checks the ‘exp’ claim.

Raises:



156
157
158
159
160
161
162
163
 
# File 'lib/jwt/encoded_token.rb', line 156

def verify_claims!(*options)
  Claims::Verifier.verify!(ClaimsContext.new(self), *claims_options(options)).tap do
    @claims_verified = true
  end
rescue StandardError
  @claims_verified = false
  raise
end

#verify_signature!(algorithm:, key: nil, key_finder: nil) ⇒ nil

Verifies the signature of the JWT token.

Parameters:

  • algorithm (String, Array<String>, Object, Array<Object>)

    the algorithm(s) to use for verification.

  • key (String, Array<String>) (defaults to: nil)

    the key(s) to use for verification.

  • key_finder (#call) (defaults to: nil)

    an object responding to ‘call` to find the key for verification.

Returns:

  • (nil)

Raises:

  • (JWT::VerificationError)

    if the signature verification fails.

  • (ArgumentError)

    if neither key nor key_finder is provided, or if both are provided.



127
128
129
130
131
 
# File 'lib/jwt/encoded_token.rb', line 127

def verify_signature!(algorithm:, key: nil, key_finder: nil)
  return if valid_signature?(algorithm: algorithm, key: key, key_finder: key_finder)

  raise JWT::VerificationError, 'Signature verification failed'
end