Module: Philiprehberger::JwtKit::Encoder

Defined in:

lib/philiprehberger/jwt_kit/encoder.rb

Overview

Encodes payloads into signed JWT tokens.

Class Method Summary

• .base64url_encode(data) ⇒ String

  Base64url-encodes a string without padding.

• .encode(payload, config) ⇒ String

  Encodes a payload into a JWT token string.

• .sign(data, config, secret: nil) ⇒ String

  Signs data using HMAC with the configured algorithm.

Class Method Details

.base64url_encode(data) ⇒ String

Base64url-encodes a string without padding.

Parameters:

• data (String) —

  data to encode

Returns:

• (String) —

  base64url-encoded string

# File 'lib/philiprehberger/jwt_kit/encoder.rb', line 53

def base64url_encode(data)
  Base64.urlsafe_encode64(data, padding: false)
end

.encode(payload, config) ⇒ String

Encodes a payload into a JWT token string.

Parameters:

• payload (Hash) —

  custom claims to include in the token

• config (Configuration) —

  JWT configuration

Returns:

• (String) —

  signed JWT token

Raises:

• (Error) —

  if no secret is configured

# File 'lib/philiprehberger/jwt_kit/encoder.rb', line 15

def encode(payload, config)
  signing_secret = if config.secrets.is_a?(Array) && !config.secrets.empty?
                     config.secrets.first[:secret] || config.secrets.first['secret']
                   else
                     config.secret
                   end
  raise Error, 'Secret is required for encoding' unless signing_secret

  header = { 'alg' => config.algorithm_name, 'typ' => 'JWT' }
  if config.secrets.is_a?(Array) && !config.secrets.empty?
    kid = config.secrets.first[:kid] || config.secrets.first['kid']
    header['kid'] = kid if kid
  end
  now = Time.now.to_i

  claims = {
    'exp' => now + config.expiration,
    'nbf' => now,
    'iat' => now,
    'jti' => SecureRandom.uuid
  }
  claims['iss'] = config.issuer if config.issuer
  claims['aud'] = config.audience if config.audience

  merged = claims.merge(payload.transform_keys(&:to_s))

  header_segment = base64url_encode(JSON.generate(header))
  payload_segment = base64url_encode(JSON.generate(merged))
  signing_input = "#{header_segment}.#{payload_segment}"
  signature = sign(signing_input, config, secret: signing_secret)

  "#{signing_input}.#{signature}"
end

.sign(data, config, secret: nil) ⇒ String

Signs data using HMAC with the configured algorithm.

Parameters:

• data (String) —

  data to sign

• config (Configuration) —

  JWT configuration

• secret (String, nil) (defaults to: nil) —

  optional secret override (defaults to config.secret)

Returns:

• (String) —

  base64url-encoded signature

# File 'lib/philiprehberger/jwt_kit/encoder.rb', line 63

def sign(data, config, secret: nil)
  signing_key = secret || config.secret
  digest = OpenSSL::Digest.new(config.digest_algorithm)
  signature = OpenSSL::HMAC.digest(digest, signing_key, data)
  base64url_encode(signature)
end