Class: Philiprehberger::SignedPayload::Signer

Inherits:

Object

• Object
• Philiprehberger::SignedPayload::Signer

Defined in:

lib/philiprehberger/signed_payload/signer.rb

Constant Summary

ALGORITHMS =

{
  sha256: 'SHA256',
  sha384: 'SHA384',
  sha512: 'SHA512'
}.freeze

Instance Method Summary

• #decode(token) ⇒ Object
• #expired?(token) ⇒ Boolean

  Check if a token has expired without verifying the signature.

• #initialize(key:, algorithm: :sha256) ⇒ Signer constructor

  A new instance of Signer.

• #peek(token) ⇒ Hash

  Inspect token metadata without verifying the signature.

• #refresh(token, expires_in:) ⇒ String

  Re-sign a verified token with a new expiration.

• #sign(data, expires_in: nil) ⇒ Object
• #sign_with_exp(data, exp:) ⇒ String

  Re-sign a verified token’s payload preserving the original expiration timestamp.

• #valid?(token) ⇒ Boolean
• #verify(token, keys: nil) ⇒ Object

  Verify a token’s signature and decode its payload.

Constructor Details

#initialize(key:, algorithm: :sha256) ⇒ Signer

Returns a new instance of Signer.

# File 'lib/philiprehberger/signed_payload/signer.rb', line 16

def initialize(key:, algorithm: :sha256)
  @key = key
  @algorithm = validate_algorithm!(algorithm)
end

Instance Method Details

#decode(token) ⇒ Object

# File 'lib/philiprehberger/signed_payload/signer.rb', line 53

def decode(token)
  encoded, _sig = split_token(token)
  parsed = JSON.parse(Base64.urlsafe_decode64(encoded))
  parsed['data']
rescue JSON::ParserError
  raise MalformedToken, 'invalid payload encoding'
end

#expired?(token) ⇒ Boolean

Check if a token has expired without verifying the signature.

Parameters:

• token (String) —

  the token to check

Returns:

• (Boolean) —

  true if the token has expired or has no expiration

# File 'lib/philiprehberger/signed_payload/signer.rb', line 91

def expired?(token)
  encoded, _sig = split_token(token)
  parsed = JSON.parse(Base64.urlsafe_decode64(encoded))
  return false unless parsed.key?('exp')

  parsed['exp'] <= Time.now.to_i
rescue JSON::ParserError
  raise MalformedToken, 'invalid payload encoding'
end

#peek(token) ⇒ Hash

Inspect token metadata without verifying the signature.

Parameters:

• token (String) —

  the token to inspect

Returns:

• (Hash) —

  with :data, :exp (Integer or nil), and :expired (Boolean)

# File 'lib/philiprehberger/signed_payload/signer.rb', line 105

def peek(token)
  encoded, _sig = split_token(token)
  parsed = JSON.parse(Base64.urlsafe_decode64(encoded))
  exp = parsed['exp']
  {
    data: parsed['data'],
    exp: exp,
    expired: exp ? exp <= Time.now.to_i : false
  }
rescue JSON::ParserError
  raise MalformedToken, 'invalid payload encoding'
end

#refresh(token, expires_in:) ⇒ String

Re-sign a verified token with a new expiration.

Parameters:

• token (String) —

  the token to refresh

• expires_in (Integer) —

  new TTL in seconds

Returns:

• (String) —

  a new token with the same data and a fresh expiration

Raises:

• (InvalidSignature, ExpiredToken, MalformedToken) —

  if the current token is invalid

# File 'lib/philiprehberger/signed_payload/signer.rb', line 67

def refresh(token, expires_in:)
  data = verify(token)
  sign(data, expires_in: expires_in)
end

#sign(data, expires_in: nil) ⇒ Object

# File 'lib/philiprehberger/signed_payload/signer.rb', line 21

def sign(data, expires_in: nil)
  payload = build_payload(data, expires_in)
  encoded = Base64.urlsafe_encode64(payload)
  signature = compute_signature(encoded)
  "#{encoded}.#{Base64.urlsafe_encode64(signature)}"
end

#sign_with_exp(data, exp:) ⇒ String

Re-sign a verified token’s payload preserving the original expiration timestamp. Used internally by key rotation to avoid shifting expiry during re-signing.

Parameters:

• data (Object) —

  the payload data to sign

• exp (Integer, nil) —

  Unix timestamp to preserve (or nil for no expiry)

Returns:

• (String) —

  a new token with the given data and exp

# File 'lib/philiprehberger/signed_payload/signer.rb', line 78

def sign_with_exp(data, exp:)
  hash = { 'data' => data }
  hash['exp'] = exp unless exp.nil?
  payload = JSON.generate(hash)
  encoded = Base64.urlsafe_encode64(payload)
  signature = compute_signature(encoded)
  "#{encoded}.#{Base64.urlsafe_encode64(signature)}"
end

#valid?(token) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/philiprehberger/signed_payload/signer.rb', line 46

def valid?(token)
  verify(token)
  true
rescue Error
  false
end

#verify(token, keys: nil) ⇒ Object

Verify a token’s signature and decode its payload.

Parameters:

• token (String) —

  the token to verify

• keys (Array<String>, nil) (defaults to: nil) —

  optional list of candidate keys to try for zero-downtime secret rotation. Signature passes if any key validates. When nil (default), the key supplied at construction is used.

Returns:

• (Object) —

  the decoded payload data

Raises:

• (ArgumentError) —

  if keys is an empty array

• (InvalidSignature, ExpiredToken, MalformedToken) —

  on failure

# File 'lib/philiprehberger/signed_payload/signer.rb', line 38

def verify(token, keys: nil)
  raise ArgumentError, 'no keys provided' if keys.is_a?(Array) && keys.empty?

  encoded, sig = split_token(token)
  verify_signature!(encoded, sig, keys: keys)
  decode_payload(encoded)
end