class JWT::Decode
Decoding logic for JWT
Constants
- ALGORITHM_KEYS
Order is very important - first check for string keys, next for symbols
Public Class Methods
new(jwt, key, verify, options, &keyfinder)
click to toggle source
# File lib/jwt/decode.rb, line 10 def initialize(jwt, key, verify, options, &keyfinder) raise JWT::DecodeError, 'Nil JSON web token' unless jwt @jwt = jwt @key = key @options = options @segments = jwt.split('.') @verify = verify @signature = '' @keyfinder = keyfinder end
Public Instance Methods
decode_segments()
click to toggle source
# File lib/jwt/decode.rb, line 22 def decode_segments validate_segment_count! if @verify decode_signature verify_algo set_key verify_signature verify_claims end raise JWT::DecodeError, 'Not enough or too many segments' unless header && payload [payload, header] end
Private Instance Methods
alg_in_header()
click to toggle source
# File lib/jwt/decode.rb, line 138 def alg_in_header header['alg'] end
allowed_algorithms()
click to toggle source
# File lib/jwt/decode.rb, line 89 def allowed_algorithms @allowed_algorithms ||= resolve_allowed_algorithms end
allowed_and_valid_algorithms()
click to toggle source
# File lib/jwt/decode.rb, line 71 def allowed_and_valid_algorithms @allowed_and_valid_algorithms ||= allowed_algorithms.select { |alg| alg.valid_alg?(alg_in_header) } end
decode_signature()
click to toggle source
# File lib/jwt/decode.rb, line 134 def decode_signature @signature = ::JWT::Base64.url_decode(@segments[2] || '') end
find_key() { |header, payload| ... }
click to toggle source
# File lib/jwt/decode.rb, line 106 def find_key(&keyfinder) key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header)) # key can be of type [string, nil, OpenSSL::PKey, Array] return key if key && !Array(key).empty? raise JWT::DecodeError, 'No verification key available' end
given_algorithms()
click to toggle source
# File lib/jwt/decode.rb, line 81 def given_algorithms ALGORITHM_KEYS.each do |alg_key| alg = @options[alg_key] return Array(alg) if alg end [] end
header()
click to toggle source
# File lib/jwt/decode.rb, line 142 def header @header ||= parse_and_decode @segments[0] end
none_algorithm?()
click to toggle source
# File lib/jwt/decode.rb, line 130 def none_algorithm? alg_in_header == 'none' end
parse_and_decode(segment)
click to toggle source
# File lib/jwt/decode.rb, line 154 def parse_and_decode(segment) JWT::JSON.parse(::JWT::Base64.url_decode(segment)) rescue ::JSON::ParserError raise JWT::DecodeError, 'Invalid segment encoding' end
payload()
click to toggle source
# File lib/jwt/decode.rb, line 146 def payload @payload ||= parse_and_decode @segments[1] end
resolve_allowed_algorithms()
click to toggle source
# File lib/jwt/decode.rb, line 93 def resolve_allowed_algorithms algs = given_algorithms.map { |alg| JWA.resolve(alg) } sort_by_alg_header(algs) end
segment_length()
click to toggle source
# File lib/jwt/decode.rb, line 126 def segment_length @segments.count end
set_key()
click to toggle source
# File lib/jwt/decode.rb, line 57 def set_key @key = find_key(&@keyfinder) if @keyfinder @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks], allow_nil_kid: @options[:allow_nil_kid]).key_for(header['kid']) if @options[:jwks] return unless (x5c_options = @options[:x5c]) @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(header['x5c']) end
signing_input()
click to toggle source
# File lib/jwt/decode.rb, line 150 def signing_input @segments.first(2).join('.') end
sort_by_alg_header(algs)
click to toggle source
Move algorithms matching the JWT
alg header to the beginning of the list
# File lib/jwt/decode.rb, line 100 def sort_by_alg_header(algs) return algs if algs.size <= 1 algs.partition { |alg| alg.valid_alg?(alg_in_header) }.flatten end
validate_segment_count!()
click to toggle source
# File lib/jwt/decode.rb, line 118 def validate_segment_count! return if segment_length == 3 return if !@verify && segment_length == 2 # If no verifying required, the signature is not needed return if segment_length == 2 && none_algorithm? raise JWT::DecodeError, 'Not enough or too many segments' end
verify_algo()
click to toggle source
# File lib/jwt/decode.rb, line 50 def verify_algo raise JWT::IncorrectAlgorithm, 'An algorithm must be specified' if allowed_algorithms.empty? raise JWT::DecodeError, 'Token header not a JSON object' unless header.is_a?(Hash) raise JWT::IncorrectAlgorithm, 'Token is missing alg header' unless alg_in_header raise JWT::IncorrectAlgorithm, 'Expected a different algorithm' if allowed_and_valid_algorithms.empty? end
verify_claims()
click to toggle source
# File lib/jwt/decode.rb, line 114 def verify_claims Claims::DecodeVerifier.verify!(payload, @options) end
verify_signature()
click to toggle source
# File lib/jwt/decode.rb, line 38 def verify_signature return unless @key || @verify return if none_algorithm? raise JWT::DecodeError, 'No verification key available' unless @key return if Array(@key).any? { |key| verify_signature_for?(key) } raise JWT::VerificationError, 'Signature verification failed' end
verify_signature_for?(key)
click to toggle source
# File lib/jwt/decode.rb, line 65 def verify_signature_for?(key) allowed_and_valid_algorithms.any? do |alg| alg.verify(data: signing_input, signature: @signature, verification_key: key) end end