class JWT::EncodedToken
encoded_token.payload # => {‘pay’ => ‘load’}
encoded_token.verify_signature!(algorithm: ‘HS256’, key: ‘secret’)
encoded_token = JWT::EncodedToken.new(token.jwt)
token.sign!(algorithm: ‘HS256’, key: ‘secret’)
token = JWT::Token.new(payload: {pay: ‘load’})
Processing an encoded and signed token:
Represents an encoded JWT token
def claim_errors(*options)
-
(Array- the errors of the claims.)
Parameters:
-
options(Array) -- the claims to verify. By default, it checks the 'exp' claim., Hash
def claim_errors(*options) Claims::Verifier.errors(ClaimsContext.new(self), *claims_options(options)) end
def claims_options(options)
def claims_options(options) return DEFAULT_CLAIMS if options.first.nil? options end
def decode_payload
def decode_payload raise JWT::DecodeError, 'Encoded payload is empty' if encoded_payload == '' if unencoded_payload? verify_claims!(crit: ['b64']) return parse_unencoded(encoded_payload) end parse_and_decode(encoded_payload) end
def decoded_payload
def decoded_payload @decoded_payload ||= decode_payload end
def header
-
(Hash)- the header.
def header @header ||= parse_and_decode(@encoded_header) end
def initialize(jwt)
-
(ArgumentError)- if the provided JWT is not a String.
Parameters:
-
jwt(String) -- the encoded JWT token.
def initialize(jwt) raise ArgumentError, 'Provided JWT must be a String' unless jwt.is_a?(String) @jwt = jwt @signature_verified = false @claims_verified = false @encoded_header, @encoded_payload, @encoded_signature = jwt.split('.') end
def parse(segment)
def parse(segment) JWT::JSON.parse(segment) rescue ::JSON::ParserError raise JWT::DecodeError, 'Invalid segment encoding' end
def parse_and_decode(segment)
def parse_and_decode(segment) parse(::JWT::Base64.url_decode(segment || '')) end
def parse_unencoded(segment)
def parse_unencoded(segment) parse(segment) end
def payload
-
(JWT::DecodeError)- if the signature has not been verified.
Returns:
-
(Hash)- the payload.
def payload raise JWT::DecodeError, 'Verify the token signature before accessing the payload' unless @signature_verified raise JWT::DecodeError, 'Verify the token claims before accessing the payload' unless @claims_verified decoded_payload end
def signature
-
(String)- the decoded signature.
def signature @signature ||= ::JWT::Base64.url_decode(encoded_signature || '') end
def signing_input
-
(String)- the signing input.
def signing_input [encoded_header, encoded_payload].join('.') end
def unencoded_payload?
def unencoded_payload? header['b64'] == false end
def unverified_payload
-
(Hash)- the payload.
def unverified_payload decoded_payload end
def valid?(signature:, claims: nil)
-
(Boolean)- true if the signature and claims are valid, false otherwise.
Parameters:
-
claims(Array) -- the claims to verify (see {#verify_claims!})., Hash -
signature(Hash) -- the parameters for signature verification (see {#verify_signature!}).
def valid?(signature:, claims: nil) valid_signature?(**signature) && (claims.is_a?(Array) ? valid_claims?(*claims) : valid_claims?(claims)) end
def valid_claims?(*options)
-
(Boolean)- whether the claims are valid.
Parameters:
-
options(Array) -- the claims to verify. By default, it checks the 'exp' claim., Hash
def valid_claims?(*options) claim_errors(*claims_options(options)).empty?.tap { |verified| @claims_verified = verified } end
def valid_signature?(algorithm: nil, key: nil, key_finder: nil)
-
(Boolean)- true if the signature is valid, false otherwise.
Parameters:
-
key_finder(#call) -- an object responding to `call` to find the key for verification. -
key(String, Array) -- the key(s) to use for verification., JWT::JWK::KeyBase, Array -
algorithm(String, Array) -- the algorithm(s) to use for verification., Object, Array
def valid_signature?(algorithm: nil, key: nil, key_finder: nil) raise ArgumentError, 'Provide either key or key_finder, not both or neither' if key.nil? == key_finder.nil? keys = Array(key || key_finder.call(self)) verifiers = JWA.create_verifiers(algorithms: algorithm, keys: keys, preferred_algorithm: header['alg']) raise JWT::VerificationError, 'No algorithm provided' if verifiers.empty? valid = verifiers.any? do |jwa| jwa.verify(data: signing_input, signature: signature) end valid.tap { |verified| @signature_verified = verified } end
def verify!(signature:, claims: nil)
-
(JWT::DecodeError)- if the signature or claim verification fails.
Returns:
-
(nil)-
Parameters:
-
claims(Array) -- the claims to verify (see {#verify_claims!})., Hash -
signature(Hash) -- the parameters for signature verification (see {#verify_signature!}).
def verify!(signature:, claims: nil) verify_signature!(**signature) claims.is_a?(Array) ? verify_claims!(*claims) : verify_claims!(claims) nil end
def verify_claims!(*options)
-
(JWT::DecodeError)- if the claims are invalid.
Parameters:
-
options(Array) -- the claims to verify. By default, it checks the 'exp' claim., Hash
def verify_claims!(*options) Claims::Verifier.verify!(ClaimsContext.new(self), *claims_options(options)).tap do @claims_verified = true end rescue StandardError @claims_verified = false raise end
def verify_signature!(algorithm:, key: nil, key_finder: nil)
-
(ArgumentError)- if neither key nor key_finder is provided, or if both are provided. -
(JWT::VerificationError)- if the signature verification fails.
Returns:
-
(nil)-
Parameters:
-
key_finder(#call) -- an object responding to `call` to find the key for verification. -
key(String, Array) -- the key(s) to use for verification. -
algorithm(String, Array) -- the algorithm(s) to use for verification., Object, Array
def verify_signature!(algorithm:, key: nil, key_finder: nil) return if valid_signature?(algorithm: algorithm, key: key, key_finder: key_finder) raise JWT::VerificationError, 'Signature verification failed' end