class Stytch::M2M

def authenticate_token(

The type of this field is +object+.
A map of custom claims present in the token.
custom_claims::
The type of this field is +String+.
The ID of the client that was issued the token
client_id::
The type of this field is list of +String+.
An array of scopes granted to the token holder.
scopes::
+nil+ if the token could not be validated, or an object with the following fields:
== Returns:
The type of this field is nilable +Integer+.
The tolerance to use during verification of the nbf claim. This can help with clock drift issues.
clock_tolerance_seconds:
documentation for +perform_authorization_check+ for more information.
scopes are either direct string matches or written in the form "action:resource". See the
A function to check if the token has the required scopes. This defaults to a function that assumes
scope_authorization_func::
The type of this field is nilable +Integer+.
The maximum possible lifetime in seconds for the token to be valid.
max_token_age::
The type of this field is nilable list of +String+.
A list of scopes the token must have to be valid.
required_scopes::
The type of this field is +String+.
The access token granted to the client. Access tokens are JWTs signed with the project's JWKs.
access_token::
== Parameters:

+authenticate_token+ validates a M2M JWT locally.
MANUAL(M2M::authenticate_token)(SERVICE_METHOD) 
def authenticate_token(
  access_token:,
  required_scopes: nil,
  max_token_age: nil,
  scope_authorization_func: method(:perform_authorization_check),
  clock_tolerance_seconds: nil
)
  # Intentionally allow this to re-raise if authentication fails
  decoded_jwt = authenticate_token_local(access_token, clock_tolerance_seconds: clock_tolerance_seconds)
  iat_time = Time.at(decoded_jwt['iat']).to_datetime
  # Token too old
  raise JWTExpiredError if !max_token_age.nil? && (iat_time + max_token_age < Time.now)
  resp = marshal_jwt_into_response(decoded_jwt)
  unless required_scopes.nil?
    is_authorized = scope_authorization_func.call(
      has_scopes: resp['scopes'],
      required_scopes: required_scopes
    )
    raise M2MPermissionError.new(resp['scopes'], required_scopes) unless is_authorized
  end
  resp
end

def authenticate_token_local(jwt, clock_tolerance_seconds: nil)

If clock_tolerance_seconds is not supplied 0 seconds will be used as the default.
Parse a M2M token and verify the signature locally (without calling /authenticate in the API) 
def authenticate_token_local(jwt, clock_tolerance_seconds: nil)
  clock_tolerance_seconds = 0 if clock_tolerance_seconds.nil?
  issuer = 'stytch.com/' + @project_id
  begin
    decoded_token = JWT.decode jwt, nil, true,
                               { jwks: @jwks_loader, iss: issuer, verify_iss: true, aud: @project_id, verify_aud: true, algorithms: ['RS256'], nbf_leeway: clock_tolerance_seconds }
    decoded_token[0]
  rescue JWT::InvalidIssuerError
    raise JWTInvalidIssuerError
  rescue JWT::InvalidAudError
    raise JWTInvalidAudienceError
  rescue JWT::ExpiredSignature
    raise JWTExpiredSignatureError
  rescue JWT::IncorrectAlgorithm
    raise JWTIncorrectAlgorithmError
  end
end

def get_jwks(

This is a helper so we can retrieve the JWKS for a project for decoding M2M access tokens
MANUAL(M2M::get_jwks)(SERVICE_METHOD) 
def get_jwks(
  project_id:
)
  headers = {}
  query_params = {}
  path = @is_b2b_client ? "/v1/b2b/sessions/jwks/#{project_id}" : "/v1/sessions/jwks/#{project_id}"
  request = request_with_query_params(path, query_params)
  get_request(request, headers)
end

def initialize(connection, project_id, is_b2b_client) 

def initialize(connection, project_id, is_b2b_client)
  @connection = connection
  @clients = Stytch::M2M::Clients.new(@connection)
  @project_id = project_id
  @cache_last_update = 0
  @is_b2b_client = is_b2b_client
  @jwks_loader = lambda do |options|
    @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
    @cached_keys ||= begin
      @cache_last_update = Time.now.to_i
      keys = []
      get_jwks(project_id: @project_id)['keys'].each do |r|
        keys << r
      end
      { keys: keys }
    end
  end
end

def marshal_jwt_into_response(jwt) 

def marshal_jwt_into_response(jwt)
  # The custom claim set is all the claims in the payload except for the standard claims.
  # The cleanest way to collect those seems to be naming what we want
  # to omit and filtering the rest to collect the custom claims.
  reserved_claims = %w[aud exp iat iss jti nbf sub]
  custom_claims = jwt.reject { |key, _| reserved_claims.include?(key) }
  {
    'scopes' => jwt['scope'].split(' '),
    'client_id' => jwt['sub'],
    'custom_claims' => custom_claims
  }
end

def perform_authorization_check(

*not* supported in the prefix piece of a scope.
Note that a scope of "*" will only match another literal "*" because wildcards are
but it is ultimately up to the developer to ensure consistency in the scopes format.
"specific_scope". It is _also_ possible to represent scopes as "resource:action",
This function assumes that scopes are of the form "action:resource" or just
A scope can match if the client has a wildcard resource or the specific resource.
scopes. Returns true if the client has all the required scopes, false otherwise.
Performs an authorization check against an M2M client and a set of required 
def perform_authorization_check(
  has_scopes:,
  required_scopes:
)
  client_scopes = Hash.new { |hash, key| hash[key] = Set.new }
  has_scopes.each do |scope|
    action = scope
    resource = '-'
    action, resource = scope.split(':') if scope.include?(':')
    client_scopes[action].add(resource)
  end
  required_scopes.each do |required_scope|
    required_action = required_scope
    required_resource = '-'
    required_action, required_resource = required_scope.split(':') if required_scope.include?(':')
    return false unless client_scopes.key?(required_action)
    resources = client_scopes[required_action]
    # The client can either have a wildcard resource or the specific resource
    return false unless resources.include?('*') || resources.include?(required_resource)
  end
  true
end

def token(client_id:, client_secret:, scopes: nil)

The type of this field is +String+.
The type of the returned access token. Today, this value will always be equal to "bearer"
token_type::
The type of this field is +Integer+.
For example, the value 3600 denotes that the access token will expire in one hour from the time the response was generated.
The lifetime in seconds of the access token.
expires_in::
The type of this field is +String+.
The access token granted to the client. Access tokens are JWTs signed with the project's JWKs.
access_token::
An object with the following fields:
== Returns:

The type of this field is nilable list of +String+.
An array scopes requested. If omitted, all scopes assigned to the client will be returned.
scopes::
The type of this field is +String+.
The secret of the client.
client_secret::
The type of this field is +String+.
The ID of the client.
client_id::
== Parameters:

M2M Access tokens contain a standard set of claims as well as any custom claims generated from templates.
Access tokens are JWTs signed with the project's JWKs, and are valid for one hour after issuance.
+token+ retrieves an access token for the given M2M Client.
MANUAL(M2M::token)(SERVICE_METHOD) 
def token(client_id:, client_secret:, scopes: nil)
  headers = {}
  request = {
    grant_type: 'client_credentials',
    client_id: client_id,
    client_secret: client_secret
  }
  request[:scope] = scopes.join(' ') unless scopes.nil?
  post_request("/v1/public/#{@project_id}/oauth2/token", request, headers)
end