Class: JWT::EncodedToken

Inherits:

Object

• Object
• JWT::EncodedToken

Defined in:

lib/jwt/encoded_token.rb

Overview

Represents an encoded JWT token

Processing an encoded and signed token:

token = JWT::Token.new(payload: {pay: 'load'})
token.sign!(algorithm: 'HS256', key: 'secret')

encoded_token = JWT::EncodedToken.new(token.jwt)
encoded_token.verify_signature!(algorithm: 'HS256', key: 'secret')
encoded_token.payload # => {'pay' => 'load'}

Instance Attribute Summary

• #encoded_header ⇒ String readonly

  Returns the encoded header of the JWT token.

• #encoded_payload ⇒ String

  Sets or returns the encoded payload of the JWT token.

• #encoded_signature ⇒ String readonly

  Returns the encoded signature of the JWT token.

• #jwt ⇒ String (also: #to_s) readonly

  Returns the original token provided to the class.

Instance Method Summary

• #claim_errors(*options) ⇒ Array<Symbol>

  Returns the errors of the claims of the token.

• #header ⇒ Hash

  Returns the decoded header of the JWT token.

• #initialize(jwt) ⇒ EncodedToken constructor

  Initializes a new EncodedToken instance.

• #payload ⇒ Hash

  Returns the payload of the JWT token.

• #signature ⇒ String

  Returns the decoded signature of the JWT token.

• #signing_input ⇒ String

  Returns the signing input of the JWT token.

• #unverified_payload ⇒ Hash

  Returns the payload of the JWT token without requiring the signature to have been verified.

• #valid_claims?(*options) ⇒ Boolean

  Returns whether the claims of the token are valid.

• #valid_signature?(algorithm:, key:) ⇒ Boolean

  Checks if the signature of the JWT token is valid.

• #verify!(signature:, claims: [:exp]) ⇒ nil

  Verifies the token signature and claims.

• #verify_claims!(*options) ⇒ Object

  Verifies the claims of the token.

• #verify_signature!(algorithm:, key: nil, key_finder: nil) ⇒ nil

  Verifies the signature of the JWT token.

Constructor Details

#initialize(jwt) ⇒ EncodedToken

Initializes a new EncodedToken instance.

Parameters:

• jwt (String) —

  the encoded JWT token.

Raises:

• (ArgumentError) —

  if the provided JWT is not a String.

# File 'lib/jwt/encoded_token.rb', line 39

def initialize(jwt)
  raise ArgumentError, 'Provided JWT must be a String' unless jwt.is_a?(String)

  @jwt = jwt
  @signature_verified = false
  @encoded_header, @encoded_payload, @encoded_signature = jwt.split('.')
end

Instance Attribute Details

#encoded_header ⇒ String (readonly)

Returns the encoded header of the JWT token.

Returns:

• (String) —

  the encoded header.

# File 'lib/jwt/encoded_token.rb', line 69

def encoded_header
  @encoded_header
end

#encoded_payload ⇒ String

Sets or returns the encoded payload of the JWT token.

Returns:

• (String) —

  the encoded payload.

# File 'lib/jwt/encoded_token.rb', line 90

def encoded_payload
  @encoded_payload
end

#encoded_signature ⇒ String (readonly)

Returns the encoded signature of the JWT token.

Returns:

• (String) —

  the encoded signature.

# File 'lib/jwt/encoded_token.rb', line 57

def encoded_signature
  @encoded_signature
end

#jwt ⇒ String (readonly) Also known as: to_s

Returns the original token provided to the class.

Returns:

• (String) —

  The JWT token.

# File 'lib/jwt/encoded_token.rb', line 33

def jwt
  @jwt
end

Instance Method Details

#claim_errors(*options) ⇒ Array<Symbol>

Returns the errors of the claims of the token.

Parameters:

• options (Array<Symbol>, Hash) —

  the claims to verify.

Returns:

• (Array<Symbol>) —

  the errors of the claims.

# File 'lib/jwt/encoded_token.rb', line 158

def claim_errors(*options)
  Claims::Verifier.errors(ClaimsContext.new(self), *options)
end

#header ⇒ Hash

Returns the decoded header of the JWT token.

Returns:

• (Hash) —

  the header.

# File 'lib/jwt/encoded_token.rb', line 62

def header
  @header ||= parse_and_decode(@encoded_header)
end

#payload ⇒ Hash

Returns the payload of the JWT token. Access requires the signature to have been verified.

Returns:

• (Hash) —

  the payload.

Raises:

• (JWT::DecodeError) —

  if the signature has not been verified.

# File 'lib/jwt/encoded_token.rb', line 75

def payload
  raise JWT::DecodeError, 'Verify the token signature before accessing the payload' unless @signature_verified

  decoded_payload
end

#signature ⇒ String

Returns the decoded signature of the JWT token.

Returns:

• (String) —

  the decoded signature.

# File 'lib/jwt/encoded_token.rb', line 50

def signature
  @signature ||= ::JWT::Base64.url_decode(encoded_signature || '')
end

#signing_input ⇒ String

Returns the signing input of the JWT token.

Returns:

• (String) —

  the signing input.

# File 'lib/jwt/encoded_token.rb', line 95

def signing_input
  [encoded_header, encoded_payload].join('.')
end

#unverified_payload ⇒ Hash

Returns the payload of the JWT token without requiring the signature to have been verified.

Returns:

• (Hash) —

  the payload.

# File 'lib/jwt/encoded_token.rb', line 83

def unverified_payload
  decoded_payload
end

#valid_claims?(*options) ⇒ Boolean

Returns whether the claims of the token are valid.

Parameters:

• options (Array<Symbol>, Hash) —

  the claims to verify.

Returns:

• (Boolean) —

  whether the claims are valid.

# File 'lib/jwt/encoded_token.rb', line 165

def valid_claims?(*options)
  claim_errors(*options).empty?
end

#valid_signature?(algorithm:, key:) ⇒ Boolean

Checks if the signature of the JWT token is valid.

Parameters:

• algorithm (String, Array<String>, Object, Array<Object>) —

  the algorithm(s) to use for verification.

• key (String, Array<String>) —

  the key(s) to use for verification.

Returns:

• (Boolean) —

  true if the signature is valid, false otherwise.

# File 'lib/jwt/encoded_token.rb', line 138

def valid_signature?(algorithm:, key:)
  valid = Array(JWA.resolve_and_sort(algorithms: algorithm, preferred_algorithm: header['alg'])).any? do |algo|
    Array(key).any? do |one_key|
      algo.verify(data: signing_input, signature: signature, verification_key: one_key)
    end
  end

  valid.tap { |verified| @signature_verified = verified }
end

#verify!(signature:, claims: [:exp]) ⇒ nil

Verifies the token signature and claims. By default it verifies the ‘exp’ claim.

Examples:

encoded_token.verify!(signature: { algorithm: 'HS256', key: 'secret' }, claims: [:exp])

Parameters:

• signature (Hash) —

  the parameters for signature verification (see #verify_signature!).

• claims (Array<Symbol>, Hash) (defaults to: [:exp]) —

  the claims to verify (see #verify_claims!).

Returns:

• (nil)

Raises:

• (JWT::DecodeError) —

  if the signature or claim verification fails.

# File 'lib/jwt/encoded_token.rb', line 109

def verify!(signature:, claims: [:exp])
  verify_signature!(**signature)
  claims.is_a?(Array) ? verify_claims!(*claims) : verify_claims!(claims)
  nil
end

#verify_claims!(*options) ⇒ Object

Verifies the claims of the token.

Parameters:

• options (Array<Symbol>, Hash) —

  the claims to verify.

Raises:

• (JWT::DecodeError) —

  if the claims are invalid.

# File 'lib/jwt/encoded_token.rb', line 151

def verify_claims!(*options)
  Claims::Verifier.verify!(ClaimsContext.new(self), *options)
end

#verify_signature!(algorithm:, key: nil, key_finder: nil) ⇒ nil

Verifies the signature of the JWT token.

Parameters:

• algorithm (String, Array<String>, Object, Array<Object>) —

  the algorithm(s) to use for verification.

• key (String, Array<String>) (defaults to: nil) —

  the key(s) to use for verification.

• key_finder (#call) (defaults to: nil) —

  an object responding to ‘call` to find the key for verification.

Returns:

• (nil)

Raises:

• (JWT::VerificationError) —

  if the signature verification fails.

• (ArgumentError) —

  if neither key nor key_finder is provided, or if both are provided.

# File 'lib/jwt/encoded_token.rb', line 123

def verify_signature!(algorithm:, key: nil, key_finder: nil)
  raise ArgumentError, 'Provide either key or key_finder, not both or neither' if key.nil? == key_finder.nil?

  key ||= key_finder.call(self)

  return if valid_signature?(algorithm: algorithm, key: key)

  raise JWT::VerificationError, 'Signature verification failed'
end