Make extending algorithms easier

Co-authored-by: Matteo Pierro <[email protected]>

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [v2.8.3](https://github.com/jwt/ruby-jwt/tree/v2.8.3) (NEXT)
+
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.2...main)
+
+**Features:**
+
+- Your contribution here
+
+**Fixes and enhancements:**
+
+- Refactor claim validators into their own classes [#605](https://github.com/jwt/ruby-jwt/pull/605) ([@anakinj](https://github.com/anakinj), [@MatteoPierro](https://github.com/MatteoPierro))
+- Allow extending available algorithms [#607](https://github.com/jwt/ruby-jwt/pull/607) ([@anakinj](https://github.com/anakinj))
+- Your contribution here
+
 ## [v2.8.2](https://github.com/jwt/ruby-jwt/tree/v2.8.2) (2024-06-18)
 
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.1...v2.8.2)

README.md

@@ -223,18 +223,22 @@ puts decoded_token
 
 ### **Custom algorithms**
 
-An object implementing custom signing or verification behaviour can be passed in the `algorithm` option when encoding and decoding. The given object needs to implement the method `valid_alg?` and `verify` and/or `alg` and `sign`, depending if object is used for encoding or decoding.
+When encoding or decoding a token, you can pass in a custom object through the `algorithm` option to handle signing or verification. This custom object must include or extend the `JWT::JWA::SigningAlgorithm` module and implement certain methods:
+
+- For decoding/verifying: The object must implement the methods `alg` and `verify`.
+- For encoding/signing: The object must implement the methods `alg` and `sign`.
+
+For customization options check the details from `JWT::JWA::SigningAlgorithm`.
+
 
 ```ruby
 module CustomHS512Algorithm
+  extend JWT::JWA::SigningAlgorithm
+
   def self.alg
     'HS512'
   end
 
-  def self.valid_alg?(alg_to_validate)
-    alg_to_validate == alg
-  end
-
   def self.sign(data:, signing_key:)
     OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha512'), data, signing_key)
   end

lib/jwt.rb

@@ -9,6 +9,7 @@
 require 'jwt/encode'
 require 'jwt/error'
 require 'jwt/jwk'
+require 'jwt/claims'
 
 # JSON Web Token implementation
 #

lib/jwt/claims.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative 'claims/audience'
+require_relative 'claims/expiration'
+require_relative 'claims/issued_at'
+require_relative 'claims/issuer'
+require_relative 'claims/jwt_id'
+require_relative 'claims/not_before'
+require_relative 'claims/numeric'
+require_relative 'claims/required'
+require_relative 'claims/subject'
+
+module JWT
+  module Claims
+    VerificationContext = Struct.new(:payload, keyword_init: true)
+
+    VERIFIERS = {
+      verify_expiration: ->(options) { Claims::Expiration.new(leeway: options[:exp_leeway] || options[:leeway]) },
+      verify_not_before: ->(options) { Claims::NotBefore.new(leeway: options[:nbf_leeway] || options[:leeway]) },
+      verify_iss: ->(options) { Claims::Issuer.new(issuers: options[:iss]) },
+      verify_iat: ->(*) { Claims::IssuedAt.new },
+      verify_jti: ->(options) { Claims::JwtId.new(validator: options[:verify_jti]) },
+      verify_aud: ->(options) { Claims::Audience.new(expected_audience: options[:aud]) },
+      verify_sub: ->(options) { options[:sub] && Claims::Subject.new(expected_subject: options[:sub]) },
+      required_claims: ->(options) { Claims::Required.new(required_claims: options[:required_claims]) }
+    }.freeze
+
+    class << self
+      def verify!(payload, options)
+        VERIFIERS.each do |key, verifier_builder|
+          next unless options[key]
+
+          verifier_builder&.call(options)&.verify!(context: VerificationContext.new(payload: payload))
+        end
+      end
+    end
+  end
+end

lib/jwt/claims/audience.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Audience
+      def initialize(expected_audience:)
+        @expected_audience = expected_audience
+      end
+
+      def verify!(context:, **_args)
+        aud = context.payload['aud']
+        raise JWT::InvalidAudError, "Invalid audience. Expected #{expected_audience}, received #{aud || '<none>'}" if ([*aud] & [*expected_audience]).empty?
+      end
+
+      private
+
+      attr_reader :expected_audience
+    end
+  end
+end

lib/jwt/claims/expiration.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Expiration
+      def initialize(leeway:)
+        @leeway = leeway || 0
+      end
+
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('exp')
+
+        raise JWT::ExpiredSignature, 'Signature has expired' if context.payload['exp'].to_i <= (Time.now.to_i - leeway)
+      end
+
+      private
+
+      attr_reader :leeway
+    end
+  end
+end

lib/jwt/claims/issued_at.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class IssuedAt
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('iat')
+
+        iat = context.payload['iat']
+        raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(::Numeric) || iat.to_f > Time.now.to_f
+      end
+    end
+  end
+end

lib/jwt/claims/issuer.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Issuer
+      def initialize(issuers:)
+        @issuers = Array(issuers).map { |item| item.is_a?(Symbol) ? item.to_s : item }
+      end
+
+      def verify!(context:, **_args)
+        case (iss = context.payload['iss'])
+        when *issuers
+          nil
+        else
+          raise JWT::InvalidIssuerError, "Invalid issuer. Expected #{issuers}, received #{iss || '<none>'}"
+        end
+      end
+
+      private
+
+      attr_reader :issuers
+    end
+  end
+end

lib/jwt/claims/jwt_id.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class JwtId
+      def initialize(validator:)
+        @validator = validator
+      end
+
+      def verify!(context:, **_args)
+        jti = context.payload['jti']
+        if validator.respond_to?(:call)
+          verified = validator.arity == 2 ? validator.call(jti, context.payload) : validator.call(jti)
+          raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
+        elsif jti.to_s.strip.empty?
+          raise(JWT::InvalidJtiError, 'Missing jti')
+        end
+      end
+
+      private
+
+      attr_reader :validator
+    end
+  end
+end

lib/jwt/claims/not_before.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class NotBefore
+      def initialize(leeway:)
+        @leeway = leeway || 0
+      end
+
+      def verify!(context:, **_args)
+        return unless context.payload.is_a?(Hash)
+        return unless context.payload.key?('nbf')
+
+        raise JWT::ImmatureSignature, 'Signature nbf has not been reached' if context.payload['nbf'].to_i > (Time.now.to_i + leeway)
+      end
+
+      private
+
+      attr_reader :leeway
+    end
+  end
+end

lib/jwt/claims/numeric.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Numeric
+      def self.verify!(payload:, **_args)
+        return unless payload.is_a?(Hash)
+
+        new(payload).verify!
+      end
+
+      NUMERIC_CLAIMS = %i[
+        exp
+        iat
+        nbf
+      ].freeze
+
+      def initialize(payload)
+        @payload = payload.transform_keys(&:to_sym)
+      end
+
+      def verify!
+        validate_numeric_claims
+
+        true
+      end
+
+      private
+
+      def validate_numeric_claims
+        NUMERIC_CLAIMS.each do |claim|
+          validate_is_numeric(claim) if @payload.key?(claim)
+        end
+      end
+
+      def validate_is_numeric(claim)
+        return if @payload[claim].is_a?(::Numeric)
+
+        raise InvalidPayload, "#{claim} claim must be a Numeric value but it is a #{@payload[claim].class}"
+      end
+    end
+  end
+end

lib/jwt/claims/required.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Required
+      def initialize(required_claims:)
+        @required_claims = required_claims
+      end
+
+      def verify!(context:, **_args)
+        required_claims.each do |required_claim|
+          next if context.payload.is_a?(Hash) && context.payload.key?(required_claim)
+
+          raise JWT::MissingRequiredClaim, "Missing required claim #{required_claim}"
+        end
+      end
+
+      private
+
+      attr_reader :required_claims
+    end
+  end
+end

lib/jwt/claims/subject.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module JWT
+  module Claims
+    class Subject
+      def initialize(expected_subject:)
+        @expected_subject = expected_subject.to_s
+      end
+
+      def verify!(context:, **_args)
+        sub = context.payload['sub']
+        raise(JWT::InvalidSubError, "Invalid subject. Expected #{expected_subject}, received #{sub || '<none>'}") unless sub.to_s == expected_subject
+      end
+
+      private
+
+      attr_reader :expected_subject
+    end
+  end
+end

lib/jwt/decode.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 require 'json'
-
-require 'jwt/verify'
 require 'jwt/x5c_key_finder'
 
 # JWT::Decode module
@@ -92,7 +90,7 @@ def allowed_algorithms
     end
 
     def resolve_allowed_algorithms
-      algs = given_algorithms.map { |alg| JWA.create(alg) }
+      algs = given_algorithms.map { |alg| JWA.resolve(alg) }
 
       sort_by_alg_header(algs)
     end
@@ -113,8 +111,7 @@ def find_key(&keyfinder)
     end
 
     def verify_claims
-      Verify.verify_claims(payload, @options)
-      Verify.verify_required_claims(payload, @options)
+      Claims.verify!(payload, @options)
     end
 
     def validate_segment_count!