Make it even less magical

jwt · Jul 22, 2024 · bb36d76 · bb36d76
1 parent 3ea39ec
commit bb36d76
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 104 deletions.
diff --git a/lib/jwt/claims.rb b/lib/jwt/claims.rb
@@ -1,5 +1,78 @@
 # frozen_string_literal: true
 
+module JWT
+  module Claims
+    DEFAULTS = {
+      leeway: 0
+    }.freeze
+
+    ClaimsContext = Struct.new(:payload, keyword_init: true)
+
+    class << self
+      def verify!(payload, options)
+        options = DEFAULTS.merge(options)
+        verify_aud(payload, options)
+        verify_expiration(payload, options)
+        verify_iat(payload, options)
+        verify_iss(payload, options)
+        verify_jti(payload, options)
+        verify_not_before(payload, options)
+        verify_sub(payload, options)
+        verify_required_claims(payload, options)
+      end
+
+      def verify_aud(payload, options)
+        return unless options[:verify_aud]
+
+        Claims::Audience.new(expected_audience: options[:aud]).validate!(context: ClaimsContext.new(payload: payload))
+      end
+
+      def verify_expiration(payload, options)
+        return unless options[:verify_expiration]
+
+        Claims::Expiration.new(leeway: options[:exp_leeway] || options[:leeway]).validate!(context: ClaimsContext.new(payload: payload))
+      end
+
+      def verify_iat(payload, options)
+        return unless options[:verify_iat]
+
+        Claims::IssuedAt.new.validate!(context: ClaimsContext.new(payload: payload))
+      end
+
+      def verify_iss(payload, options)
+        return unless options[:verify_iss]
+
+        Claims::Issuer.new(issuers: options[:iss]).validate!(context: ClaimsContext.new(payload: payload))
+      end
+
+      def verify_jti(payload, options)
+        return unless options[:verify_jti]
+
+        Claims::JwtId.new(validator: options[:verify_jti]).validate!(context: ClaimsContext.new(payload: payload))
+      end
+
+      def verify_not_before(payload, options)
+        return unless options[:verify_not_before]
+
+        Claims::NotBefore.new(leeway: options[:nbf_leeway] || options[:leeway]).validate!(context: ClaimsContext.new(payload: payload))
+      end
+
+      def verify_sub(payload, options)
+        return unless options[:verify_sub]
+        return unless options[:sub]
+
+        Claims::Subject.new(expected_subject: options[:sub]).validate!(context: ClaimsContext.new(payload: payload))
+      end
+
+      def verify_required_claims(payload, options)
+        return unless (options_required_claims = options[:required_claims])
+
+        Claims::Required.new(required_claims: options_required_claims).validate!(context: ClaimsContext.new(payload: payload))
+      end
+    end
+  end
+end
+
 require_relative 'claims/audience'
 require_relative 'claims/expiration'
 require_relative 'claims/issued_at'

diff --git a/lib/jwt/decode.rb b/lib/jwt/decode.rb
@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
 require 'json'
-
-require 'jwt/verify'
 require 'jwt/x5c_key_finder'
 
 # JWT::Decode module
@@ -113,7 +111,7 @@ def find_key(&keyfinder)
     end
 
     def verify_claims
-      Verify.verify_claims(payload, @options)
+      Claims.verify!(payload, @options)
     end
 
     def validate_segment_count!

diff --git a/lib/jwt/verify.rb b/lib/jwt/verify.rb