Class: Authentic::Validator

Inherits:

Object

• Object
• Authentic::Validator

Defined in:

lib/authentic/validator.rb

Overview

Public: validates JWTs against JWKs.

Instance Attribute Summary

• #iss_whitelist ⇒ Object readonly

  Returns the value of attribute iss_whitelist.

• #manager ⇒ Object readonly

  Returns the value of attribute manager.

• #opts ⇒ Object readonly

  Returns the value of attribute opts.

Instance Method Summary

• #decode_jwt(token) ⇒ Object

  Decodes and does basic validation of JWT.

• #ensure_valid(token) ⇒ Object

  Public: validates JWT, raises an error for invalid JWTs, errors requesting JWKs, the lack of valid JWKs, or non white listed ISS.

• #initialize(options = {}) ⇒ Validator constructor

  A new instance of Validator.

• #valid?(token) ⇒ Boolean

  Public: validates JWT, returns true if valid, false if not.

Constructor Details

#initialize(options = {}) ⇒ Validator

Returns a new instance of Validator.

Raises:

• (IncompleteOptions)

# File 'lib/authentic/validator.rb', line 12

def initialize(options = {})
  @iss_whitelist = options.fetch(:iss_whitelist) { [] }
  raise IncompleteOptions if iss_whitelist.empty?

  max_age = options.fetch(:cache_max_age) { '10h' }
  @manager = options.fetch(:key_manager) { KeyManager.new(max_age) }
end

Instance Attribute Details

#iss_whitelist ⇒ Object (readonly)

Returns the value of attribute iss_whitelist.

# File 'lib/authentic/validator.rb', line 10

def iss_whitelist
  @iss_whitelist
end

#manager ⇒ Object (readonly)

Returns the value of attribute manager.

# File 'lib/authentic/validator.rb', line 10

def manager
  @manager
end

#opts ⇒ Object (readonly)

Returns the value of attribute opts.

# File 'lib/authentic/validator.rb', line 10

def opts
  @opts
end

Instance Method Details

#decode_jwt(token) ⇒ Object

Decodes and does basic validation of JWT.

token - raw JWT.

Returns JSON::JWT

# File 'lib/authentic/validator.rb', line 62

def decode_jwt(token)
  raise InvalidToken, 'JWT was nil' unless token

  JSON::JWT.decode(token, :skip_verification).tap do |jwt|
    raise InvalidIssuer, 'JWT iss was not located in provided whitelist' unless iss_whitelist.include?(jwt[:iss])
  end
rescue JSON::JWT::InvalidFormat
  raise InvalidToken, 'JWT was in an invalid format'
end

#ensure_valid(token) ⇒ Object

Public: validates JWT, raises an error for invalid JWTs, errors requesting JWKs, the lack of valid JWKs, or non white listed ISS.

token - raw JWT.

Returns nothing.

# File 'lib/authentic/validator.rb', line 38

def ensure_valid(token)
  decode_jwt(token).tap do |jwt|
    key = manager.get(jwt)

    # Slightly more accurate to raise a key error here for nil key,
    # rather then verify raising an error that would lead to InvalidToken
    raise InvalidKey if key.nil?

    exp = Time.at(jwt[:exp])
    raise ExpiredToken, "Token expired at #{exp}" unless exp > Time.now

    jwt.verify!(key)
  end
rescue JSON::JWT::UnexpectedAlgorithm, JSON::JWT::VerificationFailed
  raise InvalidToken, 'Failed to validate token against JWK'
rescue OpenSSL::PKey::PKeyError
  raise InvalidKey
end

#valid?(token) ⇒ Boolean

Public: validates JWT, returns true if valid, false if not.

token - raw JWT.

Returns boolean.

Returns:

• (Boolean)

# File 'lib/authentic/validator.rb', line 25

def valid?(token)
  ensure_valid(token)
  true
rescue InvalidToken, ExpiredToken, InvalidKey, RequestError, InvalidIssuer
  false
end