Module: Sandal::Claims

Defined in:

lib/sandal/claims.rb

Overview

A module that can be mixed into Hash-like objects to provide claims-related functionality.

Instance Method Summary

• #validate_aud(valid_aud) ⇒ void

  Validates the audience claim.

• #validate_claims(options = {}) ⇒ Hash

  Validates the set of claims.

• #validate_exp(max_clock_skew = 0) ⇒ void

  Validates the expires claim.

• #validate_iss(valid_iss) ⇒ void

  Validates the issuer claim.

• #validate_nbf(max_clock_skew = 0) ⇒ void

  Validates the not-before claim.

Instance Method Details

#validate_aud(valid_aud) ⇒ void

This method returns an undefined value.

Validates the audience claim.

Parameters:

• valid_aud (Array) —

  The valid audiences.

Raises:

• (Sandal::ClaimError) —

  The “aud” claim value does not contain a valid audience.

# File 'lib/sandal/claims.rb', line 69

def validate_aud(valid_aud)
  return unless valid_aud && valid_aud.length > 0

  aud = self["aud"]
  aud = [aud] unless aud.is_a?(Array)
  unless (aud & valid_aud).length > 0
    raise Sandal::ClaimError, "The audence is invalid."
  end
end

#validate_claims(options = {}) ⇒ Hash

Validates the set of claims.

Parameters:

• options (Hash) (defaults to: {}) —

  The claim validation options (see DEFAULT_OPTIONS for details).

Returns:

• (Hash) —

  A reference to self.

Raises:

• (Sandal::ClaimError) —

  One or more claims is invalid.

# File 'lib/sandal/claims.rb', line 12

def validate_claims(options = {})
  validate_exp(options[:max_clock_skew]) unless options[:ignore_exp]
  validate_nbf(options[:max_clock_skew]) unless options[:ignore_nbf]
  validate_iss(options[:valid_iss])
  validate_aud(options[:valid_aud])
  self
end

#validate_exp(max_clock_skew = 0) ⇒ void

This method returns an undefined value.

Validates the expires claim.

Parameters:

• max_clock_skew (Numeric) (defaults to: 0) —

  The maximum clock skew, in seconds.

Raises:

• (Sandal::ClaimError) —

  The “exp” claim is invalid, or the token has expired.

# File 'lib/sandal/claims.rb', line 26

def validate_exp(max_clock_skew = 0)
  max_clock_skew ||= 0

  exp = time_claim("exp")
  if exp && exp <= (Time.now - max_clock_skew)
    raise Sandal::ExpiredTokenError, "The token has expired." 
  end
end

#validate_iss(valid_iss) ⇒ void

This method returns an undefined value.

Validates the issuer claim.

Parameters:

• valid_iss (Array) —

  The valid issuers.

Raises:

• (Sandal::ClaimError) —

  The “iss” claim value is not a valid issuer.

# File 'lib/sandal/claims.rb', line 55

def validate_iss(valid_iss)
  return unless valid_iss && valid_iss.length > 0

  unless valid_iss.include?(self["iss"])
    raise Sandal::ClaimError, "The issuer is invalid."
  end
end

#validate_nbf(max_clock_skew = 0) ⇒ void

This method returns an undefined value.

Validates the not-before claim.

Parameters:

• max_clock_skew (Numeric) (defaults to: 0) —

  The maximum clock skew, in seconds.

Raises:

• (Sandal::ClaimError) —

  The “nbf” claim is invalid, or the token is not valid yet.

# File 'lib/sandal/claims.rb', line 41

def validate_nbf(max_clock_skew = 0)
  max_clock_skew ||= 0

  nbf = time_claim("nbf")
  if nbf && nbf > (Time.now + max_clock_skew)
    raise Sandal::ClaimError, "The token is not valid yet."
  end
end