Module: Gitlab::JwtAuthenticatable::ClassMethods
- Includes:
- Utils::StrongMemoize
- Defined in:
- lib/gitlab/jwt_authenticatable.rb
- #decode_jwt(encoded_message, jwt_secret = secret, algorithm: 'HS256', issuer: nil, iat_after: nil, audience: nil) ⇒ Object
- #read_secret(path) ⇒ Object
- #secret ⇒ Object
- #write_secret(path = secret_path) ⇒ Object
Instance Method Details
#decode_jwt(encoded_message, jwt_secret = secret, algorithm: 'HS256', issuer: nil, iat_after: nil, audience: nil) ⇒ Object
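# Decodes a JWT and verifies its signature and the requested claims.
#
# @param encoded_message [String] the compact-serialized token
# @param jwt_secret [String] HMAC key; defaults to +secret+ (the file-backed shared secret)
# @param algorithm [String] the only signing algorithm accepted; pinning it here means
#   the token's own +alg+ header cannot select a different scheme
# @param issuer [String, nil] when given, the +iss+ claim must equal it
# @param iat_after [Time, Integer, nil] when given, the +iat+ claim must be present and
#   must not be earlier than this value
# @param audience [String, nil] when given, the +aud+ claim must equal it
# @return [Array(Hash, Hash)] the +[payload, header]+ pair returned by JWT.decode
# @raise [JWT::DecodeError] on a bad signature, a failed claim check, or a missing +iat+
#   when +iat_after+ is set
# @raise [JWT::ExpiredSignature] when +iat+ is earlier than +iat_after+
def decode_jwt(encoded_message, jwt_secret = secret, algorithm: 'HS256', issuer: nil, iat_after: nil, audience: nil)
  options = { algorithm: algorithm }
  options = options.merge(iss: issuer, verify_iss: true) if issuer.present?
  # verify_iat makes the gem reject an iat that lies in the future; the lower
  # bound (iat_after) is not something the gem checks, so it is enforced below.
  options = options.merge(verify_iat: true) if iat_after.present?
  options = options.merge(aud: audience, verify_aud: true) if audience.present?

  # The +true+ argument tells JWT.decode to verify the signature before returning.
  decoded_message = JWT.decode(encoded_message, jwt_secret, true, options)
  payload = decoded_message[0]

  if iat_after.present?
    raise JWT::DecodeError, "JWT iat claim is missing" if payload['iat'].blank?

    iat = payload['iat'].to_i
    raise JWT::ExpiredSignature, 'Token has expired' if iat < iat_after.to_i
  end

  decoded_message
end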
#read_secret(path) ⇒ Object
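# Reads the Base64-encoded shared secret stored at +path+ and returns the raw bytes.
#
# @param path [String] file holding the strict-Base64 secret, optionally newline-terminated
# @return [String] the decoded secret, exactly SECRET_LENGTH bytes
# @raise [ArgumentError] if the file content is not valid strict Base64
# @raise [RuntimeError] if the decoded secret is not SECRET_LENGTH bytes; the message
#   names the path but never includes the secret material itself
def read_secret(path)
  # chomp tolerates the single trailing newline an editor may have appended.
  Base64.strict_decode64(File.read(path).chomp).tap do |bytes|
    raise "#{path} does not contain #{SECRET_LENGTH} bytes" if bytes.length != SECRET_LENGTH
  end
end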
#secret ⇒ Object
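# The shared secret used to sign and verify tokens, read from +secret_path+ on
# first use and memoized, so the file is not re-read on later calls.
#
# @return [String] SECRET_LENGTH raw bytes (see +read_secret+)
# @raise [RuntimeError, ArgumentError] propagated from +read_secret+ when the file
#   is malformed or has the wrong length
def secret
  strong_memoize(:secret) do
    read_secret(secret_path)
  end
end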
#write_secret(path = secret_path) ⇒ Object
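# Generates a fresh random secret and writes it, Base64-encoded, to +path+.
#
# The file is created owner-read/write only (0600). If it already exists, the
# mode argument to File.open is ignored, so the mode is also set explicitly on
# the open descriptor before any bytes are written. An existing file is
# truncated and replaced in place (not written atomically), so this serves as
# key rotation as well as first-time setup.
#
# @param path [String] destination file; defaults to +secret_path+
# @return [Integer] the number of bytes written, as returned by IO#write
def write_secret(path = secret_path)
  bytes = SecureRandom.random_bytes(SECRET_LENGTH)

  File.open(path, 'w:BINARY', 0o600) do |f|
    f.chmod(0o600) # If the file already existed, the '0600' passed to 'open' above was a no-op.
    f.write(Base64.strict_encode64(bytes))
  end
end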