Module: Gitlab::JwtAuthenticatable::ClassMethods

Includes:
Utils::StrongMemoize
Defined in:
lib/gitlab/jwt_authenticatable.rb


Instance Method Details

#decode_jwt(encoded_message, jwt_secret = secret, algorithm: 'HS256', issuer: nil, iat_after: nil, audience: nil) ⇒ Object



# File 'lib/gitlab/jwt_authenticatable.rb', line 16

# Verifies +encoded_message+ against +jwt_secret+ and returns the decoded
# token in ruby-jwt's shape: a two-element array of [payload, header].
#
# Security notes:
# * +algorithm+ is handed to JWT.decode explicitly, so the token's own
#   +alg+ header does not get to choose the verification algorithm.
# * +issuer+ and +audience+ are only checked when the caller passes them;
#   a nil value means the corresponding claim is not verified here at all.
# * +iat_after+ rejects tokens issued before that point (for example tokens
#   minted before a secret rotation). When it is given, a token with no
#   +iat+ claim is rejected outright.
#
# @param encoded_message [String] the compact JWS to verify
# @param jwt_secret [String] the HMAC key; defaults to #secret
# @param algorithm [String] the JWA algorithm the token must be signed with
# @param issuer [String, nil] expected +iss+ claim, verified only when present
# @param iat_after [Integer, Time, nil] earliest acceptable +iat+ (anything responding to #to_i)
# @param audience [Object, nil] expected +aud+ value, passed through to ruby-jwt and verified only when present
# @return [Array] [payload Hash, header Hash] as returned by JWT.decode
# @raise [JWT::DecodeError] on a bad signature, a failed claim check, or a missing +iat+
# @raise [JWT::ExpiredSignature] when the token was issued before +iat_after+
def decode_jwt(
  encoded_message, jwt_secret = secret, algorithm: 'HS256', issuer: nil, iat_after: nil, audience: nil)
  verify_options = { algorithm: algorithm }

  if issuer.present?
    verify_options[:iss] = issuer
    verify_options[:verify_iss] = true
  end

  # verify_iat lets ruby-jwt validate the claim itself; the lower bound
  # against +iat_after+ is enforced by hand below.
  verify_options[:verify_iat] = true if iat_after.present?

  if audience.present?
    verify_options[:aud] = audience
    verify_options[:verify_aud] = true
  end

  # The third positional argument is +verify+: the signature is always checked.
  decoded = JWT.decode(encoded_message, jwt_secret, true, verify_options)

  if iat_after.present?
    issued_at = decoded.first['iat']
    raise JWT::DecodeError, "JWT iat claim is missing" if issued_at.blank?

    # #to_i on both sides so an Integer or a Time threshold compares the same way.
    raise JWT::ExpiredSignature, 'Token has expired' if issued_at.to_i < iat_after.to_i
  end

  decoded
end

#read_secret(path) ⇒ Object



# File 'lib/gitlab/jwt_authenticatable.rb', line 41

# Loads the shared secret from +path+.
#
# The file holds the key as a single base64 line (the format #write_secret
# produces). It is decoded strictly and must yield exactly SECRET_LENGTH
# raw bytes, so a truncated or hand-edited file fails loudly rather than
# silently weakening the key.
#
# @param path [String] file containing the base64-encoded secret
# @return [String] the raw secret bytes (binary-encoded)
# @raise [ArgumentError] if the contents are not strict base64
# @raise [RuntimeError] if the decoded length is not SECRET_LENGTH
def read_secret(path)
  encoded = File.read(path).chomp
  decoded = Base64.strict_decode64(encoded)

  unless decoded.length == SECRET_LENGTH
    raise "#{path} does not contain #{SECRET_LENGTH} bytes"
  end

  decoded
end

#secret ⇒ Object



# File 'lib/gitlab/jwt_authenticatable.rb', line 35

# The secret used to sign and verify tokens, loaded from +secret_path+.
#
# Memoized via strong_memoize, so the file is read at most once per
# process; a secret rotated on disk is not picked up until the memoized
# value is cleared or the process restarts.
# NOTE(review): +secret_path+ is assumed to be provided by the including
# class — confirm.
#
# @return [String] SECRET_LENGTH raw bytes (see #read_secret)
def secret
  strong_memoize(:secret) { read_secret(secret_path) }
end

#write_secret(path = secret_path) ⇒ Object



# File 'lib/gitlab/jwt_authenticatable.rb', line 47

# Generates a fresh random secret and stores it base64-encoded at +path+,
# owner-readable only (0600).
#
# Order matters: the file is chmod'ed before the key is written, so an
# existing file with looser bits is tightened while it is still empty.
# NOTE(review): the write is truncate-then-write, not an atomic rename, so
# a concurrent #read_secret could observe an empty or partial file.
#
# @param path [String] destination file; defaults to +secret_path+
# @return [Integer] number of bytes written (the return value of IO#write)
def write_secret(path = secret_path)
  encoded = Base64.strict_encode64(SecureRandom.random_bytes(SECRET_LENGTH))

  File.open(path, 'w:BINARY', 0600) do |file|
    # The mode given to File.open only applies when the file is created;
    # an existing file keeps its old bits, so tighten them explicitly.
    file.chmod(0600)
    file.write(encoded)
  end
end