module Sandal::Claims

A module that can be mixed into Hash-like objects to provide claims-related functionality.

Public Instance Methods

validate_aud(valid_aud)

Validates the audience claim. The "aud" claim may be a single string or an array of strings; the check passes when at least one of its values appears in valid_aud.

@param valid_aud [Array] The valid audiences. A nil or empty list disables the check entirely.
@return [void]
@raise [Sandal::ClaimError] The "aud" claim value does not contain a valid audience.
# File lib/sandal/claims.rb, line 69
def validate_aud(valid_aud)
  # No allow-list configured: the audience is not checked at all.
  return unless valid_aud && valid_aud.length > 0

  # RFC 7519 allows "aud" to be a string or an array; normalise to an array.
  aud = self["aud"]
  aud = [aud] unless aud.is_a?(Array)
  unless (aud & valid_aud).length > 0
    raise Sandal::ClaimError, "The audience is invalid."
  end
end
validate_claims(options = {})

Validates the set of claims. The "exp" and "nbf" checks run unless explicitly ignored; the "iss" and "aud" checks run only when the corresponding allow-list option is a non-empty array, so a caller that omits :valid_iss or :valid_aud gets no issuer or audience validation.

@param options [Hash] The claim validation options (see {Sandal::DEFAULT_OPTIONS} for details): :max_clock_skew, :ignore_exp, :ignore_nbf, :valid_iss and :valid_aud.
@return [Hash] A reference to self.
@raise [Sandal::ClaimError] One or more claims is invalid.
# File lib/sandal/claims.rb, line 12
def validate_claims(options = {})
  validate_exp(options[:max_clock_skew]) unless options[:ignore_exp]
  validate_nbf(options[:max_clock_skew]) unless options[:ignore_nbf]
  validate_iss(options[:valid_iss])
  validate_aud(options[:valid_aud])
  self
end
validate_exp(max_clock_skew = 0)

Validates the expires claim. A token is treated as expired when "exp" is at or before (now - max_clock_skew), so the skew is a grace period after the nominal expiry. A token that carries no "exp" claim at all passes this check; callers that require bounded lifetimes must check for the claim's presence themselves.

@param max_clock_skew [Numeric] The maximum clock skew, in seconds. A nil value is treated as 0.
@return [void]
@raise [Sandal::ClaimError] The "exp" claim is invalid.
@raise [Sandal::ExpiredTokenError] The token has expired.
# File lib/sandal/claims.rb, line 26
def validate_exp(max_clock_skew = 0)
  max_clock_skew ||= 0

  # nil when the claim is absent, so a token without "exp" is not rejected here.
  exp = time_claim("exp")
  if exp && exp <= (Time.now - max_clock_skew)
    raise Sandal::ExpiredTokenError, "The token has expired."
  end
end
validate_iss(valid_iss)

Validates the issuer claim. The "iss" value must match one of the configured issuers exactly (Array#include?); there is no prefix or pattern matching.

@param valid_iss [Array] The valid issuers. A nil or empty list disables the check entirely.
@return [void]
@raise [Sandal::ClaimError] The "iss" claim value is not a valid issuer.
# File lib/sandal/claims.rb, line 55
def validate_iss(valid_iss)
  return unless valid_iss && valid_iss.length > 0

  unless valid_iss.include?(self["iss"])
    raise Sandal::ClaimError, "The issuer is invalid."
  end
end
validate_nbf(max_clock_skew = 0)

Validates the not-before claim. A token is rejected when "nbf" is after (now + max_clock_skew), so the skew tolerates an issuer clock that runs slightly ahead of the verifier's. A token without an "nbf" claim passes this check.

@param max_clock_skew [Numeric] The maximum clock skew, in seconds. A nil value is treated as 0.
@return [void]
@raise [Sandal::ClaimError] The "nbf" claim is invalid, or the token is not valid yet.
# File lib/sandal/claims.rb, line 41
def validate_nbf(max_clock_skew = 0)
  max_clock_skew ||= 0

  nbf = time_claim("nbf")
  if nbf && nbf > (Time.now + max_clock_skew)
    raise Sandal::ClaimError, "The token is not valid yet."
  end
end

Private Instance Methods

time_claim(name)

Gets the value of a claim as a Time. Returns nil when the claim is absent; any value that Time.at cannot convert (for example a string) is reported as an invalid claim rather than propagating the underlying TypeError.

@param name [String] The claim name.
@return [Time, nil] The claim value as a Time, or nil if the claim is not present.
@raise [Sandal::ClaimError] The claim value cannot be converted to a Time.

# File lib/sandal/claims.rb, line 82
def time_claim(name)
  claim = self[name]
  if claim
    begin
      Time.at(claim)
    rescue
      raise Sandal::ClaimError, "The \"#{name}\" claim is invalid."
    end
  end
end
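The following is an added, self-contained example and not code from the sandal gem: it re-creates the validation logic documented above as a module mixed into a Hash subclass and drives it through the edge cases a verifier should know about (skew as a grace period, a missing "exp" passing unchecked, a nil allow-list disabling the issuer check, a string-valued "exp" surfacing as a claim error). The ClaimsExample namespace, its error classes, the Token class, check/check_required_exp and the SAMPLES claim sets are all constructed for this example.

```ruby
# Added example (not the sandal gem's own code): a stand-in for Sandal::Claims
# plus a driver that maps each validation outcome to a symbol.
module ClaimsExample
  class ClaimError < StandardError; end          # assumed; mirrors Sandal::ClaimError
  class ExpiredTokenError < ClaimError; end      # assumed; mirrors Sandal::ExpiredTokenError

  module Claims
    def validate_claims(options = {})
      validate_exp(options[:max_clock_skew]) unless options[:ignore_exp]
      validate_nbf(options[:max_clock_skew]) unless options[:ignore_nbf]
      validate_iss(options[:valid_iss])
      validate_aud(options[:valid_aud])
      self
    end

    # Expired when exp <= now - skew: the skew is a grace period after expiry.
    # A token with no "exp" claim is NOT rejected here.
    def validate_exp(max_clock_skew = 0)
      max_clock_skew ||= 0
      exp = time_claim("exp")
      raise ExpiredTokenError, "The token has expired." if exp && exp <= (Time.now - max_clock_skew)
    end

    # Not yet valid when nbf > now + skew: the skew tolerates an issuer clock running ahead.
    def validate_nbf(max_clock_skew = 0)
      max_clock_skew ||= 0
      nbf = time_claim("nbf")
      raise ClaimError, "The token is not valid yet." if nbf && nbf > (Time.now + max_clock_skew)
    end

    # A nil or empty allow-list disables the issuer check entirely.
    def validate_iss(valid_iss)
      return unless valid_iss && valid_iss.length > 0
      raise ClaimError, "The issuer is invalid." unless valid_iss.include?(self["iss"])
    end

    # "aud" may be a string or an array; any overlap with valid_aud passes.
    def validate_aud(valid_aud)
      return unless valid_aud && valid_aud.length > 0
      aud = self["aud"]
      aud = [aud] unless aud.is_a?(Array)
      raise ClaimError, "The audience is invalid." if (aud & valid_aud).empty?
    end

    private

    # nil when absent; a non-numeric value (e.g. a string) becomes a ClaimError.
    def time_claim(name)
      claim = self[name]
      return nil unless claim
      Time.at(claim)
    rescue StandardError
      raise ClaimError, "The \"#{name}\" claim is invalid."
    end
  end

  class Token < Hash
    include Claims
  end

  REASONS = {
    "The token has expired."      => :expired,
    "The token is not valid yet." => :not_yet,
    "The issuer is invalid."      => :bad_iss,
    "The audience is invalid."    => :bad_aud,
  }.freeze

  # Runs validate_claims on a claim set and returns :ok or a reason symbol.
  def self.check(claims, options = {})
    Token[claims].validate_claims(options)
    :ok
  rescue ClaimError => e
    REASONS.fetch(e.message, :bad_claim)   # unknown message => malformed claim value
  end

  # Hardened wrapper: the module lets a token without "exp" through, so a
  # verifier that wants bounded lifetimes has to require the claim itself.
  def self.check_required_exp(claims, options = {})
    return :missing_exp unless claims.key?("exp")
    check(claims, options)
  end

  NOW = Time.now.to_i
  SAMPLES = {   # constructed claim sets for the demonstration
    fresh:        { "exp" => NOW + 300, "iss" => "https://idp.example", "aud" => "api" },
    just_expired: { "exp" => NOW - 10 },
    no_exp:       { "iss" => "https://idp.example" },
    wrong_aud:    { "aud" => ["web", "mobile"] },
    future_nbf:   { "nbf" => NOW + 60 },
    string_exp:   { "exp" => "tomorrow" },
  }.freeze
end

if $PROGRAM_NAME == __FILE__
  ClaimsExample::SAMPLES.each do |name, claims|
    puts "#{name}: #{ClaimsExample.check(claims, max_clock_skew: 0, valid_aud: ["api"])}"
  end
end
```

The two behaviours worth remembering from the run: a token that expired 10 seconds ago is accepted with a 30-second skew, and a token with no "exp" at all is accepted with any skew; the wrapper shows where the presence check has to live if the application needs it.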