Add duplicate claim name detection per RFC 7519 Section 4 #713
Conversation
ydah
force-pushed
the
duplicate_claim_detection
branch
from
0838041 to
bf095f9
Compare
|
Overall I support this feature and think it should be the default behavior. My biggest concern is adding a lot of logic to this now it will stay and live in the gem in the future. Would almost just like to require |
ydah
force-pushed
the
duplicate_claim_detection
branch
from
1acb9e3 to
11450ac
Compare
| os: | ||
| - ubuntu-latest | ||
| ruby: | ||
| - "2.5" |
There was a problem hiding this comment.
MEMO: We added json gem >= 2.13.0 to the dependencies, but this version requires Ruby 2.7+. Since ruby-jwt has required_ruby_version = ‘>= 2.5’, dependency resolution fails during bundle install in a Ruby 2.5 environment.
There was a problem hiding this comment.
Would like to support as many versions as possible, what about dynamically figure out if its possible to enable this feature or not.
There was a problem hiding this comment.
Indeed, I've restored support for 2.5 and 2.6.
|
I updated this PR. WDYT? |
lib/jwt/json.rb
Outdated
| # JWT::JSON.parse('{"a":1,"a":2}', allow_duplicate_keys: false) | ||
| # # => raises JWT::DuplicateKeyError | ||
| def parse(data, allow_duplicate_keys: true) | ||
| ::JSON.parse(data, allow_duplicate_key: allow_duplicate_keys) |
There was a problem hiding this comment.
This is problematic in a way that when JSON 3.0 ships with the switched default we still are allowing duplicate keys by default. Would rather at that point enforce the new default for everyone.
Could we pass the parameter to the JSON lib only if the parameter is false,
There was a problem hiding this comment.
I fixed it. Please point out if I understand something wrong.
| # @return [self] | ||
| # @raise [JWT::DuplicateKeyError] if duplicate keys are found during subsequent parsing. | ||
| def raise_on_duplicate_keys! | ||
| @allow_duplicate_keys = false |
There was a problem hiding this comment.
Could we here detect if the JSON gem is supporting the feature and raise if we are not compatible? Would allow us to support older Ruby versions still.
There was a problem hiding this comment.
It sounds good! I modified it that way. WDYT?
lib/jwt/encoded_token.rb
Outdated
| # encoded_token.verify_signature!(algorithm: 'HS256', key: 'secret') | ||
| # encoded_token.payload # => {'pay' => 'load'} | ||
| class EncodedToken | ||
| class EncodedToken # rubocop:disable Metrics/ClassLength |
There was a problem hiding this comment.
Wonder if we could do something to not need to disable cops 🤔
There was a problem hiding this comment.
I've extracted some classes. WDYT?
ydah
force-pushed
the
duplicate_claim_detection
branch
from
225ddb0 to
6ef1d19
Compare
Implements duplicate claim name detection as specified in RFC 7519 Section 4, which states: > The Claim Names within a JWT Claims Set MUST be unique; JWT parsers MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name. This feature allows users to reject JWTs that contain duplicate keys in the header or payload, which is recommended for security-sensitive applications to prevent claim confusion attacks.
…on a runtime feature check instead of a hard dependency on json >= 2.13.0
… single call with conditional options
…licate_keys! method
… SignatureVerifier classes to reduce class complexity
…N gem version support
ydah
force-pushed
the
duplicate_claim_detection
branch
from
905c978 to
ad53ab7
Compare
2 participants
Description
Implements duplicate claim name detection as specified in RFC 7519 Section 4, which states:
see: https://datatracker.ietf.org/doc/html/rfc7519#section-4
This feature allows users to reject JWTs that contain duplicate keys in the header or payload, which is recommended for security-sensitive applications to prevent claim confusion attacks.
Checklist
Before the PR can be merged be sure the following are checked: