std.jwt
Types
enum Algorithm
type DecodeKey = Hmac | VerifyingKey | PublicKey | VerifyingKey
type EncodeKey = Hmac | SigningKey | PrivateKey | SigningKey
struct Header
struct Jwk
type JwkSet = [Jwk]
enum JwtError
struct RegisteredClaims
struct Validation
Functions
decode
pub fn decode<T>(key: DecodeKey, token: string, validation: Validation = Validation {}): T throws JwtError, JsonError
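/// Decode and validate a JWT.
///
/// Splits `token` into its three dot-separated segments, parses the header, checks the
/// signature when `validation.validate_signature` is set, validates the registered claims
/// against `validation`, and finally parses the payload into `T`.
///
/// Throws:
/// - `JwtError.MissingRequiredClaim` / `JwtError.MissingAlgorithm` when signature validation is
///   requested but `validation` lists no required claims / no accepted algorithms.
/// - `JwtError.InvalidToken` when the token does not have three segments, or the header or
///   payload segment cannot be decoded and parsed.
/// - `JwtError.InvalidAlgorithm` when the header algorithm is not in `validation.algorithms`.
/// - `JwtError.InvalidSignature` when the signature segment is not valid base64url.
/// - Whatever `check_signature` and `validate` throw.
///
/// Security: when `validation.validate_signature` is false, neither the algorithm allow-list
/// nor the signature is checked, so the returned claims are unauthenticated input.
pub fn decode<T>(
    key: DecodeKey, token: string, validation: Validation = Validation {}
): T throws JwtError, JsonError {
    // An empty policy is rejected up front instead of silently accepting every token.
    if (validation.validate_signature && validation.required_spec_claims.is_empty()) {
        throw JwtError.MissingRequiredClaim;
    }
    if (validation.validate_signature && validation.algorithms.is_empty()) {
        throw JwtError.MissingAlgorithm;
    }

    let parts = token.split(".");
    if (parts.len() != 3) {
        throw JwtError.InvalidToken;
    }
    let header_b64 = parts[0];
    let payload_b64 = parts[1];
    let signature_b64 = parts[2];
    // The signed message is the `header.payload` prefix of the token exactly as received;
    // the `+ 1` accounts for the dot between the two segments.
    let message = token.slice(0, header_b64.len() + payload_b64.len() + 1).bytes();

    let header = try? json
        .parse::<Header>(base64.decode(header_b64, mode: Base64Mode.URLSafeNoPadding)) else {
        throw JwtError.InvalidToken;
    };

    if (validation.validate_signature) {
        // The header is attacker-controlled, so its algorithm is only honoured when the caller
        // has explicitly allowed it.
        if (!validation.algorithms.contains(header.algorithm)) {
            throw JwtError.InvalidAlgorithm;
        }
        let signature = try? base64.decode(signature_b64, mode: Base64Mode.URLSafeNoPadding) else {
            throw JwtError.InvalidSignature;
        };
        // NOTE(review): check_signature is defined elsewhere; presumably it also rejects a key
        // whose type does not fit header.algorithm. Confirm.
        try check_signature(key, header.algorithm, message, signature);
    }

    // A payload segment that is not valid base64url is reported as InvalidToken, like every
    // other malformed segment. The token is untrusted input, so a bad segment must surface as
    // an error the caller can catch rather than abort through `try!`.
    let payload = try? base64.decode(payload_b64, mode: Base64Mode.URLSafeNoPadding) else {
        throw JwtError.InvalidToken;
    };
    // The registered claims are validated before the payload is handed back as `T`.
    let claims = try? json.parse::<RegisteredClaims>(payload) else {
        throw JwtError.InvalidToken;
    };
    try validate(claims, validation);
    return try json.parse(payload);
}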
Decode and validate a JWT
decode
pub fn decode<T>(key: DecodeKey, token: string, validation: Validation = Validation {}): T throws JwtError, JsonError
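/// Decode and validate a JWT.
///
/// Splits `token` into its three dot-separated segments, parses the header, checks the
/// signature when `validation.validate_signature` is set, validates the registered claims
/// against `validation`, and finally parses the payload into `T`.
///
/// Throws:
/// - `JwtError.MissingRequiredClaim` / `JwtError.MissingAlgorithm` when signature validation is
///   requested but `validation` lists no required claims / no accepted algorithms.
/// - `JwtError.InvalidToken` when the token does not have three segments, or the header or
///   payload segment cannot be decoded and parsed.
/// - `JwtError.InvalidAlgorithm` when the header algorithm is not in `validation.algorithms`.
/// - `JwtError.InvalidSignature` when the signature segment is not valid base64url.
/// - Whatever `check_signature` and `validate` throw.
///
/// Security: when `validation.validate_signature` is false, neither the algorithm allow-list
/// nor the signature is checked, so the returned claims are unauthenticated input.
pub fn decode<T>(
    key: DecodeKey, token: string, validation: Validation = Validation {}
): T throws JwtError, JsonError {
    // An empty policy is rejected up front instead of silently accepting every token.
    if (validation.validate_signature && validation.required_spec_claims.is_empty()) {
        throw JwtError.MissingRequiredClaim;
    }
    if (validation.validate_signature && validation.algorithms.is_empty()) {
        throw JwtError.MissingAlgorithm;
    }

    let parts = token.split(".");
    if (parts.len() != 3) {
        throw JwtError.InvalidToken;
    }
    let header_b64 = parts[0];
    let payload_b64 = parts[1];
    let signature_b64 = parts[2];
    // The signed message is the `header.payload` prefix of the token exactly as received;
    // the `+ 1` accounts for the dot between the two segments.
    let message = token.slice(0, header_b64.len() + payload_b64.len() + 1).bytes();

    let header = try? json
        .parse::<Header>(base64.decode(header_b64, mode: Base64Mode.URLSafeNoPadding)) else {
        throw JwtError.InvalidToken;
    };

    if (validation.validate_signature) {
        // The header is attacker-controlled, so its algorithm is only honoured when the caller
        // has explicitly allowed it.
        if (!validation.algorithms.contains(header.algorithm)) {
            throw JwtError.InvalidAlgorithm;
        }
        let signature = try? base64.decode(signature_b64, mode: Base64Mode.URLSafeNoPadding) else {
            throw JwtError.InvalidSignature;
        };
        // NOTE(review): check_signature is defined elsewhere; presumably it also rejects a key
        // whose type does not fit header.algorithm. Confirm.
        try check_signature(key, header.algorithm, message, signature);
    }

    // A payload segment that is not valid base64url is reported as InvalidToken, like every
    // other malformed segment. The token is untrusted input, so a bad segment must surface as
    // an error the caller can catch rather than abort through `try!`.
    let payload = try? base64.decode(payload_b64, mode: Base64Mode.URLSafeNoPadding) else {
        throw JwtError.InvalidToken;
    };
    // The registered claims are validated before the payload is handed back as `T`.
    let claims = try? json.parse::<RegisteredClaims>(payload) else {
        throw JwtError.InvalidToken;
    };
    try validate(claims, validation);
    return try json.parse(payload);
}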
Decode and validate a JWT
Decode and validate a JWT
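If the token or its signature is invalid or the claims fail validation, it will throw an error. The signature is checked only when `validation.validate_signature` is set; with it disabled, the returned claims are unauthenticated.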
decode_header
pub fn decode_header(token: string): Header throws JwtError, JsonError
/// Parse and return the header segment of a JWT without verifying anything.
///
/// Only the text before the first "." is looked at; the payload and signature segments are
/// never read. Throws `JwtError.InvalidToken` when the token contains no "." or when the
/// header segment cannot be base64url-decoded and parsed as a `Header`.
///
/// Security: the returned header is unauthenticated. Treat its fields as untrusted input until
/// `decode` has verified the token.
pub fn decode_header(token: string): Header throws JwtError, JsonError {
    // Everything up to the first separator is the encoded header.
    let dot = token.find(".") else {
        throw JwtError.InvalidToken;
    };
    let encoded = token.slice(0, dot);
    // Decoding and parsing failures are both reported as an invalid token.
    let parsed = try? json
        .parse::<Header>(base64.decode(encoded, mode: Base64Mode.URLSafeNoPadding)) else {
        throw JwtError.InvalidToken;
    };
    return parsed;
}
Decode a JWT without any signature verification/validations and return its header.
decode_header
pub fn decode_header(token: string): Header throws JwtError, JsonError
/// Parse and return the header segment of a JWT without verifying anything.
///
/// Only the text before the first "." is looked at; the payload and signature segments are
/// never read. Throws `JwtError.InvalidToken` when the token contains no "." or when the
/// header segment cannot be base64url-decoded and parsed as a `Header`.
///
/// Security: the returned header is unauthenticated. Treat its fields as untrusted input until
/// `decode` has verified the token.
pub fn decode_header(token: string): Header throws JwtError, JsonError {
    // Everything up to the first separator is the encoded header.
    let dot = token.find(".") else {
        throw JwtError.InvalidToken;
    };
    let encoded = token.slice(0, dot);
    // Decoding and parsing failures are both reported as an invalid token.
    let parsed = try? json
        .parse::<Header>(base64.decode(encoded, mode: Base64Mode.URLSafeNoPadding)) else {
        throw JwtError.InvalidToken;
    };
    return parsed;
}
Decode a JWT without any signature verification/validations and return its header.
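Decode a JWT without any signature verification or claim validation and return its header. The returned header is unauthenticated, so treat its fields as untrusted input until `decode` has verified the token.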
encode
pub fn encode<T>(key: EncodeKey, header: Header, claims: T): string throws JwtError, JsonError
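/// Encode `header` and `claims` as a JWT and sign it with `key`.
///
/// The header and claims are serialized to JSON and base64url-encoded without padding; the
/// signature is computed over `<header>.<claims>` with the algorithm named in
/// `header.algorithm`, and the result is returned as `<header>.<claims>.<signature>`.
///
/// Throws `JwtError.MismatchedEncodingKey` when `key` is not the key type required by
/// `header.algorithm`, `JwtError.FailedSigning` when the signing operation fails, and
/// `JsonError` when the header or claims cannot be serialized.
pub fn encode<T>(key: EncodeKey, header: Header, claims: T): string throws JwtError, JsonError {
    let encoded_header = base64
        .encode(try json.to_string(header).bytes(), mode: Base64Mode.URLSafeNoPadding);
    let encoded_claims = base64
        .encode(try json.to_string(claims).bytes(), mode: Base64Mode.URLSafeNoPadding);
    // The signing input is the two encoded segments joined by a dot.
    let message = `${encoded_header}.${encoded_claims}`;
    let signature: Bytes;
    // Every branch throws MismatchedEncodingKey on a wrong key type, so callers of `encode`
    // see one error for that condition regardless of the algorithm family.
    switch (header.algorithm) {
        case .HS256, .HS384, .HS512:
            let key = key.(hmac.Hmac) else {
                throw JwtError.MismatchedEncodingKey;
            };
            // NOTE(review): the three HMAC variants share this branch and nothing visible here
            // checks that the hash the Hmac was built with matches header.algorithm. Confirm
            // whether that is enforced elsewhere.
            // reset() comes first, presumably so data fed to the caller's Hmac earlier does not
            // end up in the MAC. Confirm.
            key.reset();
            key.update(message.bytes());
            signature = key.digest();
        case .ES256, .ES384, .ES512:
            let key = key.(ecdsa.SigningKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign(message.bytes())).ok_or_else(|| JwtError.FailedSigning);
        // RS* algorithms are RSA with PKCS#1 v1.5 padding; PS* algorithms are RSA-PSS.
        case .RS256:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pkcs1v15::<sha2.Sha256>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .RS384:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pkcs1v15::<sha2.Sha384>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .RS512:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            // RS512 must use PKCS#1 v1.5 like RS256 and RS384. Signing with PSS here would
            // emit a PS512 signature under an RS512 header, which a conforming verifier rejects.
            signature = try (try? key.sign_pkcs1v15::<sha2.Sha512>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .PS256:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pss::<sha2.Sha256>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .PS384:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pss::<sha2.Sha384>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .PS512:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pss::<sha2.Sha512>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .EdDSA:
            let key = key.(ed25519.SigningKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign(message.bytes())).ok_or_else(|| JwtError.FailedSigning);
    }
    let signature = base64.encode(signature, mode: Base64Mode.URLSafeNoPadding);
    return `${message}.${signature}`;
}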
Encode the header and claims given and sign the payload using the algorithm from the header and the key.
encode
pub fn encode<T>(key: EncodeKey, header: Header, claims: T): string throws JwtError, JsonError
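/// Encode `header` and `claims` as a JWT and sign it with `key`.
///
/// The header and claims are serialized to JSON and base64url-encoded without padding; the
/// signature is computed over `<header>.<claims>` with the algorithm named in
/// `header.algorithm`, and the result is returned as `<header>.<claims>.<signature>`.
///
/// Throws `JwtError.MismatchedEncodingKey` when `key` is not the key type required by
/// `header.algorithm`, `JwtError.FailedSigning` when the signing operation fails, and
/// `JsonError` when the header or claims cannot be serialized.
pub fn encode<T>(key: EncodeKey, header: Header, claims: T): string throws JwtError, JsonError {
    let encoded_header = base64
        .encode(try json.to_string(header).bytes(), mode: Base64Mode.URLSafeNoPadding);
    let encoded_claims = base64
        .encode(try json.to_string(claims).bytes(), mode: Base64Mode.URLSafeNoPadding);
    // The signing input is the two encoded segments joined by a dot.
    let message = `${encoded_header}.${encoded_claims}`;
    let signature: Bytes;
    // Every branch throws MismatchedEncodingKey on a wrong key type, so callers of `encode`
    // see one error for that condition regardless of the algorithm family.
    switch (header.algorithm) {
        case .HS256, .HS384, .HS512:
            let key = key.(hmac.Hmac) else {
                throw JwtError.MismatchedEncodingKey;
            };
            // NOTE(review): the three HMAC variants share this branch and nothing visible here
            // checks that the hash the Hmac was built with matches header.algorithm. Confirm
            // whether that is enforced elsewhere.
            // reset() comes first, presumably so data fed to the caller's Hmac earlier does not
            // end up in the MAC. Confirm.
            key.reset();
            key.update(message.bytes());
            signature = key.digest();
        case .ES256, .ES384, .ES512:
            let key = key.(ecdsa.SigningKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign(message.bytes())).ok_or_else(|| JwtError.FailedSigning);
        // RS* algorithms are RSA with PKCS#1 v1.5 padding; PS* algorithms are RSA-PSS.
        case .RS256:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pkcs1v15::<sha2.Sha256>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .RS384:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pkcs1v15::<sha2.Sha384>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .RS512:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            // RS512 must use PKCS#1 v1.5 like RS256 and RS384. Signing with PSS here would
            // emit a PS512 signature under an RS512 header, which a conforming verifier rejects.
            signature = try (try? key.sign_pkcs1v15::<sha2.Sha512>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .PS256:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pss::<sha2.Sha256>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .PS384:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pss::<sha2.Sha384>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .PS512:
            let key = key.(rsa.PrivateKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign_pss::<sha2.Sha512>(message.bytes()))
                .ok_or_else(|| JwtError.FailedSigning);
        case .EdDSA:
            let key = key.(ed25519.SigningKey) else {
                throw JwtError.MismatchedEncodingKey;
            };
            signature = try (try? key.sign(message.bytes())).ok_or_else(|| JwtError.FailedSigning);
    }
    let signature = base64.encode(signature, mode: Base64Mode.URLSafeNoPadding);
    return `${message}.${signature}`;
}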
Encode the header and claims given and sign the payload using the algorithm from the header and the key.
Encode the given header and claims and sign them using the algorithm from the header and the key. The key must be of the type that the header's algorithm requires; otherwise an error is thrown.
Example
nv
use std.jwt.{RegisteredClaims, encode, Algorithm, Header};
use std.crypto.{hmac.Hmac, sha2.Sha256};
use std.time.DateTime;
// Application claims plus the registered JWT claims, serialized as one flat JSON object.
struct Payload {
name: string,
// Flattened so the registered claims sit at the top level of the payload rather than under
// a nested "registered" key.
#[serde(flatten)]
registered: RegisteredClaims,
}
// Expiry as a timestamp 100 days from now. The long lifetime is for illustration; a stolen
// token stays usable until it expires.
let expiration = (DateTime.now_utc() + 100.days()).timestamp();
// "secret key" is a placeholder. For HS256 use a randomly generated secret of at least
// 256 bits, loaded from configuration or a secret store rather than written in source.
let key = Hmac.new::<Sha256>("secret key".bytes());
let payload = Payload {
name: "Sunli",
registered: RegisteredClaims { expiration },
};
// The header algorithm (HS256) matches the Hmac key type above; `try!` is used here only
// because this is example code.
let token = try! encode(key, Header { algorithm:Algorithm.HS256 }, payload);