Add duplicate claim name detection per RFC 7519 Section 4#713
Add duplicate claim name detection per RFC 7519 Section 4#713
Conversation
ydah
force-pushed
the
duplicate_claim_detection
branch
from
0838041 to
bf095f9
Compare
|
Overall I support this feature and think it should be the default behavior. My biggest concern is adding a lot of logic to this now it will stay and live in the gem in the future. Would almost just like to require |
ydah
force-pushed
the
duplicate_claim_detection
branch
from
1acb9e3 to
11450ac
Compare
| os: | ||
| - ubuntu-latest | ||
| ruby: | ||
| - "2.5" |
There was a problem hiding this comment.
MEMO: We added json gem >= 2.13.0 to the dependencies, but this version requires Ruby 2.7+. Since ruby-jwt has required_ruby_version = ‘>= 2.5’, dependency resolution fails during bundle install in a Ruby 2.5 environment.
There was a problem hiding this comment.
Would like to support as many versions as possible, what about dynamically figure out if its possible to enable this feature or not.
There was a problem hiding this comment.
Indeed, I've restored support for 2.5 and 2.6.
|
I updated this PR. WDYT? |
ydah
force-pushed
the
duplicate_claim_detection
branch
from
225ddb0 to
6ef1d19
Compare
Implements duplicate claim name detection as specified in RFC 7519 Section 4, which states: > The Claim Names within a JWT Claims Set MUST be unique; JWT parsers MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name. This feature allows users to reject JWTs that contain duplicate keys in the header or payload, which is recommended for security-sensitive applications to prevent claim confusion attacks.
…on a runtime feature check instead of a hard dependency on json >= 2.13.0
… single call with conditional options
…licate_keys! method
… SignatureVerifier classes to reduce class complexity
…N gem version support
ydah
force-pushed
the
duplicate_claim_detection
branch
from
905c978 to
ad53ab7
Compare
|
Sorry for the back and forth but im a bit starting to regret my suggestions to only allowing enabling it per instance. I wonder if it would still be easier for most users to enable this globally for the gem. Also setting the flag to true/false would allow disabling of the strictness when JSON 3.0 is out with the new default. What do you think: Also as mentioned earlier maybe do the refactorings in separate to keep the scope of this change on the new feature? |
| **Breaking changes:** | ||
| - Drop support for Ruby 2.6 and older [#713](https://github.com/jwt/ruby-jwt/pull/713) ([@ydah](https://github.com/ydah)) | ||
| - Bump minimum json gem version to 2.6 [#713](https://github.com/jwt/ruby-jwt/pull/713) ([@ydah](https://github.com/ydah)) | ||
|
|
There was a problem hiding this comment.
| **Breaking changes:** | |
| - Drop support for Ruby 2.6 and older [#713](https://github.com/jwt/ruby-jwt/pull/713) ([@ydah](https://github.com/ydah)) | |
| - Bump minimum json gem version to 2.6 [#713](https://github.com/jwt/ruby-jwt/pull/713) ([@ydah](https://github.com/ydah)) |
No breaking changes anymore, right?
2 participants
Description
Implements duplicate claim name detection as specified in RFC 7519 Section 4, which states:
see: https://datatracker.ietf.org/doc/html/rfc7519#section-4
This feature allows users to reject JWTs that contain duplicate keys in the header or payload, which is recommended for security-sensitive applications to prevent claim confusion attacks.
Checklist
Before the PR can be merged be sure the following are checked: