Add duplicate claim name detection per RFC 7519 Section 4 #713
Conversation
Implements duplicate claim name detection as specified in RFC 7519 Section 4, which states: > The Claim Names within a JWT Claims Set MUST be unique; JWT parsers MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name. This feature allows users to reject JWTs that contain duplicate keys in the header or payload, which is recommended for security-sensitive applications to prevent claim confusion attacks.
ydah
force-pushed
the
duplicate_claim_detection
branch
from
0838041 to
bf095f9
Compare
lib/jwt/json.rb
Outdated
|
|
||
| # @api private | ||
| # Checks for duplicate keys in a JSON string using a StringScanner-based tokenizer | ||
| # rubocop:disable Style/RedundantRegexpArgument |
There was a problem hiding this comment.
lib/jwt/encoded_token.rb
Outdated
| # @raise [ArgumentError] if the provided JWT is not a String. | ||
| def initialize(jwt) | ||
| # @raise [JWT::DuplicateKeyError] if allow_duplicate_keys is false and duplicate keys are found. | ||
| def initialize(jwt, allow_duplicate_keys: true) |
There was a problem hiding this comment.
Would like to avoid bloating the initializer with feature parameters, the original JWT.encode and JWT.decode methods became parameter monsters over time.
A few random options, not sure if Im a fan of either of my own suggestions :)
token = EncodedToken.new(jwt)
token.raise_on_duplicate_keys!
token = EncodedToken.new(jwt)
token.decode_payload!(raise_on_duplicate_keys:true)
Or allowing changing the default JSON decoder with a stricter one, token.raise_on_duplicate_keys! could internally do something like this.
token = EncodedToken.new(jwt)
token.parser = JWT::JSON.new(raise_on_duplicate_keys:true)
There was a problem hiding this comment.
I've organized it. What do you think?
lib/jwt/json.rb
Outdated
| # JWT::JSON.parse('{"a":1,"a":2}', allow_duplicate_keys: false) | ||
| # # => raises JWT::DuplicateKeyError | ||
| def parse(data, allow_duplicate_keys: true) | ||
| DuplicateKeyChecker.check!(data) unless allow_duplicate_keys |
There was a problem hiding this comment.
Should we try to use the built-in-soon-to-be-default ::JSON.parse(data, allow_duplicate_key: false) to deal with this issue. Feels like this gem is not supposed to be dealing with parsing concerns.
Also the new default will kick in in json 3.0. Think if the user has not taken a stance the default behavior of the json gem should be honored.
So adding as little logic as possible related to this feature will make future maintenance easier.
lib/jwt/decode.rb
Outdated
| token.header['alg'] | ||
| end | ||
|
|
||
| def allow_duplicate_keys?(options) |
There was a problem hiding this comment.
I have the urge not to add features to the old API anymore. Could we try that and document how to use this feature using the new EncodedToken class.
There was a problem hiding this comment.
I've added instructions for use. How does that look?
|
Overall I support this feature and think it should be the default behavior. My biggest concern is adding a lot of logic to this now it will stay and live in the gem in the future. Would almost just like to require |
ydah
force-pushed
the
duplicate_claim_detection
branch
from
1acb9e3 to
11450ac
Compare
| os: | ||
| - ubuntu-latest | ||
| ruby: | ||
| - "2.5" |
There was a problem hiding this comment.
MEMO: We added json gem >= 2.13.0 to the dependencies, but this version requires Ruby 2.7+. Since ruby-jwt has required_ruby_version = ‘>= 2.5’, dependency resolution fails during bundle install in a Ruby 2.5 environment.
|
I updated this PR. WDYT? |
2 participants
Description
Implements duplicate claim name detection as specified in RFC 7519 Section 4, which states:
see: https://datatracker.ietf.org/doc/html/rfc7519#section-4
This feature allows users to reject JWTs that contain duplicate keys in the header or payload, which is recommended for security-sensitive applications to prevent claim confusion attacks.
Checklist
Before the PR can be merged be sure the following are checked: