Add keyfinder mechanics

jwt · Oct 5, 2024 · f513cbd · f513cbd
1 parent 6e0fc09
commit f513cbd
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/lib/jwt/encoded_token.rb b/lib/jwt/encoded_token.rb
@@ -75,9 +75,14 @@ def payload
     #
     # @param algorithm [String, Array<String>, Object, Array<Object>] the algorithm(s) to use for verification.
     # @param key [String, Array<String>] the key(s) to use for verification.
+    # @param key_finder [#call] an object responding to `call` to find the key for verification.
     # @return [nil]
     # @raise [JWT::VerificationError] if the signature verification fails.
-    def verify_signature!(algorithm:, key:)
+    # @raise [ArgumentError] if neither key nor key_finder is provided, or if both are provided.
+    def verify_signature!(algorithm:, key: nil, key_finder: nil)
+      raise ArgumentError, 'Provide either key or key_finder, not both or neither' if key.nil? == key_finder.nil?
+
+      key ||= key_finder.call(self)
       return if valid_signature?(algorithm: algorithm, key: key)
 
       raise JWT::VerificationError, 'Signature verification failed'

diff --git a/spec/jwt/encoded_token_spec.rb b/spec/jwt/encoded_token_spec.rb
@@ -24,7 +24,7 @@
 
   describe '#verify_signature!' do
     context 'when key is valid' do
-      it 'returns nil' do
+      it 'does not raise' do
         expect(token.verify_signature!(algorithm: 'HS256', key: 'secret')).to eq(nil)
       end
     end
@@ -34,6 +34,34 @@
         expect { token.verify_signature!(algorithm: 'HS256', key: 'wrong') }.to raise_error(JWT::VerificationError, 'Signature verification failed')
       end
     end
+
+    context 'when key is an array with one valid entry' do
+      it 'does not raise' do
+        expect(token.verify_signature!(algorithm: 'HS256', key: %w[wrong secret])).to eq(nil)
+      end
+    end
+
+    context 'when key_finder is given' do
+      it 'uses key provided by keyfinder' do
+        expect(token.verify_signature!(algorithm: 'HS256', key_finder: ->(_token) { 'secret' })).to eq(nil)
+      end
+
+      it 'can utilize an array provided by keyfinder' do
+        expect(token.verify_signature!(algorithm: 'HS256', key_finder: ->(_token) { %w[wrong secret] })).to eq(nil)
+      end
+    end
+
+    context 'when neither key or key_finder is given' do
+      it 'raises an ArgumentError' do
+        expect { token.verify_signature!(algorithm: 'HS256') }.to raise_error(ArgumentError, 'Provide either key or key_finder, not both or neither')
+      end
+    end
+
+    context 'when both key or key_finder is given' do
+      it 'raises an ArgumentError' do
+        expect { token.verify_signature!(algorithm: 'HS256', key: 'key', key_finder: 'finder') }.to raise_error(ArgumentError, 'Provide either key or key_finder, not both or neither')
+      end
+    end
   end
 
   describe '#verify_claims!' do