diff --git a/CHANGELOG.md b/CHANGELOG.md index 51861e18..2c8c54f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,27 @@ # Changelog +## Upcoming breaking changes + +Notable changes in the upcoming **version 3.0**: + +- The indirect dependency to [rbnacl](https://github.com/RubyCrypto/rbnacl) will be removed: + - Support for the nonstandard SHA512256 algorithm will be removed. + - Support for Ed25519 will be moved to a [separate gem](https://github.com/anakinj/jwt-eddsa) for better dependency handling. + +- Base64 decoding will no longer fallback on the looser RFC 2045. + +- Claim verification has been [split into separate classes](https://github.com/jwt/ruby-jwt/pull/605) and has [a new api](https://github.com/jwt/ruby-jwt/pull/626) and lead to the following deprecations: + - The `::JWT::ClaimsValidator` class will be removed in favor of the functionality provided by `::JWT::Claims`. + - The `::JWT::Claims::verify!` method will be removed in favor of `::JWT::Claims::verify_payload!`. + - The `::JWT::JWA.create` method will be removed. No recommended alternatives. + - The `::JWT::Verify` class will be removed in favor of the functionality provided by `::JWT::Claims`. + - Calling `::JWT::Claims::Numeric.new` with a payload will be removed in favor of `::JWT::Claims::verify_payload!(payload, :numeric)` + - Calling `::JWT::Claims::Numeric.verify!` with a payload will be removed in favor of `::JWT::Claims::verify_payload!(payload, :numeric)` + +- The internal algorithms were [restructured](https://github.com/jwt/ruby-jwt/pull/607) to support extensions from separate libraries. The changes lead to a few deprecations and new requirements: + - The `sign` and `verify` static methods on all the algorithms (`::JWT::JWA`) will be removed. + - Custom algorithms are expected to include the `JWT::JWA::SigningAlgorithm` module. + ## [v2.9.2](https://github.com/jwt/ruby-jwt/tree/v2.9.2) (NEXT) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.9.1...main) 
diff --git a/README.md b/README.md index dfb44b09..1ae02d73 100644 --- a/README.md +++ b/README.md @@ -530,6 +530,24 @@ rescue JWT::InvalidSubError end ``` +### Standalone claim verification + +The JWT claim verifications can be used to verify any Hash to include expected keys and values. + +A few example on verifying the claims for a payload: +```ruby +JWT::Claims.verify_payload!({"exp" => Time.now.to_i + 10}, :numeric, :exp) +JWT::Claims.valid_payload?({"exp" => Time.now.to_i + 10}, :exp) +# => true +JWT::Claims.payload_errors({"exp" => Time.now.to_i - 10}, :exp) +# => [#] +JWT::Claims.verify_payload!({"exp" => Time.now.to_i - 10}, exp: { leeway: 11}) + +JWT::Claims.verify_payload!({"exp" => Time.now.to_i + 10, "sub" => "subject"}, :exp, sub: "subject") +``` + + + ### Finding a Key To dynamically find the key for verifying the JWT signature, pass a block to the decode block. The block receives headers and the original payload as parameters. It should return with the key to verify the signature that was used to sign the JWT. diff --git a/lib/jwt/claims.rb b/lib/jwt/claims.rb index f4e00b53..e1732d7b 100644 --- a/lib/jwt/claims.rb +++ b/lib/jwt/claims.rb @@ -34,7 +34,7 @@ module Claims class << self # @deprecated Use {verify_payload!} instead. Will be removed in the next major version of ruby-jwt. def verify!(payload, options) - Deprecations.warning('Calling ::JWT::Claims::verify! will be removed in the next major version of ruby-jwt') + Deprecations.warning('The ::JWT::Claims.verify! method is deprecated will be removed in the next major version of ruby-jwt') DecodeVerifier.verify!(payload, options) end
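Review bot: In the CHANGELOG.md hunk, the `::JWT::JWA.create` removal is listed under the claim verification deprecations, but it belongs with the algorithms; move it to the "internal algorithms were restructured" bullet next to the `sign` and `verify` removal. The Base64 bullet says decoding will no longer fall back on the looser RFC 2045 but does not say which strict decoding remains, so users cannot tell whether tokens they accept today will start being rejected; name it. Wording: "dependency to" should be "dependency on", "fallback on" should be "fall back on", "has a new api and lead to" should be "has a new API, which leads to", and the two `::JWT::Claims::Numeric` items lack the trailing period the other items have.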
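Review bot: In the README.md "Standalone claim verification" example, nothing states what `verify_payload!` does when a claim fails, and the `payload_errors` result is shown only as `# => [#]`, so a reader cannot tell what to rescue or what the returned error objects contain. Add one sentence describing the failure behaviour of `verify_payload!`, `valid_payload?` and `payload_errors`, and replace `[#]` with the actual inspected value. The `exp: { leeway: 11}` call runs against an `exp` that is already 10 seconds in the past; a comment saying it passes only because of the leeway would make the intent clear. Also, "A few example on" should be "A few examples of", and the hunk adds three blank lines before "### Finding a Key" where one is enough.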
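Review bot: In lib/jwt/claims.rb, the new warning text reads "is deprecated will be removed", which is missing "and". The `@deprecated` comment directly above already points to `verify_payload!`, so the runtime warning should name the replacement too, for example "The ::JWT::Claims.verify! method is deprecated and will be removed in the next major version of ruby-jwt. Use ::JWT::Claims.verify_payload! instead." The CHANGELOG entry in this patch spells the method `::JWT::Claims::verify!` while this message uses `::JWT::Claims.verify!`; pick one form for both.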