2021-06-08 01:23:25 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
module Gitlab
|
|
|
|
class JWTToken < JSONWebToken::HMACToken
|
|
|
|
HMAC_ALGORITHM = 'SHA256'
|
|
|
|
HMAC_KEY = 'gitlab-jwt'
|
|
|
|
HMAC_EXPIRES_IN = 5.minutes.freeze
|
|
|
|
|
|
|
|
class << self
|
|
|
|
def decode(jwt)
|
|
|
|
payload = super(jwt, secret).first
|
|
|
|
|
|
|
|
new.tap do |jwt_token|
|
|
|
|
jwt_token.id = payload.delete('jti')
|
|
|
|
jwt_token.issued_at = payload.delete('iat')
|
|
|
|
jwt_token.not_before = payload.delete('nbf')
|
|
|
|
jwt_token.expire_time = payload.delete('exp')
|
|
|
|
|
|
|
|
payload.each do |key, value|
|
|
|
|
jwt_token[key] = value
|
|
|
|
end
|
|
|
|
end
|
|
|
|
rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::ImmatureSignature => ex
|
|
|
|
# we want to log and return on expired and errored tokens
|
|
|
|
Gitlab::ErrorTracking.track_exception(ex)
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
|
|
|
|
def secret
|
|
|
|
OpenSSL::HMAC.hexdigest(
|
|
|
|
HMAC_ALGORITHM,
|
|
|
|
::Settings.attr_encrypted_db_key_base,
|
|
|
|
HMAC_KEY
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
super(self.class.secret)
|
|
|
|
self.expire_time = self.issued_at + HMAC_EXPIRES_IN.to_i
|
|
|
|
end
|
|
|
|
|
|
|
|
def ==(other)
|
|
|
|
self.id == other.id &&
|
2023-03-04 22:38:38 +05:30
|
|
|
self.payload == other.payload
|
2021-06-08 01:23:25 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
def issued_at=(value)
|
|
|
|
super(convert_time(value))
|
|
|
|
end
|
|
|
|
|
|
|
|
def not_before=(value)
|
|
|
|
super(convert_time(value))
|
|
|
|
end
|
|
|
|
|
|
|
|
def expire_time=(value)
|
|
|
|
super(convert_time(value))
|
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
def convert_time(value)
|
|
|
|
# JSONWebToken::Token truncates subsecond precision causing comparisons to
|
|
|
|
# fail unless we truncate it here first
|
|
|
|
value = value.to_i if value.is_a?(Float)
|
|
|
|
value = Time.zone.at(value) if value.is_a?(Integer)
|
|
|
|
value
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|