Draft
anakinj
commented
Mar 20, 2026
lib/jwt/encoded_nested_token.rb
Outdated
| # @raise [JWT::DecodeError] if key count doesn't match nesting depth. | ||
| # @raise [JWT::VerificationError] if any signature verification fails. | ||
| def verify!(keys:, claims: nil) | ||
| raise JWT::DecodeError, "Expected #{count} key configurations, got #{keys.length}" unless keys.length == count |
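Review bot: the guard `raise JWT::DecodeError, ... unless keys.length == count` forces callers to pass one key configuration per nesting level even when every layer is signed with the same key. If sharing a key across layers is intended, accept a single-element `keys` array and apply it to every level, and update the `@raise [JWT::DecodeError]` tag to describe whichever rule is chosen. Either way, raising before any signature work is done is the right order.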
Member
Author
Do we really care? The same key could be used to validate multiple tokens.
anakinj
commented
Mar 20, 2026
lib/jwt/encoded_nested_token.rb
Outdated
| token.verify_signature!(algorithm: keys[index][:algorithm], key: keys[index][:key]) | ||
| end | ||
|
|
||
| last.verify_claims!(*Array(claims).compact) |
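Review bot: `last.verify_claims!(*Array(claims).compact)` validates claims on the innermost token only, so an outer token's own claims (its `exp` or `nbf`, for example) are never checked even though its signature is. Either call `verify_claims!` on each token inside the loop that runs `token.verify_signature!`, or state in the method documentation that outer layers are signature-checked only, so callers know an expired wrapper is not rejected here.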
Member
Author
Why do we only verify the last token's claims?
anakinj
commented
Mar 20, 2026
lib/jwt/encoded_nested_token.rb
Outdated
| current = jwt | ||
|
|
||
| loop do | ||
| raise JWT::DecodeError, "Nested JWT exceeds maximum depth of #{MAX_DEPTH}" if tokens.length >= MAX_DEPTH |
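Review bot: the depth check `if tokens.length >= MAX_DEPTH` rejects a chain whose length equals `MAX_DEPTH`, while the message says the token "exceeds" it; use `>` or reword the message. Since the constructor stores `@max_depth`, this check should read the instance variable rather than the constant, otherwise the configurable limit has no effect here. Keeping the check at the top of `loop do`, before the next layer is decoded, is correct: it bounds the work a deeply nested token can force.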
Member
Author
Max depth could be an instance variable, so it can be changed if needed
anakinj
commented
Mar 20, 2026
lib/jwt/nested_token.rb
Outdated
| # The payload is base64url-encoded directly (not JSON-encoded). | ||
| # | ||
| # @example Creating a Nested JWT | ||
| # inner_jwt = JWT.encode({ user_id: 123 }, 'inner_secret', 'HS256') |
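Review bot: the header comment states the payload is base64url-encoded directly (not JSON-encoded), but the `@example` stops after building `inner_jwt` with `JWT.encode` and never shows the inner compact JWT being placed in the outer token's payload; extend the example through the outer step so the non-JSON payload is actually demonstrated. Building the inner token with the class-based API, as the author suggests, would also keep this example consistent with the `JWT::EncodedNestedToken.new(...)` example in the other file.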
Member
Author
Let's use the class-based generation for consistency.
anakinj
commented
Mar 20, 2026
lib/jwt/encoded_nested_token.rb
Outdated
| end | ||
|
|
||
| def last | ||
| @tokens.last |
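Review bot: `last` returns `@tokens.last` without checking that `verify!` has run, so callers can read claims from a token whose signatures were never verified. Record verification state (for example, set `@verified = true` at the end of `verify!`) and raise when `last` is read before verification, or at minimum document the behaviour and expose the unverified token under a name that makes its state obvious.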
Member
Author
We can access last before the chain has been verified. Maybe we need to protect against that?
anakinj
commented
Mar 20, 2026
lib/jwt/encoded_nested_token.rb
Outdated
| raise ArgumentError, 'Provided JWT must be a String' unless jwt.is_a?(String) | ||
|
|
||
| @max_depth = max_depth | ||
| @tokens = unwrap(jwt) |
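Review bot: `max_depth` is stored unvalidated while `jwt` is type-checked on the line above; a nil, zero or negative `max_depth` would make the depth guard behave unexpectedly, so raise `ArgumentError` unless it is a positive Integer. `@tokens = unwrap(jwt)` also does all the decoding in the constructor; if unwrapping becomes lazy (a memoized `tokens` reader), make sure the depth limit is still enforced on first access so the change does not drop it.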
Member
Author
Can we make unwrap lazy, so it runs when tokens are accessed?
anakinj
commented
Mar 20, 2026
lib/jwt/encoded_nested_token.rb
Outdated
| # | ||
| # @example Verifying a Nested JWT | ||
| # nested = JWT::EncodedNestedToken.new(nested_jwt_string) | ||
| # nested.verify!(algorithm: ['RS256', 'HS256'], key: [rsa_public, 'inner_secret']) |
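Review bot: the `@example` calls `nested.verify!(algorithm: [...], key: [...])`, but the method is declared as `def verify!(keys:, claims: nil)` and reads `keys[index][:algorithm]` and `keys[index][:key]`, so the example as written raises `ArgumentError` for the unknown keywords and the missing `keys:`. Rewrite it as `nested.verify!(keys: [{ algorithm: 'RS256', key: rsa_public }, { algorithm: 'HS256', key: 'inner_secret' }])`, and note in the comment that the array order must match the order in which `unwrap` stores the tokens so each key is applied to the right layer.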
Member
Author
Think the example in the comment is wrong. Mixing algos did not work.
Description
This is just me vibing and brainstorming
Checklist
Before the PR can be merged be sure the following are checked: