Class: Ronin::Web::SessionCookie::JWT

Inherits:
  • Cookie
  • Object

Defined in:
  lib/ronin/web/session_cookie/jwt.rb

Overview

Represents a JSON Web Token (JWT).

Examples

Ronin::Web::SessionCookie.parse('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c')
# =>
# #<Ronin::Web::SessionCookie::JWT:0x00007f18d5a45e58
#  @header={"alg"=>"HS256", "typ"=>"JWT"},
#  @hmac=
#   ":\x93\x92K\x0E\xDE\xE3\xCEK8\xFEO\xAF4\x9C\xC4v\xFBI\x1E\xAC\x00\xE3\x11rG\xC5\xC2.+\xA7\xBA",
#  @params={"id"=>123456789, "name"=>"Joseph"}>

Constant Summary

REGEXP =

Regular expression to match JWT session cookies.

/\A(Bearer )?#{URL_SAFE_BASE64_REGEXP}\.#{URL_SAFE_BASE64_REGEXP}\.#{URL_SAFE_BASE64_REGEXP}\z/

Constants inherited from Cookie

Cookie::STRICT_BASE64_REGEXP, Cookie::URI_ENCODED_BASE64_REGEXP, Cookie::URL_SAFE_BASE64_REGEXP

Instance Attribute Summary

Attributes inherited from Cookie

#params

Class Method Summary

Instance Method Summary

Methods inherited from Cookie

#[], #each, #has_key?, #to_h

Constructor Details

#initialize(header, payload, hmac) ⇒ JWT

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Initializes the parsed JWT session cookie.

Parameters:

  • header (Hash{String => Object})

    The parsed header information.

  • payload (Hash{String => Object})

    The parsed JWT payload.

  • hmac (String)

    The SHA256 HMAC of the encoded header + . + the encoded payload.

# File 'lib/ronin/web/session_cookie/jwt.rb', line 77

def initialize(header,payload,hmac)
  @header = header

  super(payload)

  @hmac = hmac
end

Instance Attribute Details

#header ⇒ Hash{String => Object} (readonly)

The parsed JWT header information.

Returns:

  • (Hash{String => Object})

# File 'lib/ronin/web/session_cookie/jwt.rb', line 51

def header
  @header
end

#hmac ⇒ String (readonly)

The SHA256 HMAC of the encoded #header + . + the encoded #payload.

Returns:

  • (String)

# File 'lib/ronin/web/session_cookie/jwt.rb', line 59

def hmac
  @hmac
end

Class Method Details

.extract(response) ⇒ JWT?

Extracts the JWT session cookie from the HTTP response.

Parameters:

  • response (Net::HTTPResponse)

    The HTTP response object.

Returns:

  • (JWT, nil)

    The parsed JWT session cookie, or nil if there was no Authorization header containing a JWT session cookie.

# File 'lib/ronin/web/session_cookie/jwt.rb', line 140

def self.extract(response)
  if (authorization = response['Authorization'])
    if (match = authorization.match(REGEXP))
      return parse(match[0])
    end
  end
end

.identify?(string) ⇒ Boolean

Identifies whether the string is a JWT session cookie.

Parameters:

  • string (String)

    The raw session cookie value to identify.

Returns:

  • (Boolean)

    Indicates whether the session cookie value is a JWT session cookie.

# File 'lib/ronin/web/session_cookie/jwt.rb', line 99

def self.identify?(string)
  # match? returns true/false, whereas =~ would return the match offset or nil
  string.match?(REGEXP)
end

.parse(string) ⇒ JWT

Parses a JWT session cookie.

Parameters:

  • string (String)

    The raw session cookie string to parse.

Returns:

  • (JWT)

    The parsed and deserialized session cookie

# File 'lib/ronin/web/session_cookie/jwt.rb', line 114

def self.parse(string)
  # remove any 'Bearer ' prefix.
  string = string.sub(/\ABearer /,'')

  # split the string into the three encoded segments: header, payload, signature
  header, payload, hmac = string.split('.',3)

  # JWT segments are URL-safe Base64 without padding (RFC 7515);
  # Base64.decode64 would silently skip the '-' and '_' characters.
  header  = JSON.parse(Base64.urlsafe_decode64(header))
  payload = JSON.parse(Base64.urlsafe_decode64(payload))
  hmac    = Base64.urlsafe_decode64(hmac)

  # NOTE: the signature bytes are decoded but not verified here;
  # parsing a JWT does not authenticate it.
  return new(header,payload,hmac)
end
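The parser above reads the three segments and keeps the raw HMAC bytes, but it never checks them against a key, so a parsed JWT says nothing about who minted it. The following is an added example, not code from ronin-web-session_cookie: it decodes the Overview's token the same way (base64url, strict), then shows what verification adds. The helper names (jwt_parse, jwt_sign_hs256, jwt_verify_hs256, constant_time_equal?), the secret 'constructed-demo-secret' and the {'id' => 42} claims are all constructed for the demonstration.

```ruby
require 'base64'
require 'json'
require 'openssl'

# JWT segments are base64url without padding (RFC 7515); the strict URL-safe
# decoder raises on stray characters instead of skipping them.
def jwt_decode_segment(segment)
  Base64.urlsafe_decode64(segment)
end

def jwt_encode_segment(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Split and decode a token (optionally prefixed with "Bearer "). Like
# JWT.parse above, this reads the token; it does not authenticate it.
def jwt_parse(token)
  token = token.sub(/\ABearer /, '')
  header_b64, payload_b64, sig_b64 = token.split('.', 3)
  raise ArgumentError, 'malformed JWT: expected header.payload.signature' unless sig_b64

  {
    header:        JSON.parse(jwt_decode_segment(header_b64)),
    payload:       JSON.parse(jwt_decode_segment(payload_b64)),
    signature:     jwt_decode_segment(sig_b64),
    signing_input: "#{header_b64}.#{payload_b64}"
  }
end

# Byte-wise comparison that does not stop at the first mismatching byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Mint an HS256 token; used here only to build test input from a constructed secret.
def jwt_sign_hs256(header, payload, secret)
  signing_input = "#{jwt_encode_segment(JSON.generate(header))}." \
                  "#{jwt_encode_segment(JSON.generate(payload))}"
  mac = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{jwt_encode_segment(mac)}"
end

# Verify an HS256 token against a known secret. The algorithm is pinned to
# what the server expects, so a header claiming "none" or anything else fails
# before any MAC is computed; malformed input verifies as false, never raises.
def jwt_verify_hs256(token, secret)
  parsed = jwt_parse(token)
  return false unless parsed[:header].is_a?(Hash) && parsed[:header]['alg'] == 'HS256'

  expected = OpenSSL::HMAC.digest('SHA256', secret, parsed[:signing_input])
  constant_time_equal?(parsed[:signature], expected)
rescue ArgumentError, JSON::ParserError
  false
end

if __FILE__ == $PROGRAM_NAME
  # The token from the Overview above.
  page_token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' \
               'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' \
               'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
  parsed = jwt_parse(page_token)
  puts "header:  #{parsed[:header]}"
  puts "payload: #{parsed[:payload]}"
  puts "hmac:    #{parsed[:signature].bytesize} bytes (decoded, unverified)"

  # Constructed secret and claims, for demonstration only.
  secret = 'constructed-demo-secret'
  token  = jwt_sign_hs256({ 'alg' => 'HS256', 'typ' => 'JWT' }, { 'id' => 42 }, secret)
  puts "valid:    #{jwt_verify_hs256(token, secret)}"
  forged = token.sub(/\A[^.]+/, jwt_encode_segment(JSON.generate({ 'alg' => 'none' })))
  puts "alg=none: #{jwt_verify_hs256(forged, secret)}"
end
```

The split between jwt_parse and jwt_verify_hs256 mirrors the class on this page: parsing is enough to inspect a cookie's claims, but any decision based on those claims needs the signature checked with the server's key and the algorithm fixed by the verifier, not read from the token.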