Various refactoring

Author: kylef

JWT.xcodeproj/project.pbxproj

@@ -11,6 +11,7 @@
 		279D63A81AD07FFF0024E2BC /* JWT.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 279D639C1AD07FFF0024E2BC /* JWT.framework */; };
 		279D63AF1AD07FFF0024E2BC /* JWTTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 279D63AE1AD07FFF0024E2BC /* JWTTests.swift */; };
 		279D63B91AD0803F0024E2BC /* JWT.swift in Sources */ = {isa = PBXBuildFile; fileRef = 279D63B81AD0803F0024E2BC /* JWT.swift */; };
+		279D63BB1AD0E3FA0024E2BC /* Claims.swift in Sources */ = {isa = PBXBuildFile; fileRef = 279D63BA1AD0E3FA0024E2BC /* Claims.swift */; };
 		885619E9E1C342A9D8BD77B7 /* Pods_JWT.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 540942F3614C41E3827F2013 /* Pods_JWT.framework */; settings = {ATTRIBUTES = (Weak, ); }; };
 		EBEC5851F5183DF2D7BFE1AF /* Pods_JWTTests.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = CE8198B6E30BA6B8F8125FA7 /* Pods_JWTTests.framework */; settings = {ATTRIBUTES = (Weak, ); }; };
 /* End PBXBuildFile section */
@@ -33,6 +34,7 @@
 		279D63AD1AD07FFF0024E2BC /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		279D63AE1AD07FFF0024E2BC /* JWTTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = JWTTests.swift; sourceTree = "<group>"; };
 		279D63B81AD0803F0024E2BC /* JWT.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = JWT.swift; sourceTree = "<group>"; };
+		279D63BA1AD0E3FA0024E2BC /* Claims.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = Claims.swift; sourceTree = "<group>"; };
 		3BD8D638895FE8AF4FDDA8A9 /* Pods-JWTTests.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-JWTTests.debug.xcconfig"; path = "Pods/Target Support Files/Pods-JWTTests/Pods-JWTTests.debug.xcconfig"; sourceTree = "<group>"; };
 		540942F3614C41E3827F2013 /* Pods_JWT.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Pods_JWT.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		56671E3EAC540766DE31974E /* Pods-JWT.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-JWT.release.xcconfig"; path = "Pods/Target Support Files/Pods-JWT/Pods-JWT.release.xcconfig"; sourceTree = "<group>"; };
@@ -89,6 +91,7 @@
 			children = (
 				279D63A11AD07FFF0024E2BC /* JWT.h */,
 				279D63B81AD0803F0024E2BC /* JWT.swift */,
+				279D63BA1AD0E3FA0024E2BC /* Claims.swift */,
 				279D639F1AD07FFF0024E2BC /* Supporting Files */,
 			);
 			path = JWT;
@@ -345,6 +348,7 @@
 			isa = PBXSourcesBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
+				279D63BB1AD0E3FA0024E2BC /* Claims.swift in Sources */,
 				279D63B91AD0803F0024E2BC /* JWT.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;

JWT/Claims.swift

@@ -0,0 +1,53 @@
+import Foundation
+
+func validateClaims(payload:Payload, audience:String?, issuer:String?) -> InvalidToken? {
+  return validateIssuer(payload, issuer) ?? validateAudience(payload, audience) ??
+    validateDate(payload, "exp", .OrderedAscending, .ExpiredSignature, "Expiration time claim (exp) must be an integer") ??
+    validateDate(payload, "nbf", .OrderedDescending, .ImmatureSignature, "Not before claim (nbf) must be an integer") ??
+    validateDate(payload, "iat", .OrderedDescending, .InvalidIssuedAt, "Issued at claim (iat) must be an integer")
+}
+
+func validateAudience(payload:Payload, audience:String?) -> InvalidToken? {
+  if let audience = audience {
+    if let aud = payload["aud"] as? [String] {
+      if !contains(aud, audience) {
+        return .InvalidAudience
+      }
+    } else if let aud = payload["aud"] as? String {
+      if aud != audience {
+        return .InvalidAudience
+      }
+    } else {
+      return .DecodeError("Invalid audience claim, must be a string or an array of strings")
+    }
+  }
+
+  return nil
+}
+
+func validateIssuer(payload:Payload, issuer:String?) -> InvalidToken? {
+  if let issuer = issuer {
+    if let iss = payload["iss"] as? String {
+      if iss != issuer {
+        return .InvalidIssuer
+      }
+    } else {
+      return .InvalidIssuer
+    }
+  }
+
+  return nil
+}
+
+func validateDate(payload:Payload, key:String, comparison:NSComparisonResult, failure:InvalidToken, decodeError:String) -> InvalidToken? {
+  if let timestamp = payload[key] as? NSTimeInterval {
+    let date = NSDate(timeIntervalSince1970: timestamp)
+    if date.compare(NSDate()) == comparison {
+      return failure
+    }
+  } else if let timestamp:AnyObject = payload[key] {
+    return .DecodeError(decodeError)
+  }
+
+  return nil
+}

JWT/JWT.swift

@@ -36,6 +36,52 @@ public enum InvalidToken : Printable {
   }
 }
 
+/// The supported Algorithms
+public enum Algorithm : Printable {
+  /// No Algorithm, i-e, insecure
+  case None
+
+  /// HMAC using SHA-256 hash algorithm
+  case HS256(String)
+
+  static func algorithm(name:String, key:String?) -> Algorithm? {
+    if name == "none" {
+      return Algorithm.None
+    } else if let key = key {
+      if name == "HS256" {
+        return .HS256(key)
+      }
+    }
+
+    return nil
+  }
+
+  public var description:String {
+    switch self {
+    case .None:
+      return "none"
+    case .HS256(let key):
+      return "HS256"
+    }
+  }
+
+  func sign(message:String) -> String {
+    switch self {
+    case .None:
+      return ""
+
+    case .HS256(let key):
+      let mac = Authenticator.HMAC(key: key.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false)!, variant:.sha256)
+      let result = mac.authenticate(message.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false)!)!
+      return base64encode(result)
+    }
+  }
+
+  func verify(message:String, signature:NSData) -> Bool {
+    return sign(message) == base64encode(signature)
+  }
+}
+
 public enum DecodeResult {
   case Success(Payload)
   case Failure(InvalidToken)
@@ -60,8 +106,7 @@ public func decode(jwt:String, key:String? = nil, verify:Bool = true, audience:S
 
 
 /// Encoding a payload
-
-public func encode(payload:Payload, key:String) -> String {
+public func encode(payload:Payload, algorithm:Algorithm) -> String {
   func encode(payload:Payload) -> String? {
     if let data = NSJSONSerialization.dataWithJSONObject(payload, options: NSJSONWritingOptions(0), error: nil) {
       return base64encode(data)
@@ -70,13 +115,10 @@ public func encode(payload:Payload, key:String) -> String {
     return nil
   }
 
-  let algorithm = "HS256"
-  let header = encode(["typ": "JWT", "alg": algorithm])!
+  let header = encode(["typ": "JWT", "alg": algorithm.description])!
   let payload = encode(payload)!
   let signingInput = "\(header).\(payload)"
-  let mac = Authenticator.HMAC(key: key.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: true)!, variant:.sha256)
-  let result = mac.authenticate(signingInput.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false)!)!
-  let signature = base64encode(result)
+  let signature = algorithm.sign(signingInput)
   return "\(signingInput).\(signature)"
 }
 
@@ -156,80 +198,16 @@ func load(jwt:String) -> LoadResult {
 
 func verifySignature(header:Payload, signingInput:String, signature:NSData, key:String?) -> InvalidToken? {
   if let alg = header["alg"] as? String {
-    switch alg {
-      case "none":
+    if let algoritm = Algorithm.algorithm(alg, key: key) {
+      if algoritm.verify(signingInput, signature: signature) {
         return nil
-      case "HS256":
-        if let key = key?.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false) {
-          let mac = Authenticator.HMAC(key: key, variant:.sha256)
-          let result = mac.authenticate(signingInput.dataUsingEncoding(NSUTF8StringEncoding, allowLossyConversion: false)!)
-          if result! == signature {
-            return nil
-          } else {
-            return .DecodeError("Signature verification failed")
-          }
-        }
-        break
-      default:
-        break
+      } else {
+        return .DecodeError("Signature verification failed")
+      }
     }
 
     return .InvalidAlgorithm
   }
 
   return .DecodeError("Missing Algorithm")
 }
-
-// MARK: Claim Validation
-
-func validateAudience(payload:Payload, audience:String?) -> InvalidToken? {
-  if let audience = audience {
-    if let aud = payload["aud"] as? [String] {
-      if !contains(aud, audience) {
-        return .InvalidAudience
-      }
-    } else if let aud = payload["aud"] as? String {
-      if aud != audience {
-        return .InvalidAudience
-      }
-    } else {
-      return .DecodeError("Invalid audience claim, must be a string or an array of strings")
-    }
-  }
-
-  return nil
-}
-
-func validateIssuer(payload:Payload, issuer:String?) -> InvalidToken? {
-  if let issuer = issuer {
-    if let iss = payload["iss"] as? String {
-      if iss != issuer {
-        return .InvalidIssuer
-      }
-    } else {
-      return .InvalidIssuer
-    }
-  }
-
-  return nil
-}
-
-func validateDate(payload:Payload, key:String, comparison:NSComparisonResult, failure:InvalidToken, decodeError:String) -> InvalidToken? {
-  if let timestamp = payload[key] as? NSTimeInterval {
-    let date = NSDate(timeIntervalSince1970: timestamp)
-    if date.compare(NSDate()) == comparison {
-      return failure
-    }
-  } else if let timestamp:AnyObject = payload[key] {
-    return .DecodeError(decodeError)
-  }
-
-  return nil
-}
-
-func validateClaims(payload:Payload, audience:String?, issuer:String?) -> InvalidToken? {
-  return validateIssuer(payload, issuer) ?? validateAudience(payload, audience) ??
-    validateDate(payload, "exp", .OrderedAscending, .ExpiredSignature, "Expiration time claim (exp) must be an integer") ??
-    validateDate(payload, "nbf", .OrderedDescending, .ImmatureSignature, "Not before claim (nbf) must be an integer") ??
-    validateDate(payload, "iat", .OrderedDescending, .InvalidIssuedAt, "Issued at claim (iat) must be an integer")
-}

JWTTests/JWTTests.swift

@@ -4,7 +4,7 @@ import JWT
 class JWTEncodeTests : XCTestCase {
   func testEncodingJWT() {
     let payload = ["name": "Kyle"] as Payload
-    let jwt = JWT.encode(payload, "secret")
+    let jwt = JWT.encode(payload, .HS256("secret"))
     let fixture = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiS3lsZSJ9.zxm7xcp1eZtZhp4t-nlw09ATQnnFKIiSN83uG8u6cAg"
     XCTAssertEqual(jwt, fixture)
   }

README.md

@@ -22,6 +22,12 @@ import JWT
 JWT.decode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w")
 ```
 
+### Encoding a claim
+
+```swift
+JWT.encode(["my": "payload"], .HS256("secret"))
+```
+
 #### Supported claims
 
 - Issuer (`iss`) Claim