feat: Introduce a ClaimSet

Author: kylef

JWT.xcodeproj/project.pbxproj

@@ -10,6 +10,10 @@
 		2734C6A81D88001F00BFF9F1 /* CryptoSwift.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 66725DAB1C59202E00FC32F4 /* CryptoSwift.framework */; };
 		2734C6A91D88002900BFF9F1 /* CryptoSwift.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 66725DAB1C59202E00FC32F4 /* CryptoSwift.framework */; };
 		2734C6AA1D88003000BFF9F1 /* CryptoSwift.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 66725DAB1C59202E00FC32F4 /* CryptoSwift.framework */; };
+		277794051DF221F800573F3E /* ClaimSet.swift in Sources */ = {isa = PBXBuildFile; fileRef = 277794041DF221F800573F3E /* ClaimSet.swift */; };
+		277794061DF221F800573F3E /* ClaimSet.swift in Sources */ = {isa = PBXBuildFile; fileRef = 277794041DF221F800573F3E /* ClaimSet.swift */; };
+		277794071DF221F800573F3E /* ClaimSet.swift in Sources */ = {isa = PBXBuildFile; fileRef = 277794041DF221F800573F3E /* ClaimSet.swift */; };
+		277794081DF221F800573F3E /* ClaimSet.swift in Sources */ = {isa = PBXBuildFile; fileRef = 277794041DF221F800573F3E /* ClaimSet.swift */; };
 		279D63A21AD07FFF0024E2BC /* JWT.h in Headers */ = {isa = PBXBuildFile; fileRef = 279D63A11AD07FFF0024E2BC /* JWT.h */; settings = {ATTRIBUTES = (Public, ); }; };
 		279D63A81AD07FFF0024E2BC /* JWT.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 279D639C1AD07FFF0024E2BC /* JWT.framework */; };
 		279D63AF1AD07FFF0024E2BC /* JWTTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 279D63AE1AD07FFF0024E2BC /* JWTTests.swift */; };
@@ -67,6 +71,7 @@
 /* End PBXContainerItemProxy section */
 
 /* Begin PBXFileReference section */
+		277794041DF221F800573F3E /* ClaimSet.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ClaimSet.swift; sourceTree = "<group>"; };
 		279D639C1AD07FFF0024E2BC /* JWT.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = JWT.framework; sourceTree = BUILT_PRODUCTS_DIR; };
 		279D63A01AD07FFF0024E2BC /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = "<group>"; };
 		279D63A11AD07FFF0024E2BC /* JWT.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = JWT.h; sourceTree = "<group>"; };
@@ -196,6 +201,7 @@
 		520A71121C469F010005C709 /* Sources */ = {
 			isa = PBXGroup;
 			children = (
+				277794041DF221F800573F3E /* ClaimSet.swift */,
 				520A71131C469F010005C709 /* Base64.swift */,
 				520A71141C469F010005C709 /* Claims.swift */,
 				520A71151C469F010005C709 /* Decode.swift */,
@@ -460,6 +466,7 @@
 				520A71181C469F010005C709 /* Claims.swift in Sources */,
 				520A711A1C469F010005C709 /* JWT.swift in Sources */,
 				520A71191C469F010005C709 /* Decode.swift in Sources */,
+				277794051DF221F800573F3E /* ClaimSet.swift in Sources */,
 				520A71171C469F010005C709 /* Base64.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
@@ -479,6 +486,7 @@
 				CD9B62171C7753D8005D4844 /* Claims.swift in Sources */,
 				CD9B62181C7753D8005D4844 /* JWT.swift in Sources */,
 				CD9B62191C7753D8005D4844 /* Decode.swift in Sources */,
+				277794061DF221F800573F3E /* ClaimSet.swift in Sources */,
 				CD9B621A1C7753D8005D4844 /* Base64.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
@@ -490,6 +498,7 @@
 				CD9B62291C7753EC005D4844 /* Claims.swift in Sources */,
 				CD9B622A1C7753EC005D4844 /* JWT.swift in Sources */,
 				CD9B622B1C7753EC005D4844 /* Decode.swift in Sources */,
+				277794071DF221F800573F3E /* ClaimSet.swift in Sources */,
 				CD9B622C1C7753EC005D4844 /* Base64.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
@@ -501,6 +510,7 @@
 				CD9B623B1C7753FB005D4844 /* Claims.swift in Sources */,
 				CD9B623C1C7753FB005D4844 /* JWT.swift in Sources */,
 				CD9B623D1C7753FB005D4844 /* Decode.swift in Sources */,
+				277794081DF221F800573F3E /* ClaimSet.swift in Sources */,
 				CD9B623E1C7753FB005D4844 /* Base64.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;

Sources/ClaimSet.swift

@@ -0,0 +1,199 @@
+public struct ClaimSet {
+  var claims: [String: Any]
+
+  public init(claims: [String: Any]? = nil) {
+    self.claims = claims ?? [:]
+  }
+
+  public subscript(key: String) -> Any? {
+    get {
+      return claims[key]
+    }
+
+    set {
+      if let newValue = newValue, let date = newValue as? Date {
+        claims[key] = date.timeIntervalSince1970
+      } else {
+        claims[key] = newValue
+      }
+    }
+  }
+}
+
+
+// MARK: Accessors
+
+extension ClaimSet {
+  public var issuer: String? {
+    get {
+      return claims["iss"] as? String
+    }
+
+    set {
+      claims["iss"] = newValue
+    }
+  }
+
+  public var audience: String? {
+    get {
+      return claims["aud"] as? String
+    }
+
+    set {
+      claims["aud"] = newValue
+    }
+  }
+
+  public var expiration: Date? {
+    get {
+      if let expiration = claims["exp"] as? TimeInterval {
+        return Date(timeIntervalSince1970: expiration)
+      }
+
+      return nil
+    }
+
+    set {
+      self["exp"] = newValue
+    }
+  }
+
+  public var notBefore: Date? {
+    get {
+      if let notBefore = claims["nbf"] as? TimeInterval {
+        return Date(timeIntervalSince1970: notBefore)
+      }
+
+      return nil
+    }
+
+    set {
+      self["nbf"] = newValue
+    }
+  }
+
+  public var issuedAt: Date? {
+    get {
+      if let issuedAt = claims["iat"] as? TimeInterval {
+        return Date(timeIntervalSince1970: issuedAt)
+      }
+
+      return nil
+    }
+
+    set {
+      self["iat"] = newValue
+    }
+  }
+}
+
+
+// MARK: Validations
+
+extension ClaimSet {
+  func validate(audience: String? = nil, issuer: String? = nil) throws {
+    if let issuer = issuer {
+      try validateIssuer(issuer)
+    }
+
+    if let audience = audience {
+      try validateAudience(audience)
+    }
+
+    try validateDate(claims, key: "exp", comparison: .orderedAscending, failure: .expiredSignature, decodeError: "Expiration time claim (exp) must be an integer")
+    try validateDate(claims, key: "nbf", comparison: .orderedDescending, failure: .immatureSignature, decodeError: "Not before claim (nbf) must be an integer")
+    try validateDate(claims, key: "iat", comparison: .orderedDescending, failure: .invalidIssuedAt, decodeError: "Issued at claim (iat) must be an integer")
+  }
+
+  func validateAudience(_ audience: String) throws {
+    if let aud = self["aud"] as? [String] {
+      if !aud.contains(audience) {
+        throw InvalidToken.invalidAudience
+      }
+    } else if let aud = self["aud"] as? String {
+      if aud != audience {
+        throw InvalidToken.invalidAudience
+      }
+    } else {
+      throw InvalidToken.decodeError("Invalid audience claim, must be a string or an array of strings")
+    }
+  }
+
+  func validateIssuer(_ issuer: String) throws {
+    if let iss = self["iss"] as? String {
+      if iss != issuer {
+        throw InvalidToken.invalidIssuer
+      }
+    } else {
+      throw InvalidToken.invalidIssuer
+    }
+  }
+}
+
+// MARK: Builder
+
+public class ClaimSetBuilder {
+  var claims = ClaimSet()
+
+  public var issuer: String? {
+    get {
+      return claims.issuer
+    }
+
+    set {
+      claims.issuer = newValue
+    }
+  }
+
+  public var audience: String? {
+    get {
+      return claims.audience
+    }
+
+    set {
+      claims.audience = newValue
+    }
+  }
+
+  public var expiration: Date? {
+    get {
+      return claims.expiration
+    }
+
+    set {
+      claims.expiration = newValue
+    }
+  }
+
+  public var notBefore: Date? {
+    get {
+      return claims.notBefore
+    }
+
+    set {
+      claims.notBefore = newValue
+    }
+  }
+
+  public var issuedAt: Date? {
+    get {
+      return claims.issuedAt
+    }
+
+    set {
+      claims.issuedAt = newValue
+    }
+  }
+
+  public subscript(key: String) -> Any? {
+    get {
+      return claims[key]
+    }
+
+    set {
+      claims[key] = newValue
+    }
+  }
+}
+
+typealias PayloadBuilder = ClaimSetBuilder

Sources/Claims.swift

@@ -1,43 +1,5 @@
 import Foundation
 
-func validateClaims(_ payload: Payload, audience: String?, issuer: String?) throws {
-  try validateIssuer(payload, issuer: issuer)
-  try validateAudience(payload, audience: audience)
-  try validateDate(payload, key: "exp", comparison: .orderedAscending, failure: .expiredSignature, decodeError: "Expiration time claim (exp) must be an integer")
-  try validateDate(payload, key: "nbf", comparison: .orderedDescending, failure: .immatureSignature, decodeError: "Not before claim (nbf) must be an integer")
-  try validateDate(payload, key: "iat", comparison: .orderedDescending, failure: .invalidIssuedAt, decodeError: "Issued at claim (iat) must be an integer")
-}
-
-func validateAudience(_ payload: Payload, audience: String?) throws {
-  guard let audience = audience else {
-    return
-  }
-
-  if let aud = payload["aud"] as? [String] {
-    if !aud.contains(audience) {
-      throw InvalidToken.invalidAudience
-    }
-  } else if let aud = payload["aud"] as? String {
-    if aud != audience {
-      throw InvalidToken.invalidAudience
-    }
-  } else {
-    throw InvalidToken.decodeError("Invalid audience claim, must be a string or an array of strings")
-  }
-}
-
-func validateIssuer(_ payload: Payload, issuer: String?) throws {
-  if let issuer = issuer {
-    if let iss = payload["iss"] as? String {
-      if iss != issuer {
-        throw InvalidToken.invalidIssuer
-      }
-    } else {
-      throw InvalidToken.invalidIssuer
-    }
-  }
-}
-
 func validateDate(_ payload:Payload, key:String, comparison:ComparisonResult, failure:InvalidToken, decodeError:String) throws {
   if payload[key] == nil {
     return

Sources/Decode.swift

@@ -47,24 +47,33 @@ public enum InvalidToken : CustomStringConvertible, Error {
 
 
 /// Decode a JWT
-public func decode(_ jwt:String, algorithms:[Algorithm], verify:Bool = true, audience:String? = nil, issuer:String? = nil) throws -> Payload {
-  let (header, payload, signature, signatureInput) = try load(jwt)
+func decode(_ jwt: String, algorithms: [Algorithm], verify: Bool = true, audience: String? = nil, issuer: String? = nil) throws -> ClaimSet {
+  let (header, claims, signature, signatureInput) = try load(jwt)
+
   if verify {
-    try validateClaims(payload, audience: audience, issuer: issuer)
+    try claims.validate(audience: audience, issuer: issuer)
     try verifySignature(algorithms, header: header, signingInput: signatureInput, signature: signature)
   }
 
-  return payload
+  return claims
 }
 
+
 /// Decode a JWT
-public func decode(_ jwt:String, algorithm:Algorithm, verify:Bool = true, audience:String? = nil, issuer:String? = nil) throws -> Payload {
-  return try decode(jwt, algorithms: [algorithm], verify: verify, audience: audience, issuer: issuer)
+public func decode(_ jwt: String, algorithms: [Algorithm], verify: Bool = true, audience: String? = nil, issuer: String? = nil) throws -> Payload {
+  return try decode(jwt, algorithms: algorithms, verify: verify, audience: audience, issuer: issuer).claims
 }
 
+
+/// Decode a JWT
+public func decode(_ jwt: String, algorithm: Algorithm, verify: Bool = true, audience: String? = nil, issuer: String? = nil) throws -> Payload {
+  return try decode(jwt, algorithms: [algorithm], verify: verify, audience: audience, issuer: issuer).claims
+}
+
+
 // MARK: Parsing a JWT
 
-func load(_ jwt:String) throws -> (header: Payload, payload: Payload, signature: Data, signatureInput: String) {
+func load(_ jwt:String) throws -> (header: Payload, payload: ClaimSet, signature: Data, signatureInput: String) {
   let segments = jwt.components(separatedBy: ".")
   if segments.count != 3 {
     throw InvalidToken.decodeError("Not enough segments")
@@ -98,7 +107,7 @@ func load(_ jwt:String) throws -> (header: Payload, payload: Payload, signature:
     throw InvalidToken.decodeError("Signature is not correctly encoded as base64")
   }
 
-  return (header: header!, payload: payload!, signature: signature, signatureInput: signatureInput)
+  return (header: header!, payload: ClaimSet(claims: payload!), signature: signature, signatureInput: signatureInput)
 }
 
 // MARK: Signature Verification