Remove duplicate key detection from JWT.decode API in favor of EncodedToken API

Author: ydah

README.md

@@ -327,31 +327,24 @@ encoded_token.payload # => {"pay"=>"load"}
 
 ## Duplicate Claim Name Detection
 
-RFC 7519 Section 4 specifies that claim names within a JWT Claims Set MUST be unique. By default, ruby-jwt follows ECMAScript 5.1 behavior and uses the last value for duplicate keys. You can enable strict duplicate key detection to reject JWTs with duplicate claim names.
+RFC 7519 Section 4 specifies that claim names within a JWT Claims Set MUST be unique. By default, ruby-jwt follows ECMAScript 5.1 behavior and uses the last value for duplicate keys. You can enable strict duplicate key detection to reject JWTs with duplicate claim names using the `EncodedToken` API.
 
-### Rejecting Duplicate Keys
+### Using EncodedToken API
 
 ```ruby
-# Reject JWTs with duplicate keys in header or payload
+# Enable strict duplicate key detection
+token = JWT::EncodedToken.new(jwt_string)
+token.raise_on_duplicate_keys!
+
 begin
-  JWT.decode(token, secret, true, algorithm: 'HS256', allow_duplicate_keys: false)
+  token.verify_signature!(algorithm: 'HS256', key: secret)
+  token.verify_claims!
+  token.payload
 rescue JWT::DuplicateKeyError => e
   puts "Duplicate key detected: #{e.message}"
 end
 ```
 
-### Global Configuration
-
-```ruby
-# Globally reject duplicate keys
-JWT.configure do |config|
-  config.decode.allow_duplicate_keys = false
-end
-
-# Per-decode override
-JWT.decode(token, secret, true, algorithm: 'HS256', allow_duplicate_keys: true)
-```
-
 This is recommended for security-sensitive applications to prevent attacks that exploit different systems reading different values from the same JWT.
 
 ## Claims

lib/jwt/configuration/decode_configuration.rb

@@ -24,8 +24,6 @@ class DecodeConfiguration
       #   @return [Array<String>] the list of acceptable algorithms.
       # @!attribute [rw] required_claims
       #   @return [Array<String>] the list of required claims.
-      # @!attribute [rw] allow_duplicate_keys
-      #   @return [Boolean] whether to allow duplicate keys in JWT header and payload.
 
       attr_accessor :verify_expiration,
                     :verify_not_before,
@@ -36,8 +34,7 @@ class DecodeConfiguration
                     :verify_sub,
                     :leeway,
                     :algorithms,
-                    :required_claims,
-                    :allow_duplicate_keys
+                    :required_claims
 
       # Initializes a new DecodeConfiguration instance with default settings.
       def initialize
@@ -51,7 +48,6 @@ def initialize
         @leeway = 0
         @algorithms = ['HS256']
         @required_claims = []
-        @allow_duplicate_keys = true
       end
 
       # @api private
@@ -66,8 +62,7 @@ def to_h
           verify_sub: verify_sub,
           leeway: leeway,
           algorithms: algorithms,
-          required_claims: required_claims,
-          allow_duplicate_keys: allow_duplicate_keys
+          required_claims: required_claims
         }
       end
     end

lib/jwt/decode.rb

@@ -22,7 +22,7 @@ class Decode
     def initialize(jwt, key, verify, options, &keyfinder)
       raise JWT::DecodeError, 'Nil JSON web token' unless jwt
 
-      @token = EncodedToken.new(jwt, allow_duplicate_keys: allow_duplicate_keys?(options))
+      @token = EncodedToken.new(jwt)
       @key = key
       @options = options
       @verify = verify
@@ -119,11 +119,5 @@ def none_algorithm?
     def alg_in_header
       token.header['alg']
     end
-
-    def allow_duplicate_keys?(options)
-      return options[:allow_duplicate_keys] if options.key?(:allow_duplicate_keys)
-
-      JWT.configuration.decode.allow_duplicate_keys
-    end
   end
 end

lib/jwt/encoded_token.rb

@@ -39,20 +39,34 @@ def payload
     # Initializes a new EncodedToken instance.
     #
     # @param jwt [String] the encoded JWT token.
-    # @param allow_duplicate_keys [Boolean] whether to allow duplicate keys in header/payload (default: true).
     # @raise [ArgumentError] if the provided JWT is not a String.
-    # @raise [JWT::DuplicateKeyError] if allow_duplicate_keys is false and duplicate keys are found.
-    def initialize(jwt, allow_duplicate_keys: true)
+    def initialize(jwt)
       raise ArgumentError, 'Provided JWT must be a String' unless jwt.is_a?(String)
 
       @jwt = jwt
-      @allow_duplicate_keys = allow_duplicate_keys
+      @allow_duplicate_keys = true
       @signature_verified = false
       @claims_verified    = false
 
       @encoded_header, @encoded_payload, @encoded_signature = jwt.split('.')
     end
 
+    # Enables strict duplicate key detection for this token.
+    # When called, the token will raise JWT::DuplicateKeyError if duplicate keys
+    # are found in the header or payload during parsing.
+    #
+    # @example
+    #   token = JWT::EncodedToken.new(jwt_string)
+    #   token.raise_on_duplicate_keys!
+    #   token.header # May raise JWT::DuplicateKeyError
+    #
+    # @return [self]
+    # @raise [JWT::DuplicateKeyError] if duplicate keys are found during subsequent parsing.
+    def raise_on_duplicate_keys!
+      @allow_duplicate_keys = false
+      self
+    end
+
     # Returns the decoded signature of the JWT token.
     #
     # @return [String] the decoded signature.

lib/jwt/json.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 require 'json'
-require 'strscan'
 
 module JWT
   # JSON parsing utilities with duplicate key detection support
@@ -29,101 +28,12 @@ def generate(data)
       #   JWT::JSON.parse('{"a":1,"a":2}', allow_duplicate_keys: false)
       #   # => raises JWT::DuplicateKeyError
       def parse(data, allow_duplicate_keys: true)
-        DuplicateKeyChecker.check!(data) unless allow_duplicate_keys
-        ::JSON.parse(data)
-      end
-    end
-
-    # @api private
-    # Checks for duplicate keys in a JSON string using a StringScanner-based tokenizer
-    # rubocop:disable Style/RedundantRegexpArgument
-    class DuplicateKeyChecker
-      def self.check!(json_str)
-        new(json_str).check!
-      end
-
-      def initialize(json_str)
-        @scanner = StringScanner.new(json_str)
-        @seen_keys_stack = [[]]
-        @depth = 0
-        @in_array_stack = [false]
-      end
-
-      def check!
-        scan_tokens until @scanner.eos?
-      end
-
-      private
-
-      def scan_tokens # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
-        skip_whitespace
-        return if @scanner.eos?
-
-        if @scanner.scan(/\{/)
-          handle_object_start
-        elsif @scanner.scan(/\}/)
-          handle_container_end
-        elsif @scanner.scan(/\[/)
-          handle_array_start
-        elsif @scanner.scan(/\]/)
-          @depth -= 1
-        elsif @scanner.scan(/,/) || @scanner.scan(/:/)
-          # skip comma and colon
-        elsif @scanner.scan(/"/)
-          handle_string
-        elsif @scanner.scan(/-?[0-9]+(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?/)
-          # skip number
-        elsif @scanner.scan(/true|false|null/)
-          # skip literal
-        else
-          @scanner.getch
-        end
-      end
-
-      def skip_whitespace
-        @scanner.scan(/\s+/)
-      end
-
-      def handle_object_start
-        @depth += 1
-        @seen_keys_stack[@depth] = []
-        @in_array_stack[@depth] = false
-      end
-
-      def handle_array_start
-        @depth += 1
-        @seen_keys_stack[@depth] = []
-        @in_array_stack[@depth] = true
-      end
-
-      def handle_container_end
-        @depth -= 1
-      end
-
-      def handle_string
-        str = scan_string_content
-        check_if_key(str)
-      end
-
-      def scan_string_content
-        str = +''
-        str << (@scanner.getch || '') until @scanner.scan(/"/)
-        str
-      end
-
-      def check_if_key(str)
-        return if @in_array_stack[@depth]
-
-        pos = @scanner.pos
-        skip_whitespace
-        if @scanner.peek(1) == ':'
-          raise JWT::DuplicateKeyError, "Duplicate key detected: #{str}" if @seen_keys_stack[@depth].include?(str)
+        ::JSON.parse(data, allow_duplicate_key: allow_duplicate_keys)
+      rescue ::JSON::ParserError => e
+        raise JWT::DuplicateKeyError, e.message if e.message.include?('duplicate key')
 
-          @seen_keys_stack[@depth] << str
-        end
-        @scanner.pos = pos
+        raise
       end
     end
-    # rubocop:enable Style/RedundantRegexpArgument
   end
 end

ruby-jwt.gemspec

@@ -32,6 +32,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = %w[lib]
 
   spec.add_dependency 'base64'
+  spec.add_dependency 'json', '>= 2.13.0'
 
   spec.add_development_dependency 'appraisal'
   spec.add_development_dependency 'bundler'