@@ -21,9 +21,10 @@ This implementation doesn't support the v1 protocol. Please note that v1 should
2121- [x] v2 local authentication (Blake2b and XChaCha20-Poly1305)
2222- [x] v2 public authentication (Ed25519 signatures)
2323- [x] JSON payload and footer processing
24- - [ ] Claims validation
25- - [ ] Integrated key ID (kid) support
24+ - [x] Registered claims validation
25+ - [x] Custom claims validation
2626- [ ] High-level token builder API
27+ - [ ] Integrated key ID (kid) support
2728- [ ] API documentation
2829
2930## Installation
@@ -66,48 +67,98 @@ __v2.local__ :
6667```
6768local paseto = require "paseto.v2"
6869
69- local key, payload_claims, token, footer_claims
70- local extracted_footer_claims, extracted_footer, decrypted_claims
71- payload_claims = {}
72- payload_claims["clientid"] = 100099
73- payload_claims["message"] = "secret"
74- footer_claims = { kid = "123456789" }
70+ local key, payload_claims, token, footer_claims, claim_rules
71+ local extracted_footer_claims, extracted_footer, decrypted_claims, enforced_claims
72+ payload_claims = {
73+ iss = "paragonie.com",
74+ jti = "87IFSGFgPNtQNNuw0AtuLttP",
75+ aud = "some-audience.com",
76+ sub = "test",
77+ iat = "2018-01-01T00:00:00+00:00",
78+ nbf = "2018-01-01T00:00:00+00:00",
79+ exp = "2099-01-01T00:00:00+00:00",
80+ data = "this is a secret message",
81+ myclaim = "required value"
82+ }
83+ footer_claims = { kid = "MDlCMUIwNzU4RTA2QzZFMDQ4" }
84+ claim_rules = {
85+ IssuedBy = "paragonie.com",
86+ IdentifiedBy = "87IFSGFgPNtQNNuw0AtuLttP",
87+ ForAudience = "some-audience.com",
88+ Subject = "test",
89+ NotExpired = true,
90+ ValidAt = true,
91+ ContainsClaim = "data",
92+ myclaim = "required value"
93+ }
7594
7695-- generate symmetric key
7796key = paseto.generate_symmetric_key()
7897
79- -- encrypt/decrypt without footer
98+ -- encrypt/decrypt without footer and without enforcing claim rules
8099token = paseto.encrypt(key, payload_claims)
81100decrypted_claims = paseto.decrypt(key, token)
82101
83- -- encrypt/decrypt with footer
102+ -- encrypt with footer
84103token = paseto.encrypt(key, payload_claims, footer_claims)
104+
105+ -- extract footer claims (e.g. to determine public key from kid claim)
85106extracted_footer_claims, extracted_footer = paseto.extract_footer_claims(token)
86- decrypted_claims = paseto.decrypt(key, token, extracted_footer)
107+
108+ -- decrypt without enforcing claim rules
109+ decrypted_claims = paseto.decrypt(key, token, nil, extracted_footer)
110+
111+ -- decrypt and enforce claim rules
112+ enforced_claims = paseto.decrypt(key, token, claim_rules, extracted_footer)
87113```
88114
89115__ v2.public__ :
90116```
91117local paseto = require "paseto.v2"
92118
93- local secret_key, public_key, payload_claims, token, footer_claims
94- local extracted_footer_claims, extracted_footer, verified_claims
95- payload_claims = {}
96- payload_claims["clientid"] = 100099
97- payload_claims["message"] = "secret"
98- footer_claims = { kid = "123456789" }
119+ local secret_key, public_key, payload_claims, token, footer_claims, claim_rules
120+ local extracted_footer_claims, extracted_footer, verified_claims, enforced_claims
121+ payload_claims = {
122+ iss = "paragonie.com",
123+ jti = "87IFSGFgPNtQNNuw0AtuLttP",
124+ aud = "some-audience.com",
125+ sub = "test",
126+ iat = "2018-01-01T00:00:00+00:00",
127+ nbf = "2018-01-01T00:00:00+00:00",
128+ exp = "2099-01-01T00:00:00+00:00",
129+ data = "this is a signed message",
130+ myclaim = "required value"
131+ }
132+ footer_claims = { kid = "MDlCMUIwNzU4RTA2QzZFMDQ4" }
133+ claim_rules = {
134+ IssuedBy = "paragonie.com",
135+ IdentifiedBy = "87IFSGFgPNtQNNuw0AtuLttP",
136+ ForAudience = "some-audience.com",
137+ Subject = "test",
138+ NotExpired = true,
139+ ValidAt = true,
140+ ContainsClaim = "data",
141+ myclaim = "required value"
142+ }
99143
100144-- generate key pair
101145secret_key, public_key = paseto.generate_asymmetric_secret_key()
102146
103- -- sign/verify without footer
147+ -- sign/verify without footer and without enforcing claim rules
104148token = paseto.sign(secret_key, payload_claims)
105149verified_claims = paseto.verify(public_key, token)
106150
107- -- sign/verify with footer
151+ -- sign with footer
108152token = paseto.sign(secret_key, payload_claims, footer_claims)
153+
154+ -- extract footer claims (e.g. to determine public key from kid claim)
109155extracted_footer_claims, extracted_footer = paseto.extract_footer_claims(token)
110- verified_claims = paseto.verify(public_key, token, extracted_footer)
156+
157+ -- verify without enforcing claim rules
158+ verified_claims = paseto.verify(public_key, token, nil, extracted_footer)
159+
160+ -- verify and enforce claim rules
161+ enforced_claims = paseto.verify(public_key, token, claim_rules, extracted_footer)
111162```
112163
113164#### Core API
0 commit comments