
Allow regular expressions and procs to verify issuer #437

Merged (5 commits) on Jan 13, 2022

Conversation

@rewritten (Contributor) commented Aug 3, 2021

This PR adds support for a regexp/callable object in issuer validation:

```ruby
JWT.decode(token, nil, true, verify_iss: true, iss: /some-regexp/)
JWT.decode(token, nil, true, verify_iss: true, iss: ->(issuer) { check_something(issuer) })
JWT.decode(token, nil, true, verify_iss: true, iss: method(:foo_bar))
```

The use case is when one has a generic public key resolver (using a block) and there is a need for additional restrictions in a specific context. Of course the rules here are completely arbitrary.

```ruby
require 'date'

# This endpoint will accept JWTs from all registered issuers.
class ApplicationController
  # Key finder block: JWT.decode yields the header and the (not yet verified)
  # claims, and the key is looked up by the token's issuer.
  PublicKeyRegistry = lambda do |_header, claims|
    retrieve_the_corresponding_public_key_or_null(claims['iss'])
  end

  def check_jwt
    token = request.authorization&.delete_prefix('Bearer ')
    JWT.decode(token, nil, true, verify_iss: true, iss: allowed_issuers, algorithm: 'HS256', &PublicKeyRegistry)
  end

  # An empty regexp matches any issuer string.
  def allowed_issuers = //
end

# This endpoint will only accept calls from a subset of the registered issuers.
class ChildController < ApplicationController
  # only issuers namespaced on one service
  def allowed_issuers = ->(iss) { iss.start_with?('my-internal-service') }
end

# This endpoint will only accept calls from a subset of the registered issuers.
class NewController < ApplicationController
  # only issuers with the current year
  def allowed_issuers = ->(iss) { iss[/\d{4}/].to_i == Date.today.year }
end
```
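An added example, not the PR author's code and not the jwt gem's own implementation: a stand-alone Ruby re-creation of the matching semantics described above (a String compares by equality, a Regexp by match, and a Proc, lambda or Method object is called with the issuer and its truthiness decides), wired to a minimal HS256 encode/decode so it runs with the standard library alone. All helper names, the secret and the three sample tokens are constructed for the demo. It also exercises the checks a practitioner would want around this feature: `//` accepts any string issuer but not a missing `iss` claim, an unanchored regexp lets a look-alike issuer through unless anchored with `\A`, and a callable must tolerate a `nil` issuer.

```ruby
# Added example (not the jwt gem's code): re-implements the issuer-matching
# semantics described in the PR and pairs them with a minimal HS256 JWT so the
# file runs with only the Ruby standard library. All names here are invented.
require 'openssl'
require 'base64'
require 'json'

class InvalidIssuerError < StandardError; end

# One matcher or an Array of matchers. `case`/`when` dispatches on `===`, so a
# String compares by equality, a Regexp by match, and a Proc, lambda or Method
# object is called with the issuer and its truthiness decides.
def issuer_allowed?(iss, allowed)
  case iss
  when *Array(allowed) then true
  else false
  end
end

# Skipped when no expectation is configured, raises otherwise.
def verify_iss!(payload, allowed)
  return if allowed.nil?
  iss = payload['iss']
  return if issuer_allowed?(iss, allowed)

  raise InvalidIssuerError,
        "Invalid issuer. Expected #{Array(allowed).inspect}, received #{iss || '<none>'}"
end

# --- minimal HS256 helpers (demo only; use a maintained library in production) ---
def b64url(data)
  Base64.urlsafe_encode64(data, padding: false)
end

# Constant-time byte comparison so a forged signature cannot be timed.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def hs256_encode(payload, secret)
  header = b64url(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))
  body   = b64url(JSON.generate(payload))
  sig    = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}")
  "#{header}.#{body}.#{b64url(sig)}"
end

# Verifies the signature first, pins alg to HS256, then applies the issuer rule.
def hs256_decode(token, secret, allowed_iss: nil)
  header, body, sig = token.to_s.split('.', 3)
  raise ArgumentError, 'malformed token' unless header && body && sig

  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{body}")
  raise ArgumentError, 'bad signature' unless secure_equal?(expected, Base64.urlsafe_decode64(sig))
  raise ArgumentError, 'unexpected alg' unless JSON.parse(Base64.urlsafe_decode64(header))['alg'] == 'HS256'

  payload = JSON.parse(Base64.urlsafe_decode64(body))
  verify_iss!(payload, allowed_iss)
  payload
end

# A Method object works as a matcher too (Method#=== calls it).
def first_party_issuer?(iss)
  iss.to_s.match?(%r{\Amy-internal-service/})
end

# Constructed demo data: a fixed secret and three tokens with different issuers.
DEMO_SECRET = 'demo-only-secret'.freeze
DEMO_TOKENS = {
  internal:  hs256_encode({ 'iss' => 'my-internal-service/auth', 'sub' => 'u1' }, DEMO_SECRET),
  lookalike: hs256_encode({ 'iss' => 'evil.example/my-internal-service', 'sub' => 'u2' }, DEMO_SECRET),
  no_iss:    hs256_encode({ 'sub' => 'u3' }, DEMO_SECRET)
}.freeze

# true when the token verifies and its issuer passes `allowed`, false on issuer rejection.
def accepted?(token, allowed)
  hs256_decode(token, DEMO_SECRET, allowed_iss: allowed)
  true
rescue InvalidIssuerError
  false
end

if $PROGRAM_NAME == __FILE__
  # // accepts any string issuer but not a missing claim (Regexp#=== nil is false).
  p accepted?(DEMO_TOKENS[:internal], //)                              # true
  p accepted?(DEMO_TOKENS[:no_iss], //)                                # false
  # An unanchored pattern lets a look-alike issuer through; anchor with \A.
  p accepted?(DEMO_TOKENS[:lookalike], /my-internal-service/)          # true (too loose)
  p accepted?(DEMO_TOKENS[:lookalike], %r{\Amy-internal-service/})     # false
  # A callable receives nil when the claim is absent, so guard with to_s.
  p accepted?(DEMO_TOKENS[:no_iss], ->(iss) { iss.to_s.start_with?('my-internal-service') }) # false
  # Matchers of different kinds can be mixed in one Array.
  p accepted?(DEMO_TOKENS[:internal], ['legacy-issuer', method(:first_party_issuer?)]) # true
end
```

The `case`/`when` splat is what makes one code path serve strings, regexps and callables: each matcher's own `===` is consulted in turn, and the Array form is still accepted. Note that a lambda matcher is invoked with exactly one argument, so a lambda of a different arity will raise rather than silently fail.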

@sourcelevel-bot commented

Hello, @rewritten! This is your first Pull Request that will be reviewed by SourceLevel, an automatic Code Review service. It will leave comments on this diff with potential issues and style violations found in the code as you push new commits. You can also see all the issues found on this Pull Request on its review page. Please check our documentation for more information.

@rewritten force-pushed the verify-issuer-with-proc-and-regexp branch from 881e688 to fb3f4eb on August 3, 2021 12:33

Review comment on the README diff:

```ruby
JWT.decode token, hmac_secret, true,
  iss: method(:valid_issuer?),
```

Member commented:

Does the method definition need to be before calling JWT.decode?

@rewritten (Contributor Author) commented Aug 24, 2021

Method definition order does not matter, they are all available when an instance is created. Of course I expect the valid_issuer? method to be defined at the class level, not inside the same code block.

Member commented:

If this had been a script or a snippet pasted into a console, I think the order would matter.

@rewritten rewritten requested a review from anakinj August 24, 2021 15:25
@anakinj (Member) commented Oct 1, 2021

@rewritten Are you planning on continuing with the feature? Just ignoring the tests on the old Rubies would be enough to get the workflow happy.

Also thinking that after the next release we will drop official support for EOLed Rubies, and this PR can be merged without changes.

@rewritten (Contributor Author) commented

@anakinj owww I completely missed your message. I will keep this PR updated to the latest master and make it work on non-EOLed rubies (and therefore I don't have to dance around them)

@anakinj (Member) commented Dec 28, 2021

@rewritten EOL ruby support is now dropped from the master branch. Think a rebase will make everything greener.

@rewritten (Contributor Author) commented

I'll rebase this week

@rewritten force-pushed the verify-issuer-with-proc-and-regexp branch from 5adee48 to bb9f7b9 on January 13, 2022 17:19

@sourcelevel-bot commented

SourceLevel has finished reviewing this Pull Request and has found:

  • 1 possible new issue (including those that may have been commented here).

@rewritten (Contributor Author) commented

@anakinj ready for CI

@rewritten (Contributor Author) commented

Should be fixed now - I have run rubocop locally and it does not complain anymore

@anakinj anakinj merged commit 8a84340 into jwt:master Jan 13, 2022
@anakinj (Member) commented Jan 13, 2022

Thanks for your contribution @rewritten. Highly appreciated.

@rewritten (Contributor Author) commented

NP, count on me for further PRs if you want to offload work
