jti claim validator to it's own class

lib/jwt.rb

@@ -21,10 +21,10 @@
 require_relative 'jwt/dsl'
 
 require_relative 'jwt/validators/audience_claim_validator'
-require_relative 'jwt/validators/claims_validator'
 require_relative 'jwt/validators/expiration_claim_validator'
 require_relative 'jwt/validators/issued_at_claim_validator'
 require_relative 'jwt/validators/issuer_claim_validator'
+require_relative 'jwt/validators/jwt_id_claim_validator'
 require_relative 'jwt/validators/not_before_claim_validator'
 require_relative 'jwt/validators/numeric_claims_validator'
 require_relative 'jwt/validators/required_claims_validator'

lib/jwt/default_decoder.rb

@@ -85,7 +85,6 @@ def decode_segments
         verify_algo
         decode_context.validate_signature!
         decode_context.validate!(:claims)
-        verify_claims
       end
 
       [payload, header]
@@ -117,10 +116,6 @@ def resolve_allowed_algorithms
       end
     end
 
-    def verify_claims
-      Validators::ClaimsValidator.verify_claims(payload, @options)
-    end
-
     def alg_in_header
       decode_context.token.alg_in_header
     end

lib/jwt/validators/jwt_id_claim_validator.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module JWT
+  module Validators
+    class JwtIdClaimValidator
+      def initialize(validator:)
+        @validator = validator
+      end
+
+      def validate!(context:, **_args)
+        jti = context.payload['jti']
+        if validator.respond_to?(:call)
+          verified = validator.arity == 2 ? validator.call(jti, context.payload) : validator.call(jti)
+          raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
+        elsif jti.to_s.strip.empty?
+          raise(JWT::InvalidJtiError, 'Missing jti')
+        end
+      end
+
+      def type?(type)
+        type == :claims
+      end
+
+      private
+
+      attr_reader :validator
+    end
+  end
+end

spec/jwt/validators/jwt_id_claim_validator_spec.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+RSpec.describe ::JWT::Validators::JwtIdClaimValidator do
+  let(:jti) { 'some-random-uuid-or-whatever' }
+  let(:payload) { { 'jti' => jti } }
+  let(:validator) { nil }
+
+  subject(:validate!) { described_class.new(validator: validator).validate!(context: Struct.new(:payload).new(payload)) }
+  context 'when payload contains a jti' do
+    it 'passes validation' do
+      validate!
+    end
+  end
+
+  context 'when payload is missing a jti' do
+    let(:payload) { {} }
+    it 'raises JWT::InvalidJtiError' do
+      expect { validate! }.to raise_error(JWT::InvalidJtiError, 'Missing jti')
+    end
+  end
+
+  context 'when payload contains a jti that is an empty string' do
+    let(:jti) { '' }
+    it 'raises JWT::InvalidJtiError' do
+      expect { validate! }.to raise_error(JWT::InvalidJtiError, 'Missing jti')
+    end
+  end
+
+  context 'when payload contains a jti that is a blank string' do
+    let(:jti) { '   ' }
+    it 'raises JWT::InvalidJtiError' do
+      expect { validate! }.to raise_error(JWT::InvalidJtiError, 'Missing jti')
+    end
+  end
+
+  context 'when jti validator is a proc returning false' do
+    let(:validator) { ->(_jti) { false } }
+    it 'raises JWT::InvalidJtiError' do
+      expect { validate! }.to raise_error(JWT::InvalidJtiError, 'Invalid jti')
+    end
+  end
+
+  context 'when jti validator is a proc returning true' do
+    let(:validator) { ->(_jti) { true } }
+    it 'passes validation' do
+      validate!
+    end
+  end
+
+  context 'when jti validator has 2 args' do
+    let(:validator) { ->(_jti, _pl) { true } }
+    it 'passes validation' do
+      validate!
+    end
+  end
+
+  context 'when jti validator has 2 args' do
+    it 'the second arg is the payload' do
+      described_class.new(validator: ->(_jti, pl) { expect(pl).to eq(payload) }).validate!(context: Struct.new(:payload).new(payload))
+    end
+  end
+end