@@ -113,20 +113,6 @@ fn validate_decryption_keys(
113113///
114114/// The decryptor pins the expected algorithms. Tokens with different
115115/// algorithms will be rejected.
116- ///
117- /// ## Parameters
118- ///
119- /// - `alg` - The expected key encryption algorithm.
120- /// - `enc` - The expected content encryption algorithm.
121- /// - `keys` - One or more keys for decryption.
122- /// - `options` - Validation options for JWT claims.
123- ///
124- /// ## Returns
125- ///
126- /// `Ok(Decryptor)` configured and ready for use with
127- /// `decrypt_and_validate`, or `Error(JoseError(_))` if the key list is
128- /// empty, any key's `use` field is set but not `Encrypting`, or any key's
129- /// `key_ops` doesn't include `Decrypt` or `UnwrapKey`.
130116pub fn key_decryptor (
131117 alg : jwa . JweAlg ,
132118 enc : jwa . Enc ,
@@ -142,17 +128,6 @@ pub fn key_decryptor(
142128///
143129/// The decryptor pins the expected algorithms. Tokens with different
144130/// algorithms will be rejected.
145- ///
146- /// ## Parameters
147- ///
148- /// - `alg` - The expected PBES2 algorithm.
149- /// - `enc` - The expected content encryption algorithm.
150- /// - `password` - The password for key derivation.
151- /// - `options` - Validation options for JWT claims.
152- ///
153- /// ## Returns
154- ///
155- /// A `Decryptor` configured for use with `decrypt_and_validate`.
156131pub fn password_decryptor (
157132 alg : jwa . Pbes2Alg ,
158133 enc : jwa . Enc ,
@@ -170,19 +145,6 @@ pub fn password_decryptor(
170145///
171146/// Sets `typ: "JWT"` in the header. If the encryption key has a `kid`, it is
172147/// included in the JWE header.
173- ///
174- /// ## Parameters
175- ///
176- /// - `claims` - The JWT claims to encrypt.
177- /// - `alg` - The key encryption algorithm.
178- /// - `enc` - The content encryption algorithm.
179- /// - `key` - The encryption key.
180- ///
181- /// ## Returns
182- ///
183- /// `Ok(EncryptedJwt)` with the encrypted JWT ready for
184- /// serialization, or `Error(JoseError(_))` if key validation or encryption
185- /// fails.
186148pub fn encrypt_with_key (
187149 claims : jwt . Claims ,
188150 alg : jwa . JweAlg ,
@@ -213,19 +175,6 @@ fn do_encrypt_with_key(
213175/// Encrypt claims using PBES2 password-based encryption.
214176///
215177/// Sets `typ: "JWT"` in the header.
216- ///
217- /// ## Parameters
218- ///
219- /// - `claims` - The JWT claims to encrypt.
220- /// - `alg` - The PBES2 algorithm.
221- /// - `enc` - The content encryption algorithm.
222- /// - `password` - The password for key derivation.
223- /// - `kid` - Optional key ID to include in the header.
224- ///
225- /// ## Returns
226- ///
227- /// `Ok(EncryptedJwt)` with the encrypted JWT ready for
228- /// serialization, or `Error(JoseError(_))` if encryption fails.
229178pub fn encrypt_with_password (
230179 claims : jwt . Claims ,
231180 alg : jwa . Pbes2Alg ,
@@ -277,15 +226,6 @@ fn claims_to_plaintext(claims: jwt.Claims) -> BitArray {
277226}
278227
279228/// Serialize a decrypted encrypted JWT to compact format.
280- ///
281- /// ## Parameters
282- ///
283- /// - `jwt` - A `EncryptedJwt` from `encrypt_with_key`,
284- /// `encrypt_with_password`, or `decrypt_and_validate`.
285- ///
286- /// ## Returns
287- ///
288- /// The JWE compact serialization string.
289229pub fn serialize ( jwt : EncryptedJwt ) -> String {
290230 jwt . token
291231}
@@ -296,16 +236,6 @@ pub type PeekHeaders {
296236}
297237
298238/// Peek at the header fields from a token without decrypting.
299- ///
300- /// ## Parameters
301- ///
302- /// - `token` - The JWE compact serialization string.
303- ///
304- /// ## Returns
305- ///
306- /// `Ok(PeekHeaders)` with the algorithm, encryption, and optional key ID
307- /// from the header, or `Error(MalformedToken(_))` if the token cannot be
308- /// parsed.
309239pub fn peek_headers ( token : String ) -> Result ( PeekHeaders , jwt . JwtError ) {
310240 parse_jwe ( token )
311241 |> result . map ( fn ( parsed_jwe ) {
@@ -332,18 +262,6 @@ fn parse_jwe(
332262///
333263/// Still enforces algorithm pinning for security. **Note:** `kid_policy` only
334264/// applies to key-based decryptors, not password-based decryptors.
335- ///
336- /// ## Parameters
337- ///
338- /// - `decryptor` - A `Decryptor` created by `key_decryptor` or
339- /// `password_decryptor`.
340- /// - `token` - The JWE compact serialization string.
341- ///
342- /// ## Returns
343- ///
344- /// `Ok(EncryptedJwt)` with the decrypted JWT and accessible
345- /// claims, `Error(JweAlgorithmMismatch(_))` if the token's algorithms
346- /// don't match, or `Error(DecryptionFailed(_))` if decryption fails.
347265pub fn dangerously_decrypt_and_skip_validation (
348266 decryptor : Decryptor ,
349267 token : String ,
@@ -376,21 +294,6 @@ pub fn dangerously_decrypt_and_skip_validation(
376294/// - Keys with matching `kid` are tried first (if token has `kid` header)
377295/// - `kid_policy` controls kid header enforcement (see `KidPolicy` type)
378296/// - With `NoKidRequirement`, all keys are tried with matching keys prioritized
379- ///
380- /// ## Parameters
381- ///
382- /// - `decryptor` - A `Decryptor` created by `key_decryptor` or
383- /// `password_decryptor`.
384- /// - `token` - The JWE compact serialization string.
385- /// - `now` - The current timestamp for time-based claim validation.
386- ///
387- /// ## Returns
388- ///
389- /// `Ok(EncryptedJwt)` with the decrypted and validated JWT,
390- /// `Error(JweAlgorithmMismatch(_))` if the token's algorithms don't match
391- /// the decryptor's expected algorithms, `Error(DecryptionFailed(_))` if
392- /// decryption fails, or a claim validation error (`TokenExpired`,
393- /// `TokenNotYetValid`, etc.) if claim validation fails.
394297pub fn decrypt_and_validate (
395298 decryptor : Decryptor ,
396299 token : String ,
@@ -417,16 +320,6 @@ pub fn decrypt_and_validate(
417320///
418321/// This allows extracting claims directly into your own types using
419322/// `gleam/dynamic/decode`. The decoder receives the raw claims JSON.
420- ///
421- /// ## Parameters
422- ///
423- /// - `jwt` - A decrypted and validated encrypted JWT.
424- /// - `decoder` - A `gleam/dynamic/decode` decoder for the claims.
425- ///
426- /// ## Returns
427- ///
428- /// `Ok(a)` with the decoded claims value, or
429- /// `Error(ClaimDecodingFailed(_))` if decoding fails.
430323pub fn decode (
431324 jwt : EncryptedJwt ,
432325 decoder : decode . Decoder ( a) ,
@@ -436,27 +329,11 @@ pub fn decode(
436329}
437330
438331/// Get the key encryption algorithm (`alg`) from a decrypted and validated encrypted JWT.
439- ///
440- /// ## Parameters
441- ///
442- /// - `jwt` - The decrypted and validated encrypted JWT.
443- ///
444- /// ## Returns
445- ///
446- /// The `JweAlg` from the token's header.
447332pub fn alg ( jwt : EncryptedJwt ) -> jwa . JweAlg {
448333 jwt . alg
449334}
450335
451336/// Get the content encryption algorithm (`enc`) from a decrypted and validated encrypted JWT.
452- ///
453- /// ## Parameters
454- ///
455- /// - `jwt` - The decrypted and validated encrypted JWT.
456- ///
457- /// ## Returns
458- ///
459- /// The `Enc` from the token's header.
460337pub fn enc ( jwt : EncryptedJwt ) -> jwa . Enc {
461338 jwt . enc
462339}
@@ -466,14 +343,6 @@ pub fn enc(jwt: EncryptedJwt) -> jwa.Enc {
466343/// **Security Warning:** The `kid` value comes from the token and is untrusted
467344/// input. If you use it to look up keys (from a database, filesystem, or key
468345/// store), you must sanitize it first to prevent injection attacks.
469- ///
470- /// ## Parameters
471- ///
472- /// - `jwt` - The decrypted and validated encrypted JWT.
473- ///
474- /// ## Returns
475- ///
476- /// `Ok(String)` with the key ID, or `Error(Nil)` if no kid was set.
477346pub fn kid ( jwt : EncryptedJwt ) -> Result ( String , Nil ) {
478347 option . to_result ( jwt . kid , Nil )
479348}
0 commit comments