Skip to content

Commit e1e62fd

Browse files
committed
docs: remove boilerplate parameter/return sections
Remove ## Parameters / ## Returns sections that restate type signatures from ~171 doc comments across all public modules. Preserve non-obvious behavioral notes, security warnings, and examples. Fix README typo and broken encrypted_jwk module example.
1 parent 0ba3392 commit e1e62fd

10 files changed

Lines changed: 11 additions & 1580 deletions

File tree

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ A Gleam implementation of JOSE (JSON Object Signing and Encryption) standards:
1919

2020
## Should you use this?
2121

22-
My professional opinion as a long-time security engineering practitioner is that you should basically never use JWT, JWS, or JWE in a greenfield system. This library was created for the purpose of integrting with existing systems that already use these standards (like ACME). I wouldn't recommend it if you were starting something new where you control the environment.
22+
My professional opinion as a long-time security engineering practitioner is that you should basically never use JWT, JWS, or JWE in a greenfield system. This library was created for the purpose of integrating with existing systems that already use these standards (like ACME). I wouldn't recommend it if you were starting something new where you control the environment.
2323

2424
## Installation
2525

src/gose.gleam

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -28,14 +28,6 @@ pub type GoseError {
2828
}
2929

3030
/// Extract the message string from a GoseError, regardless of variant.
31-
///
32-
/// ## Parameters
33-
///
34-
/// - `error` - The error to extract the message from.
35-
///
36-
/// ## Returns
37-
///
38-
/// The human-readable description string contained in the error variant.
3931
pub fn error_message(error: GoseError) -> String {
4032
case error {
4133
ParseError(msg) -> msg

src/gose/encrypted_jwk.gleam

Lines changed: 2 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -27,10 +27,10 @@
2727
//// )
2828
////
2929
//// // Import it back
30-
//// let decryptor = jwe.key_decryptor(
30+
//// let assert Ok(decryptor) = jwe.key_decryptor(
3131
//// jwa.JweDirect,
3232
//// jwa.AesGcm(jwa.Aes256),
33-
//// wrapping_key,
33+
//// [wrapping_key],
3434
//// )
3535
//// let assert Ok(recovered) = encrypted_jwk.decrypt(decryptor, encrypted)
3636
//// ```
@@ -78,16 +78,6 @@ import gose/jwk
7878
/// Works for all algorithms. Create a decryptor with `jwe.key_decryptor`
7979
/// for key-based algorithms or `jwe.password_decryptor` for PBES2.
8080
///
81-
/// ## Parameters
82-
///
83-
/// - `decryptor` - A decryptor created with `jwe.key_decryptor` or `jwe.password_decryptor`.
84-
/// - `encrypted` - The encrypted JWE in compact format.
85-
///
86-
/// ## Returns
87-
///
88-
/// `Ok(Jwk)` with the decrypted and parsed key, or `Error(GoseError)` if
89-
/// decryption or parsing fails.
90-
///
9181
/// ## Example
9282
///
9383
/// ```gleam
@@ -123,18 +113,6 @@ pub fn decrypt(
123113
/// - `JweEcdhEs(_)`: EC or XDH key
124114
///
125115
/// If the encryption key has a `kid`, it is included in the JWE header.
126-
///
127-
/// ## Parameters
128-
///
129-
/// - `key` - The JWK to export.
130-
/// - `alg` - The JWE key encryption algorithm to use.
131-
/// - `enc` - The content encryption algorithm to use.
132-
/// - `encryption_key` - The key used to encrypt the JWK.
133-
///
134-
/// ## Returns
135-
///
136-
/// `Ok(String)` with the encrypted JWE in compact format, or
137-
/// `Error(GoseError)` if serialization or encryption fails.
138116
pub fn encrypt_with_key(
139117
key: jwk.Jwk,
140118
alg alg: jwa.JweAlg,
@@ -160,18 +138,6 @@ pub fn encrypt_with_key(
160138
/// This is the most common method for protecting stored keys with a password.
161139
/// The JWK is serialized to JSON, then encrypted using the specified PBES2
162140
/// algorithm and content encryption algorithm.
163-
///
164-
/// ## Parameters
165-
///
166-
/// - `key` - The JWK to export.
167-
/// - `alg` - The PBES2 algorithm variant to use.
168-
/// - `enc` - The content encryption algorithm to use.
169-
/// - `password` - The password to protect the key with.
170-
///
171-
/// ## Returns
172-
///
173-
/// `Ok(String)` with the encrypted JWE in compact format, or
174-
/// `Error(GoseError)` if serialization or encryption fails.
175141
pub fn encrypt_with_password(
176142
key: jwk.Jwk,
177143
alg alg: jwa.Pbes2Alg,

src/gose/encrypted_jwt.gleam

Lines changed: 0 additions & 131 deletions
Original file line numberDiff line numberDiff line change
@@ -113,20 +113,6 @@ fn validate_decryption_keys(
113113
///
114114
/// The decryptor pins the expected algorithms. Tokens with different
115115
/// algorithms will be rejected.
116-
///
117-
/// ## Parameters
118-
///
119-
/// - `alg` - The expected key encryption algorithm.
120-
/// - `enc` - The expected content encryption algorithm.
121-
/// - `keys` - One or more keys for decryption.
122-
/// - `options` - Validation options for JWT claims.
123-
///
124-
/// ## Returns
125-
///
126-
/// `Ok(Decryptor)` configured and ready for use with
127-
/// `decrypt_and_validate`, or `Error(JoseError(_))` if the key list is
128-
/// empty, any key's `use` field is set but not `Encrypting`, or any key's
129-
/// `key_ops` doesn't include `Decrypt` or `UnwrapKey`.
130116
pub fn key_decryptor(
131117
alg: jwa.JweAlg,
132118
enc: jwa.Enc,
@@ -142,17 +128,6 @@ pub fn key_decryptor(
142128
///
143129
/// The decryptor pins the expected algorithms. Tokens with different
144130
/// algorithms will be rejected.
145-
///
146-
/// ## Parameters
147-
///
148-
/// - `alg` - The expected PBES2 algorithm.
149-
/// - `enc` - The expected content encryption algorithm.
150-
/// - `password` - The password for key derivation.
151-
/// - `options` - Validation options for JWT claims.
152-
///
153-
/// ## Returns
154-
///
155-
/// A `Decryptor` configured for use with `decrypt_and_validate`.
156131
pub fn password_decryptor(
157132
alg: jwa.Pbes2Alg,
158133
enc: jwa.Enc,
@@ -170,19 +145,6 @@ pub fn password_decryptor(
170145
///
171146
/// Sets `typ: "JWT"` in the header. If the encryption key has a `kid`, it is
172147
/// included in the JWE header.
173-
///
174-
/// ## Parameters
175-
///
176-
/// - `claims` - The JWT claims to encrypt.
177-
/// - `alg` - The key encryption algorithm.
178-
/// - `enc` - The content encryption algorithm.
179-
/// - `key` - The encryption key.
180-
///
181-
/// ## Returns
182-
///
183-
/// `Ok(EncryptedJwt)` with the encrypted JWT ready for
184-
/// serialization, or `Error(JoseError(_))` if key validation or encryption
185-
/// fails.
186148
pub fn encrypt_with_key(
187149
claims: jwt.Claims,
188150
alg: jwa.JweAlg,
@@ -213,19 +175,6 @@ fn do_encrypt_with_key(
213175
/// Encrypt claims using PBES2 password-based encryption.
214176
///
215177
/// Sets `typ: "JWT"` in the header.
216-
///
217-
/// ## Parameters
218-
///
219-
/// - `claims` - The JWT claims to encrypt.
220-
/// - `alg` - The PBES2 algorithm.
221-
/// - `enc` - The content encryption algorithm.
222-
/// - `password` - The password for key derivation.
223-
/// - `kid` - Optional key ID to include in the header.
224-
///
225-
/// ## Returns
226-
///
227-
/// `Ok(EncryptedJwt)` with the encrypted JWT ready for
228-
/// serialization, or `Error(JoseError(_))` if encryption fails.
229178
pub fn encrypt_with_password(
230179
claims: jwt.Claims,
231180
alg: jwa.Pbes2Alg,
@@ -277,15 +226,6 @@ fn claims_to_plaintext(claims: jwt.Claims) -> BitArray {
277226
}
278227

279228
/// Serialize a decrypted encrypted JWT to compact format.
280-
///
281-
/// ## Parameters
282-
///
283-
/// - `jwt` - A `EncryptedJwt` from `encrypt_with_key`,
284-
/// `encrypt_with_password`, or `decrypt_and_validate`.
285-
///
286-
/// ## Returns
287-
///
288-
/// The JWE compact serialization string.
289229
pub fn serialize(jwt: EncryptedJwt) -> String {
290230
jwt.token
291231
}
@@ -296,16 +236,6 @@ pub type PeekHeaders {
296236
}
297237

298238
/// Peek at the header fields from a token without decrypting.
299-
///
300-
/// ## Parameters
301-
///
302-
/// - `token` - The JWE compact serialization string.
303-
///
304-
/// ## Returns
305-
///
306-
/// `Ok(PeekHeaders)` with the algorithm, encryption, and optional key ID
307-
/// from the header, or `Error(MalformedToken(_))` if the token cannot be
308-
/// parsed.
309239
pub fn peek_headers(token: String) -> Result(PeekHeaders, jwt.JwtError) {
310240
parse_jwe(token)
311241
|> result.map(fn(parsed_jwe) {
@@ -332,18 +262,6 @@ fn parse_jwe(
332262
///
333263
/// Still enforces algorithm pinning for security. **Note:** `kid_policy` only
334264
/// applies to key-based decryptors, not password-based decryptors.
335-
///
336-
/// ## Parameters
337-
///
338-
/// - `decryptor` - A `Decryptor` created by `key_decryptor` or
339-
/// `password_decryptor`.
340-
/// - `token` - The JWE compact serialization string.
341-
///
342-
/// ## Returns
343-
///
344-
/// `Ok(EncryptedJwt)` with the decrypted JWT and accessible
345-
/// claims, `Error(JweAlgorithmMismatch(_))` if the token's algorithms
346-
/// don't match, or `Error(DecryptionFailed(_))` if decryption fails.
347265
pub fn dangerously_decrypt_and_skip_validation(
348266
decryptor: Decryptor,
349267
token: String,
@@ -376,21 +294,6 @@ pub fn dangerously_decrypt_and_skip_validation(
376294
/// - Keys with matching `kid` are tried first (if token has `kid` header)
377295
/// - `kid_policy` controls kid header enforcement (see `KidPolicy` type)
378296
/// - With `NoKidRequirement`, all keys are tried with matching keys prioritized
379-
///
380-
/// ## Parameters
381-
///
382-
/// - `decryptor` - A `Decryptor` created by `key_decryptor` or
383-
/// `password_decryptor`.
384-
/// - `token` - The JWE compact serialization string.
385-
/// - `now` - The current timestamp for time-based claim validation.
386-
///
387-
/// ## Returns
388-
///
389-
/// `Ok(EncryptedJwt)` with the decrypted and validated JWT,
390-
/// `Error(JweAlgorithmMismatch(_))` if the token's algorithms don't match
391-
/// the decryptor's expected algorithms, `Error(DecryptionFailed(_))` if
392-
/// decryption fails, or a claim validation error (`TokenExpired`,
393-
/// `TokenNotYetValid`, etc.) if claim validation fails.
394297
pub fn decrypt_and_validate(
395298
decryptor: Decryptor,
396299
token: String,
@@ -417,16 +320,6 @@ pub fn decrypt_and_validate(
417320
///
418321
/// This allows extracting claims directly into your own types using
419322
/// `gleam/dynamic/decode`. The decoder receives the raw claims JSON.
420-
///
421-
/// ## Parameters
422-
///
423-
/// - `jwt` - A decrypted and validated encrypted JWT.
424-
/// - `decoder` - A `gleam/dynamic/decode` decoder for the claims.
425-
///
426-
/// ## Returns
427-
///
428-
/// `Ok(a)` with the decoded claims value, or
429-
/// `Error(ClaimDecodingFailed(_))` if decoding fails.
430323
pub fn decode(
431324
jwt: EncryptedJwt,
432325
decoder: decode.Decoder(a),
@@ -436,27 +329,11 @@ pub fn decode(
436329
}
437330

438331
/// Get the key encryption algorithm (`alg`) from a decrypted and validated encrypted JWT.
439-
///
440-
/// ## Parameters
441-
///
442-
/// - `jwt` - The decrypted and validated encrypted JWT.
443-
///
444-
/// ## Returns
445-
///
446-
/// The `JweAlg` from the token's header.
447332
pub fn alg(jwt: EncryptedJwt) -> jwa.JweAlg {
448333
jwt.alg
449334
}
450335

451336
/// Get the content encryption algorithm (`enc`) from a decrypted and validated encrypted JWT.
452-
///
453-
/// ## Parameters
454-
///
455-
/// - `jwt` - The decrypted and validated encrypted JWT.
456-
///
457-
/// ## Returns
458-
///
459-
/// The `Enc` from the token's header.
460337
pub fn enc(jwt: EncryptedJwt) -> jwa.Enc {
461338
jwt.enc
462339
}
@@ -466,14 +343,6 @@ pub fn enc(jwt: EncryptedJwt) -> jwa.Enc {
466343
/// **Security Warning:** The `kid` value comes from the token and is untrusted
467344
/// input. If you use it to look up keys (from a database, filesystem, or key
468345
/// store), you must sanitize it first to prevent injection attacks.
469-
///
470-
/// ## Parameters
471-
///
472-
/// - `jwt` - The decrypted and validated encrypted JWT.
473-
///
474-
/// ## Returns
475-
///
476-
/// `Ok(String)` with the key ID, or `Error(Nil)` if no kid was set.
477346
pub fn kid(jwt: EncryptedJwt) -> Result(String, Nil) {
478347
option.to_result(jwt.kid, Nil)
479348
}

0 commit comments

Comments
 (0)