class JwtTagger

Defined in: tagger/taggers/jwt.cr

Constant Summary

- AUTH_PATH_PARTS = Set {"auth", "authenticate", "authentication", "login", "signin", "sign_in", "token", "refresh", "jwt"}

- EXCLUDED_TOKEN_NAMES = Set {"csrf_token", "xsrf_token", "authenticity_token", "anti_csrf_token", "captcha_token", "recaptcha_token", "turnstile_token"}

- NON_BEARER_SCHEMES = /\A\s*(basic|digest|negotiate|ntlm|hoba|aws4|hmac)\b/i

  HTTP auth schemes that are not bearer/JWT; when an Authorization value advertises one of these, the header is not a JWT signal.

- NON_JWT_TOKEN_HINTS = ["csrf", "xsrf", "captcha", "recaptcha", "turnstile", "authenticity", "nonce", "reset", "unlock", "confirmation", "verification", "invitation", "activation", "remember", "unsubscribe", "page", "pagination", "next", "continuation", "cursor", "sync"] of ::String

  Substrings that mark a *_token param as an opaque, non-JWT token: CSRF/anti-bot tokens, Rails/Devise lifecycle tokens (password reset, email confirmation, account unlock/activation, remember-me, invites), and API pagination cursors. These are random strings, not signed JWTs, so counting them as JWT signals produces false positives on otherwise auth-shaped routes.

- STRONG_NAMES = Set {"jwt", "bearer", "authorization", "access_token", "refresh_token", "id_token", "auth_token", "api_token", "x_api_token", "x_access_token"}
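As an added example (not the project's Crystal code), the following Ruby rendering shows how these constants combine into a JWT-signal decision for an Authorization header and for a *_token parameter. The jwt_shaped? structural check, the constructed sample token and the precedence between the lists are assumptions, not behaviour documented on this page.

```ruby
require "base64"
require "json"
require "set"

# Constants copied from the JwtTagger summary above (Ruby rendering).
NON_BEARER_SCHEMES = /\A\s*(basic|digest|negotiate|ntlm|hoba|aws4|hmac)\b/i
EXCLUDED_TOKEN_NAMES = %w[csrf_token xsrf_token authenticity_token anti_csrf_token
                          captcha_token recaptcha_token turnstile_token].to_set
NON_JWT_TOKEN_HINTS = %w[csrf xsrf captcha recaptcha turnstile authenticity nonce reset
                         unlock confirmation verification invitation activation remember
                         unsubscribe page pagination next continuation cursor sync]
STRONG_NAMES = %w[jwt bearer authorization access_token refresh_token id_token
                  auth_token api_token x_api_token x_access_token].to_set

# Hypothetical structural check (not on the page): three base64url segments
# whose first segment decodes to a JSON object carrying "alg". Signature
# verification is out of scope; this only decides whether a value looks like a JWT.
def jwt_shaped?(value)
  parts = value.to_s.split(".")
  return false unless parts.size == 3 && parts.all? { |p| p.match?(/\A[A-Za-z0-9_-]+\z/) }
  header = JSON.parse(Base64.urlsafe_decode64(parts[0]))
  header.is_a?(Hash) && header.key?("alg")
rescue ArgumentError, JSON::ParserError
  false
end

# An Authorization header is a JWT signal only when it does not advertise a
# non-bearer scheme and the credential itself is JWT-shaped.
def authorization_jwt_signal?(value)
  return false if value.nil? || NON_BEARER_SCHEMES.match?(value)
  jwt_shaped?(value.sub(/\A\s*bearer\s+/i, "").strip)
end

# A *_token parameter is a JWT signal when its name is neither excluded nor
# carries an opaque-token hint; strong names count by name alone, any other
# *_token name needs a JWT-shaped value. This precedence is an assumption.
def token_param_jwt_signal?(name, value = nil)
  n = name.to_s.downcase
  return false if EXCLUDED_TOKEN_NAMES.include?(n)
  return false if NON_JWT_TOKEN_HINTS.any? { |hint| n.include?(hint) }
  return true if STRONG_NAMES.include?(n)
  n.end_with?("_token") && !value.nil? && jwt_shaped?(value)
end

# Constructed, unsigned sample: real header segment, dummy signature segment.
def sample_jwt
  header  = Base64.urlsafe_encode64('{"alg":"HS256","typ":"JWT"}', padding: false)
  payload = Base64.urlsafe_encode64('{"sub":"demo"}', padding: false)
  "#{header}.#{payload}.dummysig"
end
```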