Add duplicate claim name detection per RFC 7519 Section 4

[ydah]

Description

Implements duplicate claim name detection as specified in RFC 7519 Section 4, which states:

The Claim Names within a JWT Claims Set MUST be unique; JWT parsers MUST either reject JWTs with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate member name.

see: https://datatracker.ietf.org/doc/html/rfc7519#section-4

This feature allows users to reject JWTs that contain duplicate keys in the header or payload, which is recommended for security-sensitive applications to prevent claim confusion attacks.

Checklist

Before the PR can be merged be sure the following are checked:

• There are tests for the fix or feature added/changed
• A description of the changes and a reference to the PR has been added to CHANGELOG.md. More details in the CONTRIBUTING.md

[anakinj]

Overall I support this feature and think it should be the default behavior.

My biggest concern is adding a lot of logic to this now it will stay and live in the gem in the future.

Would almost just like to require json >= 2.13.0 and always parse the json with allow_duplicate_key: false. Then ship a jwt gem with this potentially breaking change. If needed we can then add a feature to loosen this behavior by for example allowing swapping the JSON parser.

[ydah]

MEMO: We added json gem >= 2.13.0 to the dependencies, but this version requires Ruby 2.7+. Since ruby-jwt has required_ruby_version = ‘>= 2.5’, dependency resolution fails during bundle install in a Ruby 2.5 environment.

[anakinj]

Would like to support as many versions as possible, what about dynamically figure out if its possible to enable this feature or not.

[ydah]

Indeed, I've restored support for 2.5 and 2.6.

[ydah]

I updated this PR. WDYT?

[anakinj]

This is problematic in a way that when JSON 3.0 ships with the switched default we still are allowing duplicate keys by default. Would rather at that point enforce the new default for everyone.

Could we pass the parameter to the JSON lib only if the parameter is false,

[ydah]

I fixed it. Please point out if I understand something wrong.

[anakinj]

Wonder if we could do something to not need to disable cops 🤔

[ydah]

I've extracted some classes. WDYT?

[anakinj]

The refactorings are pretty nice but could we do those in a separate PR?

[anakinj]

Sorry for the back and forth but im a bit starting to regret my suggestions to only allowing enabling it per instance. I wonder if it would still be easier for most users to enable this globally for the gem. Also setting the flag to true/false would allow disabling of the strictness when JSON 3.0 is out with the new default.

What do you think:

JWT.configuration.decode.allow_duplicate_json_keys 

nil/not set - default behavior of the JSON gem
false - always deny, if set require the JSON gem that supports it
true - always allow, no gem restrictions

Also as mentioned earlier maybe do the refactorings in separate to keep the scope of this change on the new feature?

[anakinj]

Suggested change

	**Breaking changes:**
	- Drop support for Ruby 2.6 and older [#713](https://github.com/jwt/ruby-jwt/pull/713) ([@ydah](https://github.com/ydah))
	- Bump minimum json gem version to 2.6 [#713](https://github.com/jwt/ruby-jwt/pull/713) ([@ydah](https://github.com/ydah))

No breaking changes anymore, right?

[anakinj]

The refactorings are pretty nice but could we do those in a separate PR?