RubyGems - json-jwt - Versions diffs - 0.3.2 → 0.3.3 - Mend

json-jwt 0.3.2 → 0.3.3

Potentially problematic release.

This version of json-jwt might be problematic. Click here for more details.

Files changed (7) hide show

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    json-jwt (0.3.1)
+    json-jwt (0.3.3)
       activesupport (>= 2.3)
       i18n
       json (>= 1.4.3)
@@ -22,7 +22,6 @@ GEM
     hashie (1.2.0)
     i18n (0.6.1)
     json (1.7.5)
-    json (1.7.5-java)
     multi_json (1.3.6)
     rake (0.9.2.2)
     rspec (2.11.0)

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.3.2
1	+ 0.3.3

data/lib/json/jws.rb CHANGED

@@ -13,8 +13,8 @@ module JSON
       self
     end
-    def verify(public_key_or_secret)
-      public_key_or_secret && valid?(public_key_or_secret) or
+    def verify(signature_base_string, public_key_or_secret)
+      public_key_or_secret && valid?(signature_base_string, public_key_or_secret) or
       raise VerificationFailed
     end
@@ -66,7 +66,7 @@ module JSON
       end
     end
-    def valid?(public_key_or_secret)
+    def valid?(signature_base_string, public_key_or_secret)
       case
       when hmac?
         secret = public_key_or_secret

data/lib/json/jwt.rb CHANGED

@@ -28,12 +28,12 @@ module JSON
       JWS.new(self).sign!(private_key_or_secret)
     end
-    def verify(public_key_or_secret = nil)
+    def verify(signature_base_string, public_key_or_secret = nil)
       if header[:alg].to_s == 'none'
         raise UnexpectedAlgorithm if public_key_or_secret
         signature == '' or raise VerificationFailed
       else
-        JWS.new(self).verify(public_key_or_secret)
+        JWS.new(self).verify(signature_base_string, public_key_or_secret)
       end
     end
@@ -61,7 +61,11 @@ module JSON
           jwt = new claims
           jwt.header = header
           jwt.signature = signature
-          jwt.verify key_or_secret unless key_or_secret == :skip_verification
+          # NOTE:
+          #  Some JSON libraries generates wrong format of JSON (spaces between keys and values etc.)
+          #  So we need to use raw base64 strings for signature verification.
+          jwt.verify signature_base_string, key_or_secret unless key_or_secret == :skip_verification
           jwt
         when 3 # JWE
           # TODO: Concept code first.

data/spec/json/jws_spec.rb CHANGED

@@ -131,7 +131,7 @@ describe JSON::JWS do
       let(:alg) { :unknown }
       it do
         expect do
-          jws.verify 'key'
+          jws.verify jws.send(:signature_base_string), 'key'
         end.to raise_error JSON::JWS::InvalidFormat
       end
     end

data/spec/json/jwt_spec.rb CHANGED

@@ -46,10 +46,10 @@ describe JSON::JWT do
   describe '#verify' do
     context 'when not signed nor encrypted' do
       let(:jwt) do
-        header, claims, signature = no_signed.split('.', 3).collect do |segment|
+        header_base64, claims_base64, signature = no_signed.split('.', 3).collect do |segment|
           UrlSafeBase64.decode64 segment.to_s
         end
-        header, claims = [header, claims].collect do |json|
+        header, claims = [header_base64, claims_base64].collect do |json|
           JSON.parse json, symbolize_names: true, symbolize_keys: true
         end
         jwt = JSON::JWT.new claims
@@ -57,17 +57,18 @@ describe JSON::JWT do
         jwt.signature = signature
         jwt
       end
+      let(:signature_base_string) { no_signed.split('.', 3)[0,2].join('.') }
       context 'when no signature nor public_key_or_secret given' do
         it do
-          jwt.verify.should be_true
+          jwt.verify(signature_base_string).should be_true
         end
       end
       context 'when public_key_or_secret given' do
         it do
           expect do
-            jwt.verify 'secret'
+            jwt.verify signature_base_string, 'secret'
           end.to raise_error JSON::JWT::UnexpectedAlgorithm
         end
       end
@@ -77,7 +78,7 @@ describe JSON::JWT do
         it do
           expect do
-            jwt.verify
+            jwt.verify signature_base_string
           end.to raise_error JSON::JWT::VerificationFailed
         end
       end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: json-jwt
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.3.3
   prerelease:
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-10-17 00:00:00.000000000 Z
+date: 2012-10-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -172,12 +172,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -4331477712692770542
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: -4331477712692770542
 requirements: []
 rubyforge_project:
 rubygems_version: 1.8.24