json-jwt 0.3.2 → 0.3.3


Potentially problematic release.



@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- json-jwt (0.3.1)
4
+ json-jwt (0.3.3)
5
5
  activesupport (>= 2.3)
6
6
  i18n
7
7
  json (>= 1.4.3)
@@ -22,7 +22,6 @@ GEM
22
22
  hashie (1.2.0)
23
23
  i18n (0.6.1)
24
24
  json (1.7.5)
25
- json (1.7.5-java)
26
25
  multi_json (1.3.6)
27
26
  rake (0.9.2.2)
28
27
  rspec (2.11.0)
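--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 0.3.2
+ 0.3.3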
@@ -13,8 +13,8 @@ module JSON
13
13
  self
14
14
  end
15
15
 
16
- def verify(public_key_or_secret)
17
- public_key_or_secret && valid?(public_key_or_secret) or
16
+ def verify(signature_base_string, public_key_or_secret)
17
+ public_key_or_secret && valid?(signature_base_string, public_key_or_secret) or
18
18
  raise VerificationFailed
19
19
  end
20
20
 
@@ -66,7 +66,7 @@ module JSON
66
66
  end
67
67
  end
68
68
 
69
- def valid?(public_key_or_secret)
69
+ def valid?(signature_base_string, public_key_or_secret)
70
70
  case
71
71
  when hmac?
72
72
  secret = public_key_or_secret
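Review bot: `verify` and `valid?` now check the signature over a string the caller supplies, and nothing in the visible lines ties that string to the header and claims held by the object, while the algorithm branch (`when hmac?`) is still evaluated on the object itself. A short comment on both methods would state the contract, for example `# signature_base_string: the exact "<header>.<claims>" base64url segments of the received token, never rebuilt from parsed JSON`. The body of `valid?` continues past the hunk, so any consistency check made there is not visible here.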
@@ -28,12 +28,12 @@ module JSON
28
28
  JWS.new(self).sign!(private_key_or_secret)
29
29
  end
30
30
 
31
- def verify(public_key_or_secret = nil)
31
+ def verify(signature_base_string, public_key_or_secret = nil)
32
32
  if header[:alg].to_s == 'none'
33
33
  raise UnexpectedAlgorithm if public_key_or_secret
34
34
  signature == '' or raise VerificationFailed
35
35
  else
36
- JWS.new(self).verify(public_key_or_secret)
36
+ JWS.new(self).verify(signature_base_string, public_key_or_secret)
37
37
  end
38
38
  end
39
39
 
@@ -61,7 +61,11 @@ module JSON
61
61
  jwt = new claims
62
62
  jwt.header = header
63
63
  jwt.signature = signature
64
- jwt.verify key_or_secret unless key_or_secret == :skip_verification
64
+
65
+ # NOTE:
66
+ # Some JSON libraries generates wrong format of JSON (spaces between keys and values etc.)
67
+ # So we need to use raw base64 strings for signature verification.
68
+ jwt.verify signature_base_string, key_or_secret unless key_or_secret == :skip_verification
65
69
  jwt
66
70
  when 3 # JWE
67
71
  # TODO: Concept code first.
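Review bot: Putting `signature_base_string` first in `verify` while `public_key_or_secret = nil` stays optional means a call still written for 0.3.2, `jwt.verify(key)`, now binds the key to `signature_base_string` and leaves `public_key_or_secret` nil. When the header says `alg` is `none`, the `raise UnexpectedAlgorithm if public_key_or_secret` guard is then skipped and an empty signature is accepted, where the old call raised. For other algorithms the nil key reaches `JWS#verify`, which raises `VerificationFailed`, so only the `none` branch changes from reject to accept. Requiring the second argument, `def verify(signature_base_string, public_key_or_secret)`, with callers passing `nil` explicitly for unsigned tokens, would turn stale one-argument calls into an `ArgumentError`. Where `decode` obtains `signature_base_string` is outside the visible hunk.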
@@ -131,7 +131,7 @@ describe JSON::JWS do
131
131
  let(:alg) { :unknown }
132
132
  it do
133
133
  expect do
134
- jws.verify 'key'
134
+ jws.verify jws.send(:signature_base_string), 'key'
135
135
  end.to raise_error JSON::JWS::InvalidFormat
136
136
  end
137
137
  end
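Review bot: The spec has to reach the private `signature_base_string` through `send` to call the new `verify`, which suggests callers outside `decode` have no supported way to build the first argument. Because the string presumably comes from the object's own serialised header and claims, this example also cannot exercise the case the release note describes. A regression example that verifies a signed token whose header or claims JSON contains extra whitespace, using the raw segments of the token string, would pin the new behaviour. Such an example may exist outside the visible hunks.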
@@ -46,10 +46,10 @@ describe JSON::JWT do
46
46
  describe '#verify' do
47
47
  context 'when not signed nor encrypted' do
48
48
  let(:jwt) do
49
- header, claims, signature = no_signed.split('.', 3).collect do |segment|
49
+ header_base64, claims_base64, signature = no_signed.split('.', 3).collect do |segment|
50
50
  UrlSafeBase64.decode64 segment.to_s
51
51
  end
52
- header, claims = [header, claims].collect do |json|
52
+ header, claims = [header_base64, claims_base64].collect do |json|
53
53
  JSON.parse json, symbolize_names: true, symbolize_keys: true
54
54
  end
55
55
  jwt = JSON::JWT.new claims
@@ -57,17 +57,18 @@ describe JSON::JWT do
57
57
  jwt.signature = signature
58
58
  jwt
59
59
  end
60
+ let(:signature_base_string) { no_signed.split('.', 3)[0,2].join('.') }
60
61
 
61
62
  context 'when no signature nor public_key_or_secret given' do
62
63
  it do
63
- jwt.verify.should be_true
64
+ jwt.verify(signature_base_string).should be_true
64
65
  end
65
66
  end
66
67
 
67
68
  context 'when public_key_or_secret given' do
68
69
  it do
69
70
  expect do
70
- jwt.verify 'secret'
71
+ jwt.verify signature_base_string, 'secret'
71
72
  end.to raise_error JSON::JWT::UnexpectedAlgorithm
72
73
  end
73
74
  end
@@ -77,7 +78,7 @@ describe JSON::JWT do
77
78
 
78
79
  it do
79
80
  expect do
80
- jwt.verify
81
+ jwt.verify signature_base_string
81
82
  end.to raise_error JSON::JWT::VerificationFailed
82
83
  end
83
84
  end
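Review bot: `header_base64` and `claims_base64` in the first hunk are misleading names, because the block has already run `UrlSafeBase64.decode64` on each segment, so they hold decoded JSON text rather than base64. Names such as `header_json, claims_json` would match the `|json|` block parameter of the `collect` that follows. The distinction matters in a spec about verifying over raw base64 segments, since the real raw segments are taken separately in `let(:signature_base_string)`.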
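--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: json-jwt
  version: !ruby/object:Gem::Version
- version: 0.3.2
+ version: 0.3.3
  prerelease:
  platform: ruby
  authors:
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2012-10-17 00:00:00.000000000 Z
+ date: 2012-10-18 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: json
@@ -172,12 +172,18 @@ required_ruby_version: !ruby/object:Gem::Requirement
  - - ! '>='
  - !ruby/object:Gem::Version
  version: '0'
+ segments:
+ - 0
+ hash: -4331477712692770542
  required_rubygems_version: !ruby/object:Gem::Requirement
  none: false
  requirements:
  - - ! '>='
  - !ruby/object:Gem::Version
  version: '0'
+ segments:
+ - 0
+ hash: -4331477712692770542
  requirements: []
  rubyforge_project:
  rubygems_version: 1.8.24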