json_web_token 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d9c63b5c2fa2302f1cee322ac44cb54eddda7538
-  data.tar.gz: c2215846a69b4d8f3a4705dbedbbebfbb32253ae
+  metadata.gz: d1518a4e0fe92dc8de73a3ed606115ac89ef466b
+  data.tar.gz: 5d38d88d1307780db38343d0c23d315963fa376d
 SHA512:
-  metadata.gz: a4eb15f1a8da6eded296e6165d1ed0ffe7d62b21f11116efc7108385f0202150511a0f87325fab3ec4b243318923759d241a607b3650126f83a5885a066c78df
-  data.tar.gz: 5be8f29d618889f7315230b94b1b0694eb6c80d78d0006aec65cea4835d783af66f23e13a7d5a5ede42971a4145a5c44e25c19aeee3340dd1f981fb5d60bc673
+  metadata.gz: 781e08e80e4ec08fa00f02e7d7127bca5ba50ce83f2708c7e5135c53b4edeaac53891bac3a0fcc517112511210ab55fd38552e105db62bc631453f3f5df289c1
+  data.tar.gz: 4c55609063885e415f48ea97c9169076837551fdc2a779f80ee27d14442cdfaf487d3f3dcdeae9fca6ceb6000af210b81d12876e7697250f7ec7ccaff9d976bc

data/CHANGELOG.md

@@ -0,0 +1,11 @@
+## Changelog
+
+### 0.0.2 2015-07-11
+
+* enhancements
+  * support RSASSA-PKCS-v1_5 algorithm
+
+### 0.0.1 2015-07-09
+
+* initial
+  * support HMAC algorithm

data/Gemfile

@@ -2,4 +2,5 @@ source 'https://rubygems.org'
 
 gemspec
 
+gem 'pry-byebug', '~> 3.1', require: false
 gem 'simplecov', '~> 0.10', require: false

data/README.md

@@ -28,36 +28,99 @@ Token authentication of API requests to Rails via these popular gems
 Secure Cross-Origin Resource Sharing ([CORS][cors]) using the [rack-cors][rack-cors] gem
 
 ## Usage
-Create a JSON web token
+
+### JsonWebToken.create(claims, options)
+
+Returns a JSON Web Token string
+
+`claims` (required) string or hash
+
+`options` (optional) hash
+
+* **alg**, default: `HS256`
+* **key** (required unless alg is 'none')
+
+Example
 
 ```ruby
 require 'json_web_token'
 
-JsonWebToken.create(claims, options)
+# sign with default algorithm, HMAC SHA256
+jwt = JsonWebToken.create({foo: 'bar'}, key: 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C')
+
+# sign with RSA SHA256 algorithm
+options = {
+  alg: 'RSA256',
+  key: < RSA private key >
+}
+
+jwt = JsonWebToken.create({foo: 'bar'}, options)
+
+# unsecured token (algorithm is 'none')
+jwt = JsonWebToken.create({foo: 'bar'}, alg: 'none')
+
 ```
 
-Validate a JSON web token
+### JsonWebToken.validate(jwt, options)
+
+Returns a JWT claims set string or hash, if the MAC signature is valid
+
+`jwt` (required) is a JSON web token string
+
+`options` (optional) hash
+
+* **algorithm**, default: `HS256`
+* **key** (required unless alg is 'none')
+
+Example
 
 ```ruby
+require 'json_web_token'
+
+secure_jwt = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.cGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
+
+# verify with default algorithm, HMAC SHA256
+claims = JsonWebToken.validate(secure_jwt, key: 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C')
+
+# verify with RSA SHA256 algorithm
+options = {
+  alg: 'RSA256',
+  key: < RSA public key >
+}
+
 claims = JsonWebToken.validate(jwt, options)
+
+# unsecured token (algorithm is 'none')
+
+unsecured_jwt = 'eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt.'
+
+claims = JsonWebToken.validate(unsecured_jwt, alg: 'none')
+
 ```
 ### Supported encryption algorithms
-The 2 REQUIRED JWT algorithms
 
-- HMAC using SHA-256 per [RFC 2104][rfc2104]
-- 'none' (unsecured)
+alg Param Value | Digital Signature or MAC Algorithm
+------|------
+HS256 | HMAC using SHA-256 per [RFC 2104][rfc2104]
+HS384 | HMAC using SHA-384
+HS512 | HMAC using SHA-512
+RS256 | RSASSA-PKCS-v1_5 using SHA-256 per [RFC3447][rfc3447]
+RS384 | RSASSA-PKCS-v1_5 using SHA-384
+RS512 | RSASSA-PKCS-v1_5 using SHA-512
+none | No digital signature or MAC performed (unsecured)
 
 ### Supported Ruby Versions
-Ruby 2.1 and up
+Ruby 2.0 and up
 
 ### Limitations
 Future implementation may include these features:
 
-- RECOMMENDED or OPTIONAL encryption algorithms
-- Representation of a JWT as a JSON Web Encryption (JWE) [RFC 7516][rfc7516]
+- additional RECOMMENDED or OPTIONAL encryption algorithms
+- representation of a JWT as a JSON Web Encryption (JWE) [RFC 7516][rfc7516]
 - OPTIONAL nested JWTs
 
 [rfc2104]: http://tools.ietf.org/html/rfc2104
+[rfc3447]: http://tools.ietf.org/html/rfc3447
 [rfc7515]: http://tools.ietf.org/html/rfc7515
 [rfc7516]: http://tools.ietf.org/html/rfc7516
 [rfc7518]: http://tools.ietf.org/html/rfc7518

data/json_web_token.gemspec

@@ -4,7 +4,7 @@ require 'json_web_token/version'
 
 Gem::Specification.new do |s|
   s.author = 'Gary Fleshman'
-  s.email = 'gf4cl@verizon.net'
+  s.email = 'gfleshman@newforge-tech.com'
   s.files = `git ls-files`.split("\n")
   s.homepage = 'https://github.com/garyf/json_web_token'
   s.name = 'json_web_token'
@@ -15,7 +15,7 @@ Gem::Specification.new do |s|
   s.license = 'MIT'
   # optional
   s.add_runtime_dependency 'json', '~> 1.8', '>= 1.8.3'
-  s.add_development_dependency 'pry-byebug', '~> 3.1'
   s.add_development_dependency 'rspec', '~> 3.3'
   s.description = 'Ruby implementation of the JSON Web Token Standard Track RFC 4627'
+  s.required_ruby_version = '>= 2.0.0'
 end

data/lib/json_web_token/algorithm/common.rb

@@ -0,0 +1,27 @@
+require 'openssl'
+
+module JsonWebToken
+  module Algorithm
+    module Common
+
+      SHA_BITS = [
+        '256',
+        '384',
+        '512'
+      ]
+
+      def validate_key(key, sha_bits)
+        validate_sha_bits(sha_bits)
+        validate_key_size(key, sha_bits)
+      end
+
+      def validate_sha_bits(sha_bits)
+        fail('Invalid sha_bits') unless SHA_BITS.include?(sha_bits)
+      end
+
+      def digest_new(sha_bits)
+        OpenSSL::Digest.new("sha#{sha_bits}")
+      end
+    end
+  end
+end

data/lib/json_web_token/algorithm/hmac.rb

@@ -1,47 +1,32 @@
+require 'json_web_token/algorithm/common'
 require 'json_web_token/util'
-require 'openssl'
 
 module JsonWebToken
   module Algorithm
     module Hmac
 
-      SHA_BITS = [
-        '256',
-        '384',
-        '512'
-      ]
+      extend JsonWebToken::Algorithm::Common
 
       module_function
 
       def signed(sha_bits, key, data)
-        validate_params(key, sha_bits)
-        OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha#{sha_bits}"), key, data)
+        validate_key(key, sha_bits)
+        OpenSSL::HMAC.digest(digest_new(sha_bits), key, data)
       end
 
       def verified?(mac, sha_bits, key, data)
-        validate_params(key, sha_bits)
+        validate_key(key, sha_bits)
         Util.constant_time_compare(mac, signed(sha_bits, key, data))
       end
 
       # private
 
-      def validate_params(key, sha_bits)
-        validate_sha_bits(sha_bits)
-        validate_key_size(key, sha_bits)
-      end
-
-      def validate_sha_bits(sha_bits)
-        fail('Invalid sha_bits') unless SHA_BITS.include?(sha_bits)
-      end
-
       # http://tools.ietf.org/html/rfc7518#section-3.2
       def validate_key_size(key, sha_bits)
         fail('Invalid key') unless key && key.bytesize * 8 >= sha_bits.to_i
       end
 
-      private_class_method :validate_params,
-        :validate_sha_bits,
-        :validate_key_size
+      private_class_method :validate_key_size
     end
   end
 end

data/lib/json_web_token/algorithm/rsa.rb

@@ -0,0 +1,34 @@
+require 'json_web_token/algorithm/common'
+
+module JsonWebToken
+  module Algorithm
+    module Rsa
+
+      extend JsonWebToken::Algorithm::Common
+
+      KEY_BITS_MIN = 2048
+
+      module_function
+
+      def signed(sha_bits, key, data)
+        validate_key(key, sha_bits)
+        key.sign(digest_new(sha_bits), data)
+      end
+
+      def verified?(signature, sha_bits, key, data)
+        validate_key(key, sha_bits)
+        key.verify(digest_new(sha_bits), signature, data)
+      end
+
+      # private
+
+      # http://tools.ietf.org/html/rfc7518#section-3.3
+      # https://github.com/ruby/openssl/issues/5
+      def validate_key_size(key, sha_bits)
+        fail('Invalid private key') unless key && key.n.num_bits >= KEY_BITS_MIN
+      end
+
+      private_class_method :validate_key_size
+    end
+  end
+end

data/lib/json_web_token/jwa.rb

@@ -1,33 +1,22 @@
 require 'json_web_token/algorithm/hmac'
+require 'json_web_token/algorithm/rsa'
 
 module JsonWebToken
   module Jwa
 
-    ALGORITHMS = /(HS)(256|384|512)?/i
+    ALGORITHMS = /(HS|RS)(256|384|512)?/i
     ALG_LENGTH = 5
 
     module_function
 
     def signed(algorithm, key, data)
       alg = validated_alg(algorithm)
-      sha_bits = alg[:sha_bits]
-      case alg[:kind]
-      when 'hs'
-        Algorithm::Hmac.signed(sha_bits, key, data)
-      else
-        fail('Unsupported algorithm')
-      end
+      alg[:constant].signed(alg[:sha_bits], key, data)
     end
 
     def verified?(signature, algorithm, key, data)
       alg = validated_alg(algorithm)
-      sha_bits = alg[:sha_bits]
-      case alg[:kind]
-      when 'hs'
-        Algorithm::Hmac.verified?(signature, sha_bits, key, data)
-      else
-        false
-      end
+      alg[:constant].verified?(signature, alg[:sha_bits], key, data)
     end
 
     # private
@@ -41,12 +30,21 @@ module JsonWebToken
       match = algorithm.match(ALGORITHMS)
       return unless match && match[0].length == ALG_LENGTH
       {
-        kind: match[1].downcase,
-        sha_bits: match[2]
+        constant: validated_constant(match[1].downcase),
+        sha_bits: match[2],
       }
     end
 
+    def validated_constant(str)
+      case str
+      when 'hs' then Algorithm::Hmac
+      when 'rs' then Algorithm::Rsa
+      else fail('Unsupported algorithm')
+      end
+    end
+
     private_class_method :validated_alg,
       :destructured_alg
+      :validated_constant
   end
 end

data/lib/json_web_token/jwt.rb

@@ -14,10 +14,9 @@ module JsonWebToken
     # http://tools.ietf.org/html/rfc7519#page-12
     def create(claims, options = {})
       message = validated_message(claims)
-      key = options[:key]
       header = config_header(options)
       return Jws.unsecured_jws(header, message) if header[:alg] == 'none'
-      Jws.message_signature(header, message, key)
+      Jws.message_signature(header, message, options[:key])
     end
 
     def validate(jwt, options = {})
@@ -29,7 +28,7 @@ module JsonWebToken
     # private
 
     def validated_message(claims)
-      fail('Claims not provided') if !claims || claims.empty?
+      fail('Claims blank') if !claims || claims.empty?
       claims.to_json
     end
 

data/lib/json_web_token/version.rb

@@ -1,3 +1,3 @@
 module JsonWebToken
-  VERSION = '0.0.1'
+  VERSION = '0.0.2'
 end

data/spec/json_web_token/algorithm/rsa_spec.rb

@@ -0,0 +1,126 @@
+require 'json_web_token/algorithm/rsa'
+
+module JsonWebToken
+  module Algorithm
+    describe Rsa do
+      context 'detect changed signing_input or MAC' do
+        let(:private_key) { OpenSSL::PKey::RSA.generate(Rsa::KEY_BITS_MIN) }
+        let(:public_key) { private_key.public_key }
+        let(:signing_input) { 'signing_input' }
+        let(:changed_signing_input) { 'changed_signing_input' }
+        shared_examples_for '#signed' do
+          it 'is #verified?' do
+            mac = Rsa.signed(sha_bits, private_key, signing_input)
+            expect(Rsa.verified? mac, sha_bits, public_key, signing_input).to be true
+            expect(Rsa.verified? mac, sha_bits, public_key, changed_signing_input).to be false
+
+            changed_mac = Rsa.signed(sha_bits, private_key, changed_signing_input)
+            expect(Rsa.verified? changed_mac, sha_bits, public_key, signing_input).to be false
+          end
+        end
+
+        context 'RS256' do
+          let(:sha_bits) { '256' }
+          it_behaves_like '#signed'
+
+          describe 'changed key' do
+            let(:changed_public_key) { OpenSSL::PKey::RSA.generate(Rsa::KEY_BITS_MIN).public_key }
+            let(:data) { 'data' }
+            it 'fails #verified?' do
+              mac = Rsa.signed(sha_bits, private_key, data)
+              expect(Rsa.verified? mac, sha_bits, public_key, data).to be true
+              expect(Rsa.verified? mac, sha_bits, changed_public_key, data).to be false
+            end
+          end
+        end
+
+        describe 'RS384' do
+          let(:sha_bits) { '384' }
+          it_behaves_like '#signed'
+        end
+
+        describe 'RS512' do
+          let(:sha_bits) { '512' }
+          it_behaves_like '#signed'
+        end
+      end
+
+      context 'param validation' do
+        let(:data) { 'data' }
+        shared_examples_for 'invalid private_key' do
+          it 'raises' do
+            expect { Rsa.signed(sha_bits, private_key, data) }.to raise_error(RuntimeError, 'Invalid private key')
+          end
+        end
+
+        context 'private_key bit size (2047) < KEY_BITS_MIN (2048)' do
+          let(:private_key) { OpenSSL::PKey::RSA.generate(Rsa::KEY_BITS_MIN - 1) }
+          describe 'w 256 sha_bits' do
+            let(:sha_bits) { '256' }
+            it_behaves_like 'invalid private_key'
+          end
+
+          describe 'w 384 sha_bits' do
+            let(:sha_bits) { '384' }
+            it_behaves_like 'invalid private_key'
+          end
+
+          describe 'w 512 sha_bits' do
+            let(:sha_bits) { '512' }
+            it_behaves_like 'invalid private_key'
+          end
+        end
+
+        shared_examples_for '2048 bit private_key' do
+          it 'returns a 256-byte MAC string' do
+            mac = Rsa.signed(sha_bits, private_key, data)
+            expect(mac.bytesize).to eql 256
+            expect(mac.class).to eql String
+          end
+        end
+
+        context 'private_key bits (2048) == KEY_BITS_MIN (2048)' do
+          let(:private_key) { OpenSSL::PKey::RSA.generate(Rsa::KEY_BITS_MIN) }
+          describe 'w 256 sha_bits' do
+            let(:sha_bits) { '256' }
+            it_behaves_like '2048 bit private_key'
+          end
+
+          describe 'w 384 sha_bits' do
+            let(:sha_bits) { '384' }
+            it_behaves_like '2048 bit private_key'
+          end
+
+          describe 'w 512 sha_bits' do
+            let(:sha_bits) { '512' }
+            it_behaves_like '2048 bit private_key'
+          end
+        end
+
+        context 'blank private_key' do
+          let(:sha_bits) { '256' }
+          describe 'nil' do
+            let(:private_key) { nil }
+            it_behaves_like 'invalid private_key'
+          end
+
+          describe 'empty string' do
+            let(:private_key) { '' }
+            it 'raises' do
+              expect { Rsa.signed(sha_bits, private_key, data) }.to raise_error(NoMethodError)
+            end
+          end
+        end
+
+        describe 'w unrecognized sha_bits' do
+          let(:sha_bits) { '257' }
+          let(:private_key) { 'private_key' }
+          it 'raises' do
+            expect { Rsa.signed(sha_bits, private_key, data) }
+              .to raise_error(RuntimeError, 'Invalid sha_bits')
+          end
+        end
+      end
+    end
+  end
+end

data/spec/json_web_token/jwa_spec.rb

@@ -22,6 +22,13 @@ module JsonWebToken
         let(:verifying_key) { signing_key }
         it_behaves_like '#signed'
       end
+
+      describe 'RS256' do
+        let(:algorithm) { 'RS256' }
+        let(:signing_key) { OpenSSL::PKey::RSA.generate(2048) }
+        let(:verifying_key) { signing_key.public_key }
+        it_behaves_like '#signed'
+      end
     end
 
     context 'param validation' do
@@ -47,6 +54,16 @@ module JsonWebToken
           end
         end
       end
+
+      describe 'RS256' do
+        let(:private_key) { OpenSSL::PKey::RSA.generate(2048) }
+        let(:algorithm) { 'RS256' }
+        it 'returns a 256-byte MAC string' do
+          mac = Jwa.signed(algorithm, private_key, data)
+          expect(mac.bytesize).to eql 256
+          expect(mac.class).to eql String
+        end
+      end
     end
   end
 end

data/spec/json_web_token/jws_spec.rb

@@ -39,6 +39,18 @@ module JsonWebToken
             end
           end
         end
+
+        context 'w RS256 keys' do
+          let(:signing_key) { OpenSSL::PKey::RSA.generate(2048) }
+          let(:verifying_key) { signing_key.public_key }
+          context "w RS256 'alg' header parameter" do
+            let(:header) { {alg: 'RS256'} }
+            describe 'w passing a matching algorithm to #validate' do
+              let(:algorithm) { 'RS256' }
+              it_behaves_like 'w #validate'
+            end
+          end
+        end
       end
 
       context 'header validation' do

data/spec/json_web_token/jwt_spec.rb

@@ -6,86 +6,112 @@ module JsonWebToken
     context '#create' do
       shared_examples_for 'w #validate' do
         it 'verified' do
-          jwt = Jwt.create(claims, options)
-          expect(Jwt.validate jwt, options).to include(claims)
+          jwt = Jwt.create(claims, create_options)
+          expect(Jwt.validate jwt, validate_options).to include(claims)
         end
       end
 
       shared_examples_for 'return message signature' do
         it 'plausible' do
-          serialized_output = Jwt.create(claims, options)
-          expect(plausible_message_signature? serialized_output).to be true
-        end
-      end
-
-      shared_examples_for 'return unsecured jws' do
-        it 'plausible' do
-          serialized_output = Jwt.create(claims, options)
-          expect(plausible_unsecured_jws? serialized_output).to be true
+          jwt = Jwt.create(claims, create_options)
+          expect(plausible_message_signature? jwt).to be true
         end
       end
 
       context 'w claims' do
         let(:claims) { {exp: 'tomorrow'} }
-        context 'w key' do
-          let(:key) { 'this_a_32_character_private_key!' }
+        context 'w HS256 keys' do
+          let(:signing_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+          let(:verifying_key) { signing_key }
+          let(:validate_options) { {key: verifying_key} }
           describe 'default header' do
-            let(:options) { {key: key} }
+            let(:create_options) { {key: signing_key} }
             it_behaves_like 'w #validate'
             it_behaves_like 'return message signature'
           end
 
           describe 'passing header parameters' do
-            let(:options) { {typ: 'JWT', alg: 'HS256', key: key} }
+            let(:create_options) { {typ: 'JWT', alg: 'HS256', key: signing_key} }
             it_behaves_like 'w #validate'
             it_behaves_like 'return message signature'
           end
 
-          describe "w 'alg':'none' header parameter" do
-            let(:options) { {typ: 'JWT', alg: 'none', key: key} }
-            it_behaves_like 'w #validate'
-            it_behaves_like 'return unsecured jws'
-          end
-
           describe "w 'alg':'nil' header parameter" do
-            let(:options) { {alg: nil, key: key} }
+            let(:create_options) { {alg: nil, key: signing_key} }
             it_behaves_like 'w #validate'
             it_behaves_like 'return message signature'
           end
 
           describe "w 'alg':'' header parameter" do
-            let(:options) { {alg: nil, key: key} }
+            let(:create_options) { {alg: '', key: signing_key} }
             it_behaves_like 'w #validate'
             it_behaves_like 'return message signature'
           end
-        end
 
-        context 'w/o key' do
-          let(:options) { {typ: 'JWT', alg: 'none'} }
           describe "w 'alg':'none' header parameter" do
+            let(:create_options) { {typ: 'JWT', alg: 'none', key: signing_key} }
+            it 'raises' do
+              jwt = Jwt.create(claims, create_options)
+              expect { Jwt.validate(jwt) }
+                .to raise_error(RuntimeError, "Algorithm not matching 'alg' header parameter")
+            end
+          end
+        end
+
+        context 'w RS256 keys' do
+          let(:signing_key) { OpenSSL::PKey::RSA.generate(2048) }
+          let(:verifying_key) { signing_key.public_key }
+          let(:validate_options) { {alg: 'RS256', key: verifying_key} }
+          describe 'passing header parameters' do
+            let(:create_options) { {typ: 'JWT', alg: 'RS256', key: signing_key} }
             it_behaves_like 'w #validate'
-            it_behaves_like 'return unsecured jws'
+            it 'plausible' do
+              jwt = Jwt.create(claims, create_options)
+              expect(plausible_message_signature? jwt, 256).to be true
+            end
           end
         end
-      end
 
-      shared_examples_for 'claims not provided' do
-        it 'raises' do
-          expect { Jwt.create(claims, options) }
-            .to raise_error(RuntimeError, 'Claims not provided')
+        context 'w/o key' do
+          context "w alg 'none' header parameter" do
+            let(:create_options) { {typ: 'JWT', alg: 'none'} }
+            describe "w validate alg 'none'" do
+              let(:validate_options) { {alg: 'none'} }
+              it 'validates a plausible unsecured jws' do
+                jwt = Jwt.create(claims, create_options)
+                expect(Jwt.validate jwt, validate_options).to include(claims)
+                expect(plausible_unsecured_jws? jwt).to be true
+              end
+            end
+
+            describe "w default validate alg" do
+              it 'raises' do
+                jwt = Jwt.create(claims, create_options)
+                expect { Jwt.validate(jwt) }
+                  .to raise_error(RuntimeError, "Algorithm not matching 'alg' header parameter")
+              end
+            end
+          end
         end
       end
 
-      context 'w secret' do
-        let(:options) { {key: 'secret'} }
+      context 'param validation' do
+        let(:options) { {key: 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C'} }
+        shared_examples_for 'w/o claims' do
+          it 'raises' do
+            expect { Jwt.create(claims, options) }
+              .to raise_error(RuntimeError, 'Claims blank')
+          end
+        end
+
         describe 'w claims nil' do
           let(:claims) { nil }
-          it_behaves_like 'claims not provided'
+          it_behaves_like 'w/o claims'
         end
 
         describe "w claims ''" do
           let(:claims) { '' }
-          it_behaves_like 'claims not provided'
+          it_behaves_like 'w/o claims'
         end
       end
     end

data/spec/json_web_token_spec.rb

@@ -35,27 +35,9 @@ describe JsonWebToken do
       end
     end
 
-    context 'w/o key' do
-      context "w create alg 'none'" do
-        let(:create_options) { {alg: 'none'} }
-        describe "w validate alg 'none'" do
-          let(:validate_options) { {alg: 'none'} }
-          it_behaves_like 'w #validate'
-        end
-
-        describe "w default validate alg" do
-          it 'raises' do
-            jwt = JsonWebToken.create(claims, create_options)
-            expect { JsonWebToken.validate(jwt) }
-              .to raise_error(RuntimeError, "Algorithm not matching 'alg' header parameter")
-          end
-        end
-      end
-
-      describe 'w default create alg' do
-        it 'raises' do
-          expect { JsonWebToken.create(claims) }.to raise_error(RuntimeError, 'Invalid key')
-        end
+    describe 'w/o key w default header alg' do
+      it 'raises' do
+        expect { JsonWebToken.create(claims) }.to raise_error(RuntimeError, 'Invalid key')
       end
     end
   end

data/spec/support/plausible_jwt.rb

@@ -1,11 +1,15 @@
-def plausible_message_signature?(str)
-  _parts_count(str) == 3
-end
+require 'json_web_token/format/base64_url'
 
-def plausible_unsecured_jws?(str)
-  _parts_count(str) == 2
+include JsonWebToken::Format::Base64Url
+
+def plausible_message_signature?(str, bytesize = 32)
+  parts = str.split('.')
+  return false unless parts.length == 3
+  mac = decode(parts[2])
+  mac.bytesize == bytesize && mac.class == String
 end
 
-def _parts_count(str)
-  str.split('.').length
+def plausible_unsecured_jws?(str)
+  return false unless str.end_with?('.')
+  str.split('.').length == 2
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: json_web_token
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Gary Fleshman
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-10 00:00:00.000000000 Z
+date: 2015-07-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -30,20 +30,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.8.3
-- !ruby/object:Gem::Dependency
-  name: pry-byebug
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.1'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.1'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -59,19 +45,22 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.3'
 description: Ruby implementation of the JSON Web Token Standard Track RFC 4627
-email: gf4cl@verizon.net
+email: gfleshman@newforge-tech.com
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
 - ".rspec"
+- CHANGELOG.md
 - Gemfile
 - LICENSE
 - README.md
 - json_web_token.gemspec
 - lib/json_web_token.rb
+- lib/json_web_token/algorithm/common.rb
 - lib/json_web_token/algorithm/hmac.rb
+- lib/json_web_token/algorithm/rsa.rb
 - lib/json_web_token/format/base64_url.rb
 - lib/json_web_token/jwa.rb
 - lib/json_web_token/jws.rb
@@ -79,6 +68,7 @@ files:
 - lib/json_web_token/util.rb
 - lib/json_web_token/version.rb
 - spec/json_web_token/algorithm/hmac_spec.rb
+- spec/json_web_token/algorithm/rsa_spec.rb
 - spec/json_web_token/format/base64_url_spec.rb
 - spec/json_web_token/jwa_spec.rb
 - spec/json_web_token/jws_spec.rb
@@ -99,7 +89,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="