json_web_token 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d9c63b5c2fa2302f1cee322ac44cb54eddda7538
+  data.tar.gz: c2215846a69b4d8f3a4705dbedbbebfbb32253ae
+SHA512:
+  metadata.gz: a4eb15f1a8da6eded296e6165d1ed0ffe7d62b21f11116efc7108385f0202150511a0f87325fab3ec4b243318923759d241a607b3650126f83a5885a066c78df
+  data.tar.gz: 5be8f29d618889f7315230b94b1b0694eb6c80d78d0006aec65cea4835d783af66f23e13a7d5a5ede42971a4145a5c44e25c19aeee3340dd1f981fb5d60bc673

data/.gitignore

@@ -0,0 +1,35 @@
+# https://raw.githubusercontent.com/github/gitignore/master/Ruby.gitignore
+
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# custom
+/spec/examples.txt

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/Gemfile

@@ -0,0 +1,5 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'simplecov', '~> 0.10', require: false

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Gary Fleshman
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,70 @@
+# JSON Web Token
+
+## A JSON Web Token implementation for Ruby
+**Work in progress -- not yet ready for production**
+
+### Description
+A Ruby implementation of the JSON Web Token (JWT) Standards Track [RFC 7519][rfc7519]
+
+## Installation
+    gem install json_web_token
+
+### Philosophy & Design Goals
+* Minimal API surface area
+* Clear separation and conformance to underlying standards
+  - JSON Web Signature (JWS) Standards Track [RFC 7515][rfc7515]
+  - JSON Web Algorithms (JWA) Standards Track [RFC 7518][rfc7518]
+* Thorough test coverage
+* Modularity for comprehension and extensibility
+* Implement only the REQUIRED elements of the JWT standard (initially)
+
+### Intended Audience
+Token authentication of API requests to Rails via these popular gems
+
+- [Devise][devise]
+- [Doorkeeper][doorkeeper]
+- [OAuth2][oauth2]
+
+Secure Cross-Origin Resource Sharing ([CORS][cors]) using the [rack-cors][rack-cors] gem
+
+## Usage
+Create a JSON web token
+
+```ruby
+require 'json_web_token'
+
+JsonWebToken.create(claims, options)
+```
+
+Validate a JSON web token
+
+```ruby
+claims = JsonWebToken.validate(jwt, options)
+```
+### Supported encryption algorithms
+The 2 REQUIRED JWT algorithms
+
+- HMAC using SHA-256 per [RFC 2104][rfc2104]
+- 'none' (unsecured)
+
+### Supported Ruby Versions
+Ruby 2.1 and up
+
+### Limitations
+Future implementation may include these features:
+
+- RECOMMENDED or OPTIONAL encryption algorithms
+- Representation of a JWT as a JSON Web Encryption (JWE) [RFC 7516][rfc7516]
+- OPTIONAL nested JWTs
+
+[rfc2104]: http://tools.ietf.org/html/rfc2104
+[rfc7515]: http://tools.ietf.org/html/rfc7515
+[rfc7516]: http://tools.ietf.org/html/rfc7516
+[rfc7518]: http://tools.ietf.org/html/rfc7518
+[rfc7519]: http://tools.ietf.org/html/rfc7519
+
+[cors]: http://www.w3.org/TR/cors/
+[devise]: https://github.com/plataformatec/devise
+[doorkeeper]: https://github.com/doorkeeper-gem/doorkeeper
+[oauth2]: https://github.com/intridea/oauth2
+[rack-cors]: https://github.com/cyu/rack-cors

data/json_web_token.gemspec

@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require 'json_web_token/version'
+
+Gem::Specification.new do |s|
+  s.author = 'Gary Fleshman'
+  s.email = 'gf4cl@verizon.net'
+  s.files = `git ls-files`.split("\n")
+  s.homepage = 'https://github.com/garyf/json_web_token'
+  s.name = 'json_web_token'
+  s.platform = Gem::Platform::RUBY
+  s.summary = 'JSON Web Token for Ruby'
+  s.version = JsonWebToken::VERSION
+  # recommended
+  s.license = 'MIT'
+  # optional
+  s.add_runtime_dependency 'json', '~> 1.8', '>= 1.8.3'
+  s.add_development_dependency 'pry-byebug', '~> 3.1'
+  s.add_development_dependency 'rspec', '~> 3.3'
+  s.description = 'Ruby implementation of the JSON Web Token Standard Track RFC 4627'
+end

data/lib/json_web_token.rb

@@ -0,0 +1,14 @@
+require 'json_web_token/jwt'
+
+module JsonWebToken
+
+  module_function
+
+  def create(claims, options = {})
+    Jwt.create(claims, options)
+  end
+
+  def validate(jwt, options = {})
+    Jwt.validate(jwt, options)
+  end
+end

data/lib/json_web_token/algorithm/hmac.rb

@@ -0,0 +1,47 @@
+require 'json_web_token/util'
+require 'openssl'
+
+module JsonWebToken
+  module Algorithm
+    module Hmac
+
+      SHA_BITS = [
+        '256',
+        '384',
+        '512'
+      ]
+
+      module_function
+
+      def signed(sha_bits, key, data)
+        validate_params(key, sha_bits)
+        OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha#{sha_bits}"), key, data)
+      end
+
+      def verified?(mac, sha_bits, key, data)
+        validate_params(key, sha_bits)
+        Util.constant_time_compare(mac, signed(sha_bits, key, data))
+      end
+
+      # private
+
+      def validate_params(key, sha_bits)
+        validate_sha_bits(sha_bits)
+        validate_key_size(key, sha_bits)
+      end
+
+      def validate_sha_bits(sha_bits)
+        fail('Invalid sha_bits') unless SHA_BITS.include?(sha_bits)
+      end
+
+      # http://tools.ietf.org/html/rfc7518#section-3.2
+      def validate_key_size(key, sha_bits)
+        fail('Invalid key') unless key && key.bytesize * 8 >= sha_bits.to_i
+      end
+
+      private_class_method :validate_params,
+        :validate_sha_bits,
+        :validate_key_size
+    end
+  end
+end

data/lib/json_web_token/format/base64_url.rb

@@ -0,0 +1,45 @@
+require 'base64'
+
+module JsonWebToken
+  module Format
+    module Base64Url
+
+      module_function
+
+      def encode(str)
+        url_safe_encode(str)
+      end
+
+      def decode(str)
+        url_safe_decode(str)
+      end
+
+      # private
+
+      # http://tools.ietf.org/html/rfc7515#appendix-C
+      def url_safe_encode(str)
+        remove_base64_padding(Base64.urlsafe_encode64 str)
+      end
+
+      def url_safe_decode(str)
+        Base64.urlsafe_decode64(add_base64_padding str)
+      end
+
+      def remove_base64_padding(encoded)
+        encoded.gsub(/[=]/, '')
+      end
+
+      def add_base64_padding(str)
+        mod = str.length % 4
+        return str if mod == 0
+        fail('Invalid base64 string') if mod == 1
+        "#{str}#{'=' * (4 - mod)}"
+      end
+
+      private_class_method :url_safe_encode,
+        :url_safe_decode,
+        :remove_base64_padding,
+        :add_base64_padding
+    end
+  end
+end

data/lib/json_web_token/jwa.rb

@@ -0,0 +1,52 @@
+require 'json_web_token/algorithm/hmac'
+
+module JsonWebToken
+  module Jwa
+
+    ALGORITHMS = /(HS)(256|384|512)?/i
+    ALG_LENGTH = 5
+
+    module_function
+
+    def signed(algorithm, key, data)
+      alg = validated_alg(algorithm)
+      sha_bits = alg[:sha_bits]
+      case alg[:kind]
+      when 'hs'
+        Algorithm::Hmac.signed(sha_bits, key, data)
+      else
+        fail('Unsupported algorithm')
+      end
+    end
+
+    def verified?(signature, algorithm, key, data)
+      alg = validated_alg(algorithm)
+      sha_bits = alg[:sha_bits]
+      case alg[:kind]
+      when 'hs'
+        Algorithm::Hmac.verified?(signature, sha_bits, key, data)
+      else
+        false
+      end
+    end
+
+    # private
+
+    def validated_alg(algorithm)
+      alg = destructured_alg(algorithm)
+      alg ? alg : fail('Unrecognized algorithm')
+    end
+
+    def destructured_alg(algorithm)
+      match = algorithm.match(ALGORITHMS)
+      return unless match && match[0].length == ALG_LENGTH
+      {
+        kind: match[1].downcase,
+        sha_bits: match[2]
+      }
+    end
+
+    private_class_method :validated_alg,
+      :destructured_alg
+  end
+end

data/lib/json_web_token/jws.rb

@@ -0,0 +1,75 @@
+require 'json'
+require 'json_web_token/format/base64_url'
+require 'json_web_token/jwa'
+require 'json_web_token/util'
+
+module JsonWebToken
+  module Jws
+
+    MESSAGE_SIGNATURE_PARTS = 3
+
+    module_function
+
+    # http://tools.ietf.org/html/rfc7515#page-15
+    def message_signature(header, payload, key)
+      alg = alg_parameter(header)
+      data = signing_input(header, payload)
+      "#{data}.#{signature(alg, key, data)}"
+    end
+
+    # http://tools.ietf.org/html/rfc7515#page-16
+    def validate(jws, algorithm, key = nil)
+      compare_alg(jws, algorithm)
+      return jws if algorithm == 'none'
+      signature_valid?(jws, algorithm, key) ? jws : 'Invalid'
+    end
+
+    # http://tools.ietf.org/html/rfc7515#page-47
+    def unsecured_jws(header, payload)
+      fail("Invalid 'alg' header parameter") unless alg_parameter(header) == 'none'
+      "#{signing_input(header, payload)}." # note trailing '.'
+    end
+
+    # private
+
+    def alg_parameter(header)
+      alg = Util.symbolize_keys(header)[:alg]
+      alg && !alg.empty? ? alg : fail("Missing required 'alg' header parameter")
+    end
+
+    def signing_input(header, payload)
+      "#{Format::Base64Url.encode header.to_json}.#{Format::Base64Url.encode payload}"
+    end
+
+    def signature(algorithm, key, data)
+      Format::Base64Url.encode(Jwa.signed algorithm, key, data)
+    end
+
+    # http://tools.ietf.org/html/rfc7515#section-4.1.1
+    def compare_alg(jws, algorithm)
+      header = decoded_header_json_to_hash(jws)
+      unless alg_parameter(header) == algorithm
+        fail("Algorithm not matching 'alg' header parameter")
+      end
+    end
+
+    def decoded_header_json_to_hash(jws)
+      JSON.parse(Format::Base64Url.decode jws.split('.')[0])
+    end
+
+    def signature_valid?(jws, algorithm, key)
+      ary = jws.split('.')
+      return unless key && ary.length == MESSAGE_SIGNATURE_PARTS
+      decoded_signature = Format::Base64Url.decode(ary[2])
+      payload = "#{ary[0]}.#{ary[1]}"
+      Jwa.verified?(decoded_signature, algorithm, key, payload)
+    end
+
+    private_class_method :alg_parameter,
+      :signing_input,
+      :signature,
+      :compare_alg,
+      :decoded_header_json_to_hash,
+      :signature_valid?
+  end
+end

data/lib/json_web_token/jwt.rb

@@ -0,0 +1,57 @@
+require 'json_web_token/jws'
+
+module JsonWebToken
+  module Jwt
+
+    ALGORITHM_DEFAULT = 'HS256'
+    HEADER_DEFAULT = {
+      typ: 'JWT',
+      alg: ALGORITHM_DEFAULT
+    }
+
+    module_function
+
+    # http://tools.ietf.org/html/rfc7519#page-12
+    def create(claims, options = {})
+      message = validated_message(claims)
+      key = options[:key]
+      header = config_header(options)
+      return Jws.unsecured_jws(header, message) if header[:alg] == 'none'
+      Jws.message_signature(header, message, key)
+    end
+
+    def validate(jwt, options = {})
+      alg = options[:alg] || ALGORITHM_DEFAULT
+      jws = Jws.validate(jwt, alg, options[:key])
+      jws == 'Invalid' ? jws : Util.symbolize_keys(decoded_message_json_to_hash jws)
+    end
+
+    # private
+
+    def validated_message(claims)
+      fail('Claims not provided') if !claims || claims.empty?
+      claims.to_json
+    end
+
+    def config_header(options)
+      HEADER_DEFAULT.merge(alg_parameter_required options)
+    end
+
+    def alg_parameter_required(options)
+      hsh = options.select { |k, _v| k == :alg } # filter unsupported keys
+      alg = hsh[:alg]
+      alg && !alg.empty? ? hsh : {}
+    end
+
+    def decoded_message_json_to_hash(jws)
+      ary = jws.split('.')
+      return jws unless ary.length > 1 # invalid
+      JSON.parse(Format::Base64Url.decode ary[1])
+    end
+
+    private_class_method :validated_message,
+      :config_header,
+      :alg_parameter_required,
+      :decoded_message_json_to_hash
+  end
+end

data/lib/json_web_token/util.rb

@@ -0,0 +1,37 @@
+module JsonWebToken
+  module Util
+
+    module_function
+
+    # https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-3.2
+    def constant_time_compare(a, b)
+      return false if a.nil? || b.nil? || a.empty? || b.empty?
+      secure_compare(a, b)
+    end
+
+    # cf. rails activesupport/lib/active_support/core_ext/hash/keys.rb
+    def symbolize_keys(hsh)
+      transform_keys(hsh) { |key| key.to_sym rescue key }
+    end
+
+    # private
+
+    # cf. rails activesupport/lib/active_support/security_utils.rb
+    def secure_compare(a, b)
+      return false unless a.bytesize == b.bytesize
+      l = a.unpack "C#{a.bytesize}"
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
+    def transform_keys(hsh)
+      result = Hash.new
+      hsh.keys.each { |k| result[yield(k)] = hsh[k] }
+      result
+    end
+
+    private_class_method :secure_compare,
+      :transform_keys
+  end
+end

data/lib/json_web_token/version.rb

@@ -0,0 +1,3 @@
+module JsonWebToken
+  VERSION = '0.0.1'
+end

data/spec/json_web_token/algorithm/hmac_spec.rb

@@ -0,0 +1,131 @@
+require 'json_web_token/algorithm/hmac'
+
+module JsonWebToken
+  module Algorithm
+    describe Hmac do
+      context 'detect changed signing_input or MAC' do
+        let(:signing_input) { 'signing_input' }
+        let(:changed_signing_input) { 'changed_signing_input' }
+        shared_examples_for '#signed' do
+          it 'is #verified?' do
+            mac = Hmac.signed(sha_bits, key, signing_input)
+            expect(Hmac.verified? mac, sha_bits, key, signing_input).to be true
+            expect(Hmac.verified? mac, sha_bits, key, changed_signing_input).to be false
+
+            changed_mac = Hmac.signed(sha_bits, key, changed_signing_input)
+            expect(Hmac.verified? changed_mac, sha_bits, key, signing_input).to be false
+          end
+        end
+
+        describe 'HS256' do
+          let(:sha_bits) { '256' }
+          let(:key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+          it_behaves_like '#signed'
+        end
+
+        describe 'HS384' do
+          let(:sha_bits) { '384' }
+          let(:key) { 'AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS' }
+          it_behaves_like '#signed'
+        end
+
+        describe 'HS512' do
+          let(:sha_bits) { '512' }
+          let(:key) { 'ysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hc' }
+          it_behaves_like '#signed'
+        end
+      end
+
+      describe 'changed key' do
+        let(:sha_bits) { '256' }
+        let(:key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+        let(:changed_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9Z' }
+        let(:data) { 'data' }
+        it 'fails #verified?' do
+          mac = Hmac.signed(sha_bits, key, data)
+          expect(Hmac.verified? mac, sha_bits, key, data).to be true
+          expect(Hmac.verified? mac, sha_bits, changed_key, data).to be false
+        end
+      end
+
+      context 'param validation' do
+        let(:data) { 'data' }
+        shared_examples_for 'invalid key' do
+          it 'raises' do
+            expect { Hmac.signed(sha_bits, key, data) }.to raise_error(RuntimeError, 'Invalid key')
+          end
+        end
+
+        context 'w 256 sha_bits' do
+          let(:sha_bits) { '256' }
+          describe 'key nil' do
+            let(:key) { nil }
+            it_behaves_like 'invalid key'
+          end
+
+          describe "key 'empty string'" do
+            let(:key) { '' }
+            it_behaves_like 'invalid key'
+          end
+
+          describe 'key length (31) < MAC length (32)' do
+            let(:key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9' }
+            it_behaves_like 'invalid key'
+          end
+
+          describe 'key length (32) == MAC length (32)' do
+            let(:key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+            it 'returns a 32-byte MAC string' do
+              mac = Hmac.signed(sha_bits, key, data)
+              expect(mac.bytesize).to eql 32
+              expect(mac.class).to eql String
+            end
+          end
+        end
+
+        context 'w 384 sha_bits' do
+          let(:sha_bits) { '384' }
+          describe 'key length (47) < MAC length (48)' do
+            let(:key) { 'AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1q' }
+            it_behaves_like 'invalid key'
+          end
+
+          describe 'key length (48) == MAC length (48)' do
+            let(:key) { 'AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS' }
+            it 'returns a 48-byte MAC string' do
+              mac = Hmac.signed(sha_bits, key, data)
+              expect(mac.bytesize).to eql 48
+              expect(mac.class).to eql String
+            end
+          end
+        end
+
+        context 'w 512 sha_bits' do
+          let(:sha_bits) { '512' }
+          describe 'key length (63) < MAC length (64)' do
+            let(:key) { 'ysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4h' }
+            it_behaves_like 'invalid key'
+          end
+
+          describe 'key length (64) == MAC length (64)' do
+            let(:key) { 'ysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hc' }
+            it 'returns a 64-byte MAC string' do
+              mac = Hmac.signed(sha_bits, key, data)
+              expect(mac.bytesize).to eql 64
+              expect(mac.class).to eql String
+            end
+          end
+        end
+
+        describe 'w unrecognized sha_bits' do
+          let(:sha_bits) { '257' }
+          let(:key) { 'ysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hc' }
+          it 'raises' do
+            expect { Hmac.signed(sha_bits, key, data) }
+              .to raise_error(RuntimeError, 'Invalid sha_bits')
+          end
+        end
+      end
+    end
+  end
+end

data/spec/json_web_token/format/base64_url_spec.rb

@@ -0,0 +1,84 @@
+require 'json_web_token/format/base64_url'
+
+module JsonWebToken
+  module Format
+    describe Base64Url do
+      context '#encode' do
+        shared_examples_for 'w #decode' do
+          it 'matches' do
+            encoded = Base64Url.encode(str)
+            expect(Base64Url.decode encoded).to eql str
+          end
+        end
+
+        describe 'typical' do
+          let(:str) { '{"typ":"JWT", "alg":"HS256"}' }
+          it_behaves_like 'w #decode'
+        end
+
+        describe 'w whitespace' do
+          let(:str) { '{"typ" :"JWT" ,  "alg" :"HS256"   }' }
+          it_behaves_like 'w #decode'
+        end
+
+        describe 'w line feed and carriage return' do
+          let(:str) { '{"typ":"JWT",/n "a/rlg":"HS256"}' }
+          it_behaves_like 'w #decode'
+        end
+
+        shared_examples_for 'given encoding' do
+          it 'matches' do
+            expect(Base64Url.encode str).to eql encoded
+            expect(Base64Url.decode encoded).to eql str
+          end
+        end
+
+        describe 'w no padding char' do
+          let(:str) { '{"typ":"JWT", "alg":"none"}' }
+          let(:encoded) { 'eyJ0eXAiOiJKV1QiLCAiYWxnIjoibm9uZSJ9'}
+          it_behaves_like 'given encoding'
+        end
+
+        context 'w 1 padding char' do
+          let(:str) { '{"typ":"JWT", "alg":"algorithm"}' }
+
+          describe 'present' do
+            let(:encoded) { 'eyJ0eXAiOiJKV1QiLCAiYWxnIjoiYWxnb3JpdGhtIn0='}
+            it 'matches' do
+              expect(Base64Url.decode encoded).to eql str
+            end
+          end
+
+          describe 'removed' do
+            let(:encoded) { 'eyJ0eXAiOiJKV1QiLCAiYWxnIjoiYWxnb3JpdGhtIn0'}
+            it_behaves_like 'given encoding'
+          end
+        end
+
+        context 'w 2 padding char' do
+          let(:str) { '{"typ":"JWT", "alg":"HS256"}' }
+
+          describe 'present' do
+            let(:encoded) { 'eyJ0eXAiOiJKV1QiLCAiYWxnIjoiSFMyNTYifQ=='}
+            it 'matches' do
+              expect(Base64Url.decode encoded).to eql str
+            end
+          end
+
+          describe 'removed' do
+            let(:encoded) { 'eyJ0eXAiOiJKV1QiLCAiYWxnIjoiSFMyNTYifQ'}
+            it_behaves_like 'given encoding'
+          end
+        end
+
+        describe 'invalid encoding' do
+          let(:encoded) { 'InR5cCI6IkpXVCIsICJhbGciOiJub25lI'}
+          it 'raises' do
+            expect { Base64Url.decode(encoded) }
+              .to raise_error(RuntimeError, 'Invalid base64 string')
+          end
+        end
+      end
+    end
+  end
+end

data/spec/json_web_token/jwa_spec.rb

@@ -0,0 +1,52 @@
+require 'json_web_token/jwa'
+
+module JsonWebToken
+  describe Jwa do
+    context 'detect changed signing_input or MAC' do
+      let(:signing_input) { 'signing_input' }
+      let(:changed_signing_input) { 'changed_signing_input' }
+      shared_examples_for '#signed' do
+        it 'is #verified?' do
+          mac = Jwa.signed(algorithm, signing_key, signing_input)
+          expect(Jwa.verified? mac, algorithm, verifying_key, signing_input).to be true
+          expect(Jwa.verified? mac, algorithm, verifying_key, changed_signing_input).to be false
+
+          changed_mac = Jwa.signed(algorithm, signing_key, changed_signing_input)
+          expect(Jwa.verified? changed_mac, algorithm, verifying_key, signing_input).to be false
+        end
+      end
+
+      describe 'HS256' do
+        let(:algorithm) { 'HS256' }
+        let(:signing_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+        let(:verifying_key) { signing_key }
+        it_behaves_like '#signed'
+      end
+    end
+
+    context 'param validation' do
+      let(:data) { 'data' }
+      context 'w HS256 key' do
+        let(:key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+        describe 'unrecognized algorithm' do
+          ['HT256', 'HS257', '', nil].each do |elt|
+            let(:algorithm) { "#{elt}" }
+            it 'raises' do
+              expect { Jwa.signed(algorithm, key, data) }
+                .to raise_error(RuntimeError, 'Unrecognized algorithm')
+            end
+          end
+        end
+
+        describe 'HS256' do
+          let(:algorithm) { 'HS256' }
+          it 'returns a 32-byte MAC string' do
+            mac = Jwa.signed(algorithm, key, data)
+            expect(mac.bytesize).to eql 32
+            expect(mac.class).to eql String
+          end
+        end
+      end
+    end
+  end
+end

data/spec/json_web_token/jws_spec.rb

@@ -0,0 +1,95 @@
+require 'json_web_token/jws'
+
+module JsonWebToken
+  describe Jws do
+    context 'w payload' do
+      let(:payload) { 'payload' }
+      context '#message_signature' do
+        shared_examples_for 'w #validate' do
+          it 'verified' do
+            jws = Jws.message_signature(header, payload, signing_key)
+            expect(Jws.validate jws, algorithm, verifying_key).to eql jws
+          end
+        end
+
+        context 'w HS256 keys' do
+          let(:signing_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+          let(:verifying_key) { signing_key }
+          context "w HS256 'alg' header parameter" do
+            let(:header) { {alg: 'HS256'} }
+            describe 'w passing a matching algorithm to #validate' do
+              let(:algorithm) { 'HS256' }
+              it_behaves_like 'w #validate'
+
+              describe 'w/o passing key to #validate' do
+                it "returns 'Invalid'" do
+                  jws = Jws.message_signature(header, payload, signing_key)
+                  expect(Jws.validate jws, algorithm, nil).to eql 'Invalid'
+                end
+              end
+            end
+
+            describe 'w/o passing a matching algorithm to #validate' do
+              let(:algorithm) { 'RS256' }
+              it 'raises' do
+                jws = Jws.message_signature(header, payload, signing_key)
+                expect { Jws.validate(jws, algorithm, verifying_key) }
+                  .to raise_error(RuntimeError, "Algorithm not matching 'alg' header parameter")
+              end
+            end
+          end
+        end
+      end
+
+      context 'header validation' do
+        let(:signing_key) { 'signing_key' }
+        describe "w/o a recognized 'alg' header parameter" do
+          let(:header) { {alg: 'HS257'} }
+          it 'raises' do
+            expect { Jws.message_signature(header, payload, signing_key) }
+              .to raise_error(RuntimeError, 'Unrecognized algorithm')
+          end
+        end
+
+        describe "w/o a required 'alg' header parameter" do
+          let(:header) { {typ: 'JWT'} }
+          it 'raises' do
+            expect { Jws.message_signature(header, payload, signing_key) }
+              .to raise_error(RuntimeError, "Missing required 'alg' header parameter")
+          end
+        end
+      end
+
+      context '#unsecured_jws' do
+        context 'w valid header' do
+          let(:header) { {alg: 'none'} }
+          describe 'w passing a matching algorithm to #validate' do
+            let(:algorithm) { 'none' }
+            it 'is verified' do
+              jws = Jws.unsecured_jws(header, payload)
+              expect(Jws.validate jws, algorithm).to eql jws
+            end
+          end
+
+          describe 'w/o passing a matching algorithm to #validate' do
+            let(:algorithm) { 'HS256' }
+            let(:verifying_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+            it 'raises' do
+              jws = Jws.unsecured_jws(header, payload)
+              expect { Jws.validate(jws, algorithm, verifying_key) }
+                .to raise_error(RuntimeError, "Algorithm not matching 'alg' header parameter")
+            end
+          end
+        end
+
+        describe 'w invalid header' do
+          let(:header) { {alg: 'HS256'} }
+          it 'raises' do
+            expect { Jws.unsecured_jws(header, payload) }
+              .to raise_error(RuntimeError, "Invalid 'alg' header parameter")
+          end
+        end
+      end
+    end
+  end
+end

data/spec/json_web_token/jwt_spec.rb

@@ -0,0 +1,93 @@
+require 'json_web_token/jwt'
+require 'support/plausible_jwt'
+
+module JsonWebToken
+  describe Jwt do
+    context '#create' do
+      shared_examples_for 'w #validate' do
+        it 'verified' do
+          jwt = Jwt.create(claims, options)
+          expect(Jwt.validate jwt, options).to include(claims)
+        end
+      end
+
+      shared_examples_for 'return message signature' do
+        it 'plausible' do
+          serialized_output = Jwt.create(claims, options)
+          expect(plausible_message_signature? serialized_output).to be true
+        end
+      end
+
+      shared_examples_for 'return unsecured jws' do
+        it 'plausible' do
+          serialized_output = Jwt.create(claims, options)
+          expect(plausible_unsecured_jws? serialized_output).to be true
+        end
+      end
+
+      context 'w claims' do
+        let(:claims) { {exp: 'tomorrow'} }
+        context 'w key' do
+          let(:key) { 'this_a_32_character_private_key!' }
+          describe 'default header' do
+            let(:options) { {key: key} }
+            it_behaves_like 'w #validate'
+            it_behaves_like 'return message signature'
+          end
+
+          describe 'passing header parameters' do
+            let(:options) { {typ: 'JWT', alg: 'HS256', key: key} }
+            it_behaves_like 'w #validate'
+            it_behaves_like 'return message signature'
+          end
+
+          describe "w 'alg':'none' header parameter" do
+            let(:options) { {typ: 'JWT', alg: 'none', key: key} }
+            it_behaves_like 'w #validate'
+            it_behaves_like 'return unsecured jws'
+          end
+
+          describe "w 'alg':'nil' header parameter" do
+            let(:options) { {alg: nil, key: key} }
+            it_behaves_like 'w #validate'
+            it_behaves_like 'return message signature'
+          end
+
+          describe "w 'alg':'' header parameter" do
+            let(:options) { {alg: nil, key: key} }
+            it_behaves_like 'w #validate'
+            it_behaves_like 'return message signature'
+          end
+        end
+
+        context 'w/o key' do
+          let(:options) { {typ: 'JWT', alg: 'none'} }
+          describe "w 'alg':'none' header parameter" do
+            it_behaves_like 'w #validate'
+            it_behaves_like 'return unsecured jws'
+          end
+        end
+      end
+
+      shared_examples_for 'claims not provided' do
+        it 'raises' do
+          expect { Jwt.create(claims, options) }
+            .to raise_error(RuntimeError, 'Claims not provided')
+        end
+      end
+
+      context 'w secret' do
+        let(:options) { {key: 'secret'} }
+        describe 'w claims nil' do
+          let(:claims) { nil }
+          it_behaves_like 'claims not provided'
+        end
+
+        describe "w claims ''" do
+          let(:claims) { '' }
+          it_behaves_like 'claims not provided'
+        end
+      end
+    end
+  end
+end

data/spec/json_web_token/util_spec.rb

@@ -0,0 +1,24 @@
+require 'json_web_token/util'
+
+module JsonWebToken
+  describe Util do
+    describe '#constant_time_compare' do
+      it 'guards against empty or nil strings' do
+        expect(Util.constant_time_compare 'a', 'a').to be true
+
+        expect(Util.constant_time_compare 'a', 'b').to be false
+        expect(Util.constant_time_compare 'a', 'A').to be false
+        expect(Util.constant_time_compare '', '').to be false
+        expect(Util.constant_time_compare nil, nil).to be false
+      end
+    end
+
+    describe '#symbolize_keys' do
+      it 'returns a new hash with all keys converted to symbols' do
+        original = {'a': 0, 'b': '2', c: '3'}
+        expect(Util.symbolize_keys original).to include({a: 0, b: '2', c: '3'})
+        expect(original).to eql original
+      end
+    end
+  end
+end

data/spec/json_web_token_spec.rb

@@ -0,0 +1,62 @@
+require 'json_web_token'
+
+describe JsonWebToken do
+  context '#create' do
+    let(:claims) { {exp: 'tomorrow'} }
+    shared_examples_for 'w #validate' do
+      it 'is verified' do
+        jwt = JsonWebToken.create(claims, create_options)
+        expect(JsonWebToken.validate jwt, validate_options).to include(claims)
+      end
+    end
+
+    context 'w HS256 keys' do
+      let(:signing_key) { 'gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr9C' }
+      let(:verifying_key) { signing_key }
+
+      describe 'default alg' do
+        let(:create_options) { {key: signing_key} }
+        let(:validate_options) { {key: verifying_key} }
+        it_behaves_like 'w #validate'
+      end
+
+      context "w 'alg' option" do
+        describe 'HS256' do
+          let(:create_options) { {alg: 'HS256', key: signing_key} }
+          let(:validate_options) { {alg: 'HS256', key: verifying_key} }
+          it_behaves_like 'w #validate'
+        end
+
+        describe "w alg 'none'" do
+          let(:create_options) { {alg: 'none', key: signing_key} }
+          let(:validate_options) { {alg: 'none', key: verifying_key} }
+          it_behaves_like 'w #validate'
+        end
+      end
+    end
+
+    context 'w/o key' do
+      context "w create alg 'none'" do
+        let(:create_options) { {alg: 'none'} }
+        describe "w validate alg 'none'" do
+          let(:validate_options) { {alg: 'none'} }
+          it_behaves_like 'w #validate'
+        end
+
+        describe "w default validate alg" do
+          it 'raises' do
+            jwt = JsonWebToken.create(claims, create_options)
+            expect { JsonWebToken.validate(jwt) }
+              .to raise_error(RuntimeError, "Algorithm not matching 'alg' header parameter")
+          end
+        end
+      end
+
+      describe 'w default create alg' do
+        it 'raises' do
+          expect { JsonWebToken.create(claims) }.to raise_error(RuntimeError, 'Invalid key')
+        end
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,85 @@
+require 'simplecov'
+SimpleCov.start
+
+# Conventionally, all specs live under a `spec` directory, which RSpec adds to
+# the `$LOAD_PATH`. The generated `.rspec` file contains `--require spec_helper`
+# which will cause this file to always be loaded, without a need to explicitly
+# require it in any files.
+#
+# Given that it is always loaded, you are encouraged to keep this file as
+# light-weight as possible. Requiring heavyweight dependencies from this file
+# will add to the boot time of your test suite on EVERY test run, even for an
+# individual file that may not need all of that loaded. Instead, consider
+# making a separate helper file that requires the additional dependencies and
+# performs the additional setup, and require it from the spec files that
+# actually need it.
+#
+# The `.rspec` file also contains a few flags that are not defaults but that
+# users commonly want.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+
+  # These two settings work together to allow you to limit a spec run to
+  # individual examples or groups you care about by tagging them with `:focus`
+  # metadata. When nothing is tagged with `:focus`, all examples get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Allows RSpec to persist some state between runs in order to support the
+  # `--only-failures` and `--next-failure` CLI options. We recommend you
+  # configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  # config.disable_monkey_patching!
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output, unless a formatter
+    # has already been configured (e.g. via a command-line flag)
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the end of the spec
+  # run, to help surface which specs are running particularly slowly.
+  # config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+end

data/spec/support/plausible_jwt.rb

@@ -0,0 +1,11 @@
+def plausible_message_signature?(str)
+  _parts_count(str) == 3
+end
+
+def plausible_unsecured_jws?(str)
+  _parts_count(str) == 2
+end
+
+def _parts_count(str)
+  str.split('.').length
+end

metadata

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification
+name: json_web_token
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Gary Fleshman
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-07-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.8.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.8.3
+- !ruby/object:Gem::Dependency
+  name: pry-byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+description: Ruby implementation of the JSON Web Token Standard Track RFC 4627
+email: gf4cl@verizon.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- LICENSE
+- README.md
+- json_web_token.gemspec
+- lib/json_web_token.rb
+- lib/json_web_token/algorithm/hmac.rb
+- lib/json_web_token/format/base64_url.rb
+- lib/json_web_token/jwa.rb
+- lib/json_web_token/jws.rb
+- lib/json_web_token/jwt.rb
+- lib/json_web_token/util.rb
+- lib/json_web_token/version.rb
+- spec/json_web_token/algorithm/hmac_spec.rb
+- spec/json_web_token/format/base64_url_spec.rb
+- spec/json_web_token/jwa_spec.rb
+- spec/json_web_token/jws_spec.rb
+- spec/json_web_token/jwt_spec.rb
+- spec/json_web_token/util_spec.rb
+- spec/json_web_token_spec.rb
+- spec/spec_helper.rb
+- spec/support/plausible_jwt.rb
+homepage: https://github.com/garyf/json_web_token
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: JSON Web Token for Ruby
+test_files: []