jwt 0.1.5 → 0.1.6

  1. data/Rakefile +1 -1
  2. data/jwt.gemspec +3 -3
  3. data/lib/jwt.rb +13 -2
  4. data/spec/jwt_spec.rb +30 -0
  5. metadata +46 -63
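--- a/data/Rakefile
+++ b/data/Rakefile
@@ -2,7 +2,7 @@ require 'rubygems'
 require 'rake'
 require 'echoe'
 
-Echoe.new('jwt', '0.1.5') do |p|
+Echoe.new('jwt', '0.1.6') do |p|
 p.description = "JSON Web Token implementation in Ruby"
 p.url = "http://github.com/progrium/ruby-jwt"
 p.author = "Jeff Lindsay"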
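--- a/data/jwt.gemspec
+++ b/data/jwt.gemspec
@@ -2,11 +2,11 @@
 
 Gem::Specification.new do |s|
 s.name = "jwt"
-s.version = "0.1.5"
+s.version = "0.1.6"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
 s.authors = ["Jeff Lindsay"]
-s.date = "2012-07-20"
+s.date = "2013-03-05"
 s.description = "JSON Web Token implementation in Ruby"
 s.email = "progrium@gmail.com"
 s.extra_rdoc_files = ["lib/jwt.rb"]
@@ -15,7 +15,7 @@ Gem::Specification.new do |s|
 s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Jwt", "--main", "README.md"]
 s.require_paths = ["lib"]
 s.rubyforge_project = "jwt"
-s.rubygems_version = "1.8.24"
+s.rubygems_version = "1.8.23"
 s.summary = "JSON Web Token implementation in Ruby"
 
 if s.respond_to? :specification_version then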
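--- a/data/lib/jwt.rb
+++ b/data/lib/jwt.rb
@@ -9,7 +9,7 @@ require "openssl"
 require "multi_json"
 
 module JWT
-class DecodeError < Exception; end
+class DecodeError < StandardError; end
 
 def self.sign(algorithm, msg, key)
 if ["HS256", "HS384", "HS512"].include?(algorithm)
@@ -79,7 +79,7 @@ module JWT
 
 begin
 if ["HS256", "HS384", "HS512"].include?(algo)
-raise JWT::DecodeError.new("Signature verification failed") unless signature == sign_hmac(algo, signing_input, key)
+raise JWT::DecodeError.new("Signature verification failed") unless secure_compare(signature, sign_hmac(algo, signing_input, key))
 elsif ["RS256", "RS384", "RS512"].include?(algo)
 raise JWT::DecodeError.new("Signature verification failed") unless verify_rsa(algo, key, signing_input, signature)
 else
@@ -92,4 +92,15 @@ module JWT
 payload
 end
 
+# From devise
+# constant-time comparison algorithm to prevent timing attacks
+def self.secure_compare(a, b)
+return false if a.nil? || b.nil? || a.empty? || b.empty? || a.bytesize != b.bytesize
+l = a.unpack "C#{a.bytesize}"
+
+res = 0
+b.each_byte { |byte| res |= byte ^ l.shift }
+res == 0
+end
+
 end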
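Review bot: `secure_compare` (new lines 97–104 of the last hunk) returns early when `a.bytesize != b.bytesize`, so only the equal-length path is constant-time; that is acceptable for HMAC digests, whose length is fixed by the algorithm and not secret, but the helper is public (`def self.secure_compare`) and nothing documents that limit. A comment such as `# Only the byte comparison is constant-time; the length check short-circuits, so do not use this where the length of either input is itself secret` would keep the helper from being reused for variable-length secrets. `a.unpack "C#{a.bytesize}"` can simply be `a.unpack("C*")`, and `# From devise` would be more useful as a pointer to the exact devise helper it was copied from, so later fixes there can be tracked. The `begin` block in the second hunk starts and its `rescue` ends outside the hunk, so which errors wrap the comparison cannot be checked here.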
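--- a/data/spec/jwt_spec.rb
+++ b/data/spec/jwt_spec.rb
@@ -70,6 +70,36 @@ describe JWT do
 decoded_payload.should == @payload
 end
 
+it "does not use == to compare digests" do
+secret = "secret"
+jwt = JWT.encode(@payload, secret)
+crypto_segment = jwt.split(".").last
+
+signature = JWT.base64url_decode(crypto_segment)
+signature.should_not_receive('==')
+JWT.should_receive(:base64url_decode).with(crypto_segment).once.and_return(signature)
+JWT.should_receive(:base64url_decode).any_number_of_times.and_call_original
+
+JWT.decode(jwt, secret)
+end
+
+describe "secure comparison" do
+it "returns true if strings are equal" do
+expect(JWT.secure_compare("Foo", "Foo")).to be_true
+end
+
+it "returns false if either input is nil or empty" do
+[nil, ""].each do |bad|
+expect(JWT.secure_compare(bad, "Foo")).to be_false
+expect(JWT.secure_compare("Foo", bad)).to be_false
+end
+end
+
+it "retuns falise of the strings are different" do
+expect(JWT.secure_compare("Foo", "Bar")).to be_false
+end
+end
+
 it "raise exception on invalid signature" do
 pubkey = OpenSSL::PKey::RSA.new(<<-PUBKEY)
 -----BEGIN PUBLIC KEY-----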
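Review bot: The example name at new line 98, `it "retuns falise of the strings are different" do`, has three typos and should read `it "returns false if the strings are different" do`. The `does not use == to compare digests` example (new lines 73–84) pins an implementation detail through message expectations on the object returned by `base64url_decode`, so any refactor of `decode` that builds the signature differently will fail it without the protection having regressed; a behavioural example that passes a token whose signature segment is altered by one byte and expects `JWT::DecodeError` would pin the property actually wanted. The `secure comparison` group also never checks two equal-length but different strings against the HMAC path of `decode`, which is the case `secure_compare` was introduced for. The enclosing `describe JWT do` block starts and ends outside the hunk.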
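--- a/metadata
+++ b/metadata
@@ -1,62 +1,55 @@
---- !ruby/object:Gem::Specification
+--- !ruby/object:Gem::Specification
 name: jwt
-version: !ruby/object:Gem::Version
-hash: 17
+version: !ruby/object:Gem::Version
+version: 0.1.6
 prerelease:
-segments:
-- 0
-- 1
-- 5
-version: 0.1.5
 platform: ruby
-authors:
+authors:
 - Jeff Lindsay
 autorequire:
 bindir: bin
 cert_chain: []
-
-date: 2012-07-20 00:00:00 Z
-dependencies:
-- !ruby/object:Gem::Dependency
+date: 2013-03-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
 name: multi_json
-prerelease: false
-requirement: &id001 !ruby/object:Gem::Requirement
+requirement: !ruby/object:Gem::Requirement
 none: false
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-hash: 15
-segments:
-- 1
-- 0
-version: "1.0"
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '1.0'
 type: :runtime
-version_requirements: *id001
-- !ruby/object:Gem::Dependency
-name: echoe
 prerelease: false
-requirement: &id002 !ruby/object:Gem::Requirement
+version_requirements: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '1.0'
+- !ruby/object:Gem::Dependency
+name: echoe
+requirement: !ruby/object:Gem::Requirement
 none: false
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-hash: 33
-segments:
-- 4
-- 6
-- 3
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
 version: 4.6.3
 type: :development
-version_requirements: *id002
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+none: false
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: 4.6.3
 description: JSON Web Token implementation in Ruby
 email: progrium@gmail.com
 executables: []
-
 extensions: []
-
-extra_rdoc_files:
+extra_rdoc_files:
 - lib/jwt.rb
-files:
+files:
 - Rakefile
 - lib/jwt.rb
 - spec/helper.rb
@@ -65,42 +58,32 @@ files:
 - jwt.gemspec
 homepage: http://github.com/progrium/ruby-jwt
 licenses: []
-
 post_install_message:
-rdoc_options:
+rdoc_options:
 - --line-numbers
 - --inline-source
 - --title
 - Jwt
 - --main
 - README.md
-require_paths:
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement
+required_ruby_version: !ruby/object:Gem::Requirement
 none: false
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-hash: 3
-segments:
-- 0
-version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
-requirements:
-- - ">="
-- !ruby/object:Gem::Version
-hash: 11
-segments:
-- 1
-- 2
-version: "1.2"
+requirements:
+- - ! '>='
+- !ruby/object:Gem::Version
+version: '1.2'
 requirements: []
-
 rubyforge_project: jwt
-rubygems_version: 1.8.24
+rubygems_version: 1.8.23
 signing_key:
 specification_version: 3
 summary: JSON Web Token implementation in Ruby
 test_files: []
-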