jwt 0.1.5 → 0.1.6

Files changed (5) hide show
  1. data/Rakefile +1 -1
  2. data/jwt.gemspec +3 -3
  3. data/lib/jwt.rb +13 -2
  4. data/spec/jwt_spec.rb +30 -0
  5. metadata +46 -63
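--- a/data/Rakefile
+++ b/data/Rakefile
@@ -2,7 +2,7 @@ require 'rubygems'
 require 'rake'
 require 'echoe'
 
-Echoe.new('jwt', '0.1.5') do |p|
+Echoe.new('jwt', '0.1.6') do |p|
 p.description = "JSON Web Token implementation in Ruby"
 p.url = "http://github.com/progrium/ruby-jwt"
 p.author = "Jeff Lindsay"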
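--- a/data/jwt.gemspec
+++ b/data/jwt.gemspec
@@ -2,11 +2,11 @@
 
 Gem::Specification.new do |s|
 s.name = "jwt"
-s.version = "0.1.5"
+s.version = "0.1.6"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
 s.authors = ["Jeff Lindsay"]
-s.date = "2012-07-20"
+s.date = "2013-03-05"
 s.description = "JSON Web Token implementation in Ruby"
 s.email = "progrium@gmail.com"
 s.extra_rdoc_files = ["lib/jwt.rb"]
@@ -15,7 +15,7 @@ Gem::Specification.new do |s|
 s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Jwt", "--main", "README.md"]
 s.require_paths = ["lib"]
 s.rubyforge_project = "jwt"
-s.rubygems_version = "1.8.24"
+s.rubygems_version = "1.8.23"
 s.summary = "JSON Web Token implementation in Ruby"
 
 if s.respond_to? :specification_version then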
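--- a/data/lib/jwt.rb
+++ b/data/lib/jwt.rb
@@ -9,7 +9,7 @@ require "openssl"
 require "multi_json"
 
 module JWT
-class DecodeError < Exception; end
+class DecodeError < StandardError; end
 
 def self.sign(algorithm, msg, key)
 if ["HS256", "HS384", "HS512"].include?(algorithm)
@@ -79,7 +79,7 @@ module JWT
 
 begin
 if ["HS256", "HS384", "HS512"].include?(algo)
-raise JWT::DecodeError.new("Signature verification failed") unless signature == sign_hmac(algo, signing_input, key)
+raise JWT::DecodeError.new("Signature verification failed") unless secure_compare(signature, sign_hmac(algo, signing_input, key))
 elsif ["RS256", "RS384", "RS512"].include?(algo)
 raise JWT::DecodeError.new("Signature verification failed") unless verify_rsa(algo, key, signing_input, signature)
 else
@@ -92,4 +92,15 @@ module JWT
 payload
 end
 
+# From devise
+# constant-time comparison algorithm to prevent timing attacks
+def self.secure_compare(a, b)
+return false if a.nil? || b.nil? || a.empty? || b.empty? || a.bytesize != b.bytesize
+l = a.unpack "C#{a.bytesize}"
+
+res = 0
+b.each_byte { |byte| res |= byte ^ l.shift }
+res == 0
+end
+
 end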
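Review bot: `secure_compare` in the last hunk returns early when `a.bytesize != b.bytesize` (or when either side is nil or empty), so only the byte-by-byte loop is constant-time and a length mismatch is observable; that is acceptable here because the HMAC digest length is fixed by `algo`, but the method is public (`def self.secure_compare`) and its two-line header does not say so. I would extend the header to `# Constant-time comparison (from devise) for fixed-length digests: the byte loop runs in constant time, but an empty input or a length mismatch returns false early.` As a style point, `l = a.unpack "C#{a.bytesize}"` can be `l = a.unpack("C*")`, which yields the same byte array without building a format string. The `begin` block in the second hunk that now calls `secure_compare` starts and ends outside the hunk, so whether a `rescue` there would mask the `DecodeError` cannot be seen from here.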
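--- a/data/spec/jwt_spec.rb
+++ b/data/spec/jwt_spec.rb
@@ -70,6 +70,36 @@ describe JWT do
 decoded_payload.should == @payload
 end
 
+it "does not use == to compare digests" do
+secret = "secret"
+jwt = JWT.encode(@payload, secret)
+crypto_segment = jwt.split(".").last
+
+signature = JWT.base64url_decode(crypto_segment)
+signature.should_not_receive('==')
+JWT.should_receive(:base64url_decode).with(crypto_segment).once.and_return(signature)
+JWT.should_receive(:base64url_decode).any_number_of_times.and_call_original
+
+JWT.decode(jwt, secret)
+end
+
+describe "secure comparison" do
+it "returns true if strings are equal" do
+expect(JWT.secure_compare("Foo", "Foo")).to be_true
+end
+
+it "returns false if either input is nil or empty" do
+[nil, ""].each do |bad|
+expect(JWT.secure_compare(bad, "Foo")).to be_false
+expect(JWT.secure_compare("Foo", bad)).to be_false
+end
+end
+
+it "retuns falise of the strings are different" do
+expect(JWT.secure_compare("Foo", "Bar")).to be_false
+end
+end
+
 it "raise exception on invalid signature" do
 pubkey = OpenSSL::PKey::RSA.new(<<-PUBKEY)
 -----BEGIN PUBLIC KEY-----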
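Review bot: The description of the last example in the "secure comparison" group is misspelt (`it "retuns falise of the strings are different" do`); change it to `it "returns false if the strings are different" do`. That group also never exercises the length-mismatch branch of `secure_compare`, since "Foo" and "Bar" have the same bytesize, so adding `expect(JWT.secure_compare("Foo", "Food")).to be_false` to that example would cover the early return. The "does not use == to compare digests" example stacks two `should_receive(:base64url_decode)` expectations on the same message; which one rspec-mocks consults first depends on its ordering rules, so if this proves brittle a direct `JWT.should_receive(:secure_compare).and_call_original` expectation would state the intent more plainly.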
metadata CHANGED
@@ -1,62 +1,55 @@
1
- --- !ruby/object:Gem::Specification
1
+ --- !ruby/object:Gem::Specification
2
2
  name: jwt
3
- version: !ruby/object:Gem::Version
4
- hash: 17
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.6
5
5
  prerelease:
6
- segments:
7
- - 0
8
- - 1
9
- - 5
10
- version: 0.1.5
11
6
  platform: ruby
12
- authors:
7
+ authors:
13
8
  - Jeff Lindsay
14
9
  autorequire:
15
10
  bindir: bin
16
11
  cert_chain: []
17
-
18
- date: 2012-07-20 00:00:00 Z
19
- dependencies:
20
- - !ruby/object:Gem::Dependency
12
+ date: 2013-03-05 00:00:00.000000000 Z
13
+ dependencies:
14
+ - !ruby/object:Gem::Dependency
21
15
  name: multi_json
22
- prerelease: false
23
- requirement: &id001 !ruby/object:Gem::Requirement
16
+ requirement: !ruby/object:Gem::Requirement
24
17
  none: false
25
- requirements:
26
- - - ">="
27
- - !ruby/object:Gem::Version
28
- hash: 15
29
- segments:
30
- - 1
31
- - 0
32
- version: "1.0"
18
+ requirements:
19
+ - - ! '>='
20
+ - !ruby/object:Gem::Version
21
+ version: '1.0'
33
22
  type: :runtime
34
- version_requirements: *id001
35
- - !ruby/object:Gem::Dependency
36
- name: echoe
37
23
  prerelease: false
38
- requirement: &id002 !ruby/object:Gem::Requirement
24
+ version_requirements: !ruby/object:Gem::Requirement
25
+ none: false
26
+ requirements:
27
+ - - ! '>='
28
+ - !ruby/object:Gem::Version
29
+ version: '1.0'
30
+ - !ruby/object:Gem::Dependency
31
+ name: echoe
32
+ requirement: !ruby/object:Gem::Requirement
39
33
  none: false
40
- requirements:
41
- - - ">="
42
- - !ruby/object:Gem::Version
43
- hash: 33
44
- segments:
45
- - 4
46
- - 6
47
- - 3
34
+ requirements:
35
+ - - ! '>='
36
+ - !ruby/object:Gem::Version
48
37
  version: 4.6.3
49
38
  type: :development
50
- version_requirements: *id002
39
+ prerelease: false
40
+ version_requirements: !ruby/object:Gem::Requirement
41
+ none: false
42
+ requirements:
43
+ - - ! '>='
44
+ - !ruby/object:Gem::Version
45
+ version: 4.6.3
51
46
  description: JSON Web Token implementation in Ruby
52
47
  email: progrium@gmail.com
53
48
  executables: []
54
-
55
49
  extensions: []
56
-
57
- extra_rdoc_files:
50
+ extra_rdoc_files:
58
51
  - lib/jwt.rb
59
- files:
52
+ files:
60
53
  - Rakefile
61
54
  - lib/jwt.rb
62
55
  - spec/helper.rb
@@ -65,42 +58,32 @@ files:
65
58
  - jwt.gemspec
66
59
  homepage: http://github.com/progrium/ruby-jwt
67
60
  licenses: []
68
-
69
61
  post_install_message:
70
- rdoc_options:
62
+ rdoc_options:
71
63
  - --line-numbers
72
64
  - --inline-source
73
65
  - --title
74
66
  - Jwt
75
67
  - --main
76
68
  - README.md
77
- require_paths:
69
+ require_paths:
78
70
  - lib
79
- required_ruby_version: !ruby/object:Gem::Requirement
71
+ required_ruby_version: !ruby/object:Gem::Requirement
80
72
  none: false
81
- requirements:
82
- - - ">="
83
- - !ruby/object:Gem::Version
84
- hash: 3
85
- segments:
86
- - 0
87
- version: "0"
88
- required_rubygems_version: !ruby/object:Gem::Requirement
73
+ requirements:
74
+ - - ! '>='
75
+ - !ruby/object:Gem::Version
76
+ version: '0'
77
+ required_rubygems_version: !ruby/object:Gem::Requirement
89
78
  none: false
90
- requirements:
91
- - - ">="
92
- - !ruby/object:Gem::Version
93
- hash: 11
94
- segments:
95
- - 1
96
- - 2
97
- version: "1.2"
79
+ requirements:
80
+ - - ! '>='
81
+ - !ruby/object:Gem::Version
82
+ version: '1.2'
98
83
  requirements: []
99
-
100
84
  rubyforge_project: jwt
101
- rubygems_version: 1.8.24
85
+ rubygems_version: 1.8.23
102
86
  signing_key:
103
87
  specification_version: 3
104
88
  summary: JSON Web Token implementation in Ruby
105
89
  test_files: []
106
-