jwt 1.2.1 → 1.3.0
- checksums.yaml +4 -4
- data/Rakefile +1 -1
- data/jwt.gemspec +4 -4
- data/lib/jwt.rb +11 -4
- data/lib/jwt/json.rb +1 -1
- data/spec/helper.rb +0 -1
- data/spec/jwt_spec.rb +52 -10
- metadata +3 -3
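--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8f9090c3c5618d2e844c93a71d27b0fc09761f3b
+data.tar.gz: c9207a0a342a524526ca808643717da32a369fd6
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 94d6c47e835ba56c48afcac43912caa94c30ed83e4ba09a8cf0e94036f8c14d54c097931d732b5777f1fa45c09eca85735b9982c0ba8606f1d2da551d9d9fe90
+data.tar.gz: 547492a234aa3f61299117ea2a770601710c9e36ed6d6df1f3e83b85d6e6693efa7da5c25ebb132ceff50998762229ae17649fd410df67f1d2ec92c8f63de28a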
data/Rakefile
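--- a/data/jwt.gemspec
+++ b/data/jwt.gemspec
@@ -1,14 +1,14 @@
 # -*- encoding: utf-8 -*-
-# stub: jwt 1.
+# stub: jwt 1.3.0 ruby lib
 
 Gem::Specification.new do |s|
 s.name = "jwt"
-s.version = "1.
+s.version = "1.3.0"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
 s.require_paths = ["lib"]
 s.authors = ["Jeff Lindsay"]
-s.date = "2015-
+s.date = "2015-02-24"
 s.description = "JSON Web Token implementation in Ruby"
 s.email = "progrium@gmail.com"
 s.extra_rdoc_files = ["lib/jwt.rb", "lib/jwt/json.rb"]
@@ -17,7 +17,7 @@ Gem::Specification.new do |s|
 s.licenses = ["MIT"]
 s.rdoc_options = ["--line-numbers", "--title", "Jwt", "--main", "README.md"]
 s.rubyforge_project = "jwt"
-s.rubygems_version = "2.
+s.rubygems_version = "2.4.6"
 s.summary = "JSON Web Token implementation in Ruby"
 
 if s.respond_to? :specification_version then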
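--- a/data/lib/jwt.rb
+++ b/data/lib/jwt.rb
@@ -10,7 +10,9 @@ require "jwt/json"
 
 module JWT
 class DecodeError < StandardError; end
+class VerificationError < DecodeError; end
 class ExpiredSignature < StandardError; end
+class ImmatureSignature < StandardError; end
 extend JWT::Json
 
 module_function
@@ -102,6 +104,7 @@ module JWT
 
 default_options = {
 :verify_expiration => true,
+:verify_not_before => true,
 :leeway => 0
 }
 options = default_options.merge(options)
@@ -110,9 +113,13 @@ module JWT
 algo, key = signature_algorithm_and_key(header, key, &keyfinder)
 verify_signature(algo, key, signing_input, signature)
 end
+
 if options[:verify_expiration] && payload.include?('exp')
 raise JWT::ExpiredSignature.new("Signature has expired") unless payload['exp'].to_i > (Time.now.to_i - options[:leeway])
 end
+if options[:verify_not_before] && payload.include?('nbf')
+raise JWT::ImmatureSignature.new("Signature nbf has not been reached") unless payload['nbf'].to_i < (Time.now.to_i + options[:leeway])
+end
 return payload,header
 end
 
@@ -126,14 +133,14 @@ module JWT
 def verify_signature(algo, key, signing_input, signature)
 begin
 if ["HS256", "HS384", "HS512"].include?(algo)
-raise JWT::
+raise JWT::VerificationError.new("Signature verification failed") unless secure_compare(signature, sign_hmac(algo, signing_input, key))
 elsif ["RS256", "RS384", "RS512"].include?(algo)
-raise JWT::
+raise JWT::VerificationError.new("Signature verification failed") unless verify_rsa(algo, key, signing_input, signature)
 else
-raise JWT::
+raise JWT::VerificationError.new("Algorithm not supported")
 end
 rescue OpenSSL::PKey::PKeyError
-raise JWT::
+raise JWT::VerificationError.new("Signature verification failed")
 ensure
 OpenSSL.errors.clear
 end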
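Review bot: The new not-before check, `raise JWT::ImmatureSignature.new("Signature nbf has not been reached") unless payload['nbf'].to_i < (Time.now.to_i + options[:leeway])`, fails open on a malformed claim: `"nbf": "later"` or `"nbf": null` coerces to 0 through `to_i` and is accepted, while an array or object value raises a bare `NoMethodError` instead of a `JWT::DecodeError` (the `exp` branch above has the same coercion but happens to fail closed, since 0 is always expired). The strict `<` also rejects a token whose `nbf` equals the current second, whereas RFC 7519 §4.1.5 treats a token as valid when the current time is after or equal to `nbf`. I would validate the type before comparing and invert the comparison: `nbf = payload['nbf']`, then `raise JWT::DecodeError.new("nbf claim is not numeric") unless nbf.is_a?(Numeric) || nbf.to_s =~ /\A\d+\z/`, then `raise JWT::ImmatureSignature.new("Signature nbf has not been reached") if nbf.to_i > (Time.now.to_i + options[:leeway])`. The enclosing decode method begins before this hunk, so the `if verify` guard that the preceding `end` presumably closes is not visible here; note the claim checks sit outside it, which appears to be the existing pattern for `exp`.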
data/lib/jwt/json.rb
data/spec/helper.rb
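--- a/data/spec/jwt_spec.rb
+++ b/data/spec/jwt_spec.rb
@@ -2,7 +2,7 @@ require 'helper'
 
 describe JWT do
 before do
-@payload = {"foo" => "bar", "exp" => Time.now.to_i + 1}
+@payload = {"foo" => "bar", "exp" => Time.now.to_i + 1, "nbf" => Time.now.to_i - 1 }
 end
 
 it "encodes and decodes JWTs" do
@@ -37,42 +37,42 @@ describe JWT do
 expect(decoded_payload).to include(example_payload)
 end
 
-it "raises exception when the token is invalid" do
+it "raises decode exception when the token is invalid" do
 example_secret = 'secret'
 # Same as above exmaple with some random bytes replaced
 example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHiMomlwIjogIkJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.tvagLDLoaiJKxOKqpBXSEGy7SYSifZhjntgm9ctpyj8'
 expect { JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::DecodeError)
 end
 
-it "raises exception with wrong hmac key" do
+it "raises verification exception with wrong hmac key" do
 right_secret = 'foo'
 bad_secret = 'bar'
 jwt_message = JWT.encode(@payload, right_secret, "HS256")
-expect { JWT.decode(jwt_message, bad_secret) }.to raise_error(JWT::
+expect { JWT.decode(jwt_message, bad_secret) }.to raise_error(JWT::VerificationError)
 end
 
-it "raises exception with wrong rsa key" do
+it "raises verification exception with wrong rsa key" do
 right_private_key = OpenSSL::PKey::RSA.generate(512)
 bad_private_key = OpenSSL::PKey::RSA.generate(512)
 jwt = JWT.encode(@payload, right_private_key, "RS256")
-expect { JWT.decode(jwt, bad_private_key.public_key) }.to raise_error(JWT::
+expect { JWT.decode(jwt, bad_private_key.public_key) }.to raise_error(JWT::VerificationError)
 end
 
-it "raises exception with invalid signature" do
+it "raises decode exception with invalid signature" do
 example_secret = 'secret'
 example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.'
 expect { JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::DecodeError)
 end
 
-it "raises exception with nonexistent header" do
+it "raises decode exception with nonexistent header" do
 expect { JWT.decode("..stuff") }.to raise_error(JWT::DecodeError)
 end
 
-it "raises exception with nonexistent payload" do
+it "raises decode exception with nonexistent payload" do
 expect { JWT.decode("eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9..stuff") }.to raise_error(JWT::DecodeError)
 end
 
-it "raises exception with nil jwt" do
+it "raises decode exception with nil jwt" do
 expect { JWT.decode(nil) }.to raise_error(JWT::DecodeError)
 end
 
@@ -156,6 +156,48 @@ describe JWT do
 expect(decoded_payload).to include(expired_payload)
 end
 
+it "raises error when before nbf" do
+immature_payload = @payload.clone
+immature_payload['nbf'] = Time.now.to_i + 1
+secret = "secret"
+jwt = JWT.encode(immature_payload, secret)
+expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ImmatureSignature)
+end
+
+it "doesnt raise error when after nbf" do
+mature_payload = @payload.clone
+secret = "secret"
+jwt = JWT.encode(mature_payload, secret)
+decoded_payload = JWT.decode(jwt, secret, true, {:verify_expiration => false})
+expect(decoded_payload).to include(mature_payload)
+end
+
+it "raise ImmatureSignature even when nbf claim is a string" do
+immature_payload = @payload.clone
+immature_payload['nbf'] = (Time.now.to_i).to_s
+secret = "secret"
+jwt = JWT.encode(immature_payload, secret)
+expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ImmatureSignature)
+end
+
+it "performs normal decode with skipped not before check" do
+immature_payload = @payload.clone
+immature_payload['nbf'] = Time.now.to_i + 2
+secret = "secret"
+jwt = JWT.encode(immature_payload, secret)
+decoded_payload = JWT.decode(jwt, secret, true, {:verify_not_before => false})
+expect(decoded_payload).to include(immature_payload)
+end
+
+it "performs normal decode using leeway" do
+immature_payload = @payload.clone
+immature_payload['nbf'] = Time.now.to_i - 2
+secret = "secret"
+jwt = JWT.encode(immature_payload, secret)
+decoded_payload = JWT.decode(jwt, secret, true, {:leeway => 3})
+expect(decoded_payload).to include(immature_payload)
+end
+
 describe "secure comparison" do
 it "returns true if strings are equal" do
 expect(JWT.secure_compare("Foo", "Foo")).to be true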
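Review bot: The added example `it "raise ImmatureSignature even when nbf claim is a string"` sets `immature_payload['nbf'] = (Time.now.to_i).to_s`, i.e. an `nbf` equal to the current second, so it passes only because the decoder rejects `nbf == now` — a boundary RFC 7519 §4.1.5 says must be accepted — and it turns flaky whenever the clock crosses a second between building the payload and calling `JWT.decode`. Put the claim clearly in the future so the example exercises string coercion rather than the boundary: `immature_payload['nbf'] = (Time.now.to_i + 2).to_s`. There is still no example for a non-numeric `nbf` such as `"nbf" => "soon"`, which `to_i` in the decoder turns into 0 and therefore accepts; a case pinning the intended outcome (presumably `JWT::DecodeError`) would catch that fail-open path. The same clock proximity shows in `"doesnt raise error when after nbf"`, which must pass `:verify_expiration => false` because the shared `exp` of `Time.now.to_i + 1` can lapse mid-example; a wider margin in the `before` block would remove that workaround.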
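--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.3.0
 platform: ruby
 authors:
 - Jeff Lindsay
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-
+date: 2015-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: echoe
@@ -64,7 +64,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '1.2'
 requirements: []
 rubyforge_project: jwt
-rubygems_version: 2.
+rubygems_version: 2.4.6
 signing_key:
 specification_version: 4
 summary: JSON Web Token implementation in Ruby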