jwt 1.5.1 → 1.5.2

data/lib/jwt.rb

@@ -7,7 +7,7 @@ require 'jwt/json'
 # JSON Web Token implementation
 #
 # Should be up to date with the latest spec:
-# http://self-issued.info/docs/draft-jones-json-web-token-06.html
+# https://tools.ietf.org/html/rfc7519#section-4.1.5
 module JWT
   class DecodeError < StandardError; end
   class VerificationError < DecodeError; end
@@ -30,14 +30,14 @@ module JWT
   module_function
 
   def sign(algorithm, msg, key)
-    if ['HS256', 'HS384', 'HS512'].include?(algorithm)
+    if %w(HS256 HS384 HS512).include?(algorithm)
       sign_hmac(algorithm, msg, key)
-    elsif ['RS256', 'RS384', 'RS512'].include?(algorithm)
+    elsif %w(RS256 RS384 RS512).include?(algorithm)
       sign_rsa(algorithm, msg, key)
-    elsif ['ES256', 'ES384', 'ES512'].include?(algorithm)
+    elsif %w(ES256 ES384 ES512).include?(algorithm)
       sign_ecdsa(algorithm, msg, key)
     else
-      fail NotImplementedError.new('Unsupported signing method')
+      fail NotImplementedError, 'Unsupported signing method'
     end
   end
 
@@ -48,7 +48,7 @@ module JWT
   def sign_ecdsa(algorithm, msg, private_key)
     key_algorithm = NAMED_CURVES[private_key.group.curve_name]
     if algorithm != key_algorithm
-      fail IncorrectAlgorithm.new("payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided")
+      fail IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
     end
 
     digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
@@ -62,7 +62,7 @@ module JWT
   def verify_ecdsa(algorithm, public_key, signing_input, signature)
     key_algorithm = NAMED_CURVES[public_key.group.curve_name]
     if algorithm != key_algorithm
-      fail IncorrectAlgorithm.new("payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided")
+      fail IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
     end
 
     digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
@@ -82,7 +82,7 @@ module JWT
     Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '')
   end
 
-  def encoded_header(algorithm='HS256', header_fields={})
+  def encoded_header(algorithm = 'HS256', header_fields = {})
     header = { 'typ' => 'JWT', 'alg' => algorithm }.merge(header_fields)
     base64url_encode(encode_json(header))
   end
@@ -100,7 +100,7 @@ module JWT
     end
   end
 
-  def encode(payload, key, algorithm='HS256', header_fields={})
+  def encode(payload, key, algorithm = 'HS256', header_fields = {})
     algorithm ||= 'none'
     segments = []
     segments << encoded_header(algorithm, header_fields)
@@ -109,10 +109,10 @@ module JWT
     segments.join('.')
   end
 
-  def raw_segments(jwt, verify=true)
+  def raw_segments(jwt, verify = true)
     segments = jwt.split('.')
     required_num_segments = verify ? [3] : [2, 3]
-    fail JWT::DecodeError.new('Not enough or too many segments') unless required_num_segments.include? segments.length
+    fail(JWT::DecodeError, 'Not enough or too many segments') unless required_num_segments.include? segments.length
     segments
   end
 
@@ -122,7 +122,7 @@ module JWT
     [header, payload]
   end
 
-  def decoded_segments(jwt, verify=true)
+  def decoded_segments(jwt, verify = true)
     header_segment, payload_segment, crypto_segment = raw_segments(jwt, verify)
     header, payload = decode_header_and_payload(header_segment, payload_segment)
     signature = base64url_decode(crypto_segment.to_s) if verify
@@ -130,21 +130,21 @@ module JWT
     [header, payload, signature, signing_input]
   end
 
-  def decode(jwt, key=nil, verify=true, options={}, &keyfinder)
-    fail JWT::DecodeError.new('Nil JSON web token') unless jwt
+  def decode(jwt, key = nil, verify = true, options = {}, &keyfinder)
+    fail(JWT::DecodeError, 'Nil JSON web token') unless jwt
 
     header, payload, signature, signing_input = decoded_segments(jwt, verify)
-    fail JWT::DecodeError.new('Not enough or too many segments') unless header && payload
+    fail(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
 
     default_options = {
-      :verify_expiration => true,
-      :verify_not_before => true,
-      :verify_iss => false,
-      :verify_iat => false,
-      :verify_jti => false,
-      :verify_aud => false,
-      :verify_sub => false,
-      :leeway => 0
+      verify_expiration: true,
+      verify_not_before: true,
+      verify_iss: false,
+      verify_iat: false,
+      verify_jti: false,
+      verify_aud: false,
+      verify_sub: false,
+      leeway: 0
     }
 
     options = default_options.merge(options)
@@ -152,36 +152,36 @@ module JWT
     if verify
       algo, key = signature_algorithm_and_key(header, key, &keyfinder)
       if options[:algorithm] && algo != options[:algorithm]
-        fail JWT::IncorrectAlgorithm.new('Expected a different algorithm')
+        fail JWT::IncorrectAlgorithm, 'Expected a different algorithm'
       end
       verify_signature(algo, key, signing_input, signature)
     end
 
     if options[:verify_expiration] && payload.include?('exp')
-      fail JWT::ExpiredSignature.new('Signature has expired') unless payload['exp'].to_i > (Time.now.to_i - options[:leeway])
+      fail(JWT::ExpiredSignature, 'Signature has expired') unless payload['exp'].to_i > (Time.now.to_i - options[:leeway])
     end
     if options[:verify_not_before] && payload.include?('nbf')
-      fail JWT::ImmatureSignature.new('Signature nbf has not been reached') unless payload['nbf'].to_i < (Time.now.to_i + options[:leeway])
+      fail(JWT::ImmatureSignature, 'Signature nbf has not been reached') unless payload['nbf'].to_i <= (Time.now.to_i + options[:leeway])
     end
-    if options[:verify_iss] && options['iss']
-      fail JWT::InvalidIssuerError.new("Invalid issuer. Expected #{options['iss']}, received #{payload['iss'] || '<none>'}") unless payload['iss'].to_s == options['iss'].to_s
+    if options[:verify_iss] && options[:iss]
+      fail(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options[:iss]}, received #{payload['iss'] || '<none>'}") unless payload['iss'].to_s == options[:iss].to_s
     end
     if options[:verify_iat] && payload.include?('iat')
-      fail JWT::InvalidIatError.new('Invalid iat') unless payload['iat'].is_a?(Integer) && payload['iat'].to_i <= Time.now.to_i
+      fail(JWT::InvalidIatError, 'Invalid iat') unless payload['iat'].is_a?(Integer) && payload['iat'].to_i <= (Time.now.to_i + options[:leeway])
     end
-    if options[:verify_aud] && options['aud']
-      if payload['aud'].is_a?(Array)
-        fail JWT::InvalidAudError.new('Invalid audience') unless payload['aud'].include?(options['aud'].to_s)
+    if options[:verify_aud] && options[:aud]
+      if payload[:aud].is_a?(Array)
+        fail(JWT::InvalidAudError, 'Invalid audience') unless payload['aud'].include?(options[:aud].to_s)
       else
-        fail JWT::InvalidAudError.new("Invalid audience. Expected #{options['aud']}, received #{payload['aud'] || '<none>'}") unless payload['aud'].to_s == options['aud'].to_s
+        fail(JWT::InvalidAudError, "Invalid audience. Expected #{options[:aud]}, received #{payload['aud'] || '<none>'}") unless payload['aud'].to_s == options[:aud].to_s
       end
     end
-    if options[:verify_sub] && payload.include?('sub')
-      fail JWT::InvalidSubError.new("Invalid subject. Expected #{options['sub']}, received #{payload['sub']}") unless payload['sub'].to_s == options['sub'].to_s
+    if options[:verify_sub] && options.include?(:sub)
+      fail(JWT::InvalidSubError, "Invalid subject. Expected #{options[:sub]}, received #{payload['sub'] || '<none>'}") unless payload['sub'].to_s == options[:sub].to_s
     end
     if options[:verify_jti] && payload.include?('jti')
-      fail JWT::InvalidJtiError.new('need iat for verify jwt id') unless payload.include?('iat')
-      fail JWT::InvalidJtiError.new('Not a uniq jwt id') unless options['jti'].to_s == Digest::MD5.hexdigest("#{key}:#{payload['iat']}")
+      fail(JWT::InvalidJtiError, 'need iat for verify jwt id') unless payload.include?('iat')
+      fail(JWT::InvalidJtiError, 'Not a uniq jwt id') unless options[:jti].to_s == Digest::MD5.hexdigest("#{key}:#{payload['iat']}")
     end
 
     [payload, header]
@@ -193,17 +193,17 @@ module JWT
   end
 
   def verify_signature(algo, key, signing_input, signature)
-    if ['HS256', 'HS384', 'HS512'].include?(algo)
-      fail JWT::VerificationError.new('Signature verification failed') unless secure_compare(signature, sign_hmac(algo, signing_input, key))
-    elsif ['RS256', 'RS384', 'RS512'].include?(algo)
-      fail JWT::VerificationError.new('Signature verification failed') unless verify_rsa(algo, key, signing_input, signature)
-    elsif ['ES256', 'ES384', 'ES512'].include?(algo)
-      fail JWT::VerificationError.new('Signature verification failed') unless verify_ecdsa(algo, key, signing_input, signature)
+    if %w(HS256 HS384 HS512).include?(algo)
+      fail(JWT::VerificationError, 'Signature verification raiseed') unless secure_compare(signature, sign_hmac(algo, signing_input, key))
+    elsif %w(RS256 RS384 RS512).include?(algo)
+      fail(JWT::VerificationError, 'Signature verification raiseed') unless verify_rsa(algo, key, signing_input, signature)
+    elsif %w(ES256 ES384 ES512).include?(algo)
+      fail(JWT::VerificationError, 'Signature verification raiseed') unless verify_ecdsa(algo, key, signing_input, signature)
     else
-      fail JWT::VerificationError.new('Algorithm not supported')
+      fail JWT::VerificationError, 'Algorithm not supported'
     end
   rescue OpenSSL::PKey::PKeyError
-    raise JWT::VerificationError.new('Signature verification failed')
+    raise JWT::VerificationError, 'Signature verification raised'
   ensure
     OpenSSL.errors.clear
   end

data/lib/jwt/json.rb

@@ -8,7 +8,7 @@ module JWT
       def decode_json(encoded)
         JSON.parse(encoded)
       rescue JSON::ParserError
-        raise JWT::DecodeError.new('Invalid segment encoding')
+        raise JWT::DecodeError, 'Invalid segment encoding'
       end
 
       def encode_json(raw)
@@ -21,7 +21,7 @@ module JWT
       def decode_json(encoded)
         MultiJson.decode(encoded)
       rescue MultiJson::LoadError
-        raise JWT::DecodeError.new('Invalid segment encoding')
+        raise JWT::DecodeError, 'Invalid segment encoding'
       end
 
       def encode_json(raw)

data/spec/jwt_spec.rb

@@ -1,463 +1,412 @@
-# encoding: utf-8
-require 'helper'
+require 'spec_helper'
+require 'jwt'
 
 describe JWT do
-  before do
-    @payload = { 'foo' => 'bar', 'exp' => Time.now.to_i + 1, 'nbf' => Time.now.to_i - 1 }
+  let(:payload) { { 'user_id' => 'some@user.tld' } }
+
+  let :data do
+    {
+      :secret => 'My$ecretK3y',
+      :rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-private.pem'))),
+      :rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-public.pem'))),
+      :wrong_rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
+      :wrong_rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
+      'ES256_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-private.pem'))),
+      'ES256_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-public.pem'))),
+      'ES384_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-private.pem'))),
+      'ES384_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-public.pem'))),
+      'ES512_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-private.pem'))),
+      'ES512_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-public.pem'))),
+      'NONE' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.',
+      'HS256' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.tCGvlClld0lbQ3NZaH8y53n5RSBr3zlS4Oy5bXqvzZQ',
+      'HS384' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.sj1gc01SawlJSrPZgmveifJ8CzZRYAWjejWm4FRaGaAISESJ9Ncf12fCz2vHrITm',
+      'HS512' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.isjhsWMZpRQOWw6LKtlY4L6tMDNkLr0qZ3bQe_xRFXWhzVvJlkclTbLVa1J6Dlj2WyZ_I1jEobTaFMDoXPzwWg',
+      'RS256' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.u82QrhjZTtwve5akvfWS_4LPywbkb1Yp0nUwZJWtTW0ID7dY9rRiQF5KGj2UDLZotqRlUjyNQgE_hB5BBzICDQdCjQHQoYWE5n_D2wV4PMu7Qg3FVKoBFbf8ee6irodu10fgYxpUIZtvbWw52_6k6A9IoSLSzx_lCcxoVGdW90dUuKhBcZkDtY5WNuQg7MiDthupSL1-V4Y1jmT_7o8tLNGFiocyZfGNw4yGpEOGNvD5WePNit0xsnbj6dEquovUvSFKsMaQXp2PVDEkLOiLMcyk0RrHqrHw2eNSCquWTH8PhX5Up-CVmjQM5zF9ibkaiq8NyPtsy-7rgtbyVMqXBQ',
+      'RS384' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.2_jPwOsUWJ-3r6lXMdJGPdhLNJQSSEmY2mrDXCwNJk-2YhMIqKAzJJCbyso_A1hS7BVkXmHt54RCcNJXroZBOgmGavCcYTPMaT6sCvVVvJJ_wn7jzKHNAJfL5nWeynTQIBWmL-m_v9QpZAgPALdeqjPRv4JHePZm23kvrUgQOxef2ldXv1l6IB3zfF72uEbk9T5pKBvgeeeQ46xm_HtkpXqMdqcTHawUXeXhuiWxuWfy9pAvhm8ivxwJhiQ15-sQNBlS9lG1_gQz1xaZ_Ou_n1nhNfGwpK5HeS0AgmqsqyCOvaGHeAuAOPZ_dSC3cFKu2AP7kc6_AKBgwJzh4agkXg',
+      'RS512' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.abwof7BqTvuLkN69OhEuFTP7vjGzfvAvooQdwIRne_a88MsjCq31n4UPvyIlY9_8u69rpU79RbMsrq_UZ6L85zP83EcyYI-HOfFZgYDAL3DJ7biBD99JTzyOsH_2i_E6yCkevjEX6uL_Am_C7jpWyePJQkYzTFni6mW4W1T9UobiVGA1tIZ-XOJDPHHxZkGu6W8lKW0UCsr9Ge2SCSlTs_LDSOa34gqMC5GP89unhLqSMqEMJ_Nm6Rj0rnmk87wBZM-b04LLteWuEU59QDNa4nMTjfXW74U4hX9n5EECDPQdQMecgxlUbFunAfZaoNzP4m7H4vux2FzYkjkXhdqnnw',
+      'ES256' => '',
+      'ES384' => '',
+      'ES512' => ''
+    }
+  end
+
+  after(:each) do
+    expect(OpenSSL.errors).to be_empty
   end
 
-  it 'encodes and decodes JWTs' do
-    secret = 'secret'
-    jwt = JWT.encode(@payload, secret)
-    decoded_payload = JWT.decode(jwt, secret)
-    expect(decoded_payload).to include(@payload)
-  end
+  context 'alg: NONE' do
+    let(:alg) { 'none' }
 
-  it 'encodes and decodes JWTs for RSA signatures' do
-    private_key = OpenSSL::PKey::RSA.generate(512)
-    jwt = JWT.encode(@payload, private_key, 'RS256')
-    decoded_payload = JWT.decode(jwt, private_key.public_key)
-    expect(decoded_payload).to include(@payload)
-  end
+    it 'should generate a valid token' do
+      token = JWT.encode payload, nil, alg
 
-  it 'encodes and decodes JWTs for ECDSA P-256 signatures' do
-    private_key = OpenSSL::PKey::EC.new('prime256v1')
-    private_key.generate_key
-    public_key = OpenSSL::PKey::EC.new(private_key)
-    public_key.private_key = nil
-    jwt = JWT.encode(@payload, private_key, 'ES256')
-    decoded_payload = JWT.decode(jwt, public_key)
-    expect(decoded_payload).to include(@payload)
-  end
+      expect(token).to eq data['NONE']
+    end
 
-  it 'encodes and decodes JWTs for ECDSA P-384 signatures' do
-    private_key = OpenSSL::PKey::EC.new('secp384r1')
-    private_key.generate_key
-    public_key = OpenSSL::PKey::EC.new(private_key)
-    public_key.private_key = nil
-    jwt = JWT.encode(@payload, private_key, 'ES384')
-    decoded_payload = JWT.decode(jwt, public_key)
-    expect(decoded_payload).to include(@payload)
-  end
+    it 'should decode a valid token' do
+      jwt_payload, header = JWT.decode data['NONE'], nil, false
 
-  it 'encodes and decodes JWTs for ECDSA P-521 signatures' do
-    private_key = OpenSSL::PKey::EC.new('secp521r1')
-    private_key.generate_key
-    public_key = OpenSSL::PKey::EC.new(private_key)
-    public_key.private_key = nil
-    jwt = JWT.encode(@payload, private_key, 'ES512')
-    decoded_payload = JWT.decode(jwt, public_key)
-    expect(decoded_payload).to include(@payload)
+      expect(header['alg']).to eq alg
+      expect(jwt_payload).to eq payload
+    end
   end
 
-  it 'encodes and decodes JWTs with custom header fields' do
-    private_key = OpenSSL::PKey::RSA.generate(512)
-    jwt = JWT.encode(@payload, private_key, 'RS256', 'kid' => 'default')
-    decoded_payload = JWT.decode(jwt) do |header|
-      expect(header['kid']).to eq('default')
-      private_key.public_key
+  %w(HS256 HS384 HS512).each do |alg|
+    context "alg: #{alg}" do
+      it 'should generate a valid token' do
+        token = JWT.encode payload, data[:secret], alg
+
+        expect(token).to eq data[alg]
+      end
+
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data[:secret]
+
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
+
+      it 'wrong secret should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], 'wrong_secret'
+        end.to raise_error JWT::DecodeError
+      end
+
+      it 'wrong secret and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], 'wrong_secret', false
+        end.not_to raise_error
+      end
     end
-    expect(decoded_payload).to include(@payload)
   end
 
-  it 'raises encode exception when ECDSA algorithm does not match key' do
-    private_key = OpenSSL::PKey::EC.new('prime256v1')
-    private_key.generate_key
-    expect do
-      JWT.encode(@payload, private_key, 'ES512')
-    end.to raise_error(JWT::IncorrectAlgorithm, 'payload algorithm is ES512 but ES256 signing key was provided')
-  end
+  %w(RS256 RS384 RS512).each do |alg|
+    context "alg: #{alg}" do
+      it 'should generate a valid token' do
+        token = JWT.encode payload, data[:rsa_private], alg
 
-  it 'decodes valid JWTs' do
-    example_payload = { 'hello' => 'world' }
-    example_secret = 'secret'
-    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.tvagLDLoaiJKxOKqpBXSEGy7SYSifZhjntgm9ctpyj8'
-    decoded_payload = JWT.decode(example_jwt, example_secret)
-    expect(decoded_payload).to include(example_payload)
-  end
+        expect(token).to eq data[alg]
+      end
 
-  it 'decodes valid ES512 JWTs' do
-    example_payload = { 'hello' => 'world' }
-    example_jwt = 'eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkIn0.AQx1MqdTni6KuzfOoedg2-7NUiwe-b88SWbdmviz40GTwrM0Mybp1i1tVtmTSQ91oEXGXBdtwsN6yalzP9J-sp2YATX_Tv4h-BednbdSvYxZsYnUoZ--ZUdL10t7g8Yt3y9hdY_diOjIptcha6ajX8yzkDGYG42iSe3f5LywSuD6FO5c'
-    pubkey_pem = "-----BEGIN PUBLIC KEY-----\nMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAcpkss6wI7PPlxj3t7A1RqMH3nvL4\nL5Tzxze/XeeYZnHqxiX+gle70DlGRMqqOq+PJ6RYX7vK0PJFdiAIXlyPQq0B3KaU\ne86IvFeQSFrJdCc0K8NfiH2G1loIk3fiR+YLqlXk6FAeKtpXJKxR1pCQCAM+vBCs\nmZudf1zCUZ8/4eodlHU=\n-----END PUBLIC KEY-----"
-    pubkey = OpenSSL::PKey::EC.new pubkey_pem
-    decoded_payload = JWT.decode(example_jwt, pubkey)
-    expect(decoded_payload).to include(example_payload)
-  end
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data[:rsa_public]
 
-  it 'decodes valid JWTs with iss' do
-    example_payload = { 'hello' => 'world', 'iss' => 'jwtiss' }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0aXNzIn0.nTZkyYfpGUyKULaj45lXw_1gXXjHvGW4h5V7okHdUqQ'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'iss' => 'jwtiss')
-    expect(decoded_payload).to include(example_payload)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
 
-  context 'issuer claim verifications' do
-    it 'raises invalid issuer when "iss" claim does not match' do
-      example_secret = 'secret'
+      it 'wrong key should raise JWT::DecodeError' do
+        key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
 
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0aXNzIn0.nTZkyYfpGUyKULaj45lXw_1gXXjHvGW4h5V7okHdUqQ'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_iss => true, 'iss' => 'jwt_iss') }.to raise_error(JWT::InvalidIssuerError, /Expected jwt_iss, received jwtiss/)
-    end
+        expect do
+          JWT.decode data[alg], key
+        end.to raise_error JWT::DecodeError
+      end
 
-    it 'raises invalid issuer when "iss" claim is missing in payload' do
-      example_secret = 'secret'
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
 
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0.bqxXg9VwcbXKoiWtp-osd0WKPX307RjcN7EuXbdq-CE'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_iss => true, 'iss' => 'jwt_iss') }.to raise_error(JWT::InvalidIssuerError, /received <none>/)
+        expect do
+          JWT.decode data[alg], key, false
+        end.not_to raise_error
+      end
     end
+  end
 
-    it 'does not raise invalid issuer when verify_iss is set to false (default option)' do
-      example_secret = 'secret'
+  %w(ES256 ES384 ES512).each do |alg|
+    context "alg: #{alg}" do
+      before(:each) do
+        data[alg] = JWT.encode payload, data["#{alg}_private"], alg
+      end
 
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0aXNzIn0.nTZkyYfpGUyKULaj45lXw_1gXXjHvGW4h5V7okHdUqQ'
-      expect { JWT.decode(example_jwt, example_secret, true, 'iss' => 'jwt_iss') }.not_to raise_error
-    end
+      let(:wrong_key) { OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-wrong-public.pem'))) }
 
-    it 'does not raise invalid issuer when correct "iss" is in payload' do
-      example_secret = 'secret'
+      it 'should generate a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"]
 
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0X2lzcyJ9.mwbyRJJZJR1C5lBt8WOLg0ZMuwP9VGDf5HiQtFhd-eA'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_iss => true, 'iss' => 'jwt_iss') }.not_to raise_error
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
+
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"]
+
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
+
+      it 'wrong key should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key
+        end.to raise_error JWT::DecodeError
+      end
+
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key, false
+        end.not_to raise_error
+      end
     end
   end
 
-  it 'decodes valid JWTs with iat' do
-    example_payload = { 'hello' => 'world', 'iat' => 1425917209 }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNDI1OTE3MjA5fQ.m4F-Ugo7aLnLunBBO3BeDidyWMx8T9eoJz6FW2rgQhU'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'iat' => true)
-    expect(decoded_payload).to include(example_payload)
-  end
+  context 'Invalid' do
+    it 'algorithm should raise NotImplementedError' do
+      expect do
+        JWT.encode payload, 'secret', 'HS255'
+      end.to raise_error NotImplementedError
+    end
 
-  it 'raises decode exception when iat is invalid' do
-    # example_payload = {'hello' => 'world', 'iat' => 'abc'}
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoiMTQyNTkxNzIwOSJ9.Mn_vk61xWjIhbXFqAB0nFmNkDiCmfzUgl_LaCKRT6S8'
-    expect { JWT.decode(example_jwt, example_secret, true, :verify_iat => true, 'iat' => 1425917209) }.to raise_error(JWT::InvalidIatError)
-  end
+    it 'ECDSA curve_name should raise JWT::IncorrectAlgorithm' do
+      key = OpenSSL::PKey::EC.new 'secp256k1'
+      key.generate_key
 
-  it 'decodes valid JWTs with jti' do
-    example_payload = { 'hello' => 'world', 'iat' => 1425917209, 'jti' => Digest::MD5.hexdigest('secret:1425917209') }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNDI1OTE3MjA5LCJqdGkiOiI1NWM3NzZlMjFmN2NiZDg3OWMwNmZhYzAxOGRhYzQwMiJ9.ET0hb-VTUOL3M22oG13ofzvGPLMAncbF8rdNDIqo8tg'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'jti' => Digest::MD5.hexdigest('secret:1425917209'))
-    expect(decoded_payload).to include(example_payload)
-  end
+      expect do
+        JWT.encode payload, key, 'ES256'
+      end.to raise_error JWT::IncorrectAlgorithm
 
-  it 'raises decode exception when jti is invalid' do
-    # example_payload = {'hello' => 'world', 'iat' => 1425917209, 'jti' => Digest::MD5.hexdigest('secret:1425917209')}
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNDI1OTE3MjA5LCJqdGkiOiI1NWM3NzZlMjFmN2NiZDg3OWMwNmZhYzAxOGRhYzQwMiJ9.ET0hb-VTUOL3M22oG13ofzvGPLMAncbF8rdNDIqo8tg'
-    expect { JWT.decode(example_jwt, example_secret, true, :verify_jti => true, 'jti' => Digest::MD5.hexdigest('secret:1425922032')) }.to raise_error(JWT::InvalidJtiError)
-    # expect{ JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::InvalidJtiError)
-  end
+      token = JWT.encode payload, data['ES256_private'], 'ES256'
+      key.private_key = nil
 
-  it 'raises decode exception when jti without iat' do
-    # example_payload = {'hello' => 'world', 'jti' => Digest::MD5.hexdigest('secret:1425917209')}
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwianRpIjoiNTVjNzc2ZTIxZjdjYmQ4NzljMDZmYWMwMThkYWM0MDIifQ.n0foJCnCM_-_xUvG_TOmR9mYpL2y0UqZOD_gv33djeE'
-    expect { JWT.decode(example_jwt, example_secret, true, :verify_jti => true, 'jti' => Digest::MD5.hexdigest('secret:1425922032')) }.to raise_error(JWT::InvalidJtiError)
+      expect do
+        JWT.decode token, key
+      end.to raise_error JWT::IncorrectAlgorithm
+    end
   end
 
-  context 'aud claim verifications' do
-    it 'decodes valid JWTs with aud' do
-      example_payload = { 'hello' => 'world', 'aud' => 'url:pnd' }
-      example_payload2 = { 'hello' => 'world', 'aud' => ['url:pnd', 'aud:yes'] }
-      example_secret = 'secret'
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiYXVkIjoidXJsOnBuZCJ9._gT5veUtNiZD7wLEC6Gd0-nkQV3cl1z8G0zXq8qcd-8'
-      example_jwt2 = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiYXVkIjpbInVybDpwbmQiLCJhdWQ6eWVzIl19.qNPNcT4X9B5uI91rIwbW2bIPTsp8wbRYW3jkZkrmqbQ'
-      decoded_payload = JWT.decode(example_jwt, example_secret, true, :verify_aud => true, 'aud' => 'url:pnd')
-      decoded_payload2 = JWT.decode(example_jwt2, example_secret, true, :verify_aud => true, 'aud' => 'url:pnd')
-      expect(decoded_payload).to include(example_payload)
-      expect(decoded_payload2).to include(example_payload2)
-    end
+  context 'Verify' do
+    context 'algorithm' do
+      it 'should raise JWT::IncorrectAlgorithm on missmatch' do
+        token = JWT.encode payload, data[:secret], 'HS512'
+
+        expect do
+          JWT.decode token, data[:secret], true, algorithm: 'HS384'
+        end.to raise_error JWT::IncorrectAlgorithm
 
-    it 'raises deode exception when aud is invalid' do
-      # example_payload = {'hello' => 'world', 'aud' => 'url:pnd'}
-      example_secret = 'secret'
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiYXVkIjoidXJsOnBuZCJ9._gT5veUtNiZD7wLEC6Gd0-nkQV3cl1z8G0zXq8qcd-8'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_aud => true, 'aud' => 'wrong:aud') }.to raise_error(JWT::InvalidAudError)
+        expect do
+          JWT.decode token, data[:secret], true, algorithm: 'HS512'
+        end.not_to raise_error
+      end
     end
 
-    it 'raises deode exception when aud is missing' do
-      # JWT.encode('hello' => 'world', 'secret')
-      example_secret = 'secret'
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0.bqxXg9VwcbXKoiWtp-osd0WKPX307RjcN7EuXbdq-CE'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_aud => true, 'aud' => 'url:pnd') }.to raise_error(JWT::InvalidAudError)
+    context 'expiration claim' do
+      let(:exp) { Time.now.to_i - 5 }
+      let(:leeway) { 10 }
+
+      let :token do
+        payload.merge!(exp: exp)
+
+        JWT.encode payload, data[:secret]
+      end
+
+      it 'old token should raise JWT::ExpiredSignature' do
+        expect do
+          JWT.decode token, data[:secret]
+        end.to raise_error JWT::ExpiredSignature
+      end
+
+      it 'should handle leeway' do
+        expect do
+          JWT.decode token, data[:secret], true, leeway: leeway
+        end.not_to raise_error
+      end
     end
-  end
 
-  it 'decodes valid JWTs with sub' do
-    example_payload = { 'hello' => 'world', 'sub' => 'subject' }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwic3ViIjoic3ViamVjdCJ9.QUnNVZm4SPB4vP2zY9m1LoUSOx-5oGXBhj7R89D_UtA'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'sub' => 'subject')
-    expect(decoded_payload).to include(example_payload)
-  end
+    context 'not before claim' do
+      let(:nbf) { Time.now.to_i + 5 }
+      let(:leeway) { 10 }
 
-  it 'raise decode exception when the sub is invalid'
+      let :token do
+        payload.merge!(nbf: nbf)
 
-  it 'raises decode exception when the token is invalid' do
-    example_secret = 'secret'
-    # Same as above exmaple with some random bytes replaced
-    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHiMomlwIjogIkJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.tvagLDLoaiJKxOKqpBXSEGy7SYSifZhjntgm9ctpyj8'
-    expect { JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::DecodeError)
-  end
+        JWT.encode payload, data[:secret]
+      end
 
-  it 'raises verification exception with wrong hmac key' do
-    right_secret = 'foo'
-    bad_secret = 'bar'
-    jwt_message = JWT.encode(@payload, right_secret, 'HS256')
-    expect { JWT.decode(jwt_message, bad_secret) }.to raise_error(JWT::VerificationError)
-  end
+      it 'future token should raise JWT::ImmatureSignature' do
+        expect do
+          JWT.decode token, data[:secret]
+        end.to raise_error JWT::ImmatureSignature
+      end
 
-  it 'raises decode exception when ECDSA algorithm does not match key' do
-    right_private_key = OpenSSL::PKey::EC.new('prime256v1')
-    right_private_key.generate_key
-    right_public_key = OpenSSL::PKey::EC.new(right_private_key)
-    right_public_key.private_key = nil
-    bad_private_key = OpenSSL::PKey::EC.new('secp384r1')
-    bad_private_key.generate_key
-    bad_public_key = OpenSSL::PKey::EC.new(bad_private_key)
-    bad_public_key.private_key = nil
-    jwt = JWT.encode(@payload, right_private_key, 'ES256')
-    expect do
-      JWT.decode(jwt, bad_public_key)
-    end.to raise_error(JWT::IncorrectAlgorithm, 'payload algorithm is ES256 but ES384 verification key was provided')
-  end
+      it 'should handle leeway' do
+        expect do
+          JWT.decode token, data[:secret], true, leeway: leeway
+        end.not_to raise_error
+      end
+    end
 
-  it 'raises verification exception with wrong rsa key' do
-    right_private_key = OpenSSL::PKey::RSA.generate(512)
-    bad_private_key = OpenSSL::PKey::RSA.generate(512)
-    jwt = JWT.encode(@payload, right_private_key, 'RS256')
-    expect { JWT.decode(jwt, bad_private_key.public_key) }.to raise_error(JWT::VerificationError)
-  end
+    context 'issuer claim' do
+      let(:iss) { 'ruby-jwt-gem' }
+      let(:invalid_token) { JWT.encode payload, data[:secret] }
 
-  it 'raises verification exception with wrong ECDSA key' do
-    right_private_key = OpenSSL::PKey::EC.new('prime256v1')
-    right_private_key.generate_key
-    bad_private_key = OpenSSL::PKey::EC.new('prime256v1')
-    bad_private_key.generate_key
-    bad_public_key = OpenSSL::PKey::EC.new(bad_private_key)
-    bad_public_key.private_key = nil
-    jwt = JWT.encode(@payload, right_private_key, 'ES256')
-    expect { JWT.decode(jwt, bad_public_key) }.to raise_error(JWT::VerificationError)
-  end
+      let :token do
+        iss_payload = payload.merge(iss: iss)
+        JWT.encode iss_payload, data[:secret]
+      end
 
-  it 'raises decode exception with invalid signature' do
-    example_secret = 'secret'
-    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.'
-    expect { JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::DecodeError)
-  end
+      it 'if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError' do
+        expect do
+          JWT.decode token, data[:secret], true, iss: iss
+        end.not_to raise_error
+      end
 
-  it 'raises decode exception with nonexistent header' do
-    expect { JWT.decode('..stuff') }.to raise_error(JWT::DecodeError)
-  end
+      it 'invalid iss should raise JWT::InvalidIssuerError' do
+        expect do
+          JWT.decode token, data[:secret], true, iss: 'wrong-issuer', verify_iss: true
+        end.to raise_error JWT::InvalidIssuerError
+      end
 
-  it 'raises decode exception with nonexistent payload' do
-    expect { JWT.decode('eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9..stuff') }.to raise_error(JWT::DecodeError)
-  end
+      it 'with missing iss claim should raise JWT::InvalidIssuerError' do
+        missing_iss_claim_token = JWT.encode payload, data[:secret]
 
-  it 'raises decode exception with nil jwt' do
-    expect { JWT.decode(nil) }.to raise_error(JWT::DecodeError)
-  end
+        expect do
+          JWT.decode missing_iss_claim_token, data[:secret], true, verify_iss: true, iss: iss
+        end.to raise_error(JWT::InvalidIssuerError, /received <none>/)
+      end
 
-  it 'allows decoding without key' do
-    right_secret = 'foo'
-    bad_secret = 'bar'
-    jwt = JWT.encode(@payload, right_secret)
-    decoded_payload = JWT.decode(jwt, bad_secret, false)
-    expect(decoded_payload).to include(@payload)
-  end
+      it 'valid iss should not raise JWT::InvalidIssuerError' do
+        expect do
+          JWT.decode token, data[:secret], true, iss: iss, verify_iss: true
+        end.not_to raise_error
+      end
+    end
 
-  it 'checks the key when verify is truthy' do
-    right_secret = 'foo'
-    bad_secret = 'bar'
-    jwt = JWT.encode(@payload, right_secret)
-    verify = 'yes' =~ /^y/i
-    expect { JWT.decode(jwt, bad_secret, verify) }.to raise_error(JWT::DecodeError)
-  end
+    context 'issued at claim' do
+      let(:iat) { Time.now.to_i }
+      let(:new_payload) { payload.merge(iat: iat) }
+      let(:token) { JWT.encode new_payload, data[:secret] }
+      let(:invalid_token) { JWT.encode new_payload.merge('iat' => iat + 60), data[:secret] }
+      let(:leeway) { 30 }
+
+      it 'invalid iat should raise JWT::InvalidIatError' do
+        expect do
+          JWT.decode invalid_token, data[:secret], true, verify_iat: true
+        end.to raise_error JWT::InvalidIatError
+      end
 
-  it 'raises exception on unsupported crypto algorithm' do
-    expect { JWT.encode(@payload, 'secret', 'HS1024') }.to raise_error(NotImplementedError)
-  end
+      it 'should accept leeway' do
+        expect do
+          JWT.decode invalid_token, data[:secret], true, verify_iat: true, leeway: 70
+        end.to_not raise_error
+      end
 
-  it 'raises exception when decoded with a different algorithm than it was encoded with' do
-    jwt = JWT.encode(@payload, 'foo', 'HS384')
-    expect { JWT.decode(jwt, 'foo', true, :algorithm => 'HS512') }.to raise_error(JWT::IncorrectAlgorithm)
-  end
+      it 'valid iat should not raise JWT::InvalidIatError' do
+        expect do
+          JWT.decode token, data[:secret], true, verify_iat: true
+        end.to_not raise_error
+      end
+    end
 
-  it 'does not raise exception when encoded with the expected algorithm' do
-    jwt = JWT.encode(@payload, 'foo', 'HS512')
-    JWT.decode(jwt, 'foo', true, :algorithm => 'HS512')
-  end
+    context 'audience claim' do
+      let(:simple_aud) { 'ruby-jwt-audience' }
+      let(:array_aud) { %w(ruby-jwt-aud test-aud ruby-ruby-ruby) }
 
-  it 'encodes and decodes plaintext JWTs' do
-    jwt = JWT.encode(@payload, nil, nil)
-    expect(jwt.split('.').length).to eq(2)
-    decoded_payload = JWT.decode(jwt, nil, nil)
-    expect(decoded_payload).to include(@payload)
-  end
+      let :simple_token do
+        new_payload = payload.merge('aud' => simple_aud)
+        JWT.encode new_payload, data[:secret]
+      end
 
-  it 'requires a signature segment when verify is truthy' do
-    jwt = JWT.encode(@payload, nil, nil)
-    expect(jwt.split('.').length).to eq(2)
-    expect { JWT.decode(jwt, nil, true) }.to raise_error(JWT::DecodeError)
-  end
+      let :array_token do
+        new_payload = payload.merge('aud' => array_aud)
+        JWT.encode new_payload, data[:secret]
+      end
 
-  it 'does not use == to compare digests' do
-    secret = 'secret'
-    jwt = JWT.encode(@payload, secret)
-    crypto_segment = jwt.split('.').last
+      it 'invalid aud should raise JWT::InvalidAudError' do
+        expect do
+          JWT.decode simple_token, data[:secret], true, aud: 'wrong audience', verify_aud: true
+        end.to raise_error JWT::InvalidAudError
 
-    signature = JWT.base64url_decode(crypto_segment)
-    expect(signature).not_to receive('==')
-    expect(JWT).to receive(:base64url_decode).with(crypto_segment).once.and_return(signature)
-    expect(JWT).to receive(:base64url_decode).at_least(:once).and_call_original
+        expect do
+          JWT.decode array_token, data[:secret], true, aud: %w(wrong audience), verify_aud: true
+        end.to raise_error JWT::InvalidAudError
+      end
 
-    JWT.decode(jwt, secret)
-  end
+      it 'valid aud should not raise JWT::InvalidAudError' do
+        expect do
+          JWT.decode simple_token, data[:secret], true, 'aud' => simple_aud, :verify_aud => true
+        end.to_not raise_error
 
-  it 'raises error when expired' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = Time.now.to_i - 1
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ExpiredSignature)
-  end
+        expect do
+          JWT.decode array_token, data[:secret], true, 'aud' => array_aud.first, :verify_aud => true
+        end.to_not raise_error
+      end
+    end
 
-  it 'raise ExpiredSignature even when exp claims is a string' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = (Time.now.to_i).to_s
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ExpiredSignature)
-  end
+    context 'subject claim' do
+      let(:sub) { 'ruby jwt subject' }
 
-  it 'performs normal decode with skipped expiration check' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = Time.now.to_i - 1
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :verify_expiration => false)
-    expect(decoded_payload).to include(expired_payload)
-  end
+      let :token do
+        new_payload = payload.merge('sub' => sub)
+        JWT.encode new_payload, data[:secret]
+      end
 
-  it 'performs normal decode using leeway' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = Time.now.to_i - 2
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :leeway => 3)
-    expect(decoded_payload).to include(expired_payload)
-  end
+      let :invalid_token do
+        new_payload = payload.merge('sub' => 'we are not the druids you are looking for')
+        JWT.encode new_payload, data[:secret]
+      end
 
-  it 'raises error when before nbf' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = Time.now.to_i + 1
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ImmatureSignature)
-  end
+      it 'invalid sub should raise JWT::InvalidSubError' do
+        expect do
+          JWT.decode invalid_token, data[:secret], true, sub: sub, verify_sub: true
+        end.to raise_error JWT::InvalidSubError
+      end
 
-  it 'doesnt raise error when after nbf' do
-    mature_payload = @payload.clone
-    secret = 'secret'
-    jwt = JWT.encode(mature_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :verify_expiration => false)
-    expect(decoded_payload).to include(mature_payload)
-  end
+      it 'valid sub should not raise JWT::InvalidSubError' do
+        expect do
+          JWT.decode token, data[:secret], true, 'sub' => sub, :verify_sub => true
+        end.to_not raise_error
+      end
+    end
 
-  it 'raise ImmatureSignature even when nbf claim is a string' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = (Time.now.to_i).to_s
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ImmatureSignature)
-  end
+    context 'jwt id claim' do
+      let :jti do
+        new_payload = payload.merge('iat' => Time.now.to_i)
+        key = data[:secret]
+        new_payload.merge('jti' => Digest::MD5.hexdigest("#{key}:#{new_payload['iat']}"))
+      end
+
+      let(:token) { JWT.encode jti, data[:secret] }
+
+      let :invalid_token do
+        jti.delete('iat')
+        JWT.encode jti, data[:secret]
+      end
 
-  it 'performs normal decode with skipped not before check' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = Time.now.to_i + 2
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :verify_not_before => false)
-    expect(decoded_payload).to include(immature_payload)
+      it 'invalid jti should raise JWT::InvalidJtiError' do
+        expect do
+          JWT.decode invalid_token, data[:secret], true, :verify_jti => true, 'jti' => jti['jti']
+        end.to raise_error JWT::InvalidJtiError
+      end
+
+      it 'valid jti should not raise JWT::InvalidJtiError' do
+        expect do
+          JWT.decode token, data[:secret], true, verify_jti: true, jti: jti['jti']
+        end.to_not raise_error
+      end
+    end
   end
 
-  it 'performs normal decode using leeway' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = Time.now.to_i - 2
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :leeway => 3)
-    expect(decoded_payload).to include(immature_payload)
+  context 'Base64' do
+    it 'urlsafe replace + / with - _' do
+      allow(Base64).to receive(:encode64) { 'string+with/non+url-safe/characters_' }
+      expect(JWT.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_')
+    end
   end
 
   describe 'secure comparison' do
     it 'returns true if strings are equal' do
-      expect(JWT.secure_compare('Foo', 'Foo')).to be true
+      expect(JWT.secure_compare('Foo', 'Foo')).to eq true
     end
 
     it 'returns false if either input is nil or empty' do
       [nil, ''].each do |bad|
-        expect(JWT.secure_compare(bad, 'Foo')).to be false
-        expect(JWT.secure_compare('Foo', bad)).to be false
+        expect(JWT.secure_compare(bad, 'Foo')).to eq false
+        expect(JWT.secure_compare('Foo', bad)).to eq false
       end
     end
 
     it 'retuns false if the strings are different' do
-      expect(JWT.secure_compare('Foo', 'Bar')).to be false
+      expect(JWT.secure_compare('Foo', 'Bar')).to eq false
     end
   end
 
-  # no method should leave OpenSSL.errors populated
-  after do
-    expect(OpenSSL.errors).to be_empty
-  end
-
-  it 'raise exception on invalid signature' do
-    pubkey = OpenSSL::PKey::RSA.new(<<-PUBKEY)
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCaY7425h964bjaoLeUm
-SlZ8sK7VtVk9zHbGmZh2ygGYwfuUf2bmMye2Ofv99yDE/rd4loVIAcu7RVvDRgHq
-3/CZTnIrSvHsiJQsHBNa3d+F1ihPfzURzf1M5k7CFReBj2SBXhDXd57oRfBQj12w
-CVhhwP6kGTAWuoppbIIIBfNF2lE/Nvm7lVVYQqL9xOrP/AQ4xRbpQlB8Ll9sO9Or
-SvbWhCDa/LMOWxHdmrcJi6XoSg1vnOyCoKbyAoauTt/XqdkHbkDdQ6HFbJieu9il
-LDZZNliPhfENuKeC2MCGVXTEu8Cqhy1w6e4axavLlXoYf4laJIZ/e7au8SqDbY0B
-xwIDAQAB
------END PUBLIC KEY-----
-PUBKEY
-    jwt = (
-      'eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY' \
-      'XVkIjoiMTA2MDM1Nzg5MTY4OC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSI' \
-      'sImNpZCI6IjEwNjAzNTc4OTE2ODguYXBwcy5nb29nbGV1c2VyY29udGVudC5jb' \
-      '20iLCJpZCI6IjExNjQ1MjgyNDMwOTg1Njc4MjE2MyIsInRva2VuX2hhc2giOiJ' \
-      '0Z2hEOUo4bjhWME4ydmN3NmVNaWpnIiwiaWF0IjoxMzIwNjcwOTc4LCJleHAiO' \
-      'jEzMjA2NzQ4Nzh9.D8x_wirkxDElqKdJBcsIws3Ogesk38okz6MN7zqC7nEAA7' \
-      'wcy1PxsROY1fmBvXSer0IQesAqOW-rPOCNReSn-eY8d53ph1x2HAF-AzEi3GOl' \
-      '6hFycH8wj7Su6JqqyEbIVLxE7q7DkAZGaMPkxbTHs1EhSd5_oaKQ6O4xO3ZnnT4'
-    )
-    expect { JWT.decode(jwt, pubkey, true) }.to raise_error(JWT::DecodeError)
-  end
-
-  describe 'urlsafe base64 encoding' do
-    it 'replaces + and / with - and _' do
-      allow(Base64).to receive(:encode64) { 'string+with/non+url-safe/characters_' }
-      expect(JWT.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_')
-    end
-  end
-
-  describe 'decoded_segments' do
-    it 'allows access to the decoded header and payload' do
-      secret = 'secret'
-      jwt = JWT.encode(@payload, secret)
-      decoded_segments = JWT.decoded_segments(jwt)
-      expect(decoded_segments.size).to eq(4)
-      expect(decoded_segments[0]).to eq('typ' => 'JWT', 'alg' => 'HS256')
-      expect(decoded_segments[1]).to eq(@payload)
-    end
-  end
 end