RubyGems - jwt - Versions diffs - 1.5.1 → 2.1.0 - Mend

jwt 1.5.1 → 2.1.0

Files changed (57) hide show

checksums.yaml +4 -4
data/.codeclimate.yml +20 -0
data/.ebert.yml +18 -0
data/.gitignore +11 -0
data/.reek.yml +40 -0
data/.rspec +1 -0
data/.rubocop.yml +98 -0
data/.travis.yml +14 -0
data/CHANGELOG.md +476 -0
data/Gemfile +3 -0
data/LICENSE +7 -0
data/Manifest +3 -1
data/README.md +478 -0
data/Rakefile +8 -15
data/lib/jwt/algos/ecdsa.rb +35 -0
data/lib/jwt/algos/eddsa.rb +23 -0
data/lib/jwt/algos/hmac.rb +33 -0
data/lib/jwt/algos/rsa.rb +19 -0
data/lib/jwt/algos/unsupported.rb +16 -0
data/lib/jwt/decode.rb +49 -0
data/lib/jwt/default_options.rb +15 -0
data/lib/jwt/encode.rb +51 -0
data/lib/jwt/error.rb +16 -0
data/lib/jwt/security_utils.rb +51 -0
data/lib/jwt/signature.rb +50 -0
data/lib/jwt/verify.rb +102 -0
data/lib/jwt/version.rb +24 -0
data/lib/jwt.rb +33 -203
data/ruby-jwt.gemspec +31 -0
data/spec/fixtures/certs/ec256-private.pem +8 -0
data/spec/fixtures/certs/ec256-public.pem +4 -0
data/spec/fixtures/certs/ec256-wrong-private.pem +8 -0
data/spec/fixtures/certs/ec256-wrong-public.pem +4 -0
data/spec/fixtures/certs/ec384-private.pem +9 -0
data/spec/fixtures/certs/ec384-public.pem +5 -0
data/spec/fixtures/certs/ec384-wrong-private.pem +9 -0
data/spec/fixtures/certs/ec384-wrong-public.pem +5 -0
data/spec/fixtures/certs/ec512-private.pem +10 -0
data/spec/fixtures/certs/ec512-public.pem +6 -0
data/spec/fixtures/certs/ec512-wrong-private.pem +10 -0
data/spec/fixtures/certs/ec512-wrong-public.pem +6 -0
data/spec/fixtures/certs/rsa-1024-private.pem +15 -0
data/spec/fixtures/certs/rsa-1024-public.pem +6 -0
data/spec/fixtures/certs/rsa-2048-private.pem +27 -0
data/spec/fixtures/certs/rsa-2048-public.pem +9 -0
data/spec/fixtures/certs/rsa-2048-wrong-private.pem +27 -0
data/spec/fixtures/certs/rsa-2048-wrong-public.pem +9 -0
data/spec/fixtures/certs/rsa-4096-private.pem +51 -0
data/spec/fixtures/certs/rsa-4096-public.pem +14 -0
data/spec/integration/readme_examples_spec.rb +202 -0
data/spec/jwt/verify_spec.rb +232 -0
data/spec/jwt_spec.rb +236 -384
data/spec/spec_helper.rb +28 -0
metadata +187 -26
data/jwt.gemspec +0 -34
data/lib/jwt/json.rb +0 -32
data/spec/helper.rb +0 -19

data/spec/jwt_spec.rb CHANGED Viewed

@@ -1,463 +1,315 @@
-# encoding: utf-8
-require 'helper'
+require 'spec_helper'
+require 'jwt'
+require 'jwt/encode'
+require 'jwt/decode'
 describe JWT do
-  before do
-    @payload = { 'foo' => 'bar', 'exp' => Time.now.to_i + 1, 'nbf' => Time.now.to_i - 1 }
-  end
-  it 'encodes and decodes JWTs' do
-    secret = 'secret'
-    jwt = JWT.encode(@payload, secret)
-    decoded_payload = JWT.decode(jwt, secret)
-    expect(decoded_payload).to include(@payload)
-  end
-  it 'encodes and decodes JWTs for RSA signatures' do
-    private_key = OpenSSL::PKey::RSA.generate(512)
-    jwt = JWT.encode(@payload, private_key, 'RS256')
-    decoded_payload = JWT.decode(jwt, private_key.public_key)
-    expect(decoded_payload).to include(@payload)
-  end
-  it 'encodes and decodes JWTs for ECDSA P-256 signatures' do
-    private_key = OpenSSL::PKey::EC.new('prime256v1')
-    private_key.generate_key
-    public_key = OpenSSL::PKey::EC.new(private_key)
-    public_key.private_key = nil
-    jwt = JWT.encode(@payload, private_key, 'ES256')
-    decoded_payload = JWT.decode(jwt, public_key)
-    expect(decoded_payload).to include(@payload)
+  let(:payload) { { 'user_id' => 'some@user.tld' } }
+  let :data do
+    {
+      :secret => 'My$ecretK3y',
+      :rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-private.pem'))),
+      :rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-public.pem'))),
+      :wrong_rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
+      :wrong_rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
+      'ES256_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-private.pem'))),
+      'ES256_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-public.pem'))),
+      'ES384_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-private.pem'))),
+      'ES384_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-public.pem'))),
+      'ES512_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-private.pem'))),
+      'ES512_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-public.pem'))),
+      'ED25519_private' =>  RbNaCl::Signatures::Ed25519::SigningKey.new('abcdefghijklmnopqrstuvwxyzABCDEF'),
+      'ED25519_public' => RbNaCl::Signatures::Ed25519::SigningKey.new('abcdefghijklmnopqrstuvwxyzABCDEF').verify_key,
+      'NONE' => 'eyJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.',
+      'HS256' => 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.kWOVtIOpWcG7JnyJG0qOkTDbOy636XrrQhMm_8JrRQ8',
+      'HS512256' => 'eyJhbGciOiJIUzUxMjI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Ds_4ibvf7z4QOBoKntEjDfthy3WJ-3rKMspTEcHE2bA',
+      'HS384' => 'eyJhbGciOiJIUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.VuV4j4A1HKhWxCNzEcwc9qVF3frrEu-BRLzvYPkbWO0LENRGy5dOiBQ34remM3XH',
+      'HS512' => 'eyJhbGciOiJIUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.8zNtCBTJIZTHpZ-BkhR-6sZY1K85Nm5YCKqV3AxRdsBJDt_RR-REH2db4T3Y0uQwNknhrCnZGvhNHrvhDwV1kA',
+      'RS256' => 'eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.eSXvWP4GViiwUALj_-qTxU68I1oM0XjgDsCZBBUri2Ghh9d75QkVDoZ_v872GaqunN5A5xcnBK0-cOq-CR6OwibgJWfOt69GNzw5RrOfQ2mz3QI3NYEq080nF69h8BeqkiaXhI24Q51joEgfa9aj5Y-oitLAmtDPYTm7vTcdGufd6AwD3_3jajKBwkh0LPSeMtbe_5EyS94nFoEF9OQuhJYjUmp7agsBVa8FFEjVw5jEgVqkvERSj5hSY4nEiCAomdVxIKBfykyi0d12cgjhI7mBFwWkPku8XIPGZ7N8vpiSLdM68BnUqIK5qR7NAhtvT7iyLFgOqhZNUQ6Ret5VpQ',
+      'RS384' => 'eyJhbGciOiJSUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Sfgk56moPghtsjaP4so6tOy3I553mgwX-5gByMC6dX8lpeWgsxSeAd_K8IyO7u4lwYOL0DSftnqO1HEOuN1AKyBbDvaTXz3u2xNA2x4NYLdW4AZA6ritbYcKLO5BHTXw5ueMbtA1jjGXP0zI_aK2iJTMBmB8SCF88RYBUH01Tyf4PlLj98pGL-v3prZd6kZkIeRJ3326h04hslcB5HQKmgeBk24QNLIoIC-CD329HPjJ7TtGx01lj-ehTBnwVbBGzYFAyoalV5KgvL_MDOfWPr1OYHnR5s_Fm6_3Vg4u6lBljvHOrmv4Nfx7d8HLgbo8CwH4qn1wm6VQCtuDd-uhRg',
+      'RS512' => 'eyJhbGciOiJSUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.LIIAUEuCkGNdpYguOO5LoW4rZ7ED2POJrB0pmEAAchyTdIK4HKh1jcLxc6KyGwZv40njCgub3y72q6vcQTn7oD0zWFCVQRIDW1911Ii2hRNHuigiPUnrnZh1OQ6z65VZRU6GKs8omoBGU9vrClBU0ODqYE16KxYmE_0n4Xw2h3D_L1LF0IAOtDWKBRDa3QHwZRM9sHsHNsBuD5ye9KzDYN1YALXj64LBfA-DoCKfpVAm9NkRPOyzjR2X2C3TomOSJgqWIVHJucudKDDAZyEbO4RA5pI-UFYy1370p9bRajvtDyoBuLDCzoSkMyQ4L2DnLhx5CbWcnD7Cd3GUmnjjTA',
+      'ES256' => '',
+      'ES384' => '',
+      'ES512' => ''
+    }
+  end
+  after(:each) do
+    expect(OpenSSL.errors).to be_empty
   end
-  it 'encodes and decodes JWTs for ECDSA P-384 signatures' do
-    private_key = OpenSSL::PKey::EC.new('secp384r1')
-    private_key.generate_key
-    public_key = OpenSSL::PKey::EC.new(private_key)
-    public_key.private_key = nil
-    jwt = JWT.encode(@payload, private_key, 'ES384')
-    decoded_payload = JWT.decode(jwt, public_key)
-    expect(decoded_payload).to include(@payload)
-  end
+  context 'alg: NONE' do
+    let(:alg) { 'none' }
-  it 'encodes and decodes JWTs for ECDSA P-521 signatures' do
-    private_key = OpenSSL::PKey::EC.new('secp521r1')
-    private_key.generate_key
-    public_key = OpenSSL::PKey::EC.new(private_key)
-    public_key.private_key = nil
-    jwt = JWT.encode(@payload, private_key, 'ES512')
-    decoded_payload = JWT.decode(jwt, public_key)
-    expect(decoded_payload).to include(@payload)
-  end
+    it 'should generate a valid token' do
+      token = JWT.encode payload, nil, alg
-  it 'encodes and decodes JWTs with custom header fields' do
-    private_key = OpenSSL::PKey::RSA.generate(512)
-    jwt = JWT.encode(@payload, private_key, 'RS256', 'kid' => 'default')
-    decoded_payload = JWT.decode(jwt) do |header|
-      expect(header['kid']).to eq('default')
-      private_key.public_key
+      expect(token).to eq data['NONE']
     end
-    expect(decoded_payload).to include(@payload)
-  end
-  it 'raises encode exception when ECDSA algorithm does not match key' do
-    private_key = OpenSSL::PKey::EC.new('prime256v1')
-    private_key.generate_key
-    expect do
-      JWT.encode(@payload, private_key, 'ES512')
-    end.to raise_error(JWT::IncorrectAlgorithm, 'payload algorithm is ES512 but ES256 signing key was provided')
-  end
+    it 'should decode a valid token' do
+      jwt_payload, header = JWT.decode data['NONE'], nil, false
-  it 'decodes valid JWTs' do
-    example_payload = { 'hello' => 'world' }
-    example_secret = 'secret'
-    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.tvagLDLoaiJKxOKqpBXSEGy7SYSifZhjntgm9ctpyj8'
-    decoded_payload = JWT.decode(example_jwt, example_secret)
-    expect(decoded_payload).to include(example_payload)
-  end
+      expect(header['alg']).to eq alg
+      expect(jwt_payload).to eq payload
+    end
-  it 'decodes valid ES512 JWTs' do
-    example_payload = { 'hello' => 'world' }
-    example_jwt = 'eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkIn0.AQx1MqdTni6KuzfOoedg2-7NUiwe-b88SWbdmviz40GTwrM0Mybp1i1tVtmTSQ91oEXGXBdtwsN6yalzP9J-sp2YATX_Tv4h-BednbdSvYxZsYnUoZ--ZUdL10t7g8Yt3y9hdY_diOjIptcha6ajX8yzkDGYG42iSe3f5LywSuD6FO5c'
-    pubkey_pem = "-----BEGIN PUBLIC KEY-----\nMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAcpkss6wI7PPlxj3t7A1RqMH3nvL4\nL5Tzxze/XeeYZnHqxiX+gle70DlGRMqqOq+PJ6RYX7vK0PJFdiAIXlyPQq0B3KaU\ne86IvFeQSFrJdCc0K8NfiH2G1loIk3fiR+YLqlXk6FAeKtpXJKxR1pCQCAM+vBCs\nmZudf1zCUZ8/4eodlHU=\n-----END PUBLIC KEY-----"
-    pubkey = OpenSSL::PKey::EC.new pubkey_pem
-    decoded_payload = JWT.decode(example_jwt, pubkey)
-    expect(decoded_payload).to include(example_payload)
-  end
+    it 'should display a better error message if payload exp is_a?(Time)' do
+      payload['exp'] = Time.now
-  it 'decodes valid JWTs with iss' do
-    example_payload = { 'hello' => 'world', 'iss' => 'jwtiss' }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0aXNzIn0.nTZkyYfpGUyKULaj45lXw_1gXXjHvGW4h5V7okHdUqQ'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'iss' => 'jwtiss')
-    expect(decoded_payload).to include(example_payload)
-  end
+      expect do
+        JWT.encode payload, nil, alg
+      end.to raise_error JWT::InvalidPayload
+    end
-  context 'issuer claim verifications' do
-    it 'raises invalid issuer when "iss" claim does not match' do
-      example_secret = 'secret'
+    it 'should display a better error message if payload exp is not an Integer' do
+      payload['exp'] = Time.now.to_i.to_s
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0aXNzIn0.nTZkyYfpGUyKULaj45lXw_1gXXjHvGW4h5V7okHdUqQ'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_iss => true, 'iss' => 'jwt_iss') }.to raise_error(JWT::InvalidIssuerError, /Expected jwt_iss, received jwtiss/)
+      expect do
+        JWT.encode payload, nil, alg
+      end.to raise_error JWT::InvalidPayload
     end
+  end
-    it 'raises invalid issuer when "iss" claim is missing in payload' do
-      example_secret = 'secret'
+  %w[HS256 HS512256 HS384 HS512].each do |alg|
+    context "alg: #{alg}" do
+      it 'should generate a valid token' do
+        token = JWT.encode payload, data[:secret], alg
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0.bqxXg9VwcbXKoiWtp-osd0WKPX307RjcN7EuXbdq-CE'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_iss => true, 'iss' => 'jwt_iss') }.to raise_error(JWT::InvalidIssuerError, /received <none>/)
-    end
+        expect(token).to eq data[alg]
+      end
-    it 'does not raise invalid issuer when verify_iss is set to false (default option)' do
-      example_secret = 'secret'
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data[:secret], true, algorithm: alg
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0aXNzIn0.nTZkyYfpGUyKULaj45lXw_1gXXjHvGW4h5V7okHdUqQ'
-      expect { JWT.decode(example_jwt, example_secret, true, 'iss' => 'jwt_iss') }.not_to raise_error
-    end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-    it 'does not raise invalid issuer when correct "iss" is in payload' do
-      example_secret = 'secret'
+      it 'wrong secret should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], 'wrong_secret', true, algorithm: alg
+        end.to raise_error JWT::VerificationError
+      end
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0X2lzcyJ9.mwbyRJJZJR1C5lBt8WOLg0ZMuwP9VGDf5HiQtFhd-eA'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_iss => true, 'iss' => 'jwt_iss') }.not_to raise_error
+      it 'wrong secret and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], 'wrong_secret', false
+        end.not_to raise_error
+      end
     end
   end
-  it 'decodes valid JWTs with iat' do
-    example_payload = { 'hello' => 'world', 'iat' => 1425917209 }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNDI1OTE3MjA5fQ.m4F-Ugo7aLnLunBBO3BeDidyWMx8T9eoJz6FW2rgQhU'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'iat' => true)
-    expect(decoded_payload).to include(example_payload)
-  end
+  %w[RS256 RS384 RS512].each do |alg|
+    context "alg: #{alg}" do
+      it 'should generate a valid token' do
+        token = JWT.encode payload, data[:rsa_private], alg
-  it 'raises decode exception when iat is invalid' do
-    # example_payload = {'hello' => 'world', 'iat' => 'abc'}
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoiMTQyNTkxNzIwOSJ9.Mn_vk61xWjIhbXFqAB0nFmNkDiCmfzUgl_LaCKRT6S8'
-    expect { JWT.decode(example_jwt, example_secret, true, :verify_iat => true, 'iat' => 1425917209) }.to raise_error(JWT::InvalidIatError)
-  end
+        expect(token).to eq data[alg]
+      end
-  it 'decodes valid JWTs with jti' do
-    example_payload = { 'hello' => 'world', 'iat' => 1425917209, 'jti' => Digest::MD5.hexdigest('secret:1425917209') }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNDI1OTE3MjA5LCJqdGkiOiI1NWM3NzZlMjFmN2NiZDg3OWMwNmZhYzAxOGRhYzQwMiJ9.ET0hb-VTUOL3M22oG13ofzvGPLMAncbF8rdNDIqo8tg'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'jti' => Digest::MD5.hexdigest('secret:1425917209'))
-    expect(decoded_payload).to include(example_payload)
-  end
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data[:rsa_public], true, algorithm: alg
-  it 'raises decode exception when jti is invalid' do
-    # example_payload = {'hello' => 'world', 'iat' => 1425917209, 'jti' => Digest::MD5.hexdigest('secret:1425917209')}
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNDI1OTE3MjA5LCJqdGkiOiI1NWM3NzZlMjFmN2NiZDg3OWMwNmZhYzAxOGRhYzQwMiJ9.ET0hb-VTUOL3M22oG13ofzvGPLMAncbF8rdNDIqo8tg'
-    expect { JWT.decode(example_jwt, example_secret, true, :verify_jti => true, 'jti' => Digest::MD5.hexdigest('secret:1425922032')) }.to raise_error(JWT::InvalidJtiError)
-    # expect{ JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::InvalidJtiError)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'raises decode exception when jti without iat' do
-    # example_payload = {'hello' => 'world', 'jti' => Digest::MD5.hexdigest('secret:1425917209')}
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwianRpIjoiNTVjNzc2ZTIxZjdjYmQ4NzljMDZmYWMwMThkYWM0MDIifQ.n0foJCnCM_-_xUvG_TOmR9mYpL2y0UqZOD_gv33djeE'
-    expect { JWT.decode(example_jwt, example_secret, true, :verify_jti => true, 'jti' => Digest::MD5.hexdigest('secret:1425922032')) }.to raise_error(JWT::InvalidJtiError)
-  end
+      it 'wrong key should raise JWT::DecodeError' do
+        key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
-  context 'aud claim verifications' do
-    it 'decodes valid JWTs with aud' do
-      example_payload = { 'hello' => 'world', 'aud' => 'url:pnd' }
-      example_payload2 = { 'hello' => 'world', 'aud' => ['url:pnd', 'aud:yes'] }
-      example_secret = 'secret'
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiYXVkIjoidXJsOnBuZCJ9._gT5veUtNiZD7wLEC6Gd0-nkQV3cl1z8G0zXq8qcd-8'
-      example_jwt2 = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiYXVkIjpbInVybDpwbmQiLCJhdWQ6eWVzIl19.qNPNcT4X9B5uI91rIwbW2bIPTsp8wbRYW3jkZkrmqbQ'
-      decoded_payload = JWT.decode(example_jwt, example_secret, true, :verify_aud => true, 'aud' => 'url:pnd')
-      decoded_payload2 = JWT.decode(example_jwt2, example_secret, true, :verify_aud => true, 'aud' => 'url:pnd')
-      expect(decoded_payload).to include(example_payload)
-      expect(decoded_payload2).to include(example_payload2)
-    end
+        expect do
+          JWT.decode data[alg], key, true, algorithm: alg
+        end.to raise_error JWT::DecodeError
+      end
-    it 'raises deode exception when aud is invalid' do
-      # example_payload = {'hello' => 'world', 'aud' => 'url:pnd'}
-      example_secret = 'secret'
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiYXVkIjoidXJsOnBuZCJ9._gT5veUtNiZD7wLEC6Gd0-nkQV3cl1z8G0zXq8qcd-8'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_aud => true, 'aud' => 'wrong:aud') }.to raise_error(JWT::InvalidAudError)
-    end
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
-    it 'raises deode exception when aud is missing' do
-      # JWT.encode('hello' => 'world', 'secret')
-      example_secret = 'secret'
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0.bqxXg9VwcbXKoiWtp-osd0WKPX307RjcN7EuXbdq-CE'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_aud => true, 'aud' => 'url:pnd') }.to raise_error(JWT::InvalidAudError)
+        expect do
+          JWT.decode data[alg], key, false
+        end.not_to raise_error
+      end
     end
   end
-  it 'decodes valid JWTs with sub' do
-    example_payload = { 'hello' => 'world', 'sub' => 'subject' }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwic3ViIjoic3ViamVjdCJ9.QUnNVZm4SPB4vP2zY9m1LoUSOx-5oGXBhj7R89D_UtA'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'sub' => 'subject')
-    expect(decoded_payload).to include(example_payload)
-  end
-  it 'raise decode exception when the sub is invalid'
+  %w[ED25519].each do |alg|
+    context "alg: #{alg}" do
+      before(:each) do
+        data[alg] = JWT.encode payload, data["#{alg}_private"], alg
+      end
-  it 'raises decode exception when the token is invalid' do
-    example_secret = 'secret'
-    # Same as above exmaple with some random bytes replaced
-    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHiMomlwIjogIkJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.tvagLDLoaiJKxOKqpBXSEGy7SYSifZhjntgm9ctpyj8'
-    expect { JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::DecodeError)
-  end
+      let(:wrong_key) { OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-wrong-public.pem'))) }
-  it 'raises verification exception with wrong hmac key' do
-    right_secret = 'foo'
-    bad_secret = 'bar'
-    jwt_message = JWT.encode(@payload, right_secret, 'HS256')
-    expect { JWT.decode(jwt_message, bad_secret) }.to raise_error(JWT::VerificationError)
-  end
+      it 'should generate a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-  it 'raises decode exception when ECDSA algorithm does not match key' do
-    right_private_key = OpenSSL::PKey::EC.new('prime256v1')
-    right_private_key.generate_key
-    right_public_key = OpenSSL::PKey::EC.new(right_private_key)
-    right_public_key.private_key = nil
-    bad_private_key = OpenSSL::PKey::EC.new('secp384r1')
-    bad_private_key.generate_key
-    bad_public_key = OpenSSL::PKey::EC.new(bad_private_key)
-    bad_public_key.private_key = nil
-    jwt = JWT.encode(@payload, right_private_key, 'ES256')
-    expect do
-      JWT.decode(jwt, bad_public_key)
-    end.to raise_error(JWT::IncorrectAlgorithm, 'payload algorithm is ES256 but ES384 verification key was provided')
-  end
-  it 'raises verification exception with wrong rsa key' do
-    right_private_key = OpenSSL::PKey::RSA.generate(512)
-    bad_private_key = OpenSSL::PKey::RSA.generate(512)
-    jwt = JWT.encode(@payload, right_private_key, 'RS256')
-    expect { JWT.decode(jwt, bad_private_key.public_key) }.to raise_error(JWT::VerificationError)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'raises verification exception with wrong ECDSA key' do
-    right_private_key = OpenSSL::PKey::EC.new('prime256v1')
-    right_private_key.generate_key
-    bad_private_key = OpenSSL::PKey::EC.new('prime256v1')
-    bad_private_key.generate_key
-    bad_public_key = OpenSSL::PKey::EC.new(bad_private_key)
-    bad_public_key.private_key = nil
-    jwt = JWT.encode(@payload, right_private_key, 'ES256')
-    expect { JWT.decode(jwt, bad_public_key) }.to raise_error(JWT::VerificationError)
-  end
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-  it 'raises decode exception with invalid signature' do
-    example_secret = 'secret'
-    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.'
-    expect { JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::DecodeError)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'raises decode exception with nonexistent header' do
-    expect { JWT.decode('..stuff') }.to raise_error(JWT::DecodeError)
-  end
+      it 'wrong key should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key
+        end.to raise_error JWT::DecodeError
+      end
-  it 'raises decode exception with nonexistent payload' do
-    expect { JWT.decode('eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9..stuff') }.to raise_error(JWT::DecodeError)
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key, false
+        end.not_to raise_error
+      end
+    end
   end
+  %w[ES256 ES384 ES512].each do |alg|
+    context "alg: #{alg}" do
+      before(:each) do
+        data[alg] = JWT.encode payload, data["#{alg}_private"], alg
+      end
-  it 'raises decode exception with nil jwt' do
-    expect { JWT.decode(nil) }.to raise_error(JWT::DecodeError)
-  end
+      let(:wrong_key) { OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-wrong-public.pem'))) }
-  it 'allows decoding without key' do
-    right_secret = 'foo'
-    bad_secret = 'bar'
-    jwt = JWT.encode(@payload, right_secret)
-    decoded_payload = JWT.decode(jwt, bad_secret, false)
-    expect(decoded_payload).to include(@payload)
-  end
+      it 'should generate a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-  it 'checks the key when verify is truthy' do
-    right_secret = 'foo'
-    bad_secret = 'bar'
-    jwt = JWT.encode(@payload, right_secret)
-    verify = 'yes' =~ /^y/i
-    expect { JWT.decode(jwt, bad_secret, verify) }.to raise_error(JWT::DecodeError)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'raises exception on unsupported crypto algorithm' do
-    expect { JWT.encode(@payload, 'secret', 'HS1024') }.to raise_error(NotImplementedError)
-  end
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-  it 'raises exception when decoded with a different algorithm than it was encoded with' do
-    jwt = JWT.encode(@payload, 'foo', 'HS384')
-    expect { JWT.decode(jwt, 'foo', true, :algorithm => 'HS512') }.to raise_error(JWT::IncorrectAlgorithm)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'does not raise exception when encoded with the expected algorithm' do
-    jwt = JWT.encode(@payload, 'foo', 'HS512')
-    JWT.decode(jwt, 'foo', true, :algorithm => 'HS512')
-  end
+      it 'wrong key should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key
+        end.to raise_error JWT::DecodeError
+      end
-  it 'encodes and decodes plaintext JWTs' do
-    jwt = JWT.encode(@payload, nil, nil)
-    expect(jwt.split('.').length).to eq(2)
-    decoded_payload = JWT.decode(jwt, nil, nil)
-    expect(decoded_payload).to include(@payload)
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key, false
+        end.not_to raise_error
+      end
+    end
   end
-  it 'requires a signature segment when verify is truthy' do
-    jwt = JWT.encode(@payload, nil, nil)
-    expect(jwt.split('.').length).to eq(2)
-    expect { JWT.decode(jwt, nil, true) }.to raise_error(JWT::DecodeError)
-  end
+  context 'Invalid' do
+    it 'algorithm should raise NotImplementedError' do
+      expect do
+        JWT.encode payload, 'secret', 'HS255'
+      end.to raise_error NotImplementedError
+    end
-  it 'does not use == to compare digests' do
-    secret = 'secret'
-    jwt = JWT.encode(@payload, secret)
-    crypto_segment = jwt.split('.').last
+    it 'ECDSA curve_name should raise JWT::IncorrectAlgorithm' do
+      key = OpenSSL::PKey::EC.new 'secp256k1'
+      key.generate_key
-    signature = JWT.base64url_decode(crypto_segment)
-    expect(signature).not_to receive('==')
-    expect(JWT).to receive(:base64url_decode).with(crypto_segment).once.and_return(signature)
-    expect(JWT).to receive(:base64url_decode).at_least(:once).and_call_original
+      expect do
+        JWT.encode payload, key, 'ES256'
+      end.to raise_error JWT::IncorrectAlgorithm
-    JWT.decode(jwt, secret)
-  end
+      token = JWT.encode payload, data['ES256_private'], 'ES256'
+      key.private_key = nil
-  it 'raises error when expired' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = Time.now.to_i - 1
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ExpiredSignature)
+      expect do
+        JWT.decode token, key
+      end.to raise_error JWT::IncorrectAlgorithm
+    end
   end
-  it 'raise ExpiredSignature even when exp claims is a string' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = (Time.now.to_i).to_s
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ExpiredSignature)
-  end
+  context 'Verify' do
+    context 'algorithm' do
+      it 'should raise JWT::IncorrectAlgorithm on mismatch' do
+        token = JWT.encode payload, data[:secret], 'HS256'
-  it 'performs normal decode with skipped expiration check' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = Time.now.to_i - 1
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :verify_expiration => false)
-    expect(decoded_payload).to include(expired_payload)
-  end
+        expect do
+          JWT.decode token, data[:secret], true, algorithm: 'HS384'
+        end.to raise_error JWT::IncorrectAlgorithm
-  it 'performs normal decode using leeway' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = Time.now.to_i - 2
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :leeway => 3)
-    expect(decoded_payload).to include(expired_payload)
-  end
+        expect do
+          JWT.decode token, data[:secret], true, algorithm: 'HS256'
+        end.not_to raise_error
+      end
-  it 'raises error when before nbf' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = Time.now.to_i + 1
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ImmatureSignature)
-  end
+      it 'should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm' do
+        token = JWT.encode payload, data[:secret], 'HS512'
-  it 'doesnt raise error when after nbf' do
-    mature_payload = @payload.clone
-    secret = 'secret'
-    jwt = JWT.encode(mature_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :verify_expiration => false)
-    expect(decoded_payload).to include(mature_payload)
-  end
+        expect do
+          JWT.decode token, data[:secret], true, algorithms: ['HS384']
+        end.to raise_error JWT::IncorrectAlgorithm
-  it 'raise ImmatureSignature even when nbf claim is a string' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = (Time.now.to_i).to_s
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ImmatureSignature)
-  end
+        expect do
+          JWT.decode token, data[:secret], true, algorithms: ['HS512', 'HS384']
+        end.not_to raise_error
+      end
-  it 'performs normal decode with skipped not before check' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = Time.now.to_i + 2
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :verify_not_before => false)
-    expect(decoded_payload).to include(immature_payload)
-  end
+      context 'no algorithm provided' do
+        it 'should use the default decode algorithm' do
+          token = JWT.encode payload, data[:rsa_public].to_s
-  it 'performs normal decode using leeway' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = Time.now.to_i - 2
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :leeway => 3)
-    expect(decoded_payload).to include(immature_payload)
-  end
+          jwt_payload, header = JWT.decode token, data[:rsa_public].to_s
-  describe 'secure comparison' do
-    it 'returns true if strings are equal' do
-      expect(JWT.secure_compare('Foo', 'Foo')).to be true
+          expect(header['alg']).to eq 'HS256'
+          expect(jwt_payload).to eq payload
+        end
+      end
     end
-    it 'returns false if either input is nil or empty' do
-      [nil, ''].each do |bad|
-        expect(JWT.secure_compare(bad, 'Foo')).to be false
-        expect(JWT.secure_compare('Foo', bad)).to be false
+    context 'issuer claim' do
+      let(:iss) { 'ruby-jwt-gem' }
+      let(:invalid_token) { JWT.encode payload, data[:secret] }
+      let :token do
+        iss_payload = payload.merge(iss: iss)
+        JWT.encode iss_payload, data[:secret]
       end
-    end
-    it 'retuns false if the strings are different' do
-      expect(JWT.secure_compare('Foo', 'Bar')).to be false
+      it 'if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError' do
+        expect do
+          JWT.decode token, data[:secret], true, iss: iss, algorithm: 'HS256'
+        end.not_to raise_error
+      end
     end
   end
-  # no method should leave OpenSSL.errors populated
-  after do
-    expect(OpenSSL.errors).to be_empty
+  context 'Base64' do
+    it 'urlsafe replace + / with - _' do
+      allow(Base64).to receive(:encode64) { 'string+with/non+url-safe/characters_' }
+      expect(JWT::Encode.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_')
+    end
   end
-  it 'raise exception on invalid signature' do
-    pubkey = OpenSSL::PKey::RSA.new(<<-PUBKEY)
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCaY7425h964bjaoLeUm
-SlZ8sK7VtVk9zHbGmZh2ygGYwfuUf2bmMye2Ofv99yDE/rd4loVIAcu7RVvDRgHq
-3/CZTnIrSvHsiJQsHBNa3d+F1ihPfzURzf1M5k7CFReBj2SBXhDXd57oRfBQj12w
-CVhhwP6kGTAWuoppbIIIBfNF2lE/Nvm7lVVYQqL9xOrP/AQ4xRbpQlB8Ll9sO9Or
-SvbWhCDa/LMOWxHdmrcJi6XoSg1vnOyCoKbyAoauTt/XqdkHbkDdQ6HFbJieu9il
-LDZZNliPhfENuKeC2MCGVXTEu8Cqhy1w6e4axavLlXoYf4laJIZ/e7au8SqDbY0B
-xwIDAQAB
------END PUBLIC KEY-----
-PUBKEY
-    jwt = (
-      'eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY' \
-      'XVkIjoiMTA2MDM1Nzg5MTY4OC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSI' \
-      'sImNpZCI6IjEwNjAzNTc4OTE2ODguYXBwcy5nb29nbGV1c2VyY29udGVudC5jb' \
-      '20iLCJpZCI6IjExNjQ1MjgyNDMwOTg1Njc4MjE2MyIsInRva2VuX2hhc2giOiJ' \
-      '0Z2hEOUo4bjhWME4ydmN3NmVNaWpnIiwiaWF0IjoxMzIwNjcwOTc4LCJleHAiO' \
-      'jEzMjA2NzQ4Nzh9.D8x_wirkxDElqKdJBcsIws3Ogesk38okz6MN7zqC7nEAA7' \
-      'wcy1PxsROY1fmBvXSer0IQesAqOW-rPOCNReSn-eY8d53ph1x2HAF-AzEi3GOl' \
-      '6hFycH8wj7Su6JqqyEbIVLxE7q7DkAZGaMPkxbTHs1EhSd5_oaKQ6O4xO3ZnnT4'
-    )
-    expect { JWT.decode(jwt, pubkey, true) }.to raise_error(JWT::DecodeError)
+  it 'should not verify token even if the payload has claims' do
+    head = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9'
+    load = 'eyJ1c2VyX2lkIjo1NCwiZXhwIjoxNTA0MzkwODA0fQ'
+    sign = 'Skpi6FfYMbZ-DwW9ocyRIosNMdPMAIWRLYxRO68GTQk'
+    expect do
+      JWT.decode([head, load, sign].join('.'), '', false)
+    end.not_to raise_error
   end
-  describe 'urlsafe base64 encoding' do
-    it 'replaces + and / with - and _' do
-      allow(Base64).to receive(:encode64) { 'string+with/non+url-safe/characters_' }
-      expect(JWT.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_')
-    end
+  it 'should not raise InvalidPayload exception if payload is an array' do
+    expect do
+      JWT.encode(['my', 'payload'], 'secret')
+    end.not_to raise_error
   end
-  describe 'decoded_segments' do
-    it 'allows access to the decoded header and payload' do
-      secret = 'secret'
-      jwt = JWT.encode(@payload, secret)
-      decoded_segments = JWT.decoded_segments(jwt)
-      expect(decoded_segments.size).to eq(4)
-      expect(decoded_segments[0]).to eq('typ' => 'JWT', 'alg' => 'HS256')
-      expect(decoded_segments[1]).to eq(@payload)
-    end
+  it 'should encode string payloads' do
+    expect do
+      JWT.encode 'Hello World', 'secret'
+    end.not_to raise_error
   end
 end