RubyGems - jwt - Versions diffs - 1.5.1 → 2.1.0 - Mend

jwt 1.5.1 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (57) hide show

checksums.yaml +4 -4
data/.codeclimate.yml +20 -0
data/.ebert.yml +18 -0
data/.gitignore +11 -0
data/.reek.yml +40 -0
data/.rspec +1 -0
data/.rubocop.yml +98 -0
data/.travis.yml +14 -0
data/CHANGELOG.md +476 -0
data/Gemfile +3 -0
data/LICENSE +7 -0
data/Manifest +3 -1
data/README.md +478 -0
data/Rakefile +8 -15
data/lib/jwt/algos/ecdsa.rb +35 -0
data/lib/jwt/algos/eddsa.rb +23 -0
data/lib/jwt/algos/hmac.rb +33 -0
data/lib/jwt/algos/rsa.rb +19 -0
data/lib/jwt/algos/unsupported.rb +16 -0
data/lib/jwt/decode.rb +49 -0
data/lib/jwt/default_options.rb +15 -0
data/lib/jwt/encode.rb +51 -0
data/lib/jwt/error.rb +16 -0
data/lib/jwt/security_utils.rb +51 -0
data/lib/jwt/signature.rb +50 -0
data/lib/jwt/verify.rb +102 -0
data/lib/jwt/version.rb +24 -0
data/lib/jwt.rb +33 -203
data/ruby-jwt.gemspec +31 -0
data/spec/fixtures/certs/ec256-private.pem +8 -0
data/spec/fixtures/certs/ec256-public.pem +4 -0
data/spec/fixtures/certs/ec256-wrong-private.pem +8 -0
data/spec/fixtures/certs/ec256-wrong-public.pem +4 -0
data/spec/fixtures/certs/ec384-private.pem +9 -0
data/spec/fixtures/certs/ec384-public.pem +5 -0
data/spec/fixtures/certs/ec384-wrong-private.pem +9 -0
data/spec/fixtures/certs/ec384-wrong-public.pem +5 -0
data/spec/fixtures/certs/ec512-private.pem +10 -0
data/spec/fixtures/certs/ec512-public.pem +6 -0
data/spec/fixtures/certs/ec512-wrong-private.pem +10 -0
data/spec/fixtures/certs/ec512-wrong-public.pem +6 -0
data/spec/fixtures/certs/rsa-1024-private.pem +15 -0
data/spec/fixtures/certs/rsa-1024-public.pem +6 -0
data/spec/fixtures/certs/rsa-2048-private.pem +27 -0
data/spec/fixtures/certs/rsa-2048-public.pem +9 -0
data/spec/fixtures/certs/rsa-2048-wrong-private.pem +27 -0
data/spec/fixtures/certs/rsa-2048-wrong-public.pem +9 -0
data/spec/fixtures/certs/rsa-4096-private.pem +51 -0
data/spec/fixtures/certs/rsa-4096-public.pem +14 -0
data/spec/integration/readme_examples_spec.rb +202 -0
data/spec/jwt/verify_spec.rb +232 -0
data/spec/jwt_spec.rb +236 -384
data/spec/spec_helper.rb +28 -0
metadata +187 -26
data/jwt.gemspec +0 -34
data/lib/jwt/json.rb +0 -32
data/spec/helper.rb +0 -19

data/spec/jwt_spec.rb CHANGED Viewed

@@ -1,463 +1,315 @@
-# encoding: utf-8
-require 'helper'
+require 'spec_helper'
+require 'jwt'
+require 'jwt/encode'
+require 'jwt/decode'
 describe JWT do
-  before do
-    @payload = { 'foo' => 'bar', 'exp' => Time.now.to_i + 1, 'nbf' => Time.now.to_i - 1 }
-  end
-  it 'encodes and decodes JWTs' do
-    secret = 'secret'
-    jwt = JWT.encode(@payload, secret)
-    decoded_payload = JWT.decode(jwt, secret)
-    expect(decoded_payload).to include(@payload)
-  end
-  it 'encodes and decodes JWTs for RSA signatures' do
-    private_key = OpenSSL::PKey::RSA.generate(512)
-    jwt = JWT.encode(@payload, private_key, 'RS256')
-    decoded_payload = JWT.decode(jwt, private_key.public_key)
-    expect(decoded_payload).to include(@payload)
-  end
-  it 'encodes and decodes JWTs for ECDSA P-256 signatures' do
-    private_key = OpenSSL::PKey::EC.new('prime256v1')
-    private_key.generate_key
-    public_key = OpenSSL::PKey::EC.new(private_key)
-    public_key.private_key = nil
-    jwt = JWT.encode(@payload, private_key, 'ES256')
-    decoded_payload = JWT.decode(jwt, public_key)
-    expect(decoded_payload).to include(@payload)
+  let(:payload) { { 'user_id' => 'some@user.tld' } }
+  let :data do
+    {
+      :secret => 'My$ecretK3y',
+      :rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-private.pem'))),
+      :rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-public.pem'))),
+      :wrong_rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
+      :wrong_rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
+      'ES256_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-private.pem'))),
+      'ES256_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-public.pem'))),
+      'ES384_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-private.pem'))),
+      'ES384_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-public.pem'))),
+      'ES512_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-private.pem'))),
+      'ES512_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-public.pem'))),
+      'ED25519_private' =>  RbNaCl::Signatures::Ed25519::SigningKey.new('abcdefghijklmnopqrstuvwxyzABCDEF'),
+      'ED25519_public' => RbNaCl::Signatures::Ed25519::SigningKey.new('abcdefghijklmnopqrstuvwxyzABCDEF').verify_key,
+      'NONE' => 'eyJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.',
+      'HS256' => 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.kWOVtIOpWcG7JnyJG0qOkTDbOy636XrrQhMm_8JrRQ8',
+      'HS512256' => 'eyJhbGciOiJIUzUxMjI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Ds_4ibvf7z4QOBoKntEjDfthy3WJ-3rKMspTEcHE2bA',
+      'HS384' => 'eyJhbGciOiJIUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.VuV4j4A1HKhWxCNzEcwc9qVF3frrEu-BRLzvYPkbWO0LENRGy5dOiBQ34remM3XH',
+      'HS512' => 'eyJhbGciOiJIUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.8zNtCBTJIZTHpZ-BkhR-6sZY1K85Nm5YCKqV3AxRdsBJDt_RR-REH2db4T3Y0uQwNknhrCnZGvhNHrvhDwV1kA',
+      'RS256' => 'eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.eSXvWP4GViiwUALj_-qTxU68I1oM0XjgDsCZBBUri2Ghh9d75QkVDoZ_v872GaqunN5A5xcnBK0-cOq-CR6OwibgJWfOt69GNzw5RrOfQ2mz3QI3NYEq080nF69h8BeqkiaXhI24Q51joEgfa9aj5Y-oitLAmtDPYTm7vTcdGufd6AwD3_3jajKBwkh0LPSeMtbe_5EyS94nFoEF9OQuhJYjUmp7agsBVa8FFEjVw5jEgVqkvERSj5hSY4nEiCAomdVxIKBfykyi0d12cgjhI7mBFwWkPku8XIPGZ7N8vpiSLdM68BnUqIK5qR7NAhtvT7iyLFgOqhZNUQ6Ret5VpQ',
+      'RS384' => 'eyJhbGciOiJSUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Sfgk56moPghtsjaP4so6tOy3I553mgwX-5gByMC6dX8lpeWgsxSeAd_K8IyO7u4lwYOL0DSftnqO1HEOuN1AKyBbDvaTXz3u2xNA2x4NYLdW4AZA6ritbYcKLO5BHTXw5ueMbtA1jjGXP0zI_aK2iJTMBmB8SCF88RYBUH01Tyf4PlLj98pGL-v3prZd6kZkIeRJ3326h04hslcB5HQKmgeBk24QNLIoIC-CD329HPjJ7TtGx01lj-ehTBnwVbBGzYFAyoalV5KgvL_MDOfWPr1OYHnR5s_Fm6_3Vg4u6lBljvHOrmv4Nfx7d8HLgbo8CwH4qn1wm6VQCtuDd-uhRg',
+      'RS512' => 'eyJhbGciOiJSUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.LIIAUEuCkGNdpYguOO5LoW4rZ7ED2POJrB0pmEAAchyTdIK4HKh1jcLxc6KyGwZv40njCgub3y72q6vcQTn7oD0zWFCVQRIDW1911Ii2hRNHuigiPUnrnZh1OQ6z65VZRU6GKs8omoBGU9vrClBU0ODqYE16KxYmE_0n4Xw2h3D_L1LF0IAOtDWKBRDa3QHwZRM9sHsHNsBuD5ye9KzDYN1YALXj64LBfA-DoCKfpVAm9NkRPOyzjR2X2C3TomOSJgqWIVHJucudKDDAZyEbO4RA5pI-UFYy1370p9bRajvtDyoBuLDCzoSkMyQ4L2DnLhx5CbWcnD7Cd3GUmnjjTA',
+      'ES256' => '',
+      'ES384' => '',
+      'ES512' => ''
+    }
+  end
+  after(:each) do
+    expect(OpenSSL.errors).to be_empty
   end
-  it 'encodes and decodes JWTs for ECDSA P-384 signatures' do
-    private_key = OpenSSL::PKey::EC.new('secp384r1')
-    private_key.generate_key
-    public_key = OpenSSL::PKey::EC.new(private_key)
-    public_key.private_key = nil
-    jwt = JWT.encode(@payload, private_key, 'ES384')
-    decoded_payload = JWT.decode(jwt, public_key)
-    expect(decoded_payload).to include(@payload)
-  end
+  context 'alg: NONE' do
+    let(:alg) { 'none' }
-  it 'encodes and decodes JWTs for ECDSA P-521 signatures' do
-    private_key = OpenSSL::PKey::EC.new('secp521r1')
-    private_key.generate_key
-    public_key = OpenSSL::PKey::EC.new(private_key)
-    public_key.private_key = nil
-    jwt = JWT.encode(@payload, private_key, 'ES512')
-    decoded_payload = JWT.decode(jwt, public_key)
-    expect(decoded_payload).to include(@payload)
-  end
+    it 'should generate a valid token' do
+      token = JWT.encode payload, nil, alg
-  it 'encodes and decodes JWTs with custom header fields' do
-    private_key = OpenSSL::PKey::RSA.generate(512)
-    jwt = JWT.encode(@payload, private_key, 'RS256', 'kid' => 'default')
-    decoded_payload = JWT.decode(jwt) do |header|
-      expect(header['kid']).to eq('default')
-      private_key.public_key
+      expect(token).to eq data['NONE']
     end
-    expect(decoded_payload).to include(@payload)
-  end
-  it 'raises encode exception when ECDSA algorithm does not match key' do
-    private_key = OpenSSL::PKey::EC.new('prime256v1')
-    private_key.generate_key
-    expect do
-      JWT.encode(@payload, private_key, 'ES512')
-    end.to raise_error(JWT::IncorrectAlgorithm, 'payload algorithm is ES512 but ES256 signing key was provided')
-  end
+    it 'should decode a valid token' do
+      jwt_payload, header = JWT.decode data['NONE'], nil, false
-  it 'decodes valid JWTs' do
-    example_payload = { 'hello' => 'world' }
-    example_secret = 'secret'
-    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.tvagLDLoaiJKxOKqpBXSEGy7SYSifZhjntgm9ctpyj8'
-    decoded_payload = JWT.decode(example_jwt, example_secret)
-    expect(decoded_payload).to include(example_payload)
-  end
+      expect(header['alg']).to eq alg
+      expect(jwt_payload).to eq payload
+    end
-  it 'decodes valid ES512 JWTs' do
-    example_payload = { 'hello' => 'world' }
-    example_jwt = 'eyJhbGciOiJFUzUxMiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkIn0.AQx1MqdTni6KuzfOoedg2-7NUiwe-b88SWbdmviz40GTwrM0Mybp1i1tVtmTSQ91oEXGXBdtwsN6yalzP9J-sp2YATX_Tv4h-BednbdSvYxZsYnUoZ--ZUdL10t7g8Yt3y9hdY_diOjIptcha6ajX8yzkDGYG42iSe3f5LywSuD6FO5c'
-    pubkey_pem = "-----BEGIN PUBLIC KEY-----\nMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAcpkss6wI7PPlxj3t7A1RqMH3nvL4\nL5Tzxze/XeeYZnHqxiX+gle70DlGRMqqOq+PJ6RYX7vK0PJFdiAIXlyPQq0B3KaU\ne86IvFeQSFrJdCc0K8NfiH2G1loIk3fiR+YLqlXk6FAeKtpXJKxR1pCQCAM+vBCs\nmZudf1zCUZ8/4eodlHU=\n-----END PUBLIC KEY-----"
-    pubkey = OpenSSL::PKey::EC.new pubkey_pem
-    decoded_payload = JWT.decode(example_jwt, pubkey)
-    expect(decoded_payload).to include(example_payload)
-  end
+    it 'should display a better error message if payload exp is_a?(Time)' do
+      payload['exp'] = Time.now
-  it 'decodes valid JWTs with iss' do
-    example_payload = { 'hello' => 'world', 'iss' => 'jwtiss' }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0aXNzIn0.nTZkyYfpGUyKULaj45lXw_1gXXjHvGW4h5V7okHdUqQ'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'iss' => 'jwtiss')
-    expect(decoded_payload).to include(example_payload)
-  end
+      expect do
+        JWT.encode payload, nil, alg
+      end.to raise_error JWT::InvalidPayload
+    end
-  context 'issuer claim verifications' do
-    it 'raises invalid issuer when "iss" claim does not match' do
-      example_secret = 'secret'
+    it 'should display a better error message if payload exp is not an Integer' do
+      payload['exp'] = Time.now.to_i.to_s
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0aXNzIn0.nTZkyYfpGUyKULaj45lXw_1gXXjHvGW4h5V7okHdUqQ'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_iss => true, 'iss' => 'jwt_iss') }.to raise_error(JWT::InvalidIssuerError, /Expected jwt_iss, received jwtiss/)
+      expect do
+        JWT.encode payload, nil, alg
+      end.to raise_error JWT::InvalidPayload
     end
+  end
-    it 'raises invalid issuer when "iss" claim is missing in payload' do
-      example_secret = 'secret'
+  %w[HS256 HS512256 HS384 HS512].each do |alg|
+    context "alg: #{alg}" do
+      it 'should generate a valid token' do
+        token = JWT.encode payload, data[:secret], alg
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0.bqxXg9VwcbXKoiWtp-osd0WKPX307RjcN7EuXbdq-CE'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_iss => true, 'iss' => 'jwt_iss') }.to raise_error(JWT::InvalidIssuerError, /received <none>/)
-    end
+        expect(token).to eq data[alg]
+      end
-    it 'does not raise invalid issuer when verify_iss is set to false (default option)' do
-      example_secret = 'secret'
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data[:secret], true, algorithm: alg
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0aXNzIn0.nTZkyYfpGUyKULaj45lXw_1gXXjHvGW4h5V7okHdUqQ'
-      expect { JWT.decode(example_jwt, example_secret, true, 'iss' => 'jwt_iss') }.not_to raise_error
-    end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-    it 'does not raise invalid issuer when correct "iss" is in payload' do
-      example_secret = 'secret'
+      it 'wrong secret should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], 'wrong_secret', true, algorithm: alg
+        end.to raise_error JWT::VerificationError
+      end
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaXNzIjoiand0X2lzcyJ9.mwbyRJJZJR1C5lBt8WOLg0ZMuwP9VGDf5HiQtFhd-eA'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_iss => true, 'iss' => 'jwt_iss') }.not_to raise_error
+      it 'wrong secret and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], 'wrong_secret', false
+        end.not_to raise_error
+      end
     end
   end
-  it 'decodes valid JWTs with iat' do
-    example_payload = { 'hello' => 'world', 'iat' => 1425917209 }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNDI1OTE3MjA5fQ.m4F-Ugo7aLnLunBBO3BeDidyWMx8T9eoJz6FW2rgQhU'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'iat' => true)
-    expect(decoded_payload).to include(example_payload)
-  end
+  %w[RS256 RS384 RS512].each do |alg|
+    context "alg: #{alg}" do
+      it 'should generate a valid token' do
+        token = JWT.encode payload, data[:rsa_private], alg
-  it 'raises decode exception when iat is invalid' do
-    # example_payload = {'hello' => 'world', 'iat' => 'abc'}
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoiMTQyNTkxNzIwOSJ9.Mn_vk61xWjIhbXFqAB0nFmNkDiCmfzUgl_LaCKRT6S8'
-    expect { JWT.decode(example_jwt, example_secret, true, :verify_iat => true, 'iat' => 1425917209) }.to raise_error(JWT::InvalidIatError)
-  end
+        expect(token).to eq data[alg]
+      end
-  it 'decodes valid JWTs with jti' do
-    example_payload = { 'hello' => 'world', 'iat' => 1425917209, 'jti' => Digest::MD5.hexdigest('secret:1425917209') }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNDI1OTE3MjA5LCJqdGkiOiI1NWM3NzZlMjFmN2NiZDg3OWMwNmZhYzAxOGRhYzQwMiJ9.ET0hb-VTUOL3M22oG13ofzvGPLMAncbF8rdNDIqo8tg'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'jti' => Digest::MD5.hexdigest('secret:1425917209'))
-    expect(decoded_payload).to include(example_payload)
-  end
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data[:rsa_public], true, algorithm: alg
-  it 'raises decode exception when jti is invalid' do
-    # example_payload = {'hello' => 'world', 'iat' => 1425917209, 'jti' => Digest::MD5.hexdigest('secret:1425917209')}
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiaWF0IjoxNDI1OTE3MjA5LCJqdGkiOiI1NWM3NzZlMjFmN2NiZDg3OWMwNmZhYzAxOGRhYzQwMiJ9.ET0hb-VTUOL3M22oG13ofzvGPLMAncbF8rdNDIqo8tg'
-    expect { JWT.decode(example_jwt, example_secret, true, :verify_jti => true, 'jti' => Digest::MD5.hexdigest('secret:1425922032')) }.to raise_error(JWT::InvalidJtiError)
-    # expect{ JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::InvalidJtiError)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'raises decode exception when jti without iat' do
-    # example_payload = {'hello' => 'world', 'jti' => Digest::MD5.hexdigest('secret:1425917209')}
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwianRpIjoiNTVjNzc2ZTIxZjdjYmQ4NzljMDZmYWMwMThkYWM0MDIifQ.n0foJCnCM_-_xUvG_TOmR9mYpL2y0UqZOD_gv33djeE'
-    expect { JWT.decode(example_jwt, example_secret, true, :verify_jti => true, 'jti' => Digest::MD5.hexdigest('secret:1425922032')) }.to raise_error(JWT::InvalidJtiError)
-  end
+      it 'wrong key should raise JWT::DecodeError' do
+        key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
-  context 'aud claim verifications' do
-    it 'decodes valid JWTs with aud' do
-      example_payload = { 'hello' => 'world', 'aud' => 'url:pnd' }
-      example_payload2 = { 'hello' => 'world', 'aud' => ['url:pnd', 'aud:yes'] }
-      example_secret = 'secret'
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiYXVkIjoidXJsOnBuZCJ9._gT5veUtNiZD7wLEC6Gd0-nkQV3cl1z8G0zXq8qcd-8'
-      example_jwt2 = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiYXVkIjpbInVybDpwbmQiLCJhdWQ6eWVzIl19.qNPNcT4X9B5uI91rIwbW2bIPTsp8wbRYW3jkZkrmqbQ'
-      decoded_payload = JWT.decode(example_jwt, example_secret, true, :verify_aud => true, 'aud' => 'url:pnd')
-      decoded_payload2 = JWT.decode(example_jwt2, example_secret, true, :verify_aud => true, 'aud' => 'url:pnd')
-      expect(decoded_payload).to include(example_payload)
-      expect(decoded_payload2).to include(example_payload2)
-    end
+        expect do
+          JWT.decode data[alg], key, true, algorithm: alg
+        end.to raise_error JWT::DecodeError
+      end
-    it 'raises deode exception when aud is invalid' do
-      # example_payload = {'hello' => 'world', 'aud' => 'url:pnd'}
-      example_secret = 'secret'
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwiYXVkIjoidXJsOnBuZCJ9._gT5veUtNiZD7wLEC6Gd0-nkQV3cl1z8G0zXq8qcd-8'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_aud => true, 'aud' => 'wrong:aud') }.to raise_error(JWT::InvalidAudError)
-    end
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
-    it 'raises deode exception when aud is missing' do
-      # JWT.encode('hello' => 'world', 'secret')
-      example_secret = 'secret'
-      example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIn0.bqxXg9VwcbXKoiWtp-osd0WKPX307RjcN7EuXbdq-CE'
-      expect { JWT.decode(example_jwt, example_secret, true, :verify_aud => true, 'aud' => 'url:pnd') }.to raise_error(JWT::InvalidAudError)
+        expect do
+          JWT.decode data[alg], key, false
+        end.not_to raise_error
+      end
     end
   end
-  it 'decodes valid JWTs with sub' do
-    example_payload = { 'hello' => 'world', 'sub' => 'subject' }
-    example_secret = 'secret'
-    example_jwt = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJoZWxsbyI6IndvcmxkIiwic3ViIjoic3ViamVjdCJ9.QUnNVZm4SPB4vP2zY9m1LoUSOx-5oGXBhj7R89D_UtA'
-    decoded_payload = JWT.decode(example_jwt, example_secret, true, 'sub' => 'subject')
-    expect(decoded_payload).to include(example_payload)
-  end
-  it 'raise decode exception when the sub is invalid'
+  %w[ED25519].each do |alg|
+    context "alg: #{alg}" do
+      before(:each) do
+        data[alg] = JWT.encode payload, data["#{alg}_private"], alg
+      end
-  it 'raises decode exception when the token is invalid' do
-    example_secret = 'secret'
-    # Same as above exmaple with some random bytes replaced
-    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHiMomlwIjogIkJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.tvagLDLoaiJKxOKqpBXSEGy7SYSifZhjntgm9ctpyj8'
-    expect { JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::DecodeError)
-  end
+      let(:wrong_key) { OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-wrong-public.pem'))) }
-  it 'raises verification exception with wrong hmac key' do
-    right_secret = 'foo'
-    bad_secret = 'bar'
-    jwt_message = JWT.encode(@payload, right_secret, 'HS256')
-    expect { JWT.decode(jwt_message, bad_secret) }.to raise_error(JWT::VerificationError)
-  end
+      it 'should generate a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-  it 'raises decode exception when ECDSA algorithm does not match key' do
-    right_private_key = OpenSSL::PKey::EC.new('prime256v1')
-    right_private_key.generate_key
-    right_public_key = OpenSSL::PKey::EC.new(right_private_key)
-    right_public_key.private_key = nil
-    bad_private_key = OpenSSL::PKey::EC.new('secp384r1')
-    bad_private_key.generate_key
-    bad_public_key = OpenSSL::PKey::EC.new(bad_private_key)
-    bad_public_key.private_key = nil
-    jwt = JWT.encode(@payload, right_private_key, 'ES256')
-    expect do
-      JWT.decode(jwt, bad_public_key)
-    end.to raise_error(JWT::IncorrectAlgorithm, 'payload algorithm is ES256 but ES384 verification key was provided')
-  end
-  it 'raises verification exception with wrong rsa key' do
-    right_private_key = OpenSSL::PKey::RSA.generate(512)
-    bad_private_key = OpenSSL::PKey::RSA.generate(512)
-    jwt = JWT.encode(@payload, right_private_key, 'RS256')
-    expect { JWT.decode(jwt, bad_private_key.public_key) }.to raise_error(JWT::VerificationError)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'raises verification exception with wrong ECDSA key' do
-    right_private_key = OpenSSL::PKey::EC.new('prime256v1')
-    right_private_key.generate_key
-    bad_private_key = OpenSSL::PKey::EC.new('prime256v1')
-    bad_private_key.generate_key
-    bad_public_key = OpenSSL::PKey::EC.new(bad_private_key)
-    bad_public_key.private_key = nil
-    jwt = JWT.encode(@payload, right_private_key, 'ES256')
-    expect { JWT.decode(jwt, bad_public_key) }.to raise_error(JWT::VerificationError)
-  end
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-  it 'raises decode exception with invalid signature' do
-    example_secret = 'secret'
-    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.'
-    expect { JWT.decode(example_jwt, example_secret) }.to raise_error(JWT::DecodeError)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'raises decode exception with nonexistent header' do
-    expect { JWT.decode('..stuff') }.to raise_error(JWT::DecodeError)
-  end
+      it 'wrong key should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key
+        end.to raise_error JWT::DecodeError
+      end
-  it 'raises decode exception with nonexistent payload' do
-    expect { JWT.decode('eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9..stuff') }.to raise_error(JWT::DecodeError)
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key, false
+        end.not_to raise_error
+      end
+    end
   end
+  %w[ES256 ES384 ES512].each do |alg|
+    context "alg: #{alg}" do
+      before(:each) do
+        data[alg] = JWT.encode payload, data["#{alg}_private"], alg
+      end
-  it 'raises decode exception with nil jwt' do
-    expect { JWT.decode(nil) }.to raise_error(JWT::DecodeError)
-  end
+      let(:wrong_key) { OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-wrong-public.pem'))) }
-  it 'allows decoding without key' do
-    right_secret = 'foo'
-    bad_secret = 'bar'
-    jwt = JWT.encode(@payload, right_secret)
-    decoded_payload = JWT.decode(jwt, bad_secret, false)
-    expect(decoded_payload).to include(@payload)
-  end
+      it 'should generate a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-  it 'checks the key when verify is truthy' do
-    right_secret = 'foo'
-    bad_secret = 'bar'
-    jwt = JWT.encode(@payload, right_secret)
-    verify = 'yes' =~ /^y/i
-    expect { JWT.decode(jwt, bad_secret, verify) }.to raise_error(JWT::DecodeError)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'raises exception on unsupported crypto algorithm' do
-    expect { JWT.encode(@payload, 'secret', 'HS1024') }.to raise_error(NotImplementedError)
-  end
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-  it 'raises exception when decoded with a different algorithm than it was encoded with' do
-    jwt = JWT.encode(@payload, 'foo', 'HS384')
-    expect { JWT.decode(jwt, 'foo', true, :algorithm => 'HS512') }.to raise_error(JWT::IncorrectAlgorithm)
-  end
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
-  it 'does not raise exception when encoded with the expected algorithm' do
-    jwt = JWT.encode(@payload, 'foo', 'HS512')
-    JWT.decode(jwt, 'foo', true, :algorithm => 'HS512')
-  end
+      it 'wrong key should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key
+        end.to raise_error JWT::DecodeError
+      end
-  it 'encodes and decodes plaintext JWTs' do
-    jwt = JWT.encode(@payload, nil, nil)
-    expect(jwt.split('.').length).to eq(2)
-    decoded_payload = JWT.decode(jwt, nil, nil)
-    expect(decoded_payload).to include(@payload)
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key, false
+        end.not_to raise_error
+      end
+    end
   end
-  it 'requires a signature segment when verify is truthy' do
-    jwt = JWT.encode(@payload, nil, nil)
-    expect(jwt.split('.').length).to eq(2)
-    expect { JWT.decode(jwt, nil, true) }.to raise_error(JWT::DecodeError)
-  end
+  context 'Invalid' do
+    it 'algorithm should raise NotImplementedError' do
+      expect do
+        JWT.encode payload, 'secret', 'HS255'
+      end.to raise_error NotImplementedError
+    end
-  it 'does not use == to compare digests' do
-    secret = 'secret'
-    jwt = JWT.encode(@payload, secret)
-    crypto_segment = jwt.split('.').last
+    it 'ECDSA curve_name should raise JWT::IncorrectAlgorithm' do
+      key = OpenSSL::PKey::EC.new 'secp256k1'
+      key.generate_key
-    signature = JWT.base64url_decode(crypto_segment)
-    expect(signature).not_to receive('==')
-    expect(JWT).to receive(:base64url_decode).with(crypto_segment).once.and_return(signature)
-    expect(JWT).to receive(:base64url_decode).at_least(:once).and_call_original
+      expect do
+        JWT.encode payload, key, 'ES256'
+      end.to raise_error JWT::IncorrectAlgorithm
-    JWT.decode(jwt, secret)
-  end
+      token = JWT.encode payload, data['ES256_private'], 'ES256'
+      key.private_key = nil
-  it 'raises error when expired' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = Time.now.to_i - 1
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ExpiredSignature)
+      expect do
+        JWT.decode token, key
+      end.to raise_error JWT::IncorrectAlgorithm
+    end
   end
-  it 'raise ExpiredSignature even when exp claims is a string' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = (Time.now.to_i).to_s
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ExpiredSignature)
-  end
+  context 'Verify' do
+    context 'algorithm' do
+      it 'should raise JWT::IncorrectAlgorithm on mismatch' do
+        token = JWT.encode payload, data[:secret], 'HS256'
-  it 'performs normal decode with skipped expiration check' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = Time.now.to_i - 1
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :verify_expiration => false)
-    expect(decoded_payload).to include(expired_payload)
-  end
+        expect do
+          JWT.decode token, data[:secret], true, algorithm: 'HS384'
+        end.to raise_error JWT::IncorrectAlgorithm
-  it 'performs normal decode using leeway' do
-    expired_payload = @payload.clone
-    expired_payload['exp'] = Time.now.to_i - 2
-    secret = 'secret'
-    jwt = JWT.encode(expired_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :leeway => 3)
-    expect(decoded_payload).to include(expired_payload)
-  end
+        expect do
+          JWT.decode token, data[:secret], true, algorithm: 'HS256'
+        end.not_to raise_error
+      end
-  it 'raises error when before nbf' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = Time.now.to_i + 1
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ImmatureSignature)
-  end
+      it 'should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm' do
+        token = JWT.encode payload, data[:secret], 'HS512'
-  it 'doesnt raise error when after nbf' do
-    mature_payload = @payload.clone
-    secret = 'secret'
-    jwt = JWT.encode(mature_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :verify_expiration => false)
-    expect(decoded_payload).to include(mature_payload)
-  end
+        expect do
+          JWT.decode token, data[:secret], true, algorithms: ['HS384']
+        end.to raise_error JWT::IncorrectAlgorithm
-  it 'raise ImmatureSignature even when nbf claim is a string' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = (Time.now.to_i).to_s
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    expect { JWT.decode(jwt, secret) }.to raise_error(JWT::ImmatureSignature)
-  end
+        expect do
+          JWT.decode token, data[:secret], true, algorithms: ['HS512', 'HS384']
+        end.not_to raise_error
+      end
-  it 'performs normal decode with skipped not before check' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = Time.now.to_i + 2
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :verify_not_before => false)
-    expect(decoded_payload).to include(immature_payload)
-  end
+      context 'no algorithm provided' do
+        it 'should use the default decode algorithm' do
+          token = JWT.encode payload, data[:rsa_public].to_s
-  it 'performs normal decode using leeway' do
-    immature_payload = @payload.clone
-    immature_payload['nbf'] = Time.now.to_i - 2
-    secret = 'secret'
-    jwt = JWT.encode(immature_payload, secret)
-    decoded_payload = JWT.decode(jwt, secret, true, :leeway => 3)
-    expect(decoded_payload).to include(immature_payload)
-  end
+          jwt_payload, header = JWT.decode token, data[:rsa_public].to_s
-  describe 'secure comparison' do
-    it 'returns true if strings are equal' do
-      expect(JWT.secure_compare('Foo', 'Foo')).to be true
+          expect(header['alg']).to eq 'HS256'
+          expect(jwt_payload).to eq payload
+        end
+      end
     end
-    it 'returns false if either input is nil or empty' do
-      [nil, ''].each do |bad|
-        expect(JWT.secure_compare(bad, 'Foo')).to be false
-        expect(JWT.secure_compare('Foo', bad)).to be false
+    context 'issuer claim' do
+      let(:iss) { 'ruby-jwt-gem' }
+      let(:invalid_token) { JWT.encode payload, data[:secret] }
+      let :token do
+        iss_payload = payload.merge(iss: iss)
+        JWT.encode iss_payload, data[:secret]
       end
-    end
-    it 'retuns false if the strings are different' do
-      expect(JWT.secure_compare('Foo', 'Bar')).to be false
+      it 'if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError' do
+        expect do
+          JWT.decode token, data[:secret], true, iss: iss, algorithm: 'HS256'
+        end.not_to raise_error
+      end
     end
   end
-  # no method should leave OpenSSL.errors populated
-  after do
-    expect(OpenSSL.errors).to be_empty
+  context 'Base64' do
+    it 'urlsafe replace + / with - _' do
+      allow(Base64).to receive(:encode64) { 'string+with/non+url-safe/characters_' }
+      expect(JWT::Encode.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_')
+    end
   end
-  it 'raise exception on invalid signature' do
-    pubkey = OpenSSL::PKey::RSA.new(<<-PUBKEY)
------BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxCaY7425h964bjaoLeUm
-SlZ8sK7VtVk9zHbGmZh2ygGYwfuUf2bmMye2Ofv99yDE/rd4loVIAcu7RVvDRgHq
-3/CZTnIrSvHsiJQsHBNa3d+F1ihPfzURzf1M5k7CFReBj2SBXhDXd57oRfBQj12w
-CVhhwP6kGTAWuoppbIIIBfNF2lE/Nvm7lVVYQqL9xOrP/AQ4xRbpQlB8Ll9sO9Or
-SvbWhCDa/LMOWxHdmrcJi6XoSg1vnOyCoKbyAoauTt/XqdkHbkDdQ6HFbJieu9il
-LDZZNliPhfENuKeC2MCGVXTEu8Cqhy1w6e4axavLlXoYf4laJIZ/e7au8SqDbY0B
-xwIDAQAB
------END PUBLIC KEY-----
-PUBKEY
-    jwt = (
-      'eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY' \
-      'XVkIjoiMTA2MDM1Nzg5MTY4OC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSI' \
-      'sImNpZCI6IjEwNjAzNTc4OTE2ODguYXBwcy5nb29nbGV1c2VyY29udGVudC5jb' \
-      '20iLCJpZCI6IjExNjQ1MjgyNDMwOTg1Njc4MjE2MyIsInRva2VuX2hhc2giOiJ' \
-      '0Z2hEOUo4bjhWME4ydmN3NmVNaWpnIiwiaWF0IjoxMzIwNjcwOTc4LCJleHAiO' \
-      'jEzMjA2NzQ4Nzh9.D8x_wirkxDElqKdJBcsIws3Ogesk38okz6MN7zqC7nEAA7' \
-      'wcy1PxsROY1fmBvXSer0IQesAqOW-rPOCNReSn-eY8d53ph1x2HAF-AzEi3GOl' \
-      '6hFycH8wj7Su6JqqyEbIVLxE7q7DkAZGaMPkxbTHs1EhSd5_oaKQ6O4xO3ZnnT4'
-    )
-    expect { JWT.decode(jwt, pubkey, true) }.to raise_error(JWT::DecodeError)
+  it 'should not verify token even if the payload has claims' do
+    head = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9'
+    load = 'eyJ1c2VyX2lkIjo1NCwiZXhwIjoxNTA0MzkwODA0fQ'
+    sign = 'Skpi6FfYMbZ-DwW9ocyRIosNMdPMAIWRLYxRO68GTQk'
+    expect do
+      JWT.decode([head, load, sign].join('.'), '', false)
+    end.not_to raise_error
   end
-  describe 'urlsafe base64 encoding' do
-    it 'replaces + and / with - and _' do
-      allow(Base64).to receive(:encode64) { 'string+with/non+url-safe/characters_' }
-      expect(JWT.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_')
-    end
+  it 'should not raise InvalidPayload exception if payload is an array' do
+    expect do
+      JWT.encode(['my', 'payload'], 'secret')
+    end.not_to raise_error
   end
-  describe 'decoded_segments' do
-    it 'allows access to the decoded header and payload' do
-      secret = 'secret'
-      jwt = JWT.encode(@payload, secret)
-      decoded_segments = JWT.decoded_segments(jwt)
-      expect(decoded_segments.size).to eq(4)
-      expect(decoded_segments[0]).to eq('typ' => 'JWT', 'alg' => 'HS256')
-      expect(decoded_segments[1]).to eq(@payload)
-    end
+  it 'should encode string payloads' do
+    expect do
+      JWT.encode 'Hello World', 'secret'
+    end.not_to raise_error
   end
 end