jwt 1.5.2 → 1.5.4

data/lib/jwt/verify.rb

@@ -0,0 +1,98 @@
+require 'jwt/error'
+
+module JWT
+  # JWT verify methods
+  class Verify
+    class << self
+      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method_name|
+        define_method method_name do |payload, options|
+          new(payload, options).send(method_name)
+        end
+      end
+    end
+
+    def initialize(payload, options)
+      @payload = payload
+      @options = options
+    end
+
+    def verify_aud
+      return unless (options_aud = extract_option(:aud))
+
+      if @payload['aud'].is_a?(Array)
+        fail(
+          JWT::InvalidAudError,
+          'Invalid audience'
+        ) unless @payload['aud'].include?(options_aud.to_s)
+      else
+        fail(
+          JWT::InvalidAudError,
+          "Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || '<none>'}"
+        ) unless @payload['aud'].to_s == options_aud.to_s
+      end
+    end
+
+    def verify_expiration
+      return unless @payload.include?('exp')
+
+      if @payload['exp'].to_i < (Time.now.to_i - leeway)
+        fail(JWT::ExpiredSignature, 'Signature has expired')
+      end
+    end
+
+    def verify_iat
+      return unless @payload.include?('iat')
+
+      if !(@payload['iat'].is_a?(Numeric)) || @payload['iat'].to_f > (Time.now.to_f + leeway)
+        fail(JWT::InvalidIatError, 'Invalid iat')
+      end
+    end
+
+    def verify_iss
+      return unless (options_iss = extract_option(:iss))
+
+      if @payload['iss'].to_s != options_iss.to_s
+        fail(
+          JWT::InvalidIssuerError,
+          "Invalid issuer. Expected #{options_iss}, received #{@payload['iss'] || '<none>'}"
+        )
+      end
+    end
+
+    def verify_jti
+      options_verify_jti = extract_option(:verify_jti)
+      if options_verify_jti.respond_to?(:call)
+        fail(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(@payload['jti'])
+      else
+        fail(JWT::InvalidJtiError, 'Missing jti') if @payload['jti'].to_s.strip.empty?
+      end
+    end
+
+    def verify_not_before
+      return unless @payload.include?('nbf')
+
+      if @payload['nbf'].to_i > (Time.now.to_i + leeway)
+        fail(JWT::ImmatureSignature, 'Signature nbf has not been reached')
+      end
+    end
+
+    def verify_sub
+      return unless (options_sub = extract_option(:sub))
+
+      fail(
+        JWT::InvalidSubError,
+        "Invalid subject. Expected #{options_sub}, received #{@payload['sub'] || '<none>'}"
+      ) unless @payload['sub'].to_s == options_sub.to_s
+    end
+
+    private
+
+    def extract_option(key)
+      @options.values_at(key.to_sym, key.to_s).compact.first
+    end
+
+    def leeway
+      extract_option :leeway
+    end
+  end
+end

data/lib/jwt/version.rb

@@ -0,0 +1,23 @@
+# encoding: utf-8
+
+# Moments version builder module
+module JWT
+  def self.gem_version
+    Gem::Version.new VERSION::STRING
+  end
+
+  # Moments version builder module
+  module VERSION
+    # major version
+    MAJOR = 1
+    # minor version
+    MINOR = 5
+    # tiny version
+    TINY  = 4
+    # alpha, beta, etc. tag
+    PRE   = nil
+
+    # Build version string
+    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
+  end
+end

data/ruby-jwt.gemspec

@@ -0,0 +1,29 @@
+lib = File.expand_path('../lib/', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'jwt/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'jwt'
+  spec.version = JWT.gem_version
+  spec.authors = [
+    'Jeff Lindsay',
+    'Tim Rudat'
+  ]
+  spec.email = 'timrudat@gmail.com'
+  spec.summary = 'JSON Web Token implementation in Ruby'
+  spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
+  spec.homepage = 'http://github.com/jwt/ruby-jwt'
+  spec.license = 'MIT'
+
+  spec.files = `git ls-files -z`.split("\x0")
+  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = %w(lib)
+
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'simplecov-json'
+  spec.add_development_dependency 'codeclimate-test-reporter'
+end

data/spec/fixtures/certs/ec256-private.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJmVse5uPfj6B4TcXrUAvf9/8pJh+KrKKYLNcmOnp/vPoAoGCCqGSM49
+AwEHoUQDQgAEAr+WbDE5VtIDGhtYMxvEc6cMsDBc/DX1wuhIMu8dQzOLSt0tpqK9
+MVfXbVfrKdayVFgoWzs8MilcYq0QIhKx/w==
+-----END EC PRIVATE KEY-----

data/spec/fixtures/certs/ec256-public.pem

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAr+WbDE5VtIDGhtYMxvEc6cMsDBc
+/DX1wuhIMu8dQzOLSt0tpqK9MVfXbVfrKdayVFgoWzs8MilcYq0QIhKx/w==
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/ec256-wrong-private.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQACg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEICfA4AaomONdmPTzeyrx5U/jugYXTERyb5U3ETTv7Hx7oAcGBSuBBAAK
+oUQDQgAEPmuXZT3jpJnEMVPOW6RMsmxeGLOCE1PN6fwvUwOsxv7YnyoQ5/bpo64n
++Jp4slSl1aUNoCBF2oz9bS0iyBo3jg==
+-----END EC PRIVATE KEY-----

data/spec/fixtures/certs/ec256-wrong-public.pem

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEPmuXZT3jpJnEMVPOW6RMsmxeGLOCE1PN
+6fwvUwOsxv7YnyoQ5/bpo64n+Jp4slSl1aUNoCBF2oz9bS0iyBo3jg==
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/ec384-private.pem

@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDxOljqUKw9YNhkluSJIBAYO1YXcNtS+vckd5hpTZ5toxsOlwbmyrnU
+Tn+D5Xma1m2gBwYFK4EEACKhZANiAASQwYTiRvXu1hMHceSosMs/8uf50sJI3jvK
+kdSkvuRAPxSzhtrUvCQDnVsThFq4aOdZZY1qh2ErJGtzmrx+pEsJvJnvfOTG3NGU
+KRalek+LQfVqAUSvDMKlxdkz2e67tso=
+-----END EC PRIVATE KEY-----

data/spec/fixtures/certs/ec384-public.pem

@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkMGE4kb17tYTB3HkqLDLP/Ln+dLCSN47
+ypHUpL7kQD8Us4ba1LwkA51bE4RauGjnWWWNaodhKyRrc5q8fqRLCbyZ73zkxtzR
+lCkWpXpPi0H1agFErwzCpcXZM9nuu7bK
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/ec384-wrong-private.pem

@@ -0,0 +1,9 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIg==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDAfZW47dSKnC5JkSVOk1ERxCIi/IJ1p1WBnVGx4hnrNHy+dxtaZJaF+
+YLInFQ/QbYegBwYFK4EEACKhZANiAAQwXkx4BFBGLXbzl5yVrfxK7er8hSi38iDE
+K2+7cdrR137Wn5JUnL4WTwXTzkyUgfBOL3sHNozwfgU03GD/EOUEKqzsIJiz2cbP
+bFALd4hS+8T4szDLVC9Jl1W6k0CAtmM=
+-----END EC PRIVATE KEY-----

data/spec/fixtures/certs/ec384-wrong-public.pem

@@ -0,0 +1,5 @@
+-----BEGIN PUBLIC KEY-----
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEMF5MeARQRi1285ecla38Su3q/IUot/Ig
+xCtvu3Ha0dd+1p+SVJy+Fk8F085MlIHwTi97BzaM8H4FNNxg/xDlBCqs7CCYs9nG
+z2xQC3eIUvvE+LMwy1QvSZdVupNAgLZj
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/ec512-private.pem

@@ -0,0 +1,10 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIB0/+ffxEj7j62xvGaB5pvzk888e412ESO/EK/K0QlS9dSF8+Rj1rG
+zqpRB8fvDnoe8xdmkW/W5GKzojMyv7YQYumgBwYFK4EEACOhgYkDgYYABAEw74Yw
+aTbPY6TtWmxx6LJDzCX2nKWCPnKdZcEH9Ncu8g5RjRBRq2yacja3OoS6nA2YeDng
+reBJxZr376P6Ns6XcQFWDA6K/MCTrEBCsPxXZNxd8KR9vMGWhgNtWRrcKzwJfQkr
+suyehZkbbYyFnAWyARKHZuV7VUXmeEmRS/f93MPqVA==
+-----END EC PRIVATE KEY-----

data/spec/fixtures/certs/ec512-public.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBMO+GMGk2z2Ok7VpsceiyQ8wl9pyl
+gj5ynWXBB/TXLvIOUY0QUatsmnI2tzqEupwNmHg54K3gScWa9++j+jbOl3EBVgwO
+ivzAk6xAQrD8V2TcXfCkfbzBloYDbVka3Cs8CX0JK7LsnoWZG22MhZwFsgESh2bl
+e1VF5nhJkUv3/dzD6lQ=
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/ec512-wrong-private.pem

@@ -0,0 +1,10 @@
+-----BEGIN EC PARAMETERS-----
+BgUrgQQAIw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MIHbAgEBBEG/KbA2oCbiCT6L3V8XSz2WKBy0XhGvIFbl/ZkXIXnkYt+1B7wViSVo
+KCHuMFsi6xU/5nE1EuDG2UsQJmKeAMkIOKAHBgUrgQQAI6GBiQOBhgAEAG0TFWe5
+cZ5DZIyfuysrCoQySTNxd+aT8sPIxsx7mW6YBTsuO6rEgxyegd2Auy4xtikxpzKv
+soMXR02999Aaus2jAAt/wxrhhr41BDP4MV0b6Zngb72hna0pcGqit5OyU8AbOJUZ
++rdyowRGsOY+aPbOyVhdNcsEdxYC8GdIyCQLBC1H
+-----END EC PRIVATE KEY-----

data/spec/fixtures/certs/ec512-wrong-public.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAbRMVZ7lxnkNkjJ+7KysKhDJJM3F3
+5pPyw8jGzHuZbpgFOy47qsSDHJ6B3YC7LjG2KTGnMq+ygxdHTb330Bq6zaMAC3/D
+GuGGvjUEM/gxXRvpmeBvvaGdrSlwaqK3k7JTwBs4lRn6t3KjBEaw5j5o9s7JWF01
+ywR3FgLwZ0jIJAsELUc=
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/rsa-1024-private.pem

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDO/ahgFDvniFoQ1dm+MdnkBi+Ts5W9AtQNgw4ZHIdPnqEzSgW7
+0opKEu8hnlLqsIyU2BC2op/xOanipdbXObuFlA6bth1cYRI+YJlR3BbPGOIL6YbJ
+ud9m0gIsBlCDLm4e/E45ZS+emudISP7/SF7zxvxZlnr1z7HTm7nIIVBvuQIDAQAB
+AoGBAMzFQAccvU6GI6O4C5sOsiHUxMh3xtCftaxQVGgfQvVPVuXoeteep1Q0ewFl
+IV4vnkO5pH8pTtVTWG9x5KIy6QCql4qvr2jkOm4mo9uogrpNklvBl2lN4Lxubj0N
+mGRXaM3hckZl8+JT6uzfBfjy+pd8AOigJGPQCOZn4gmANW7pAkEA82Nh4wpj6ZRU
+NBiBq3ONZuH4xJm59MI2FWRJsGUFUYdSaFwyKKim52/13d8iUb7v9utWQFRatCXz
+Lqw9fQyVrwJBANm3dBOVxpUPrYEQsG0q2rdP+u6U3woylxwtQgJxImZKZmmJlPr8
+9v23rhydvCe1ERPYe7EjF4RGWVPN3KLdExcCQDdzNfL3BApMS97OkoRQQC/nXbjU
+2SPlN1MqVQuGCG8pqGG0V40h11y1CkvxMS10ldEojq77SOrwFnZUsXGS82sCQQC6
+XdO7QCaxSq5XIRYlHN4EtS40NLOIYy3/LK6osHel4GIyTVd+UjSLk0QzssJxqwln
+V5TqWQO0cxPcLQiFUYEZAkEA2G84ilb9QXOgbNyoE1VifNk49hhodbSskLb86uwY
+Vgtzq1ZsqoPBCasr4WRiXt270n+mo5dNYRlZwiUn9lH78Q==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/certs/rsa-1024-public.pem

@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO/ahgFDvniFoQ1dm+MdnkBi+T
+s5W9AtQNgw4ZHIdPnqEzSgW70opKEu8hnlLqsIyU2BC2op/xOanipdbXObuFlA6b
+th1cYRI+YJlR3BbPGOIL6YbJud9m0gIsBlCDLm4e/E45ZS+emudISP7/SF7zxvxZ
+lnr1z7HTm7nIIVBvuQIDAQAB
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/rsa-2048-private.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA4GzZTLU48c4WbyvHi+QKrB71x+T0eq5hqDbQqnlYjhD1Ika7
+io1iplsdJWJuyxfYbUkb2Ol0fj4koZ/GS6lgCZr4+8UHbr1qf0Eu5HZSpszs2YxY
+8U5RHnrpw67co7hlgAR9HbyNf5XIYgLV9ldHH/eazwnc3F/hgNsV0xjScVilejgo
+cJ4zcsyymvW8t42lteM7bI867ZuJhGop/V+Y0HFyrMsPoQyLuCUpr6ulOfrkr7ZO
+dhAIG8r1HcjOp/AUjM15vfXcbUZjkM/VloifX1YitU3upMGJ8/DpFGffMOImrn5r
+6BT494V8rRyN2qvQoAkLJpqZ0avLxwiR2lgVQQIDAQABAoIBAEH0Ozgr2fxWEInD
+V/VooypKPvjr9F1JejGxSkmPN9MocKIOH3dsbZ1uEXa3ItBUxan4XlK06SNgp+tH
+xULfF/Y6sQlsse59hBq50Uoa69dRShn1AP6JgZVvkduMPBNxUYL5zrs6emsQXb9Q
+DglDRQfEAJ7vyxSIqQDxYcyT8uSUF70dqFe+E9B2VE3D6ccHc98k41pJrAFAUFH1
+wwvDhfyYr7/Ultut9wzpZvU1meF3Vna3GOUHfxrG6wu1G+WIWHGjouzThsc1qiVI
+BtMCJxuCt5fOXRbU4STbMqhB6sZHiOh6J/dZU6JwRYt+IS8FB6kCNFSEWZWQledJ
+XqtYSQECgYEA9nmnFTRj3fTBq9zMXfCRujkSy6X2bOb39ftNXzHFuc+I6xmv/3Bs
+P9tDdjueP/SnCb7i/9hXkpEIcxjrjiqgcvD2ym1hE4q+odMzRAXYMdnmzI34SVZE
+U5hYJcYsXNKrTTleba7QgqdORmyJ9FwqLO40udvmrZMY223XDwgRkOkCgYEA6RkO
+5wjjrWWp/G1YN3KXZTS1m2/eGrUThohXKAfAjbWWiouNLW2msXrxEWsPRL6xKiHu
+X9cwZwzi3MstAgk+bphUGUVUkGKNDjWHJA25tDYjbPtkd6xbL4eCHsKpNL3HNYr9
+N0CIvgn7qjaHRBem0iK7T6keY4axaSVddEwYapkCgYEA13K5qaB1F4Smcpt8DTWH
+vPe8xUUaZlFzOJLmLCsuwmB2N8Ppg2j7RspcaxJsH021YaB5ftjWm+ipMSr8ZPY/
+8JlPsNzxuYpTXtNmAbT2KYVm6THEch61dTk6/DIBf1YrpUJbl5by7vJeStL/uBmE
+SGgksL5XIyzs0opuLdaIvFkCgYAyBLWE8AxjFfCvAQuwAj/ocLITo6KmWnrRIIqL
+RXaVMgUWv7FQsTnW1cnK8g05tC2yG8vZ9wQk6Mf5lwOWb0NdWgSZ0528ydj41pWk
+L+nMeN2LMjqxz2NVxJ8wWJcUgTCxFZ0WcRumo9/D+6V1ABpE9zz4cBLcSnfhVypB
+nV6T6QKBgQCSZNCQ9HPxjAgYcsqc5sjNwuN1GHQZSav3Tye3k6zHENe1lsteT9K8
+xciGIuhybKZBvB4yImIIHCtnH+AS+mHAGqHarjNDMfvjOq0dMibPx4+bkIiHdBIH
+Xz+j5kmntvFiUnzr0Z/Tcqo+r8FvyCo1YWgwqGP8XoFrswD7gy7cZw==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/certs/rsa-2048-public.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4GzZTLU48c4WbyvHi+QK
+rB71x+T0eq5hqDbQqnlYjhD1Ika7io1iplsdJWJuyxfYbUkb2Ol0fj4koZ/GS6lg
+CZr4+8UHbr1qf0Eu5HZSpszs2YxY8U5RHnrpw67co7hlgAR9HbyNf5XIYgLV9ldH
+H/eazwnc3F/hgNsV0xjScVilejgocJ4zcsyymvW8t42lteM7bI867ZuJhGop/V+Y
+0HFyrMsPoQyLuCUpr6ulOfrkr7ZOdhAIG8r1HcjOp/AUjM15vfXcbUZjkM/Vloif
+X1YitU3upMGJ8/DpFGffMOImrn5r6BT494V8rRyN2qvQoAkLJpqZ0avLxwiR2lgV
+QQIDAQAB
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/rsa-2048-wrong-private.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAzHAVGaW9j4l3/b4ngcjjoIoIcnsQEWOMqErb5VhLZMGIq1gE
+O5qxPDAwooKsNotzcAOB3ZyLn7p5D+dmOrNUYkYWgYITNGeSifrnVqQugd5Fh1L8
+K7zOGltUo2UtjbN4uJ56tzxBMZp2wejs2/Qu0eu0xZK3To+YkDcWOk92rmNgmUSQ
+C/kNyIOj+yBvOo3wTk6HvbhoIarCgJ6Lay1v/hMLyQLzwRY/Qfty1FTIDyTv2dch
+47FsfkZ1KAL+MbUnHuCBPzGxRjXa8Iy9Z7YGxrYasUt1b0um64bscxoIiCu8yLL8
+jlg01Rwrjr/MTwKRhwXlMp8B7HTonwtaG6arJwIDAQABAoIBAGFR4dmJusl/qW1T
+fj8cQLAFxaupxaZhe24J5NAyzgEy2Dqo9ariIwkB78UM66ozjEqAgOvcP+NTw5m8
+kD/VapA1yTTxlO7XdzzUAhiOo80S4IphCMZRZNPLMmluGtdf3lIUr1pXBrn0TCBX
+H5o9jaREzpNXGof9d6T/dEdh2J9+uE/p1xE5GSxQfaPheZzCG7636La/DcArg/UR
++TusPqp62BEmk96pE/KKJRmEeH+WnPfSh6sMpLxi3hkEU7AynpliGT6Z6xV4csBI
+S/rdpkcj5DWpbnQzkwdrnL2Q+POEq/vlx5/NlezvtQPNLvQWDyY4yBCoMKGb3EbX
+xrxP7MECgYEA/kwe4P0Mqk+087IyhjDBGPfcMt8gfYc9nzNfIYSWdSwuSag/hqHq
+I4GwHQzUV9ix3iM6w5hin10yAzWxCYZg9hquV+lSvNNpGB76FX6oOqwuAhyQMRwv
+eW+VUyfFXeJugwL5JuIaNTvwPpQVDHYtELLifie+uzJ5HC6dhg/XchcCgYEAzc5/
++IXjOlExd/mBgFk/5Y87ifA0ZOgbaJXifYgU0aNSgz1piHxU3n2p4jJ9lSdwwCl2
+Fb5EN7666t20PL5QcXJ5ZdaTRLzRlYiqTWzfYHBgttbB1Jl3Ed9GsKuzRgaRqGFC
+ANJSqZlKG0NZ3keRtuKdFwq+IVOnsQr9g0TZiXECgYEAqUgtCiMKCloTIGMQpSnR
+cXiWWjsUmturls4Q1vQ3YHrvuVLKLyqb/dT4Uu5WcMAs765OESThCit0/pQAbVHK
+PCpYwubskAzAGjGM00BEZwJ1gixXhIm5xMIWCowgI7Z3ULlq+IptXeCvtkjHlksZ
+BtO+WLLGkkEwRCV38WWcSzMCgYA/Xxqgl/mD94RYAQgTUWgPc69Nph08BQyLg7ue
+E8z1UGkT6FEaqc4oRGGPOSTaTK63PQ0TXOb8k0pTD7l0CtYSWMFwzkXCoLGYbeCi
+vqd5tqDRLAe7QxYa9rl5pSUqptMrGeeNATZa6sya4H5Hp5oCyny8n54z/OJh7ZRq
+W0TwwQKBgQDDP7ksm2pcqadaVAmODdOlaDHbaEcxp8wN7YVz0lM3UpJth96ukbj7
+S39eJhXYWOn6oJQb/lN9fGOYqjg3y6IchGZDp67ATvWYvn/NY0R7mt4K4oHx5TuN
+rSQlP3WmOGv8Kemw892uRfW/jZyBEHhsfS213WDttVPn9F635GdNWw==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/certs/rsa-2048-wrong-public.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzHAVGaW9j4l3/b4ngcjj
+oIoIcnsQEWOMqErb5VhLZMGIq1gEO5qxPDAwooKsNotzcAOB3ZyLn7p5D+dmOrNU
+YkYWgYITNGeSifrnVqQugd5Fh1L8K7zOGltUo2UtjbN4uJ56tzxBMZp2wejs2/Qu
+0eu0xZK3To+YkDcWOk92rmNgmUSQC/kNyIOj+yBvOo3wTk6HvbhoIarCgJ6Lay1v
+/hMLyQLzwRY/Qfty1FTIDyTv2dch47FsfkZ1KAL+MbUnHuCBPzGxRjXa8Iy9Z7YG
+xrYasUt1b0um64bscxoIiCu8yLL8jlg01Rwrjr/MTwKRhwXlMp8B7HTonwtaG6ar
+JwIDAQAB
+-----END PUBLIC KEY-----

data/spec/fixtures/certs/rsa-4096-private.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEAqETmgWBi5rCmb7euJplA/9xs65+bncc9Yvs5zjyycXSW82Jf
+RuyguGm0OvA2wog24dR4N2kT/87DcGtp5JqJWADVFNr+2V2r6i57/OMLruRpn3p2
+r95dmo0COE+BxPFl7XEBT8JbH57ZtpgcB3/xkS14nLOWFf96hrXPlXJC+VMVKVZm
+A8k2LRh42vT5wUf4U0Doy/p7yFNSFFa6Q8wwe4TBy/z/f+rhFD1w8rxlYjallee/
+ocm7bjZCwbJGMm7orLViqWfsFX3O35PeoJ5h/7uJ7iRwvTFERkTdwWP/0BeKBeIt
+BR3YFc2mut+V9W+WKRkMSL6Crc+oVSx3p8aB7j9SZFzQiRtes4BYETpX1xl2mgIq
+5hvsFbLw7ESrlIodiwUMTrSIid2DQ6q80kv1zXPr4+Id6L0sJLxPCaXnTmNtasSw
+yedJJYxLjwhHJwtzFAeaq18H3O791YKhjAJ6YxK3zJ59jTE6Pkvqjq183f2PGHVR
+vgSN7aCmI6MBUUB5wDP2K8zX2sh40/uPDVSd6ei1vl3DpPk+h8iExx6AzbohfqZ+
+5RUUNx127L3MaQvOVC5TxV+R99gwKW++wzcVuO3m2KqVUj+K1uYBy3KBCUMBbckp
+EWGbN++jcdV5oJX6fsC66nOmKlntYwCL/pRww+oLsbzF8J3dxeDbKNF9JDsCAwEA
+AQKCAgBJF8TZJjlP5CQoGy227pNhkSpvH6HFY6qyuFZf09XfmrmHd4/Tiy41bRUx
+FO90iR7t8hFWYHqjf/k9eCtDdi164MGukYJqgVoQG6kYLLgCfI21DMlJk9otLFtu
+gnroRcP05EWhk9dpYONJgcGLMHSKj6n4x7nGTHe41HkbfcrB6ukiT7l4o4q5BAxb
+cFadMtoXr/ZvxJrIZgkddJ7snGHjBcP5DCkgM7MZy6aoilWv1/UNrOF9MdgNA9zz
+rrD3b136x7/XvqC6pS+bxuvJ8YK4R4qeu42NYT07GOcK/pk8lz0JWTodIt2eevqV
+6lGFj7c2mv7PCpJRVgbVGL/RTVVap/+jbcRVLdnYKsII/dANG7iXnfwRgkLWet5D
+OOsPuvIuyiSaJIwcdRE3SSO+tZhKLt+gh/oLxBPw5Ex0FwsVTtYn3Q/X3EAx+Wph
+eFcRr3TVkDg0MfdWWkgk16DvYB5cWc29coTaH1g+2juadNHbtVAigwJorKc6sxH3
+QGsW0WQJ8ZRZgJkSUuu3nr7QD3ZrgHptONQAh1RWGnIWi6OlMfaPdMo+SDnnL5SG
+mpOPjWadDc1XvMFnKQYMYB5GWU/ZNmnZmDLyg1Pc0Y+qRUc0s83nZFHN60KnUrSz
+0MZDspSFtr0fMx0b2/EB4EbuXd3QjQURF6P6HtWBu6oFnzu1AQKCAQEA2R9BKJgJ
+vNP+DUu8NBzwmi0cKlAiaxt+w90i5DWq1XWPKgi+RVLkaQSJqHoYQVNgEwL/cWxp
+s2r3GCMNIdOrGdcm8dX/6UYFpRaFcViTycVEA7cwZOMppgqr2Q+ZYX42K7HObUVL
+JGvdEWWWfSsynUGsrG87DC1gl94ANxCdqkZdbW5d3X0w5v7M/1tlrmAeskZSZpeT
+8BwwM6REb0U/B4/i8TLtLi/PGmMTOIxW41uKS/S6kq/gwyv+jNNO0ljhPt25iSbV
+K5ZHS4YuPKLl0tZMaOkPco9s6t4ES/Y317zQoTzUkAAkkFO4QPzRZL0ESqVBNR0h
+Ao7FLmFZzFHpoQKCAQEAxmZBn0UrJLXkD7bw66y4RwzjQYmxLlkEl3uvjrvVSuL1
+mAHDW58aGIpFFZ8QSTtNewIBQYNifp/cdFHAagqtl/iMGEegaOpJAKu/ykrkfZUp
+7mYDNng4ZWpypeKaGMAQoNzZiUpF+BDnqbeb/kgYu6sNlh9gRHR79rgAuZQxZ/1B
+tE8WcUFi4CnTq2QLqX4LwMuZHWXAJQoMoW3K5av+J544lIM6GdMJuIONtBBkKVQD
+ErrJ0bqYeykrFS6pKl/NBCZLGo5xFFRiYEdZ1GlA3uW3EGKppz6PS7194+x5UVts
+xZPUfkgdFjWCczkl4JDoWfaNn5sgXtiVbGh1n3gYWwKCAQB7vHEg1kyuXU4qe5/d
+PyTraIvlnVeQHNJIgy0QS3l5Pw8A0IzG6y+anehpqHNMP1zAWPQEytkOVAZPriIc
+xgl7p37dUa0PX0V2SPhxmR5YXeCeEXc197PTmb9H67jos8nhauqOoW/qaMJK2M9D
+tCubLUNf3eAT14R16CHNP93qnUE/TSeXQ3JsIofne0neb47u4F6zcuzvaNEbjSEn
+HJqID7sw5GoA6WQo0I+yqWAXICMXmHf/gtYfxGHEFeSUwexULH5BKG1R8sncw7J0
+Ag3h8xkGrNON4SkcTLy8Iay/eS6YxRcKndo4mk2mU65tr77TX4xi3Z/jWkQLY5WO
+eJwhAoIBABO17wkSxyGDjJ/fDfpsE3bDmgRV2KuBHoqqOBvXH26sM7ghXLZKjT4o
+5ooqXmTYJm91GIjYs71exnkr8hDW9L4nbEuxOgeSVyRg69H+NMshOaQ8sE8GDJxO
+wgsnAyY4Vq6UomwYW/E0RL/AxRezM/nZGaVzgo3qgLJXP4MwbOQm7hMq1FD2LQuW
+PDhH3Ty+kA5ca97W0Asd/3k+Pi0pNDvdZUOj8e7E369cKoTcKAdPGGsQ8aILhsCd
+q3EUTKwwDl8+KrH9utBJPejQzeTjfBVo/xH6q145QeVFcy9ku/zQN3M9p5vQMEuX
+j1lBMTkpTFw7uYBE2idyHw5BJoZsWQcCggEADfZTChqnOncItSflzGoaAACrr4/x
+KyT/4A+cPMCs11JN9J+EWsCezya2o1l/NF7YPcBR4qjCmFMEiq5GxH5fGLQp0aa7
+V13mHA8XBQ25OW2K7BGJhMHdbuvTnl6jsOfC4+t7P2bUAYxoP6/ncxTzZ5OlBN5k
+aMv9firWl1kSKK75ww9DWn6j0rQ4dBetwX45EMcs+iKIdydg0fmJxR2EJ+uQsCFy
+xcWBEDqV7qLUi6UrAPL3v/DXUv9wKcKOTbKw/aNE8+YTWMUO330GCJ5cVU1eTL5t
+UrcNKOJkFIj7jJUCzv6vcy++hMJEbNXnnTVRnky6e9C2vwzMl33njntapg==
+-----END RSA PRIVATE KEY-----

data/spec/fixtures/certs/rsa-4096-public.pem

@@ -0,0 +1,14 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqETmgWBi5rCmb7euJplA
+/9xs65+bncc9Yvs5zjyycXSW82JfRuyguGm0OvA2wog24dR4N2kT/87DcGtp5JqJ
+WADVFNr+2V2r6i57/OMLruRpn3p2r95dmo0COE+BxPFl7XEBT8JbH57ZtpgcB3/x
+kS14nLOWFf96hrXPlXJC+VMVKVZmA8k2LRh42vT5wUf4U0Doy/p7yFNSFFa6Q8ww
+e4TBy/z/f+rhFD1w8rxlYjallee/ocm7bjZCwbJGMm7orLViqWfsFX3O35PeoJ5h
+/7uJ7iRwvTFERkTdwWP/0BeKBeItBR3YFc2mut+V9W+WKRkMSL6Crc+oVSx3p8aB
+7j9SZFzQiRtes4BYETpX1xl2mgIq5hvsFbLw7ESrlIodiwUMTrSIid2DQ6q80kv1
+zXPr4+Id6L0sJLxPCaXnTmNtasSwyedJJYxLjwhHJwtzFAeaq18H3O791YKhjAJ6
+YxK3zJ59jTE6Pkvqjq183f2PGHVRvgSN7aCmI6MBUUB5wDP2K8zX2sh40/uPDVSd
+6ei1vl3DpPk+h8iExx6AzbohfqZ+5RUUNx127L3MaQvOVC5TxV+R99gwKW++wzcV
+uO3m2KqVUj+K1uYBy3KBCUMBbckpEWGbN++jcdV5oJX6fsC66nOmKlntYwCL/pRw
+w+oLsbzF8J3dxeDbKNF9JDsCAwEAAQ==
+-----END PUBLIC KEY-----

data/spec/jwt/verify_spec.rb

@@ -0,0 +1,175 @@
+require 'spec_helper'
+require 'jwt/verify'
+
+module JWT
+  RSpec.describe Verify do
+    let(:base_payload) { { 'user_id' => 'some@user.tld' } }
+    let(:options) {  { leeway: 0} }
+
+    context '.verify_aud(payload, options)' do
+      let(:scalar_aud) { 'ruby-jwt-audience' }
+      let(:array_aud) { %w(ruby-jwt-aud test-aud ruby-ruby-ruby) }
+      let(:scalar_payload) { base_payload.merge('aud' => scalar_aud) }
+      let(:array_payload) { base_payload.merge('aud' => array_aud) }
+
+      it 'must raise JWT::InvalidAudError when the singular audience does not match' do
+        expect do
+          Verify.verify_aud(scalar_payload, options.merge(aud: 'no-match'))
+        end.to raise_error JWT::InvalidAudError
+      end
+
+      it 'must raise JWT::InvalidAudError when the payload has an array and none match the supplied value' do
+        expect do
+          Verify.verify_aud(array_payload, options.merge(aud: 'no-match'))
+        end.to raise_error JWT::InvalidAudError
+      end
+
+      it 'must raise JWT::InvalidAudError when the singular audience does not match and the options aud key is a string' do
+        expect do
+          Verify.verify_aud(scalar_payload, options.merge('aud' => 'no-match'))
+        end.to raise_error JWT::InvalidAudError
+      end
+
+      it 'must allow a matching singular audience to pass' do
+        Verify.verify_aud(scalar_payload, options.merge(aud: scalar_aud))
+      end
+
+      it 'must allow a matching audence to pass when the options key is a string' do
+        Verify.verify_aud(scalar_payload, options.merge('aud' => scalar_aud))
+      end
+
+      it 'must allow an array with any value matching the one in the options' do
+        Verify.verify_aud(array_payload, options.merge(aud: array_aud.first))
+      end
+
+      it 'must allow an array with any value matching the one in the options with a string options key' do
+        Verify.verify_aud(array_payload, options.merge('aud' => array_aud.first))
+      end
+    end
+
+    context '.verify_expiration(payload, options)' do
+      let(:leeway) { 10 }
+      let(:payload) { base_payload.merge('exp' => (Time.now.to_i - 5)) }
+
+      it 'must raise JWT::ExpiredSignature when the token has expired' do
+        expect do
+          Verify.verify_expiration(payload, options)
+        end.to raise_error JWT::ExpiredSignature
+      end
+
+      it 'must allow some leeway in the expiration when configured' do
+        Verify.verify_expiration(payload, options.merge(leeway: 10))
+      end
+    end
+
+    context '.verify_iat(payload, options)' do
+      let(:iat) { Time.now.to_f }
+      let(:payload) { base_payload.merge('iat' => iat) }
+
+      it 'must allow a valid iat' do
+        Verify.verify_iat(payload, options)
+      end
+
+      it 'must allow configured leeway' do
+        Verify.verify_iat(payload.merge('iat' => (iat + 60)), options.merge(leeway: 70))
+      end
+
+      it 'must properly handle integer times' do
+        Verify.verify_iat(payload.merge('iat' => Time.now.to_i), options)
+      end
+
+      it 'must raise JWT::InvalidIatError when the iat value is not Numeric' do
+        expect do
+          Verify.verify_iat(payload.merge('iat' => 'not a number'), options)
+        end.to raise_error JWT::InvalidIatError
+      end
+
+      it 'must raise JWT::InvalidIatError when the iat value is in the future' do
+        expect do
+          Verify.verify_iat(payload.merge('iat' => (iat + 120)), options)
+        end.to raise_error JWT::InvalidIatError
+      end
+    end
+
+    context '.verify_iss(payload, options)' do
+      let(:iss) { 'ruby-jwt-gem' }
+      let(:payload) { base_payload.merge('iss' => iss) }
+
+      let(:invalid_token) { JWT.encode base_payload, payload[:secret] }
+
+      it 'must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer' do
+        expect do
+          Verify.verify_iss(payload, options.merge(iss: 'mismatched-issuer'))
+        end.to raise_error JWT::InvalidIssuerError
+      end
+
+      it 'must raise JWT::InvalidIssuerError when the payload does not include an issuer' do
+        expect do
+          Verify.verify_iss(base_payload, options.merge(iss: iss))
+        end.to raise_error(JWT::InvalidIssuerError, /received <none>/)
+      end
+
+      it 'must allow a matching issuer to pass' do
+        Verify.verify_iss(payload, options.merge(iss: iss))
+      end
+    end
+
+    context '.verify_jti(payload, options)' do
+      let(:payload) { base_payload.merge('jti' => 'some-random-uuid-or-whatever') }
+
+      it 'must allow any jti when the verfy_jti key in the options is truthy but not a proc' do
+        Verify.verify_jti(payload, options.merge(verify_jti: true))
+      end
+
+      it 'must raise JWT::InvalidJtiError when the jti is missing' do
+        expect do
+          Verify.verify_jti(base_payload, options)
+        end.to raise_error JWT::InvalidJtiError, /missing/i
+      end
+
+      it 'must raise JWT::InvalidJtiError when the jti is an empty string' do
+        expect do
+          Verify.verify_jti(base_payload.merge('jti' => '   '), options)
+        end.to raise_error JWT::InvalidJtiError, /missing/i
+      end
+
+      it 'must raise JWT::InvalidJtiError when verify_jti proc returns false' do
+        expect do
+          Verify.verify_jti(payload, options.merge(verify_jti: ->(jti) { false }))
+        end.to raise_error JWT::InvalidJtiError, /invalid/i
+      end
+
+      it 'true proc should not raise JWT::InvalidJtiError' do
+        Verify.verify_jti(payload, options.merge(verify_jti: ->(jti) { true }))
+      end
+    end
+
+    context '.verify_not_before(payload, options)' do
+      let(:payload) { base_payload.merge('nbf' => (Time.now.to_i + 5)) }
+
+      it 'must raise JWT::ImmatureSignature when the nbf in the payload is in the future' do
+        expect do
+          Verify.verify_not_before(payload, options)
+        end.to raise_error JWT::ImmatureSignature
+      end
+
+      it 'must allow some leeway in the token age when configured' do
+        Verify.verify_not_before(payload, options.merge(leeway: 10))
+      end
+    end
+
+    context '.verify_sub(payload, options)' do
+      let(:sub) { 'ruby jwt subject' }
+
+      it 'must raise JWT::InvalidSubError when the subjects do not match' do
+        expect do
+          Verify.verify_sub(base_payload.merge('sub' => 'not-a-match'), options.merge(sub: sub))
+        end.to raise_error JWT::InvalidSubError
+      end
+
+      it 'must allow a matching sub' do
+        Verify.verify_sub(base_payload.merge('sub' => sub), options.merge(sub: sub))
+      end
+    end
+  end
+end