jwt 2.0.0 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c63d3d103ec14f12ea2b51b95ae8f5407dd7ace9
-  data.tar.gz: f1de3f1e8ddfb79aa690a1f6d44492c70d037942
+  metadata.gz: 0fca109273d0c036454af123d30bb3eb75f0de39
+  data.tar.gz: 8848296d35465d3411f71d882da73ef05663f6a6
 SHA512:
-  metadata.gz: 3b19fcd5018d17e4277a49abc5787cee37ff3991fc8cbcc97dbb00f50c3878fc08062d97e18e07cdaf5f8f2f09cfbf5a8937e11859ae9b44d90a8d5a20caa021
-  data.tar.gz: f9df1adefd0f0d4525567372c8283e72639b2ee67320a893ef03d470bbbd6afd09a65725d3eb3153f8c68e7d40f693c7da3a5ed138ab766a23aa6ebbfe5c62f6
+  metadata.gz: 213d4ea31197a90be8b8cd08ea92dee4659f47b884bc3571440697db979cf98b04e3d1cf487bc94a7a8a8f3f29ee34ebf48d7cc5bd9cfa9f2ca65a092bb2c3d3
+  data.tar.gz: 530335d90320cdc5501cc1f67984502f79a390641b904567971ad4858a285128cc4702dbf54d505324bcb1ea3ecdf5675057c942e9709ecf0f17b4099229c04d

data/.ebert.yml

@@ -1,4 +1,4 @@
-styleguide: plataformatec/linters
+styleguide: excpt/linters
 engines:
   reek:
     enabled: true
@@ -6,6 +6,7 @@ engines:
     enabled: true
   rubocop:
     enabled: true
+    channel: rubocop-0-49
   duplication:
     config:
       languages:

data/CHANGELOG.md

@@ -1,5 +1,36 @@
 # Change Log
 
+## [2.1.0](https://github.com/jwt/ruby-jwt/tree/2.1.0) (2017-10-06)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.0.0...2.1.0)
+
+**Implemented enhancements:**
+
+- Ed25519 support planned? [\#217](https://github.com/jwt/ruby-jwt/issues/217)
+- Verify JTI Proc [\#207](https://github.com/jwt/ruby-jwt/issues/207)
+- Allow a list of algorithms for decode [\#241](https://github.com/jwt/ruby-jwt/pull/241) ([lautis](https://github.com/lautis))
+- verify takes 2 params, second being payload closes: \#207 [\#238](https://github.com/jwt/ruby-jwt/pull/238) ([ab320012](https://github.com/ab320012))
+- simplified logic for keyfinder [\#237](https://github.com/jwt/ruby-jwt/pull/237) ([ab320012](https://github.com/ab320012))
+- Show backtrace if rbnacl-libsodium not loaded [\#231](https://github.com/jwt/ruby-jwt/pull/231) ([buzztaiki](https://github.com/buzztaiki))
+- Support for ED25519 [\#229](https://github.com/jwt/ruby-jwt/pull/229) ([ab320012](https://github.com/ab320012))
+
+**Fixed bugs:**
+
+- JWT.encode failing on encode for string [\#235](https://github.com/jwt/ruby-jwt/issues/235)
+- The README says it uses an algorithm by default [\#226](https://github.com/jwt/ruby-jwt/issues/226)
+- Fix string payload issue [\#236](https://github.com/jwt/ruby-jwt/pull/236) ([excpt](https://github.com/excpt))
+
+**Closed issues:**
+
+- Change from 1.5.6 to 2.0.0 and appears a "Completed 401 Unauthorized" [\#240](https://github.com/jwt/ruby-jwt/issues/240)
+- Why doesn't the decode function use a default algorithm? [\#227](https://github.com/jwt/ruby-jwt/issues/227)
+
+**Merged pull requests:**
+
+- Update README.md [\#242](https://github.com/jwt/ruby-jwt/pull/242) ([excpt](https://github.com/excpt))
+- Update ebert configuration [\#232](https://github.com/jwt/ruby-jwt/pull/232) ([excpt](https://github.com/excpt))
+- added algos/strategy classes + structs for inputs [\#230](https://github.com/jwt/ruby-jwt/pull/230) ([ab320012](https://github.com/ab320012))
+- Add HS256 algorithm to decode default options [\#228](https://github.com/jwt/ruby-jwt/pull/228) ([madkin10](https://github.com/madkin10))
+
 ## [v2.0.0](https://github.com/jwt/ruby-jwt/tree/v2.0.0) (2017-09-03)
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.0.0.beta1...v2.0.0)
 
@@ -18,6 +49,7 @@
 
 **Merged pull requests:**
 
+- Release 2.0.0 preparations :\) [\#225](https://github.com/jwt/ruby-jwt/pull/225) ([excpt](https://github.com/excpt))
 - Skip 'exp' claim validation for array payloads [\#224](https://github.com/jwt/ruby-jwt/pull/224) ([excpt](https://github.com/excpt))
 - Use a default leeway of 0 [\#223](https://github.com/jwt/ruby-jwt/pull/223) ([travisofthenorth](https://github.com/travisofthenorth))
 - Fix reported codesmells [\#221](https://github.com/jwt/ruby-jwt/pull/221) ([excpt](https://github.com/excpt))

data/README.md

@@ -61,9 +61,9 @@ decoded_token = JWT.decode token, nil, false
 puts decoded_token
 ```
 
-**HMAC** (default: HS256)
+**HMAC**
 
-* HS256 - HMAC using SHA-256 hash algorithm (default)
+* HS256 - HMAC using SHA-256 hash algorithm
 * HS512256 - HMAC using SHA-512-256 hash algorithm (only available with RbNaCl; see note below)
 * HS384 - HMAC using SHA-384 hash algorithm
 * HS512 - HMAC using SHA-512 hash algorithm
@@ -144,6 +144,35 @@ decoded_token = JWT.decode token, ecdsa_public, true, { :algorithm => 'ES256' }
 puts decoded_token
 ```
 
+**EDDSA**
+
+In order to use this algorithm you need to add the `RbNaCl` gem to you `Gemfile`.
+
+```ruby
+gem 'rbnacl'
+```
+
+For more detailed installation instruction check the official [repository](https://github.com/cryptosphere/rbnacl) on GitHub.
+
+* ED25519 
+
+```ruby 
+private_key = RbNaCl::Signatures::Ed25519::SigningKey.new("abcdefghijklmnopqrstuvwxyzABCDEF")
+public_key = private_key.verify_key
+token = JWT.encode payload, private_key, 'ED25519' 
+
+# eyJhbGciOiJFRDI1NTE5In0.eyJ0ZXN0IjoiZGF0YSJ9.-Ki0vxVOlsPXovPsYRT_9OXrLSgQd4RDAgCLY_PLmcP4q32RYy-yUUmX82ycegdekR9wo26me1wOzjmSU5nTCQ
+puts token
+
+decoded_token = JWT.decode token, public_key, true, {:algorithm => 'ED25519' } 
+# Array
+# [
+#  {"test"=>"data"}, # payload
+#  {"alg"=>"ED25519"} # header
+# ]
+
+```
+
 **RSASSA-PSS**
 
 Not implemented.

data/lib/jwt.rb

@@ -41,21 +41,23 @@ module JWT
   def decode_verify_signature(key, header, payload, signature, signing_input, options, &keyfinder)
     algo, key = signature_algorithm_and_key(header, payload, key, &keyfinder)
 
-    raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') unless options[:algorithm]
-    raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless algo == options[:algorithm]
+    raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms(options).empty?
+    raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless allowed_algorithms(options).include?(algo)
 
     Signature.verify(algo, key, signing_input, signature)
   end
 
   def signature_algorithm_and_key(header, payload, key, &keyfinder)
-    if keyfinder
-      key = if keyfinder.arity == 2
-        yield(header, payload)
-      else
-        yield(header)
-      end
-      raise JWT::DecodeError, 'No verification key available' unless key
-    end
+    key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header)) if keyfinder
+    raise JWT::DecodeError, 'No verification key available' unless key
     [header['alg'], key]
   end
+
+  def allowed_algorithms(options)
+    if options.key?(:algorithm)
+      [options[:algorithm]]
+    else
+      options[:algorithms] || []
+    end
+  end
 end

data/lib/jwt/algos/ecdsa.rb

@@ -0,0 +1,35 @@
+module JWT
+  module Algos
+    module Ecdsa
+      module_function
+
+      SUPPORTED = %(ES256 ES384 ES512).freeze
+      NAMED_CURVES = {
+        'prime256v1' => 'ES256',
+        'secp384r1' => 'ES384',
+        'secp521r1' => 'ES512'
+      }.freeze
+
+      def sign(to_sign)
+        algorithm, msg, key = to_sign.values
+        key_algorithm = NAMED_CURVES[key.group.curve_name]
+        if algorithm != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
+        end
+
+        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+        SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
+      end
+
+      def verify(to_verify)
+        algorithm, public_key, signing_input, signature = to_verify.values
+        key_algorithm = NAMED_CURVES[public_key.group.curve_name]
+        if algorithm != key_algorithm
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
+        end
+        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+        public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
+      end
+    end
+  end
+end

data/lib/jwt/algos/eddsa.rb

@@ -0,0 +1,23 @@
+module JWT
+  module Algos
+    module Eddsa
+      module_function
+
+      SUPPORTED = %w[ED25519].freeze
+
+      def sign(to_sign)
+        algorithm, msg, key = to_sign.values
+        raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey" if key.class != RbNaCl::Signatures::Ed25519::SigningKey
+        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"  if algorithm.downcase.to_sym != key.primitive
+        key.sign(msg)
+      end
+
+      def verify(to_verify)
+        algorithm, public_key, signing_input, signature = to_verify.values
+        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{public_key.primitive} verification key was provided" if algorithm.downcase.to_sym != public_key.primitive
+        raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
+        public_key.verify(signature, signing_input)
+      end
+    end
+  end
+end

data/lib/jwt/algos/hmac.rb

@@ -0,0 +1,33 @@
+module JWT
+  module Algos
+    module Hmac
+      module_function
+
+      SUPPORTED = %w[HS256 HS512256 HS384 HS512].freeze
+
+      def sign(to_sign)
+        algorithm, msg, key = to_sign.values
+        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
+        if authenticator && padded_key
+          authenticator.auth(padded_key, msg.encode('binary'))
+        else
+          OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
+        end
+      end
+
+      def verify(to_verify)
+        algorithm, public_key, signing_input, signature = to_verify.values
+        authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
+        if authenticator && padded_key
+          begin
+            authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
+          rescue RbNaCl::BadAuthenticatorError
+            false
+          end
+        else
+          SecurityUtils.secure_compare(signature, sign(JWT::Signature::ToSign.new(algorithm, signing_input, public_key)))
+        end
+      end
+    end
+  end
+end

data/lib/jwt/algos/rsa.rb

@@ -0,0 +1,19 @@
+module JWT
+  module Algos
+    module Rsa
+      module_function
+
+      SUPPORTED = %w[RS256 RS384 RS512].freeze
+
+      def sign(to_sign)
+        algorithm, msg, key = to_sign.values
+        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.class == String
+        key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
+      end
+
+      def verify(to_verify)
+        SecurityUtils.verify_rsa(to_verify.algorithm, to_verify.public_key, to_verify.signing_input, to_verify.signature)
+      end
+    end
+  end
+end

data/lib/jwt/algos/unsupported.rb

@@ -0,0 +1,16 @@
+module JWT
+  module Algos
+    module Unsupported
+      module_function
+
+      SUPPORTED = Object.new.tap { |object| object.define_singleton_method(:include?) { |*| true } }
+      def verify(*)
+        raise JWT::VerificationError, 'Algorithm not supported'
+      end
+
+      def sign(*)
+        raise NotImplementedError, 'Unsupported signing method'
+      end
+    end
+  end
+end

data/lib/jwt/default_options.rb

@@ -8,7 +8,8 @@ module JWT
       verify_jti: false,
       verify_aud: false,
       verify_sub: false,
-      leeway: 0
+      leeway: 0,
+      algorithms: ['HS256']
     }.freeze
   end
 end

data/lib/jwt/encode.rb

@@ -28,7 +28,7 @@ module JWT
     end
 
     def encoded_payload
-      raise InvalidPayload, 'exp claim must be an integer' if @payload && !@payload.is_a?(Array) && @payload.key?('exp') && !@payload['exp'].is_a?(Integer)
+      raise InvalidPayload, 'exp claim must be an integer' if @payload && @payload.is_a?(Hash) && @payload.key?('exp') && !@payload['exp'].is_a?(Integer)
       Encode.base64url_encode(JSON.generate(@payload))
     end
 

data/lib/jwt/security_utils.rb

@@ -3,7 +3,6 @@ module JWT
   #
   # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
   module SecurityUtils
-
     module_function
 
     def secure_compare(left, right)

data/lib/jwt/signature.rb

@@ -2,10 +2,15 @@
 
 require 'jwt/security_utils'
 require 'openssl'
+require 'jwt/algos/hmac'
+require 'jwt/algos/eddsa'
+require 'jwt/algos/ecdsa'
+require 'jwt/algos/rsa'
+require 'jwt/algos/unsupported'
 begin
   require 'rbnacl'
-rescue LoadError => e
-  abort(e.message) if defined?(RbNaCl)
+rescue LoadError
+  raise if defined?(RbNaCl)
 end
 
 # JWT::Signature module
@@ -13,94 +18,33 @@ module JWT
   # Signature logic for JWT
   module Signature
     extend self
-
-    HMAC_ALGORITHMS = %w[HS256 HS512256 HS384 HS512].freeze
-    RSA_ALGORITHMS = %w[RS256 RS384 RS512].freeze
-    ECDSA_ALGORITHMS = %w[ES256 ES384 ES512].freeze
-
-    NAMED_CURVES = {
-      'prime256v1' => 'ES256',
-      'secp384r1' => 'ES384',
-      'secp521r1' => 'ES512'
-    }.freeze
+    ALGOS = [
+      Algos::Hmac,
+      Algos::Ecdsa,
+      Algos::Rsa,
+      Algos::Eddsa,
+      Algos::Unsupported
+    ].freeze
+    ToSign = Struct.new(:algorithm, :msg, :key)
+    ToVerify = Struct.new(:algorithm, :public_key, :signing_input, :signature)
 
     def sign(algorithm, msg, key)
-      if HMAC_ALGORITHMS.include?(algorithm)
-        sign_hmac(algorithm, msg, key)
-      elsif RSA_ALGORITHMS.include?(algorithm)
-        sign_rsa(algorithm, msg, key)
-      elsif ECDSA_ALGORITHMS.include?(algorithm)
-        sign_ecdsa(algorithm, msg, key)
-      else
-        raise NotImplementedError, 'Unsupported signing method'
+      algo = ALGOS.find do |alg|
+        alg.const_get(:SUPPORTED).include? algorithm
       end
+      algo.sign ToSign.new(algorithm, msg, key)
     end
 
-    def verify(algo, key, signing_input, signature)
-      verified = if HMAC_ALGORITHMS.include?(algo)
-        verify_hmac(algo, key, signing_input, signature)
-      elsif RSA_ALGORITHMS.include?(algo)
-        SecurityUtils.verify_rsa(algo, key, signing_input, signature)
-      elsif ECDSA_ALGORITHMS.include?(algo)
-        verify_ecdsa(algo, key, signing_input, signature)
-      else
-        raise JWT::VerificationError, 'Algorithm not supported'
+    def verify(algorithm, key, signing_input, signature)
+      algo = ALGOS.find do |alg|
+        alg.const_get(:SUPPORTED).include? algorithm
       end
-
+      verified = algo.verify(ToVerify.new(algorithm, key, signing_input, signature))
       raise(JWT::VerificationError, 'Signature verification raised') unless verified
     rescue OpenSSL::PKey::PKeyError
       raise JWT::VerificationError, 'Signature verification raised'
     ensure
       OpenSSL.errors.clear
     end
-
-    private
-
-    def sign_rsa(algorithm, msg, private_key)
-      raise EncodeError, "The given key is a #{private_key.class}. It has to be an OpenSSL::PKey::RSA instance." if private_key.class == String
-      private_key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
-    end
-
-    def sign_ecdsa(algorithm, msg, private_key)
-      key_algorithm = NAMED_CURVES[private_key.group.curve_name]
-      if algorithm != key_algorithm
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
-      end
-
-      digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-      SecurityUtils.asn1_to_raw(private_key.dsa_sign_asn1(digest.digest(msg)), private_key)
-    end
-
-    def sign_hmac(algorithm, msg, key)
-      authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
-      if authenticator && padded_key
-        authenticator.auth(padded_key, msg.encode('binary'))
-      else
-        OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
-      end
-    end
-
-    def verify_ecdsa(algorithm, public_key, signing_input, signature)
-      key_algorithm = NAMED_CURVES[public_key.group.curve_name]
-      if algorithm != key_algorithm
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
-      end
-
-      digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-      public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
-    end
-
-    def verify_hmac(algorithm, public_key, signing_input, signature)
-      authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
-      if authenticator && padded_key
-        begin
-          authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
-        rescue RbNaCl::BadAuthenticatorError
-          false
-        end
-      else
-        SecurityUtils.secure_compare(signature, sign_hmac(algorithm, signing_input, public_key))
-      end
-    end
   end
 end

data/lib/jwt/verify.rb

@@ -52,9 +52,9 @@ module JWT
       return unless (options_iss = @options[:iss])
 
       iss = @payload['iss']
-      
+
       return if Array(options_iss).map(&:to_s).include?(iss.to_s)
-      
+
       raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
     end
 
@@ -63,7 +63,8 @@ module JWT
       jti = @payload['jti']
 
       if options_verify_jti.respond_to?(:call)
-        raise(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(jti)
+        verified = options_verify_jti.arity == 2 ? options_verify_jti.call(jti, @payload) : options_verify_jti.call(jti)
+        raise(JWT::InvalidJtiError, 'Invalid jti') unless verified
       elsif jti.to_s.strip.empty?
         raise(JWT::InvalidJtiError, 'Missing jti')
       end

data/lib/jwt/version.rb

@@ -12,7 +12,7 @@ module JWT
     # major version
     MAJOR = 2
     # minor version
-    MINOR = 0
+    MINOR = 1
     # tiny version
     TINY  = 0
     # alpha, beta, etc. tag

data/spec/jwt/verify_spec.rb

@@ -182,6 +182,19 @@ module JWT
       it 'true proc should not raise JWT::InvalidJtiError' do
         Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti) { true }))
       end
+
+      it 'it should not throw arguement error with 2 args' do
+        expect do
+          Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti, pl) {
+            true
+          }))
+        end.to_not raise_error
+      end
+      it 'should have payload as second param in proc' do
+        Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti, pl) {
+          expect(pl).to eq(payload)
+        }))
+      end
     end
 
     context '.verify_not_before(payload, options)' do

data/spec/jwt_spec.rb

@@ -19,6 +19,8 @@ describe JWT do
       'ES384_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-public.pem'))),
       'ES512_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-private.pem'))),
       'ES512_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-public.pem'))),
+      'ED25519_private' =>  RbNaCl::Signatures::Ed25519::SigningKey.new('abcdefghijklmnopqrstuvwxyzABCDEF'),
+      'ED25519_public' => RbNaCl::Signatures::Ed25519::SigningKey.new('abcdefghijklmnopqrstuvwxyzABCDEF').verify_key,
       'NONE' => 'eyJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.',
       'HS256' => 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.kWOVtIOpWcG7JnyJG0qOkTDbOy636XrrQhMm_8JrRQ8',
       'HS512256' => 'eyJhbGciOiJIUzUxMjI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Ds_4ibvf7z4QOBoKntEjDfthy3WJ-3rKMspTEcHE2bA',
@@ -132,6 +134,41 @@ describe JWT do
     end
   end
 
+  %w[ED25519].each do |alg|
+    context "alg: #{alg}" do
+      before(:each) do
+        data[alg] = JWT.encode payload, data["#{alg}_private"], alg
+      end
+
+      let(:wrong_key) { OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-wrong-public.pem'))) }
+
+      it 'should generate a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
+
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
+
+      it 'should decode a valid token' do
+        jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
+
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
+
+      it 'wrong key should raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key
+        end.to raise_error JWT::DecodeError
+      end
+
+      it 'wrong key and verify = false should not raise JWT::DecodeError' do
+        expect do
+          JWT.decode data[alg], wrong_key, false
+        end.not_to raise_error
+      end
+    end
+  end
   %w[ES256 ES384 ES512].each do |alg|
     context "alg: #{alg}" do
       before(:each) do
@@ -194,24 +231,39 @@ describe JWT do
 
   context 'Verify' do
     context 'algorithm' do
-      it 'should raise JWT::IncorrectAlgorithm on missmatch' do
-        token = JWT.encode payload, data[:secret], 'HS512'
+      it 'should raise JWT::IncorrectAlgorithm on mismatch' do
+        token = JWT.encode payload, data[:secret], 'HS256'
 
         expect do
           JWT.decode token, data[:secret], true, algorithm: 'HS384'
         end.to raise_error JWT::IncorrectAlgorithm
 
         expect do
-          JWT.decode token, data[:secret], true, algorithm: 'HS512'
+          JWT.decode token, data[:secret], true, algorithm: 'HS256'
         end.not_to raise_error
       end
 
-      it 'should raise JWT::IncorrectAlgorithm if no algorithm is provided' do
-        token = JWT.encode payload, data[:rsa_public].to_s, 'HS256'
+      it 'should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm' do
+        token = JWT.encode payload, data[:secret], 'HS512'
 
         expect do
-          JWT.decode token, data[:rsa_public], true
+          JWT.decode token, data[:secret], true, algorithms: ['HS384']
         end.to raise_error JWT::IncorrectAlgorithm
+
+        expect do
+          JWT.decode token, data[:secret], true, algorithms: ['HS512', 'HS384']
+        end.not_to raise_error
+      end
+
+      context 'no algorithm provided' do
+        it 'should use the default decode algorithm' do
+          token = JWT.encode payload, data[:rsa_public].to_s
+
+          jwt_payload, header = JWT.decode token, data[:rsa_public].to_s
+
+          expect(header['alg']).to eq 'HS256'
+          expect(jwt_payload).to eq payload
+        end
       end
     end
 
@@ -254,4 +306,10 @@ describe JWT do
       JWT.encode(['my', 'payload'], 'secret')
     end.not_to raise_error
   end
+
+  it 'should encode string payloads' do
+    expect do
+      JWT.encode 'Hello World', 'secret'
+    end.not_to raise_error
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 2.1.0
 platform: ruby
 authors:
 - Tim Rudat
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-09-03 00:00:00.000000000 Z
+date: 2017-10-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -143,6 +143,11 @@ files:
 - README.md
 - Rakefile
 - lib/jwt.rb
+- lib/jwt/algos/ecdsa.rb
+- lib/jwt/algos/eddsa.rb
+- lib/jwt/algos/hmac.rb
+- lib/jwt/algos/rsa.rb
+- lib/jwt/algos/unsupported.rb
 - lib/jwt/decode.rb
 - lib/jwt/default_options.rb
 - lib/jwt/encode.rb