jwt 2.0.0 → 2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (57)
  1. checksums.yaml +5 -5
  2. data/.ebert.yml +2 -1
  3. data/.gitignore +1 -1
  4. data/.travis.yml +18 -3
  5. data/AUTHORS +84 -0
  6. data/Appraisals +18 -0
  7. data/CHANGELOG.md +223 -18
  8. data/README.md +136 -81
  9. data/lib/jwt.rb +9 -40
  10. data/lib/jwt/algos/ecdsa.rb +35 -0
  11. data/lib/jwt/algos/eddsa.rb +23 -0
  12. data/lib/jwt/algos/hmac.rb +34 -0
  13. data/lib/jwt/algos/ps.rb +43 -0
  14. data/lib/jwt/algos/rsa.rb +19 -0
  15. data/lib/jwt/algos/unsupported.rb +16 -0
  16. data/lib/jwt/base64.rb +19 -0
  17. data/lib/jwt/claims_validator.rb +33 -0
  18. data/lib/jwt/decode.rb +83 -25
  19. data/lib/jwt/default_options.rb +2 -1
  20. data/lib/jwt/encode.rb +42 -25
  21. data/lib/jwt/error.rb +4 -0
  22. data/lib/jwt/json.rb +18 -0
  23. data/lib/jwt/jwk.rb +31 -0
  24. data/lib/jwt/jwk/key_finder.rb +57 -0
  25. data/lib/jwt/jwk/rsa.rb +54 -0
  26. data/lib/jwt/security_utils.rb +6 -1
  27. data/lib/jwt/signature.rb +27 -79
  28. data/lib/jwt/verify.rb +5 -8
  29. data/lib/jwt/version.rb +2 -2
  30. data/ruby-jwt.gemspec +7 -4
  31. metadata +54 -63
  32. data/.reek.yml +0 -40
  33. data/Manifest +0 -8
  34. data/spec/fixtures/certs/ec256-private.pem +0 -8
  35. data/spec/fixtures/certs/ec256-public.pem +0 -4
  36. data/spec/fixtures/certs/ec256-wrong-private.pem +0 -8
  37. data/spec/fixtures/certs/ec256-wrong-public.pem +0 -4
  38. data/spec/fixtures/certs/ec384-private.pem +0 -9
  39. data/spec/fixtures/certs/ec384-public.pem +0 -5
  40. data/spec/fixtures/certs/ec384-wrong-private.pem +0 -9
  41. data/spec/fixtures/certs/ec384-wrong-public.pem +0 -5
  42. data/spec/fixtures/certs/ec512-private.pem +0 -10
  43. data/spec/fixtures/certs/ec512-public.pem +0 -6
  44. data/spec/fixtures/certs/ec512-wrong-private.pem +0 -10
  45. data/spec/fixtures/certs/ec512-wrong-public.pem +0 -6
  46. data/spec/fixtures/certs/rsa-1024-private.pem +0 -15
  47. data/spec/fixtures/certs/rsa-1024-public.pem +0 -6
  48. data/spec/fixtures/certs/rsa-2048-private.pem +0 -27
  49. data/spec/fixtures/certs/rsa-2048-public.pem +0 -9
  50. data/spec/fixtures/certs/rsa-2048-wrong-private.pem +0 -27
  51. data/spec/fixtures/certs/rsa-2048-wrong-public.pem +0 -9
  52. data/spec/fixtures/certs/rsa-4096-private.pem +0 -51
  53. data/spec/fixtures/certs/rsa-4096-public.pem +0 -14
  54. data/spec/integration/readme_examples_spec.rb +0 -202
  55. data/spec/jwt/verify_spec.rb +0 -219
  56. data/spec/jwt_spec.rb +0 -257
  57. data/spec/spec_helper.rb +0 -28
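--- a/data/spec/jwt/verify_spec.rb
+++ b/data/spec/jwt/verify_spec.rb
@@ -1,219 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-require 'jwt/verify'
-
-module JWT
-RSpec.describe Verify do
-let(:base_payload) { { 'user_id' => 'some@user.tld' } }
-let(:options) { { leeway: 0 } }
-
-context '.verify_aud(payload, options)' do
-let(:scalar_aud) { 'ruby-jwt-aud' }
-let(:array_aud) { %w[ruby-jwt-aud test-aud ruby-ruby-ruby] }
-let(:scalar_payload) { base_payload.merge('aud' => scalar_aud) }
-let(:array_payload) { base_payload.merge('aud' => array_aud) }
-
-it 'must raise JWT::InvalidAudError when the singular audience does not match' do
-expect do
-Verify.verify_aud(scalar_payload, options.merge(aud: 'no-match'))
-end.to raise_error JWT::InvalidAudError
-end
-
-it 'must raise JWT::InvalidAudError when the payload has an array and none match the supplied value' do
-expect do
-Verify.verify_aud(array_payload, options.merge(aud: 'no-match'))
-end.to raise_error JWT::InvalidAudError
-end
-
-it 'must allow a matching singular audience to pass' do
-Verify.verify_aud(scalar_payload, options.merge(aud: scalar_aud))
-end
-
-it 'must allow an array with any value matching the one in the options' do
-Verify.verify_aud(array_payload, options.merge(aud: array_aud.first))
-end
-
-it 'must allow an array with any value matching any value in the options array' do
-Verify.verify_aud(array_payload, options.merge(aud: array_aud))
-end
-
-it 'must allow a singular audience payload matching any value in the options array' do
-Verify.verify_aud(scalar_payload, options.merge(aud: array_aud))
-end
-end
-
-context '.verify_expiration(payload, options)' do
-let(:payload) { base_payload.merge('exp' => (Time.now.to_i - 5)) }
-
-it 'must raise JWT::ExpiredSignature when the token has expired' do
-expect do
-Verify.verify_expiration(payload, options)
-end.to raise_error JWT::ExpiredSignature
-end
-
-it 'must allow some leeway in the expiration when global leeway is configured' do
-Verify.verify_expiration(payload, options.merge(leeway: 10))
-end
-
-it 'must allow some leeway in the expiration when exp_leeway is configured' do
-Verify.verify_expiration(payload, options.merge(exp_leeway: 10))
-end
-
-it 'must be expired if the exp claim equals the current time' do
-payload['exp'] = Time.now.to_i
-
-expect do
-Verify.verify_expiration(payload, options)
-end.to raise_error JWT::ExpiredSignature
-end
-
-context 'when leeway is not specified' do
-let(:options) { {} }
-
-it 'used a default leeway of 0' do
-expect do
-Verify.verify_expiration(payload, options)
-end.to raise_error JWT::ExpiredSignature
-end
-end
-end
-
-context '.verify_iat(payload, options)' do
-let(:iat) { Time.now.to_f }
-let(:payload) { base_payload.merge('iat' => iat) }
-
-it 'must allow a valid iat' do
-Verify.verify_iat(payload, options)
-end
-
-it 'must allow configured leeway' do
-Verify.verify_iat(payload.merge('iat' => (iat + 60)), options.merge(leeway: 70))
-end
-
-it 'must allow configured iat_leeway' do
-Verify.verify_iat(payload.merge('iat' => (iat + 60)), options.merge(iat_leeway: 70))
-end
-
-it 'must properly handle integer times' do
-Verify.verify_iat(payload.merge('iat' => Time.now.to_i), options)
-end
-
-it 'must raise JWT::InvalidIatError when the iat value is not Numeric' do
-expect do
-Verify.verify_iat(payload.merge('iat' => 'not a number'), options)
-end.to raise_error JWT::InvalidIatError
-end
-
-it 'must raise JWT::InvalidIatError when the iat value is in the future' do
-expect do
-Verify.verify_iat(payload.merge('iat' => (iat + 120)), options)
-end.to raise_error JWT::InvalidIatError
-end
-end
-
-context '.verify_iss(payload, options)' do
-let(:iss) { 'ruby-jwt-gem' }
-let(:payload) { base_payload.merge('iss' => iss) }
-
-let(:invalid_token) { JWT.encode base_payload, payload[:secret] }
-
-context 'when iss is a String' do
-it 'must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer' do
-expect do
-Verify.verify_iss(payload, options.merge(iss: 'mismatched-issuer'))
-end.to raise_error JWT::InvalidIssuerError
-end
-
-it 'must raise JWT::InvalidIssuerError when the payload does not include an issuer' do
-expect do
-Verify.verify_iss(base_payload, options.merge(iss: iss))
-end.to raise_error(JWT::InvalidIssuerError, /received <none>/)
-end
-
-it 'must allow a matching issuer to pass' do
-Verify.verify_iss(payload, options.merge(iss: iss))
-end
-end
-context 'when iss is an Array' do
-it 'must raise JWT::InvalidIssuerError when no matching issuers in array' do
-expect do
-Verify.verify_iss(payload, options.merge(iss: %w[first second]))
-end.to raise_error JWT::InvalidIssuerError
-end
-
-it 'must raise JWT::InvalidIssuerError when the payload does not include an issuer' do
-expect do
-Verify.verify_iss(base_payload, options.merge(iss: %w[first second]))
-end.to raise_error(JWT::InvalidIssuerError, /received <none>/)
-end
-
-it 'must allow an array with matching issuer to pass' do
-Verify.verify_iss(payload, options.merge(iss: ['first', iss, 'third']))
-end
-end
-end
-
-context '.verify_jti(payload, options)' do
-let(:payload) { base_payload.merge('jti' => 'some-random-uuid-or-whatever') }
-
-it 'must allow any jti when the verfy_jti key in the options is truthy but not a proc' do
-Verify.verify_jti(payload, options.merge(verify_jti: true))
-end
-
-it 'must raise JWT::InvalidJtiError when the jti is missing' do
-expect do
-Verify.verify_jti(base_payload, options)
-end.to raise_error JWT::InvalidJtiError, /missing/i
-end
-
-it 'must raise JWT::InvalidJtiError when the jti is an empty string' do
-expect do
-Verify.verify_jti(base_payload.merge('jti' => ' '), options)
-end.to raise_error JWT::InvalidJtiError, /missing/i
-end
-
-it 'must raise JWT::InvalidJtiError when verify_jti proc returns false' do
-expect do
-Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti) { false }))
-end.to raise_error JWT::InvalidJtiError, /invalid/i
-end
-
-it 'true proc should not raise JWT::InvalidJtiError' do
-Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti) { true }))
-end
-end
-
-context '.verify_not_before(payload, options)' do
-let(:payload) { base_payload.merge('nbf' => (Time.now.to_i + 5)) }
-
-it 'must raise JWT::ImmatureSignature when the nbf in the payload is in the future' do
-expect do
-Verify.verify_not_before(payload, options)
-end.to raise_error JWT::ImmatureSignature
-end
-
-it 'must allow some leeway in the token age when global leeway is configured' do
-Verify.verify_not_before(payload, options.merge(leeway: 10))
-end
-
-it 'must allow some leeway in the token age when nbf_leeway is configured' do
-Verify.verify_not_before(payload, options.merge(nbf_leeway: 10))
-end
-end
-
-context '.verify_sub(payload, options)' do
-let(:sub) { 'ruby jwt subject' }
-
-it 'must raise JWT::InvalidSubError when the subjects do not match' do
-expect do
-Verify.verify_sub(base_payload.merge('sub' => 'not-a-match'), options.merge(sub: sub))
-end.to raise_error JWT::InvalidSubError
-end
-
-it 'must allow a matching sub' do
-Verify.verify_sub(base_payload.merge('sub' => sub), options.merge(sub: sub))
-end
-end
-end
-end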
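--- a/data/spec/jwt_spec.rb
+++ b/data/spec/jwt_spec.rb
@@ -1,257 +0,0 @@
-require 'spec_helper'
-require 'jwt'
-require 'jwt/encode'
-require 'jwt/decode'
-
-describe JWT do
-let(:payload) { { 'user_id' => 'some@user.tld' } }
-
-let :data do
-{
-:secret => 'My$ecretK3y',
-:rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-private.pem'))),
-:rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-public.pem'))),
-:wrong_rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
-:wrong_rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
-'ES256_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-private.pem'))),
-'ES256_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-public.pem'))),
-'ES384_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-private.pem'))),
-'ES384_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-public.pem'))),
-'ES512_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-private.pem'))),
-'ES512_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-public.pem'))),
-'NONE' => 'eyJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.',
-'HS256' => 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.kWOVtIOpWcG7JnyJG0qOkTDbOy636XrrQhMm_8JrRQ8',
-'HS512256' => 'eyJhbGciOiJIUzUxMjI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Ds_4ibvf7z4QOBoKntEjDfthy3WJ-3rKMspTEcHE2bA',
-'HS384' => 'eyJhbGciOiJIUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.VuV4j4A1HKhWxCNzEcwc9qVF3frrEu-BRLzvYPkbWO0LENRGy5dOiBQ34remM3XH',
-'HS512' => 'eyJhbGciOiJIUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.8zNtCBTJIZTHpZ-BkhR-6sZY1K85Nm5YCKqV3AxRdsBJDt_RR-REH2db4T3Y0uQwNknhrCnZGvhNHrvhDwV1kA',
-'RS256' => 'eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.eSXvWP4GViiwUALj_-qTxU68I1oM0XjgDsCZBBUri2Ghh9d75QkVDoZ_v872GaqunN5A5xcnBK0-cOq-CR6OwibgJWfOt69GNzw5RrOfQ2mz3QI3NYEq080nF69h8BeqkiaXhI24Q51joEgfa9aj5Y-oitLAmtDPYTm7vTcdGufd6AwD3_3jajKBwkh0LPSeMtbe_5EyS94nFoEF9OQuhJYjUmp7agsBVa8FFEjVw5jEgVqkvERSj5hSY4nEiCAomdVxIKBfykyi0d12cgjhI7mBFwWkPku8XIPGZ7N8vpiSLdM68BnUqIK5qR7NAhtvT7iyLFgOqhZNUQ6Ret5VpQ',
-'RS384' => 'eyJhbGciOiJSUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Sfgk56moPghtsjaP4so6tOy3I553mgwX-5gByMC6dX8lpeWgsxSeAd_K8IyO7u4lwYOL0DSftnqO1HEOuN1AKyBbDvaTXz3u2xNA2x4NYLdW4AZA6ritbYcKLO5BHTXw5ueMbtA1jjGXP0zI_aK2iJTMBmB8SCF88RYBUH01Tyf4PlLj98pGL-v3prZd6kZkIeRJ3326h04hslcB5HQKmgeBk24QNLIoIC-CD329HPjJ7TtGx01lj-ehTBnwVbBGzYFAyoalV5KgvL_MDOfWPr1OYHnR5s_Fm6_3Vg4u6lBljvHOrmv4Nfx7d8HLgbo8CwH4qn1wm6VQCtuDd-uhRg',
-'RS512' => 'eyJhbGciOiJSUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.LIIAUEuCkGNdpYguOO5LoW4rZ7ED2POJrB0pmEAAchyTdIK4HKh1jcLxc6KyGwZv40njCgub3y72q6vcQTn7oD0zWFCVQRIDW1911Ii2hRNHuigiPUnrnZh1OQ6z65VZRU6GKs8omoBGU9vrClBU0ODqYE16KxYmE_0n4Xw2h3D_L1LF0IAOtDWKBRDa3QHwZRM9sHsHNsBuD5ye9KzDYN1YALXj64LBfA-DoCKfpVAm9NkRPOyzjR2X2C3TomOSJgqWIVHJucudKDDAZyEbO4RA5pI-UFYy1370p9bRajvtDyoBuLDCzoSkMyQ4L2DnLhx5CbWcnD7Cd3GUmnjjTA',
-'ES256' => '',
-'ES384' => '',
-'ES512' => ''
-}
-end
-
-after(:each) do
-expect(OpenSSL.errors).to be_empty
-end
-
-context 'alg: NONE' do
-let(:alg) { 'none' }
-
-it 'should generate a valid token' do
-token = JWT.encode payload, nil, alg
-
-expect(token).to eq data['NONE']
-end
-
-it 'should decode a valid token' do
-jwt_payload, header = JWT.decode data['NONE'], nil, false
-
-expect(header['alg']).to eq alg
-expect(jwt_payload).to eq payload
-end
-
-it 'should display a better error message if payload exp is_a?(Time)' do
-payload['exp'] = Time.now
-
-expect do
-JWT.encode payload, nil, alg
-end.to raise_error JWT::InvalidPayload
-end
-
-it 'should display a better error message if payload exp is not an Integer' do
-payload['exp'] = Time.now.to_i.to_s
-
-expect do
-JWT.encode payload, nil, alg
-end.to raise_error JWT::InvalidPayload
-end
-end
-
-%w[HS256 HS512256 HS384 HS512].each do |alg|
-context "alg: #{alg}" do
-it 'should generate a valid token' do
-token = JWT.encode payload, data[:secret], alg
-
-expect(token).to eq data[alg]
-end
-
-it 'should decode a valid token' do
-jwt_payload, header = JWT.decode data[alg], data[:secret], true, algorithm: alg
-
-expect(header['alg']).to eq alg
-expect(jwt_payload).to eq payload
-end
-
-it 'wrong secret should raise JWT::DecodeError' do
-expect do
-JWT.decode data[alg], 'wrong_secret', true, algorithm: alg
-end.to raise_error JWT::VerificationError
-end
-
-it 'wrong secret and verify = false should not raise JWT::DecodeError' do
-expect do
-JWT.decode data[alg], 'wrong_secret', false
-end.not_to raise_error
-end
-end
-end
-
-%w[RS256 RS384 RS512].each do |alg|
-context "alg: #{alg}" do
-it 'should generate a valid token' do
-token = JWT.encode payload, data[:rsa_private], alg
-
-expect(token).to eq data[alg]
-end
-
-it 'should decode a valid token' do
-jwt_payload, header = JWT.decode data[alg], data[:rsa_public], true, algorithm: alg
-
-expect(header['alg']).to eq alg
-expect(jwt_payload).to eq payload
-end
-
-it 'wrong key should raise JWT::DecodeError' do
-key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
-
-expect do
-JWT.decode data[alg], key, true, algorithm: alg
-end.to raise_error JWT::DecodeError
-end
-
-it 'wrong key and verify = false should not raise JWT::DecodeError' do
-key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
-
-expect do
-JWT.decode data[alg], key, false
-end.not_to raise_error
-end
-end
-end
-
-%w[ES256 ES384 ES512].each do |alg|
-context "alg: #{alg}" do
-before(:each) do
-data[alg] = JWT.encode payload, data["#{alg}_private"], alg
-end
-
-let(:wrong_key) { OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-wrong-public.pem'))) }
-
-it 'should generate a valid token' do
-jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-
-expect(header['alg']).to eq alg
-expect(jwt_payload).to eq payload
-end
-
-it 'should decode a valid token' do
-jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"], true, algorithm: alg
-
-expect(header['alg']).to eq alg
-expect(jwt_payload).to eq payload
-end
-
-it 'wrong key should raise JWT::DecodeError' do
-expect do
-JWT.decode data[alg], wrong_key
-end.to raise_error JWT::DecodeError
-end
-
-it 'wrong key and verify = false should not raise JWT::DecodeError' do
-expect do
-JWT.decode data[alg], wrong_key, false
-end.not_to raise_error
-end
-end
-end
-
-context 'Invalid' do
-it 'algorithm should raise NotImplementedError' do
-expect do
-JWT.encode payload, 'secret', 'HS255'
-end.to raise_error NotImplementedError
-end
-
-it 'ECDSA curve_name should raise JWT::IncorrectAlgorithm' do
-key = OpenSSL::PKey::EC.new 'secp256k1'
-key.generate_key
-
-expect do
-JWT.encode payload, key, 'ES256'
-end.to raise_error JWT::IncorrectAlgorithm
-
-token = JWT.encode payload, data['ES256_private'], 'ES256'
-key.private_key = nil
-
-expect do
-JWT.decode token, key
-end.to raise_error JWT::IncorrectAlgorithm
-end
-end
-
-context 'Verify' do
-context 'algorithm' do
-it 'should raise JWT::IncorrectAlgorithm on missmatch' do
-token = JWT.encode payload, data[:secret], 'HS512'
-
-expect do
-JWT.decode token, data[:secret], true, algorithm: 'HS384'
-end.to raise_error JWT::IncorrectAlgorithm
-
-expect do
-JWT.decode token, data[:secret], true, algorithm: 'HS512'
-end.not_to raise_error
-end
-
-it 'should raise JWT::IncorrectAlgorithm if no algorithm is provided' do
-token = JWT.encode payload, data[:rsa_public].to_s, 'HS256'
-
-expect do
-JWT.decode token, data[:rsa_public], true
-end.to raise_error JWT::IncorrectAlgorithm
-end
-end
-
-context 'issuer claim' do
-let(:iss) { 'ruby-jwt-gem' }
-let(:invalid_token) { JWT.encode payload, data[:secret] }
-
-let :token do
-iss_payload = payload.merge(iss: iss)
-JWT.encode iss_payload, data[:secret]
-end
-
-it 'if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError' do
-expect do
-JWT.decode token, data[:secret], true, iss: iss, algorithm: 'HS256'
-end.not_to raise_error
-end
-end
-end
-
-context 'Base64' do
-it 'urlsafe replace + / with - _' do
-allow(Base64).to receive(:encode64) { 'string+with/non+url-safe/characters_' }
-expect(JWT::Encode.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_')
-end
-end
-
-it 'should not verify token even if the payload has claims' do
-head = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9'
-load = 'eyJ1c2VyX2lkIjo1NCwiZXhwIjoxNTA0MzkwODA0fQ'
-sign = 'Skpi6FfYMbZ-DwW9ocyRIosNMdPMAIWRLYxRO68GTQk'
-
-expect do
-JWT.decode([head, load, sign].join('.'), '', false)
-end.not_to raise_error
-end
-
-it 'should not raise InvalidPayload exception if payload is an array' do
-expect do
-JWT.encode(['my', 'payload'], 'secret')
-end.not_to raise_error
-end
-end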