jwt 2.2.3 → 2.4.0

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,84 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at antmanj@gmail.com. All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of actions.
+
+**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior,  harassment of an individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0,
+available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the FAQ at
+https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.

data/Gemfile

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 gemspec
 
-gem 'rubocop', '~> 0.52.0' # Same as codeclimate default
+gem 'rubocop', '~> 1.23.0' # Keep .codeclimate.yml channel in sync with this one

data/README.md

@@ -38,11 +38,11 @@ And run `bundle install`
 
 ## Algorithms and Usage
 
-The JWT spec supports NONE, HMAC, RSASSA, ECDSA and RSASSA-PSS algorithms for cryptographic signing. Currently the jwt gem supports NONE, HMAC, RSASSA and ECDSA. If you are using cryptographic signing, you need to specify the algorithm in the options hash whenever you call JWT.decode to ensure that an attacker [cannot bypass the algorithm verification step](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/). **It is strongly recommended that you hard code the algorithm, as you may leave yourself vulnerable by dynamically picking the algorithm**
+The JWT spec supports NONE, HMAC, RSASSA, ECDSA and RSASSA-PSS algorithms for cryptographic signing. Currently the jwt gem supports NONE, HMAC, RSASSA and ECDSA. If you are using cryptographic signing, you need to specify the algorithm in the options hash whenever you call JWT.decode to ensure that an attacker [cannot bypass the algorithm verification step](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/). **It is strongly recommended that you hard code the algorithm, as you may leave yourself vulnerable by dynamically picking the algorithm**
 
 See: [ JSON Web Algorithms (JWA) 3.1. "alg" (Algorithm) Header Parameter Values for JWS](https://tools.ietf.org/html/rfc7518#section-3.1)
 
-**NONE**
+### **NONE**
 
 * none - unsigned token
 
@@ -68,7 +68,7 @@ decoded_token = JWT.decode token, nil, false
 puts decoded_token
 ```
 
-**HMAC**
+### **HMAC**
 
 * HS256 - HMAC using SHA-256 hash algorithm
 * HS512256 - HMAC using SHA-512-256 hash algorithm (only available with RbNaCl; see note below)
@@ -76,6 +76,7 @@ puts decoded_token
 * HS512 - HMAC using SHA-512 hash algorithm
 
 ```ruby
+# The secret must be a string. A JWT::DecodeError will be raised if it isn't provided.
 hmac_secret = 'my$ecretK3y'
 
 token = JWT.encode payload, hmac_secret, 'HS256'
@@ -85,21 +86,6 @@ puts token
 
 decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
 
-# Array
-# [
-#   {"data"=>"test"}, # payload
-#   {"alg"=>"HS256"} # header
-# ]
-puts decoded_token
-
-# Without secret key
-token = JWT.encode payload, nil, 'HS256'
-
-# eyJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoidGVzdCJ9.pVzcY2dX8JNM3LzIYeP2B1e1Wcpt1K3TWVvIYSF4x-o
-puts token
-
-decoded_token = JWT.decode token, nil, true, { algorithm: 'HS256' }
-
 # Array
 # [
 #   {"data"=>"test"}, # payload
@@ -114,7 +100,7 @@ Note: If [RbNaCl](https://github.com/cryptosphere/rbnacl) is loadable, ruby-jwt
 [libsodium](https://github.com/jedisct1/libsodium), it can be installed
 on MacOS with `brew install libsodium`.
 
-**RSA**
+### **RSA**
 
 * RS256 - RSA using SHA-256 hash algorithm
 * RS384 - RSA using SHA-384 hash algorithm
@@ -139,7 +125,7 @@ decoded_token = JWT.decode token, rsa_public, true, { algorithm: 'RS256' }
 puts decoded_token
 ```
 
-**ECDSA**
+### **ECDSA**
 
 * ES256 - ECDSA using P-256 and SHA-256
 * ES384 - ECDSA using P-384 and SHA-384
@@ -166,7 +152,7 @@ decoded_token = JWT.decode token, ecdsa_public, true, { algorithm: 'ES256' }
 puts decoded_token
 ```
 
-**EDDSA**
+### **EDDSA**
 
 In order to use this algorithm you need to add the `RbNaCl` gem to you `Gemfile`.
 
@@ -195,7 +181,7 @@ decoded_token = JWT.decode token, public_key, true, { algorithm: 'ED25519' }
 
 ```
 
-**RSASSA-PSS**
+### **RSASSA-PSS**
 
 In order to use this algorithm you need to add the `openssl` gem to you `Gemfile` with a version greater or equal to `2.1`.
 
@@ -384,6 +370,36 @@ rescue JWT::InvalidIssuerError
 end
 ```
 
+You can also pass a Regexp or Proc (with arity 1), verification will pass if the regexp matches or the proc returns truthy.
+On supported ruby versions (>= 2.5) you can also delegate to methods, on older versions you will have
+to convert them to proc (using `to_proc`)
+
+```ruby
+JWT.decode token, hmac_secret, true,
+           iss: %r'https://my.awesome.website/',
+           verify_iss: true,
+           algorithm: 'HS256'
+```
+
+```ruby
+JWT.decode token, hmac_secret, true,
+           iss: ->(issuer) { issuer.start_with?('My Awesome Company Inc') },
+           verify_iss: true,
+           algorithm: 'HS256'
+```
+
+```ruby
+JWT.decode token, hmac_secret, true,
+           iss: method(:valid_issuer?),
+           verify_iss: true,
+           algorithm: 'HS256'
+
+# somewhere in the same class:
+def valid_issuer?(issuer)
+  # custom validation
+end
+```
+
 ### Audience Claim
 
 From [Oauth JSON Web Token 4.1.3. "aud" (Audience) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.3):
@@ -474,12 +490,63 @@ rescue JWT::InvalidSubError
 end
 ```
 
+### Finding a Key
+
+To dynamically find the key for verifying the JWT signature, pass a block to the decode block. The block receives headers and the original payload as parameters. It should return with the key to verify the signature that was used to sign the JWT.
+
+```ruby
+issuers = %w[My_Awesome_Company1 My_Awesome_Company2]
+iss_payload = { data: 'data', iss: issuers.first }
+
+secrets = { issuers.first => hmac_secret, issuers.last => 'hmac_secret2' }
+
+token = JWT.encode iss_payload, hmac_secret, 'HS256'
+
+begin
+  # Add iss to the validation to check if the token has been manipulated
+  decoded_token = JWT.decode(token, nil, true, { iss: issuers, verify_iss: true, algorithm: 'HS256' }) do |_headers, payload|
+    secrets[payload['iss']]
+  end
+rescue JWT::InvalidIssuerError
+  # Handle invalid token, e.g. logout user or deny access
+end
+```
+
+### Required Claims
+
+You can specify claims that must be present for decoding to be successful. JWT::MissingRequiredClaim will be raised if any are missing
+```ruby
+# Will raise a JWT::MissingRequiredClaim error if the 'exp' claim is absent
+JWT.decode token, hmac_secret, true, { required_claims: ['exp'], algorithm: 'HS256' }
+```
+
+### X.509 certificates in x5c header
+
+A JWT signature can be verified using certificate(s) given in the `x5c` header. Before doing that, the trustworthiness of these certificate(s) must be established. This is done in accordance with RFC 5280 which (among other things) verifies the certificate(s) are issued by a trusted root certificate, the timestamps are valid, and none of the certificate(s) are revoked (i.e. being present in the root certificate's Certificate Revocation List).
+
+```ruby
+root_certificates = [] # trusted `OpenSSL::X509::Certificate` objects
+crl_uris = root_certificates.map(&:crl_uris)
+crls = crl_uris.map do |uri|
+  # look up cached CRL by `uri` and return it if found, otherwise continue
+  crl = Net::HTTP.get(uri)
+  crl = OpenSSL::X509::CRL.new(crl)
+  # cache `crl` using `uri` as the key, expiry set to `crl.next_update` timestamp
+end
+
+begin
+  JWT.decode(token, nil, true, { x5c: { root_certificates: root_certificates, crls: crls })
+rescue JWT::DecodeError
+  # Handle error, e.g. x5c header certificate revoked or expired
+end
+```
+
 ### JSON Web Key (JWK)
 
-JWK is a JSON structure representing a cryptographic key. Currently only supports RSA public keys.
+JWK is a JSON structure representing a cryptographic key. Currently only supports RSA, EC and HMAC keys.
 
 ```ruby
-jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048))
+jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048), "optional-kid")
 payload, headers = { data: 'data' }, { kid: jwk.kid }
 
 token = JWT.encode(payload, jwk.keypair, 'RS512', headers)
@@ -502,7 +569,7 @@ end
 or by passing JWK as a simple Hash
 
 ```
-jwks = { keys: [{ ... }] } # keys needs to be Symbol
+jwks = { keys: [{ ... }] } # keys accepts both of string and symbol
 JWT.decode(token, nil, true, { algorithms: ['RS512'], jwks: jwks})
 ```
 

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'bundler/setup'
 require 'bundler/gem_tasks'
 

data/lib/jwt/algos/ecdsa.rb

@@ -1,35 +1,53 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module Ecdsa
       module_function
 
-      SUPPORTED = %w[ES256 ES384 ES512].freeze
       NAMED_CURVES = {
         'prime256v1' => 'ES256',
+        'secp256r1' => 'ES256', # alias for prime256v1
         'secp384r1' => 'ES384',
         'secp521r1' => 'ES512'
       }.freeze
 
+      SUPPORTED = NAMED_CURVES.values.uniq.freeze
+
       def sign(to_sign)
         algorithm, msg, key = to_sign.values
-        key_algorithm = NAMED_CURVES[key.group.curve_name]
+        curve_definition = curve_by_name(key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
         if algorithm != key_algorithm
           raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided"
         end
 
-        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+        digest = OpenSSL::Digest.new(curve_definition[:digest])
         SecurityUtils.asn1_to_raw(key.dsa_sign_asn1(digest.digest(msg)), key)
       end
 
       def verify(to_verify)
         algorithm, public_key, signing_input, signature = to_verify.values
-        key_algorithm = NAMED_CURVES[public_key.group.curve_name]
+        curve_definition = curve_by_name(public_key.group.curve_name)
+        key_algorithm = curve_definition[:algorithm]
         if algorithm != key_algorithm
           raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided"
         end
-        digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
+
+        digest = OpenSSL::Digest.new(curve_definition[:digest])
         public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
       end
+
+      def curve_by_name(name)
+        algorithm = NAMED_CURVES.fetch(name) do
+          raise UnsupportedEcdsaCurve, "The ECDSA curve '#{name}' is not supported"
+        end
+
+        {
+          algorithm: algorithm,
+          digest: algorithm.sub('ES', 'sha')
+        }
+      end
     end
   end
 end

data/lib/jwt/algos/eddsa.rb

@@ -1,21 +1,31 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module Eddsa
       module_function
 
-      SUPPORTED = %w[ED25519].freeze
+      SUPPORTED = %w[ED25519 EdDSA].freeze
 
       def sign(to_sign)
         algorithm, msg, key = to_sign.values
-        raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey" if key.class != RbNaCl::Signatures::Ed25519::SigningKey
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"  if algorithm.downcase.to_sym != key.primitive
+        if key.class != RbNaCl::Signatures::Ed25519::SigningKey
+          raise EncodeError, "Key given is a #{key.class} but has to be an RbNaCl::Signatures::Ed25519::SigningKey"
+        end
+        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
+        end
+
         key.sign(msg)
       end
 
       def verify(to_verify)
         algorithm, public_key, signing_input, signature = to_verify.values
-        raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{public_key.primitive} verification key was provided" if algorithm.downcase.to_sym != public_key.primitive
+        unless SUPPORTED.map(&:downcase).map(&:to_sym).include?(algorithm.downcase.to_sym)
+          raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key.primitive} signing key was provided"
+        end
         raise DecodeError, "key given is a #{public_key.class} but has to be a RbNaCl::Signatures::Ed25519::VerifyKey" if public_key.class != RbNaCl::Signatures::Ed25519::VerifyKey
+
         public_key.verify(signature, signing_input)
       end
     end

data/lib/jwt/algos/hmac.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module Hmac

data/lib/jwt/algos/none.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module None

data/lib/jwt/algos/ps.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module Ps
@@ -29,9 +31,7 @@ module JWT
 
       def require_openssl!
         if Object.const_defined?('OpenSSL')
-          major, minor = OpenSSL::VERSION.split('.').first(2)
-
-          unless major.to_i >= 2 && minor.to_i >= 1
+          if ::Gem::Version.new(OpenSSL::VERSION) < ::Gem::Version.new('2.1')
             raise JWT::RequiredDependencyError, "You currently have OpenSSL #{OpenSSL::VERSION}. PS support requires >= 2.1"
           end
         else

data/lib/jwt/algos/rsa.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module Rsa
@@ -7,7 +9,8 @@ module JWT
 
       def sign(to_sign)
         algorithm, msg, key = to_sign.values
-        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.class == String
+        raise EncodeError, "The given key is a #{key.class}. It has to be an OpenSSL::PKey::RSA instance." if key.instance_of?(String)
+
         key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg)
       end
 

data/lib/jwt/algos/unsupported.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module Algos
     module Unsupported

data/lib/jwt/claims_validator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require_relative './error'
 
 module JWT
@@ -9,7 +11,7 @@ module JWT
     ].freeze
 
     def initialize(payload)
-      @payload = payload.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
+      @payload = payload.transform_keys(&:to_sym)
     end
 
     def validate!

data/lib/jwt/decode.rb

@@ -4,12 +4,14 @@ require 'json'
 
 require 'jwt/signature'
 require 'jwt/verify'
+require 'jwt/x5c_key_finder'
 # JWT::Decode module
 module JWT
   # Decoding logic for JWT
   class Decode
     def initialize(jwt, key, verify, options, &keyfinder)
       raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
+
       @jwt = jwt
       @key = key
       @options = options
@@ -23,27 +25,50 @@ module JWT
       validate_segment_count!
       if @verify
         decode_crypto
+        verify_algo
+        set_key
         verify_signature
         verify_claims
       end
       raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
+
       [payload, header]
     end
 
     private
 
     def verify_signature
+      return unless @key || @verify
+
+      return if none_algorithm?
+
+      raise JWT::DecodeError, 'No verification key available' unless @key
+
+      return if Array(@key).any? { |key| verify_signature_for?(key) }
+
+      raise(JWT::VerificationError, 'Signature verification failed')
+    end
+
+    def verify_algo
       raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
+      raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless algorithm
       raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
+    end
 
+    def set_key
       @key = find_key(&@keyfinder) if @keyfinder
       @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
+      if (x5c_options = @options[:x5c])
+        @key = X5cKeyFinder.new(x5c_options[:root_certificates], x5c_options[:crls]).from(header['x5c'])
+      end
+    end
 
-      Signature.verify(header['alg'], @key, signing_input, @signature)
+    def verify_signature_for?(key)
+      Signature.verify(algorithm, key, signing_input, @signature)
     end
 
     def options_includes_algo_in_header?
-      allowed_algorithms.any? { |alg| alg.casecmp(header['alg']).zero? }
+      allowed_algorithms.any? { |alg| alg.casecmp(algorithm).zero? }
     end
 
     def allowed_algorithms
@@ -64,18 +89,21 @@ module JWT
 
     def find_key(&keyfinder)
       key = (keyfinder.arity == 2 ? yield(header, payload) : yield(header))
-      raise JWT::DecodeError, 'No verification key available' unless key
-      key
+      # key can be of type [string, nil, OpenSSL::PKey, Array]
+      return key if key && !Array(key).empty?
+
+      raise JWT::DecodeError, 'No verification key available'
     end
 
     def verify_claims
       Verify.verify_claims(payload, @options)
+      Verify.verify_required_claims(payload, @options)
     end
 
     def validate_segment_count!
       return if segment_length == 3
       return if !@verify && segment_length == 2 # If no verifying required, the signature is not needed
-      return if segment_length == 2 && header['alg'] == 'none'
+      return if segment_length == 2 && none_algorithm?
 
       raise(JWT::DecodeError, 'Not enough or too many segments')
     end
@@ -84,8 +112,16 @@ module JWT
       @segments.count
     end
 
+    def none_algorithm?
+      algorithm.casecmp('none').zero?
+    end
+
     def decode_crypto
-      @signature = JWT::Base64.url_decode(@segments[2] || '')
+      @signature = Base64.urlsafe_decode64(@segments[2] || '')
+    end
+
+    def algorithm
+      header['alg']
     end
 
     def header
@@ -101,8 +137,8 @@ module JWT
     end
 
     def parse_and_decode(segment)
-      JWT::JSON.parse(JWT::Base64.url_decode(segment))
-    rescue ::JSON::ParserError
+      JWT::JSON.parse(Base64.urlsafe_decode64(segment))
+    rescue ::JSON::ParserError, ArgumentError
       raise JWT::DecodeError, 'Invalid segment encoding'
     end
   end

data/lib/jwt/default_options.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module JWT
   module DefaultOptions
     DEFAULT_OPTIONS = {
@@ -9,7 +11,8 @@ module JWT
       verify_aud: false,
       verify_sub: false,
       leeway: 0,
-      algorithms: ['HS256']
+      algorithms: ['HS256'],
+      required_claims: []
     }.freeze
   end
 end

data/lib/jwt/encode.rb

@@ -7,14 +7,14 @@ require_relative './claims_validator'
 module JWT
   # Encoding logic for JWT
   class Encode
-    ALG_NONE = 'none'.freeze
-    ALG_KEY  = 'alg'.freeze
+    ALG_NONE = 'none'
+    ALG_KEY  = 'alg'
 
     def initialize(options)
       @payload = options[:payload]
       @key = options[:key]
       _, @algorithm = Algos.find(options[:algorithm])
-      @headers = options[:headers].each_with_object({}) { |(key, value), headers| headers[key.to_s] = value }
+      @headers = options[:headers].transform_keys(&:to_s)
     end
 
     def segments
@@ -45,7 +45,7 @@ module JWT
     end
 
     def encode_payload
-      if @payload && @payload.is_a?(Hash)
+      if @payload.is_a?(Hash)
         ClaimsValidator.new(@payload).validate!
       end
 
@@ -55,11 +55,11 @@ module JWT
     def encode_signature
       return '' if @algorithm == ALG_NONE
 
-      JWT::Base64.url_encode(JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key))
+      Base64.urlsafe_encode64(JWT::Signature.sign(@algorithm, encoded_header_and_payload, @key), padding: false)
     end
 
     def encode(data)
-      JWT::Base64.url_encode(JWT::JSON.generate(data))
+      Base64.urlsafe_encode64(JWT::JSON.generate(data), padding: false)
     end
 
     def combine(*parts)

data/lib/jwt/error.rb

@@ -10,11 +10,13 @@ module JWT
   class IncorrectAlgorithm < DecodeError; end
   class ImmatureSignature < DecodeError; end
   class InvalidIssuerError < DecodeError; end
+  class UnsupportedEcdsaCurve < IncorrectAlgorithm; end
   class InvalidIatError < DecodeError; end
   class InvalidAudError < DecodeError; end
   class InvalidSubError < DecodeError; end
   class InvalidJtiError < DecodeError; end
   class InvalidPayload < DecodeError; end
+  class MissingRequiredClaim < DecodeError; end
 
   class JWKError < DecodeError; end
 end