jwt 0.1.8 → 0.1.10

data/Rakefile

@@ -2,7 +2,7 @@ require 'rubygems'
 require 'rake'
 require 'echoe'
 
-Echoe.new('jwt', '0.1.8') do |p|
+Echoe.new('jwt', '0.1.10') do |p|
   p.description    = "JSON Web Token implementation in Ruby"
   p.url            = "http://github.com/progrium/ruby-jwt"
   p.author         = "Jeff Lindsay"
@@ -10,6 +10,7 @@ Echoe.new('jwt', '0.1.8') do |p|
   p.ignore_pattern = ["tmp/*"]
   p.runtime_dependencies = ["multi_json >=1.5"]
   p.development_dependencies = ["echoe >=4.6.3"]
+  p.licenses       = "MIT"
 end
 
 task :test do

data/jwt.gemspec

@@ -2,17 +2,18 @@
 
 Gem::Specification.new do |s|
   s.name = "jwt"
-  s.version = "0.1.8"
+  s.version = "0.1.10"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Jeff Lindsay"]
-  s.date = "2013-03-14"
+  s.date = "2014-01-10"
   s.description = "JSON Web Token implementation in Ruby"
   s.email = "progrium@gmail.com"
   s.extra_rdoc_files = ["lib/jwt.rb"]
   s.files = ["Rakefile", "lib/jwt.rb", "spec/helper.rb", "spec/jwt_spec.rb", "Manifest", "jwt.gemspec"]
   s.homepage = "http://github.com/progrium/ruby-jwt"
-  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Jwt", "--main", "README.md"]
+  s.licenses = ["MIT"]
+  s.rdoc_options = ["--line-numbers", "--title", "Jwt", "--main", "README.md"]
   s.require_paths = ["lib"]
   s.rubyforge_project = "jwt"
   s.rubygems_version = "1.8.23"

data/lib/jwt.rb

@@ -11,7 +11,9 @@ require "multi_json"
 module JWT
   class DecodeError < StandardError; end
 
-  def self.sign(algorithm, msg, key)
+  module_function
+
+  def sign(algorithm, msg, key)
     if ["HS256", "HS384", "HS512"].include?(algorithm)
       sign_hmac(algorithm, msg, key)
     elsif ["RS256", "RS384", "RS512"].include?(algorithm)
@@ -21,57 +23,60 @@ module JWT
     end
   end
 
-  def self.sign_rsa(algorithm, msg, private_key)
-    private_key.sign(OpenSSL::Digest::Digest.new(algorithm.sub('RS', 'sha')), msg)
+  def sign_rsa(algorithm, msg, private_key)
+    private_key.sign(OpenSSL::Digest.new(algorithm.sub("RS", "sha")), msg)
   end
 
-  def self.verify_rsa(algorithm, public_key, signing_input, signature)
-    public_key.verify(OpenSSL::Digest::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+  def verify_rsa(algorithm, public_key, signing_input, signature)
+    public_key.verify(OpenSSL::Digest.new(algorithm.sub("RS", "sha")), signature, signing_input)
   end
 
-  def self.sign_hmac(algorithm, msg, key)
-    OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new(algorithm.sub('HS', 'sha')), key, msg)
+  def sign_hmac(algorithm, msg, key)
+    OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub("HS", "sha")), key, msg)
   end
 
-  def self.base64url_decode(str)
-    str += '=' * (4 - str.length.modulo(4))
-    Base64.decode64(str.gsub("-", "+").gsub("_", "/"))
+  def base64url_decode(str)
+    str += "=" * (4 - str.length.modulo(4))
+    Base64.decode64(str.tr("-_", "+/"))
   end
 
-  def self.base64url_encode(str)
-    Base64.encode64(str).gsub("+", "-").gsub("/", "_").gsub("\n", "").gsub('=', '')
+  def base64url_encode(str)
+    Base64.encode64(str).tr("-_", "+/").gsub(/[\n=]/, "")
   end
 
-  def self.encode(payload, key, algorithm='HS256', header_fields={})
+  def encode(payload, key, algorithm="HS256", header_fields={})
     algorithm ||= "none"
     segments = []
     header = {"typ" => "JWT", "alg" => algorithm}.merge(header_fields)
     segments << base64url_encode(MultiJson.encode(header))
     segments << base64url_encode(MultiJson.encode(payload))
-    signing_input = segments.join('.')
-    if algorithm != "none"
+    signing_input = segments.join(".")
+    if algorithm == "none"
+      segments << ""
+    else
       signature = sign(algorithm, signing_input, key)
       segments << base64url_encode(signature)
-    else
-      segments << ""
     end
-    segments.join('.')
+    segments.join(".")
   end
 
-  def self.decode(jwt, key=nil, verify=true, &keyfinder)
-    segments = jwt.split('.')
+  def decode(jwt, key=nil, verify=true, &keyfinder)
+    segments = jwt.split(".")
     raise JWT::DecodeError.new("Not enough or too many segments") unless [2,3].include? segments.length
     header_segment, payload_segment, crypto_segment = segments
-    signing_input = [header_segment, payload_segment].join('.')
+    signing_input = [header_segment, payload_segment].join(".")
     begin
       header = MultiJson.decode(base64url_decode(header_segment))
       payload = MultiJson.decode(base64url_decode(payload_segment))
-      signature = base64url_decode(crypto_segment) if verify
-    rescue MultiJson::LoadError => e
+      signature = base64url_decode(crypto_segment.to_s) if verify
+    rescue MultiJson::LoadError
       raise JWT::DecodeError.new("Invalid segment encoding")
     end
+
+    raise JWT::DecodeError.new("Not enough or too many segments") unless header && payload
+
     if verify
-      algo = header['alg']
+      algo = header["alg"]
 
       if keyfinder
         key = keyfinder.call(header)
@@ -87,6 +92,8 @@ module JWT
         end
       rescue OpenSSL::PKey::PKeyError
         raise JWT::DecodeError.new("Signature verification failed")
+      ensure
+        OpenSSL.errors.clear
       end
     end
     payload
@@ -94,7 +101,7 @@ module JWT
 
   # From devise
   # constant-time comparison algorithm to prevent timing attacks
-  def self.secure_compare(a, b)
+  def secure_compare(a, b)
     return false if a.nil? || b.nil? || a.empty? || b.empty? || a.bytesize != b.bytesize
     l = a.unpack "C#{a.bytesize}"
 

data/spec/jwt_spec.rb

@@ -58,6 +58,21 @@ describe JWT do
     lambda { JWT.decode(jwt, bad_private_key.public_key) }.should raise_error(JWT::DecodeError)
   end
 
+  it "raises exception with invalid signature" do
+    example_payload = {"hello" => "world"}
+    example_secret = 'secret'
+    example_jwt = 'eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJoZWxsbyI6ICJ3b3JsZCJ9.'
+    lambda { JWT.decode(example_jwt, example_secret) }.should raise_error(JWT::DecodeError)
+  end
+
+  it "raises exception with nonexistent header" do
+    lambda { JWT.decode("..stuff") }.should raise_error(JWT::DecodeError)
+  end
+
+  it "raises exception with nonexistent payload" do
+    lambda { JWT.decode("eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9..stuff") }.should raise_error(JWT::DecodeError)
+  end
+
   it "allows decoding without key" do
     right_secret = 'foo'
     bad_secret = 'bar'
@@ -93,7 +108,7 @@ describe JWT do
     signature = JWT.base64url_decode(crypto_segment)
     signature.should_not_receive('==')
     JWT.should_receive(:base64url_decode).with(crypto_segment).once.and_return(signature)
-    JWT.should_receive(:base64url_decode).any_number_of_times.and_call_original
+    JWT.should_receive(:base64url_decode).at_least(:once).and_call_original
 
     JWT.decode(jwt, secret)
   end
@@ -115,6 +130,11 @@ describe JWT do
     end
   end
 
+  # no method should leave OpenSSL.errors populated
+  after do
+    OpenSSL.errors.should be_empty
+  end
+
   it "raise exception on invalid signature" do
     pubkey = OpenSSL::PKey::RSA.new(<<-PUBKEY)
 -----BEGIN PUBLIC KEY-----

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 0.1.8
+  version: 0.1.10
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-03-14 00:00:00.000000000 Z
+date: 2014-01-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -57,11 +57,11 @@ files:
 - Manifest
 - jwt.gemspec
 homepage: http://github.com/progrium/ruby-jwt
-licenses: []
+licenses:
+- MIT
 post_install_message: 
 rdoc_options:
 - --line-numbers
-- --inline-source
 - --title
 - Jwt
 - --main