jwt 2.0.0.beta1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f874da696e03e2c7f0ffe02942540825eb8a6314
-  data.tar.gz: d57f6842df5cc35d21bea1a1e511026faeb0aaa4
+  metadata.gz: c63d3d103ec14f12ea2b51b95ae8f5407dd7ace9
+  data.tar.gz: f1de3f1e8ddfb79aa690a1f6d44492c70d037942
 SHA512:
-  metadata.gz: 51acfa10b330d62022d463cd4c0d25eff3ceb642b29e2c625d4aab40cd1a4138ca5597e0e19d540232f3f3b2e76fdcf4b403566f5b54aa7e687ab7d8696186e6
-  data.tar.gz: b8d9b8f1485f4e0c74d189c1e7ba64d71ce89f4813b134dbaf28263c695403dd102f12ab9dddde0ee7990f6cbcfde5ab5941876919bb1540b4088349129d1baf
+  metadata.gz: 3b19fcd5018d17e4277a49abc5787cee37ff3991fc8cbcc97dbb00f50c3878fc08062d97e18e07cdaf5f8f2f09cfbf5a8937e11859ae9b44d90a8d5a20caa021
+  data.tar.gz: f9df1adefd0f0d4525567372c8283e72639b2ee67320a893ef03d470bbbd6afd09a65725d3eb3153f8c68e7d40f693c7da3a5ed138ab766a23aa6ebbfe5c62f6

data/.ebert.yml

@@ -0,0 +1,17 @@
+styleguide: plataformatec/linters
+engines:
+  reek:
+    enabled: true
+  fixme:
+    enabled: true
+  rubocop:
+    enabled: true
+  duplication:
+    config:
+      languages:
+      - ruby
+    enabled: true
+  remark-lint:
+    enabled: true
+exclude_paths:
+- spec

data/.reek.yml

@@ -0,0 +1,40 @@
+---
+TooManyStatements:
+  max_statements: 10
+UncommunicativeMethodName:
+  reject:
+  - !ruby/regexp /^[a-z]$/
+  - !ruby/regexp /[0-9]$/
+UncommunicativeParameterName:
+  reject:
+  - !ruby/regexp /^.$/
+  - !ruby/regexp /[0-9]$/
+  - !ruby/regexp /^_/
+UncommunicativeVariableName:
+  reject:
+  - !ruby/regexp /^.$/
+  - !ruby/regexp /[0-9]$/
+UtilityFunction:
+  enabled: false
+LongParameterList:
+  enabled: false
+DuplicateMethodCall:
+  max_calls: 2
+IrresponsibleModule:
+  enabled: false
+NestedIterators:
+  max_allowed_nesting: 2
+PrimaDonnaMethod:
+  enabled: false
+UnusedParameters:
+  enabled: false
+FeatureEnvy:
+  enabled: false
+ControlParameter:
+  enabled: false
+UnusedPrivateMethod:
+  enabled: false
+InstanceVariableAssumption:
+  exclude:
+    - !ruby/regexp /Controller$/
+    - !ruby/regexp /Mailer$/s

data/.rubocop.yml

@@ -1,5 +1,98 @@
 AllCops:
-  Excludes:
-    - spec/**/*
+  Exclude:
+    - 'bin/**/*'
+    - 'db/**/*'
+    - 'config/**/*'
+    - 'script/**/*'
+
+Rails:
+  Enabled: true
+
+Style/AlignParameters:
+  EnforcedStyle: with_fixed_indentation
+
+Style/CaseIndentation:
+  EnforcedStyle: end
+
+Style/AsciiComments:
+  Enabled: false
+
+Style/IndentHash:
+  Enabled: false
+
+Style/CollectionMethods:
+  Enabled: true
+  PreferredMethods:
+      inject: 'inject'
+
+Style/Documentation:
+  Enabled: false
+
+Style/BlockDelimiters:
+  Exclude:
+    - spec/**/*_spec.rb
+
+Style/BracesAroundHashParameters:
+  Exclude:
+    - spec/**/*_spec.rb
+
+Style/GuardClause:
+  Enabled: false
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/SpaceInsideHashLiteralBraces:
+  Enabled: false
+
+Style/Lambda:
+  Enabled: false
+
+Style/RaiseArgs:
+  Enabled: false
+
+Style/SignalException:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 20
+
+Metrics/ClassLength:
+  Max: 100
+
+Metrics/ModuleLength:
+  Max: 100
+
 Metrics/LineLength:
   Enabled: false
+
+Metrics/MethodLength:
+  Max: 15
+
+Style/SingleLineBlockParams:
+  Enabled: false
+
+Lint/EndAlignment:
+  EnforcedStyleAlignWith: variable
+
+Style/FormatString:
+  Enabled: false
+
+Style/MultilineMethodCallIndentation:
+  EnforcedStyle: indented
+
+Style/MultilineOperationIndentation:
+  EnforcedStyle: indented
+
+Style/WordArray:
+  Enabled: false
+
+Style/RedundantSelf:
+  Enabled: false
+
+Style/AlignHash:
+  Enabled: true
+  EnforcedLastArgumentHashStyle: always_ignore
+
+Style/TrivialAccessors:
+  AllowPredicates: true

data/.travis.yml

@@ -1,5 +1,6 @@
 sudo: required
 cache: bundler
+dist: trusty
 language: ruby
 rvm:
   - 2.2.0

data/CHANGELOG.md

@@ -1,7 +1,39 @@
 # Change Log
 
-## [v2.0.0](https://github.com/jwt/ruby-jwt/tree/v2.0.0) (2017-02-27)
-[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.6...v2.0.0)
+## [v2.0.0](https://github.com/jwt/ruby-jwt/tree/v2.0.0) (2017-09-03)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.0.0.beta1...v2.0.0)
+
+**Fixed bugs:**
+
+- Support versions outside 2.1 [\#209](https://github.com/jwt/ruby-jwt/issues/209)
+- Verifying expiration without leeway throws exception [\#206](https://github.com/jwt/ruby-jwt/issues/206)
+- Ruby interpreter warning [\#200](https://github.com/jwt/ruby-jwt/issues/200)
+- TypeError: no implicit conversion of String into Integer [\#188](https://github.com/jwt/ruby-jwt/issues/188)
+- Fix JWT.encode\(nil\) [\#203](https://github.com/jwt/ruby-jwt/pull/203) ([tmm1](https://github.com/tmm1))
+
+**Closed issues:**
+
+- Possibility to disable claim verifications [\#222](https://github.com/jwt/ruby-jwt/issues/222)
+- Proper way to verify Firebase id tokens [\#216](https://github.com/jwt/ruby-jwt/issues/216)
+
+**Merged pull requests:**
+
+- Skip 'exp' claim validation for array payloads [\#224](https://github.com/jwt/ruby-jwt/pull/224) ([excpt](https://github.com/excpt))
+- Use a default leeway of 0 [\#223](https://github.com/jwt/ruby-jwt/pull/223) ([travisofthenorth](https://github.com/travisofthenorth))
+- Fix reported codesmells [\#221](https://github.com/jwt/ruby-jwt/pull/221) ([excpt](https://github.com/excpt))
+- Add fancy gem version badge [\#220](https://github.com/jwt/ruby-jwt/pull/220) ([excpt](https://github.com/excpt))
+- Add missing dist option to .travis.yml [\#219](https://github.com/jwt/ruby-jwt/pull/219) ([excpt](https://github.com/excpt))
+- Fix ruby version requirements in gemspec file [\#218](https://github.com/jwt/ruby-jwt/pull/218) ([excpt](https://github.com/excpt))
+- Fix a little typo in the readme [\#214](https://github.com/jwt/ruby-jwt/pull/214) ([RyanBrushett](https://github.com/RyanBrushett))
+- Update README.md [\#212](https://github.com/jwt/ruby-jwt/pull/212) ([zuzannast](https://github.com/zuzannast))
+- Fix typo in HS512256 algorithm description [\#211](https://github.com/jwt/ruby-jwt/pull/211) ([ojab](https://github.com/ojab))
+- Allow configuration of multiple acceptable issuers [\#210](https://github.com/jwt/ruby-jwt/pull/210) ([ojab](https://github.com/ojab))
+- Enforce `exp` to be an `Integer` [\#205](https://github.com/jwt/ruby-jwt/pull/205) ([lucasmazza](https://github.com/lucasmazza))
+- ruby 1.9.3 support message upd [\#204](https://github.com/jwt/ruby-jwt/pull/204) ([maokomioko](https://github.com/maokomioko))
+- Guard against partially loaded RbNaCl when failing to load libsodium [\#202](https://github.com/jwt/ruby-jwt/pull/202) ([Dorian](https://github.com/Dorian))
+
+## [v2.0.0.beta1](https://github.com/jwt/ruby-jwt/tree/v2.0.0.beta1) (2017-02-27)
+[Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.6...v2.0.0.beta1)
 
 **Implemented enhancements:**
 
@@ -36,6 +68,8 @@
 
 **Merged pull requests:**
 
+- Version bump 2.0.0.beta1 [\#199](https://github.com/jwt/ruby-jwt/pull/199) ([excpt](https://github.com/excpt))
+- Update CHANGELOG.md and minor fixes [\#198](https://github.com/jwt/ruby-jwt/pull/198) ([excpt](https://github.com/excpt))
 - Add Codacy coverage reporter [\#194](https://github.com/jwt/ruby-jwt/pull/194) ([excpt](https://github.com/excpt))
 - Add minimum required ruby version to gemspec [\#193](https://github.com/jwt/ruby-jwt/pull/193) ([excpt](https://github.com/excpt))
 - Code smell fixes [\#192](https://github.com/jwt/ruby-jwt/pull/192) ([excpt](https://github.com/excpt))
@@ -301,7 +335,6 @@
 
 **Closed issues:**
 
-- yanking of version 0.1.12 causes issues [\#39](https://github.com/jwt/ruby-jwt/issues/39)
 - Semantic versioning [\#37](https://github.com/jwt/ruby-jwt/issues/37)
 - Update gem to get latest changes [\#36](https://github.com/jwt/ruby-jwt/issues/36)
 

data/Gemfile

@@ -1,4 +1,3 @@
-# encoding: utf-8
 source 'https://rubygems.org'
 
 gemspec

data/README.md

@@ -1,5 +1,6 @@
 # JWT
 
+[![Gem Version](https://badge.fury.io/rb/jwt.svg)](https://badge.fury.io/rb/jwt)
 [![Build Status](https://travis-ci.org/jwt/ruby-jwt.svg)](https://travis-ci.org/jwt/ruby-jwt)
 [![Code Climate](https://codeclimate.com/github/jwt/ruby-jwt/badges/gpa.svg)](https://codeclimate.com/github/jwt/ruby-jwt)
 [![Test Coverage](https://codeclimate.com/github/jwt/ruby-jwt/badges/coverage.svg)](https://codeclimate.com/github/jwt/ruby-jwt/coverage)
@@ -11,7 +12,7 @@ If you have further questions related to development or usage, join us: [ruby-jw
 
 ## Announcements
 
-* Ruby 1.9.3 support will be dropped by December 31st, 2016.
+* Ruby 1.9.3 support was dropped at December 31st, 2016.
 * Version 1.5.3 yanked. See: [#132](https://github.com/jwt/ruby-jwt/issues/132) and [#133](https://github.com/jwt/ruby-jwt/issues/133)
 
 ## Installing
@@ -63,7 +64,7 @@ puts decoded_token
 **HMAC** (default: HS256)
 
 * HS256 - HMAC using SHA-256 hash algorithm (default)
-* HS512256 - HMAC using SHA-512/256 hash algorithm (only available with RbNaCl; see note below)
+* HS512256 - HMAC using SHA-512-256 hash algorithm (only available with RbNaCl; see note below)
 * HS384 - HMAC using SHA-384 hash algorithm
 * HS512 - HMAC using SHA-512 hash algorithm
 
@@ -85,7 +86,11 @@ decoded_token = JWT.decode token, hmac_secret, true, { :algorithm => 'HS256' }
 puts decoded_token
 ```
 
-Note: If [RbNaCl](https://github.com/cryptosphere/rbnacl) is loadable, ruby-jwt will use it for HMAC-SHA256, HMAC-SHA512/256, and HMAC-SHA512. RbNaCl enforces a maximum key size of 32 bytes for these algorithms.
+Note: If [RbNaCl](https://github.com/cryptosphere/rbnacl) is loadable, ruby-jwt will use it for HMAC-SHA256, HMAC-SHA512-256, and HMAC-SHA512. RbNaCl enforces a maximum key size of 32 bytes for these algorithms.
+
+[RbNaCl](https://github.com/cryptosphere/rbnacl) requires
+[libsodium](https://github.com/jedisct1/libsodium), it can be installed
+on MacOS with `brew install libsodium`.
 
 **RSA**
 
@@ -273,6 +278,8 @@ From [Oauth JSON Web Token 4.1.1. "iss" (Issuer) Claim](https://tools.ietf.org/h
 
 > The `iss` (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The `iss` value is a case-sensitive string containing a ***StringOrURI*** value. Use of this claim is OPTIONAL.
 
+You can pass multiple allowed issuers as an Array, verification will pass if one of them matches the `iss` value in the payload.
+
 ```ruby
 iss = 'My Awesome Company Inc. or https://my.awesome.website/'
 iss_payload = { :data => 'data', :iss => iss }

data/lib/jwt.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'base64'
 require 'jwt/decode'
 require 'jwt/default_options'
@@ -16,13 +17,6 @@ module JWT
 
   module_function
 
-  def decoded_segments(jwt, verify = true)
-    raise(JWT::DecodeError, 'Nil JSON web token') unless jwt
-
-    decoder = Decode.new jwt, verify
-    decoder.decode_segments
-  end
-
   def encode(payload, key, algorithm = 'HS256', header_fields = {})
     encoder = Encode.new payload, key, algorithm, header_fields
     encoder.segments
@@ -37,7 +31,7 @@ module JWT
     header, payload, signature, signing_input = decoder.decode_segments
     decode_verify_signature(key, header, payload, signature, signing_input, merged_options, &keyfinder) if verify
 
-    Verify.verify_claims(payload, merged_options)
+    Verify.verify_claims(payload, merged_options) if verify
 
     raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload
 
@@ -56,10 +50,10 @@ module JWT
   def signature_algorithm_and_key(header, payload, key, &keyfinder)
     if keyfinder
       key = if keyfinder.arity == 2
-              yield(header, payload)
-            else
-              yield(header)
-            end
+        yield(header, payload)
+      else
+        yield(header)
+      end
       raise JWT::DecodeError, 'No verification key available' unless key
     end
     [header['alg'], key]

data/lib/jwt/decode.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'json'
 
 # JWT::Decode module
@@ -15,10 +16,13 @@ module JWT
     def initialize(jwt, verify)
       @jwt = jwt
       @verify = verify
+      @header = ''
+      @payload = ''
+      @signature = ''
     end
 
     def decode_segments
-      header_segment, payload_segment, crypto_segment = raw_segments(@jwt, @verify)
+      header_segment, payload_segment, crypto_segment = raw_segments
       @header, @payload = decode_header_and_payload(header_segment, payload_segment)
       @signature = Decode.base64url_decode(crypto_segment.to_s) if @verify
       signing_input = [header_segment, payload_segment].join('.')
@@ -27,9 +31,9 @@ module JWT
 
     private
 
-    def raw_segments(jwt, verify)
-      segments = jwt.split('.')
-      required_num_segments = verify ? [3] : [2, 3]
+    def raw_segments
+      segments = @jwt.split('.')
+      required_num_segments = @verify ? [3] : [2, 3]
       raise(JWT::DecodeError, 'Not enough or too many segments') unless required_num_segments.include? segments.length
       segments
     end

data/lib/jwt/encode.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'json'
 
 # JWT::Encode module
@@ -21,31 +22,30 @@ module JWT
 
     private
 
-    def encoded_header(algorithm, header_fields)
-      header = { 'alg' => algorithm }.merge(header_fields)
+    def encoded_header
+      header = { 'alg' => @algorithm }.merge(@header_fields)
       Encode.base64url_encode(JSON.generate(header))
     end
 
-    def encoded_payload(payload)
-      raise InvalidPayload, 'exp claim must be an integer' if payload['exp'] && payload['exp'].is_a?(Time)
-      Encode.base64url_encode(JSON.generate(payload))
+    def encoded_payload
+      raise InvalidPayload, 'exp claim must be an integer' if @payload && !@payload.is_a?(Array) && @payload.key?('exp') && !@payload['exp'].is_a?(Integer)
+      Encode.base64url_encode(JSON.generate(@payload))
     end
 
-    def encoded_signature(signing_input, key, algorithm)
-      if algorithm == 'none'
+    def encoded_signature(signing_input)
+      if @algorithm == 'none'
         ''
       else
-        signature = JWT::Signature.sign(algorithm, signing_input, key)
+        signature = JWT::Signature.sign(@algorithm, signing_input, @key)
         Encode.base64url_encode(signature)
       end
     end
 
     def encode_segments
-      segments = []
-      segments << encoded_header(@algorithm, @header_fields)
-      segments << encoded_payload(@payload)
-      segments << encoded_signature(segments.join('.'), @key, @algorithm)
-      segments.join('.')
+      header = encoded_header
+      payload = encoded_payload
+      signature = encoded_signature([header, payload].join('.'))
+      [header, payload, signature].join('.')
     end
   end
 end

data/lib/jwt/error.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 module JWT
   class EncodeError < StandardError; end
   class DecodeError < StandardError; end

data/lib/jwt/security_utils.rb

@@ -0,0 +1,52 @@
+module JWT
+  # Collection of security methods
+  #
+  # @see: https://github.com/rails/rails/blob/master/activesupport/lib/active_support/security_utils.rb
+  module SecurityUtils
+
+    module_function
+
+    def secure_compare(left, right)
+      left_bytesize = left.bytesize
+
+      return false unless left_bytesize == right.bytesize
+
+      unpacked_left = left.unpack "C#{left_bytesize}"
+      result = 0
+      right.each_byte { |byte| result |= byte ^ unpacked_left.shift }
+      result.zero?
+    end
+
+    def verify_rsa(algorithm, public_key, signing_input, signature)
+      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
+    end
+
+    def asn1_to_raw(signature, public_key)
+      byte_size = (public_key.group.degree + 7) / 8
+      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
+    end
+
+    def raw_to_asn1(signature, private_key)
+      byte_size = (private_key.group.degree + 7) / 8
+      sig_bytes = signature[0..(byte_size - 1)]
+      sig_char = signature[byte_size..-1] || ''
+      OpenSSL::ASN1::Sequence.new([sig_bytes, sig_char].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
+    end
+
+    def rbnacl_fixup(algorithm, key)
+      algorithm = algorithm.sub('HS', 'SHA').to_sym
+
+      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
+
+      authenticator = RbNaCl::HMAC.const_get(algorithm)
+
+      # Fall back to OpenSSL for keys larger than 32 bytes.
+      return [] if key.bytesize > authenticator.key_bytes
+
+      [
+        authenticator,
+        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
+      ]
+    end
+  end
+end

data/lib/jwt/signature.rb

@@ -1,8 +1,11 @@
 # frozen_string_literal: true
+
+require 'jwt/security_utils'
 require 'openssl'
 begin
   require 'rbnacl'
-rescue LoadError
+rescue LoadError => e
+  abort(e.message) if defined?(RbNaCl)
 end
 
 # JWT::Signature module
@@ -11,9 +14,9 @@ module JWT
   module Signature
     extend self
 
-    HMAC_ALGORITHMS = %w(HS256 HS512256 HS384 HS512).freeze
-    RSA_ALGORITHMS = %w(RS256 RS384 RS512).freeze
-    ECDSA_ALGORITHMS = %w(ES256 ES384 ES512).freeze
+    HMAC_ALGORITHMS = %w[HS256 HS512256 HS384 HS512].freeze
+    RSA_ALGORITHMS = %w[RS256 RS384 RS512].freeze
+    ECDSA_ALGORITHMS = %w[ES256 ES384 ES512].freeze
 
     NAMED_CURVES = {
       'prime256v1' => 'ES256',
@@ -35,14 +38,14 @@ module JWT
 
     def verify(algo, key, signing_input, signature)
       verified = if HMAC_ALGORITHMS.include?(algo)
-                   verify_hmac(algo, key, signing_input, signature)
-                 elsif RSA_ALGORITHMS.include?(algo)
-                   verify_rsa(algo, key, signing_input, signature)
-                 elsif ECDSA_ALGORITHMS.include?(algo)
-                   verify_ecdsa(algo, key, signing_input, signature)
-                 else
-                   raise JWT::VerificationError, 'Algorithm not supported'
-                 end
+        verify_hmac(algo, key, signing_input, signature)
+      elsif RSA_ALGORITHMS.include?(algo)
+        SecurityUtils.verify_rsa(algo, key, signing_input, signature)
+      elsif ECDSA_ALGORITHMS.include?(algo)
+        verify_ecdsa(algo, key, signing_input, signature)
+      else
+        raise JWT::VerificationError, 'Algorithm not supported'
+      end
 
       raise(JWT::VerificationError, 'Signature verification raised') unless verified
     rescue OpenSSL::PKey::PKeyError
@@ -65,11 +68,11 @@ module JWT
       end
 
       digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-      asn1_to_raw(private_key.dsa_sign_asn1(digest.digest(msg)), private_key)
+      SecurityUtils.asn1_to_raw(private_key.dsa_sign_asn1(digest.digest(msg)), private_key)
     end
 
     def sign_hmac(algorithm, msg, key)
-      authenticator, padded_key = rbnacl_fixup(algorithm, key)
+      authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, key)
       if authenticator && padded_key
         authenticator.auth(padded_key, msg.encode('binary'))
       else
@@ -77,10 +80,6 @@ module JWT
       end
     end
 
-    def verify_rsa(algorithm, public_key, signing_input, signature)
-      public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input)
-    end
-
     def verify_ecdsa(algorithm, public_key, signing_input, signature)
       key_algorithm = NAMED_CURVES[public_key.group.curve_name]
       if algorithm != key_algorithm
@@ -88,11 +87,11 @@ module JWT
       end
 
       digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha'))
-      public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key))
+      public_key.dsa_verify_asn1(digest.digest(signing_input), SecurityUtils.raw_to_asn1(signature, public_key))
     end
 
     def verify_hmac(algorithm, public_key, signing_input, signature)
-      authenticator, padded_key = rbnacl_fixup(algorithm, public_key)
+      authenticator, padded_key = SecurityUtils.rbnacl_fixup(algorithm, public_key)
       if authenticator && padded_key
         begin
           authenticator.verify(padded_key, signature.encode('binary'), signing_input.encode('binary'))
@@ -100,46 +99,8 @@ module JWT
           false
         end
       else
-        secure_compare(signature, sign_hmac(algorithm, signing_input, public_key))
+        SecurityUtils.secure_compare(signature, sign_hmac(algorithm, signing_input, public_key))
       end
     end
-
-    def asn1_to_raw(signature, public_key)
-      byte_size = (public_key.group.degree + 7) / 8
-      OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join
-    end
-
-    def raw_to_asn1(signature, private_key)
-      byte_size = (private_key.group.degree + 7) / 8
-      r = signature[0..(byte_size - 1)]
-      s = signature[byte_size..-1] || ''
-      OpenSSL::ASN1::Sequence.new([r, s].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der
-    end
-
-    def rbnacl_fixup(algorithm, key)
-      algorithm = algorithm.sub('HS', 'SHA').to_sym
-
-      return [] unless defined?(RbNaCl) && RbNaCl::HMAC.constants(false).include?(algorithm)
-
-      authenticator = RbNaCl::HMAC.const_get(algorithm)
-
-      # Fall back to OpenSSL for keys larger than 32 bytes.
-      return [] if key.bytesize > authenticator.key_bytes
-
-      [
-        authenticator,
-        key.bytes.fill(0, key.bytesize...authenticator.key_bytes).pack('C*')
-      ]
-    end
-
-    # From devise
-    # constant-time comparison algorithm to prevent timing attacks
-    def secure_compare(a, b)
-      return false if a.nil? || b.nil? || a.empty? || b.empty? || a.bytesize != b.bytesize
-      l = a.unpack "C#{a.bytesize}"
-      res = 0
-      b.each_byte { |byte| res |= byte ^ l.shift }
-      res.zero?
-    end
   end
 end

data/lib/jwt/verify.rb

@@ -1,11 +1,16 @@
 # frozen_string_literal: true
+
 require 'jwt/error'
 
 module JWT
   # JWT verify methods
   class Verify
+    DEFAULTS = {
+      leeway: 0
+    }.freeze
+
     class << self
-      %w(verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub).each do |method_name|
+      %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method_name|
         define_method method_name do |payload, options|
           new(payload, options).send(method_name)
         end
@@ -21,12 +26,14 @@ module JWT
 
     def initialize(payload, options)
       @payload = payload
-      @options = options
+      @options = DEFAULTS.merge(options)
     end
 
     def verify_aud
       return unless (options_aud = @options[:aud])
-      raise(JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || '<none>'}") if ([*@payload['aud']] & [*options_aud]).empty?
+
+      aud = @payload['aud']
+      raise(JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{aud || '<none>'}") if ([*aud] & [*options_aud]).empty?
     end
 
     def verify_expiration
@@ -36,19 +43,28 @@ module JWT
 
     def verify_iat
       return unless @payload.include?('iat')
-      raise(JWT::InvalidIatError, 'Invalid iat') if !@payload['iat'].is_a?(Numeric) || @payload['iat'].to_f > (Time.now.to_f + iat_leeway)
+
+      iat = @payload['iat']
+      raise(JWT::InvalidIatError, 'Invalid iat') if !iat.is_a?(Numeric) || iat.to_f > (Time.now.to_f + iat_leeway)
     end
 
     def verify_iss
       return unless (options_iss = @options[:iss])
-      raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{@payload['iss'] || '<none>'}") if @payload['iss'].to_s != options_iss.to_s
+
+      iss = @payload['iss']
+      
+      return if Array(options_iss).map(&:to_s).include?(iss.to_s)
+      
+      raise(JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{iss || '<none>'}")
     end
 
     def verify_jti
       options_verify_jti = @options[:verify_jti]
+      jti = @payload['jti']
+
       if options_verify_jti.respond_to?(:call)
-        raise(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(@payload['jti'])
-      elsif @payload['jti'].to_s.strip.empty?
+        raise(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(jti)
+      elsif jti.to_s.strip.empty?
         raise(JWT::InvalidJtiError, 'Missing jti')
       end
     end
@@ -60,7 +76,8 @@ module JWT
 
     def verify_sub
       return unless (options_sub = @options[:sub])
-      raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{@payload['sub'] || '<none>'}") unless @payload['sub'].to_s == options_sub.to_s
+      sub = @payload['sub']
+      raise(JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{sub || '<none>'}") unless sub.to_s == options_sub.to_s
     end
 
     private

data/lib/jwt/version.rb

@@ -16,7 +16,7 @@ module JWT
     # tiny version
     TINY  = 0
     # alpha, beta, etc. tag
-    PRE   = 'beta1'.freeze
+    PRE   = nil
 
     # Build version string
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')

data/ruby-jwt.gemspec

@@ -13,12 +13,12 @@ Gem::Specification.new do |spec|
   spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.'
   spec.homepage = 'http://github.com/jwt/ruby-jwt'
   spec.license = 'MIT'
-  spec.required_ruby_version = '~> 2.1'
+  spec.required_ruby_version = '>= 2.1'
 
   spec.files = `git ls-files -z`.split("\x0")
   spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = %w(lib)
+  spec.require_paths = %w[lib]
 
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'

data/spec/integration/readme_examples_spec.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require_relative '../spec_helper'
 require 'jwt'
 
@@ -122,13 +123,13 @@ describe 'README.md code test' do
 
     context 'aud' do
       it 'array' do
-        aud = %w(Young Old)
+        aud = %w[Young Old]
         aud_payload = { data: 'data', aud: aud }
 
         token = JWT.encode aud_payload, hmac_secret, 'HS256'
 
         expect do
-          JWT.decode token, hmac_secret, true, aud: %w(Old Young), verify_aud: true, algorithm: 'HS256'
+          JWT.decode token, hmac_secret, true, aud: %w[Old Young], verify_aud: true, algorithm: 'HS256'
         end.not_to raise_error
       end
 

data/spec/jwt/verify_spec.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require 'spec_helper'
 require 'jwt/verify'
 
@@ -9,7 +10,7 @@ module JWT
 
     context '.verify_aud(payload, options)' do
       let(:scalar_aud) { 'ruby-jwt-aud' }
-      let(:array_aud) { %w(ruby-jwt-aud test-aud ruby-ruby-ruby) }
+      let(:array_aud) { %w[ruby-jwt-aud test-aud ruby-ruby-ruby] }
       let(:scalar_payload) { base_payload.merge('aud' => scalar_aud) }
       let(:array_payload) { base_payload.merge('aud' => array_aud) }
 
@@ -43,7 +44,6 @@ module JWT
     end
 
     context '.verify_expiration(payload, options)' do
-      let(:leeway) { 10 }
       let(:payload) { base_payload.merge('exp' => (Time.now.to_i - 5)) }
 
       it 'must raise JWT::ExpiredSignature when the token has expired' do
@@ -67,6 +67,16 @@ module JWT
           Verify.verify_expiration(payload, options)
         end.to raise_error JWT::ExpiredSignature
       end
+
+      context 'when leeway is not specified' do
+        let(:options) { {} }
+
+        it 'used a default leeway of 0' do
+          expect do
+            Verify.verify_expiration(payload, options)
+          end.to raise_error JWT::ExpiredSignature
+        end
+      end
     end
 
     context '.verify_iat(payload, options)' do
@@ -108,20 +118,39 @@ module JWT
 
       let(:invalid_token) { JWT.encode base_payload, payload[:secret] }
 
-      it 'must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer' do
-        expect do
-          Verify.verify_iss(payload, options.merge(iss: 'mismatched-issuer'))
-        end.to raise_error JWT::InvalidIssuerError
-      end
-
-      it 'must raise JWT::InvalidIssuerError when the payload does not include an issuer' do
-        expect do
-          Verify.verify_iss(base_payload, options.merge(iss: iss))
-        end.to raise_error(JWT::InvalidIssuerError, /received <none>/)
-      end
-
-      it 'must allow a matching issuer to pass' do
-        Verify.verify_iss(payload, options.merge(iss: iss))
+      context 'when iss is a String' do
+        it 'must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer' do
+          expect do
+            Verify.verify_iss(payload, options.merge(iss: 'mismatched-issuer'))
+          end.to raise_error JWT::InvalidIssuerError
+        end
+
+        it 'must raise JWT::InvalidIssuerError when the payload does not include an issuer' do
+          expect do
+            Verify.verify_iss(base_payload, options.merge(iss: iss))
+          end.to raise_error(JWT::InvalidIssuerError, /received <none>/)
+        end
+
+        it 'must allow a matching issuer to pass' do
+          Verify.verify_iss(payload, options.merge(iss: iss))
+        end
+      end
+      context 'when iss is an Array' do
+        it 'must raise JWT::InvalidIssuerError when no matching issuers in array' do
+          expect do
+            Verify.verify_iss(payload, options.merge(iss: %w[first second]))
+          end.to raise_error JWT::InvalidIssuerError
+        end
+
+        it 'must raise JWT::InvalidIssuerError when the payload does not include an issuer' do
+          expect do
+            Verify.verify_iss(base_payload, options.merge(iss: %w[first second]))
+          end.to raise_error(JWT::InvalidIssuerError, /received <none>/)
+        end
+
+        it 'must allow an array with matching issuer to pass' do
+          Verify.verify_iss(payload, options.merge(iss: ['first', iss, 'third']))
+        end
       end
     end
 

data/spec/jwt_spec.rb

@@ -60,9 +60,17 @@ describe JWT do
         JWT.encode payload, nil, alg
       end.to raise_error JWT::InvalidPayload
     end
+
+    it 'should display a better error message if payload exp is not an Integer' do
+      payload['exp'] = Time.now.to_i.to_s
+
+      expect do
+        JWT.encode payload, nil, alg
+      end.to raise_error JWT::InvalidPayload
+    end
   end
 
-  %w(HS256 HS512256 HS384 HS512).each do |alg|
+  %w[HS256 HS512256 HS384 HS512].each do |alg|
     context "alg: #{alg}" do
       it 'should generate a valid token' do
         token = JWT.encode payload, data[:secret], alg
@@ -91,7 +99,7 @@ describe JWT do
     end
   end
 
-  %w(RS256 RS384 RS512).each do |alg|
+  %w[RS256 RS384 RS512].each do |alg|
     context "alg: #{alg}" do
       it 'should generate a valid token' do
         token = JWT.encode payload, data[:rsa_private], alg
@@ -124,7 +132,7 @@ describe JWT do
     end
   end
 
-  %w(ES256 ES384 ES512).each do |alg|
+  %w[ES256 ES384 ES512].each do |alg|
     context "alg: #{alg}" do
       before(:each) do
         data[alg] = JWT.encode payload, data["#{alg}_private"], alg
@@ -230,4 +238,20 @@ describe JWT do
       expect(JWT::Encode.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_')
     end
   end
+
+  it 'should not verify token even if the payload has claims' do
+    head = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9'
+    load = 'eyJ1c2VyX2lkIjo1NCwiZXhwIjoxNTA0MzkwODA0fQ'
+    sign = 'Skpi6FfYMbZ-DwW9ocyRIosNMdPMAIWRLYxRO68GTQk'
+
+    expect do
+      JWT.decode([head, load, sign].join('.'), '', false)
+    end.not_to raise_error
+  end
+
+  it 'should not raise InvalidPayload exception if payload is an array' do
+    expect do
+      JWT.encode(['my', 'payload'], 'secret')
+    end.not_to raise_error
+  end
 end

data/spec/spec_helper.rb

@@ -18,7 +18,7 @@ CERT_PATH = File.join(File.dirname(__FILE__), 'fixtures', 'certs')
 
 RSpec.configure do |config|
   config.expect_with :rspec do |c|
-    c.syntax = [:should, :expect]
+    c.syntax = %i[should expect]
   end
 
   config.run_all_when_everything_filtered = true

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt
 version: !ruby/object:Gem::Version
-  version: 2.0.0.beta1
+  version: 2.0.0
 platform: ruby
 authors:
 - Tim Rudat
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-02-27 00:00:00.000000000 Z
+date: 2017-09-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -130,7 +130,9 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".codeclimate.yml"
+- ".ebert.yml"
 - ".gitignore"
+- ".reek.yml"
 - ".rspec"
 - ".rubocop.yml"
 - ".travis.yml"
@@ -145,6 +147,7 @@ files:
 - lib/jwt/default_options.rb
 - lib/jwt/encode.rb
 - lib/jwt/error.rb
+- lib/jwt/security_utils.rb
 - lib/jwt/signature.rb
 - lib/jwt/verify.rb
 - lib/jwt/version.rb
@@ -183,17 +186,17 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - "~>"
+  - - ">="
     - !ruby/object:Gem::Version
       version: '2.1'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.6.13
 signing_key: 
 specification_version: 4
 summary: JSON Web Token implementation in Ruby