jwtb 2.0.0.beta2.bsk1

data/spec/jwtb/verify_spec.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+require 'spec_helper'
+require 'jwtb/verify'
+
+module JWTB
+  RSpec.describe Verify do
+    let(:base_payload) { { 'user_id' => 'some@user.tld' } }
+    let(:options) { { leeway: 0 } }
+
+    context '.verify_aud(payload, options)' do
+      let(:scalar_aud) { 'ruby-jwt-aud' }
+      let(:array_aud) { %w(ruby-jwt-aud test-aud ruby-ruby-ruby) }
+      let(:scalar_payload) { base_payload.merge('aud' => scalar_aud) }
+      let(:array_payload) { base_payload.merge('aud' => array_aud) }
+
+      it 'must raise JWTB::InvalidAudError when the singular audience does not match' do
+        expect do
+          Verify.verify_aud(scalar_payload, options.merge(aud: 'no-match'))
+        end.to raise_error JWTB::InvalidAudError
+      end
+
+      it 'must raise JWTB::InvalidAudError when the payload has an array and none match the supplied value' do
+        expect do
+          Verify.verify_aud(array_payload, options.merge(aud: 'no-match'))
+        end.to raise_error JWTB::InvalidAudError
+      end
+
+      it 'must allow a matching singular audience to pass' do
+        Verify.verify_aud(scalar_payload, options.merge(aud: scalar_aud))
+      end
+
+      it 'must allow an array with any value matching the one in the options' do
+        Verify.verify_aud(array_payload, options.merge(aud: array_aud.first))
+      end
+
+      it 'must allow an array with any value matching any value in the options array' do
+        Verify.verify_aud(array_payload, options.merge(aud: array_aud))
+      end
+
+      it 'must allow a singular audience payload matching any value in the options array' do
+        Verify.verify_aud(scalar_payload, options.merge(aud: array_aud))
+      end
+    end
+
+    context '.verify_expiration(payload, options)' do
+      let(:leeway) { 10 }
+      let(:payload) { base_payload.merge('exp' => (Time.now.to_i - 5)) }
+
+      it 'must raise JWTB::ExpiredSignature when the token has expired' do
+        expect do
+          Verify.verify_expiration(payload, options)
+        end.to raise_error JWTB::ExpiredSignature
+      end
+
+      it 'must allow some leeway in the expiration when global leeway is configured' do
+        Verify.verify_expiration(payload, options.merge(leeway: 10))
+      end
+
+      it 'must allow some leeway in the expiration when exp_leeway is configured' do
+        Verify.verify_expiration(payload, options.merge(exp_leeway: 10))
+      end
+
+      it 'must be expired if the exp claim equals the current time' do
+        payload['exp'] = Time.now.to_i
+
+        expect do
+          Verify.verify_expiration(payload, options)
+        end.to raise_error JWTB::ExpiredSignature
+      end
+    end
+
+    context '.verify_iat(payload, options)' do
+      let(:iat) { Time.now.to_f }
+      let(:payload) { base_payload.merge('iat' => iat) }
+
+      it 'must allow a valid iat' do
+        Verify.verify_iat(payload, options)
+      end
+
+      it 'must allow configured leeway' do
+        Verify.verify_iat(payload.merge('iat' => (iat + 60)), options.merge(leeway: 70))
+      end
+
+      it 'must allow configured iat_leeway' do
+        Verify.verify_iat(payload.merge('iat' => (iat + 60)), options.merge(iat_leeway: 70))
+      end
+
+      it 'must properly handle integer times' do
+        Verify.verify_iat(payload.merge('iat' => Time.now.to_i), options)
+      end
+
+      it 'must raise JWTB::InvalidIatError when the iat value is not Numeric' do
+        expect do
+          Verify.verify_iat(payload.merge('iat' => 'not a number'), options)
+        end.to raise_error JWTB::InvalidIatError
+      end
+
+      it 'must raise JWTB::InvalidIatError when the iat value is in the future' do
+        expect do
+          Verify.verify_iat(payload.merge('iat' => (iat + 120)), options)
+        end.to raise_error JWTB::InvalidIatError
+      end
+    end
+
+    context '.verify_iss(payload, options)' do
+      let(:iss) { 'ruby-jwt-gem' }
+      let(:payload) { base_payload.merge('iss' => iss) }
+
+      let(:invalid_token) { JWTB.encode base_payload, payload[:secret] }
+
+      it 'must raise JWTB::InvalidIssuerError when the configured issuer does not match the payload issuer' do
+        expect do
+          Verify.verify_iss(payload, options.merge(iss: 'mismatched-issuer'))
+        end.to raise_error JWTB::InvalidIssuerError
+      end
+
+      it 'must raise JWTB::InvalidIssuerError when the payload does not include an issuer' do
+        expect do
+          Verify.verify_iss(base_payload, options.merge(iss: iss))
+        end.to raise_error(JWTB::InvalidIssuerError, /received <none>/)
+      end
+
+      it 'must allow a matching issuer to pass' do
+        Verify.verify_iss(payload, options.merge(iss: iss))
+      end
+    end
+
+    context '.verify_jti(payload, options)' do
+      let(:payload) { base_payload.merge('jti' => 'some-random-uuid-or-whatever') }
+
+      it 'must allow any jti when the verfy_jti key in the options is truthy but not a proc' do
+        Verify.verify_jti(payload, options.merge(verify_jti: true))
+      end
+
+      it 'must raise JWTB::InvalidJtiError when the jti is missing' do
+        expect do
+          Verify.verify_jti(base_payload, options)
+        end.to raise_error JWTB::InvalidJtiError, /missing/i
+      end
+
+      it 'must raise JWTB::InvalidJtiError when the jti is an empty string' do
+        expect do
+          Verify.verify_jti(base_payload.merge('jti' => '   '), options)
+        end.to raise_error JWTB::InvalidJtiError, /missing/i
+      end
+
+      it 'must raise JWTB::InvalidJtiError when verify_jti proc returns false' do
+        expect do
+          Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti) { false }))
+        end.to raise_error JWTB::InvalidJtiError, /invalid/i
+      end
+
+      it 'true proc should not raise JWTB::InvalidJtiError' do
+        Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti) { true }))
+      end
+    end
+
+    context '.verify_not_before(payload, options)' do
+      let(:payload) { base_payload.merge('nbf' => (Time.now.to_i + 5)) }
+
+      it 'must raise JWTB::ImmatureSignature when the nbf in the payload is in the future' do
+        expect do
+          Verify.verify_not_before(payload, options)
+        end.to raise_error JWTB::ImmatureSignature
+      end
+
+      it 'must allow some leeway in the token age when global leeway is configured' do
+        Verify.verify_not_before(payload, options.merge(leeway: 10))
+      end
+
+      it 'must allow some leeway in the token age when nbf_leeway is configured' do
+        Verify.verify_not_before(payload, options.merge(nbf_leeway: 10))
+      end
+    end
+
+    context '.verify_sub(payload, options)' do
+      let(:sub) { 'ruby jwt subject' }
+
+      it 'must raise JWTB::InvalidSubError when the subjects do not match' do
+        expect do
+          Verify.verify_sub(base_payload.merge('sub' => 'not-a-match'), options.merge(sub: sub))
+        end.to raise_error JWTB::InvalidSubError
+      end
+
+      it 'must allow a matching sub' do
+        Verify.verify_sub(base_payload.merge('sub' => sub), options.merge(sub: sub))
+      end
+    end
+  end
+end

data/spec/jwtb_spec.rb

@@ -0,0 +1,233 @@
+require 'spec_helper'
+require 'jwtb'
+require 'jwtb/encode'
+require 'jwtb/decode'
+
+describe JWTB do
+  let(:payload) { { 'user_id' => 'some@user.tld' } }
+
+  let :data do
+    {
+      :secret => 'My$ecretK3y',
+      :rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-private.pem'))),
+      :rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-public.pem'))),
+      :wrong_rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
+      :wrong_rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))),
+      'ES256_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-private.pem'))),
+      'ES256_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-public.pem'))),
+      'ES384_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-private.pem'))),
+      'ES384_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-public.pem'))),
+      'ES512_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-private.pem'))),
+      'ES512_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-public.pem'))),
+      'NONE' => 'eyJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.',
+      'HS256' => 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.kWOVtIOpWcG7JnyJG0qOkTDbOy636XrrQhMm_8JrRQ8',
+      'HS512256' => 'eyJhbGciOiJIUzUxMjI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Ds_4ibvf7z4QOBoKntEjDfthy3WJ-3rKMspTEcHE2bA',
+      'HS384' => 'eyJhbGciOiJIUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.VuV4j4A1HKhWxCNzEcwc9qVF3frrEu-BRLzvYPkbWO0LENRGy5dOiBQ34remM3XH',
+      'HS512' => 'eyJhbGciOiJIUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.8zNtCBTJIZTHpZ-BkhR-6sZY1K85Nm5YCKqV3AxRdsBJDt_RR-REH2db4T3Y0uQwNknhrCnZGvhNHrvhDwV1kA',
+      'RS256' => 'eyJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.eSXvWP4GViiwUALj_-qTxU68I1oM0XjgDsCZBBUri2Ghh9d75QkVDoZ_v872GaqunN5A5xcnBK0-cOq-CR6OwibgJWfOt69GNzw5RrOfQ2mz3QI3NYEq080nF69h8BeqkiaXhI24Q51joEgfa9aj5Y-oitLAmtDPYTm7vTcdGufd6AwD3_3jajKBwkh0LPSeMtbe_5EyS94nFoEF9OQuhJYjUmp7agsBVa8FFEjVw5jEgVqkvERSj5hSY4nEiCAomdVxIKBfykyi0d12cgjhI7mBFwWkPku8XIPGZ7N8vpiSLdM68BnUqIK5qR7NAhtvT7iyLFgOqhZNUQ6Ret5VpQ',
+      'RS384' => 'eyJhbGciOiJSUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.Sfgk56moPghtsjaP4so6tOy3I553mgwX-5gByMC6dX8lpeWgsxSeAd_K8IyO7u4lwYOL0DSftnqO1HEOuN1AKyBbDvaTXz3u2xNA2x4NYLdW4AZA6ritbYcKLO5BHTXw5ueMbtA1jjGXP0zI_aK2iJTMBmB8SCF88RYBUH01Tyf4PlLj98pGL-v3prZd6kZkIeRJ3326h04hslcB5HQKmgeBk24QNLIoIC-CD329HPjJ7TtGx01lj-ehTBnwVbBGzYFAyoalV5KgvL_MDOfWPr1OYHnR5s_Fm6_3Vg4u6lBljvHOrmv4Nfx7d8HLgbo8CwH4qn1wm6VQCtuDd-uhRg',
+      'RS512' => 'eyJhbGciOiJSUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.LIIAUEuCkGNdpYguOO5LoW4rZ7ED2POJrB0pmEAAchyTdIK4HKh1jcLxc6KyGwZv40njCgub3y72q6vcQTn7oD0zWFCVQRIDW1911Ii2hRNHuigiPUnrnZh1OQ6z65VZRU6GKs8omoBGU9vrClBU0ODqYE16KxYmE_0n4Xw2h3D_L1LF0IAOtDWKBRDa3QHwZRM9sHsHNsBuD5ye9KzDYN1YALXj64LBfA-DoCKfpVAm9NkRPOyzjR2X2C3TomOSJgqWIVHJucudKDDAZyEbO4RA5pI-UFYy1370p9bRajvtDyoBuLDCzoSkMyQ4L2DnLhx5CbWcnD7Cd3GUmnjjTA',
+      'ES256' => '',
+      'ES384' => '',
+      'ES512' => ''
+    }
+  end
+
+  after(:each) do
+    expect(OpenSSL.errors).to be_empty
+  end
+
+  context 'alg: NONE' do
+    let(:alg) { 'none' }
+
+    it 'should generate a valid token' do
+      token = JWTB.encode payload, nil, alg
+
+      expect(token).to eq data['NONE']
+    end
+
+    it 'should decode a valid token' do
+      jwt_payload, header = JWTB.decode data['NONE'], nil, false
+
+      expect(header['alg']).to eq alg
+      expect(jwt_payload).to eq payload
+    end
+
+    it 'should display a better error message if payload exp is_a?(Time)' do
+      payload['exp'] = Time.now
+
+      expect do
+        JWTB.encode payload, nil, alg
+      end.to raise_error JWTB::InvalidPayload
+    end
+  end
+
+  %w(HS256 HS512256 HS384 HS512).each do |alg|
+    context "alg: #{alg}" do
+      it 'should generate a valid token' do
+        token = JWTB.encode payload, data[:secret], alg
+
+        expect(token).to eq data[alg]
+      end
+
+      it 'should decode a valid token' do
+        jwt_payload, header = JWTB.decode data[alg], data[:secret], true, algorithm: alg
+
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
+
+      it 'wrong secret should raise JWTB::DecodeError' do
+        expect do
+          JWTB.decode data[alg], 'wrong_secret', true, algorithm: alg
+        end.to raise_error JWTB::VerificationError
+      end
+
+      it 'wrong secret and verify = false should not raise JWTB::DecodeError' do
+        expect do
+          JWTB.decode data[alg], 'wrong_secret', false
+        end.not_to raise_error
+      end
+    end
+  end
+
+  %w(RS256 RS384 RS512).each do |alg|
+    context "alg: #{alg}" do
+      it 'should generate a valid token' do
+        token = JWTB.encode payload, data[:rsa_private], alg
+
+        expect(token).to eq data[alg]
+      end
+
+      it 'should decode a valid token' do
+        jwt_payload, header = JWTB.decode data[alg], data[:rsa_public], true, algorithm: alg
+
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
+
+      it 'wrong key should raise JWTB::DecodeError' do
+        key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
+
+        expect do
+          JWTB.decode data[alg], key, true, algorithm: alg
+        end.to raise_error JWTB::DecodeError
+      end
+
+      it 'wrong key and verify = false should not raise JWTB::DecodeError' do
+        key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))
+
+        expect do
+          JWTB.decode data[alg], key, false
+        end.not_to raise_error
+      end
+    end
+  end
+
+  %w(ES256 ES384 ES512).each do |alg|
+    context "alg: #{alg}" do
+      before(:each) do
+        data[alg] = JWTB.encode payload, data["#{alg}_private"], alg
+      end
+
+      let(:wrong_key) { OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-wrong-public.pem'))) }
+
+      it 'should generate a valid token' do
+        jwt_payload, header = JWTB.decode data[alg], data["#{alg}_public"], true, algorithm: alg
+
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
+
+      it 'should decode a valid token' do
+        jwt_payload, header = JWTB.decode data[alg], data["#{alg}_public"], true, algorithm: alg
+
+        expect(header['alg']).to eq alg
+        expect(jwt_payload).to eq payload
+      end
+
+      it 'wrong key should raise JWTB::DecodeError' do
+        expect do
+          JWTB.decode data[alg], wrong_key
+        end.to raise_error JWTB::DecodeError
+      end
+
+      it 'wrong key and verify = false should not raise JWTB::DecodeError' do
+        expect do
+          JWTB.decode data[alg], wrong_key, false
+        end.not_to raise_error
+      end
+    end
+  end
+
+  context 'Invalid' do
+    it 'algorithm should raise NotImplementedError' do
+      expect do
+        JWTB.encode payload, 'secret', 'HS255'
+      end.to raise_error NotImplementedError
+    end
+
+    it 'ECDSA curve_name should raise JWTB::IncorrectAlgorithm' do
+      key = OpenSSL::PKey::EC.new 'secp256k1'
+      key.generate_key
+
+      expect do
+        JWTB.encode payload, key, 'ES256'
+      end.to raise_error JWTB::IncorrectAlgorithm
+
+      token = JWTB.encode payload, data['ES256_private'], 'ES256'
+      key.private_key = nil
+
+      expect do
+        JWTB.decode token, key
+      end.to raise_error JWTB::IncorrectAlgorithm
+    end
+  end
+
+  context 'Verify' do
+    context 'algorithm' do
+      it 'should raise JWTB::IncorrectAlgorithm on missmatch' do
+        token = JWTB.encode payload, data[:secret], 'HS512'
+
+        expect do
+          JWTB.decode token, data[:secret], true, algorithm: 'HS384'
+        end.to raise_error JWTB::IncorrectAlgorithm
+
+        expect do
+          JWTB.decode token, data[:secret], true, algorithm: 'HS512'
+        end.not_to raise_error
+      end
+
+      it 'should raise JWTB::IncorrectAlgorithm if no algorithm is provided' do
+        token = JWTB.encode payload, data[:rsa_public].to_s, 'HS256'
+
+        expect do
+          JWTB.decode token, data[:rsa_public], true
+        end.to raise_error JWTB::IncorrectAlgorithm
+      end
+    end
+
+    context 'issuer claim' do
+      let(:iss) { 'ruby-jwt-gem' }
+      let(:invalid_token) { JWTB.encode payload, data[:secret] }
+
+      let :token do
+        iss_payload = payload.merge(iss: iss)
+        JWTB.encode iss_payload, data[:secret]
+      end
+
+      it 'if verify_iss is set to false (default option) should not raise JWTB::InvalidIssuerError' do
+        expect do
+          JWTB.decode token, data[:secret], true, iss: iss, algorithm: 'HS256'
+        end.not_to raise_error
+      end
+    end
+  end
+
+  context 'Base64' do
+    it 'urlsafe replace + / with - _' do
+      allow(Base64).to receive(:encode64) { 'string+with/non+url-safe/characters_' }
+      expect(JWTB::Encode.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,28 @@
+require 'rspec'
+require 'simplecov'
+require 'simplecov-json'
+require 'codeclimate-test-reporter'
+require 'codacy-coverage'
+
+Codacy::Reporter.start
+
+SimpleCov.configure do
+  root File.join(File.dirname(__FILE__), '..')
+  project_name 'Ruby JWT - Ruby JSON Web Token implementation'
+  add_filter 'spec'
+end
+
+SimpleCov.start if ENV['COVERAGE']
+
+CERT_PATH = File.join(File.dirname(__FILE__), 'fixtures', 'certs')
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = [:should, :expect]
+  end
+
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  config.order = 'random'
+end