Fixes when integrating current main
anakinj committed Oct 14, 2023
1 parent 33f2002 commit 4d195fe
Showing 3 changed files with 13 additions and 22 deletions.
2 changes: 1 addition & 1 deletion lib/jwt/version.rb
Expand Up @@ -22,7 +22,7 @@ module VERSION
def self.openssl_3?
return false if OpenSSL::OPENSSL_VERSION.include?('LibreSSL')

true if 3 * 0x10000000 <= OpenSSL::OPENSSL_VERSION_NUMBER
3 * 0x10000000 <= OpenSSL::OPENSSL_VERSION_NUMBER
end

def self.rbnacl?
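Review bot: `openssl_3?` now returns `false` rather than `nil` on pre-3 OpenSSL, but nothing in the method explains why the threshold is `3 * 0x10000000` or why LibreSSL is ruled out first, so a reader has to know OpenSSL's version-number layout to trust the predicate. I would write the constant the way it is compared, `0x30000000 <= OpenSSL::OPENSSL_VERSION_NUMBER`, and add `# OPENSSL_VERSION_NUMBER keeps the major version in the top nibble, so 0x30000000 is the first 3.x release; LibreSSL uses its own numbering and is excluded before the comparison.` Whether a LibreSSL build would otherwise satisfy the comparison is an inference from the guard, not something the hunk shows. The enclosing `module VERSION` starts outside the hunk.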
2 changes: 1 addition & 1 deletion spec/jwt/jwa/ecdsa_spec.rb
@@ -1,6 +1,6 @@
# frozen_string_literal: true

RSpec.describe JWT::Algos::Ecdsa do
RSpec.describe JWT::JWA::Ecdsa do
describe '.curve_by_name' do
subject { described_class.curve_by_name(curve_name) }

31 changes: 11 additions & 20 deletions spec/jwt_spec.rb
Expand Up @@ -619,10 +619,9 @@
end

context 'when the alg value is given as a header parameter' do
it 'does not override the actual algorithm used' do
pending 'Breaking change in 3.0'
headers = JSON.parse(JWT::Base64.url_decode(JWT.encode('Hello World', 'secret', 'HS256', { alg: 'HS123' }).split('.').first))
expect(headers['alg']).to eq('HS256')
it 'overrides the actual algorithm used' do
headers = JSON.parse(Base64.urlsafe_decode64(JWT.encode('Hello World', 'secret', 'HS256', { alg: 'HS123' }).split('.').first))
expect(headers['alg']).to eq('HS123')
end

it 'should generate the same token' do
Expand Down Expand Up @@ -698,7 +697,7 @@
describe 'expiration claim validation' do
let(:token) { JWT.encode(payload, 'secret', 'HS256') }
let(:options) { {} }
subject(:decoded_token) { ::JWT.decode(token, 'secret', true, options) }
subject(:decoded_token) { JWT.decode(token, 'secret', true, options) }

context 'when exp is set in the past' do
let(:payload) { { 'exp' => (Time.now.to_i - 10) } }
Expand Down Expand Up @@ -727,7 +726,7 @@
describe 'subject claim validation' do
let(:token) { JWT.encode(payload, 'secret', 'HS256') }
let(:options) { { verify_sub: true, sub: 'expected_sub' } }
subject(:decoded_token) { ::JWT.decode(token, 'secret', true, options) }
subject(:decoded_token) { JWT.decode(token, 'secret', true, options) }

context 'when sub does not match' do
let(:payload) { { 'sub' => 'not_expected_sub' } }
Expand Down Expand Up @@ -763,7 +762,7 @@
describe 'issuer claim validation' do
let(:token) { JWT.encode(payload, 'secret', 'HS256') }
let(:options) { { verify_iss: true, iss: 'expected_iss' } }
subject(:decoded_token) { ::JWT.decode(token, 'secret', true, options) }
subject(:decoded_token) { JWT.decode(token, 'secret', true, options) }

context 'when iss does not match' do
let(:payload) { { 'iss' => 'not_expected_sub' } }
Expand All @@ -776,7 +775,7 @@
describe 'jti claim validation' do
let(:token) { JWT.encode(payload, 'secret', 'HS256') }
let(:options) { { verify_jti: true } }
subject(:decoded_token) { ::JWT.decode(token, 'secret', true, options) }
subject(:decoded_token) { JWT.decode(token, 'secret', true, options) }

context 'when jti does not exist' do
let(:payload) { {} }
Expand All @@ -796,7 +795,7 @@
expect(key_finder).to receive(:from).and_return(data[:rsa_public])
end

subject(:decoded_token) { ::JWT.decode(data[alg], nil, true, algorithm: alg, x5c: { root_certificates: root_certificates }) }
subject(:decoded_token) { JWT.decode(data[alg], nil, true, algorithm: alg, x5c: { root_certificates: root_certificates }) }

it 'calls X5cKeyFinder#from to verify the signature and return the payload' do
jwt_payload, header = decoded_token
Expand Down Expand Up @@ -852,26 +851,18 @@
end
end

describe 'when token signed with nil and decoded with nil' do
let(:no_key_token) { JWT.encode(payload, nil, 'HS512') }
it 'raises JWT::DecodeError' do
pending 'Different behaviour on OpenSSL 3.0 (https://github.com/openssl/openssl/issues/13089)' if JWT.openssl_3_hmac_empty_key_regression?
expect { JWT.decode(no_key_token, nil, true, algorithms: 'HS512') }.to raise_error(JWT::DecodeError, 'No verification key available')
end
end

context 'when token ends with a newline char' do
let(:token) { "#{JWT.encode(payload, 'secret', 'HS256')}\n" }
it 'ignores the newline and decodes the token' do
expect(JWT.decode(token, 'secret', true, algorithm: 'HS256')).to include(payload)
it 'raises an error' do
expect { JWT.decode(token, 'secret', true, algorithm: 'HS256') }.to raise_error(JWT::DecodeError, 'Invalid segment encoding')
end
end

context 'when multiple algorithms given' do
let(:token) { JWT.encode(payload, 'secret', 'HS256') }

it 'starts trying with the algorithm referred in the header' do
expect(::JWT::JWA::Rsa).not_to receive(:verify)
expect(JWT::JWA::Rsa).not_to receive(:verify)
JWT.decode(token, 'secret', true, algorithm: ['RS512', 'HS256'])
end
end
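Review bot: The rewritten example `it 'overrides the actual algorithm used'` pins behaviour in which a caller-supplied `alg: 'HS123'` header parameter is emitted in the token header while the signature is still computed with HS256, so the header no longer describes the algorithm that actually signed the token. That may be the intended 3.0 semantics (the previous form of this example was pending as a breaking change and expected the opposite), but a token whose `alg` header disagrees with its signature will be rejected by any consumer that trusts the header and is the classic alg-confusion surface, so the spec should state why it is permitted; I would add above the example `# A caller-supplied alg header is taken verbatim even when it conflicts with the signing algorithm; the caller is responsible for keeping them consistent.` or, if the override is not meant to be supported, restore the `eq('HS256')` expectation. The deleted `'when token signed with nil and decoded with nil'` example removes the only visible check that an HS512 decode with a nil key raises `'No verification key available'`; if that case is now covered elsewhere a pointer would help, otherwise it should come back. The enclosing `describe`/`context` blocks start outside the hunks.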
