jwt-1.5.6/0000755000004100000410000000000012772730515012370 5ustar www-datawww-datajwt-1.5.6/Rakefile0000644000004100000410000000037212772730515014037 0ustar www-datawww-datarequire 'bundler/gem_tasks' begin require 'rspec/core/rake_task' RSpec::Core::RakeTask.new(:test) task default: :test rescue LoadError puts 'RSpec rake tasks not available. Please run "bundle install" to install missing dependencies.' end jwt-1.5.6/Gemfile0000644000004100000410000000007112772730515013661 0ustar www-datawww-data# encoding: utf-8 source 'https://rubygems.org' gemspec jwt-1.5.6/.rspec0000644000004100000410000000001012772730515013474 0ustar www-datawww-data--color jwt-1.5.6/spec/0000755000004100000410000000000012772730515013322 5ustar www-datawww-datajwt-1.5.6/spec/spec_helper.rb0000644000004100000410000000142612772730515016143 0ustar www-datawww-datarequire 'rspec' require 'simplecov' require 'simplecov-json' require 'codeclimate-test-reporter' SimpleCov.configure do root File.join(File.dirname(__FILE__), '..') project_name 'Ruby JWT - Ruby JSON Web Token implementation' SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter.new([ SimpleCov::Formatter::HTMLFormatter, SimpleCov::Formatter::JSONFormatter ]) add_filter 'spec' end SimpleCov.start if ENV['COVERAGE'] CodeClimate::TestReporter.start if ENV['CODECLIMATE_REPO_TOKEN'] CERT_PATH = File.join(File.dirname(__FILE__), 'fixtures', 'certs') RSpec.configure do |config| config.expect_with :rspec do |c| c.syntax = [:should, :expect] end config.run_all_when_everything_filtered = true config.filter_run :focus config.order = 'random' end jwt-1.5.6/spec/fixtures/0000755000004100000410000000000012772730515015173 5ustar www-datawww-datajwt-1.5.6/spec/fixtures/certs/0000755000004100000410000000000012772730515016313 5ustar www-datawww-datajwt-1.5.6/spec/fixtures/certs/rsa-2048-private.pem0000644000004100000410000000321712772730515021651 0ustar www-datawww-data-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA4GzZTLU48c4WbyvHi+QKrB71x+T0eq5hqDbQqnlYjhD1Ika7 io1iplsdJWJuyxfYbUkb2Ol0fj4koZ/GS6lgCZr4+8UHbr1qf0Eu5HZSpszs2YxY 8U5RHnrpw67co7hlgAR9HbyNf5XIYgLV9ldHH/eazwnc3F/hgNsV0xjScVilejgo cJ4zcsyymvW8t42lteM7bI867ZuJhGop/V+Y0HFyrMsPoQyLuCUpr6ulOfrkr7ZO dhAIG8r1HcjOp/AUjM15vfXcbUZjkM/VloifX1YitU3upMGJ8/DpFGffMOImrn5r 6BT494V8rRyN2qvQoAkLJpqZ0avLxwiR2lgVQQIDAQABAoIBAEH0Ozgr2fxWEInD V/VooypKPvjr9F1JejGxSkmPN9MocKIOH3dsbZ1uEXa3ItBUxan4XlK06SNgp+tH xULfF/Y6sQlsse59hBq50Uoa69dRShn1AP6JgZVvkduMPBNxUYL5zrs6emsQXb9Q DglDRQfEAJ7vyxSIqQDxYcyT8uSUF70dqFe+E9B2VE3D6ccHc98k41pJrAFAUFH1 wwvDhfyYr7/Ultut9wzpZvU1meF3Vna3GOUHfxrG6wu1G+WIWHGjouzThsc1qiVI BtMCJxuCt5fOXRbU4STbMqhB6sZHiOh6J/dZU6JwRYt+IS8FB6kCNFSEWZWQledJ XqtYSQECgYEA9nmnFTRj3fTBq9zMXfCRujkSy6X2bOb39ftNXzHFuc+I6xmv/3Bs P9tDdjueP/SnCb7i/9hXkpEIcxjrjiqgcvD2ym1hE4q+odMzRAXYMdnmzI34SVZE U5hYJcYsXNKrTTleba7QgqdORmyJ9FwqLO40udvmrZMY223XDwgRkOkCgYEA6RkO 5wjjrWWp/G1YN3KXZTS1m2/eGrUThohXKAfAjbWWiouNLW2msXrxEWsPRL6xKiHu X9cwZwzi3MstAgk+bphUGUVUkGKNDjWHJA25tDYjbPtkd6xbL4eCHsKpNL3HNYr9 N0CIvgn7qjaHRBem0iK7T6keY4axaSVddEwYapkCgYEA13K5qaB1F4Smcpt8DTWH vPe8xUUaZlFzOJLmLCsuwmB2N8Ppg2j7RspcaxJsH021YaB5ftjWm+ipMSr8ZPY/ 8JlPsNzxuYpTXtNmAbT2KYVm6THEch61dTk6/DIBf1YrpUJbl5by7vJeStL/uBmE SGgksL5XIyzs0opuLdaIvFkCgYAyBLWE8AxjFfCvAQuwAj/ocLITo6KmWnrRIIqL RXaVMgUWv7FQsTnW1cnK8g05tC2yG8vZ9wQk6Mf5lwOWb0NdWgSZ0528ydj41pWk L+nMeN2LMjqxz2NVxJ8wWJcUgTCxFZ0WcRumo9/D+6V1ABpE9zz4cBLcSnfhVypB nV6T6QKBgQCSZNCQ9HPxjAgYcsqc5sjNwuN1GHQZSav3Tye3k6zHENe1lsteT9K8 xciGIuhybKZBvB4yImIIHCtnH+AS+mHAGqHarjNDMfvjOq0dMibPx4+bkIiHdBIH Xz+j5kmntvFiUnzr0Z/Tcqo+r8FvyCo1YWgwqGP8XoFrswD7gy7cZw== -----END RSA PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/rsa-1024-private.pem0000644000004100000410000000157312772730515021645 0ustar www-datawww-data-----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDO/ahgFDvniFoQ1dm+MdnkBi+Ts5W9AtQNgw4ZHIdPnqEzSgW7 0opKEu8hnlLqsIyU2BC2op/xOanipdbXObuFlA6bth1cYRI+YJlR3BbPGOIL6YbJ ud9m0gIsBlCDLm4e/E45ZS+emudISP7/SF7zxvxZlnr1z7HTm7nIIVBvuQIDAQAB AoGBAMzFQAccvU6GI6O4C5sOsiHUxMh3xtCftaxQVGgfQvVPVuXoeteep1Q0ewFl IV4vnkO5pH8pTtVTWG9x5KIy6QCql4qvr2jkOm4mo9uogrpNklvBl2lN4Lxubj0N mGRXaM3hckZl8+JT6uzfBfjy+pd8AOigJGPQCOZn4gmANW7pAkEA82Nh4wpj6ZRU NBiBq3ONZuH4xJm59MI2FWRJsGUFUYdSaFwyKKim52/13d8iUb7v9utWQFRatCXz Lqw9fQyVrwJBANm3dBOVxpUPrYEQsG0q2rdP+u6U3woylxwtQgJxImZKZmmJlPr8 9v23rhydvCe1ERPYe7EjF4RGWVPN3KLdExcCQDdzNfL3BApMS97OkoRQQC/nXbjU 2SPlN1MqVQuGCG8pqGG0V40h11y1CkvxMS10ldEojq77SOrwFnZUsXGS82sCQQC6 XdO7QCaxSq5XIRYlHN4EtS40NLOIYy3/LK6osHel4GIyTVd+UjSLk0QzssJxqwln V5TqWQO0cxPcLQiFUYEZAkEA2G84ilb9QXOgbNyoE1VifNk49hhodbSskLb86uwY Vgtzq1ZsqoPBCasr4WRiXt270n+mo5dNYRlZwiUn9lH78Q== -----END RSA PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/ec512-wrong-public.pem0000644000004100000410000000041412772730515022242 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAbRMVZ7lxnkNkjJ+7KysKhDJJM3F3 5pPyw8jGzHuZbpgFOy47qsSDHJ6B3YC7LjG2KTGnMq+ygxdHTb330Bq6zaMAC3/D GuGGvjUEM/gxXRvpmeBvvaGdrSlwaqK3k7JTwBs4lRn6t3KjBEaw5j5o9s7JWF01 ywR3FgLwZ0jIJAsELUc= -----END PUBLIC KEY----- jwt-1.5.6/spec/fixtures/certs/ec384-wrong-public.pem0000644000004100000410000000032712772730515022254 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEMF5MeARQRi1285ecla38Su3q/IUot/Ig xCtvu3Ha0dd+1p+SVJy+Fk8F085MlIHwTi97BzaM8H4FNNxg/xDlBCqs7CCYs9nG z2xQC3eIUvvE+LMwy1QvSZdVupNAgLZj -----END PUBLIC KEY----- jwt-1.5.6/spec/fixtures/certs/ec256-public.pem0000644000004100000410000000026212772730515021116 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAr+WbDE5VtIDGhtYMxvEc6cMsDBc /DX1wuhIMu8dQzOLSt0tpqK9MVfXbVfrKdayVFgoWzs8MilcYq0QIhKx/w== -----END PUBLIC KEY----- jwt-1.5.6/spec/fixtures/certs/rsa-4096-private.pem0000644000004100000410000000625312772730515021661 0ustar www-datawww-data-----BEGIN RSA PRIVATE KEY----- MIIJJwIBAAKCAgEAqETmgWBi5rCmb7euJplA/9xs65+bncc9Yvs5zjyycXSW82Jf RuyguGm0OvA2wog24dR4N2kT/87DcGtp5JqJWADVFNr+2V2r6i57/OMLruRpn3p2 r95dmo0COE+BxPFl7XEBT8JbH57ZtpgcB3/xkS14nLOWFf96hrXPlXJC+VMVKVZm A8k2LRh42vT5wUf4U0Doy/p7yFNSFFa6Q8wwe4TBy/z/f+rhFD1w8rxlYjallee/ ocm7bjZCwbJGMm7orLViqWfsFX3O35PeoJ5h/7uJ7iRwvTFERkTdwWP/0BeKBeIt BR3YFc2mut+V9W+WKRkMSL6Crc+oVSx3p8aB7j9SZFzQiRtes4BYETpX1xl2mgIq 5hvsFbLw7ESrlIodiwUMTrSIid2DQ6q80kv1zXPr4+Id6L0sJLxPCaXnTmNtasSw yedJJYxLjwhHJwtzFAeaq18H3O791YKhjAJ6YxK3zJ59jTE6Pkvqjq183f2PGHVR vgSN7aCmI6MBUUB5wDP2K8zX2sh40/uPDVSd6ei1vl3DpPk+h8iExx6AzbohfqZ+ 5RUUNx127L3MaQvOVC5TxV+R99gwKW++wzcVuO3m2KqVUj+K1uYBy3KBCUMBbckp EWGbN++jcdV5oJX6fsC66nOmKlntYwCL/pRww+oLsbzF8J3dxeDbKNF9JDsCAwEA AQKCAgBJF8TZJjlP5CQoGy227pNhkSpvH6HFY6qyuFZf09XfmrmHd4/Tiy41bRUx FO90iR7t8hFWYHqjf/k9eCtDdi164MGukYJqgVoQG6kYLLgCfI21DMlJk9otLFtu gnroRcP05EWhk9dpYONJgcGLMHSKj6n4x7nGTHe41HkbfcrB6ukiT7l4o4q5BAxb cFadMtoXr/ZvxJrIZgkddJ7snGHjBcP5DCkgM7MZy6aoilWv1/UNrOF9MdgNA9zz rrD3b136x7/XvqC6pS+bxuvJ8YK4R4qeu42NYT07GOcK/pk8lz0JWTodIt2eevqV 6lGFj7c2mv7PCpJRVgbVGL/RTVVap/+jbcRVLdnYKsII/dANG7iXnfwRgkLWet5D OOsPuvIuyiSaJIwcdRE3SSO+tZhKLt+gh/oLxBPw5Ex0FwsVTtYn3Q/X3EAx+Wph eFcRr3TVkDg0MfdWWkgk16DvYB5cWc29coTaH1g+2juadNHbtVAigwJorKc6sxH3 QGsW0WQJ8ZRZgJkSUuu3nr7QD3ZrgHptONQAh1RWGnIWi6OlMfaPdMo+SDnnL5SG mpOPjWadDc1XvMFnKQYMYB5GWU/ZNmnZmDLyg1Pc0Y+qRUc0s83nZFHN60KnUrSz 0MZDspSFtr0fMx0b2/EB4EbuXd3QjQURF6P6HtWBu6oFnzu1AQKCAQEA2R9BKJgJ vNP+DUu8NBzwmi0cKlAiaxt+w90i5DWq1XWPKgi+RVLkaQSJqHoYQVNgEwL/cWxp s2r3GCMNIdOrGdcm8dX/6UYFpRaFcViTycVEA7cwZOMppgqr2Q+ZYX42K7HObUVL JGvdEWWWfSsynUGsrG87DC1gl94ANxCdqkZdbW5d3X0w5v7M/1tlrmAeskZSZpeT 8BwwM6REb0U/B4/i8TLtLi/PGmMTOIxW41uKS/S6kq/gwyv+jNNO0ljhPt25iSbV K5ZHS4YuPKLl0tZMaOkPco9s6t4ES/Y317zQoTzUkAAkkFO4QPzRZL0ESqVBNR0h Ao7FLmFZzFHpoQKCAQEAxmZBn0UrJLXkD7bw66y4RwzjQYmxLlkEl3uvjrvVSuL1 mAHDW58aGIpFFZ8QSTtNewIBQYNifp/cdFHAagqtl/iMGEegaOpJAKu/ykrkfZUp 7mYDNng4ZWpypeKaGMAQoNzZiUpF+BDnqbeb/kgYu6sNlh9gRHR79rgAuZQxZ/1B tE8WcUFi4CnTq2QLqX4LwMuZHWXAJQoMoW3K5av+J544lIM6GdMJuIONtBBkKVQD ErrJ0bqYeykrFS6pKl/NBCZLGo5xFFRiYEdZ1GlA3uW3EGKppz6PS7194+x5UVts xZPUfkgdFjWCczkl4JDoWfaNn5sgXtiVbGh1n3gYWwKCAQB7vHEg1kyuXU4qe5/d PyTraIvlnVeQHNJIgy0QS3l5Pw8A0IzG6y+anehpqHNMP1zAWPQEytkOVAZPriIc xgl7p37dUa0PX0V2SPhxmR5YXeCeEXc197PTmb9H67jos8nhauqOoW/qaMJK2M9D tCubLUNf3eAT14R16CHNP93qnUE/TSeXQ3JsIofne0neb47u4F6zcuzvaNEbjSEn HJqID7sw5GoA6WQo0I+yqWAXICMXmHf/gtYfxGHEFeSUwexULH5BKG1R8sncw7J0 Ag3h8xkGrNON4SkcTLy8Iay/eS6YxRcKndo4mk2mU65tr77TX4xi3Z/jWkQLY5WO eJwhAoIBABO17wkSxyGDjJ/fDfpsE3bDmgRV2KuBHoqqOBvXH26sM7ghXLZKjT4o 5ooqXmTYJm91GIjYs71exnkr8hDW9L4nbEuxOgeSVyRg69H+NMshOaQ8sE8GDJxO wgsnAyY4Vq6UomwYW/E0RL/AxRezM/nZGaVzgo3qgLJXP4MwbOQm7hMq1FD2LQuW PDhH3Ty+kA5ca97W0Asd/3k+Pi0pNDvdZUOj8e7E369cKoTcKAdPGGsQ8aILhsCd q3EUTKwwDl8+KrH9utBJPejQzeTjfBVo/xH6q145QeVFcy9ku/zQN3M9p5vQMEuX j1lBMTkpTFw7uYBE2idyHw5BJoZsWQcCggEADfZTChqnOncItSflzGoaAACrr4/x KyT/4A+cPMCs11JN9J+EWsCezya2o1l/NF7YPcBR4qjCmFMEiq5GxH5fGLQp0aa7 V13mHA8XBQ25OW2K7BGJhMHdbuvTnl6jsOfC4+t7P2bUAYxoP6/ncxTzZ5OlBN5k aMv9firWl1kSKK75ww9DWn6j0rQ4dBetwX45EMcs+iKIdydg0fmJxR2EJ+uQsCFy xcWBEDqV7qLUi6UrAPL3v/DXUv9wKcKOTbKw/aNE8+YTWMUO330GCJ5cVU1eTL5t UrcNKOJkFIj7jJUCzv6vcy++hMJEbNXnnTVRnky6e9C2vwzMl33njntapg== -----END RSA PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/ec512-private.pem0000644000004100000410000000066412772730515021313 0ustar www-datawww-data-----BEGIN EC PARAMETERS----- BgUrgQQAIw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MIHcAgEBBEIB0/+ffxEj7j62xvGaB5pvzk888e412ESO/EK/K0QlS9dSF8+Rj1rG zqpRB8fvDnoe8xdmkW/W5GKzojMyv7YQYumgBwYFK4EEACOhgYkDgYYABAEw74Yw aTbPY6TtWmxx6LJDzCX2nKWCPnKdZcEH9Ncu8g5RjRBRq2yacja3OoS6nA2YeDng reBJxZr376P6Ns6XcQFWDA6K/MCTrEBCsPxXZNxd8KR9vMGWhgNtWRrcKzwJfQkr suyehZkbbYyFnAWyARKHZuV7VUXmeEmRS/f93MPqVA== -----END EC PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/rsa-4096-public.pem0000644000004100000410000000144012772730515021456 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqETmgWBi5rCmb7euJplA /9xs65+bncc9Yvs5zjyycXSW82JfRuyguGm0OvA2wog24dR4N2kT/87DcGtp5JqJ WADVFNr+2V2r6i57/OMLruRpn3p2r95dmo0COE+BxPFl7XEBT8JbH57ZtpgcB3/x kS14nLOWFf96hrXPlXJC+VMVKVZmA8k2LRh42vT5wUf4U0Doy/p7yFNSFFa6Q8ww e4TBy/z/f+rhFD1w8rxlYjallee/ocm7bjZCwbJGMm7orLViqWfsFX3O35PeoJ5h /7uJ7iRwvTFERkTdwWP/0BeKBeItBR3YFc2mut+V9W+WKRkMSL6Crc+oVSx3p8aB 7j9SZFzQiRtes4BYETpX1xl2mgIq5hvsFbLw7ESrlIodiwUMTrSIid2DQ6q80kv1 zXPr4+Id6L0sJLxPCaXnTmNtasSwyedJJYxLjwhHJwtzFAeaq18H3O791YKhjAJ6 YxK3zJ59jTE6Pkvqjq183f2PGHVRvgSN7aCmI6MBUUB5wDP2K8zX2sh40/uPDVSd 6ei1vl3DpPk+h8iExx6AzbohfqZ+5RUUNx127L3MaQvOVC5TxV+R99gwKW++wzcV uO3m2KqVUj+K1uYBy3KBCUMBbckpEWGbN++jcdV5oJX6fsC66nOmKlntYwCL/pRw w+oLsbzF8J3dxeDbKNF9JDsCAwEAAQ== -----END PUBLIC KEY----- jwt-1.5.6/spec/fixtures/certs/rsa-1024-public.pem0000644000004100000410000000042012772730515021437 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO/ahgFDvniFoQ1dm+MdnkBi+T s5W9AtQNgw4ZHIdPnqEzSgW70opKEu8hnlLqsIyU2BC2op/xOanipdbXObuFlA6b th1cYRI+YJlR3BbPGOIL6YbJud9m0gIsBlCDLm4e/E45ZS+emudISP7/SF7zxvxZ lnr1z7HTm7nIIVBvuQIDAQAB -----END PUBLIC KEY----- jwt-1.5.6/spec/fixtures/certs/rsa-2048-wrong-public.pem0000644000004100000410000000070312772730515022604 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzHAVGaW9j4l3/b4ngcjj oIoIcnsQEWOMqErb5VhLZMGIq1gEO5qxPDAwooKsNotzcAOB3ZyLn7p5D+dmOrNU YkYWgYITNGeSifrnVqQugd5Fh1L8K7zOGltUo2UtjbN4uJ56tzxBMZp2wejs2/Qu 0eu0xZK3To+YkDcWOk92rmNgmUSQC/kNyIOj+yBvOo3wTk6HvbhoIarCgJ6Lay1v /hMLyQLzwRY/Qfty1FTIDyTv2dch47FsfkZ1KAL+MbUnHuCBPzGxRjXa8Iy9Z7YG xrYasUt1b0um64bscxoIiCu8yLL8jlg01Rwrjr/MTwKRhwXlMp8B7HTonwtaG6ar JwIDAQAB -----END PUBLIC KEY----- jwt-1.5.6/spec/fixtures/certs/ec256-wrong-private.pem0000644000004100000410000000044612772730515022450 0ustar www-datawww-data-----BEGIN EC PARAMETERS----- BgUrgQQACg== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MHQCAQEEICfA4AaomONdmPTzeyrx5U/jugYXTERyb5U3ETTv7Hx7oAcGBSuBBAAK oUQDQgAEPmuXZT3jpJnEMVPOW6RMsmxeGLOCE1PN6fwvUwOsxv7YnyoQ5/bpo64n +Jp4slSl1aUNoCBF2oz9bS0iyBo3jg== -----END EC PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/ec384-public.pem0000644000004100000410000000032712772730515021122 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEkMGE4kb17tYTB3HkqLDLP/Ln+dLCSN47 ypHUpL7kQD8Us4ba1LwkA51bE4RauGjnWWWNaodhKyRrc5q8fqRLCbyZ73zkxtzR lCkWpXpPi0H1agFErwzCpcXZM9nuu7bK -----END PUBLIC KEY----- jwt-1.5.6/spec/fixtures/certs/ec384-private.pem0000644000004100000410000000054712772730515021322 0ustar www-datawww-data-----BEGIN EC PARAMETERS----- BgUrgQQAIg== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MIGkAgEBBDDxOljqUKw9YNhkluSJIBAYO1YXcNtS+vckd5hpTZ5toxsOlwbmyrnU Tn+D5Xma1m2gBwYFK4EEACKhZANiAASQwYTiRvXu1hMHceSosMs/8uf50sJI3jvK kdSkvuRAPxSzhtrUvCQDnVsThFq4aOdZZY1qh2ErJGtzmrx+pEsJvJnvfOTG3NGU KRalek+LQfVqAUSvDMKlxdkz2e67tso= -----END EC PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/ec384-wrong-private.pem0000644000004100000410000000054712772730515022454 0ustar www-datawww-data-----BEGIN EC PARAMETERS----- BgUrgQQAIg== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MIGkAgEBBDAfZW47dSKnC5JkSVOk1ERxCIi/IJ1p1WBnVGx4hnrNHy+dxtaZJaF+ YLInFQ/QbYegBwYFK4EEACKhZANiAAQwXkx4BFBGLXbzl5yVrfxK7er8hSi38iDE K2+7cdrR137Wn5JUnL4WTwXTzkyUgfBOL3sHNozwfgU03GD/EOUEKqzsIJiz2cbP bFALd4hS+8T4szDLVC9Jl1W6k0CAtmM= -----END EC PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/ec256-private.pem0000644000004100000410000000045612772730515021317 0ustar www-datawww-data-----BEGIN EC PARAMETERS----- BggqhkjOPQMBBw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MHcCAQEEIJmVse5uPfj6B4TcXrUAvf9/8pJh+KrKKYLNcmOnp/vPoAoGCCqGSM49 AwEHoUQDQgAEAr+WbDE5VtIDGhtYMxvEc6cMsDBc/DX1wuhIMu8dQzOLSt0tpqK9 MVfXbVfrKdayVFgoWzs8MilcYq0QIhKx/w== -----END EC PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/rsa-2048-wrong-private.pem0000644000004100000410000000321712772730515023003 0ustar www-datawww-data-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEAzHAVGaW9j4l3/b4ngcjjoIoIcnsQEWOMqErb5VhLZMGIq1gE O5qxPDAwooKsNotzcAOB3ZyLn7p5D+dmOrNUYkYWgYITNGeSifrnVqQugd5Fh1L8 K7zOGltUo2UtjbN4uJ56tzxBMZp2wejs2/Qu0eu0xZK3To+YkDcWOk92rmNgmUSQ C/kNyIOj+yBvOo3wTk6HvbhoIarCgJ6Lay1v/hMLyQLzwRY/Qfty1FTIDyTv2dch 47FsfkZ1KAL+MbUnHuCBPzGxRjXa8Iy9Z7YGxrYasUt1b0um64bscxoIiCu8yLL8 jlg01Rwrjr/MTwKRhwXlMp8B7HTonwtaG6arJwIDAQABAoIBAGFR4dmJusl/qW1T fj8cQLAFxaupxaZhe24J5NAyzgEy2Dqo9ariIwkB78UM66ozjEqAgOvcP+NTw5m8 kD/VapA1yTTxlO7XdzzUAhiOo80S4IphCMZRZNPLMmluGtdf3lIUr1pXBrn0TCBX H5o9jaREzpNXGof9d6T/dEdh2J9+uE/p1xE5GSxQfaPheZzCG7636La/DcArg/UR +TusPqp62BEmk96pE/KKJRmEeH+WnPfSh6sMpLxi3hkEU7AynpliGT6Z6xV4csBI S/rdpkcj5DWpbnQzkwdrnL2Q+POEq/vlx5/NlezvtQPNLvQWDyY4yBCoMKGb3EbX xrxP7MECgYEA/kwe4P0Mqk+087IyhjDBGPfcMt8gfYc9nzNfIYSWdSwuSag/hqHq I4GwHQzUV9ix3iM6w5hin10yAzWxCYZg9hquV+lSvNNpGB76FX6oOqwuAhyQMRwv eW+VUyfFXeJugwL5JuIaNTvwPpQVDHYtELLifie+uzJ5HC6dhg/XchcCgYEAzc5/ +IXjOlExd/mBgFk/5Y87ifA0ZOgbaJXifYgU0aNSgz1piHxU3n2p4jJ9lSdwwCl2 Fb5EN7666t20PL5QcXJ5ZdaTRLzRlYiqTWzfYHBgttbB1Jl3Ed9GsKuzRgaRqGFC ANJSqZlKG0NZ3keRtuKdFwq+IVOnsQr9g0TZiXECgYEAqUgtCiMKCloTIGMQpSnR cXiWWjsUmturls4Q1vQ3YHrvuVLKLyqb/dT4Uu5WcMAs765OESThCit0/pQAbVHK PCpYwubskAzAGjGM00BEZwJ1gixXhIm5xMIWCowgI7Z3ULlq+IptXeCvtkjHlksZ BtO+WLLGkkEwRCV38WWcSzMCgYA/Xxqgl/mD94RYAQgTUWgPc69Nph08BQyLg7ue E8z1UGkT6FEaqc4oRGGPOSTaTK63PQ0TXOb8k0pTD7l0CtYSWMFwzkXCoLGYbeCi vqd5tqDRLAe7QxYa9rl5pSUqptMrGeeNATZa6sya4H5Hp5oCyny8n54z/OJh7ZRq W0TwwQKBgQDDP7ksm2pcqadaVAmODdOlaDHbaEcxp8wN7YVz0lM3UpJth96ukbj7 S39eJhXYWOn6oJQb/lN9fGOYqjg3y6IchGZDp67ATvWYvn/NY0R7mt4K4oHx5TuN rSQlP3WmOGv8Kemw892uRfW/jZyBEHhsfS213WDttVPn9F635GdNWw== -----END RSA PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/ec512-wrong-private.pem0000644000004100000410000000066012772730515022441 0ustar www-datawww-data-----BEGIN EC PARAMETERS----- BgUrgQQAIw== -----END EC PARAMETERS----- -----BEGIN EC PRIVATE KEY----- MIHbAgEBBEG/KbA2oCbiCT6L3V8XSz2WKBy0XhGvIFbl/ZkXIXnkYt+1B7wViSVo KCHuMFsi6xU/5nE1EuDG2UsQJmKeAMkIOKAHBgUrgQQAI6GBiQOBhgAEAG0TFWe5 cZ5DZIyfuysrCoQySTNxd+aT8sPIxsx7mW6YBTsuO6rEgxyegd2Auy4xtikxpzKv soMXR02999Aaus2jAAt/wxrhhr41BDP4MV0b6Zngb72hna0pcGqit5OyU8AbOJUZ +rdyowRGsOY+aPbOyVhdNcsEdxYC8GdIyCQLBC1H -----END EC PRIVATE KEY----- jwt-1.5.6/spec/fixtures/certs/ec256-wrong-public.pem0000644000004100000410000000025612772730515022253 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MFYwEAYHKoZIzj0CAQYFK4EEAAoDQgAEPmuXZT3jpJnEMVPOW6RMsmxeGLOCE1PN 6fwvUwOsxv7YnyoQ5/bpo64n+Jp4slSl1aUNoCBF2oz9bS0iyBo3jg== -----END PUBLIC KEY----- jwt-1.5.6/spec/fixtures/certs/rsa-2048-public.pem0000644000004100000410000000070312772730515021452 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4GzZTLU48c4WbyvHi+QK rB71x+T0eq5hqDbQqnlYjhD1Ika7io1iplsdJWJuyxfYbUkb2Ol0fj4koZ/GS6lg CZr4+8UHbr1qf0Eu5HZSpszs2YxY8U5RHnrpw67co7hlgAR9HbyNf5XIYgLV9ldH H/eazwnc3F/hgNsV0xjScVilejgocJ4zcsyymvW8t42lteM7bI867ZuJhGop/V+Y 0HFyrMsPoQyLuCUpr6ulOfrkr7ZOdhAIG8r1HcjOp/AUjM15vfXcbUZjkM/Vloif X1YitU3upMGJ8/DpFGffMOImrn5r6BT494V8rRyN2qvQoAkLJpqZ0avLxwiR2lgV QQIDAQAB -----END PUBLIC KEY----- jwt-1.5.6/spec/fixtures/certs/ec512-public.pem0000644000004100000410000000041412772730515021110 0ustar www-datawww-data-----BEGIN PUBLIC KEY----- MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBMO+GMGk2z2Ok7VpsceiyQ8wl9pyl gj5ynWXBB/TXLvIOUY0QUatsmnI2tzqEupwNmHg54K3gScWa9++j+jbOl3EBVgwO ivzAk6xAQrD8V2TcXfCkfbzBloYDbVka3Cs8CX0JK7LsnoWZG22MhZwFsgESh2bl e1VF5nhJkUv3/dzD6lQ= -----END PUBLIC KEY----- jwt-1.5.6/spec/integration/0000755000004100000410000000000012772730515015645 5ustar www-datawww-datajwt-1.5.6/spec/integration/readme_examples_spec.rb0000644000004100000410000001225212772730515022341 0ustar www-datawww-data# frozen_string_literal: true require_relative '../spec_helper' require 'jwt' describe 'README.md code test' do context 'algorithm usage' do let(:payload) { { data: 'test' } } it 'NONE' do token = JWT.encode payload, nil, 'none' decoded_token = JWT.decode token, nil, false expect(token).to eq 'eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJkYXRhIjoidGVzdCJ9.' expect(decoded_token).to eq [ { 'data' => 'test' }, { 'typ' => 'JWT', 'alg' => 'none' } ] end it 'HMAC' do token = JWT.encode payload, 'my$ecretK3y', 'HS256' decoded_token = JWT.decode token, 'my$ecretK3y', false expect(token).to eq 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoidGVzdCJ9.ZxW8go9hz3ETCSfxFxpwSkYg_602gOPKearsf6DsxgY' expect(decoded_token).to eq [ { 'data' => 'test' }, { 'typ' => 'JWT', 'alg' => 'HS256' } ] end it 'RSA' do rsa_private = OpenSSL::PKey::RSA.generate 2048 rsa_public = rsa_private.public_key token = JWT.encode payload, rsa_private, 'RS256' decoded_token = JWT.decode token, rsa_public, true, algorithm: 'RS256' expect(decoded_token).to eq [ { 'data' => 'test' }, { 'typ' => 'JWT', 'alg' => 'RS256' } ] end it 'ECDSA' do ecdsa_key = OpenSSL::PKey::EC.new 'prime256v1' ecdsa_key.generate_key ecdsa_public = OpenSSL::PKey::EC.new ecdsa_key ecdsa_public.private_key = nil token = JWT.encode payload, ecdsa_key, 'ES256' decoded_token = JWT.decode token, ecdsa_public, true, algorithm: 'ES256' expect(decoded_token).to eq [ { 'data' => 'test' }, { 'typ' => 'JWT', 'alg' => 'ES256' } ] end end context 'claims' do let(:hmac_secret) { 'MyP4ssW0rD' } context 'exp' do it 'without leeway' do exp = Time.now.to_i + 4 * 3600 exp_payload = { data: 'data', exp: exp } token = JWT.encode exp_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, algorithm: 'HS256' end.not_to raise_error end it 'with leeway' do exp = Time.now.to_i - 10 leeway = 30 # seconds exp_payload = { data: 'data', exp: exp } token = JWT.encode exp_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, leeway: leeway, algorithm: 'HS256' end.not_to raise_error end end context 'nbf' do it 'without leeway' do nbf = Time.now.to_i - 3600 nbf_payload = { data: 'data', nbf: nbf } token = JWT.encode nbf_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, algorithm: 'HS256' end.not_to raise_error end it 'with leeway' do nbf = Time.now.to_i + 10 leeway = 30 nbf_payload = { data: 'data', nbf: nbf } token = JWT.encode nbf_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, leeway: leeway, algorithm: 'HS256' end.not_to raise_error end end it 'iss' do iss = 'My Awesome Company Inc. or https://my.awesome.website/' iss_payload = { data: 'data', iss: iss } token = JWT.encode iss_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, iss: iss, algorithm: 'HS256' end.not_to raise_error end context 'aud' do it 'array' do aud = %w(Young Old) aud_payload = { data: 'data', aud: aud } token = JWT.encode aud_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, aud: %w(Old Young), verify_aud: true, algorithm: 'HS256' end.not_to raise_error end it 'string' do expect do end.not_to raise_error end end it 'jti' do iat = Time.now.to_i hmac_secret = 'test' jti_raw = [hmac_secret, iat].join(':').to_s jti = Digest::MD5.hexdigest(jti_raw) jti_payload = { data: 'data', iat: iat, jti: jti } token = JWT.encode jti_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, verify_jti: true, algorithm: 'HS256' end.not_to raise_error end context 'iat' do it 'without leeway' do iat = Time.now.to_i iat_payload = { data: 'data', iat: iat } token = JWT.encode iat_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, verify_iat: true, algorithm: 'HS256' end.not_to raise_error end it 'with leeway' do iat = Time.now.to_i - 7 iat_payload = { data: 'data', iat: iat, leeway: 10 } token = JWT.encode iat_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, verify_iat: true, algorithm: 'HS256' end.not_to raise_error end end it 'sub' do sub = 'Subject' sub_payload = { data: 'data', sub: sub } token = JWT.encode sub_payload, hmac_secret, 'HS256' expect do JWT.decode token, hmac_secret, true, 'sub' => sub, :verify_sub => true, :algorithm => 'HS256' end.not_to raise_error end end end jwt-1.5.6/spec/jwt_spec.rb0000644000004100000410000002142012772730515015464 0ustar www-datawww-datarequire 'spec_helper' require 'jwt' require 'jwt/decode' describe JWT do let(:payload) { { 'user_id' => 'some@user.tld' } } let :data do { :secret => 'My$ecretK3y', :rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-private.pem'))), :rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-public.pem'))), :wrong_rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))), :wrong_rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem'))), 'ES256_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-private.pem'))), 'ES256_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-public.pem'))), 'ES384_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-private.pem'))), 'ES384_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec384-public.pem'))), 'ES512_private' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-private.pem'))), 'ES512_public' => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec512-public.pem'))), 'NONE' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.', 'HS256' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.tCGvlClld0lbQ3NZaH8y53n5RSBr3zlS4Oy5bXqvzZQ', 'HS384' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.sj1gc01SawlJSrPZgmveifJ8CzZRYAWjejWm4FRaGaAISESJ9Ncf12fCz2vHrITm', 'HS512' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.isjhsWMZpRQOWw6LKtlY4L6tMDNkLr0qZ3bQe_xRFXWhzVvJlkclTbLVa1J6Dlj2WyZ_I1jEobTaFMDoXPzwWg', 'RS256' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.u82QrhjZTtwve5akvfWS_4LPywbkb1Yp0nUwZJWtTW0ID7dY9rRiQF5KGj2UDLZotqRlUjyNQgE_hB5BBzICDQdCjQHQoYWE5n_D2wV4PMu7Qg3FVKoBFbf8ee6irodu10fgYxpUIZtvbWw52_6k6A9IoSLSzx_lCcxoVGdW90dUuKhBcZkDtY5WNuQg7MiDthupSL1-V4Y1jmT_7o8tLNGFiocyZfGNw4yGpEOGNvD5WePNit0xsnbj6dEquovUvSFKsMaQXp2PVDEkLOiLMcyk0RrHqrHw2eNSCquWTH8PhX5Up-CVmjQM5zF9ibkaiq8NyPtsy-7rgtbyVMqXBQ', 'RS384' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzM4NCJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.2_jPwOsUWJ-3r6lXMdJGPdhLNJQSSEmY2mrDXCwNJk-2YhMIqKAzJJCbyso_A1hS7BVkXmHt54RCcNJXroZBOgmGavCcYTPMaT6sCvVVvJJ_wn7jzKHNAJfL5nWeynTQIBWmL-m_v9QpZAgPALdeqjPRv4JHePZm23kvrUgQOxef2ldXv1l6IB3zfF72uEbk9T5pKBvgeeeQ46xm_HtkpXqMdqcTHawUXeXhuiWxuWfy9pAvhm8ivxwJhiQ15-sQNBlS9lG1_gQz1xaZ_Ou_n1nhNfGwpK5HeS0AgmqsqyCOvaGHeAuAOPZ_dSC3cFKu2AP7kc6_AKBgwJzh4agkXg', 'RS512' => 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzUxMiJ9.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.abwof7BqTvuLkN69OhEuFTP7vjGzfvAvooQdwIRne_a88MsjCq31n4UPvyIlY9_8u69rpU79RbMsrq_UZ6L85zP83EcyYI-HOfFZgYDAL3DJ7biBD99JTzyOsH_2i_E6yCkevjEX6uL_Am_C7jpWyePJQkYzTFni6mW4W1T9UobiVGA1tIZ-XOJDPHHxZkGu6W8lKW0UCsr9Ge2SCSlTs_LDSOa34gqMC5GP89unhLqSMqEMJ_Nm6Rj0rnmk87wBZM-b04LLteWuEU59QDNa4nMTjfXW74U4hX9n5EECDPQdQMecgxlUbFunAfZaoNzP4m7H4vux2FzYkjkXhdqnnw', 'ES256' => '', 'ES384' => '', 'ES512' => '' } end after(:each) do expect(OpenSSL.errors).to be_empty end context 'alg: NONE' do let(:alg) { 'none' } it 'should generate a valid token' do token = JWT.encode payload, nil, alg expect(token).to eq data['NONE'] end it 'should decode a valid token' do jwt_payload, header = JWT.decode data['NONE'], nil, false expect(header['alg']).to eq alg expect(jwt_payload).to eq payload end it 'should display a better error message if payload exp is_a?(Time)' do payload['exp'] = Time.now expect do JWT.encode payload, nil, alg end.to raise_error JWT::InvalidPayload end end %w(HS256 HS384 HS512).each do |alg| context "alg: #{alg}" do it 'should generate a valid token' do token = JWT.encode payload, data[:secret], alg expect(token).to eq data[alg] end it 'should decode a valid token' do jwt_payload, header = JWT.decode data[alg], data[:secret] expect(header['alg']).to eq alg expect(jwt_payload).to eq payload end it 'wrong secret should raise JWT::DecodeError' do expect do JWT.decode data[alg], 'wrong_secret' end.to raise_error JWT::DecodeError end it 'wrong secret and verify = false should not raise JWT::DecodeError' do expect do JWT.decode data[alg], 'wrong_secret', false end.not_to raise_error end end end %w(RS256 RS384 RS512).each do |alg| context "alg: #{alg}" do it 'should generate a valid token' do token = JWT.encode payload, data[:rsa_private], alg expect(token).to eq data[alg] end it 'should decode a valid token' do jwt_payload, header = JWT.decode data[alg], data[:rsa_public] expect(header['alg']).to eq alg expect(jwt_payload).to eq payload end it 'wrong key should raise JWT::DecodeError' do key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem')) expect do JWT.decode data[alg], key end.to raise_error JWT::DecodeError end it 'wrong key and verify = false should not raise JWT::DecodeError' do key = OpenSSL::PKey.read File.read(File.join(CERT_PATH, 'rsa-2048-wrong-public.pem')) expect do JWT.decode data[alg], key, false end.not_to raise_error end end end %w(ES256 ES384 ES512).each do |alg| context "alg: #{alg}" do before(:each) do data[alg] = JWT.encode payload, data["#{alg}_private"], alg end let(:wrong_key) { OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'ec256-wrong-public.pem'))) } it 'should generate a valid token' do jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"] expect(header['alg']).to eq alg expect(jwt_payload).to eq payload end it 'should decode a valid token' do jwt_payload, header = JWT.decode data[alg], data["#{alg}_public"] expect(header['alg']).to eq alg expect(jwt_payload).to eq payload end it 'wrong key should raise JWT::DecodeError' do expect do JWT.decode data[alg], wrong_key end.to raise_error JWT::DecodeError end it 'wrong key and verify = false should not raise JWT::DecodeError' do expect do JWT.decode data[alg], wrong_key, false end.not_to raise_error end end end context 'Invalid' do it 'algorithm should raise NotImplementedError' do expect do JWT.encode payload, 'secret', 'HS255' end.to raise_error NotImplementedError end it 'ECDSA curve_name should raise JWT::IncorrectAlgorithm' do key = OpenSSL::PKey::EC.new 'secp256k1' key.generate_key expect do JWT.encode payload, key, 'ES256' end.to raise_error JWT::IncorrectAlgorithm token = JWT.encode payload, data['ES256_private'], 'ES256' key.private_key = nil expect do JWT.decode token, key end.to raise_error JWT::IncorrectAlgorithm end end context 'Verify' do context 'algorithm' do it 'should raise JWT::IncorrectAlgorithm on missmatch' do token = JWT.encode payload, data[:secret], 'HS512' expect do JWT.decode token, data[:secret], true, algorithm: 'HS384' end.to raise_error JWT::IncorrectAlgorithm expect do JWT.decode token, data[:secret], true, algorithm: 'HS512' end.not_to raise_error end end context 'issuer claim' do let(:iss) { 'ruby-jwt-gem' } let(:invalid_token) { JWT.encode payload, data[:secret] } let :token do iss_payload = payload.merge(iss: iss) JWT.encode iss_payload, data[:secret] end it 'if verify_iss is set to false (default option) should not raise JWT::InvalidIssuerError' do expect do JWT.decode token, data[:secret], true, iss: iss end.not_to raise_error end end end context 'Base64' do it 'urlsafe replace + / with - _' do allow(Base64).to receive(:encode64) { 'string+with/non+url-safe/characters_' } expect(JWT.base64url_encode('foo')).to eq('string-with_non-url-safe_characters_') end end describe 'secure comparison' do it 'returns true if strings are equal' do expect(JWT.secure_compare('Foo', 'Foo')).to eq true end it 'returns false if either input is nil or empty' do [nil, ''].each do |bad| expect(JWT.secure_compare(bad, 'Foo')).to eq false expect(JWT.secure_compare('Foo', bad)).to eq false end end it 'retuns false if the strings are different' do expect(JWT.secure_compare('Foo', 'Bar')).to eq false end end end jwt-1.5.6/spec/jwt/0000755000004100000410000000000012772730515014126 5ustar www-datawww-datajwt-1.5.6/spec/jwt/verify_spec.rb0000644000004100000410000001566212772730515017003 0ustar www-datawww-data# frozen_string_literal: true require 'spec_helper' require 'jwt/verify' module JWT RSpec.describe Verify do let(:base_payload) { { 'user_id' => 'some@user.tld' } } let(:options) { { leeway: 0 } } context '.verify_aud(payload, options)' do let(:scalar_aud) { 'ruby-jwt-audience' } let(:array_aud) { %w(ruby-jwt-aud test-aud ruby-ruby-ruby) } let(:scalar_payload) { base_payload.merge('aud' => scalar_aud) } let(:array_payload) { base_payload.merge('aud' => array_aud) } it 'must raise JWT::InvalidAudError when the singular audience does not match' do expect do Verify.verify_aud(scalar_payload, options.merge(aud: 'no-match')) end.to raise_error JWT::InvalidAudError end it 'must raise JWT::InvalidAudError when the payload has an array and none match the supplied value' do expect do Verify.verify_aud(array_payload, options.merge(aud: 'no-match')) end.to raise_error JWT::InvalidAudError end it 'must raise JWT::InvalidAudError when the singular audience does not match and the options aud key is a string' do expect do Verify.verify_aud(scalar_payload, options.merge('aud' => 'no-match')) end.to raise_error JWT::InvalidAudError end it 'must allow a matching singular audience to pass' do Verify.verify_aud(scalar_payload, options.merge(aud: scalar_aud)) end it 'must allow a matching audence to pass when the options key is a string' do Verify.verify_aud(scalar_payload, options.merge('aud' => scalar_aud)) end it 'must allow an array with any value matching the one in the options' do Verify.verify_aud(array_payload, options.merge(aud: array_aud.first)) end it 'must allow an array with any value matching the one in the options with a string options key' do Verify.verify_aud(array_payload, options.merge('aud' => array_aud.first)) end it 'should allow strings or symbolds in options array' do options['aud'] = [ 'ruby-jwt-aud', 'test-aud', 'ruby-ruby-ruby', :test ] array_payload['aud'].push('test') Verify.verify_aud(array_payload, options) end end context '.verify_expiration(payload, options)' do let(:leeway) { 10 } let(:payload) { base_payload.merge('exp' => (Time.now.to_i - 5)) } it 'must raise JWT::ExpiredSignature when the token has expired' do expect do Verify.verify_expiration(payload, options) end.to raise_error JWT::ExpiredSignature end it 'must allow some leeway in the expiration when configured' do Verify.verify_expiration(payload, options.merge(leeway: 10)) end it 'must be expired if the exp claim equals the current time' do payload['exp'] = Time.now.to_i expect do Verify.verify_expiration(payload, options) end.to raise_error JWT::ExpiredSignature end end context '.verify_iat(payload, options)' do let(:iat) { Time.now.to_f } let(:payload) { base_payload.merge('iat' => iat) } it 'must allow a valid iat' do Verify.verify_iat(payload, options) end it 'must allow configured leeway' do Verify.verify_iat(payload.merge('iat' => (iat + 60)), options.merge(leeway: 70)) end it 'must properly handle integer times' do Verify.verify_iat(payload.merge('iat' => Time.now.to_i), options) end it 'must raise JWT::InvalidIatError when the iat value is not Numeric' do expect do Verify.verify_iat(payload.merge('iat' => 'not a number'), options) end.to raise_error JWT::InvalidIatError end it 'must raise JWT::InvalidIatError when the iat value is in the future' do expect do Verify.verify_iat(payload.merge('iat' => (iat + 120)), options) end.to raise_error JWT::InvalidIatError end end context '.verify_iss(payload, options)' do let(:iss) { 'ruby-jwt-gem' } let(:payload) { base_payload.merge('iss' => iss) } let(:invalid_token) { JWT.encode base_payload, payload[:secret] } it 'must raise JWT::InvalidIssuerError when the configured issuer does not match the payload issuer' do expect do Verify.verify_iss(payload, options.merge(iss: 'mismatched-issuer')) end.to raise_error JWT::InvalidIssuerError end it 'must raise JWT::InvalidIssuerError when the payload does not include an issuer' do expect do Verify.verify_iss(base_payload, options.merge(iss: iss)) end.to raise_error(JWT::InvalidIssuerError, /received /) end it 'must allow a matching issuer to pass' do Verify.verify_iss(payload, options.merge(iss: iss)) end end context '.verify_jti(payload, options)' do let(:payload) { base_payload.merge('jti' => 'some-random-uuid-or-whatever') } it 'must allow any jti when the verfy_jti key in the options is truthy but not a proc' do Verify.verify_jti(payload, options.merge(verify_jti: true)) end it 'must raise JWT::InvalidJtiError when the jti is missing' do expect do Verify.verify_jti(base_payload, options) end.to raise_error JWT::InvalidJtiError, /missing/i end it 'must raise JWT::InvalidJtiError when the jti is an empty string' do expect do Verify.verify_jti(base_payload.merge('jti' => ' '), options) end.to raise_error JWT::InvalidJtiError, /missing/i end it 'must raise JWT::InvalidJtiError when verify_jti proc returns false' do expect do Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti) { false })) end.to raise_error JWT::InvalidJtiError, /invalid/i end it 'true proc should not raise JWT::InvalidJtiError' do Verify.verify_jti(payload, options.merge(verify_jti: ->(_jti) { true })) end end context '.verify_not_before(payload, options)' do let(:payload) { base_payload.merge('nbf' => (Time.now.to_i + 5)) } it 'must raise JWT::ImmatureSignature when the nbf in the payload is in the future' do expect do Verify.verify_not_before(payload, options) end.to raise_error JWT::ImmatureSignature end it 'must allow some leeway in the token age when configured' do Verify.verify_not_before(payload, options.merge(leeway: 10)) end end context '.verify_sub(payload, options)' do let(:sub) { 'ruby jwt subject' } it 'must raise JWT::InvalidSubError when the subjects do not match' do expect do Verify.verify_sub(base_payload.merge('sub' => 'not-a-match'), options.merge(sub: sub)) end.to raise_error JWT::InvalidSubError end it 'must allow a matching sub' do Verify.verify_sub(base_payload.merge('sub' => sub), options.merge(sub: sub)) end end end end jwt-1.5.6/.travis.yml0000644000004100000410000000034612772730515014504 0ustar www-datawww-datasudo: false cache: bundler language: ruby rvm: - 1.9.3 - 2.0.0 - 2.1.0 - 2.2.0 - 2.3.0 script: "bundle exec rspec" addons: code_climate: repo_token: e87b175db123ab42ca2ca4420abaa13c0dc2085608402b9a25f08a83ca3ba202 jwt-1.5.6/lib/0000755000004100000410000000000012772730515013136 5ustar www-datawww-datajwt-1.5.6/lib/jwt.rb0000644000004100000410000001453512772730515014277 0ustar www-datawww-data# frozen_string_literal: true require 'base64' require 'openssl' require 'jwt/decode' require 'jwt/error' require 'jwt/json' # JSON Web Token implementation # # Should be up to date with the latest spec: # https://tools.ietf.org/html/rfc7519#section-4.1.5 module JWT extend JWT::Json NAMED_CURVES = { 'prime256v1' => 'ES256', 'secp384r1' => 'ES384', 'secp521r1' => 'ES512' }.freeze DEFAULT_OPTIONS = { verify_expiration: true, verify_not_before: true, verify_iss: false, verify_iat: false, verify_jti: false, verify_aud: false, verify_sub: false, leeway: 0 }.freeze module_function def sign(algorithm, msg, key) if %w(HS256 HS384 HS512).include?(algorithm) sign_hmac(algorithm, msg, key) elsif %w(RS256 RS384 RS512).include?(algorithm) sign_rsa(algorithm, msg, key) elsif %w(ES256 ES384 ES512).include?(algorithm) sign_ecdsa(algorithm, msg, key) else raise NotImplementedError, 'Unsupported signing method' end end def sign_rsa(algorithm, msg, private_key) private_key.sign(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), msg) end def sign_ecdsa(algorithm, msg, private_key) key_algorithm = NAMED_CURVES[private_key.group.curve_name] if algorithm != key_algorithm raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} signing key was provided" end digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha')) asn1_to_raw(private_key.dsa_sign_asn1(digest.digest(msg)), private_key) end def verify_rsa(algorithm, public_key, signing_input, signature) public_key.verify(OpenSSL::Digest.new(algorithm.sub('RS', 'sha')), signature, signing_input) end def verify_ecdsa(algorithm, public_key, signing_input, signature) key_algorithm = NAMED_CURVES[public_key.group.curve_name] if algorithm != key_algorithm raise IncorrectAlgorithm, "payload algorithm is #{algorithm} but #{key_algorithm} verification key was provided" end digest = OpenSSL::Digest.new(algorithm.sub('ES', 'sha')) public_key.dsa_verify_asn1(digest.digest(signing_input), raw_to_asn1(signature, public_key)) end def sign_hmac(algorithm, msg, key) OpenSSL::HMAC.digest(OpenSSL::Digest.new(algorithm.sub('HS', 'sha')), key, msg) end def base64url_encode(str) Base64.encode64(str).tr('+/', '-_').gsub(/[\n=]/, '') end def encoded_header(algorithm = 'HS256', header_fields = {}) header = { 'typ' => 'JWT', 'alg' => algorithm }.merge(header_fields) base64url_encode(encode_json(header)) end def encoded_payload(payload) raise InvalidPayload, 'exp claim must be an integer' if payload['exp'] && payload['exp'].is_a?(Time) base64url_encode(encode_json(payload)) end def encoded_signature(signing_input, key, algorithm) if algorithm == 'none' '' else signature = sign(algorithm, signing_input, key) base64url_encode(signature) end end def encode(payload, key, algorithm = 'HS256', header_fields = {}) algorithm ||= 'none' segments = [] segments << encoded_header(algorithm, header_fields) segments << encoded_payload(payload) segments << encoded_signature(segments.join('.'), key, algorithm) segments.join('.') end def decoded_segments(jwt, key = nil, verify = true, custom_options = {}, &keyfinder) raise(JWT::DecodeError, 'Nil JSON web token') unless jwt merged_options = DEFAULT_OPTIONS.merge(custom_options) decoder = Decode.new jwt, key, verify, merged_options, &keyfinder decoder.decode_segments end def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder) raise(JWT::DecodeError, 'Nil JSON web token') unless jwt merged_options = DEFAULT_OPTIONS.merge(custom_options) decoder = Decode.new jwt, key, verify, merged_options, &keyfinder header, payload, signature, signing_input = decoder.decode_segments decode_verify_signature(key, header, signature, signing_input, merged_options, &keyfinder) if verify decoder.verify raise(JWT::DecodeError, 'Not enough or too many segments') unless header && payload [payload, header] end def decode_verify_signature(key, header, signature, signing_input, options, &keyfinder) algo, key = signature_algorithm_and_key(header, key, &keyfinder) if options[:algorithm] && algo != options[:algorithm] raise JWT::IncorrectAlgorithm, 'Expected a different algorithm' end verify_signature(algo, key, signing_input, signature) end def signature_algorithm_and_key(header, key, &keyfinder) key = yield(header) if keyfinder [header['alg'], key] end def verify_signature(algo, key, signing_input, signature) verify_signature_algo(algo, key, signing_input, signature) rescue OpenSSL::PKey::PKeyError raise JWT::VerificationError, 'Signature verification raised' ensure OpenSSL.errors.clear end def verify_signature_algo(algo, key, signing_input, signature) if %w(HS256 HS384 HS512).include?(algo) raise(JWT::VerificationError, 'Signature verification raised') unless secure_compare(signature, sign_hmac(algo, signing_input, key)) elsif %w(RS256 RS384 RS512).include?(algo) raise(JWT::VerificationError, 'Signature verification raised') unless verify_rsa(algo, key, signing_input, signature) elsif %w(ES256 ES384 ES512).include?(algo) raise(JWT::VerificationError, 'Signature verification raised') unless verify_ecdsa(algo, key, signing_input, signature) else raise JWT::VerificationError, 'Algorithm not supported' end end # From devise # constant-time comparison algorithm to prevent timing attacks def secure_compare(a, b) return false if a.nil? || b.nil? || a.empty? || b.empty? || a.bytesize != b.bytesize l = a.unpack "C#{a.bytesize}" res = 0 b.each_byte { |byte| res |= byte ^ l.shift } res.zero? end def raw_to_asn1(signature, private_key) byte_size = (private_key.group.degree + 7) / 8 r = signature[0..(byte_size - 1)] s = signature[byte_size..-1] OpenSSL::ASN1::Sequence.new([r, s].map { |int| OpenSSL::ASN1::Integer.new(OpenSSL::BN.new(int, 2)) }).to_der end def asn1_to_raw(signature, public_key) byte_size = (public_key.group.degree + 7) / 8 OpenSSL::ASN1.decode(signature).value.map { |value| value.value.to_s(2).rjust(byte_size, "\x00") }.join end def base64url_decode(str) Decode.base64url_decode(str) end end jwt-1.5.6/lib/jwt/0000755000004100000410000000000012772730515013742 5ustar www-datawww-datajwt-1.5.6/lib/jwt/decode.rb0000644000004100000410000000317412772730515015517 0ustar www-datawww-data# frozen_string_literal: true require 'jwt/json' require 'jwt/verify' # JWT::Decode module module JWT extend JWT::Json # Decoding logic for JWT class Decode attr_reader :header, :payload, :signature def initialize(jwt, key, verify, options, &keyfinder) @jwt = jwt @key = key @verify = verify @options = options @keyfinder = keyfinder end def decode_segments header_segment, payload_segment, crypto_segment = raw_segments(@jwt, @verify) @header, @payload = decode_header_and_payload(header_segment, payload_segment) @signature = Decode.base64url_decode(crypto_segment.to_s) if @verify signing_input = [header_segment, payload_segment].join('.') [@header, @payload, @signature, signing_input] end def raw_segments(jwt, verify) segments = jwt.split('.') required_num_segments = verify ? [3] : [2, 3] raise(JWT::DecodeError, 'Not enough or too many segments') unless required_num_segments.include? segments.length segments end private :raw_segments def decode_header_and_payload(header_segment, payload_segment) header = JWT.decode_json(Decode.base64url_decode(header_segment)) payload = JWT.decode_json(Decode.base64url_decode(payload_segment)) [header, payload] end private :decode_header_and_payload def self.base64url_decode(str) str += '=' * (4 - str.length.modulo(4)) Base64.decode64(str.tr('-_', '+/')) end def verify @options.each do |key, val| next unless key.to_s =~ /verify/ Verify.send(key, payload, @options) if val end end end end jwt-1.5.6/lib/jwt/json.rb0000644000004100000410000000052012772730515015235 0ustar www-datawww-data# frozen_string_literal: true require 'json' module JWT # JSON fallback implementation or ruby 1.8.x module Json def decode_json(encoded) JSON.parse(encoded) rescue JSON::ParserError raise JWT::DecodeError, 'Invalid segment encoding' end def encode_json(raw) JSON.generate(raw) end end end jwt-1.5.6/lib/jwt/verify.rb0000644000004100000410000000563512772730515015604 0ustar www-datawww-data# frozen_string_literal: true require 'jwt/error' module JWT # JWT verify methods class Verify class << self %w(verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub).each do |method_name| define_method method_name do |payload, options| new(payload, options).send(method_name) end end end def initialize(payload, options) @payload = payload @options = options end def verify_aud return unless (options_aud = extract_option(:aud)) if @payload['aud'].is_a?(Array) verify_aud_array(@payload['aud'], options_aud) else raise( JWT::InvalidAudError, "Invalid audience. Expected #{options_aud}, received #{@payload['aud'] || ''}" ) unless @payload['aud'].to_s == options_aud.to_s end end def verify_aud_array(audience, options_aud) if options_aud.is_a?(Array) options_aud.each do |aud| raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(aud.to_s) end else raise(JWT::InvalidAudError, 'Invalid audience') unless audience.include?(options_aud.to_s) end end def verify_expiration return unless @payload.include?('exp') if @payload['exp'].to_i <= (Time.now.to_i - leeway) raise(JWT::ExpiredSignature, 'Signature has expired') end end def verify_iat return unless @payload.include?('iat') if !@payload['iat'].is_a?(Numeric) || @payload['iat'].to_f > (Time.now.to_f + leeway) raise(JWT::InvalidIatError, 'Invalid iat') end end def verify_iss return unless (options_iss = extract_option(:iss)) if @payload['iss'].to_s != options_iss.to_s raise( JWT::InvalidIssuerError, "Invalid issuer. Expected #{options_iss}, received #{@payload['iss'] || ''}" ) end end def verify_jti options_verify_jti = extract_option(:verify_jti) if options_verify_jti.respond_to?(:call) raise(JWT::InvalidJtiError, 'Invalid jti') unless options_verify_jti.call(@payload['jti']) else raise(JWT::InvalidJtiError, 'Missing jti') if @payload['jti'].to_s.strip.empty? end end def verify_not_before return unless @payload.include?('nbf') if @payload['nbf'].to_i > (Time.now.to_i + leeway) raise(JWT::ImmatureSignature, 'Signature nbf has not been reached') end end def verify_sub return unless (options_sub = extract_option(:sub)) raise( JWT::InvalidSubError, "Invalid subject. Expected #{options_sub}, received #{@payload['sub'] || ''}" ) unless @payload['sub'].to_s == options_sub.to_s end private def extract_option(key) @options.values_at(key.to_sym, key.to_s).compact.first end def leeway extract_option :leeway end end end jwt-1.5.6/lib/jwt/version.rb0000644000004100000410000000070412772730515015755 0ustar www-datawww-data# encoding: utf-8 # frozen_string_literal: true # Moments version builder module module JWT def self.gem_version Gem::Version.new VERSION::STRING end # Moments version builder module module VERSION # major version MAJOR = 1 # minor version MINOR = 5 # tiny version TINY = 6 # alpha, beta, etc. tag PRE = nil # Build version string STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.') end end jwt-1.5.6/lib/jwt/error.rb0000644000004100000410000000101612772730515015416 0ustar www-datawww-data# frozen_string_literal: true module JWT class DecodeError < StandardError; end class VerificationError < DecodeError; end class ExpiredSignature < DecodeError; end class IncorrectAlgorithm < DecodeError; end class ImmatureSignature < DecodeError; end class InvalidIssuerError < DecodeError; end class InvalidIatError < DecodeError; end class InvalidAudError < DecodeError; end class InvalidSubError < DecodeError; end class InvalidJtiError < DecodeError; end class InvalidPayload < DecodeError; end end jwt-1.5.6/.rubocop.yml0000644000004100000410000000004512772730515014641 0ustar www-datawww-dataMetrics/LineLength: Enabled: false jwt-1.5.6/.gitignore0000644000004100000410000000015212772730515014356 0ustar www-datawww-data.idea/ jwt.gemspec pkg Gemfile.lock coverage/ .DS_Store .rbenv-gemsets .ruby-version .vscode/ .bundle bin/jwt-1.5.6/Manifest0000644000004100000410000000014412772730515014060 0ustar www-datawww-dataRakefile README.md LICENSE lib/jwt.rb lib/jwt/json.rb spec/spec_helper.rb spec/jwt_spec.rb Manifest jwt-1.5.6/ruby-jwt.gemspec0000644000004100000410000000210612772730515015517 0ustar www-datawww-datalib = File.expand_path('../lib/', __FILE__) $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib) require 'jwt/version' Gem::Specification.new do |spec| spec.name = 'jwt' spec.version = JWT.gem_version spec.authors = [ 'Jeff Lindsay', 'Tim Rudat' ] spec.email = 'timrudat@gmail.com' spec.summary = 'JSON Web Token implementation in Ruby' spec.description = 'A pure ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.' spec.homepage = 'http://github.com/jwt/ruby-jwt' spec.license = 'MIT' spec.files = `git ls-files -z`.split("\x0") spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) } spec.test_files = spec.files.grep(%r{^(test|spec|features)/}) spec.require_paths = %w(lib) spec.add_development_dependency 'bundler' spec.add_development_dependency 'rake' spec.add_development_dependency 'json', '< 2.0' spec.add_development_dependency 'rspec' spec.add_development_dependency 'simplecov' spec.add_development_dependency 'simplecov-json' spec.add_development_dependency 'codeclimate-test-reporter' end jwt-1.5.6/LICENSE0000644000004100000410000000204012772730515013371 0ustar www-datawww-dataCopyright (c) 2011 Jeff Lindsay Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. jwt-1.5.6/CHANGELOG.md0000644000004100000410000005340712772730515014212 0ustar www-datawww-data# Change Log ## [v1.5.6](https://github.com/jwt/ruby-jwt/tree/v1.5.6) (2016-09-19) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.5...v1.5.6) **Fixed bugs:** - Fix missing symbol handling in aud verify code [\#166](https://github.com/jwt/ruby-jwt/pull/166) ([excpt](https://github.com/excpt)) **Merged pull requests:** - Fix rubocop code smells [\#167](https://github.com/jwt/ruby-jwt/pull/167) ([excpt](https://github.com/excpt)) ## [v1.5.5](https://github.com/jwt/ruby-jwt/tree/v1.5.5) (2016-09-16) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.4...v1.5.5) **Implemented enhancements:** - JWT.decode always raises JWT::ExpiredSignature for tokens created with Time objects passed as the `exp` parameter [\#148](https://github.com/jwt/ruby-jwt/issues/148) **Fixed bugs:** - expiration check does not give "Signature has expired" error for the exact time of expiration [\#157](https://github.com/jwt/ruby-jwt/issues/157) - JTI claim broken? [\#152](https://github.com/jwt/ruby-jwt/issues/152) - Audience Claim broken? [\#151](https://github.com/jwt/ruby-jwt/issues/151) - 1.5.3 breaks compatibility with 1.5.2 [\#133](https://github.com/jwt/ruby-jwt/issues/133) - Version 1.5.3 breaks 1.9.3 compatibility, but not documented as such [\#132](https://github.com/jwt/ruby-jwt/issues/132) - Fix: exp claim check [\#161](https://github.com/jwt/ruby-jwt/pull/161) ([excpt](https://github.com/excpt)) **Closed issues:** - Rendering Json Results in JWT::DecodeError [\#162](https://github.com/jwt/ruby-jwt/issues/162) - PHP Libraries [\#154](https://github.com/jwt/ruby-jwt/issues/154) - \[security\] Signature verified after expiration/sub/iss checks [\#153](https://github.com/jwt/ruby-jwt/issues/153) - Is ruby-jwt thread-safe? [\#150](https://github.com/jwt/ruby-jwt/issues/150) - JWT 1.5.3 [\#143](https://github.com/jwt/ruby-jwt/issues/143) - gem install v 1.5.3 returns error [\#141](https://github.com/jwt/ruby-jwt/issues/141) - Adding a CHANGELOG [\#140](https://github.com/jwt/ruby-jwt/issues/140) **Merged pull requests:** - Bump version [\#165](https://github.com/jwt/ruby-jwt/pull/165) ([excpt](https://github.com/excpt)) - Improve error message for exp claim in payload [\#164](https://github.com/jwt/ruby-jwt/pull/164) ([excpt](https://github.com/excpt)) - Fix \#151 and code refactoring [\#163](https://github.com/jwt/ruby-jwt/pull/163) ([excpt](https://github.com/excpt)) - Signature validation before claim verification [\#160](https://github.com/jwt/ruby-jwt/pull/160) ([excpt](https://github.com/excpt)) - Create specs for README.md examples [\#159](https://github.com/jwt/ruby-jwt/pull/159) ([excpt](https://github.com/excpt)) - Tiny Readme Improvement [\#156](https://github.com/jwt/ruby-jwt/pull/156) ([b264](https://github.com/b264)) - Added test execution to Rakefile [\#147](https://github.com/jwt/ruby-jwt/pull/147) ([jabbrwcky](https://github.com/jabbrwcky)) - Add more bling bling to the site [\#146](https://github.com/jwt/ruby-jwt/pull/146) ([excpt](https://github.com/excpt)) - Bump version [\#145](https://github.com/jwt/ruby-jwt/pull/145) ([excpt](https://github.com/excpt)) - Add first content and basic layout [\#144](https://github.com/jwt/ruby-jwt/pull/144) ([excpt](https://github.com/excpt)) - Add a changelog file [\#142](https://github.com/jwt/ruby-jwt/pull/142) ([excpt](https://github.com/excpt)) - Return decoded\_segments [\#139](https://github.com/jwt/ruby-jwt/pull/139) ([akostrikov](https://github.com/akostrikov)) ## [v1.5.4](https://github.com/jwt/ruby-jwt/tree/v1.5.4) (2016-03-24) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v1.5.3...v1.5.4) **Closed issues:** - 404 at https://rubygems.global.ssl.fastly.net/gems/jwt-1.5.3.gem [\#137](https://github.com/jwt/ruby-jwt/issues/137) **Merged pull requests:** - Update README.md [\#138](https://github.com/jwt/ruby-jwt/pull/138) ([excpt](https://github.com/excpt)) - Fix base64url\_decode [\#136](https://github.com/jwt/ruby-jwt/pull/136) ([excpt](https://github.com/excpt)) - Fix ruby 1.9.3 compatibility [\#135](https://github.com/jwt/ruby-jwt/pull/135) ([excpt](https://github.com/excpt)) - iat can be a float value [\#134](https://github.com/jwt/ruby-jwt/pull/134) ([llimllib](https://github.com/llimllib)) ## [v1.5.3](https://github.com/jwt/ruby-jwt/tree/v1.5.3) (2016-02-24) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.5.2...v1.5.3) **Implemented enhancements:** - Refactor obsolete code for ruby 1.8 support [\#120](https://github.com/jwt/ruby-jwt/issues/120) - Fix "Rubocop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb [\#106](https://github.com/jwt/ruby-jwt/issues/106) - Fix "Rubocop/Metrics/CyclomaticComplexity" issue in lib/jwt.rb [\#105](https://github.com/jwt/ruby-jwt/issues/105) - Allow a proc to be passed for JTI verification [\#126](https://github.com/jwt/ruby-jwt/pull/126) ([yahooguntu](https://github.com/yahooguntu)) - Relax restrictions on "jti" claim verification [\#113](https://github.com/jwt/ruby-jwt/pull/113) ([lwe](https://github.com/lwe)) **Closed issues:** - Verifications not functioning in latest release [\#128](https://github.com/jwt/ruby-jwt/issues/128) - Base64 is generating invalid length base64 strings - cross language interop [\#127](https://github.com/jwt/ruby-jwt/issues/127) - Digest::Digest is deprecated; use Digest [\#119](https://github.com/jwt/ruby-jwt/issues/119) - verify\_rsa no method 'verify' for class String [\#115](https://github.com/jwt/ruby-jwt/issues/115) - Add a changelog [\#111](https://github.com/jwt/ruby-jwt/issues/111) **Merged pull requests:** - Drop ruby 1.9.3 support [\#131](https://github.com/jwt/ruby-jwt/pull/131) ([excpt](https://github.com/excpt)) - Allow string hash keys in validation configurations [\#130](https://github.com/jwt/ruby-jwt/pull/130) ([tpickett66](https://github.com/tpickett66)) - Add ruby 2.3.0 for travis ci testing [\#123](https://github.com/jwt/ruby-jwt/pull/123) ([excpt](https://github.com/excpt)) - Remove obsolete json code [\#122](https://github.com/jwt/ruby-jwt/pull/122) ([excpt](https://github.com/excpt)) - Add fancy badges to README.md [\#118](https://github.com/jwt/ruby-jwt/pull/118) ([excpt](https://github.com/excpt)) - Refactor decode and verify functionality [\#117](https://github.com/jwt/ruby-jwt/pull/117) ([excpt](https://github.com/excpt)) - Drop echoe dependency for gem releases [\#116](https://github.com/jwt/ruby-jwt/pull/116) ([excpt](https://github.com/excpt)) - Updated readme for iss/aud options [\#114](https://github.com/jwt/ruby-jwt/pull/114) ([ryanmcilmoyl](https://github.com/ryanmcilmoyl)) - Fix error misspelling [\#112](https://github.com/jwt/ruby-jwt/pull/112) ([kat3kasper](https://github.com/kat3kasper)) ## [jwt-1.5.2](https://github.com/jwt/ruby-jwt/tree/jwt-1.5.2) (2015-10-27) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.5.1...jwt-1.5.2) **Implemented enhancements:** - Must we specify algorithm when calling decode to avoid vulnerabilities? [\#107](https://github.com/jwt/ruby-jwt/issues/107) - Code review: Rspec test refactoring [\#85](https://github.com/jwt/ruby-jwt/pull/85) ([excpt](https://github.com/excpt)) **Fixed bugs:** - aud verifies if aud is passed in, :sub does not [\#102](https://github.com/jwt/ruby-jwt/issues/102) - iat check does not use leeway so nbf could pass, but iat fail [\#83](https://github.com/jwt/ruby-jwt/issues/83) **Closed issues:** - Test ticket from Code Climate [\#104](https://github.com/jwt/ruby-jwt/issues/104) - Test ticket from Code Climate [\#100](https://github.com/jwt/ruby-jwt/issues/100) - Is it possible to decode the payload without validating the signature? [\#97](https://github.com/jwt/ruby-jwt/issues/97) - What is audience? [\#96](https://github.com/jwt/ruby-jwt/issues/96) - Options hash uses both symbols and strings as keys. [\#95](https://github.com/jwt/ruby-jwt/issues/95) **Merged pull requests:** - Fix incorrect `iat` examples [\#109](https://github.com/jwt/ruby-jwt/pull/109) ([kjwierenga](https://github.com/kjwierenga)) - Update docs to include instructions for the algorithm parameter. [\#108](https://github.com/jwt/ruby-jwt/pull/108) ([aarongray](https://github.com/aarongray)) - make sure :sub check behaves like :aud check [\#103](https://github.com/jwt/ruby-jwt/pull/103) ([skippy](https://github.com/skippy)) - Change hash syntax [\#101](https://github.com/jwt/ruby-jwt/pull/101) ([excpt](https://github.com/excpt)) - Include LICENSE and README.md in gem [\#99](https://github.com/jwt/ruby-jwt/pull/99) ([bkeepers](https://github.com/bkeepers)) - Remove unused variable in the sample code. [\#98](https://github.com/jwt/ruby-jwt/pull/98) ([hypermkt](https://github.com/hypermkt)) - Fix iat claim example [\#94](https://github.com/jwt/ruby-jwt/pull/94) ([larrylv](https://github.com/larrylv)) - Fix wrong description in README.md [\#93](https://github.com/jwt/ruby-jwt/pull/93) ([larrylv](https://github.com/larrylv)) - JWT and JWA are now RFC. [\#92](https://github.com/jwt/ruby-jwt/pull/92) ([aj-michael](https://github.com/aj-michael)) - Update README.md [\#91](https://github.com/jwt/ruby-jwt/pull/91) ([nsarno](https://github.com/nsarno)) - Fix missing verify parameter in docs [\#90](https://github.com/jwt/ruby-jwt/pull/90) ([ernie](https://github.com/ernie)) - Iat check uses leeway. [\#89](https://github.com/jwt/ruby-jwt/pull/89) ([aj-michael](https://github.com/aj-michael)) - nbf check allows exact time matches. [\#88](https://github.com/jwt/ruby-jwt/pull/88) ([aj-michael](https://github.com/aj-michael)) ## [jwt-1.5.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.5.1) (2015-06-22) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.5.0...jwt-1.5.1) **Implemented enhancements:** - Fix either README or source code [\#78](https://github.com/jwt/ruby-jwt/issues/78) - Validate against draft 20 [\#38](https://github.com/jwt/ruby-jwt/issues/38) **Fixed bugs:** - ECDSA signature verification fails for valid tokens [\#84](https://github.com/jwt/ruby-jwt/issues/84) - Shouldn't verification of additional claims, like iss, aud etc. be enforced when in options? [\#81](https://github.com/jwt/ruby-jwt/issues/81) - Fix either README or source code [\#78](https://github.com/jwt/ruby-jwt/issues/78) - decode fails with 'none' algorithm and verify [\#75](https://github.com/jwt/ruby-jwt/issues/75) **Closed issues:** - Doc mismatch: uninitialized constant JWT::ExpiredSignature [\#79](https://github.com/jwt/ruby-jwt/issues/79) - TypeError when specifying a wrong algorithm [\#77](https://github.com/jwt/ruby-jwt/issues/77) - jti verification doesn't prevent replays [\#73](https://github.com/jwt/ruby-jwt/issues/73) **Merged pull requests:** - Correctly sign ECDSA JWTs [\#87](https://github.com/jwt/ruby-jwt/pull/87) ([jurriaan](https://github.com/jurriaan)) - fixed results of decoded tokens in readme [\#86](https://github.com/jwt/ruby-jwt/pull/86) ([piscolomo](https://github.com/piscolomo)) - Force verification of "iss" and "aud" claims [\#82](https://github.com/jwt/ruby-jwt/pull/82) ([lwe](https://github.com/lwe)) ## [jwt-1.5.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.5.0) (2015-05-09) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.4.1...jwt-1.5.0) **Implemented enhancements:** - Needs to support asymmetric key signatures over shared secrets [\#46](https://github.com/jwt/ruby-jwt/issues/46) - Implement Elliptic Curve Crypto Signatures [\#74](https://github.com/jwt/ruby-jwt/pull/74) ([jtdowney](https://github.com/jtdowney)) - Add an option to verify the signature on decode [\#71](https://github.com/jwt/ruby-jwt/pull/71) ([javawizard](https://github.com/javawizard)) **Closed issues:** - Check JWT vulnerability [\#76](https://github.com/jwt/ruby-jwt/issues/76) **Merged pull requests:** - Fixed some examples to make them copy-pastable [\#72](https://github.com/jwt/ruby-jwt/pull/72) ([jer](https://github.com/jer)) ## [jwt-1.4.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.4.1) (2015-03-12) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.4.0...jwt-1.4.1) **Fixed bugs:** - jti verification not working per the spec [\#68](https://github.com/jwt/ruby-jwt/issues/68) - Verify ISS should be off by default [\#66](https://github.com/jwt/ruby-jwt/issues/66) **Merged pull requests:** - Fix \#66 \#68 [\#69](https://github.com/jwt/ruby-jwt/pull/69) ([excpt](https://github.com/excpt)) - When throwing errors, mention expected/received values [\#65](https://github.com/jwt/ruby-jwt/pull/65) ([rolodato](https://github.com/rolodato)) ## [jwt-1.4.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.4.0) (2015-03-10) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.3.0...jwt-1.4.0) **Closed issues:** - The behavior using 'json' differs from 'multi\_json' [\#41](https://github.com/jwt/ruby-jwt/issues/41) **Merged pull requests:** - Release 1.4.0 [\#64](https://github.com/jwt/ruby-jwt/pull/64) ([excpt](https://github.com/excpt)) - Update README.md and remove dead code [\#63](https://github.com/jwt/ruby-jwt/pull/63) ([excpt](https://github.com/excpt)) - Add 'iat/ aud/ sub/ jti' support for ruby-jwt [\#62](https://github.com/jwt/ruby-jwt/pull/62) ([ZhangHanDong](https://github.com/ZhangHanDong)) - Add 'iss' support for ruby-jwt [\#61](https://github.com/jwt/ruby-jwt/pull/61) ([ZhangHanDong](https://github.com/ZhangHanDong)) - Clarify .encode API in README [\#60](https://github.com/jwt/ruby-jwt/pull/60) ([jbodah](https://github.com/jbodah)) ## [jwt-1.3.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.3.0) (2015-02-24) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.2.1...jwt-1.3.0) **Closed issues:** - Signature Verification to Return Verification Error rather than decode error [\#57](https://github.com/jwt/ruby-jwt/issues/57) - Incorrect readme for leeway [\#55](https://github.com/jwt/ruby-jwt/issues/55) - What is the reason behind stripping the = in base64 encoding? [\#54](https://github.com/jwt/ruby-jwt/issues/54) - Preperations for version 2.x [\#50](https://github.com/jwt/ruby-jwt/issues/50) - Release a new version [\#47](https://github.com/jwt/ruby-jwt/issues/47) - Catch up for ActiveWhatever 4.1.1 series [\#40](https://github.com/jwt/ruby-jwt/issues/40) **Merged pull requests:** - raise verification error for signiture verification [\#58](https://github.com/jwt/ruby-jwt/pull/58) ([punkle](https://github.com/punkle)) - Added support for not before claim verification [\#56](https://github.com/jwt/ruby-jwt/pull/56) ([punkle](https://github.com/punkle)) - Preperations for version 2.x [\#49](https://github.com/jwt/ruby-jwt/pull/49) ([excpt](https://github.com/excpt)) ## [jwt-1.2.1](https://github.com/jwt/ruby-jwt/tree/jwt-1.2.1) (2015-01-22) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.2.0...jwt-1.2.1) **Closed issues:** - JWT.encode\({"exp": 10}, "secret"\) [\#52](https://github.com/jwt/ruby-jwt/issues/52) - JWT.encode\({"exp": 10}, "secret"\) [\#51](https://github.com/jwt/ruby-jwt/issues/51) **Merged pull requests:** - Accept expiration claims as string [\#53](https://github.com/jwt/ruby-jwt/pull/53) ([yarmand](https://github.com/yarmand)) ## [jwt-1.2.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.2.0) (2014-11-24) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.13...jwt-1.2.0) **Closed issues:** - set token to expire [\#42](https://github.com/jwt/ruby-jwt/issues/42) **Merged pull requests:** - Added support for `exp` claim [\#45](https://github.com/jwt/ruby-jwt/pull/45) ([zshannon](https://github.com/zshannon)) - rspec 3 breaks passing tests [\#44](https://github.com/jwt/ruby-jwt/pull/44) ([zshannon](https://github.com/zshannon)) ## [jwt-0.1.13](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.13) (2014-05-08) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-1.0.0...jwt-0.1.13) **Closed issues:** - yanking of version 0.1.12 causes issues [\#39](https://github.com/jwt/ruby-jwt/issues/39) - Semantic versioning [\#37](https://github.com/jwt/ruby-jwt/issues/37) - Update gem to get latest changes [\#36](https://github.com/jwt/ruby-jwt/issues/36) ## [jwt-1.0.0](https://github.com/jwt/ruby-jwt/tree/jwt-1.0.0) (2014-05-07) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.11...jwt-1.0.0) **Closed issues:** - API request - JWT::decoded\_header\(\) [\#26](https://github.com/jwt/ruby-jwt/issues/26) **Merged pull requests:** - return header along with playload after decoding [\#35](https://github.com/jwt/ruby-jwt/pull/35) ([sawyerzhang](https://github.com/sawyerzhang)) - Raise JWT::DecodeError on nil token [\#34](https://github.com/jwt/ruby-jwt/pull/34) ([tjmw](https://github.com/tjmw)) - Make MultiJson optional for Ruby 1.9+ [\#33](https://github.com/jwt/ruby-jwt/pull/33) ([petergoldstein](https://github.com/petergoldstein)) - Allow access to header and payload without signature verification [\#32](https://github.com/jwt/ruby-jwt/pull/32) ([petergoldstein](https://github.com/petergoldstein)) - Update specs to use RSpec 3.0.x syntax [\#31](https://github.com/jwt/ruby-jwt/pull/31) ([petergoldstein](https://github.com/petergoldstein)) - Travis - Add Ruby 2.0.0, 2.1.0, Rubinius [\#30](https://github.com/jwt/ruby-jwt/pull/30) ([petergoldstein](https://github.com/petergoldstein)) ## [jwt-0.1.11](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.11) (2014-01-17) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.10...jwt-0.1.11) **Closed issues:** - url safe encode and decode [\#28](https://github.com/jwt/ruby-jwt/issues/28) - Release [\#27](https://github.com/jwt/ruby-jwt/issues/27) **Merged pull requests:** - fixed urlsafe base64 encoding [\#29](https://github.com/jwt/ruby-jwt/pull/29) ([tobscher](https://github.com/tobscher)) ## [jwt-0.1.10](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.10) (2014-01-10) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.8...jwt-0.1.10) **Closed issues:** - change to signature of JWT.decode method [\#14](https://github.com/jwt/ruby-jwt/issues/14) **Merged pull requests:** - Fix warning: assigned but unused variable - e [\#25](https://github.com/jwt/ruby-jwt/pull/25) ([sferik](https://github.com/sferik)) - Echoe doesn't define a license= method [\#24](https://github.com/jwt/ruby-jwt/pull/24) ([sferik](https://github.com/sferik)) - Use OpenSSL::Digest instead of deprecated OpenSSL::Digest::Digest [\#23](https://github.com/jwt/ruby-jwt/pull/23) ([JuanitoFatas](https://github.com/JuanitoFatas)) - Handle some invalid JWTs [\#22](https://github.com/jwt/ruby-jwt/pull/22) ([steved](https://github.com/steved)) - Add MIT license to gemspec [\#21](https://github.com/jwt/ruby-jwt/pull/21) ([nycvotes-dev](https://github.com/nycvotes-dev)) - Tweaks and improvements [\#20](https://github.com/jwt/ruby-jwt/pull/20) ([threedaymonk](https://github.com/threedaymonk)) - Don't leave errors in OpenSSL.errors when there is a decoding error. [\#19](https://github.com/jwt/ruby-jwt/pull/19) ([lowellk](https://github.com/lowellk)) ## [jwt-0.1.8](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.8) (2013-03-14) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.7...jwt-0.1.8) **Merged pull requests:** - Contrib and update [\#18](https://github.com/jwt/ruby-jwt/pull/18) ([threedaymonk](https://github.com/threedaymonk)) - Verify if verify is truthy \(not just true\) [\#17](https://github.com/jwt/ruby-jwt/pull/17) ([threedaymonk](https://github.com/threedaymonk)) ## [jwt-0.1.7](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.7) (2013-03-07) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.6...jwt-0.1.7) **Merged pull requests:** - Catch MultiJson::LoadError and reraise as JWT::DecodeError [\#16](https://github.com/jwt/ruby-jwt/pull/16) ([rwygand](https://github.com/rwygand)) ## [jwt-0.1.6](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.6) (2013-03-05) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.5...jwt-0.1.6) **Merged pull requests:** - Fixes a theoretical timing attack [\#15](https://github.com/jwt/ruby-jwt/pull/15) ([mgates](https://github.com/mgates)) - Use StandardError as parent for DecodeError [\#13](https://github.com/jwt/ruby-jwt/pull/13) ([Oscil8](https://github.com/Oscil8)) ## [jwt-0.1.5](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.5) (2012-07-20) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.4...jwt-0.1.5) **Closed issues:** - Unable to specify signature header fields [\#7](https://github.com/jwt/ruby-jwt/issues/7) **Merged pull requests:** - MultiJson dependency uses ~\> but should be \>= [\#12](https://github.com/jwt/ruby-jwt/pull/12) ([sporkmonger](https://github.com/sporkmonger)) - Oops. :-\) [\#11](https://github.com/jwt/ruby-jwt/pull/11) ([sporkmonger](https://github.com/sporkmonger)) - Fix issue with signature verification in JRuby [\#10](https://github.com/jwt/ruby-jwt/pull/10) ([sporkmonger](https://github.com/sporkmonger)) - Depend on MultiJson [\#9](https://github.com/jwt/ruby-jwt/pull/9) ([lautis](https://github.com/lautis)) - Allow for custom headers on encode and decode [\#8](https://github.com/jwt/ruby-jwt/pull/8) ([dgrijalva](https://github.com/dgrijalva)) - Missing development dependency for echoe gem. [\#6](https://github.com/jwt/ruby-jwt/pull/6) ([sporkmonger](https://github.com/sporkmonger)) ## [jwt-0.1.4](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.4) (2011-11-11) [Full Changelog](https://github.com/jwt/ruby-jwt/compare/jwt-0.1.3...jwt-0.1.4) **Merged pull requests:** - Fix for RSA verification [\#5](https://github.com/jwt/ruby-jwt/pull/5) ([jordan-brough](https://github.com/jordan-brough)) ## [jwt-0.1.3](https://github.com/jwt/ruby-jwt/tree/jwt-0.1.3) (2011-06-30) **Closed issues:** - signatures calculated incorrectly \(hexdigest instead of digest\) [\#1](https://github.com/jwt/ruby-jwt/issues/1) **Merged pull requests:** - Bumped a version and added a .gemspec using rake build\_gemspec [\#3](https://github.com/jwt/ruby-jwt/pull/3) ([zhitomirskiyi](https://github.com/zhitomirskiyi)) - Added RSA support [\#2](https://github.com/jwt/ruby-jwt/pull/2) ([zhitomirskiyi](https://github.com/zhitomirskiyi)) \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*jwt-1.5.6/.codeclimate.yml0000644000004100000410000000036612772730515015447 0ustar www-datawww-dataengines: rubocop: enabled: true golint: enabled: false gofmt: enabled: false eslint: enabled: false csslint: enabled: false ratings: paths: - lib/** - "**.rb" exclude_paths: - spec/**/* - vendor/**/* jwt-1.5.6/README.md0000644000004100000410000003552412772730515013660 0ustar www-datawww-data# JWT [![Build Status](https://travis-ci.org/jwt/ruby-jwt.svg)](https://travis-ci.org/jwt/ruby-jwt) [![Code Climate](https://codeclimate.com/github/jwt/ruby-jwt/badges/gpa.svg)](https://codeclimate.com/github/jwt/ruby-jwt) [![Test Coverage](https://codeclimate.com/github/jwt/ruby-jwt/badges/coverage.svg)](https://codeclimate.com/github/jwt/ruby-jwt/coverage) [![Issue Count](https://codeclimate.com/github/jwt/ruby-jwt/badges/issue_count.svg)](https://codeclimate.com/github/jwt/ruby-jwt) A pure ruby implementation of the [RFC 7519 OAuth JSON Web Token (JWT)](https://tools.ietf.org/html/rfc7519) standard. If you have further questions releated to development or usage, join us: [ruby-jwt google group](https://groups.google.com/forum/#!forum/ruby-jwt). ## Announcements * Ruby 1.9.3 support will be dropped by December 31st, 2016. * Version 1.5.3 yanked. See: [#132](https://github.com/jwt/ruby-jwt/issues/132) and [#133](https://github.com/jwt/ruby-jwt/issues/133) ## Installing ### Using Rubygems: ```bash sudo gem install jwt ``` ### Using Bundler: Add the following to your Gemfile ``` gem 'jwt' ``` And run `bundle install` ## Algorithms and Usage The JWT spec supports NONE, HMAC, RSASSA, ECDSA and RSASSA-PSS algorithms for cryptographic signing. Currently the jwt gem supports NONE, HMAC, RSASSA and ECDSA. If you are using cryptographic signing, you need to specify the algorithm in the options hash whenever you call JWT.decode to ensure that an attacker [cannot bypass the algorithm verification step](https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/). See: [ JSON Web Algorithms (JWA) 3.1. "alg" (Algorithm) Header Parameter Values for JWS](https://tools.ietf.org/html/rfc7518#section-3.1) **NONE** * none - unsigned token ```ruby require 'jwt' payload = {:data => 'test'} # IMPORTANT: set nil as password parameter token = JWT.encode payload, nil, 'none' # eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJkYXRhIjoidGVzdCJ9. puts token # Set password to nil and validation to false otherwise this won't work decoded_token = JWT.decode token, nil, false # Array # [ # {"data"=>"test"}, # payload # {"typ"=>"JWT", "alg"=>"none"} # header # ] puts decoded_token ``` **HMAC** (default: HS256) * HS256 - HMAC using SHA-256 hash algorithm (default) * HS384 - HMAC using SHA-384 hash algorithm * HS512 - HMAC using SHA-512 hash algorithm ```ruby hmac_secret = 'my$ecretK3y' token = JWT.encode payload, hmac_secret, 'HS256' # eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoidGVzdCJ9.ZxW8go9hz3ETCSfxFxpwSkYg_602gOPKearsf6DsxgY puts token decoded_token = JWT.decode token, hmac_secret, true, { :algorithm => 'HS256' } # Array # [ # {"data"=>"test"}, # payload # {"typ"=>"JWT", "alg"=>"HS256"} # header # ] puts decoded_token ``` **RSA** * RS256 - RSA using SHA-256 hash algorithm * RS384 - RSA using SHA-384 hash algorithm * RS512 - RSA using SHA-512 hash algorithm ```ruby rsa_private = OpenSSL::PKey::RSA.generate 2048 rsa_public = rsa_private.public_key token = JWT.encode payload, rsa_private, 'RS256' # eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJ0ZXN0IjoiZGF0YSJ9.c2FynXNyi6_PeKxrDGxfS3OLwQ8lTDbWBWdq7oMviCy2ZfFpzvW2E_odCWJrbLof-eplHCsKzW7MGAntHMALXgclm_Cs9i2Exi6BZHzpr9suYkrhIjwqV1tCgMBCQpdeMwIq6SyKVjgH3L51ivIt0-GDDPDH1Rcut3jRQzp3Q35bg3tcI2iVg7t3Msvl9QrxXAdYNFiS5KXH22aJZ8X_O2HgqVYBXfSB1ygTYUmKTIIyLbntPQ7R22rFko1knGWOgQCoYXwbtpuKRZVFrxX958L2gUWgb4jEQNf3fhOtkBm1mJpj-7BGst00o8g_3P2zHy-3aKgpPo1XlKQGjRrrxA puts token decoded_token = JWT.decode token, rsa_public, true, { :algorithm => 'RS256' } # Array # [ # {"data"=>"test"}, # payload # {"typ"=>"JWT", "alg"=>"RS256"} # header # ] puts decoded_token ``` **ECDSA** * ES256 - ECDSA using P-256 and SHA-256 * ES384 - ECDSA using P-384 and SHA-384 * ES512 - ECDSA using P-521 and SHA-512 ```ruby ecdsa_key = OpenSSL::PKey::EC.new 'prime256v1' ecdsa_key.generate_key ecdsa_public = OpenSSL::PKey::EC.new ecdsa_key ecdsa_public.private_key = nil token = JWT.encode payload, ecdsa_key, 'ES256' # eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJ0ZXN0IjoiZGF0YSJ9.MEQCIAtShrxRwP1L9SapqaT4f7hajDJH4t_rfm-YlZcNDsBNAiB64M4-JRfyS8nRMlywtQ9lHbvvec9U54KznzOe1YxTyA puts token decoded_token = JWT.decode token, ecdsa_public, true, { :algorithm => 'ES256' } # Array # [ # {"test"=>"data"}, # payload # {"typ"=>"JWT", "alg"=>"ES256"} # header # ] puts decoded_token ``` **RSASSA-PSS** Not implemented. ## Support for reserved claim names JSON Web Token defines some reserved claim names and defines how they should be used. JWT supports these reserved claim names: - 'exp' (Expiration Time) Claim - 'nbf' (Not Before Time) Claim - 'iss' (Issuer) Claim - 'aud' (Audience) Claim - 'jti' (JWT ID) Claim - 'iat' (Issued At) Claim - 'sub' (Subject) Claim ### Expiration Time Claim From [Oauth JSON Web Token 4.1.4. "exp" (Expiration Time) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.4): > The `exp` (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the `exp` claim requires that the current date/time MUST be before the expiration date/time listed in the `exp` claim. Implementers MAY provide for some small `leeway`, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a ***NumericDate*** value. Use of this claim is OPTIONAL. **Handle Expiration Claim** ```ruby exp = Time.now.to_i + 4 * 3600 exp_payload = { :data => 'data', :exp => exp } token = JWT.encode exp_payload, hmac_secret, 'HS256' begin decoded_token = JWT.decode token, hmac_secret, true, { :algorithm => 'HS256' } rescue JWT::ExpiredSignature # Handle expired token, e.g. logout user or deny access end ``` **Adding Leeway** ```ruby exp = Time.now.to_i - 10 leeway = 30 # seconds exp_payload = { :data => 'data', :exp => exp } # build expired token token = JWT.encode exp_payload, hmac_secret, 'HS256' begin # add leeway to ensure the token is still accepted decoded_token = JWT.decode token, hmac_secret, true, { :leeway => leeway, :algorithm => 'HS256' } rescue JWT::ExpiredSignature # Handle expired token, e.g. logout user or deny access end ``` ### Not Before Time Claim From [Oauth JSON Web Token 4.1.5. "nbf" (Not Before) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.5): > The `nbf` (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the `nbf` claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the `nbf` claim. Implementers MAY provide for some small `leeway`, usually no more than a few minutes, to account for clock skew. Its value MUST be a number containing a ***NumericDate*** value. Use of this claim is OPTIONAL. **Handle Not Before Claim** ```ruby nbf = Time.now.to_i - 3600 nbf_payload = { :data => 'data', :nbf => nbf } token = JWT.encode nbf_payload, hmac_secret, 'HS256' begin decoded_token = JWT.decode token, hmac_secret, true, { :algorithm => 'HS256' } rescue JWT::ImmatureSignature # Handle invalid token, e.g. logout user or deny access end ``` **Adding Leeway** ```ruby nbf = Time.now.to_i + 10 leeway = 30 nbf_payload = { :data => 'data', :nbf => nbf } # build expired token token = JWT.encode nbf_payload, hmac_secret, 'HS256' begin # add leeway to ensure the token is valid decoded_token = JWT.decode token, hmac_secret, true, { :leeway => leeway, :algorithm => 'HS256' } rescue JWT::ImmatureSignature # Handle invalid token, e.g. logout user or deny access end ``` ### Issuer Claim From [Oauth JSON Web Token 4.1.1. "iss" (Issuer) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.1): > The `iss` (issuer) claim identifies the principal that issued the JWT. The processing of this claim is generally application specific. The `iss` value is a case-sensitive string containing a ***StringOrURI*** value. Use of this claim is OPTIONAL. ```ruby iss = 'My Awesome Company Inc. or https://my.awesome.website/' iss_payload = { :data => 'data', :iss => iss } token = JWT.encode iss_payload, hmac_secret, 'HS256' begin # Add iss to the validation to check if the token has been manipulated decoded_token = JWT.decode token, hmac_secret, true, { :iss => iss, :verify_iss => true, :algorithm => 'HS256' } rescue JWT::InvalidIssuerError # Handle invalid token, e.g. logout user or deny access end ``` ### Audience Claim From [Oauth JSON Web Token 4.1.3. "aud" (Audience) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.3): > The `aud` (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the `aud` claim when this claim is present, then the JWT MUST be rejected. In the general case, the `aud` value is an array of case-sensitive strings, each containing a ***StringOrURI*** value. In the special case when the JWT has one audience, the `aud` value MAY be a single case-sensitive string containing a ***StringOrURI*** value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL. ```ruby aud = ['Young', 'Old'] aud_payload = { :data => 'data', :aud => aud } token = JWT.encode aud_payload, hmac_secret, 'HS256' begin # Add aud to the validation to check if the token has been manipulated decoded_token = JWT.decode token, hmac_secret, true, { :aud => aud, :verify_aud => true, :algorithm => 'HS256' } rescue JWT::InvalidAudError # Handle invalid token, e.g. logout user or deny access puts 'Audience Error' end ``` ### JWT ID Claim From [Oauth JSON Web Token 4.1.7. "jti" (JWT ID) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.7): > The `jti` (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well. The `jti` claim can be used to prevent the JWT from being replayed. The `jti` value is a case-sensitive string. Use of this claim is OPTIONAL. ```ruby # Use the secret and iat to create a unique key per request to prevent replay attacks jti_raw = [hmac_secret, iat].join(':').to_s jti = Digest::MD5.hexdigest(jti_raw) jti_payload = { :data => 'data', :iat => iat, :jti => jti } token = JWT.encode jti_payload, hmac_secret, 'HS256' begin # If :verify_jti is true, validation will pass if a JTI is present #decoded_token = JWT.decode token, hmac_secret, true, { :verify_jti => true, :algorithm => 'HS256' } # Alternatively, pass a proc with your own code to check if the JTI has already been used decoded_token = JWT.decode token, hmac_secret, true, { :verify_jti => proc { |jti| my_validation_method(jti) }, :algorithm => 'HS256' } rescue JWT::InvalidJtiError # Handle invalid token, e.g. logout user or deny access puts 'Error' end ``` ### Issued At Claim From [Oauth JSON Web Token 4.1.6. "iat" (Issued At) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.6): > The `iat` (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a ***NumericDate*** value. Use of this claim is OPTIONAL. ```ruby iat = Time.now.to_i iat_payload = { :data => 'data', :iat => iat } token = JWT.encode iat_payload, hmac_secret, 'HS256' begin # Add iat to the validation to check if the token has been manipulated decoded_token = JWT.decode token, hmac_secret, true, { :verify_iat => true, :algorithm => 'HS256' } rescue JWT::InvalidIatError # Handle invalid token, e.g. logout user or deny access end ``` ### Subject Claim From [Oauth JSON Web Token 4.1.2. "sub" (Subject) Claim](https://tools.ietf.org/html/rfc7519#section-4.1.2): > The `sub` (subject) claim identifies the principal that is the subject of the JWT. The Claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The sub value is a case-sensitive string containing a ***StringOrURI*** value. Use of this claim is OPTIONAL. ```ruby sub = 'Subject' sub_payload = { :data => 'data', :sub => sub } token = JWT.encode sub_payload, hmac_secret, 'HS256' begin # Add sub to the validation to check if the token has been manipulated decoded_token = JWT.decode token, hmac_secret, true, { 'sub' => sub, :verify_sub => true, :algorithm => 'HS256' } rescue JWT::InvalidSubError # Handle invalid token, e.g. logout user or deny access end ``` # Development and Tests We depend on [Bundler](http://rubygems.org/gems/bundler) for defining gemspec and performing releases to rubygems.org, which can be done with ```bash rake release ``` The tests are written with rspec. Given you have installed the dependencies via bundler, you can run tests with ```bash bundle exec rspec ``` **If you want a release cut with your PR, please include a version bump according to [Semantic Versioning](http://semver.org/)** ## Contributors * Jordan Brough * Ilya Zhitomirskiy * Daniel Grippi * Jeff Lindsay * Bob Aman * Micah Gates * Rob Wygand * Ariel Salomon (Oscil8) * Paul Battley * Zane Shannon [@zshannon](https://github.com/zshannon) * Brian Fletcher [@punkle](https://github.com/punkle) * Alex [@ZhangHanDong](https://github.com/ZhangHanDong) * John Downey [@jtdowney](https://github.com/jtdowney) * Adam Greene [@skippy](https://github.com/skippy) * Tim Rudat [@excpt](https://github.com/excpt) - Maintainer ## License MIT Copyright (c) 2011 Jeff Lindsay Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.