Handle invalid algorithm when decoding JWT
nataliastanko authored and anakinj committed May 2, 2023
1 parent cd75890 commit 62f5fdb
Showing 3 changed files with 10 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.md
@@ -12,6 +12,7 @@

**Fixes and enhancements:**

- Handle invalid algorithm when decoding JWT [#559](https://github.com/jwt/ruby-jwt/pull/559) - [@nataliastanko](https://github.com/nataliastanko)
- Your contribution here

## [v2.7.0](https://github.com/jwt/ruby-jwt/tree/v2.7.0) (2023-02-01)
2 changes: 1 addition & 1 deletion lib/jwt/algos/algo_wrapper.rb
@@ -11,7 +11,7 @@ def initialize(alg, cls)
end

def valid_alg?(alg_to_check)
alg.casecmp(alg_to_check)&.zero? == true
alg&.casecmp(alg_to_check)&.zero? == true
end

def sign(data:, signing_key:)
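Review bot: the `&.` in `alg&.casecmp(alg_to_check)&.zero? == true` fixes the symptom (a `NoMethodError` on `nil.casecmp`) but leaves the cause in place: `AlgoWrapper` can be constructed with `alg == nil`, presumably for an algorithm name the library does not recognise, and the other methods in this class (`sign(data:, signing_key:)` right below, and whatever `verify` does with `cls`) get no equivalent guard. Consider either rejecting a nil `alg` in `initialize(alg, cls)` or documenting that a nil `alg` means "unsupported", so the next caller does not hit the same class of error; a unit spec on `valid_alg?` with a nil `alg` (rather than only the end-to-end `JWT.decode` spec in this commit) would pin the new contract down. Note that the existing `&.zero?` already covers `casecmp` returning nil for a non-String `alg_to_check`, so the trailing `== true` is only there to coerce nil to false; a short comment saying so would stop the next reader from simplifying it away.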
8 changes: 8 additions & 0 deletions spec/jwt_spec.rb
@@ -838,6 +838,14 @@
end
end

context 'when the alg is invalid' do
let(:token) { 'eyJhbGciOiJIUzI1NiJ9.eyJwYXkiOiJsb2FkIn0.ZpAhTTtuo-CmbgT6-95NaM_wFckKeyI157baZ29H41o' }

it 'raises JWT::IncorrectAlgorithm error' do
expect { JWT.decode(token, 'secret', true, algorithm: 'invalid-HS256') }.to raise_error(JWT::IncorrectAlgorithm, 'Expected a different algorithm')
end
end

context 'when algorithm is a custom class' do
let(:custom_algorithm) do
Class.new do
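Review bot: the new context covers one path only: a single unrecognised name (`algorithm: 'invalid-HS256'`) against a token whose header says `HS256`, asserting `JWT::IncorrectAlgorithm, 'Expected a different algorithm'`. Since the same `AlgoWrapper` is used for signing (it has `sign(data:, signing_key:)`), please add the matching case for `JWT.encode` with an invalid algorithm name, and a decode case where the `algorithm:` option is an array mixing a valid and an invalid name, to show whether the invalid entry is ignored or rejects the whole list. A one-line comment decoding the hardcoded token (`{"alg":"HS256"}` / `{"pay":"load"}`) would also make it clear to the next reader that the mismatch under test is between the caller-supplied name and the wrapper, not an attacker-controlled header.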