Merge pull request #113 from lwe/lwe-jti-validation-fix
Relax restrictions on "jti" claim verification
aj-michael committed Oct 30, 2015
2 parents 27c7412 + 320306b commit 6c84213
Showing 2 changed files with 7 additions and 15 deletions.
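--- a/lib/jwt.rb
+++ b/lib/jwt.rb
@@ -179,9 +179,8 @@ def decode(jwt, key = nil, verify = true, options = {}, &keyfinder)
 if options[:verify_sub] && options.include?(:sub)
 fail(JWT::InvalidSubError, "Invalid subject. Expected #{options[:sub]}, received #{payload['sub'] || '<none>'}") unless payload['sub'].to_s == options[:sub].to_s
 end
-if options[:verify_jti] && payload.include?('jti')
-fail(JWT::InvalidJtiError, 'need iat for verify jwt id') unless payload.include?('iat')
-fail(JWT::InvalidJtiError, 'Not a uniq jwt id') unless options[:jti].to_s == Digest::MD5.hexdigest("#{key}:#{payload['iat']}")
+if options[:verify_jti]
+fail(JWT::InvalidJtiError, 'Missing jti') if payload['jti'].to_s == ''
 end
 
 [payload, header]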
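Review bot: The new `if options[:verify_jti]` branch silently drops any comparison against `options[:jti]`, so a caller that still passes `jti:` gets only a presence check and no signal that its expected value is never consulted. Presence alone is also no defence against token replay, which is what a jti (a unique token identifier the verifier is expected to remember) exists for, and nothing in the hunk documents that the contract has shrunk to "non-empty jti present". I would keep the optional comparison, `fail(JWT::InvalidJtiError, 'Invalid jti') if options[:jti] && payload['jti'].to_s != options[:jti].to_s`, and put a comment above the branch: `# verify_jti only checks that a non-empty jti is present; replay protection (remembering seen ids) is the caller's job`. `decode` starts and ends outside the hunk, so the option defaults are not visible here.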
17 changes: 5 additions & 12 deletions spec/jwt_spec.rb
Expand Up @@ -359,27 +359,21 @@

context 'jwt id claim' do
let :jti do
new_payload = payload.merge('iat' => Time.now.to_i)
key = data[:secret]
new_payload.merge('jti' => Digest::MD5.hexdigest("#{key}:#{new_payload['iat']}"))
payload.merge('jti' => 'some-random-uuid-or-whatever')
end

let(:token) { JWT.encode jti, data[:secret] }
let(:invalid_token) { JWT.encode payload, data[:secret] }

let :invalid_token do
jti.delete('iat')
JWT.encode jti, data[:secret]
end

it 'invalid jti should raise JWT::InvalidJtiError' do
it 'missing jti should raise JWT::InvalidJtiError' do
expect do
JWT.decode invalid_token, data[:secret], true, :verify_jti => true, 'jti' => jti['jti']
JWT.decode invalid_token, data[:secret], true, verify_jti: true
end.to raise_error JWT::InvalidJtiError
end

it 'valid jti should not raise JWT::InvalidJtiError' do
expect do
JWT.decode token, data[:secret], true, verify_jti: true, jti: jti['jti']
JWT.decode token, data[:secret], true, verify_jti: true
end.to_not raise_error
end
end
Expand Down Expand Up @@ -408,5 +402,4 @@
expect(JWT.secure_compare('Foo', 'Bar')).to eq false
end
end

end
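Review bot: The rewritten `context 'jwt id claim'` examples cover only an absent jti, while the new `verify_jti` check in lib/jwt.rb also rejects an empty string (`payload['jti'].to_s == ''`), and that edge case has no example. Nothing asserts what happens when `jti:` is still passed in the options either, so a caller relying on the old comparison would not learn from the suite that it is now ignored; at minimum the empty-string case deserves its own example next to `'missing jti should raise JWT::InvalidJtiError'`. The context block sits fully inside the hunk; the enclosing describe starts outside it.

```ruby
it 'empty jti should raise JWT::InvalidJtiError' do
  empty_jti_token = JWT.encode payload.merge('jti' => ''), data[:secret]
  expect do
    JWT.decode empty_jti_token, data[:secret], true, verify_jti: true
  end.to raise_error JWT::InvalidJtiError
end
```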
