fix signature has expired error if payload is a string #555
Conversation
There was a problem hiding this comment.
Im wondering if this is too big of a change for a minor version. This will require the @payload to be a Hash or an object responding to has_key?. I would also argue that it's totally fine to pass a string as the payload. The RFC states JWTs encode claims to be transmitted as a JSON [RFC7159] object that is used as the payload of a JSON Web Signature
@anakinj |
lib/jwt/verify.rb
Outdated
| @@ -38,12 +38,12 @@ def verify_aud | |||
| end | |||
|
|
|||
| def verify_expiration | |||
| return unless @payload.include?('exp') | |||
| return unless @payload.key?('exp') | |||
There was a problem hiding this comment.
What if there would be a method on this class, something like
def contains_key?(payload, key)
payload.respond_to?(:key?) && payload.key?(key)
end
Then this row would be
return unless contains_key?(@payload, 'exp')
|
I think the proposed changes are great but we need to support the case when the passed payload is not responding to the To my understanding passing a string as the payload is not prohibited. What comes to the expiry, the ´exp´ claim (header) is optional for a JWT token. Added a little suggestion on how we could handle such cases. |
|
Great work and thanks for you patience |
currently it's possible to encode a string payload and decode it but decoding a string containing "exp" throws signature has expired payload which could be misleading as the payload has to be a hash inorder for this to work properly.
Possible before this PR:
Reason for making this PR is has_key will atleast throw undefined method error so that the error won't go unnoticed in production if the payload is a string by mistake.