Raise IncorrectAlgorithm if token has no alg header

jwt · Apr 26, 2021 · 3434f58 · 3434f58
1 parent 018fcc8
commit 3434f58
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/lib/jwt/decode.rb b/lib/jwt/decode.rb
@@ -34,6 +34,7 @@ def decode_segments
 
     def verify_signature
       raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
+      raise(JWT::IncorrectAlgorithm, 'Token is missing alg header') unless header['alg']
       raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
 
       @key = find_key(&@keyfinder) if @keyfinder

diff --git a/spec/jwt_spec.rb b/spec/jwt_spec.rb
@@ -5,6 +5,7 @@
 
   let :data do
    data = {
+      :empty_token => 'e30K.e30K.e30K',
       :secret => 'My$ecretK3y',
       :rsa_private => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-private.pem'))),
       :rsa_public => OpenSSL::PKey.read(File.read(File.join(CERT_PATH, 'rsa-2048-public.pem'))),
@@ -411,6 +412,14 @@
           expect(jwt_payload).to eq payload
         end
       end
+
+      context 'token is missing algorithm' do
+        it 'should raise JWT::IncorrectAlgorithm' do
+          expect do
+            JWT.decode data[:empty_token]
+          end.to raise_error JWT::IncorrectAlgorithm
+        end
+      end
     end
 
     context 'issuer claim' do