From 52fcf99a4b748aeb7e2bad2cce429eb06067d1f0 Mon Sep 17 00:00:00 2001
From: Yason Khaburzaniya
Date: Wed, 3 Feb 2021 19:19:37 -0800
Subject: [PATCH 1/3] create tests for verify claims using options with values set to true and false
---
 spec/jwt/verify_spec.rb | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/spec/jwt/verify_spec.rb b/spec/jwt/verify_spec.rb
index 960fdcd2..a42385d0 100644
--- a/spec/jwt/verify_spec.rb
+++ b/spec/jwt/verify_spec.rb
@@ -225,5 +225,30 @@ module JWT # rubocop:disable Metrics/ModuleLength
 Verify.verify_sub(base_payload.merge('sub' => sub), options.merge(sub: sub))
 end
 end
+
+ context '.verify_claims' do
+ let(:fail_verifications_options) { { iss: 'mismatched-issuer', aud: 'no-match', sub: 'some subject' } }
+ let(:fail_verifications_payload) { {
+ 'exp' => (Time.now.to_i - 50),
+ 'jti' => ' ',
+ 'iss' => 'some-issuer',
+ 'nbf' => (Time.now.to_i + 50),
+ 'iat' => 'not a number',
+ 'sub' => 'not-a-match' } }
+
+ %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method|
+ let(:payload) { base_payload.merge(fail_verifications_payload) }
+ it "must skip verification when #{method} option is set to false" do
+ Verify.verify_claims(payload, options.merge("#{method}" => false))
+ end
+
+ it "must raise error when #{method} option is set to true" do
+ expect do
+ Verify.verify_claims(payload, options.merge("#{method}" => true).merge(fail_verifications_options))
+ end.to raise_error
+ end
+ end
+
+ end
 end
 end
From 74f3b069edd8b216deec04653ab6cdd6283e5dea Mon Sep 17 00:00:00 2001
From: Yason Khaburzaniya
Date: Wed, 3 Feb 2021 19:20:37 -0800
Subject: [PATCH 2/3] update docs to make it clear how to disable expiration claim verification and not before verification which are enabled by default
---
 README.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/README.md b/README.md
index 85b4cd48..0bf6a954 100644
--- a/README.md
+++ b/README.md
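Review bot: The bare `raise_error` in the "must raise error when #{method} option is set to true" example passes on any exception, including a `NoMethodError` or `ArgumentError` unrelated to claim validation, so it does not show that the claim under test was rejected; the same matcher is kept in the [PATCH 3/3] hunk. These examples guard security checks, so pin the class, for instance `end.to raise_error(JWT::DecodeError)` (assuming every claim error derives from it), or map each option to its specific error; the README hunks name `JWT::ExpiredSignature` and `JWT::ImmatureSignature` for two of them. The "must skip verification" example has no expectation at all; wrapping the call as `expect { ... }.not_to raise_error` states the intent. The enclosing module and describe block begin outside the hunk.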
@@ -291,6 +291,12 @@ rescue JWT::ExpiredSignature
 end
 ```
+The Expiration Claim verification can be disabled.
+```ruby
+# Decode token without raising JWT::ExpiredSignature error
+JWT.decode token, hmac_secret, true, { verify_expiration: false, algorithm: 'HS256' }
+```
+
 **Adding Leeway**
 ```ruby
@@ -331,6 +337,12 @@ rescue JWT::ImmatureSignature
 end
 ```
+The Not Before Claim verification can be disabled.
+```ruby
+# Decode token without raising JWT::ImmatureSignature error
+JWT.decode token, hmac_secret, true, { verify_not_before: false, algorithm: 'HS256' }
+```
+
 **Adding Leeway**
 ```ruby
From ba8b31b3d7edb094d8252ae39dc42c8f37cd5fac Mon Sep 17 00:00:00 2001
From: Yason Khaburzaniya
Date: Wed, 3 Feb 2021 19:37:28 -0800
Subject: [PATCH 3/3] fixing rubocop issues
---
 spec/jwt/verify_spec.rb | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/spec/jwt/verify_spec.rb b/spec/jwt/verify_spec.rb
index a42385d0..a434a171 100644
--- a/spec/jwt/verify_spec.rb
+++ b/spec/jwt/verify_spec.rb
@@ -228,27 +228,29 @@ module JWT # rubocop:disable Metrics/ModuleLength
 context '.verify_claims' do
 let(:fail_verifications_options) { { iss: 'mismatched-issuer', aud: 'no-match', sub: 'some subject' } }
- let(:fail_verifications_payload) { {
- 'exp' => (Time.now.to_i - 50),
- 'jti' => ' ',
- 'iss' => 'some-issuer',
- 'nbf' => (Time.now.to_i + 50),
- 'iat' => 'not a number',
- 'sub' => 'not-a-match' } }
+ let(:fail_verifications_payload) {
+ {
+ 'exp' => (Time.now.to_i - 50),
+ 'jti' => ' ',
+ 'iss' => 'some-issuer',
+ 'nbf' => (Time.now.to_i + 50),
+ 'iat' => 'not a number',
+ 'sub' => 'not-a-match'
+ }
+ }
 %w[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub].each do |method|
 let(:payload) { base_payload.merge(fail_verifications_payload) }
 it "must skip verification when #{method} option is set to false" do
- Verify.verify_claims(payload, options.merge("#{method}" => false))
+ Verify.verify_claims(payload, options.merge(method => false))
 end
 it "must raise error when #{method} option is set to true" do
 expect do
- Verify.verify_claims(payload, options.merge("#{method}" => true).merge(fail_verifications_options))
+ Verify.verify_claims(payload, options.merge(method => true).merge(fail_verifications_options))
 end.to raise_error
 end
 end
-
 end
 end
 end
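Review bot: The loop passes the option names as strings (`options.merge(method => false)` over a `%w[...]` list), while the README hunks in [PATCH 2/3] document symbol keys such as `verify_expiration: false`, so the documented way of switching a check off is not the form these examples exercise. Whether `verify_claims` treats string and symbol keys alike is not visible in this hunk; iterating `%i[verify_aud verify_expiration verify_iat verify_iss verify_jti verify_not_before verify_sub]` would test the documented form, and the `#{method}` interpolation in the example names keeps working. `let(:payload)` is also redefined identically on every iteration and could move above the loop. The `.verify_claims` context sits inside a module and describe block that start outside the hunk.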