From 9a30b4ec68af798974d2365479ea2dc39f6a1c76 Mon Sep 17 00:00:00 2001 From: Joakim Antman Date: Sat, 28 Dec 2024 21:20:09 +0200 Subject: [PATCH] Allow alg header to be given --- CHANGELOG.md | 1 + lib/jwt/token.rb | 2 +- spec/jwt/encoded_token_spec.rb | 9 +++++++++ spec/jwt/jwt_spec.rb | 4 ++-- spec/jwt/token_spec.rb | 12 ++++++++++++ 5 files changed, 25 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e9b8977..222bce82 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ Take a look at the [upgrade guide](UPGRADING.md) for more details. **Features:** - JWT::EncodedToken#verify! method that bundles signature and claim validation [#647](https://github.com/jwt/ruby-jwt/pull/647) ([@anakinj](https://github.com/anakinj)) +- Do not override the alg header if already given [#659](https://github.com/jwt/ruby-jwt/pull/659) ([@anakinj](https://github.com/anakinj)) - Your contribution here **Fixes and enhancements:** diff --git a/lib/jwt/token.rb b/lib/jwt/token.rb index 4f61c839..7bf5a104 100644 --- a/lib/jwt/token.rb +++ b/lib/jwt/token.rb @@ -95,7 +95,7 @@ def sign!(algorithm:, key:) raise ::JWT::EncodeError, 'Token already signed' if @signature JWA.resolve(algorithm).tap do |algo| - header.merge!(algo.header) + header.merge!(algo.header) { |_key, old, _new| old } @signature = algo.sign(data: signing_input, signing_key: key) end diff --git a/spec/jwt/encoded_token_spec.rb b/spec/jwt/encoded_token_spec.rb index 54ec9fea..d03f05f0 100644 --- a/spec/jwt/encoded_token_spec.rb +++ b/spec/jwt/encoded_token_spec.rb @@ -103,6 +103,15 @@ end end + context 'when header has invalid alg value' do + let(:header) { { 'alg' => 'HS123' } } + + it 'does not raise' do + expect(token.header).to eq(header) + expect(token.verify_signature!(algorithm: 'HS256', key: 'secret')).to eq(nil) + end + end + context 'when payload is detached' do let(:encoded_token) { detached_payload_token.jwt } diff --git a/spec/jwt/jwt_spec.rb b/spec/jwt/jwt_spec.rb index dd919498..d8690de5 100644 --- a/spec/jwt/jwt_spec.rb +++ b/spec/jwt/jwt_spec.rb @@ -586,9 +586,9 @@ end context 'when the alg value is given as a header parameter' do - it 'does not override the actual algorithm used' do + it 'overrides the actual algorithm used' do headers = JSON.parse(JWT::Base64.url_decode(JWT.encode('Hello World', 'secret', 'HS256', { alg: 'HS123' }).split('.').first)) - expect(headers['alg']).to eq('HS256') + expect(headers['alg']).to eq('HS123') end it 'should generate the same token' do diff --git a/spec/jwt/token_spec.rb b/spec/jwt/token_spec.rb index 20d2131f..00e47eb4 100644 --- a/spec/jwt/token_spec.rb +++ b/spec/jwt/token_spec.rb @@ -41,6 +41,18 @@ expect { token.jwt }.to raise_error(JWT::EncodeError) end end + + context 'when alg is given in header' do + let(:header) { { 'alg' => 'HS123' } } + + before do + token.sign!(algorithm: 'HS256', key: 'secret') + end + + it 'returns a signed and encoded token' do + expect(JWT::EncodedToken.new(token.jwt).header).to eq({ 'alg' => 'HS123' }) + end + end end describe '#detach_payload!' do