Algorithm handling to token class

anakinj · Sep 29, 2024 · 0a6d1f0 · 0a6d1f0
1 parent fe7a3a3
commit 0a6d1f0
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 15 deletions.
diff --git a/lib/jwt/decode.rb b/lib/jwt/decode.rb
@@ -38,7 +38,7 @@ def verify_signature
 
       raise JWT::DecodeError, 'No verification key available' unless @key
 
-      token.verify!(algorithms: allowed_and_valid_algorithms, verification_keys: @key)
+      token.verify_signature!(algorithms: allowed_and_valid_algorithms, verification_keys: @key)
     end
 
     def verify_algo
@@ -78,16 +78,7 @@ def allowed_algorithms
     end
 
     def resolve_allowed_algorithms
-      algs = given_algorithms.map { |alg| JWA.resolve(alg) }
-
-      sort_by_alg_header(algs)
-    end
-
-    # Move algorithms matching the JWT alg header to the beginning of the list
-    def sort_by_alg_header(algs)
-      return algs if algs.size <= 1
-
-      algs.partition { |alg| alg.valid_alg?(alg_in_header) }.flatten
+      given_algorithms.map { |alg| JWA.resolve(alg) }
     end
 
     def find_key(&keyfinder)

diff --git a/lib/jwt/jwa.rb b/lib/jwt/jwa.rb
@@ -40,6 +40,11 @@ def resolve(algorithm)
 
         algorithm
       end
+
+      def resolve_and_sort(algorithms:, preferred_algorithm:)
+        algs = Array(algorithms).map { |alg| JWA.resolve(alg) }
+        algs.partition { |alg| alg.valid_alg?(preferred_algorithm) }.flatten
+      end
     end
   end
 end
diff --git a/lib/jwt/token.rb b/lib/jwt/token.rb
@@ -30,14 +30,18 @@ def signing_input
       segments.first(2).join('.')
     end
 
-    def verify!(algorithms:, verification_keys:)
-      return if Array(algorithms).any? do |algorithm|
+    def verify_signature!(algorithms:, verification_keys:)
+      return if valid_signature?(algorithms: algorithms, verification_keys: verification_keys)
+
+      raise JWT::VerificationError, 'Signature verification failed'
+    end
+
+    def valid_signature?(algorithms:, verification_keys:)
+      Array(JWA.resolve_and_sort(algorithms: algorithms, preferred_algorithm: header['alg'])).any? do |algorithm|
         Array(verification_keys).any? do |verification_key|
           algorithm.verify(data: signing_input, signature: signature, verification_key: verification_key)
         end
       end
-
-      raise JWT::VerificationError, 'Signature verification failed'
     end
 
     def parse_and_decode(segment)

diff --git a/spec/spec_support/token.rb b/spec/spec_support/token.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module SpecSupport
   Token = Struct.new(:payload, keyword_init: true)
 end