The Wayback Machine - https://web.archive.org/web/20200906101556/https://github.com/jwt/ruby-jwt/issues/170/

verify_iss: true is raising JWT::DecodeError instead of JWT::InvalidIssuerError #170

Closed
scalp42 opened this issue Sep 21, 2016 · 5 comments

@scalp42 scalp42 commented Sep 21, 2016

When trying to encode/decode payloads, if I change the iss value with something else and setting verify_iss: true, I'm getting the wrong kind of error:

class JwtAuth

  def initialize app
    @app = app
  end

  def call env
    begin
      options = { algorithm: 'HS256', iss: 'test', verify_iss: true }
      bearer = env.fetch('HTTP_AUTHORIZATION', '').slice(7..-1)
      payload, header = JWT.decode bearer, 'secret', true, options

      env[:scopes] = payload['scopes']
      env[:user] = payload['user']

      @app.call env
    rescue JWT::DecodeError
      [401, { 'Content-Type' => 'text/plain' }, ['A token must be passed.']]
    rescue JWT::ExpiredSignature
      [403, { 'Content-Type' => 'text/plain' }, ['The token has expired.']]
    rescue JWT::InvalidIssuerError
      [403, { 'Content-Type' => 'text/plain' }, ['The token does not have a valid issuer.']]
    rescue JWT::InvalidIatError
      [403, { 'Content-Type' => 'text/plain' }, ['The token does not have a valid "issued at" time.']]
    end
  end

end

Now using jwt.io with the secret 'secret':

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NzQ0MzQ2MjAsImlhdCI6MTQ3NDQzMTAyMCwiaXNzIjoidGVzdCIsInNjb3BlcyI6WyJhZGRfbW9uZXkiLCJyZW1vdmVfbW9uZXkiLCJ2aWV3X21vbmV5Il0sInVzZXIiOnsidXNlcm5hbWUiOiJzY2FscCJ9fQ.1L-2GgdhziszR1UAo3G900CcI1MrqvmjlH5BQ0r8Pms
{
  "exp": 1474434620,
  "iat": 1474431020,
  "iss": "test",
  "scopes": [
    "add_money",
    "remove_money",
    "view_money"
  ],
  "user": {
    "username": "scalp"
  }
}

If I change iss in the payload to whatever for example, I would expect to see JWT::InvalidIssuerError happening but it doesn't appear to be the case in my code.

With iss being set to secret in the payload:

With iss being set to whatever in the payload:

With my code, I would have expected to see 'The token does not have a valid issuer.'.

Any idea?

Thanks in advance!

@excpt excpt added the bug label Sep 21, 2016

@scalp42 scalp42 commented Sep 21, 2016

Actually, changing the exp key to something expired or removing iss key for example are leading to JWT::DecodeError instead of the specific ones if it helps.

@excpt excpt added this to the Version 1.6.0 milestone Sep 21, 2016

@excpt excpt commented Oct 3, 2016

I wrote a spec for the issue:

require 'spec_helper'
require 'jwt'
require 'jwt/decode'

describe JWT do
  it 'should throw a JWT::InvalidIssuerError' do
    payload = {
      "exp": Time.now.to_i + 120,
      "iat": Time.now.to_i - 120,
      "iss": "wrong",
      "scopes": [
        "add_money",
        "remove_money",
        "view_money"
      ],
      "user": {
        "username": "scalp"
      }
    }

    token = JWT.encode payload, 'secret', 'HS256'

    expect do
      JWT.decode token, 'secret', true, { algorithm: 'HS256', iss: 'test', verify_iss: true }
    end.to raise_error JWT::InvalidIssuerError
  end
end

I get the correct error. Which version are you using?

@excpt excpt added documentation and removed bug labels Oct 5, 2016

@excpt excpt commented Oct 5, 2016

Just change your rescue block to:

    rescue JWT::ExpiredSignature
      [403, { 'Content-Type' => 'text/plain' }, ['The token has expired.']]
    rescue JWT::InvalidIssuerError
      [403, { 'Content-Type' => 'text/plain' }, ['The token does not have a valid issuer.']]
    rescue JWT::InvalidIatError
      [403, { 'Content-Type' => 'text/plain' }, ['The token does not have a valid "issued at" time.']]
    rescue JWT::DecodeError
      [401, { 'Content-Type' => 'text/plain' }, ['A token must be passed.']]
    end

All JWT errors derive from JWT::DecodeError; that's why your code behaves in a "strange" way.
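
The following is an added example, not code from this thread or from the ruby-jwt project. It shows the Ruby rule behind the answer above: rescue clauses are tested top to bottom and the first class that matches wins, so a base class listed first shadows every subclass after it, and every verification failure (wrong issuer, expired token, bad iat) collapses into the generic 401 "A token must be passed" branch, which hides the real reason from logs and from the client. The FakeJWT module is a constructed stand-in that mirrors the hierarchy the thread describes (ExpiredSignature, InvalidIssuerError and InvalidIatError all derive from DecodeError) so the example runs without the jwt gem; shadowed_rescues is a hypothetical helper, not a ruby-jwt API, that flags unreachable clauses given the order they appear in.

```ruby
# Constructed stand-in for the ruby-jwt exception hierarchy (not the real gem):
# the specific errors all inherit from the base DecodeError, exactly the
# relationship that makes rescue ordering matter.
module FakeJWT
  class DecodeError < StandardError; end
  class ExpiredSignature < DecodeError; end
  class InvalidIssuerError < DecodeError; end
  class InvalidIatError < DecodeError; end
end

# Rescue order as in the original report: the base class is listed first,
# so the InvalidIssuerError clause below it can never fire.
def status_with_base_first
  yield
  200
rescue FakeJWT::DecodeError
  401
rescue FakeJWT::InvalidIssuerError
  403
end

# Corrected order: specific subclasses first, the base class last as the
# catch-all for anything else that went wrong while decoding.
def status_with_specific_first
  yield
  200
rescue FakeJWT::ExpiredSignature, FakeJWT::InvalidIssuerError, FakeJWT::InvalidIatError
  403
rescue FakeJWT::DecodeError
  401
end

# Runs one of the two methods above with a block that raises `klass`
# and returns the status code the rescue chain produced.
def classify(order, klass)
  send(order) { raise klass, 'constructed failure' }
end

# Hypothetical lint helper: returns every class in `order` that can never be
# reached because one of its ancestors appears earlier in the list.
# Module#< is true when the left class descends from the right one.
def shadowed_rescues(order)
  order.each_with_index.select do |klass, i|
    order[0...i].any? { |earlier| klass < earlier }
  end.map(&:first)
end

if __FILE__ == $PROGRAM_NAME
  [FakeJWT::InvalidIssuerError, FakeJWT::ExpiredSignature, FakeJWT::DecodeError].each do |k|
    puts "#{k}: base-first=#{classify(:status_with_base_first, k)} " \
         "specific-first=#{classify(:status_with_specific_first, k)}"
  end
  p shadowed_rescues([FakeJWT::DecodeError, FakeJWT::InvalidIssuerError])
end
```

Keeping the base class last is also the safer default when new subclasses are added to the library later: they fall through to the generic branch instead of silently taking the wrong status, and the specific clauses keep producing distinguishable responses that can be counted and alerted on.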

@excpt excpt removed the documentation label Oct 5, 2016

@scalp42 scalp42 commented Oct 5, 2016

@excpt I see the issue now, thanks a lot for the help and sorry for opening this 🍶

@scalp42 scalp42 closed this Oct 5, 2016

@yamitcar yamitcar commented May 26, 2017

Hi! I removed the slice on:
env.fetch('HTTP_AUTHORIZATION', '').slice(7..-1)

and works for me :)
