Skip to content

Bumping jwt gem to 3.2 and addressing breaking changes + PR #112 by @karlnaden#116

Merged
karlnaden merged 18 commits into
inferno-framework:mainfrom
FlexonyoPizza:LeonsBranch
May 22, 2026
Merged

Bumping jwt gem to 3.2 and addressing breaking changes + PR #112 by @karlnaden#116
karlnaden merged 18 commits into
inferno-framework:mainfrom
FlexonyoPizza:LeonsBranch

Conversation

@FlexonyoPizza

@FlexonyoPizza FlexonyoPizza commented May 20, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumping jwt from 2.6 to 3.2 comes with some breaking changes - jwt 3.2 now enforces the signature segment of the token in 'token_request_bsca_verification_test_spec.rb' to be verified before the payload is accessed. If the signature is not verified, the tests will crash. For our use, we want the ability to validate the payload without a valid signature so that we can give feedback on the payload even in the case of a bad signature. Therefore .payload has been changed to .unverified_payload in authentication_verification.rb:37 to bypass jwt 3.2's new signature enforcement.

  • This PR is an addition to PR ID-45: execution scripts #112 by @karlnaden

@karlnaden karlnaden left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good - one question on the signature error.

encoded_token.verify_signature!(algorithm: encoded_token.header['alg'], key: jwk.verify_key)
rescue StandardError => e
return e
return "Signature verification failed: #{e}"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a UI-based execution example where you were able to demonstrate this error? I'm interested to see it in the UI.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like the error text is already "Signature verification failed", so let's remove this
image

@karlnaden karlnaden left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

revert change to the signature verification error

encoded_token.verify_signature!(algorithm: encoded_token.header['alg'], key: jwk.verify_key)
rescue StandardError => e
return "Signature verification failed: #{e}"
return e

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reverted back to the raw signature verification error message

parts = make_jwt(payload_invalid, header_invalid, 'RS384', parsed_jwks.keys[3]).split('.')
parts[2] = Base64.urlsafe_encode64(SecureRandom.bytes(256), padding: false)
parts.join('.')
end

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

• SecureRandom.bytes(256) generates the 256 random raw bytes
• Base64.urlsafe_encode64(..., padding: false) encodes those bytes into a valid base64 string
• parts[2] = … assigns that string as the signature segment of the JWT

parts = make_jwt(payload_invalid, header_invalid, 'RS384', parsed_jwks.keys[3]).split('.')
parts[2] = Base64.urlsafe_encode64(SecureRandom.bytes(256), padding: false)
parts.join('.')
end

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

• SecureRandom.bytes(256) generates the 256 random raw bytes
• Base64.urlsafe_encode64(..., padding: false) encodes those bytes into a valid base64 string
• parts[2] = … assigns that string as the signature segment of the JWT

@FlexonyoPizza FlexonyoPizza requested a review from karlnaden May 22, 2026 18:48
@karlnaden karlnaden merged commit 5678d93 into inferno-framework:main May 22, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants