Bumping jwt gem to 3.2 and addressing breaking changes + PR #112 by @karlnaden#116
Conversation
…nt of signatures being verified before accessing payloads
karlnaden
left a comment
There was a problem hiding this comment.
Looks good - one question on the signature error.
| encoded_token.verify_signature!(algorithm: encoded_token.header['alg'], key: jwk.verify_key) | ||
| rescue StandardError => e | ||
| return e | ||
| return "Signature verification failed: #{e}" |
There was a problem hiding this comment.
Do you have a UI-based execution example where you were able to demonstrate this error? I'm interested to see it in the UI.
karlnaden
left a comment
There was a problem hiding this comment.
revert change to the signature verification error
| encoded_token.verify_signature!(algorithm: encoded_token.header['alg'], key: jwk.verify_key) | ||
| rescue StandardError => e | ||
| return "Signature verification failed: #{e}" | ||
| return e |
There was a problem hiding this comment.
reverted back to the raw signature verification error message
| parts = make_jwt(payload_invalid, header_invalid, 'RS384', parsed_jwks.keys[3]).split('.') | ||
| parts[2] = Base64.urlsafe_encode64(SecureRandom.bytes(256), padding: false) | ||
| parts.join('.') | ||
| end |
There was a problem hiding this comment.
• SecureRandom.bytes(256) generates the 256 random raw bytes
• Base64.urlsafe_encode64(..., padding: false) encodes those bytes into a valid base64 string
• parts[2] = … assigns that string as the signature segment of the JWT
| parts = make_jwt(payload_invalid, header_invalid, 'RS384', parsed_jwks.keys[3]).split('.') | ||
| parts[2] = Base64.urlsafe_encode64(SecureRandom.bytes(256), padding: false) | ||
| parts.join('.') | ||
| end |
There was a problem hiding this comment.
• SecureRandom.bytes(256) generates the 256 random raw bytes
• Base64.urlsafe_encode64(..., padding: false) encodes those bytes into a valid base64 string
• parts[2] = … assigns that string as the signature segment of the JWT

Summary
Bumping jwt from 2.6 to 3.2 comes with some breaking changes - jwt 3.2 now enforces the signature segment of the token in 'token_request_bsca_verification_test_spec.rb' to be verified before the payload is accessed. If the signature is not verified, the tests will crash. For our use, we want the ability to validate the payload without a valid signature so that we can give feedback on the payload even in the case of a bad signature. Therefore .payload has been changed to .unverified_payload in authentication_verification.rb:37 to bypass jwt 3.2's new signature enforcement.
This PR is an addition to PR ID-45: execution scripts #112 by @karlnaden