Closed freakyfelt closed 2 years ago
Thanks for the detailed report of that bug. That's not the intended behavior.
Creating a fix PR, will get it posted momentarily
Unfortunate side-effect of using the built-in Base64.urlsafe_decode64 that internally uses the Base64.strict_decode64 (previously Base64.decode64).
Now I'm a little unsure of what type of Base64 decoding you are supposed to use for a JWT token. The RFC only refers to Base64url.
The Base64.strict_decode64 seems to be according to RFC 4648 whereas the Base64.decode64 is according to RFC 2045. Based on the String#unpack documentation:
m | String | base64 encoded string (RFC 2045) (default)
| | base64 encoded string (RFC 4648) if followed by 0
I guess using the strict decoding is fine, just that when something invalid is given the behaviour is different as noticed here.
Calling JWT.decode(token) used to result in a JWT::DecodeError, however this is now raising an ArgumentError that must be caught separately.
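The behaviour difference discussed in this thread, as an added example that is not code from the library or from any participant: the two String#unpack directives quoted above are applied to a constructed token segment, and a wrapper translates the strict decoder's ArgumentError into a single error class. SegmentDecodeError and all helper names are hypothetical.

```ruby
# Added illustration; SegmentDecodeError and the helper names are hypothetical.
class SegmentDecodeError < StandardError; end

# Base64url -> standard alphabet, with the "=" padding that JWTs omit restored.
def to_padded_base64(segment)
  std = segment.tr("-_", "+/")
  std + "=" * ((4 - std.length % 4) % 4)
end

# RFC 2045 decoding ("m"), which Base64.decode64 uses: characters outside
# the alphabet are skipped silently.
def lenient_decode(segment)
  to_padded_base64(segment).unpack1("m")
end

# RFC 4648 decoding ("m0"), which Base64.strict_decode64 uses: invalid
# input raises ArgumentError.
def strict_decode(segment)
  to_padded_base64(segment).unpack1("m0")
end

# Strict decoding with ArgumentError translated, so callers rescue one class.
def decode_segment(segment)
  strict_decode(segment)
rescue ArgumentError => e
  raise SegmentDecodeError, "invalid segment encoding: #{e.message}"
end

# Constructed sample input: one well-formed segment and a corrupted copy.
HEADER_JSON  = '{"typ":"JWT"}'
GOOD_SEGMENT = [HEADER_JSON].pack("m0").tr("+/", "-_").delete("=")
BAD_SEGMENT  = GOOD_SEGMENT.dup.insert(4, "!")

# Returns the class of the exception raised by the block, or nil if none.
def raised_class
  yield
  nil
rescue StandardError => e
  e.class
end

puts "lenient on bad segment: #{lenient_decode(BAD_SEGMENT).inspect}"
puts "strict on bad segment:  #{raised_class { strict_decode(BAD_SEGMENT) }}"
puts "wrapped on bad segment: #{raised_class { decode_segment(BAD_SEGMENT) }}"
```

The lenient decoder returns the original header for the corrupted segment, which is why the switch to strict decoding surfaced a new exception type for input that previously decoded or failed later in parsing.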