liquidz / clj-jwt

Clojure library for JSON Web Token(JWT)

Claims containing URI String keys cannot be verified. #5

Closed agarman closed 10 years ago

agarman commented 10 years ago

To reproduce bug:

(def claim {:iss "abc", :iat (now), "http://abc.net" true})
(def token (-> claim jwt (sign :HS256 "foo") to-str))
(verify (str->jwt token) "foo")

agarman commented 10 years ago

Here is a better minimal test:

(-> {"i/s" "foo"}
    jwt              ; :claims {"i/s" "foo"}
    (sign "abc")
    to-str
    str->jwt         ; :claims {:i/s "foo"}
    (verify "abc"))  ; fails because first claim is signed, not second.

liquidz commented 10 years ago

I fixed the bug. Please check ver 0.0.7

agarman commented 10 years ago

(-> {"i/s" "foo"}
    jwt              ; :claims {"i/s" "foo"}
    (sign "abc")
    to-str
    str->jwt         ; :claims {:/s "foo"}
    (verify "abc"))

This verifies, but the claim is wrong.

liquidz commented 10 years ago

fixed

(-> {"i/s" "foo"}
    jwt              ; #clj_jwt.core.JWT{:header {:alg "none", :typ "JWT"}, :claims {"i/s" "foo"}, :signature ""}
    (sign "abc")     ; #clj_jwt.core.JWT{:header {:alg "HS256", :typ "JWT"}, :claims {"i/s" "foo"}, :signature "iSJgf8MitAlJQz-CGeHcKKY0JTb1_FG4o6AE8Sp-Rgc"}
    to-str
    str->jwt         ; #clj_jwt.core.JWT{:header {:alg "HS256", :typ "JWT"}, :claims {"i/s" "foo"}, :signature "iSJgf8MitAlJQz-CGeHcKKY0JTb1_FG4o6AE8Sp-Rgc"}
    (verify "abc"))  ; true

agarman commented 10 years ago

Looks good.
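
A regression test for the two failure modes reported in this thread (signature rejected after a round trip, then signature accepted but the claim key altered), as an added example that is not part of the original issue or the project's own test suite. It uses only the clj-jwt functions shown above; the namespace name, the `round-trip` helper, the sample claim sets and the secrets are constructed for illustration, and the equality check assumes parsed claims keep their string keys as in the final output above.

```clojure
(ns claims-roundtrip-test
  (:require [clojure.test :refer [deftest is testing]]
            [clj-jwt.core :refer [jwt sign verify to-str str->jwt]]))

;; Constructed sample claims: string keys containing "/" and ":" as in the
;; thread, plus one URI-style key with a non-scalar value.
(def sample-claims
  [{"i/s" "foo"}
   {"iss" "abc", "http://abc.net" true}
   {"https://example.test/roles" ["admin"]}])

(defn round-trip
  "Hypothetical helper: signs claims with HS256, serializes the token,
   then parses it back as a receiver would."
  [claims secret]
  (-> claims jwt (sign :HS256 secret) to-str str->jwt))

(deftest string-claim-keys-survive-round-trip
  (doseq [claims sample-claims]
    (let [parsed (round-trip claims "abc")]
      (testing (str "claims " (pr-str claims))
        ;; First report: the signature must still verify after parsing.
        (is (true? (verify parsed "abc")))
        ;; Second report: verifying is not enough, the parsed claims must
        ;; be exactly what was signed (no key rewritten to :i/s or :/s).
        (is (= claims (:claims parsed)))
        ;; Guard against a verifier that accepts everything.
        (is (not (verify parsed "wrong-secret")))))))
```

Checking `(:claims parsed)` separately from `verify` matters because an authorization decision reads the parsed claims, not the signed bytes.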