fix web encoding, fix validation of signatures when no signature present

Author: DorianGray

jwt-0.2-0.rockspec renamed to jwt-0.2-1.rockspec

@@ -1,5 +1,5 @@
 package = "jwt"
-version = "0.2-0"
+version = "0.2-1"
 source = {
   url = "https://github.com/Olivine-Labs/lua-jwt/archive/v0.2.tar.gz",
   dir = "lua-jwt-0.2"

spec/jwt_spec.lua

@@ -58,6 +58,16 @@ describe("JWT spec", function()
     assert.are.same(claims, decodedClaims)
   end)
 
+  it("it cannot decode a token without a signature but with a key specified", function()
+    local claims = {
+      test = "test",
+    }
+    local keyPair = crypto.pkey.generate("rsa", 512)
+    local token, err = jwt.encode(claims, {alg = "RS256"})
+    local decodedClaims = jwt.decode(token, {keys = {public = keyPair}})
+    assert.are.same(decodedClaims, nil)
+  end)
+
   it("it cannot encode/decode a signed plain text token with alg=RS256 and an incorrect key", function()
     local claims = {
       test = "test",
@@ -68,6 +78,7 @@ describe("JWT spec", function()
     local decodedClaims = jwt.decode(token, {keys = {public = badPair}})
     assert.has_error(function() assert.are.same(claims, decodedClaims) end)
   end)
+
   it("can verify a signature", function()
     local token = "eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJhOGZjZTFkZi1iNGFlLTRjNDEtYmFjNi1iNWJiZjI4MGMyOWMiLCJzdWIiOiI3YmZjNThlYy03N2RkLTQ4NzQtYmViZC1iYTg0MTAzMDEyNzkiLCJzY29wZSI6WyJvYXV0aC5hcHByb3ZhbHMiLCJvcGVuaWQiXSwiY2xpZW50X2lkIjoibG9naW4iLCJjaWQiOiJsb2dpbiIsImdyYW50X3R5cGUiOiJwYXNzd29yZCIsInVzZXJfaWQiOiI3YmZjNThlYy03N2RkLTQ4NzQtYmViZC1iYTg0MTAzMDEyNzkiLCJ1c2VyX25hbWUiOiJhZG1pbkBmb3Jpby5jb20iLCJlbWFpbCI6ImFkbWluQGZvcmlvLmNvbSIsImlhdCI6MTM5ODkwNjcyNywiZXhwIjoxMzk4OTQ5OTI3LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0Ojk3NjMvdWFhL29hdXRoL3Rva2VuIiwiYXVkIjpbIm9hdXRoIiwib3BlbmlkIl19.xOa5ZpXksgoaA_XJ3yHMjlLcbSoM6XJy-e60zfyP7bRmu0EKEGZdZrl2iJVh6OTIn8z6UuvcY282C1A5LtRgpir4wqhIrphd-Mi9gfxra0pJvtydd4XqVpuNdW7GDaC43VXpvUtetmfn-YAo2jkD9G22mUuT2sFdt5NqFL7Rk4tVRILes73OWxfQpuoReWvRBik-sJXxC9ADmTuzR36OvomIrso42R8aufU2ku_zPve8IhYLvn3vHmYCt0zNZkX-jSV8YtGodr9V-dKs9na41YvGp2UxkBcV7LKoGSRELSSNJ8JLF-bjO3zYSSbT42-yeHeKfoWAeP6R7S_0c_AYRA"
     local key = [[-----BEGIN PUBLIC KEY-----

src/jwt.lua

@@ -45,7 +45,7 @@ function data.encode(claims, options)
   local header    = header(options)
   local token, err = jwt:encode(header, claims, options)
   if not token then return nil, err end
-  return token
+  return token:gsub('+','-'):gsub('/','_')
 end
 
 function data.decode(str, options)

src/jwt/jws.lua

@@ -25,9 +25,13 @@ function data:encode(header, claims, options)
   if not options then error("options are required") end
   local claims    = json.encode(claims)
   local envelope  = basexx.to_base64(json.encode(header)).."."..basexx.to_base64(claims)
-  local signature, err = self.sign[header.alg](envelope, options.keys.private)
-  if not signature then return nil, err end
-  return envelope .. "." .. basexx.to_base64(signature)
+  local signature
+  if options.keys then
+    local err
+    signature, err = self.sign[header.alg](envelope, options.keys.private)
+    if not signature then return nil, err end
+  end
+  return envelope .. "." .. (signature and basexx.to_base64(signature) or "")
 end
 
 function data:decode(header, str, options)
@@ -43,6 +47,9 @@ function data:decode(header, str, options)
       signature     = basexx.from_base64(str:sub(dotSecond+1))
     end
   else
+    if options and options.keys and options.keys.public then
+      return nil, "Invalid token"
+    end
     bodyStr = str
   end