Allow alg header to be given

anakinj · Dec 28, 2024 · 0a24395 · 0a24395
1 parent f9fac27
commit 0a24395
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/lib/jwt/token.rb b/lib/jwt/token.rb
@@ -95,7 +95,7 @@ def sign!(algorithm:, key:)
       raise ::JWT::EncodeError, 'Token already signed' if @signature
 
       JWA.resolve(algorithm).tap do |algo|
-        header.merge!(algo.header)
+        header.merge!(algo.header) { |_key, old, _new| old }
         @signature = algo.sign(data: signing_input, signing_key: key)
       end
 

diff --git a/spec/jwt/encoded_token_spec.rb b/spec/jwt/encoded_token_spec.rb
@@ -103,6 +103,15 @@
       end
     end
 
+    context 'when header has invalid alg value' do
+      let(:header) { { 'alg' => 'HS123' } }
+
+      it 'does not raise' do
+        expect(token.header).to eq(header)
+        expect(token.verify_signature!(algorithm: 'HS256', key: 'secret')).to eq(nil)
+      end
+    end
+
     context 'when payload is detached' do
       let(:encoded_token) { detached_payload_token.jwt }
 

diff --git a/spec/jwt/token_spec.rb b/spec/jwt/token_spec.rb
@@ -41,6 +41,18 @@
         expect { token.jwt }.to raise_error(JWT::EncodeError)
       end
     end
+
+    context 'when alg is given in header' do
+      let(:header) { { 'alg' => 'HS123' } }
+
+      before do
+        token.sign!(algorithm: 'HS256', key: 'secret')
+      end
+
+      it 'returns a signed and encoded token' do
+        expect(JWT::EncodedToken.new(token.jwt).header).to eq({ 'alg' => 'HS123' })
+      end
+    end
   end
 
   describe '#detach_payload!' do