Merge pull request #86 from mark-adams/fix_alg_case_sensitivity

Fix alg header parameter case sensitivity
jpadilla · Jan 25, 2015 · a4c5236 · a4c5236
2 parents f7a6b5f + eb4bb53
commit a4c5236
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 3 deletions.
diff --git a/jwt/algorithms.py b/jwt/algorithms.py
@@ -74,8 +74,8 @@ def prepare_key(self, key):
     def sign(self, msg, key):
         return b''
 
-    def verify(self, msg, key):
-        return True
+    def verify(self, msg, key, sig):
+        return False
 
 
 class HMACAlgorithm(Algorithm):

diff --git a/jwt/api.py b/jwt/api.py
@@ -144,7 +144,7 @@ def verify_signature(payload, signing_input, header, signature, key='',
         raise TypeError('audience must be a string or None')
 
     try:
-        alg_obj = _algorithms[header['alg'].upper()]
+        alg_obj = _algorithms[header['alg']]
         key = alg_obj.prepare_key(key)
 
         if not alg_obj.verify(signing_input, key, signature):

diff --git a/tests/test_jwt.py b/tests/test_jwt.py
@@ -14,6 +14,8 @@
     _algorithms as jwt_algorithms
 )
 
+from jwt.exceptions import DecodeError
+
 if sys.version_info >= (2, 7):
     import unittest
 else:
@@ -68,6 +70,28 @@ def test_encode_bad_type(self):
         for t in types:
             self.assertRaises(TypeError, lambda: jwt.encode(t, 'secret'))
 
+    def test_encode_algorithm_param_should_be_case_sensitive(self):
+        payload = {'hello': 'world'}
+
+        jwt.encode(payload, 'secret', algorithm='HS256')
+
+        with self.assertRaises(NotImplementedError) as context:
+            jwt.encode(payload, None, algorithm='hs256')
+
+        exception = context.exception
+        self.assertEquals(str(exception), 'Algorithm not supported')
+
+    def test_decode_algorithm_param_should_be_case_sensitive(self):
+        example_jwt = ('eyJhbGciOiJoczI1NiIsInR5cCI6IkpXVCJ9' # alg = hs256
+                       '.eyJoZWxsbyI6IndvcmxkIn0'
+                       '.5R_FEPE7SW2dT9GgIxPgZATjFGXfUDOSwo7TtO_Kd_g')
+
+        with self.assertRaises(DecodeError) as context:
+            jwt.decode(example_jwt, 'secret')
+
+        exception = context.exception
+        self.assertEquals(str(exception), 'Algorithm not supported')
+
     def test_encode_datetime(self):
         secret = 'secret'
         current_datetime = datetime.utcnow()