Upgrade jwt gem from ~> 2.8 to ~> 3.1 #433

Merged
gjtorikian merged 1 commit into main from upgrade-jwt-gem-3.1
Feb 4, 2026

Conversation

@workos-sdk-automation
Contributor

Description

This commit upgrades the ruby-jwt dependency to version 3.1, bringing improved security and RFC compliance.

  • Upgraded jwt gem dependency from ~> 2.8 to ~> 3.1 in workos.gemspec
  • Updated session test fixture to generate valid base64-encoded JWK data

The JWT 3.x series introduced stricter RFC 4648 compliance for base64 encoding/decoding, replacing the more lenient RFC 2045 standard used in 2.x. This provides better security and interoperability with other JWT implementations that follow the stricter standard.

Key improvements in JWT 3.x:

  • Stricter base64 validation that rejects invalid padding and whitespace
  • Proper base64 encoding/decoding for HMAC JWK keys (the 'k' parameter)
  • Enhanced security through stricter validation

The test fixture in session_spec.rb was updated to use dynamically generated JWK data instead of hardcoded placeholder values. This change is both necessary and safe because:

Why Necessary: The old fixture used invalid base64 strings like "test_n", "test", etc. for RSA key parameters. JWT 3.x's stricter validation correctly rejects these as invalid base64, causing tests to fail during JWK parsing.

Why Safe: The new approach generates the jwks_hash from an actual RSA key pair using JWT::JWK.export, ensuring all base64-encoded fields (n, e, x5c, x5t#S256) contain valid cryptographic data. This makes the tests more realistic and robust, as they now use properly formatted JWKs that match what the production code would receive from WorkOS APIs.

The change maintains test isolation and determinism while ensuring compatibility with JWT 3.x's stricter validation.

All 376 existing tests pass with no modifications to production code, confirming that this upgrade is fully backward compatible with the WorkOS SDK's existing functionality.


Closes #402

Documentation

Does this require changes to the WorkOS Docs? E.g. the API Reference or code snippets need updates.

[ ] Yes

If yes, link a related docs PR and add a docs maintainer as a reviewer. Their approval is required.

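Worked example, added here and not code from this PR, the WorkOS SDK or the jwt gem: it shows the two decoding regimes the description contrasts, and the kind of fixture it says replaced the placeholders. Part 1 implements base64url decoding twice using only Ruby core: strictly via unpack1('m0') (RFC 4648 rules: characters outside the alphabet, whitespace, misplaced '=' and non-zero trailing bits all raise ArgumentError) and leniently via unpack1('m') (RFC 2045 rules: anything unrecognised is skipped, so junk still decodes to some bytes), then runs both over constructed inputs including the old placeholder values "test_n" and "test" quoted above. Part 2 generates an RSA key, exports a public JWK with real n, e, kid (RFC 7638 thumbprint), x5c and x5t#S256 values, and has a consumer strictly decode every field, rebuild the public key and verify a signature against it. The lenient decoder is an approximation of the fallback behaviour the description attributes to jwt 2.x, not the gem's implementation, and the module and method names are this example's own.

```ruby
# Added example: not code from the workos-ruby PR, the WorkOS SDK or the jwt gem.
# Part 1: base64url decoding under RFC 4648 (strict) and RFC 2045 (lenient) rules.
# Part 2: an RSA JWK fixture whose fields are real encodings of a generated key.
# Only Ruby core plus the openssl and json standard libraries are used. The
# lenient decoder approximates the jwt 2.x fallback described in the PR, and the
# module/method names are this example's own, not the gem's API.
require 'openssl'
require 'json'

module JwkFixtureDemo
  # base64url (RFC 4648 section 5), unpadded, as JOSE requires.
  def self.url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  # Strict decode. 'm0' raises ArgumentError on characters outside the alphabet,
  # on whitespace, on misplaced '=' and on non-zero trailing bits in the final
  # group. Padding is restored first because JOSE strips it.
  def self.strict_url_decode(str)
    complete = (str.length % 4).zero? || str.end_with?('=')
    padded = complete ? str : str.ljust((str.length + 3) & ~3, '=')
    padded.tr('-_', '+/').unpack1('m0')
  end

  # Lenient decode. 'm' skips anything it does not recognise (RFC 2045: "must be
  # ignored by decoding software"), so junk yields some bytes instead of an error.
  def self.lenient_url_decode(str)
    str.tr('-_', '+/').unpack1('m')
  end

  def self.outcome
    yield
    :accepted
  rescue ArgumentError
    :rejected
  end

  def self.classify(str)
    { strict: outcome { strict_url_decode(str) }, lenient: outcome { lenient_url_decode(str) } }
  end

  # Constructed inputs: the two placeholder values the PR quotes from the old
  # fixture, plus two shapes of input that lenient decoders wave through.
  PLACEHOLDERS = [
    'test_n',    # old fixture n: final group "/n" carries non-zero trailing bits
    'test',      # old fixture e: coincidentally valid base64 (one full group, 3 bytes)
    "dGVz\ndA",  # embedded newline
    'dGVzd'      # length 5 cannot form a valid final group
  ].freeze

  def self.audit_placeholders
    PLACEHOLDERS.to_h { |v| [v, classify(v)] }
  end

  # RFC 7638 thumbprint: SHA-256 over the required members in lexicographic order.
  def self.thumbprint(n_b64, e_b64)
    canonical = JSON.generate({ 'e' => e_b64, 'kty' => 'RSA', 'n' => n_b64 })
    url_encode(OpenSSL::Digest::SHA256.digest(canonical))
  end

  # Self-signed certificate so x5c and x5t#S256 carry real values.
  def self.self_signed(key)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=jwk-fixture-demo')
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    cert.sign(key, 'SHA256')
    cert
  end

  # Public JWK as a JWKS endpoint would publish it. Two alphabets are in play:
  # n, e and x5t#S256 are unpadded base64url, while x5c is padded standard
  # base64 (RFC 7517 section 4.7 points at RFC 4648 section 4, not section 5).
  def self.export_public_jwk(key)
    n = url_encode(key.n.to_s(2))
    e = url_encode(key.e.to_s(2))
    der = self_signed(key).to_der
    { 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => thumbprint(n, e),
      'n' => n, 'e' => e, 'x5c' => [[der].pack('m0')],
      'x5t#S256' => url_encode(OpenSSL::Digest::SHA256.digest(der)) }
  end

  # Consumer side: strictly decode every field, rebuild the public key and check
  # that kid, certificate and a signature made with the private key all agree.
  def self.verify_jwk_roundtrip(jwk, signing_key)
    n = OpenSSL::BN.new(strict_url_decode(jwk['n']), 2)
    e = OpenSSL::BN.new(strict_url_decode(jwk['e']), 2)
    rsa_public_key_der = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
    pub = OpenSSL::PKey::RSA.new(rsa_public_key_der)
    der = jwk['x5c'].first.unpack1('m0')
    cert_key = OpenSSL::X509::Certificate.new(der).public_key
    signature = signing_key.sign('SHA256', 'header.payload')
    cert_key.n == n && cert_key.e == e &&
      jwk['kid'] == thumbprint(jwk['n'], jwk['e']) &&
      jwk['x5t#S256'] == url_encode(OpenSSL::Digest::SHA256.digest(der)) &&
      pub.verify('SHA256', signature, 'header.payload')
  end
end

if $PROGRAM_NAME == __FILE__
  JwkFixtureDemo.audit_placeholders.each do |v, r|
    puts "#{v.inspect.ljust(11)} strict=#{r[:strict]} lenient=#{r[:lenient]}"
  end
  key = OpenSSL::PKey::RSA.new(2048)
  jwk = JwkFixtureDemo.export_public_jwk(key)
  puts JSON.pretty_generate(jwk.reject { |k, _| k == 'x5c' })
  puts "fixture consistent: #{JwkFixtureDemo.verify_jwk_roundtrip(jwk, key)}"
end
```

Running it prints the four classifications and the exported JWK (without the long x5c member). Two details stand out. "test" is a complete four-character group from the base64 alphabet, so it decodes under both regimes; of the two placeholders quoted in the description it is "test_n" that the strict decoder refuses. And x5c has to remain padded standard base64 even though every other field is unpadded base64url, so a fixture generator that pushes all fields through one url_encode helper produces x5c values that do not match RFC 7517 section 4.7.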
@workos-sdk-automation workos-sdk-automation bot requested a review from a team as a code owner February 4, 2026 19:13
@workos-sdk-automation workos-sdk-automation bot requested review from gjtorikian and removed request for a team February 4, 2026 19:13
@gjtorikian gjtorikian merged commit 67e7c05 into main Feb 4, 2026
4 checks passed
@gjtorikian gjtorikian deleted the upgrade-jwt-gem-3.1 branch February 4, 2026 19:15
@greptile-apps

greptile-apps bot commented Feb 4, 2026

Greptile Overview

Greptile Summary

Upgraded the jwt gem from v2.8 to v3.1, bringing improved security through stricter RFC 4648 compliance for base64 encoding/decoding. The test fixture in session_spec.rb was updated to generate valid JWK data dynamically instead of using hardcoded placeholder values, which is necessary because JWT 3.x rejects the invalid base64 strings that were previously used.

Key changes:

  • Updated jwt dependency from ~> 2.8 to ~> 3.1 in workos.gemspec
  • Modified test fixture to use JWT::JWK.export to generate properly formatted JWK data with valid base64-encoded cryptographic parameters
  • Gemfile.lock updated with jwt 3.1.2 and base64 0.3.0
  • No changes required to production code in lib/workos/session.rb - the JWT library API remains compatible

Security improvements:

  • Stricter base64 validation that rejects invalid padding and whitespace
  • Better interoperability with other JWT implementations following RFC 4648
  • Enhanced security through more rigorous validation

The upgrade is backward compatible with existing functionality, as confirmed by the PR description stating all 376 tests pass.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The JWT library upgrade from v2.8 to v3.1 is a straightforward dependency update that improves security. The test fixture change is necessary and correct - it replaces invalid placeholder base64 strings with properly generated JWK data. No production code changes were required, indicating full API compatibility. The PR description confirms all 376 tests pass, demonstrating backward compatibility.
  • No files require special attention

Important Files Changed

Filename                           Overview
workos.gemspec                     Updated jwt dependency from ~> 2.8 to ~> 3.1
Gemfile.lock                       Lockfile updated with jwt 3.1.2 and base64 0.3.0
spec/lib/workos/session_spec.rb    Replaced hardcoded invalid base64 fixture with dynamically generated valid JWK data

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Gem as workos.gemspec
    participant Lock as Gemfile.lock
    participant JWT as JWT Library
    participant Test as session_spec.rb
    participant Session as Session Class

    Dev->>Gem: Update jwt dependency to v3.1
    Note over Gem: jwt v2.8 to v3.1
    
    Dev->>Lock: Bundle install
    Lock->>JWT: Install jwt 3.1.2
    Lock->>Lock: Update base64 to 0.3.0
    
    Test->>Test: Generate RSA key pair
    Note over Test: OpenSSL PKey RSA new 2048
    
    Test->>JWT: Export JWK with proper base64
    Note over JWT: JWK export creates valid encoding
    
    Test->>Test: Create jwks hash from export
    Note over Test: Replaces hardcoded values
    
    Test->>Session: Initialize Session with JWKs
    Session->>JWT: Decode with stricter validation
    Note over JWT: RFC 4648 compliant validation
    
    JWT-->>Session: Success with valid base64
    Session-->>Test: All tests pass

@greptile-apps greptile-apps bot left a comment

3 files reviewed, no comments
