rubykube / jwt-multisig Goto Github PK

Multi Sig payload is generated via payload.to_json in JWT::Multisig#generate_jwt however the JWT gem has JWT::Encode#encoded_payload which uses JSON.generate(@payload)

The result is a slightly different datetime string but therefore a different payload and therefore an error when attempting to verify the signature from the multisig jwt.

This can be illustrated in a rails console via ..

>> now = Time.now.utc
2018-09-04 06:42:42 UTC
>> {time: now}.to_json
"{\"time\":\"2018-09-04T06:42:42.337Z\"}"
>> JSON.generate({time: now})
"{\"time\":\"2018-09-04 06:42:42 UTC\"}"

.. noting the difference in the timestamps.

What is the solution?
Either change jwt-multisig gem to use JSON.generate or have the author of the https://github.com/jwt/ruby-jwt/blob/master/lib/jwt/encode.rb change code to use .to_json

When using with rails, I found it will have an error #<JWT::VerificationError: Signature verification raised> because jwt-multisig try to encode payload with not the same method when encoding signature.

Payload encoding relies on ActiveSupport::JSON.encode in rails ? which will escape HTML string in JSON body and it will not match to the signature which is not escaped. and also with DateTime as another issue #1

example payload raised an error

{
  "test_html_1": "&",
  "test_html_2": "<html string>",
  "test_datetime": Time.now
}

I think we have 2 solutions for this case

1. Add config.active_support.escape_html_entities_in_json = false in application.rb in rails. but it will affect the whole application (but still not fix for DateTime?).
2. Change payload encoding to be the same method as the signature. so it should be replaced base64_encode(payload.to_json) to be JWT::Base64.url_encode(JWT::JSON.generate(payload)) (same as signature encoding) or using JSON.dump can solve the issue also but it will not the same as signature encoded.