ruby-jwt
Certain non-JWT but decodable strings cause "TypeError: no implicit conversion of String into Integer" on decode
This is a bit of an edge case, but it's caused some confusion for us.
If a string is given with segments that can be `Base64.urlsafe_decode64` but doesn't match up to the expectation of a JWT, a `TypeError: no implicit conversion of String into Integer` is raised instead of a `JWT::DecodeError`.
An example string is `Mw.x.x` -- the first segment is decoded as the number `3` for the header which later causes this line to raise the `TypeError: no implicit conversion of String into Integer`:
https://github.com/jwt/ruby-jwt/blob/1fd5b7a8233ea56af03bafaa80ca02a3fc67ac61/lib/jwt/decode.rb#L37
I think we could be a little stricter on the type validation for the header.
I'm guessing there is something in the JWT RFC saying the header needs to be an object with a certain set of attributes.
Adding `raise(JWT::IncorrectAlgorithm, 'Invalid header') unless header.is_a?(Hash)` somewhere maybe
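
The failure discussed in this thread, reproduced with the standard library only. This is an added example, not part of the thread and not ruby-jwt's code: `DecodeError` is a local stand-in for `JWT::DecodeError`, every helper name is hypothetical, and it goes beyond the `Mw.x.x` case to other header segments that are valid JSON but not an object.

```ruby
require 'json'

# Hypothetical stand-in for JWT::DecodeError; the jwt gem is not loaded here.
class DecodeError < StandardError; end

# Stdlib-only URL-safe Base64: restore padding, map the alphabet back, then
# strict-decode ('m0' raises ArgumentError on malformed input).
def urlsafe_decode(segment)
  padded = segment + '=' * ((4 - segment.length % 4) % 4)
  padded.tr('-_', '+/').unpack1('m0')
end

def urlsafe_encode(raw)
  [raw].pack('m0').tr('+/', '-_').delete('=')
end

# Unchecked path: assumes the parsed header is a Hash.
def unchecked_alg(token)
  header = JSON.parse(urlsafe_decode(token.split('.').first))
  header['alg'] # for header == 3 this is Integer#[] with a String argument
end

# Checked path: any header that is not a JSON object becomes a DecodeError.
def checked_header(token)
  segments = token.split('.')
  raise DecodeError, 'Expected three segments' unless segments.length == 3
  header = JSON.parse(urlsafe_decode(segments.first))
  raise DecodeError, 'Invalid header: not a JSON object' unless header.is_a?(Hash)
  header
rescue ArgumentError, JSON::ParserError => e
  raise DecodeError, "Invalid header encoding: #{e.message}"
end

# Returns the name of the exception class raised by the block, or 'none'.
def raised_by
  yield
  'none'
rescue StandardError => e
  e.class.name
end

# Constructed header payloads: valid JSON, but only the last is an object.
SAMPLES = ['3', '[]', '"s"', 'null', '{"alg":"HS256"}'].freeze

SAMPLES.each do |json|
  token = "#{urlsafe_encode(json)}.x.x"
  puts format('%-18s unchecked=%-14s checked=%s', json,
              raised_by { unchecked_alg(token) }, raised_by { checked_header(token) })
end
```

The unchecked path fails differently per header type (or, for a JSON string header, does not fail at all), which is why callers that rescue only the library's decode error miss these inputs.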