refactored jwt signature validation to use more built in jwt methods

davezuckerman · davezuckerman · commit a626e32aec8c · 2026-04-15T12:36:06.000-07:00
diff --git a/app/controllers/concerns/alma_jwt_validator.rb b/app/controllers/concerns/alma_jwt_validator.rb
@@ -18,32 +18,18 @@ def jwk_set
 
   # rubocop:disable Metrics/MethodLength
   def decode_and_verify_jwt(token)
-    # Decode header to get the 'kid'
-    header = JWT.decode(token, nil, false).last
-    kid = header['kid']
-
-    # Find the key from the JWK set
-    jwk = jwk_set.keys.find { |key| key.kid == kid }
-    raise JWT::VerificationError, 'Key not found in JWKS' unless jwk
-
-    public_key = jwk.public_key
-
     options = {
       algorithm: 'RS256',
       verify_expiration: true,
       verify_aud: false,
       verify_iss: true,
-      iss: EXPECTED_ISS
+      iss: EXPECTED_ISS,
+      jwks: jwk_set
     }
 
-    # Returns [payload, header] array if valid
-    JWT.decode(token, public_key, true, options)
-  rescue JWT::ExpiredSignature
-    raise JWT::VerificationError, 'Token has expired'
-  rescue JWT::InvalidIssuerError
-    raise JWT::VerificationError, 'Token issuer mismatch'
+    JWT.decode(token, nil, true, options)
   rescue JWT::DecodeError => e
-    raise JWT::VerificationError, "Invalid JWT: #{e.message}"
+    raise JWT::VerificationError, e.message
   end
   # rubocop:enable Metrics/MethodLength
 end
diff --git a/spec/controllers/concerns/alma_jwt_validator_spec.rb b/spec/controllers/concerns/alma_jwt_validator_spec.rb
@@ -13,18 +13,10 @@
   let(:kid) { 'test-key-id' }
   let(:test_payload) { { 'userName' => '10335026', 'iss' => expected_iss } }
 
-  # Helper to create JWK from RSA public key
-  def create_jwk(public_key, kid)
-    n = Base64.urlsafe_encode64(public_key.n.to_s(2)).gsub(/=+$/, '')
-    e = Base64.urlsafe_encode64(public_key.e.to_s(2)).gsub(/=+$/, '')
-    {
-      'kty' => 'RSA',
-      'kid' => kid,
-      'use' => 'sig',
-      'alg' => 'RS256',
-      'n' => n,
-      'e' => e
-    }
+  # Helper to create JWK hash from RSA key using JWT::JWK
+  def create_jwk_hash(key, kid)
+    jwk = JWT::JWK.new(key, kid: kid)
+    jwk.export
   end
 
   # Helper to generate a valid JWT
@@ -34,7 +26,7 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
   end
 
   before do
-    jwk = create_jwk(rsa_key.public_key, kid)
+    jwk = create_jwk_hash(rsa_key, kid)
 
     stub_request(:get, jwks_url)
       .to_return(
@@ -79,10 +71,10 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
     end
 
     context 'with a malformed JWT' do
-      it 'raises JWT::DecodeError' do
+      it 'raises JWT::VerificationError' do
         expect do
           AlmaJwtValidator.decode_and_verify_jwt('not.a.jwt')
-        end.to raise_error(JWT::DecodeError)
+        end.to raise_error(JWT::VerificationError)
       end
     end
 
