Merge branch 'master' of github.com:SermoDigital/jose
diff --git a/jws/jws.go b/jws/jws.go
index 29ae67c..c8c9ca4 100644
--- a/jws/jws.go
+++ b/jws/jws.go
@@ -414,7 +414,7 @@
 }
 
 func fromHeader(req *http.Request) ([]byte, bool) {
-	if ah := req.Header.Get("Authorization"); ah != "" && len(ah) > 6 && strings.EqualFold(ah[0:6], "BEARER") {
+	if ah := req.Header.Get("Authorization"); len(ah) > 7 && strings.EqualFold(ah[0:7], "BEARER ") {
 		return []byte(ah[7:]), true
 	}
 	return nil, false
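Review bot: A header consisting of the scheme followed only by spaces (for example `bearer` plus two spaces) still returns ok=true, because the new condition checks only `len(ah) > 7` and `ah[7:]` is returned untrimmed, so the caller receives a whitespace-only token. Trimming and rejecting an empty remainder would close that gap: `tok := strings.TrimSpace(ah[7:])` followed by `if tok != "" { return []byte(tok), true }`. A doc comment such as `// fromHeader returns the bearer token from the Authorization header; the scheme is matched case-insensitively and must be followed by a space.` would record the contract this fix establishes. The closing brace of fromHeader lies outside the hunk.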
diff --git a/jws/jws_validate.go b/jws/jws_validate.go
index d064113..e5e3abd 100644
--- a/jws/jws_validate.go
+++ b/jws/jws_validate.go
@@ -196,7 +196,7 @@
 }
 
 func (s *sigHead) verify(pl []byte, key interface{}, method crypto.SigningMethod) error {
-	if s.method != method {
+	if s.method.Alg() != method.Alg() || s.method.Hasher() != method.Hasher() {
 		return ErrMismatchedAlgorithms
 	}
 	return method.Verify(format(s.Protected, pl), s.Signature, key)
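Review bot: The new comparison calls `s.method.Alg()` and `method.Alg()` unconditionally, which panics if either interface value is nil, whereas the removed `s.method != method` was nil-safe. Whether s.method can be nil (for instance when the token's header names an algorithm the library does not know) is not visible in this hunk, but verify handles attacker-supplied tokens, so a guard ahead of the comparison is cheap: `if s.method == nil || method == nil { return ErrMismatchedAlgorithms }`. A short comment saying why the check compares Alg and Hasher rather than interface identity would keep a later cleanup from reverting it. The function's closing brace is outside the hunk.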
diff --git a/jws/jwt_test.go b/jws/jwt_test.go
index 5ea4a9b..c0056c3 100644
--- a/jws/jwt_test.go
+++ b/jws/jwt_test.go
@@ -2,6 +2,7 @@
 
 import (
 	"errors"
+	"net/http"
 	"testing"
 	"time"
 
@@ -82,3 +83,49 @@
 		t.Error(err)
 	}
 }
+
+func TestFromHeader(t *testing.T) {
+	header := http.Header{}
+	req := &http.Request{
+		Header: header,
+	}
+
+	_, ok := fromHeader(req)
+	if ok {
+		t.Errorf("fromHeader should return !ok when request doesn't have an authorization header")
+	}
+
+	header.Set("Authorization", "invalid")
+	_, ok = fromHeader(req)
+	if ok {
+		t.Errorf("fromHeader should return !ok when Authorization header value is invalid")
+	}
+
+	header.Set("Authorization", "bearer")
+	_, ok = fromHeader(req)
+	if ok {
+		t.Errorf("fromHeader should return !ok when Authorization header value doesn't contain any value for a token")
+	}
+
+	header.Set("Authorization", "bearer ")
+	_, ok = fromHeader(req)
+	if ok {
+		t.Errorf("fromHeader should return !ok when Authorization header value doesn't contain any value for a token")
+	}
+
+	header.Set("Authorization", "BEARER ")
+	_, ok = fromHeader(req)
+	if ok {
+		t.Errorf("fromHeader should return !ok when Authorization header value doesn't contain any value for a token")
+	}
+
+	header.Set("Authorization", "BEARER t")
+	token, ok := fromHeader(req)
+	if !ok {
+		t.Errorf("fromHeader should return ok when Authorization header contains a value for a token")
+	}
+
+	if string(token) != "t" {
+		t.Errorf("fromHeader should return the value set as token in the Auhorization header")
+	}
+}
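Review bot: TestFromHeader does not pin the case the fromHeader change is about: a value longer than seven bytes whose scheme is not followed by a space, which the old `ah[0:6]` comparison accepted. Every rejected input here is seven bytes or shorter or has nothing after the space, so the test would miss a regression to the old prefix check. Adding a case with `header.Set("Authorization", "bearerxt")` that expects `!ok` would cover it, and a mixed-case `Bearer t` case would pin the case-insensitive match. The final message misspells the header name as `Auhorization`, and the three identical "doesn't contain any value for a token" messages make a failure hard to locate; a table-driven loop with the input in the message would fix both.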