From ffa5dd3bbac3d02cd3fa7e4a0f2c969ac87b2426 Mon Sep 17 00:00:00 2001
From: Paul Battley
Date: Wed, 13 Mar 2013 17:33:10 +0000
Subject: [PATCH] Verify if verify is truthy (not just true)

Previously, verification was carried out only if verify was true, rather than any non-false, non-nil value, as is conventional in Ruby. This made it perilously easy to skip verification by accident.
---
 lib/jwt.rb | 2 +-
 spec/jwt_spec.rb | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/jwt.rb b/lib/jwt.rb
index 9f730916..da2285e8 100644
--- a/lib/jwt.rb
+++ b/lib/jwt.rb
@@ -70,7 +70,7 @@ def self.decode(jwt, key=nil, verify=true, &keyfinder)
 rescue MultiJson::LoadError => e
 raise JWT::DecodeError.new("Invalid segment encoding")
 end
- if verify == true
+ if verify
 algo = header['alg']
 if keyfinder
diff --git a/spec/jwt_spec.rb b/spec/jwt_spec.rb
index 05ce6d2b..e567bb46 100644
--- a/spec/jwt_spec.rb
+++ b/spec/jwt_spec.rb
@@ -66,6 +66,14 @@
 decoded_payload.should == @payload
 end
+ it "checks the key when verify is truthy" do
+ right_secret = 'foo'
+ bad_secret = 'bar'
+ jwt = JWT.encode(@payload, right_secret)
+ verify = "yes" =~ /^y/i
+ lambda { JWT.decode(jwt, bad_secret, verify) }.should raise_error(JWT::DecodeError)
+ end
+
 it "raises exception on unsupported crypto algorithm" do
 lambda { JWT.encode(@payload, "secret", 'HS1024') }.should raise_error(NotImplementedError)
 end
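Review bot: The new `if verify` still treats `nil` as an opt-out of signature checking, so a caller that passes an unset option through (for example `JWT.decode(token, key, opts[:verify])` with no `:verify` key) silently receives an unverified payload; if the intent is fail-closed, `unless verify == false` would make only an explicit `false` skip verification. Whichever contract is chosen, it should be stated on the method, e.g. `# verify: when false (or nil) the signature is NOT checked; treat the returned payload as untrusted`. The `self.decode` method starts before this hunk and continues after it, so any other use of `verify` elsewhere in the body (not visible here) should be checked for the same truthiness convention.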
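Review bot: `verify = "yes" =~ /^y/i` evaluates to `0`, which is the whole point of the example (a truthy value that is not `true`), but a reader has to know that `=~` returns a match offset to see it; a comment such as `# 0 is truthy but not true; the old == true check would have skipped verification` or simply `verify = 0` makes the intent explicit. A companion example asserting that `JWT.decode(jwt, bad_secret, false)` does not raise would pin the opt-out side of the contract as well. The added `it` block lies entirely within the hunk.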