Token created/compressed with 0.10.6 can't be parsed with 0.10.7 #536

Closed
lkoe opened this issue Nov 28, 2019 · 7 comments · Fixed by #557

@lkoe

lkoe commented Nov 28, 2019

Simple testcase:

import java.time.LocalDate;
import java.time.ZoneOffset;
import java.util.Date;

import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

import io.jsonwebtoken.CompressionCodecs;
import io.jsonwebtoken.Jwt;
import io.jsonwebtoken.Jwts;

public class JjwtDeflateCompatibilityTest {

    @Test
    public void testJjwt0_10_6() {

        String jwt = Jwts.builder().setIssuer("me").setSubject("user")
                .setIssuedAt(Date.from(LocalDate.of(2000, 1, 1).atStartOfDay().toInstant(ZoneOffset.UTC)))
                .setExpiration(Date.from(LocalDate.of(2100, 1, 1).atStartOfDay().toInstant(ZoneOffset.UTC)))
                .compressWith(CompressionCodecs.DEFLATE).compact();

        Jwt<?, ?> parsed = Jwts.parser().parse(jwt);

        // Same token as above, but created with 0.10.6
        String jwt0_10_6 = "eyJhbGciOiJub25lIiwiemlwIjoiREVGIn0.eNqqVsosLlayUspNVdJRKi5NAjJLi1OLgJzMxBIlK0sTMzMLEwsDAx2l1IoCJSsTQwMjExOQQC0AAAD__w.";
        Jwt<?, ?> parsed2 = Jwts.parser().parse(jwt0_10_6);

        Assertions.assertEquals(parsed.toString(), parsed2.toString()); // fails currently
    }
}

Fails currently with:

io.jsonwebtoken.CompressionException: Unable to decompress bytes.
	at io.jsonwebtoken.impl.compression.AbstractCompressionCodec.decompress(AbstractCompressionCodec.java:114)
	at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:294)
...
Caused by: java.io.EOFException: Unexpected end of ZLIB input stream
	at java.util.zip.InflaterInputStream.fill(InflaterInputStream.java:240)
	at java.util.zip.InflaterInputStream.read(InflaterInputStream.java:158)
	at java.io.FilterInputStream.read(FilterInputStream.java:107)
	at io.jsonwebtoken.impl.compression.AbstractCompressionCodec.readAndClose(AbstractCompressionCodec.java:51)
	at io.jsonwebtoken.impl.compression.DeflateCompressionCodec.doDecompress(DeflateCompressionCodec.java:52)
	at io.jsonwebtoken.impl.compression.AbstractCompressionCodec.decompress(AbstractCompressionCodec.java:112)
	... 55 more
@lhazlewood
Contributor

Hi there - thanks for the issue!

Do you know if this has anything to do with the fact that the test JWT is not signed? Have you tried it with a signed JWT between 0.10.6 and 0.10.7? Just curious...

@lkoe
Author

lkoe commented Dec 31, 2019

Hi, the issue also happens with signed tokens - I just narrowed the reproducer down to the most simple case.
It seems as if the ZLIB compression implementation changed between 0.10.6 and 0.10.7 but I couldn't find any related issue attached to the version.

@lkoe
Author

lkoe commented Dec 31, 2019

Related question: would you recommend ZIP compression over DEF? Since clients of our token server might use older versions we need tokens to be stable across versions...

@lhazlewood lhazlewood added the bug label Jan 8, 2020
@lhazlewood
Contributor

@lkoe I don't have a particular recommendation really - my assumption is gzip is pretty-well ubiquitous so I'd probably default to that in my own projects, but that's just a personal preference - not something I can 'formally' recommend (if that makes sense). Cheers!

lhazlewood added a commit that referenced this issue Feb 4, 2020
…ation if encountering an IOException. This allows compressed JWTs created before 0.10.7 to still work. Fixes #536
@lhazlewood
Contributor

lhazlewood commented Feb 4, 2020

@lkoe I dug into this more today, and unfortunately this issue came about as a side effect of fixing a memory leak in the DeflateCompressionCodec in 0.10.6 and earlier. It was fixed in the 0.10.7 release per #392.

I've opened #556 to fix this particular issue to ensure backwards compatibility.

@lhazlewood
Contributor

P.S. even though this is a backwards compatible fix, those using DEFLATE on 0.10.6 should upgrade to 0.10.7 or 0.10.8 as soon as we release it to avoid the memory leak in DEFLATE <= 0.10.6.

lhazlewood added a commit that referenced this issue Feb 4, 2020
…ation if encountering an IOException. This allows compressed JWTs created before 0.10.7 to still work. Fixes #536 (#556)
@lkoe
Author

lkoe commented Feb 4, 2020

Thanks @lhazlewood much appreciated!

lhazlewood added a commit that referenced this issue Feb 4, 2020
…ation if encountering an IOException. This allows compressed JWTs created before 0.10.7 to still work. Fixes #536 (#556) (#557)
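
An added example, not part of the thread and not JJWT's code: it decodes the compressed payload of the 0.10.6 token quoted in the issue with the strict `InflaterInputStream` path seen in the stack trace, then retries with a lenient `Inflater` loop after the `IOException`. The names `LegacyDeflateDemo`, `strict`, `lenient` and the `MAX_OUTPUT` cap are assumptions made for illustration; it needs Java 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.DataFormatException;
import java.util.zip.Inflater;
import java.util.zip.InflaterInputStream;

public class LegacyDeflateDemo {
    static final int MAX_OUTPUT = 64 * 1024; // assumed cap on decompressed claims, sized for this demo

    // Strict path: throws EOFException if the ZLIB stream was never finished. Reads at most MAX_OUTPUT bytes.
    static byte[] strict(byte[] in) throws IOException {
        try (InflaterInputStream s = new InflaterInputStream(new ByteArrayInputStream(in))) {
            return s.readNBytes(MAX_OUTPUT);
        }
    }

    // Lenient path: returns whatever inflates cleanly from an unterminated stream.
    // The Adler-32 trailer is never checked here, and output is bounded explicitly.
    static byte[] lenient(byte[] in) throws IOException {
        Inflater inf = new Inflater();
        inf.setInput(in);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[512];
        try {
            while (!inf.finished()) {
                int n = inf.inflate(buf);
                if (n == 0) break; // input exhausted before end-of-stream: stop instead of failing
                out.write(buf, 0, n);
                if (out.size() > MAX_OUTPUT) throw new IOException("decompressed claims exceed cap");
            }
        } catch (DataFormatException e) {
            throw new IOException("corrupt DEFLATE data", e);
        } finally {
            inf.end(); // release the native zlib buffers held by this Inflater
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Token copied from the issue's test case; the second segment is the compressed payload.
        String jwt = "eyJhbGciOiJub25lIiwiemlwIjoiREVGIn0.eNqqVsosLlayUspNVdJRKi5NAjJLi1OLgJzMxBIlK0sTMzMLEwsDAx2l1IoCJSsTQwMjExOQQC0AAAD__w.";
        byte[] body = Base64.getUrlDecoder().decode(jwt.split("\\.")[1]);
        try {
            System.out.println("strict: " + new String(strict(body), StandardCharsets.UTF_8));
        } catch (IOException e) {
            System.out.println("strict failed (" + e.getMessage() + "), lenient: " + new String(lenient(body), StandardCharsets.UTF_8));
        }
    }
}
```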