nov · Capncavedan · Mar 6, 2024
diff --git a/lib/json/jwt.rb b/lib/json/jwt.rb
@@ -108,7 +108,11 @@ def decode_compact_serialized(jwt_string, key_or_secret, algorithms = nil, encry
         when JWS::NUM_OF_SEGMENTS
           JWS.decode_compact_serialized jwt_string, key_or_secret, algorithms, allow_blank_payload
         when JWE::NUM_OF_SEGMENTS
-          JWE.decode_compact_serialized jwt_string, key_or_secret, algorithms, encryption_methods
+          if allow_blank_payload
+            raise InvalidFormat.new("JWE w/ blank payload is not supported.")
+          else
+            JWE.decode_compact_serialized jwt_string, key_or_secret, algorithms, encryption_methods
+          end
         else
           raise InvalidFormat.new("Invalid JWT Format. JWT should include #{JWS::NUM_OF_SEGMENTS} or #{JWE::NUM_OF_SEGMENTS} segments.")
         end

diff --git a/spec/json/jwt_spec.rb b/spec/json/jwt_spec.rb
@@ -504,6 +504,14 @@
         end
       end
     end
+
+    context 'when JWE format (5 segments) and allow_blank_payload is true' do
+      it do
+        expect do
+          JSON::JWT.decode 'one.two.three.four.five', 'secret', nil, nil, true
+        end.to raise_error JSON::JWT::InvalidFormat
+      end
+    end
   end
 
   describe '.pretty_generate' do