Only verify with known algorithms

kylef · kylef · commit 5dc3eade1e18 · 2015-04-05T23:51:51.000+01:00
diff --git a/JWT/Decode.swift b/JWT/Decode.swift
@@ -9,9 +9,6 @@ public enum InvalidToken : Printable {
   /// The JWT uses an unsupported algorithm
   case InvalidAlgorithm
 
-  /// An invalid key was used when trying to validate a JWT
-  case InvalidKey
-
   /// The issued claim has expired
   case ExpiredSignature
 
@@ -43,9 +40,7 @@ public enum InvalidToken : Printable {
     case InvalidAudience:
       return "Invalid Audience"
     case InvalidAlgorithm:
-      return "Unsupported Algorithm"
-    case InvalidKey:
-      return "Invalid Key"
+      return "Unsupported algorithm or incorrect key"
     }
   }
 }
@@ -60,13 +55,12 @@ public enum DecodeResult {
   case Failure(InvalidToken)
 }
 
-
 /// Decode a JWT
-public func decode(jwt:String, key:String? = nil, verify:Bool = true, audience:String? = nil, issuer:String? = nil) -> DecodeResult {
+public func decode(jwt:String, algorithms:[Algorithm], verify:Bool = true, audience:String? = nil, issuer:String? = nil) -> DecodeResult {
   switch load(jwt) {
   case let .Success(header, payload, signature, signatureInput):
     if verify {
-      if let failure = validateClaims(payload, audience, issuer) ?? verifySignature(header, signatureInput, signature, key) {
+      if let failure = validateClaims(payload, audience, issuer) ?? verifySignature(algorithms, header, signatureInput, signature) {
         return .Failure(failure)
       }
     }
@@ -77,6 +71,11 @@ public func decode(jwt:String, key:String? = nil, verify:Bool = true, audience:S
   }
 }
 
+/// Decode a JWT
+public func decode(jwt:String, algorithm:Algorithm, verify:Bool = true, audience:String? = nil, issuer:String? = nil) -> DecodeResult {
+  return decode(jwt, [algorithm], verify: verify, audience: audience, issuer: issuer)
+}
+
 // MARK: Parsing a JWT
 
 enum LoadResult {
@@ -125,14 +124,13 @@ func load(jwt:String) -> LoadResult {
 
 // MARK: Signature Verification
 
-func verifySignature(header:Payload, signingInput:String, signature:NSData, key:String?) -> InvalidToken? {
+func verifySignature(algorithms:[Algorithm], header:Payload, signingInput:String, signature:NSData) -> InvalidToken? {
   if let alg = header["alg"] as? String {
-    if let algoritm = Algorithm.algorithm(alg, key: key) {
-      if algoritm.verify(signingInput, signature: signature) {
-        return nil
-      } else {
-        return .InvalidKey
-      }
+    let matchingAlgorithms = filter(algorithms) { algorithm in  algorithm.description == alg }
+    let results = map(matchingAlgorithms) { algorithm in algorithm.verify(signingInput, signature: signature) }
+    let successes = filter(results) { $0 }
+    if successes.count > 0 {
+      return nil
     }
 
     return .InvalidAlgorithm
diff --git a/JWTTests/JWTTests.swift b/JWTTests/JWTTests.swift
@@ -13,57 +13,58 @@ class JWTEncodeTests : XCTestCase {
 class JWTDecodeTests : XCTestCase {
   func testDecodingValidJWT() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiS3lsZSJ9.zxm7xcp1eZtZhp4t-nlw09ATQnnFKIiSN83uG8u6cAg"
-    assertSuccess(decode(jwt, key:"secret")) { payload in
+    let result = JWT.decode(jwt, .HS256("secret"))
+    assertSuccess(result) { payload in
       XCTAssertEqual(payload as NSDictionary, ["name": "Kyle"])
     }
   }
 
   func testFailsToDecodeInvalidStringWithoutThreeSegments() {
-    assertDecodeError(decode("a.b"), "Not enough segments")
+    assertDecodeError(decode("a.b", .None), "Not enough segments")
   }
 
   // MARK: Disable verify
 
   func testDisablingVerify() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w"
-    assertSuccess(decode(jwt, verify:false, issuer:"fuller.li"))
+    assertSuccess(decode(jwt, .None, verify:false, issuer:"fuller.li"))
   }
 
   // MARK: Issuer claim
 
   func testSuccessfulIssuerValidation() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmdWxsZXIubGkifQ.d7B7PAQcz1E6oNhrlxmHxHXHgg39_k7X7wWeahl8kSQ"
-    assertSuccess(decode(jwt, key:"secret", issuer:"fuller.li")) { payload in
+    assertSuccess(decode(jwt, .HS256("secret"), issuer:"fuller.li")) { payload in
       XCTAssertEqual(payload as NSDictionary, ["iss": "fuller.li"])
     }
   }
 
   func testIncorrectIssuerValidation() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmdWxsZXIubGkifQ.wOhJ9_6lx-3JGJPmJmtFCDI3kt7uMAMmhHIslti7ryI"
-    assertFailure(decode(jwt, key:"secret", issuer:"querykit.org"))
+    assertFailure(decode(jwt, .HS256("secret"), issuer:"querykit.org"))
   }
 
   func testMissingIssuerValidation() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w"
-    assertFailure(decode(jwt, key:"secret", issuer:"fuller.li"))
+    assertFailure(decode(jwt, .HS256("secret"), issuer:"fuller.li"))
   }
 
   // MARK: Expiration claim
 
   func testExpiredClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MjgxODg0OTF9.cy6b2szsNkKnHFnz2GjTatGjoHBTs8vBKnPGZgpp91I"
-    assertFailure(decode(jwt, key:"secret"))
+    assertFailure(decode(jwt, .HS256("secret")))
   }
 
   func testInvalidExpiaryClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOlsiMTQyODE4ODQ5MSJdfQ.OwF-wd3THjxrEGUhh6IdnNhxQZ7ydwJ3Z6J_dfl9MBs"
-    assertFailure(decode(jwt, key:"secret"))
+    assertFailure(decode(jwt, .HS256("secret")))
   }
 
   func testUnexpiredClaim() {
     // If this just started failing, hello 2024!
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjgxODg0OTF9.EW7k-8Mvnv0GpvOKJalFRLoCB3a3xGG3i7hAZZXNAz0"
-    assertSuccess(decode(jwt, key:"secret")) { payload in
+    assertSuccess(decode(jwt, .HS256("secret"))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["exp": 1728188491])
     }
   }
@@ -72,81 +73,86 @@ class JWTDecodeTests : XCTestCase {
 
   func testNotBeforeClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0MjgxODk3MjB9.jFT0nXAJvEwyG6R7CMJlzNJb7FtZGv30QRZpYam5cvs"
-    assertSuccess(decode(jwt, key:"secret")) { payload in
+    assertSuccess(decode(jwt, .HS256("secret"))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["nbf": 1428189720])
     }
   }
 
   func testInvalidNotBeforeClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOlsxNDI4MTg5NzIwXX0.PUL1FQubzzJa4MNXe2D3d5t5cMaqFr3kYlzRUzly-C8"
-    assertDecodeError(decode(jwt, key:"secret"), "Not before claim (nbf) must be an integer")
+    assertDecodeError(decode(jwt, .HS256("secret")), "Not before claim (nbf) must be an integer")
   }
 
   func testUnmetNotBeforeClaim() {
     // If this just started failing, hello 2024!
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MjgxODg0OTF9.Tzhu1tu-7BXcF5YEIFFE1Vmg4tEybUnaz58FR4PcblQ"
-    assertFailure(decode(jwt, key:"secret"))
+    assertFailure(decode(jwt, .HS256("secret")))
   }
 
   // MARK: Issued at claim
 
   func testIssuedAtClaimInThePast() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0MjgxODk3MjB9.I_5qjRcCUZVQdABLwG82CSuu2relSdIyJOyvXWUAJh4"
-    assertSuccess(decode(jwt, key:"secret")) { payload in
+    assertSuccess(decode(jwt, .HS256("secret"))) { payload in
       XCTAssertEqual(payload as NSDictionary, ["iat": 1428189720])
     }
   }
 
   func testIssuedAtClaimInTheFuture() {
     // If this just started failing, hello 2024!
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjgxODg0OTF9.owHiJyJmTcW1lBW5y_Rz3iBfSbcNiXlbZ2fY9qR7-aU"
-    assertFailure(decode(jwt, key:"secret"))
+    assertFailure(decode(jwt, .HS256("secret")))
   }
 
   func testInvalidIssuedAtClaim() {
     // If this just started failing, hello 2024!
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOlsxNzI4MTg4NDkxXX0.ND7QMWtLkXDXH38OaXM3SQgLo3Z5TNgF_pcfWHV_alQ"
-    assertDecodeError(decode(jwt, key:"secret"), "Issued at claim (iat) must be an integer")
+    assertDecodeError(decode(jwt, .HS256("secret")), "Issued at claim (iat) must be an integer")
   }
 
   // MARK: Audience claims
 
   func testAudiencesClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsibWF4aW5lIiwia2F0aWUiXX0.-PKvdNLCClrWG7CvesHP6PB0-vxu-_IZcsYhJxBy5JM"
-    assertSuccess(decode(jwt, key:"secret", audience:"maxine")) { payload in
+    assertSuccess(decode(jwt, .HS256("secret"), audience:"maxine")) { payload in
       XCTAssertEqual(payload as NSDictionary, ["aud": ["maxine", "katie"]])
     }
   }
 
   func testAudienceClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJreWxlIn0.dpgH4JOwueReaBoanLSxsGTc7AjKUvo7_M1sAfy_xVE"
-    assertSuccess(decode(jwt, key:"secret", audience:"kyle")) { payload in
+    assertSuccess(decode(jwt, .HS256("secret"), audience:"kyle")) { payload in
       XCTAssertEqual(payload as NSDictionary, ["aud": "kyle"])
     }
   }
 
   func testMismatchAudienceClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJreWxlIn0.VEB_n06pTSLlTXPFkc46ARADJ9HXNUBUPo3VhL9RDe4" // kyle
-    assertFailure(decode(jwt, key:"secret", audience:"maxine"))
+    assertFailure(decode(jwt, .HS256("secret"), audience:"maxine"))
   }
 
   func testMissingAudienceClaim() {
     let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w"
-    assertFailure(decode(jwt, key:"secret", audience:"kyle"))
+    assertFailure(decode(jwt, .HS256("secret"), audience:"kyle"))
   }
 
   // MARK: Signature verification
 
   func testNoneAlgorithm() {
     let jwt = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ0ZXN0IjoiaW5nIn0."
-    assertSuccess(decode(jwt)) { payload in
+    assertSuccess(decode(jwt, .None)) { payload in
       XCTAssertEqual(payload as NSDictionary, ["test": "ing"])
     }
   }
 
   func testNoneFailsWithSecretAlgorithm() {
     let jwt = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ0ZXN0IjoiaW5nIn0."
-    assertFailure(decode(jwt, key:"secret"))
+    assertFailure(decode(jwt, .HS256("secret")))
+  }
+
+  func testMatchesAnyAlgorithm() {
+    let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w."
+    assertFailure(decode(jwt, [.HS256("anothersecret"), .HS256("secret")]))
   }
 }
 
diff --git a/README.md b/README.md
@@ -26,8 +26,16 @@ JWT.encode(["my": "payload"], .HS256("secret"))
 
 ### Decoding a JWT
 
+When decoding a JWT, you must supply one or more algorithms and keys.
+
+```swift
+JWT.decode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w", .HS256("secret"))
+```
+
+When the JWT may be signed with one out of many algorithms or keys:
+
 ```swift
-JWT.decode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w")
+JWT.decode("eyJh...5w", [.HS256("secret"), .HS256("secret2"), .HS512("secure")])
 ```
 
 #### Supported claims

Original file line number	Diff line number	Diff line change
`@@ -13,57 +13,58 @@ class JWTEncodeTests : XCTestCase {`
`13`	`13`	`class JWTDecodeTests : XCTestCase {`
`14`	`14`	`func testDecodingValidJWT() {`
`15`	`15`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiS3lsZSJ9.zxm7xcp1eZtZhp4t-nlw09ATQnnFKIiSN83uG8u6cAg"`
`16`		`- assertSuccess(decode(jwt, key:"secret")) { payload in`
	`16`	`+ let result = JWT.decode(jwt, .HS256("secret"))`
	`17`	`+ assertSuccess(result) { payload in`
`17`	`18`	`XCTAssertEqual(payload as NSDictionary, ["name": "Kyle"])`
`18`	`19`	`}`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`func testFailsToDecodeInvalidStringWithoutThreeSegments() {`
`22`		`- assertDecodeError(decode("a.b"), "Not enough segments")`
	`23`	`+ assertDecodeError(decode("a.b", .None), "Not enough segments")`
`23`	`24`	`}`
`24`	`25`
`25`	`26`	`// MARK: Disable verify`
`26`	`27`
`27`	`28`	`func testDisablingVerify() {`
`28`	`29`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w"`
`29`		`- assertSuccess(decode(jwt, verify:false, issuer:"fuller.li"))`
	`30`	`+ assertSuccess(decode(jwt, .None, verify:false, issuer:"fuller.li"))`
`30`	`31`	`}`
`31`	`32`
`32`	`33`	`// MARK: Issuer claim`
`33`	`34`
`34`	`35`	`func testSuccessfulIssuerValidation() {`
`35`	`36`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmdWxsZXIubGkifQ.d7B7PAQcz1E6oNhrlxmHxHXHgg39_k7X7wWeahl8kSQ"`
`36`		`- assertSuccess(decode(jwt, key:"secret", issuer:"fuller.li")) { payload in`
	`37`	`+ assertSuccess(decode(jwt, .HS256("secret"), issuer:"fuller.li")) { payload in`
`37`	`38`	`XCTAssertEqual(payload as NSDictionary, ["iss": "fuller.li"])`
`38`	`39`	`}`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`func testIncorrectIssuerValidation() {`
`42`	`43`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJmdWxsZXIubGkifQ.wOhJ9_6lx-3JGJPmJmtFCDI3kt7uMAMmhHIslti7ryI"`
`43`		`- assertFailure(decode(jwt, key:"secret", issuer:"querykit.org"))`
	`44`	`+ assertFailure(decode(jwt, .HS256("secret"), issuer:"querykit.org"))`
`44`	`45`	`}`
`45`	`46`
`46`	`47`	`func testMissingIssuerValidation() {`
`47`	`48`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w"`
`48`		`- assertFailure(decode(jwt, key:"secret", issuer:"fuller.li"))`
	`49`	`+ assertFailure(decode(jwt, .HS256("secret"), issuer:"fuller.li"))`
`49`	`50`	`}`
`50`	`51`
`51`	`52`	`// MARK: Expiration claim`
`52`	`53`
`53`	`54`	`func testExpiredClaim() {`
`54`	`55`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MjgxODg0OTF9.cy6b2szsNkKnHFnz2GjTatGjoHBTs8vBKnPGZgpp91I"`
`55`		`- assertFailure(decode(jwt, key:"secret"))`
	`56`	`+ assertFailure(decode(jwt, .HS256("secret")))`
`56`	`57`	`}`
`57`	`58`
`58`	`59`	`func testInvalidExpiaryClaim() {`
`59`	`60`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOlsiMTQyODE4ODQ5MSJdfQ.OwF-wd3THjxrEGUhh6IdnNhxQZ7ydwJ3Z6J_dfl9MBs"`
`60`		`- assertFailure(decode(jwt, key:"secret"))`
	`61`	`+ assertFailure(decode(jwt, .HS256("secret")))`
`61`	`62`	`}`
`62`	`63`
`63`	`64`	`func testUnexpiredClaim() {`
`64`	`65`	`// If this just started failing, hello 2024!`
`65`	`66`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3MjgxODg0OTF9.EW7k-8Mvnv0GpvOKJalFRLoCB3a3xGG3i7hAZZXNAz0"`
`66`		`- assertSuccess(decode(jwt, key:"secret")) { payload in`
	`67`	`+ assertSuccess(decode(jwt, .HS256("secret"))) { payload in`
`67`	`68`	`XCTAssertEqual(payload as NSDictionary, ["exp": 1728188491])`
`68`	`69`	`}`
`69`	`70`	`}`
`@@ -72,81 +73,86 @@ class JWTDecodeTests : XCTestCase {`
`72`	`73`
`73`	`74`	`func testNotBeforeClaim() {`
`74`	`75`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0MjgxODk3MjB9.jFT0nXAJvEwyG6R7CMJlzNJb7FtZGv30QRZpYam5cvs"`
`75`		`- assertSuccess(decode(jwt, key:"secret")) { payload in`
	`76`	`+ assertSuccess(decode(jwt, .HS256("secret"))) { payload in`
`76`	`77`	`XCTAssertEqual(payload as NSDictionary, ["nbf": 1428189720])`
`77`	`78`	`}`
`78`	`79`	`}`
`79`	`80`
`80`	`81`	`func testInvalidNotBeforeClaim() {`
`81`	`82`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOlsxNDI4MTg5NzIwXX0.PUL1FQubzzJa4MNXe2D3d5t5cMaqFr3kYlzRUzly-C8"`
`82`		`- assertDecodeError(decode(jwt, key:"secret"), "Not before claim (nbf) must be an integer")`
	`83`	`+ assertDecodeError(decode(jwt, .HS256("secret")), "Not before claim (nbf) must be an integer")`
`83`	`84`	`}`
`84`	`85`
`85`	`86`	`func testUnmetNotBeforeClaim() {`
`86`	`87`	`// If this just started failing, hello 2024!`
`87`	`88`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MjgxODg0OTF9.Tzhu1tu-7BXcF5YEIFFE1Vmg4tEybUnaz58FR4PcblQ"`
`88`		`- assertFailure(decode(jwt, key:"secret"))`
	`89`	`+ assertFailure(decode(jwt, .HS256("secret")))`
`89`	`90`	`}`
`90`	`91`
`91`	`92`	`// MARK: Issued at claim`
`92`	`93`
`93`	`94`	`func testIssuedAtClaimInThePast() {`
`94`	`95`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE0MjgxODk3MjB9.I_5qjRcCUZVQdABLwG82CSuu2relSdIyJOyvXWUAJh4"`
`95`		`- assertSuccess(decode(jwt, key:"secret")) { payload in`
	`96`	`+ assertSuccess(decode(jwt, .HS256("secret"))) { payload in`
`96`	`97`	`XCTAssertEqual(payload as NSDictionary, ["iat": 1428189720])`
`97`	`98`	`}`
`98`	`99`	`}`
`99`	`100`
`100`	`101`	`func testIssuedAtClaimInTheFuture() {`
`101`	`102`	`// If this just started failing, hello 2024!`
`102`	`103`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE3MjgxODg0OTF9.owHiJyJmTcW1lBW5y_Rz3iBfSbcNiXlbZ2fY9qR7-aU"`
`103`		`- assertFailure(decode(jwt, key:"secret"))`
	`104`	`+ assertFailure(decode(jwt, .HS256("secret")))`
`104`	`105`	`}`
`105`	`106`
`106`	`107`	`func testInvalidIssuedAtClaim() {`
`107`	`108`	`// If this just started failing, hello 2024!`
`108`	`109`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOlsxNzI4MTg4NDkxXX0.ND7QMWtLkXDXH38OaXM3SQgLo3Z5TNgF_pcfWHV_alQ"`
`109`		`- assertDecodeError(decode(jwt, key:"secret"), "Issued at claim (iat) must be an integer")`
	`110`	`+ assertDecodeError(decode(jwt, .HS256("secret")), "Issued at claim (iat) must be an integer")`
`110`	`111`	`}`
`111`	`112`
`112`	`113`	`// MARK: Audience claims`
`113`	`114`
`114`	`115`	`func testAudiencesClaim() {`
`115`	`116`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsibWF4aW5lIiwia2F0aWUiXX0.-PKvdNLCClrWG7CvesHP6PB0-vxu-_IZcsYhJxBy5JM"`
`116`		`- assertSuccess(decode(jwt, key:"secret", audience:"maxine")) { payload in`
	`117`	`+ assertSuccess(decode(jwt, .HS256("secret"), audience:"maxine")) { payload in`
`117`	`118`	`XCTAssertEqual(payload as NSDictionary, ["aud": ["maxine", "katie"]])`
`118`	`119`	`}`
`119`	`120`	`}`
`120`	`121`
`121`	`122`	`func testAudienceClaim() {`
`122`	`123`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJreWxlIn0.dpgH4JOwueReaBoanLSxsGTc7AjKUvo7_M1sAfy_xVE"`
`123`		`- assertSuccess(decode(jwt, key:"secret", audience:"kyle")) { payload in`
	`124`	`+ assertSuccess(decode(jwt, .HS256("secret"), audience:"kyle")) { payload in`
`124`	`125`	`XCTAssertEqual(payload as NSDictionary, ["aud": "kyle"])`
`125`	`126`	`}`
`126`	`127`	`}`
`127`	`128`
`128`	`129`	`func testMismatchAudienceClaim() {`
`129`	`130`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJreWxlIn0.VEB_n06pTSLlTXPFkc46ARADJ9HXNUBUPo3VhL9RDe4" // kyle`
`130`		`- assertFailure(decode(jwt, key:"secret", audience:"maxine"))`
	`131`	`+ assertFailure(decode(jwt, .HS256("secret"), audience:"maxine"))`
`131`	`132`	`}`
`132`	`133`
`133`	`134`	`func testMissingAudienceClaim() {`
`134`	`135`	`let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w"`
`135`		`- assertFailure(decode(jwt, key:"secret", audience:"kyle"))`
	`136`	`+ assertFailure(decode(jwt, .HS256("secret"), audience:"kyle"))`
`136`	`137`	`}`
`137`	`138`
`138`	`139`	`// MARK: Signature verification`
`139`	`140`
`140`	`141`	`func testNoneAlgorithm() {`
`141`	`142`	`let jwt = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ0ZXN0IjoiaW5nIn0."`
`142`		`- assertSuccess(decode(jwt)) { payload in`
	`143`	`+ assertSuccess(decode(jwt, .None)) { payload in`
`143`	`144`	`XCTAssertEqual(payload as NSDictionary, ["test": "ing"])`
`144`	`145`	`}`
`145`	`146`	`}`
`146`	`147`
`147`	`148`	`func testNoneFailsWithSecretAlgorithm() {`
`148`	`149`	`let jwt = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ0ZXN0IjoiaW5nIn0."`
`149`		`- assertFailure(decode(jwt, key:"secret"))`
	`150`	`+ assertFailure(decode(jwt, .HS256("secret")))`
	`151`	`+ }`
	`152`	`+`
	`153`	`+ func testMatchesAnyAlgorithm() {`
	`154`	`+ let jwt = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.2_8pWJfyPup0YwOXK7g9Dn0cF1E3pdn299t4hSeJy5w."`
	`155`	`+ assertFailure(decode(jwt, [.HS256("anothersecret"), .HS256("secret")]))`
`150`	`156`	`}`
`151`	`157`	`}`
`152`	`158`