From 3de80835da68267d90d93a8f4c43fbc57f301e96 Mon Sep 17 00:00:00 2001
From: jb08
Date: Sat, 22 Feb 2020 08:40:59 -0700
Subject: [PATCH 1/2] verifies algorithm before evaluating keyfinder issue 343

---
 lib/jwt/decode.rb | 6 +++---
 spec/jwt_spec.rb | 10 ++++++++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/lib/jwt/decode.rb b/lib/jwt/decode.rb
index c44f755f..784f6719 100644
--- a/lib/jwt/decode.rb
+++ b/lib/jwt/decode.rb
@@ -33,12 +33,12 @@ def decode_segments
     private
     def verify_signature
-      @key = find_key(&@keyfinder) if @keyfinder
-      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
-
       raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
       raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
+      @key = find_key(&@keyfinder) if @keyfinder
+      @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]
+
       Signature.verify(header['alg'], @key, signing_input, @signature)
     end
diff --git a/spec/jwt_spec.rb b/spec/jwt_spec.rb
index 0fd5e64b..5f2cc4d4 100644
--- a/spec/jwt_spec.rb
+++ b/spec/jwt_spec.rb
@@ -299,6 +299,16 @@
     end.not_to raise_error
   end
+  it 'should raise JWT::IncorrectAlgorithm on mismatch prior to kid public key network call' do
+    token = JWT.encode payload, data[:rsa_private], 'RS256'
+
+    expect do
+      JWT.decode(token, nil, true, { algorithms: ['RS384'] }) do |_,_|
+        # unsuccessful keyfinder public key network call
+      end
+    end.to raise_error JWT::IncorrectAlgorithm
+  end
+
   it 'should raise JWT::IncorrectAlgorithm when algorithms array does not contain algorithm' do
     token = JWT.encode payload, data[:secret], 'HS512'

From 8534290d978b2a0295466c52e7c65e006fbe50bd Mon Sep 17 00:00:00 2001
From: jb08
Date: Mon, 24 Feb 2020 11:00:07 -0700
Subject: [PATCH 2/2] re-kick off CI

---
 spec/jwt_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
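Review bot: The reordered verify_signature now runs both allowed-algorithm checks before any key is resolved, but nothing in the method records that this ordering is deliberate, so a later refactor can silently move the two `@key =` assignments back above the `raise` lines and reopen the issue. A comment above the first `@key =` line such as `# Resolve the key only after the header's alg has passed the allow-list, so an unverified header cannot trigger the keyfinder or a JWKS lookup` would pin the intent in the code rather than only in the spec. Separately, when both `@keyfinder` and `@options[:jwks]` are set, the second assignment overwrites the first without any warning; that behaviour is pre-existing, but since both lines are re-added here it is worth a short comment stating that the JWKS-resolved key wins.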
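Review bot: The new example does not actually prove that the keyfinder is skipped: its block body is only a comment, so the block returns nil, and `JWT.decode` would still raise `JWT::IncorrectAlgorithm` from the allow-list check even if the keyfinder had already been invoked, meaning this spec also passes with the old ordering. Having the block fail loudly, for example replacing the comment with `raise 'keyfinder must not be called before the algorithm check'`, makes the example fail whenever the lookup runs first and turns it into a real regression guard. The block parameters `|_,_|` would conventionally be written `|_, _|` (or named, e.g. `|_header, _payload|`, if those are the yielded values) to match the project's RuboCop style. The enclosing describe/context block starts and ends outside the hunk.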
diff --git a/spec/jwt_spec.rb b/spec/jwt_spec.rb
index 5f2cc4d4..0941f2c4 100644
--- a/spec/jwt_spec.rb
+++ b/spec/jwt_spec.rb
@@ -304,7 +304,7 @@
     expect do
       JWT.decode(token, nil, true, { algorithms: ['RS384'] }) do |_,_|
-        # unsuccessful keyfinder public key network call
+        # unsuccessful keyfinder public key network call here
       end
     end.to raise_error JWT::IncorrectAlgorithm
   end