Do not raise error when verifying bad HMAC signature

[hieuk09]

Currently, if user inputs token with incorrect signature (example: a part of signature is missing because it was truncated), an error is raised. It can be reproduced using the code below:

data = 'a string to be encoded'
key = 'a secret'
token = JWT.encode(data, key, 'HS256')
new_token = token[0..-2]
JWT.decode(new_token, key, true, algorithm: 'HS256') # raise error Provided authenticator was 31 bytes (Expected 32) (RbNaCl::LengthError)

It would be great if Signature verification failed (JWT::VerificationError) is raised in this case

[anakinj]

The change looks great.

But the plan for the next major version is to drop the RbNaCl for HMAC signatures. Is there any reason for you using it or is it just in use because of the behaviour of the gem currently replaces the hmac algorithm handling with RbNaCl if the rbnacl gem is available?

[hieuk09]

because of the behaviour of the gem currently replaces the hmac algorithm handling with RbNaCl if the rbnacl gem is available?

Yes, this is the reason

[anakinj]

Ok that is good to hear, think the behaviour is a bit strange currently. Until 3.x lets fix the problem like this first. Could you be so kind and create a changelog entry for this PR?

[hieuk09]

Great, thank you. I'll create a changelog entry for it.

[anakinj]

Thank you for the effort of fixing this