From d34d808a36293ccc421f9e054cd041e129bb2185 Mon Sep 17 00:00:00 2001
From: Joakim Antman
Date: Fri, 11 Nov 2022 18:19:08 +0200
Subject: [PATCH] Tests for missing and empty token header

---
 spec/jwt_spec.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/spec/jwt_spec.rb b/spec/jwt_spec.rb
index ce3668ce..da5ba034 100644
--- a/spec/jwt_spec.rb
+++ b/spec/jwt_spec.rb
@@ -781,6 +781,21 @@
 end
 end
+ context 'when token is missing the alg header' do
+ let(:token) { 'e30.eyJ1c2VyX2lkIjoic29tZUB1c2VyLnRsZCJ9.DIKUOt1lwwzWSPBf508IYqk0KzC2PL97OZc6pECzE1I' }
+
+ it 'raises JWT::IncorrectAlgorithm error' do
+ expect { JWT.decode(token, 'secret', true, algorithm: 'HS256') }.to raise_error(JWT::IncorrectAlgorithm, 'Token is missing alg header')
+ end
+ end
+
+ context 'when token has null as the alg header' do
+ let(:token) { 'eyJhbGciOm51bGx9.eyJwYXkiOiJsb2FkIn0.pizVPWJMK-GUuXXEcQD_faZGnZqz_6wKZpoGO4RdqbY' }
+ it 'raises JWT::IncorrectAlgorithm error' do
+ expect { JWT.decode(token, 'secret', true, algorithm: 'HS256') }.to raise_error(JWT::IncorrectAlgorithm, 'Token is missing alg header')
+ end
+ end
+
+
 context 'when algorithm is a custom class' do
 let(:custom_algorithm) do
 Class.new do
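Review bot: The two new contexts pin the missing-`alg` and JSON-null `alg` cases, but an empty-string `alg` (header `{"alg":""}`) has no test even though the subject line mentions an empty header. Whether `JWT.decode` rejects that value with `JWT::IncorrectAlgorithm` is not visible from this hunk, so a third context asserting it would close the gap. The fixtures are opaque, so I would add `# header segment 'e30' is base64url for {}` above the first `let(:token)` and `# header segment decodes to {"alg":null}` above the second. The second context also drops the blank line between `let` and `it` that the first one keeps. The enclosing describe block starts and ends outside the hunk.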