Changed header's alg parameter to be case sensitive per the JWT spec.

Author: mark-adams

jwt/algorithms.py

@@ -75,7 +75,7 @@ def sign(self, msg, key):
         return b''
 
     def verify(self, msg, key, sig):
-        return True
+        return False
 
 
 class HMACAlgorithm(Algorithm):

jwt/api.py

@@ -144,7 +144,7 @@ def verify_signature(payload, signing_input, header, signature, key='',
         raise TypeError('audience must be a string or None')
 
     try:
-        alg_obj = _algorithms[header['alg'].upper()]
+        alg_obj = _algorithms[header['alg']]
         key = alg_obj.prepare_key(key)
 
         if not alg_obj.verify(signing_input, key, signature):

tests/test_jwt.py

@@ -14,6 +14,8 @@
     _algorithms as jwt_algorithms
 )
 
+from jwt.exceptions import DecodeError
+
 if sys.version_info >= (2, 7):
     import unittest
 else:
@@ -68,6 +70,28 @@ def test_encode_bad_type(self):
         for t in types:
             self.assertRaises(TypeError, lambda: jwt.encode(t, 'secret'))
 
+    def test_encode_algorithm_param_should_be_case_sensitive(self):
+        payload = {'hello': 'world'}
+
+        jwt.encode(payload, 'secret', algorithm='HS256')
+
+        with self.assertRaises(NotImplementedError) as context:
+            jwt.encode(payload, None, algorithm='hs256')
+
+        exception = context.exception
+        self.assertEquals(str(exception), 'Algorithm not supported')
+
+    def test_decode_algorithm_param_should_be_case_sensitive(self):
+        example_jwt = ('eyJhbGciOiJoczI1NiIsInR5cCI6IkpXVCJ9' # alg = hs256
+                       '.eyJoZWxsbyI6IndvcmxkIn0'
+                       '.5R_FEPE7SW2dT9GgIxPgZATjFGXfUDOSwo7TtO_Kd_g')
+
+        with self.assertRaises(DecodeError) as context:
+            jwt.decode(example_jwt, 'secret')
+
+        exception = context.exception
+        self.assertEquals(str(exception), 'Algorithm not supported')
+
     def test_encode_datetime(self):
         secret = 'secret'
         current_datetime = datetime.utcnow()