From 977ece1fc576f65ed9da67a83bacf57992ebc9ce Mon Sep 17 00:00:00 2001
From: David Zuckerman
Date: Tue, 21 Apr 2026 12:21:02 -0700
Subject: [PATCH] Alma JWT is using ES256 and not RS256 algorithm changed spec to accommodate alma using ES256 instead of RS256 algorithm
---
 app/controllers/concerns/alma_jwt_validator.rb | 2 +-
 .../concerns/alma_jwt_validator_spec.rb | 18 +++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/app/controllers/concerns/alma_jwt_validator.rb b/app/controllers/concerns/alma_jwt_validator.rb
index d87ae023..fd739397 100644
--- a/app/controllers/concerns/alma_jwt_validator.rb
+++ b/app/controllers/concerns/alma_jwt_validator.rb
@@ -18,7 +18,7 @@ def jwk_set
 def decode_and_verify_jwt(token)
 options = {
- algorithm: 'RS256',
+ algorithm: 'ES256',
 verify_expiration: true,
 verify_aud: false,
 verify_iss: true,
diff --git a/spec/controllers/concerns/alma_jwt_validator_spec.rb b/spec/controllers/concerns/alma_jwt_validator_spec.rb
index 131829a0..90281558 100644
--- a/spec/controllers/concerns/alma_jwt_validator_spec.rb
+++ b/spec/controllers/concerns/alma_jwt_validator_spec.rb
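Review bot: The pinned `algorithm: 'ES256'` in the options hash of decode_and_verify_jwt has no comment saying why this one value is fixed, and the previous value was evidently wrong for this issuer, so the reason belongs next to the option: `# Alma signs these tokens with ES256 (per its JWKS); pin it so a token carrying any other alg header is rejected`. The unchanged `verify_aud: false` two lines below means the audience claim is not checked, which leaves signature, expiry and issuer as the only checks visible here; it is worth confirming that is intended for every consumer of this concern. The options hash and the method body continue past the end of the hunk, so the key lookup and the expected issuer value are not visible.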
@@ -8,25 +8,25 @@
 let(:jwks_url) { "https://api-na.hosted.exlibrisgroup.com/auth/#{alma_institution_code}/jwks.json" }
 let(:expected_iss) { 'Prima' }
- # Generate an RSA key pair for testing
- let(:rsa_key) { OpenSSL::PKey::RSA.new(2048) }
+ # Generate an EC key pair for testing
+ let(:ec_key) { OpenSSL::PKey::EC.generate('prime256v1') }
 let(:kid) { 'test-key-id' }
 let(:test_payload) { { 'userName' => '10335026', 'iss' => expected_iss } }
- # Helper to create JWK hash from RSA key using JWT::JWK
+ # Helper to create JWK hash from EC key using JWT::JWK
 def create_jwk_hash(key, kid)
 jwk = JWT::JWK.new(key, kid: kid)
 jwk.export
 end
 # Helper to generate a valid JWT
- def generate_jwt(payload, key, kid, algorithm = 'RS256')
+ def generate_jwt(payload, key, kid, algorithm = 'ES256')
 header = { 'kid' => kid, 'alg' => algorithm }
 JWT.encode(payload, key, algorithm, header)
 end
 before do
- jwk = create_jwk_hash(rsa_key, kid)
+ jwk = create_jwk_hash(ec_key, kid)
 stub_request(:get, jwks_url)
 .to_return(
@@ -39,7 +39,7 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
 describe '.decode_and_verify_jwt' do
 context 'with a valid JWT' do
 it 'returns the decoded payload' do
- token = generate_jwt(test_payload, rsa_key, kid)
+ token = generate_jwt(test_payload, ec_key, kid)
 result = AlmaJwtValidator.decode_and_verify_jwt(token)
 expect(result).to be_an(Array)
@@ -51,7 +51,7 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
 context 'with an invalid signature' do
 it 'raises JWT::DecodeError' do
 # Generate a token with a different key
- different_key = OpenSSL::PKey::RSA.new(2048)
+ different_key = OpenSSL::PKey::EC.generate('prime256v1')
 token = generate_jwt(test_payload, different_key, kid)
 expect do
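Review bot: Nothing in the updated spec exercises the algorithm pin itself: every token is now built through `generate_jwt` with the new 'ES256' default, so the suite would still pass if the validator's allowed algorithm were widened or dropped later. A case that signs with an RSA key and passes 'RS256' explicitly, placed next to the 'with an invalid signature' context, would catch that regression. The sketch assumes the rejection surfaces as JWT::DecodeError or a subclass, as the neighbouring contexts expect; the describe block itself continues outside these hunks.

```ruby
# … unchanged: context 'with an invalid signature' …

context 'with a token signed using a different algorithm' do
  it 'raises JWT::DecodeError' do
    rsa_key = OpenSSL::PKey::RSA.new(2048)
    token = generate_jwt(test_payload, rsa_key, kid, 'RS256')

    expect do
      AlmaJwtValidator.decode_and_verify_jwt(token)
    end.to raise_error(JWT::DecodeError)
  end
end
```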
@@ -62,7 +62,7 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
 context 'with an unknown key id' do
 it 'raises JWT::DecodeError' do
- token = generate_jwt(test_payload, rsa_key, 'unknown-kid')
+ token = generate_jwt(test_payload, ec_key, 'unknown-kid')
 expect do
 AlmaJwtValidator.decode_and_verify_jwt(token)
@@ -81,7 +81,7 @@ def generate_jwt(payload, key, kid, algorithm = 'RS256')
 context 'when JWKS endpoint is unreachable' do
 it 'raises an error' do
 stub_request(:get, jwks_url).to_return(status: 500)
- token = generate_jwt(test_payload, rsa_key, kid)
+ token = generate_jwt(test_payload, ec_key, kid)
 expect do
 AlmaJwtValidator.decode_and_verify_jwt(token)