Mismatch payload when compared to signature #6

Open
jengjeng opened this issue Dec 15, 2020 · 1 comment
Comments


jengjeng commented Dec 15, 2020

When using it with Rails, I found it raises the error #<JWT::VerificationError: Signature verification raised>, because jwt-multisig tries to encode the payload with a method that is not the same as the one used when encoding the signature.

Payload encoding relies on ActiveSupport::JSON.encode in Rails (?), which escapes HTML strings in the JSON body, so it will not match the signature, which is not escaped. The same happens with DateTime, as in issue #1.

Example payload that raised an error:

{
  "test_html_1": "&",
  "test_html_2": "<html string>",
  "test_datetime": Time.now
}

I think we have 2 solutions for this case:

  1. Add config.active_support.escape_html_entities_in_json = false in application.rb in Rails, but it will affect the whole application (and still does not fix DateTime?).
  2. Change the payload encoding to the same method as the signature, so base64_encode(payload.to_json) should be replaced with JWT::Base64.url_encode(JWT::JSON.generate(payload)) (same as the signature encoding). Using JSON.dump can also solve the issue, but it will not be the same as the signature encoding.
@jengjeng jengjeng changed the title Mismatch payload with signature Mismatch payload compared to signature Dec 15, 2020
@jengjeng jengjeng changed the title Mismatch payload compared to signature Mismatch payload compare to signature Dec 15, 2020
@jengjeng jengjeng changed the title Mismatch payload compare to signature Mismatch payload when compared to signature Dec 15, 2020
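The mismatch described in the report, as an added example that is not code from the issue or from the jwt-multisig project: a constructed HS256 compact token is signed over canonical JSON, then the payload is decoded and re-encoded with an escaping encoder (html_escaped_json is a stand-in that mimics ActiveSupport's escape_html_entities_in_json behaviour, not ActiveSupport itself), and the genuine token fails to verify. The secret and payload are constructed; checking the signature over the payload segment exactly as received is what makes verification independent of the consumer's JSON encoder.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Constructed demo key and payload (not from the jwt-multisig project).
SECRET = 'demo-secret-not-for-production'
PAYLOAD = { 'test_html_1' => '&', 'test_html_2' => '<html string>' }

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Producer side: canonical JSON, '&' and '<' are left unescaped.
def canonical_json(payload)
  JSON.generate(payload)
end

# Stand-in for ActiveSupport::JSON.encode with HTML entity escaping on:
# <, > and & come out as \u003c, \u003e, \u0026. Same data, different bytes.
def html_escaped_json(payload)
  JSON.generate(payload).gsub(/[<>&]/) { |c| format('\u%04x', c.ord) }
end

# Constant-time byte comparison for the MAC check.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# HS256 over header.payload, producing a compact JWS-style token.
def sign(payload_segment, secret)
  header = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  signing_input = "#{header}.#{payload_segment}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Verifier side: the MAC is checked over the payload segment exactly as received.
def verify(token, secret)
  header, payload, sig = token.split('.')
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
  secure_compare(expected, Base64.urlsafe_decode64(sig))
end

# Reproduces the report: decoding and re-encoding the payload with the escaping
# encoder yields a different segment, so a genuine token fails the signature check.
def demo
  token = sign(b64url(canonical_json(PAYLOAD)), SECRET)
  header, payload_segment, sig = token.split('.')
  decoded = JSON.parse(Base64.urlsafe_decode64(payload_segment))
  reencoded = b64url(html_escaped_json(decoded))
  { same_data: decoded == PAYLOAD, same_segment: reencoded == payload_segment,
    verify_as_received: verify(token, SECRET),
    verify_after_reencode: verify("#{header}.#{reencoded}.#{sig}", SECRET) }
end
```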
Contributor

calj commented Dec 16, 2020

We need to follow the data processing flow here and find where we decode and re-encode between the signature and the verification.
The key is to make sure the json is NOT decoded and re-encoded.

PEATIO -> Signed message -> AMQP -> Mailer -> Verify the signature before decode
