Warn about deprecations only if token decoding succeeds

CHANGELOG.md

@@ -10,8 +10,9 @@
 
 **Fixes and enhancements:**
 
+- Print deprecation warnings only on when token decoding succeeds [#600](https://github.com/jwt/ruby-jwt/pull/600) ([@anakinj](https://github.com/anakinj))
 - Your contribution here
--
+
 ## [v2.8.1](https://github.com/jwt/ruby-jwt/tree/v2.8.1) (2024-02-29)
 
 [Full Changelog](https://github.com/jwt/ruby-jwt/compare/v2.8.0...v2.8.1)

lib/jwt.rb

@@ -27,6 +27,8 @@ def encode(payload, key, algorithm = 'HS256', header_fields = {})
   end
 
   def decode(jwt, key = nil, verify = true, options = {}, &keyfinder) # rubocop:disable Style/OptionalBooleanParameter
-    Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
+    Deprecations.context do
+      Decode.new(jwt, key, verify, configuration.decode.to_h.merge(options), &keyfinder).decode_segments
+    end
   end
 end

lib/jwt/base64.rb

@@ -20,7 +20,7 @@ def url_decode(str)
         raise Base64DecodeError, 'Invalid base64 encoding' if JWT.configuration.strict_base64_decoding
 
         loose_urlsafe_decode64(str).tap do
-          Deprecations.warning('Invalid base64 input detected, could be because of invalid padding, trailing whitespaces or newline chars. Graceful handling of invalid input will be dropped in the next major version of ruby-jwt')
+          Deprecations.warning('Invalid base64 input detected, could be because of invalid padding, trailing whitespaces or newline chars. Graceful handling of invalid input will be dropped in the next major version of ruby-jwt', only_if_valid: true)
         end
       end
 

lib/jwt/deprecations.rb

@@ -4,15 +4,34 @@ module JWT
   # Deprecations module to handle deprecation warnings in the gem
   module Deprecations
     class << self
-      def warning(message)
+      def context
+        yield.tap { emit_warnings }
+      ensure
+        Thread.current[:jwt_warning_store] = nil
+      end
+
+      def warning(message, only_if_valid: false)
+        method_name = only_if_valid ? :store : :warn
         case JWT.configuration.deprecation_warnings
-        when :warn
-          warn("[DEPRECATION WARNING] #{message}")
         when :once
           return if record_warned(message)
-
-          warn("[DEPRECATION WARNING] #{message}")
+        when :warn
+          # noop
+        else
+          return
         end
+
+        send(method_name, "[DEPRECATION WARNING] #{message}")
+      end
+
+      def store(message)
+        (Thread.current[:jwt_warning_store] ||= []) << message
+      end
+
+      def emit_warnings
+        return if Thread.current[:jwt_warning_store].nil?
+
+        Thread.current[:jwt_warning_store].each { |warning| warn(warning) }
       end
 
       private

spec/jwt/jwt_spec.rb

@@ -944,4 +944,36 @@ def valid_alg?(alg)
       end
     end
   end
+
+  context 'when invalid token is valid loose base64' do
+    it 'does not output deprecations warnings' do
+      expect {
+        begin
+          JWT.decode("#{JWT.encode('a', 'b')} 9", 'b')
+        rescue JWT::VerificationError
+          nil
+        end
+      }.not_to output(/DEPRECATION/).to_stderr
+    end
+  end
+
+  context 'when valid token is invalid strict base64 and decoded with the correct key' do
+    it 'does outputs deprecation warning' do
+      expect { JWT.decode("#{JWT.encode('payload', 'key')} ", 'key') }.to output(/DEPRECATION/).to_stderr
+    end
+  end
+
+  context 'when valid token is invalid strict base64 and decoded with the incorrect key' do
+    it 'does not output deprecation warning, even when decoded with the correct key' do
+      token = JWT.encode('payload', 'key')
+      expect {
+        begin
+          JWT.decode("#{token} ", 'incorrect')
+        rescue JWT::VerificationError
+          nil
+        end
+        JWT.decode(token, 'key')
+      }.not_to output(/DEPRECATION/).to_stderr
+    end
+  end
 end