From a1ccc18863ccb3acb348285149639e10ef8fdb67 Mon Sep 17 00:00:00 2001
From: serknight
Date: Mon, 3 May 2021 11:54:27 -0600
Subject: [PATCH] only validate on the initial callback, not on invoke of decoding a previously validated id or access token

---
 lib/xero-ruby/api_client.rb | 16 ++++++++++------
 lib/xero-ruby/version.rb | 2 +-
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/lib/xero-ruby/api_client.rb b/lib/xero-ruby/api_client.rb
index cbeee242..d11f3397 100644
--- a/lib/xero-ruby/api_client.rb
+++ b/lib/xero-ruby/api_client.rb
@@ -110,11 +110,11 @@ def id_token
 end
 
 def decoded_access_token
- decode_jwt(@config.access_token)
+ decode_jwt(@config.access_token, false)
 end
 
 def decoded_id_token
- decode_jwt(@config.id_token)
+ decode_jwt(@config.id_token, false)
 end
 
 def set_token_set(token_set)
@@ -166,10 +166,14 @@ def validate_state(params)
 return true
 end
 
- def decode_jwt(tkn)
- jwks_data = JSON.parse(Faraday.get('https://identity.xero.com/.well-known/openid-configuration/jwks').body)
- jwk_set = JSON::JWK::Set.new(jwks_data)
- JSON::JWT.decode(tkn, jwk_set)
+ def decode_jwt(tkn, verify=true)
+ if verify == true
+ jwks_data = JSON.parse(Faraday.get('https://identity.xero.com/.well-known/openid-configuration/jwks').body)
+ jwk_set = JSON::JWK::Set.new(jwks_data)
+ JSON::JWT.decode(tkn, jwk_set)
+ else
+ JSON::JWT.decode(tkn, :skip_verification)
+ end
 end
 
 def token_expired?
diff --git a/lib/xero-ruby/version.rb b/lib/xero-ruby/version.rb
index 5164d72b..d81132bb 100644
--- a/lib/xero-ruby/version.rb
+++ b/lib/xero-ruby/version.rb
@@ -11,5 +11,5 @@
 =end
 
 module XeroRuby
- VERSION = '2.10.1'
+ VERSION = '2.10.2'
 end
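Review bot: Both public decoders now return claims whose signature was never checked — `decode_jwt(@config.access_token, false)` and `decode_jwt(@config.id_token, false)` — and nothing at the call site records that contract. The commit's rationale (verified once in the initial callback) only holds for tokens that came through this instance's callback; `set_token_set(token_set)`, visible as context at the bottom of the hunk, lets a caller install a token set loaded from storage or produced elsewhere, and anything that then reads identity claims such as `sub` or `email` from `decoded_id_token` would be trusting an unverified payload. I'd add a comment above each method, e.g. `# Decodes WITHOUT signature verification; only trust the result for a token set this instance verified in the callback, never for tokens installed via set_token_set from untrusted storage`, and would keep the id token verified by default (`decode_jwt(@config.id_token)`), since that is the token whose claims carry identity. The enclosing class starts outside the hunk.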
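Review bot: The new `if verify == true` guard in `decode_jwt` takes the unverified `JSON::JWT.decode(tkn, :skip_verification)` branch for any argument other than the literal `true`, so a caller passing a truthy value such as `1` or `"yes"` silently gets an unverified decode. Write it as `if verify` (and prefer `def decode_jwt(tkn, verify = true)` with a short comment, e.g. `# verify=false skips the JWKS signature check; callers must only pass it for tokens already verified by this instance`), keeping the positional parameter for compatibility with the call sites changed in this commit. The `:skip_verification` branch also makes the result usable only as a local hint — `token_expired?`, the next method outside the hunk, presumably reads the `exp` claim this way, which is fine client-side but should not be mistaken for validation. The per-call uncached JWKS fetch in the verified branch predates this change.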