fix(auth): migrate to secure usage of jwt for token authentication #225

Merged
merged 1 commit into from
Dec 29, 2022

Conversation

@dpopp07 dpopp07 (Member) commented Dec 27, 2022

There is a vulnerability in v8 of the jsonwebtoken dependency. This commit upgrades to v9 to resolve the vulnerability. Additionally, they made an effort in this version to discourage the less secure "decode" method in favor of the more secure "verify" method. This commit also refactors the code and tests to use the "verify" method.

There is a vulnerability in v8 of the `jsonwebtoken` dependency. This commit
upgrades to v9 to resolve the vulnerability. Additionally, they made an effort
in this version to discourage the less secure "decode" method in favor of the
more secure "verify" method (1). This commit also refactors the code and tests to
use the "verify" method.

(1) See this PR for context: auth0/node-jsonwebtoken#741

Signed-off-by: Dustin Popp <dpopp07@gmail.com>
@TannerS TannerS commented Dec 28, 2022

Thanks for this, please let us know of an update. I think a lot of us have a short deadline to get this fixed, and this is a dep of another dep.

@dpopp07 dpopp07 requested review from apaparazzi0329 and removed request for rmkeezer December 29, 2022 13:59
@apaparazzi0329 apaparazzi0329 (Member) left a comment


There were no issues authenticating in the Node SDK, and the code looks good, so you got my approval.

@padamstx padamstx (Member) left a comment


LGTM

@dpopp07 dpopp07 merged commit 10e0728 into main Dec 29, 2022
@dpopp07 dpopp07 deleted the dp/upgrade-jwt branch December 29, 2022 18:22
ibm-devx-sdk pushed a commit that referenced this pull request Dec 29, 2022
## [4.0.1](v4.0.0...v4.0.1) (2022-12-29)

### Bug Fixes

* **auth:** migrate to secure usage of jwt for token authentication ([#225](#225)) ([10e0728](10e0728))
@ibm-devx-sdk commented

🎉 This PR is included in version 4.0.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
