Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update to jws@^3.0.0 #78

Merged
merged 3 commits into from
Apr 10, 2015
Merged

Update to jws@^3.0.0 #78

merged 3 commits into from
Apr 10, 2015

Conversation

pose
Copy link
Contributor

@pose pose commented Apr 10, 2015

As jws@3.0.0 changed the verify method signature to be jws.verify(signature, algorithm, secretOrKey), the token header must be decoded first in order to make sure that the alg field matches one of the allowed options.algorithms. After that, the now validated header.alg is passed to jws.verify

As the order of steps has changed, the error that was thrown when the JWT was invalid is no longer the jws one:

{ [Error: Invalid token: no header in signature 'a.b.c'] code: 'MISSING_HEADER', signature: 'a.b.c' }

That old error (removed from jws) has been replaced by a JsonWebTokenError with message invalid token. That's why this change will bump be a major.

@pose
Updating to jws@^3.0.0
1e46234 
As `jws@3.0.0` changed the verify method signature to be `jws.verify(signature, algorithm, secretOrKey)`, the token header must be decoded first in order to make sure that the `alg` field matches one of the allowed `options.algorithms`. After that, the now validated `header.alg` is passed to `jws.verify`

As the order of steps has changed, the error that was thrown when the JWT was invalid is no longer the `jws` one:

{ [Error: Invalid token: no header in signature 'a.b.c'] code: 'MISSING_HEADER', signature: 'a.b.c' }

That old error (removed from jws) has been replaced by a `JsonWebTokenError` with message `invalid token`. That's why this change will bump be a major.
dschenkelman
dschenkelman reviewed Apr 10, 2015
View reviewed changes
index.js
return done(new JsonWebTokenError('invalid token'));
}

var header = jws.decode(jwtString).header;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does it make sense to check validity and decode? What if we decode and handle the failure?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, you are right. If I do jws.decode and check for null is the same.

@dschenkelman
Copy link
Member

@pose couple of questions:

  • Do we need more tests for this change?
  • Are there any other things we would like to get in for the next major that would also break the API?

@pose
Copy link
Contributor Author

pose commented Apr 10, 2015

Do we need more tests for this change?

We have a couple of tests of invalid tokens: https://github.com/auth0/node-jsonwebtoken/blob/update-to-jws-3/test/jwt.rs.tests.js#L239-L278 Do you have any additional test in mind?

Are there any other things we would like to get in for the next major that would also break the API?

No that I'm aware of. I've taken a look at the PRs and issues.

dschenkelman
dschenkelman reviewed Apr 10, 2015
View reviewed changes
index.js
var header = decodedToken.header;

if (!~options.algorithms.indexOf(header.alg)) {
return done(new JsonWebTokenError('invalid signature'));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jfromaniello @pose should this be 'invalid header' or 'invalid "alg" claim'?

dschenkelman added a commit that referenced this pull request Apr 10, 2015
@dschenkelman
Merge pull request #78 from auth0/update-to-jws-3
634b8ed 
Update to jws@^3.0.0
@dschenkelman dschenkelman merged commit 634b8ed into master Apr 10, 2015
@dschenkelman dschenkelman deleted the update-to-jws-3 branch April 10, 2015 18:02
@lillem4n lillem4n mentioned this pull request Jan 10, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pose @dschenkelman