@fastify/jwt integration example unsafe?

[Ricki-BumbleDev]

In the README there is this @fastify/jwt integration example:

const fastify = Fastify()
const getJwks = buildGetJwks()

fastify.register(fjwt, {
  decode: { complete: true },
  secret: (request, token, callback) => {
    const {
      header: { kid, alg },
      payload: { iss },
    } = token
    getJwks
      .getPublicKey({ kid, domain: iss, alg })
      .then(publicKey => callback(null, publicKey), callback)
  },
})

I could see someone blindly copy-pasting this without checking the issuer.

(AFAICT fetching the JWKS from the domain supplied by the client in the iss field of the JWT payload without validating is unsafe. An attacker could craft a JWT with a fake iss pointing to a domain they control? They could set up a JWKS endpoint that provides a public key of their choosing. This would allow the attacker to generate and sign a token that the server would then consider valid.)

I think the issuersWhitelist property should explicitly be added in the example to emphasise its importance and avoid this pitfall.

const getJwks = buildGetJwks({ issuersWhitelist: ['...'] })

[simoneb]

@ilteoood in case you want to take a look at this one too