jsonwebtoken
Advanced tools
jsonwebtoken - npm Package Compare versions
Comparing version 4.2.2 to 5.0.0
@@ -6,2 +6,27 @@ # Change Log | ||
| ## [4.2.2] - 2015-03-26 | ||
| ### Fixed | ||
| - [asymmetric-keys] Fix verify for RSAPublicKey formated keys (`jfromaniello - awlayton`) | ||
| https://github.com/auth0/node-jsonwebtoken/commit/402794663b9521bf602fcc6f2e811e7d3912f9dc | ||
| https://github.com/auth0/node-jsonwebtoken/commit/8df6aabbc7e1114c8fb3917931078254eb52c222 | ||
| ## [4.2.1] - 2015-03-17 | ||
| ### Fixed | ||
| - [asymmetric-keys] Fixed issue when public key starts with BEING PUBLIC KEY (https://github.com/auth0/node-jsonwebtoken/issues/70) (`jfromaniello`) | ||
| https://github.com/auth0/node-jsonwebtoken/commit/7017e74db9b194448ff488b3e16468ada60c4ee5 | ||
| ## [4.2.0] - 2015-03-16 | ||
| ### Security | ||
| - [asymmetric-keys] Making sure a token signed with an asymmetric key will be verified using a asymmetric key. | ||
| When the verification part was expecting a token digitally signed with an asymmetric key (RS/ES family) of algorithms an attacker could send a token signed with a symmetric algorithm (HS* family). | ||
| The issue was caused because the same signature was used to verify both type of tokens (`verify` method parameter: `secretOrPublicKey`). | ||
| This change adds a new parameter to the verify called `algorithms`. This can be used to specify a list of supported algorithms, but the default value depends on the secret used: if the secretOrPublicKey contains the string `BEGIN CERTIFICATE` the default is `[ 'RS256','RS384','RS512','ES256','ES384','ES512' ]` otherwise is `[ 'HS256','HS384','HS512' ]`. (`jfromaniello`) | ||
| https://github.com/auth0/node-jsonwebtoken/commit/c2bf7b2cd7e8daf66298c2d168a008690bc4bdd3 | ||
| https://github.com/auth0/node-jsonwebtoken/commit/1bb584bc382295eeb7ee8c4452a673a77a68b687 | ||
| ## [4.1.0] - 2015-03-10 | ||
@@ -21,2 +46,2 @@ ### Changed | ||
| - Fix wrong error message when the issuer doesn't match. [44e3c8d](https://github.com/auth0/node-jsonwebtoken/commit/44e3c8d757e6b4e2a57a69a035f26b4abec3e327) | ||
| - Fix wrong `iat` and `exp` values when signing with `noTimestamp`. [331b7bc](https://github.com/auth0/node-jsonwebtoken/commit/331b7bc9cc335561f8806f2c4558e105cb53e0a6) | ||
| - Fix wrong `iat` and `exp` values when signing with `noTimestamp`. [331b7bc](https://github.com/auth0/node-jsonwebtoken/commit/331b7bc9cc335561f8806f2c4558e105cb53e0a6) |
25
index.js
@@ -42,3 +42,3 @@ var jws = require('jws'); | ||
| if (!options.noTimestamp) { | ||
| payload.iat = timestamp; | ||
| payload.iat = payload.iat || timestamp; | ||
| } | ||
@@ -116,11 +116,23 @@ | ||
| ~secretOrPublicKey.toString().indexOf('BEGIN RSA PUBLIC KEY') ? | ||
| [ 'RS256','RS384','RS512' ] : | ||
| [ 'HS256','HS384','HS512' ]; | ||
| [ 'RS256','RS384','RS512' ] : | ||
| [ 'HS256','HS384','HS512' ]; | ||
| } | ||
| var decodedToken = jws.decode(jwtString); | ||
| if (!decodedToken) { | ||
| return done(new JsonWebTokenError('invalid token')); | ||
| } | ||
| var header = decodedToken.header; | ||
| if (!~options.algorithms.indexOf(header.alg)) { | ||
| return done(new JsonWebTokenError('invalid algorithm')); | ||
| } | ||
| var valid; | ||
| try { | ||
| valid = jws.verify(jwtString, secretOrPublicKey); | ||
| valid = jws.verify(jwtString, header.alg, secretOrPublicKey); | ||
| } catch (e) { | ||
@@ -141,7 +153,2 @@ return done(e); | ||
| var header = jws.decode(jwtString).header; | ||
| if (!~options.algorithms.indexOf(header.alg)) { | ||
| return done(new JsonWebTokenError('invalid signature')); | ||
| } | ||
| if (typeof payload.exp !== 'undefined' && !options.ignoreExpiration) { | ||
@@ -148,0 +155,0 @@ if (typeof payload.exp !== 'number') { |
| { | ||
| "name": "jsonwebtoken", | ||
| "version": "4.2.2", | ||
| "version": "5.0.0", | ||
| "description": "JSON Web Token implementation (symmetric and asymmetric)", | ||
@@ -22,8 +22,8 @@ "main": "index.js", | ||
| "dependencies": { | ||
| "jws": "~2.0.0" | ||
| "jws": "^3.0.0" | ||
| }, | ||
| "devDependencies": { | ||
| "atob": "~1.1.2", | ||
| "chai": "~1.10.0", | ||
| "mocha": "~2.1.0" | ||
| "atob": "^1.1.2", | ||
| "chai": "^1.10.0", | ||
| "mocha": "^2.1.0" | ||
| }, | ||
@@ -30,0 +30,0 @@ "engines": { |
@@ -78,2 +78,3 @@ # jsonwebtoken [](http://travis-ci.org/auth0/node-jsonwebtoken) | ||
| * `algorithms`: List of strings with the names of the allowed algorithms. For instance, `["HS256", "HS384"]`. | ||
| * `audience`: if you want to check audience (`aud`), provide a value here | ||
@@ -123,2 +124,8 @@ * `issuer`: if you want to check issuer (`iss`), provide a value here | ||
| // alg mismatch | ||
| var cert = fs.readFileSync('public.pem'); // get public key | ||
| jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) { | ||
| // if token alg != RS256, err == invalid signature | ||
| }); | ||
| ``` | ||
@@ -125,0 +132,0 @@ |
@@ -244,3 +244,3 @@ var jwt = require('../index'); | ||
| assert.isNotNull(err); | ||
| assert.equal(err.name, 'Error'); | ||
| assert.equal(err.name, 'JsonWebTokenError'); | ||
| done(); | ||
@@ -247,0 +247,0 @@ }); |
@@ -14,8 +14,30 @@ var fs = require('fs'); | ||
| describe('signing with pub key as symmetric', function () { | ||
| it('should not verify', function () { | ||
| expect(function () { | ||
| jwt.verify(TOKEN, pub); | ||
| }).to.throw(JsonWebTokenError, /invalid signature/); | ||
| describe('when setting a wrong `header.alg`', function () { | ||
| describe('signing with pub key as symmetric', function () { | ||
| it('should not verify', function () { | ||
| expect(function () { | ||
| jwt.verify(TOKEN, pub); | ||
| }).to.throw(JsonWebTokenError, /invalid algorithm/); | ||
| }); | ||
| }); | ||
| }); | ||
| describe('signing with pub key as HS256 and whitelisting only RS256', function () { | ||
| it('should not verify', function () { | ||
| expect(function () { | ||
| jwt.verify(TOKEN, pub, {algorithms: ['RS256']}); | ||
| }).to.throw(JsonWebTokenError, /invalid algorithm/); | ||
| }); | ||
| }); | ||
| describe('signing with HS256 and checking with HS384', function () { | ||
| it('should not verify', function () { | ||
| expect(function () { | ||
| var token = jwt.sign({foo: 'bar'}, 'secret', {algorithm: 'HS256'}); | ||
| jwt.verify(token, 'some secret', {algorithms: ['HS384']}); | ||
| }).to.throw(JsonWebTokenError, /invalid algorithm/); | ||
| }); | ||
| }); | ||
| }); |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Deprecated
MaintenanceThe maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by7.22%
43032
- Lines of code
- increased by3.61%
632
- Number of medium maintenance alerts
- decreased by-100%
0
- Number of lines in readme file
- increased by3.11%
232
Dependency changes
+ Addedjwa@1.4.1(transitive)
+ Addedjws@3.2.2(transitive)
- Removedbase64url@0.0.61.0.6(transitive)
- Removedcamelcase@1.2.1(transitive)
- Removedcamelcase-keys@1.0.0(transitive)
- Removedconcat-stream@1.4.11(transitive)
- Removedcore-util-is@1.0.3(transitive)
- Removedget-stdin@4.0.1(transitive)
- Removedindent-string@1.2.2(transitive)
- Removedinherits@2.0.4(transitive)
- Removedis-finite@1.1.0(transitive)
- Removedisarray@0.0.1(transitive)
- Removedjwa@1.0.2(transitive)
- Removedjws@2.0.0(transitive)
- Removedmap-obj@1.0.1(transitive)
- Removedmeow@2.0.0(transitive)
- Removedminimist@1.2.8(transitive)
- Removedobject-assign@1.0.0(transitive)
- Removedreadable-stream@1.1.14(transitive)
- Removedrepeating@1.1.3(transitive)
- Removedstring_decoder@0.10.31(transitive)
- Removedtypedarray@0.0.7(transitive)
Updatedjws@^3.0.0