jsonwebtoken - npm Package Compare versions

Comparing version 7.4.2 to 7.4.3

CHANGELOG.md

@@ -7,2 +7,6 @@ # Change Log
 
+## 7.4.3 - 2017-08-17
+
+ - Fix breaking change on 7.4.2 for empty secret + "none" algorithm (sync code style) ([PR 386](https://github.com/auth0/node-jsonwebtoken/pull/386))
+
 ## 7.4.2 - 2017-08-04
@@ -9,0 +13,0 @@

package.json

 {
   "name": "jsonwebtoken",
-  "version": "7.4.2",
+  "version": "7.4.3",
   "description": "JSON Web Token implementation (symmetric and asymmetric)",
@@ -5,0 +5,0 @@ "main": "index.js",

sign.js

@@ -69,3 +69,3 @@ var Joi = require('joi');
 
-  if (!secretOrPrivateKey) {
+  if (!secretOrPrivateKey && options.algorithm !== 'none') {
     return failure(new Error('secretOrPrivateKey must have a value'));
@@ -72,0 +72,0 @@ }

test/async_sign.tests.js

@@ -35,2 +35,20 @@ var jwt = require('../index');
 
+    it('should work with none algorithm where secret is set', function(done) {
+      jwt.sign({ foo: 'bar' }, 'secret', { algorithm: 'none' }, function(err, token) {
+        expect(token).to.be.a('string');
+        expect(token.split('.')).to.have.length(3);
+        done();
+      });
+    });
+
+    //Known bug: https://github.com/brianloveswords/node-jws/issues/62
+    //If you need this use case, you need to go for the non-callback-ish code style.
+    it.skip('should work with none algorithm where secret is falsy', function(done) {
+      jwt.sign({ foo: 'bar' }, undefined, { algorithm: 'none' }, function(err, token) {
+        expect(token).to.be.a('string');
+        expect(token.split('.')).to.have.length(3);
+        done();
+      });
+    });
+
     it('should return error when secret is not a cert for RS256', function(done) {
@@ -70,3 +88,3 @@ //this throw an error because the secret is not a cert and RS256 requires a cert.
       [undefined, '', 0].forEach(function(secret){
-        it('should return an error if the secret is falsy: ' + (typeof secret === 'string' ? '(empty string)' : secret), function(done) {
+        it('should return an error if the secret is falsy and algorithm is not set to none: ' + (typeof secret === 'string' ? '(empty string)' : secret), function(done) {
         // This is needed since jws will not answer for falsy secrets
@@ -73,0 +91,0 @@ jwt.sign('string', secret, {}, function(err, token) {

test/jwt.hs.tests.js

@@ -54,2 +54,12 @@ var jwt = require('../index');
 
+    it('should work with falsy secret and token not signed', function(done) {
+      var signed = jwt.sign({ foo: 'bar' }, null, { algorithm: 'none' });
+      var unsigned = signed.split('.')[0] + '.' + signed.split('.')[1] + '.';
+      jwt.verify(unsigned, 'secret', function(err, decoded) {
+        assert.isUndefined(decoded);
+        assert.isNotNull(err);
+        done();
+      });
+    });
+
     it('should throw when verifying null', function(done) {
@@ -56,0 +66,0 @@ jwt.verify(null, 'secret', function(err, decoded) {

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

1249377

increased by13.32%

Number of package files

324

increased by2.53%

Lines of code

23243

increased by2.28%

Number of medium supply chain risk alerts

0

decreased by-100%

No dependency changes