From 8b4c000662fd2dfd84e4b1f3377ed5eda981fe3e Mon Sep 17 00:00:00 2001 From: Vartan Simonian Date: Tue, 13 Oct 2015 20:50:43 -0700 Subject: [PATCH 1/2] Use new jsrsasign/jsjws API for JWK verification --- lib/JWT.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/JWT.js b/lib/JWT.js index d965348..860194d 100644 --- a/lib/JWT.js +++ b/lib/JWT.js @@ -413,11 +413,11 @@ JWT.decode = function (token, secret) { // exposed in the node version of jsrsasign so we can't access it. // // Using jsjws is stopgap until there's a cleaner way. - var jws = new jsrsasign.jws.JWS() var hN = base64url.decode(secret.n, 'hex') var hE = base64url.decode(secret.e, 'hex') + var pubkey = jsrsasign.KEYUTIL.getKey({ n: hN, e: hE }) - verified = jws.verifyJWSByNE(token, hN, hE) + verified = jsrsasign.jws.JWS.verify(token, pubkey) } if (!verified) { From bbc1121b6f10b3d4ff3467ed9a79768f3c0f6f18 Mon Sep 17 00:00:00 2001 From: Vartan Simonian Date: Tue, 13 Oct 2015 20:50:56 -0700 Subject: [PATCH 2/2] Update jsrsasign dependency --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index eac8300..1205a90 100644 --- a/package.json +++ b/package.json @@ -44,7 +44,7 @@ "dependencies": { "lodash": "^3.10.1", "base64url": "^1.0.4", - "jsrsasign": "^4.8.3", + "jsrsasign": "^5.0.0", "jwa": "^1.0.0", "valid-url": "^1.0.9" }