fix security bug. JWT with alg none should fail if secretOrPulblicKey…

… is passed
auth0 · Jul 14, 2014 · dfddaa4 · dfddaa4
1 parent 708c4d8
commit dfddaa4
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/index.js b/index.js
@@ -34,6 +34,13 @@ module.exports.verify = function(jwtString, secretOrPublicKey, options, callback
   if ((typeof options === 'function') && !callback) callback = options;
   if (!options) options = {};
 
+  var parts = jwtString.split('.');
+  if (parts.length < 3)
+    return callback(new Error('jwt malformed'));
+
+  if (parts[2].trim() === '' && secretOrPublicKey)
+    return callback(new Error('jwt signature is required'));
+
   var valid;
   try {
     valid = jws.verify(jwtString, secretOrPublicKey);

diff --git a/test/jwt.hs.tests.js b/test/jwt.hs.tests.js
@@ -31,5 +31,15 @@ describe('HS256', function() {
       });
     });
 
+    it('should throw with secret and token not signed', function(done) {
+      var signed = jwt.sign({ foo: 'bar' }, secret, { algorithm: 'none' });
+      var unsigned = signed.split('.')[0] + '.' + signed.split('.')[1] + '.';
+      jwt.verify(unsigned, 'secret', function(err, decoded) {
+        assert.isUndefined(decoded);
+        assert.isNotNull(err);
+        done();
+      });
+    });
+
   });
 });