update to node-jws 3.0.0 #76

Closed
gitawego opened this issue Apr 8, 2015 · 3 comments

gitawego commented Apr 8, 2015

jws is updated to 3.0.0 to mitigate a critical security flaw. Hope you can update jws ASAP.

https://github.com/brianloveswords/node-jws/blob/master/CHANGELOG.md

thx a lot

@jfromaniello
Member

If you look at the link in that changelog you will see that it is our own blog post.

We fixed this library (and many others) before we even published the blog post.

We are validating the alg in the verify method in this library already here:
https://github.com/auth0/node-jsonwebtoken/blob/master/index.js#L140-L142

If you don't specify algorithms to the verify method, we apply a heuristic to the secret you provide:

https://github.com/auth0/node-jsonwebtoken/blob/master/index.js#L110-L118
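
The check described in the comment above, as an added example that is not part of the thread and not node-jsonwebtoken's own code: a small verifier on Node's `crypto` that enforces an algorithm allow-list before any signature work and, when no list is given, derives one from the shape of the key. The function names, the PEM-marker heuristic and the two supported algorithms are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const SUPPORTED = ['HS256', 'RS256'];

// Assumed heuristic: PEM-looking key material is a public key, so only an
// asymmetric algorithm is acceptable; anything else is a shared secret.
function defaultAlgorithms(key) {
  return String(key).includes('-----BEGIN ') ? ['RS256'] : ['HS256'];
}

// Token builder for the demo (HS256: key is the secret, RS256: private key).
function sign(alg, payload, key) {
  const input = `${b64u(JSON.stringify({ alg, typ: 'JWT' }))}.${b64u(JSON.stringify(payload))}`;
  const sig = alg === 'HS256'
    ? crypto.createHmac('sha256', key).update(input).digest()
    : alg === 'RS256' ? crypto.sign('RSA-SHA256', Buffer.from(input), key) : Buffer.alloc(0);
  return `${input}.${sig.toString('base64url')}`;
}

function verify(token, key, options = {}) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  const allowed = options.algorithms || defaultAlgorithms(key);
  // The header's alg is untrusted input: check it before doing any crypto.
  if (!allowed.includes(header.alg) || !SUPPORTED.includes(header.alg)) {
    throw new Error('invalid algorithm');
  }
  const input = Buffer.from(`${h}.${p}`);
  const sig = Buffer.from(s, 'base64url');
  let ok;
  if (header.alg === 'HS256') {
    const mac = crypto.createHmac('sha256', key).update(input).digest();
    ok = mac.length === sig.length && crypto.timingSafeEqual(mac, sig);
  } else {
    ok = crypto.verify('RSA-SHA256', input, key, sig);
  }
  if (!ok) throw new Error('invalid signature');
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}

// Returns 'ok' or the rejection reason instead of throwing.
function check(token, key, options) {
  try { verify(token, key, options); return 'ok'; } catch (e) { return e.message; }
}

// Constructed sample: an HS256 token checked against a PEM-shaped key is refused.
const pem = '-----BEGIN PUBLIC KEY-----\n(constructed placeholder)\n-----END PUBLIC KEY-----';
console.log(check(sign('HS256', { sub: 'demo' }, pem), pem));
```

Passing `{ algorithms: [...] }` explicitly bypasses the heuristic, which is the more robust choice when the key type is known in advance.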

gitawego commented Apr 8, 2015

wow, nice. thx a lot :)

@dschenkelman
Member

Thanks for taking the time to report 😄
