Secret callback revisited #480
Changes from 1 commit
96cb28b
798b033
8d96f89
ddb1736
7d60544
6199e60
7a39153
fdfb2ef
e67f5d3
2e27e84
f83432f
@@ -43,22 +43,6 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { | |
return done(new JsonWebTokenError('jwt must be a string')); | ||
} | ||
|
||
var parts = jwtString.split('.'); | ||
|
||
if (parts.length !== 3){ | ||
return done(new JsonWebTokenError('jwt malformed')); | ||
} | ||
|
||
var hasSignature = parts[2].trim() !== ''; | ||
|
||
if (!hasSignature && secretOrPublicKey){ | ||
return done(new JsonWebTokenError('jwt signature is required')); | ||
} | ||
|
||
if (hasSignature && !secretOrPublicKey) { | ||
return done(new JsonWebTokenError('secret or public key must be provided')); | ||
} | ||
|
||
var decodedToken; | ||
try { | ||
decodedToken = decode(jwtString, { complete: true }); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It's mostly the same, however, our decode implementation tries to parse always the JSON (if string), the |
||
|
@@ -70,8 +54,6 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { | |
return done(new JsonWebTokenError('invalid token')); | ||
} | ||
|
||
var header = decodedToken.header; | ||
|
||
var getSecret; | ||
|
||
if(typeof secretOrPublicKey === 'function') { | ||
|
@@ -82,16 +64,32 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { | |
getSecret = secretOrPublicKey; | ||
} | ||
else { | ||
getSecret = function(header, secretCallback) { | ||
getSecret = function(decodedToken, secretCallback) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. even if it is not used, can you rename it back to There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @JacoKoster I saw your last commit after this comment, but that commit does not address this (not sure if you realized about it) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ah, yes, i forgot this one. |
||
return secretCallback(null, secretOrPublicKey); | ||
}; | ||
} | ||
|
||
return getSecret(header, function(err, secretOrPublicKey) { | ||
return getSecret(decodedToken, function(err, secretOrPublicKey) { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🤔 why do you pass all the decoded token now?, I think it was fine passing just the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Because we will be using both the header and the payload of the token now There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Oh, wait, yes. that is wrong. |
||
if(err) { | ||
return done(new JsonWebTokenError('error in secret or public key callback: ' + err.message)); | ||
} | ||
|
||
var parts = jwtString.split('.'); | ||
|
||
if (parts.length !== 3){ | ||
return done(new JsonWebTokenError('jwt malformed')); | ||
} | ||
|
||
var hasSignature = parts[2].trim() !== ''; | ||
|
||
if (!hasSignature && secretOrPublicKey){ | ||
return done(new JsonWebTokenError('jwt signature is required')); | ||
} | ||
|
||
if (hasSignature && !secretOrPublicKey) { | ||
return done(new JsonWebTokenError('secret or public key must be provided')); | ||
} | ||
|
||
if (!hasSignature && !options.algorithms) { | ||
options.algorithms = ['none']; | ||
} | ||
|
@@ -106,28 +104,22 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { | |
|
||
} | ||
|
||
if (!~options.algorithms.indexOf(header.alg)) { | ||
if (!~options.algorithms.indexOf(decodedToken.header.alg)) { | ||
return done(new JsonWebTokenError('invalid algorithm')); | ||
} | ||
|
||
var valid; | ||
|
||
try { | ||
valid = jws.verify(jwtString, header.alg, secretOrPublicKey); | ||
valid = jws.verify(jwtString, decodedToken.header.alg, secretOrPublicKey); | ||
} catch (e) { | ||
return done(e); | ||
} | ||
|
||
if (!valid) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. please be consistent on the braces usage. A few lines above this one, another one liner if clause uses them. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Noticed this as well, but because it was already on master this way. I was planning to add eslint and fixing it in one go. |
||
return done(new JsonWebTokenError('invalid signature')); | ||
|
||
var payload; | ||
|
||
try { | ||
payload = decode(jwtString); | ||
} catch (err) { | ||
return done(err); | ||
} | ||
var payload = decodedToken.payload; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ❤️ |
||
|
||
if (typeof payload.nbf !== 'undefined' && !options.ignoreNotBefore) { | ||
if (typeof payload.nbf !== 'number') { | ||
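Review bot: With the signature checks now inside the getSecret callback, a secret callback that yields no key (e.g. `secretCallback(null, undefined)` for an unknown kid) on a token with an empty signature segment passes both guards at `if (!hasSignature && secretOrPublicKey)` and `if (hasSignature && !secretOrPublicKey)`, and then `options.algorithms = ['none']` is set, so the unsigned token proceeds to the algorithm and jws.verify steps with `alg: none`; whether jws.verify accepts that is outside this hunk, but the fall-through looks unintended for the callback case. The callback parameter shadows the outer `secretOrPublicKey`, so the code inside cannot tell a configured callback from a static secret; I would capture that before the call, `var usesSecretCallback = typeof secretOrPublicKey === 'function';`, and add `if (!hasSignature && usesSecretCallback) { return done(new JsonWebTokenError('jwt signature is required')); }` next to the existing hasSignature guards. Note also that `options.algorithms = ['none']` mutates the caller-supplied options object, which persists across calls if the caller reuses it. The enclosing module.exports function starts and ends outside this hunk.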
|
I think this should be kept here, it refers to the token format, not secret related, there is no need to potentially call the
getSecret
function if the jwt is a malformed