Creating a signed payload using jsonwebtoken lib with PS256 algorithm yields tokens where nodejs (and browser, others?) fail to verify the signature. #17899

@lordvlad

What version of Bun is running?

1.2.4

What platform is your computer?

Microsoft Windows NT 10.0.26100.0 x64

What steps can reproduce the bug?

Got an issue with the jsonwebtoken package:

Creating a signed payload using PS256 algorithm yields tokens where nodejs (and browser, others?) fail to verify the signature.

import jwt from "jsonwebtoken";

const body = {
    iat: Math.floor(Date.now() / 1000),
    iss: "foo",
    sub: "bar",
    aud: "baz",
    jti: String(Date.now()),
    exp: Math.floor(Date.now() / 1000 + 3600),
};

const key = process.env["KEY"]!.replaceAll(/\\n/g, "\n");
const keyid = process.env["KEY_ID"]!;

const rs256signed = jwt.sign(body, key, { keyid, algorithm: "RS256" });
const ps256signed = jwt.sign(body, key, { keyid, algorithm: "PS256" });
console.log("\n\n\n");
console.log("rs256", rs256signed);
console.log("ps256", ps256signed);

console.log("\n\n\n");
console.log("verify rs256", jwt.verify(rs256signed, key, { algorithms: ["RS256"] }));
console.log("verify ps256", jwt.verify(ps256signed, key, { algorithms: ["PS256"] }));

Calling jwt.verify does not yield errors, neither for node nor for bun.
But when I paste the token to jwt.io (along with the PEM-formatted private key), the PS256-signed token produced by bun fails to be verified. The RS256-signed one is okay, and the ones produced by node are okay, too.

What is the expected behavior?

I expect bun to produce PS256-signed tokens which can be verified by other systems.

What do you see instead?

PS256-signed tokens produced by bun+jsonwebtoken fail verification in the browser and other systems.

Additional information

No response
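
The report above has `jwt.verify` passing in the runtime that signed the token while an external verifier rejects it. As an added example (not code from this issue, from Bun or from jsonwebtoken), the following checks a PS256 token with `node:crypto` and the public key alone, and reports whether it verifies with the 32-byte salt that RFC 7518 section 3.5 specifies or only when the salt length is auto-detected. The function names and the throwaway key pair are assumptions constructed for the example.

```javascript
// Added example: check a PS256 JWT signature with node:crypto only (signature only, no claim checks).
const crypto = require("node:crypto");

const PSS = crypto.constants.RSA_PKCS1_PSS_PADDING;
const b64url = (data) => Buffer.from(data).toString("base64url");

// Verify a compact JWS with explicit RSASSA-PSS parameters.
// RFC 7518 section 3.5: PS256 uses SHA-256, MGF1 with SHA-256, and a salt of 32 bytes.
function verifyPs256(token, publicKey, saltLength = 32) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const [header, payload, signature] = parts;
  let alg;
  try {
    alg = JSON.parse(Buffer.from(header, "base64url").toString("utf8")).alg;
  } catch {
    return false;
  }
  if (alg !== "PS256") return false; // never let the token pick another algorithm
  return crypto.verify(
    "sha256",
    Buffer.from(`${header}.${payload}`, "ascii"),
    { key: publicKey, padding: PSS, saltLength },
    Buffer.from(signature, "base64url"),
  );
}

// Classify a token: strict RFC parameters first, then any salt length.
function diagnosePs256(token, publicKey) {
  if (verifyPs256(token, publicKey, 32)) return "rfc7518";
  const auto = crypto.constants.RSA_PSS_SALTLEN_AUTO;
  if (verifyPs256(token, publicKey, auto)) return "nonstandard-salt";
  return "invalid";
}

// Hypothetical helper that builds test tokens with a chosen salt length.
function signPs256(claims, privateKey, saltLength = 32) {
  const head = b64url(JSON.stringify({ alg: "PS256", typ: "JWT" }));
  const input = `${head}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign("sha256", Buffer.from(input), { key: privateKey, padding: PSS, saltLength });
  return `${input}.${b64url(sig)}`;
}

// Constructed sample: throwaway 2048-bit key pair generated at run time.
const demoKeys = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const good = signPs256({ iss: "foo", sub: "bar" }, demoKeys.privateKey);
const oddSalt = signPs256({ iss: "foo" }, demoKeys.privateKey, crypto.constants.RSA_PSS_SALTLEN_MAX_SIGN);
console.log(diagnosePs256(good, demoKeys.publicKey), diagnosePs256(oddSalt, demoKeys.publicKey));
```

Running `diagnosePs256` on a token from each runtime with only the public key avoids pasting a private key into a third-party site.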
