throwError does not throw on invalid signature #80

Open
stephent opened this issue Jun 9, 2024 · 1 comment

Comments


stephent commented Jun 9, 2024

The readme states:

throws

If options.throwError is true and the token is invalid, an error will be thrown.

But the verify method does not throw if the following line returns false, even if throwError is true:

return await crypto.subtle.verify(algorithm, key, base64UrlToArrayBuffer(tokenParts[2]), textToArrayBuffer(`${tokenParts[0]}.${tokenParts[1]}`))

This could result in invalid JWTs being mistakenly accepted, if the caller assumes they can simply try/catch with throwError passed as true and doesn't also check the return value.

stephent changed the title from "throwsError does not throw on invalid signature" to "throwError does not throw on invalid signature" on Jun 9, 2024

stephent commented Jun 9, 2024

See also #76 - the code shown there appears to make exactly this incorrect assumption.
