Comments (8)
We have several tests covering RS512 and some seem to be also using RS256 (together with another algorithm so I'm not sure if RS256 is the one actually being tested). Can you see if you spot something in the tests that suggest that your case is different?
from fast-jwt.
There seem to be a couple but not with a public key for sure.
t.strictSame(
  verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.57TF7smP9XDhIexBqPC-F1toZReYZLWb_YRU5tv0sxM', {
    noTimestamp: true,
    algorithms: ['RS256', 'HS256']
  }),
  { a: 1 }
)
t.strictSame(
  verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.57TF7smP9XDhIexBqPC-F1toZReYZLWb_YRU5tv0sxM', {
    noTimestamp: true,
    algorithms: ['RS256', 'HS256'],
    key: 'secret'
  }),
  { a: 1 }
)
t.strictSame(
  verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.57TF7smP9XDhIexBqPC-F1toZReYZLWb_YRU5tv0sxM', {
    noTimestamp: true,
    algorithms: [
      'RS256',
      'RS384',
      'RS512',
      'HS256',
      'HS384',
      'HS512',
      'ES256',
      'ES384',
      'ES512',
      'PS256',
      'PS384',
PS: I tried the example given in the docs and it fails with the same error.
from fast-jwt.
Ok thanks for reporting. Would you be so kind as to create a PR? If you don't want to work on the fix, could you at least create a failing test case?
from fast-jwt.
Ok, so I was preparing the test case PR and noticed something. I think the verifier only works for the keys with the headers -----BEGIN PRIVATE KEY----- not -----BEGIN RSA PRIVATE KEY-----.
# with -----BEGIN PRIVATE KEY-----
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxLCJpYXQiOjE3MDExODQyODR9.acouVH2kUzUiBW534e-5ysLEuvBj_8U30W8nt4VXgU-avwYPjqPemNWekDKoFYRCDBYju-Ozy9ZnjTNOqrfQOuU6ezdzf1CHIlEj1D1059s_a7iEuEwlRkyXA49e9vyoP7-0Xbiiua17slZHQixJwbDrCyr3B6wezvedTJlxoK6JWv3zrSeQ0P6hTX8DtVxWLQFFwrH-4Mvibbe8oSUPZ6SH1apRH_8PF0XcoDadAtpMCc5agGf8-Y1mKhl82FFpoMa2P8w8sHmqGXDvNvG_t6PBHu-bB8KJ15_99R3C7YUu-bMWpdOs4T0TgSWGviyBUI4bjounbSKYgWUPsWDOgw
{ a: 1, iat: 1701184284 }
Then I looked at the commits and found this. I thought this was the reason why it didn't work before. But again this was implemented in v3.3.2 but yet I was testing it in v3.3.0.
The key headers were the only thing that was different from my previous test.
Although, as per this advisory, both headers should work in versions which are < 3.3.1
from fast-jwt.
I'm not sure what to make of this though. The relevant line is this, which shows that BEGIN RSA PRIVATE KEY should be supported. 15a6e92#diff-0ea128c6a526ed8106ac0088dc7d2f94c0d351cc8edd06e24e79b8e5ae4c44a4R28
from fast-jwt.
At this point, I am pretty sure that is the root cause. Just not sure why that would happen.
┌──(kali㉿kali)-[~/NEW]
└─$ cat public_key.pem|head
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoxxtE32WroZX5LpgGDQ6
B/LmBBpSAjeQ3ak4t8f1jVCuvfk3RoIGD4nOznGXL1SjKo1exYIpG/EnaWkIXo37
MUlZ/StEmXRWwDZtbrrNJrdj/4qam7527jwjhFESigj95bQ4ndMNqwIfptLt3mm2
t5QdTADy0eHdPdZ7fUuYeGj3BN9fKOnqXZkBRq7C2yB9RoWB0IU7hzHsf11ODbK7
Om4v3dlBm9fiH2dTMbJAxTloeIrMd1OXu/PM5d7qgDjC2TyDmqPgLKGvlfm18LTU
9w+r52qCjAUV0EIK3Ai/ACx4hLfwnb478ZvZfdXDgUhFOrKx92Jp+oejuHqWxPRE
xQIDAQAB
-----END PUBLIC KEY-----
┌──(kali㉿kali)-[~/NEW]
└─$ node test.js
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.dvQmAf8QruptEU1nqwuIHjuE90gftfKNnkOP6i0ErVByjwCij99WLM_6Xbq__OUVjJXwdGYlP71j6-pTrqr6ue8vT6KE-1oPChnc5WyCKZBvpjAuAHG8jF-M899CcHuYUFDQ-UJV0eaRf26ilvngIQE6RMKtdavsFoR3XpiUCXobMJbgZDNvzG5j36M10FccB68C-6Y4F75sid47jfKHKSEYiqJHo6jqSredLVjNNEbVAo3ee4oafLByzEDW6F1-MA3vJZZl522EwXFBv7MnFwvP5QJVOMGxL1R5tmbbOvLKy25v6uAO_VXKPciw4ZCr-BBzeUhuFzSsCauoDZJBhA
{ a: 1 }
┌──(kali㉿kali)-[~/NEW]
└─$ cat public_key.pem|head
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApNkAKU4ap1AWiQaeDvPXbLNcd8UElPIK9hYLoTUDD8CCx1YSs8Rr
ACSDlyRtFkwEiplsIvlh8wj/BvkUE9lgQOzO6mcMx7bcqJ2GKaANANBCI/T+r7+D
jeq9jH0pv49eMZzO4Ye5TapVkJEiq4SR/FkLigRVP1lM16IQGqxpjDr4/nHhZ7SF
98F8TC0Suh/F4wgZaN4qrzUaBJJ5ysA3DySLlQkraJpfje5bXFbH3flys8m2SNZf
otRjrMwBrzIvW0kz9qKkbkTUJX2k8hcGkWN6GeoKABx6+v3QXARap740u8lfFYVh
skeeAXg/WhrTIr6EHAIbnJlCWqzLFh9hNQIDAQAB
-----END RSA PUBLIC KEY-----
┌──(kali㉿kali)-[~/NEW]
└─$ node test.js
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.H-e_0TykHbQZfy91O-1CNo4DCIYnCpv2WEP_KPLAfsLKTY3-h27WxO6B2HS1MI23IipAFF5dBHjPTGyUx2GZUDKBqtny9D95DhAQOUYlBK3Z4B3Pg-YBTHWge--Iv0xyNCEHZuSHi7_vDlGl2dEqYH78m88Dh4PPinK22CUbn8WvWhdkGPAFbYmXMSKkypwiazmuAPG_rdltjNxRFBZeNg3-iRqrdFTTG64ZAVHE31v78V_hTyJj-4z8A5mGglMaGrf2WntXpR6vp5SWIFYG3-jrBoeZHpV0rIJQlzhvzobtmuJytMoPQTnUX6yoCc-qgkVCUou1369WUiXFe17gnA
/home/kali/NEW/node_modules/fast-jwt/src/verifier.js:322
throw cacheSet(cacheContext, e)
^
TokenError: The token algorithm is invalid.
Also, it seems you had no problems with this before because the ssh-keygen commands you have mentioned in the advisory are the same ones I used to create mine (with -----BEGIN RSA PUBLIC KEY----- header).
from fast-jwt.
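The comparison made in the comment above, as an added example that is not part of the thread and is not fast-jwt's code: the same RSA public key is exported with both PEM headers and classified by parsing it with Node's `crypto.createPublicKey` rather than by matching header text, so both encodings verify an RS256 token and neither is accepted for an HS* algorithm. The helper names `allowedAlgorithms`, `signRS256` and `verifyToken` and the key generated at run time are assumptions made for the example.

```javascript
const crypto = require('node:crypto')

// Constructed sample key, generated at run time; the same public key in both PEM encodings.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 })
const SPKI_PEM = publicKey.export({ type: 'spki', format: 'pem' }) // -----BEGIN PUBLIC KEY-----
const PKCS1_PEM = publicKey.export({ type: 'pkcs1', format: 'pem' }) // -----BEGIN RSA PUBLIC KEY-----

const RSA_ALGS = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512']
const HMAC_ALGS = ['HS256', 'HS384', 'HS512']
const b64url = (value) => Buffer.from(value).toString('base64url')

// Hypothetical helper: decide which JWT algorithms a key may be used with by
// parsing the key, so the PEM header wording does not change the outcome.
function allowedAlgorithms (key) {
  try {
    return crypto.createPublicKey(key).asymmetricKeyType === 'rsa' ? RSA_ALGS : []
  } catch {
    // PEM-shaped input that does not parse must never fall back to an HMAC secret.
    if (String(key).includes('-----BEGIN')) throw new Error('unparseable PEM key')
    return HMAC_ALGS
  }
}

// Hypothetical helper: sign a constructed payload as an RS256 token.
function signRS256 (payload) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`
}

// Hypothetical verifier: the algorithm check runs before any signature check.
function verifyToken (token, key) {
  const [header, payload, signature] = token.split('.')
  const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString())
  if (!allowedAlgorithms(key).includes(alg)) throw new Error(`algorithm ${alg} is not allowed for this key`)
  if (alg !== 'RS256') throw new Error(`${alg} verification is outside this example`)
  const valid = crypto.verify('sha256', Buffer.from(`${header}.${payload}`),
    crypto.createPublicKey(key), Buffer.from(signature, 'base64url'))
  if (!valid) throw new Error('invalid signature')
  return JSON.parse(Buffer.from(payload, 'base64url').toString())
}

const token = signRS256({ a: 1 })
console.log(verifyToken(token, SPKI_PEM), verifyToken(token, PKCS1_PEM))
```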
@kavishkagihan can you please check if #415 fixes the issue for you?
from fast-jwt.
🎉 This issue has been resolved in version 3.3.3 🎉
The release is available on:
Your optic bot 📦🚀
from fast-jwt.