Comments (8)

simoneb commented on September 21, 2024

We have several tests covering RS512 and some seem to be also using RS256 (together with another algorithm, so I'm not sure if RS256 is the one actually being tested). Can you see if you spot something in the tests that suggests that your case is different?

from fast-jwt.

kavishkagihan commented on September 21, 2024

There seem to be a couple but not with a public key for sure.

  t.strictSame(
    verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.57TF7smP9XDhIexBqPC-F1toZReYZLWb_YRU5tv0sxM', {
      noTimestamp: true,
      algorithms: ['RS256', 'HS256']
    }),
    { a: 1 }
  )

  t.strictSame(
    verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.57TF7smP9XDhIexBqPC-F1toZReYZLWb_YRU5tv0sxM', {
      noTimestamp: true,
      algorithms: ['RS256', 'HS256'],
      key: 'secret'
    }),
    { a: 1 }
  )

  t.strictSame(
    verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.57TF7smP9XDhIexBqPC-F1toZReYZLWb_YRU5tv0sxM', {
      noTimestamp: true,
      algorithms: [
        'RS256',
        'RS384',
        'RS512',
        'HS256',
        'HS384',
        'HS512',
        'ES256',
        'ES384',
        'ES512',
        'PS256',
        'PS384',

PS: I tried the example given in the docs and it fails with the same error.


simoneb commented on September 21, 2024

Ok thanks for reporting. Would you be so kind as to create a PR? If you don't want to work on the fix, could you at least create a failing test case?


kavishkagihan commented on September 21, 2024

Ok, so I was preparing the test case PR and noticed something. I think the verifier only works for the keys with the headers -----BEGIN PRIVATE KEY----- not -----BEGIN RSA PRIVATE KEY-----.

# with -----BEGIN PRIVATE KEY-----
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxLCJpYXQiOjE3MDExODQyODR9.acouVH2kUzUiBW534e-5ysLEuvBj_8U30W8nt4VXgU-avwYPjqPemNWekDKoFYRCDBYju-Ozy9ZnjTNOqrfQOuU6ezdzf1CHIlEj1D1059s_a7iEuEwlRkyXA49e9vyoP7-0Xbiiua17slZHQixJwbDrCyr3B6wezvedTJlxoK6JWv3zrSeQ0P6hTX8DtVxWLQFFwrH-4Mvibbe8oSUPZ6SH1apRH_8PF0XcoDadAtpMCc5agGf8-Y1mKhl82FFpoMa2P8w8sHmqGXDvNvG_t6PBHu-bB8KJ15_99R3C7YUu-bMWpdOs4T0TgSWGviyBUI4bjounbSKYgWUPsWDOgw
{ a: 1, iat: 1701184284 }

Then I looked at the commits and found this. I thought this was the reason why it didn't work before. But again, this was implemented in v3.3.2, yet I was testing it in v3.3.0.

The key headers were the only thing that was different from my previous test.

Although, as per this advisory, both headers should work in versions which are < 3.3.1.


simoneb commented on September 21, 2024

I'm not sure what to make of this though. The relevant line is this, which shows that BEGIN RSA PRIVATE KEY should be supported. 15a6e92#diff-0ea128c6a526ed8106ac0088dc7d2f94c0d351cc8edd06e24e79b8e5ae4c44a4R28


kavishkagihan commented on September 21, 2024

At this point, I am pretty sure that is the root cause. Just not sure why that would happen.

┌──(kali㉿kali)-[~/NEW]
└─$ cat public_key.pem|head
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoxxtE32WroZX5LpgGDQ6
B/LmBBpSAjeQ3ak4t8f1jVCuvfk3RoIGD4nOznGXL1SjKo1exYIpG/EnaWkIXo37
MUlZ/StEmXRWwDZtbrrNJrdj/4qam7527jwjhFESigj95bQ4ndMNqwIfptLt3mm2
t5QdTADy0eHdPdZ7fUuYeGj3BN9fKOnqXZkBRq7C2yB9RoWB0IU7hzHsf11ODbK7
Om4v3dlBm9fiH2dTMbJAxTloeIrMd1OXu/PM5d7qgDjC2TyDmqPgLKGvlfm18LTU
9w+r52qCjAUV0EIK3Ai/ACx4hLfwnb478ZvZfdXDgUhFOrKx92Jp+oejuHqWxPRE
xQIDAQAB
-----END PUBLIC KEY-----


┌──(kali㉿kali)-[~/NEW]
└─$ node test.js
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.dvQmAf8QruptEU1nqwuIHjuE90gftfKNnkOP6i0ErVByjwCij99WLM_6Xbq__OUVjJXwdGYlP71j6-pTrqr6ue8vT6KE-1oPChnc5WyCKZBvpjAuAHG8jF-M899CcHuYUFDQ-UJV0eaRf26ilvngIQE6RMKtdavsFoR3XpiUCXobMJbgZDNvzG5j36M10FccB68C-6Y4F75sid47jfKHKSEYiqJHo6jqSredLVjNNEbVAo3ee4oafLByzEDW6F1-MA3vJZZl522EwXFBv7MnFwvP5QJVOMGxL1R5tmbbOvLKy25v6uAO_VXKPciw4ZCr-BBzeUhuFzSsCauoDZJBhA
{ a: 1 }

┌──(kali㉿kali)-[~/NEW]
└─$ cat public_key.pem|head
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApNkAKU4ap1AWiQaeDvPXbLNcd8UElPIK9hYLoTUDD8CCx1YSs8Rr
ACSDlyRtFkwEiplsIvlh8wj/BvkUE9lgQOzO6mcMx7bcqJ2GKaANANBCI/T+r7+D
jeq9jH0pv49eMZzO4Ye5TapVkJEiq4SR/FkLigRVP1lM16IQGqxpjDr4/nHhZ7SF
98F8TC0Suh/F4wgZaN4qrzUaBJJ5ysA3DySLlQkraJpfje5bXFbH3flys8m2SNZf
otRjrMwBrzIvW0kz9qKkbkTUJX2k8hcGkWN6GeoKABx6+v3QXARap740u8lfFYVh
skeeAXg/WhrTIr6EHAIbnJlCWqzLFh9hNQIDAQAB
-----END RSA PUBLIC KEY-----

┌──(kali㉿kali)-[~/NEW]
└─$ node test.js
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.H-e_0TykHbQZfy91O-1CNo4DCIYnCpv2WEP_KPLAfsLKTY3-h27WxO6B2HS1MI23IipAFF5dBHjPTGyUx2GZUDKBqtny9D95DhAQOUYlBK3Z4B3Pg-YBTHWge--Iv0xyNCEHZuSHi7_vDlGl2dEqYH78m88Dh4PPinK22CUbn8WvWhdkGPAFbYmXMSKkypwiazmuAPG_rdltjNxRFBZeNg3-iRqrdFTTG64ZAVHE31v78V_hTyJj-4z8A5mGglMaGrf2WntXpR6vp5SWIFYG3-jrBoeZHpV0rIJQlzhvzobtmuJytMoPQTnUX6yoCc-qgkVCUou1369WUiXFe17gnA
/home/kali/NEW/node_modules/fast-jwt/src/verifier.js:322
      throw cacheSet(cacheContext, e)
      ^

TokenError: The token algorithm is invalid.

Also, it seems you had no problems with this before because the ssh-keygen commands you have mentioned in the advisory are the same ones I used to create mine (with -----BEGIN RSA PUBLIC KEY----- header).

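The two headers in the terminal session above name two encodings of an RSA public key: `BEGIN PUBLIC KEY` is the SPKI form and `BEGIN RSA PUBLIC KEY` is the PKCS#1 form. The following is an added example, not part of the thread and not fast-jwt's code: it exports one constructed key in both forms and verifies the same RS256 token against each using only `node:crypto`. The helper names `pemLabel`, `signRs256` and `verifyRs256` are hypothetical.

```javascript
// Added example: one RSA public key, two PEM encodings, one verifier.
const { generateKeyPairSync, createPublicKey, createSign, createVerify } = require('node:crypto')

// Constructed sample key pair, generated at run time (not a key from the thread).
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 })
const spkiPem = publicKey.export({ type: 'spki', format: 'pem' }) // BEGIN PUBLIC KEY
const pkcs1Pem = publicKey.export({ type: 'pkcs1', format: 'pem' }) // BEGIN RSA PUBLIC KEY

const b64url = (value) => Buffer.from(value).toString('base64url')
const fromB64url = (text) => Buffer.from(text, 'base64url')

// Text between "-----BEGIN " and "-----" on the first line of a PEM block.
function pemLabel (pem) {
  const match = /^-----BEGIN ([A-Z0-9 ]+)-----/.exec(pem.trim())
  return match ? match[1] : null
}

// Hypothetical helper: sign a minimal RS256 JWT with the sample private key.
function signRs256 (payload, key) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))
  const input = `${header}.${b64url(JSON.stringify(payload))}`
  return `${input}.${b64url(createSign('RSA-SHA256').update(input).sign(key))}`
}

// Hypothetical helper: verify an RS256 JWT against a PEM public key.
// The key is parsed by node:crypto, so the decision rests on the decoded key
// type and not on which of the two header strings the file starts with.
function verifyRs256 (token, pem) {
  const [h, p, s, ...rest] = token.split('.')
  if (!h || !p || !s || rest.length) throw new Error('malformed token')
  const { alg } = JSON.parse(fromB64url(h).toString('utf8'))
  if (alg !== 'RS256') throw new Error('token algorithm not allowed')
  const key = createPublicKey(pem)
  if (key.asymmetricKeyType !== 'rsa') throw new Error('not an RSA key')
  const valid = createVerify('RSA-SHA256').update(`${h}.${p}`).verify(key, fromB64url(s))
  if (!valid) throw new Error('invalid signature')
  return JSON.parse(fromB64url(p).toString('utf8'))
}

const token = signRs256({ a: 1 }, privateKey)
for (const pem of [spkiPem, pkcs1Pem]) {
  console.log(pemLabel(pem), '->', verifyRs256(token, pem))
}
```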

simoneb commented on September 21, 2024

@kavishkagihan can you please check if #415 fixes the issue for you?


github-actions commented on September 21, 2024

🎉 This issue has been resolved in version 3.3.3 🎉

The release is available on:

Your optic bot 📦🚀
