auth0 / express-jwt

connect/express middleware that validates a JsonWebToken (JWT) and sets req.user with its attributes
MIT License

Multi-Tenancy Documentation is Incorrect #233

Open Californian opened 4 years ago

Californian commented 4 years ago

Description

The section at https://github.com/auth0/express-jwt#multi-tenancy describes the signature of the (poorly-named, in the case of RSA-256 verification) "secret" function as req, payload, done, but, in usage, I found the signature to actually be req, header, payload, callback. I didn't dig into the code too much, so I'm not sure what that arity check is actually doing, but this seems to be the default behavior when I used it, so it would be good to at least call this out as a possibility.

Reproduction

You should just have to follow the documentation; I don't think I appreciably deviated from it.

Environment

Latest versions of all of express-jwt, jwks-rsa, etc (tried updating them all as a first fix attempt). I'm using an RSA-256 keypair.

HyperCharlie commented 3 years ago

Interestingly, the TypeScript types have a SecretCallback, which matches the documentation, and a SecretCallbackLong, which has the header in it. It's set up as a union type, which makes no sense because the two functions would conflict.
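The two callback shapes discussed above (the documented req, payload, done form and the longer req, header, payload, callback form that the arity check selects) can be modelled in a few lines. The block below is an added example, not express-jwt's own code: it re-implements the dispatch on the callback's declared parameter count as described in the issue, shows a multi-tenant key lookup written in each form, and shows the pitfall a stray fourth parameter causes. The tenant table, token objects and helper names (lookupSecret, secretByIssuer, secretByIssuerAndKid, secretMisdeclared) are constructed for the example.

```javascript
// Added example, not express-jwt's own code: a minimal model of the
// arity-based dispatch the issue describes. A "secret" callback declared with
// three parameters is called as (req, payload, done); one declared with four
// is called as (req, header, payload, done). Helper names are hypothetical.

// Constructed tenant key table: issuer -> { kid -> key }. In a real service
// this comes from a trusted store or each tenant's JWKS endpoint, never from
// the token itself.
const TENANT_KEYS = {
  'https://tenant-a.example': { k1: 'secret-a-1', k2: 'secret-a-2' },
  'https://tenant-b.example': { k1: 'secret-b-1' },
};

// Dispatch on Function.prototype.length, as the issue describes express-jwt
// doing. Note that `length` counts only parameters before the first default
// or rest parameter. The callback is invoked synchronously here so the
// outcome can be returned directly; express-jwt's real callback is
// asynchronous and the result goes to `done`.
function lookupSecret(secretCallback, req, decoded) {
  let outcome = { ok: false, error: 'callback did not call done' };
  const done = (err, secret) => {
    outcome = err ? { ok: false, error: err.message } : { ok: true, secret };
  };
  try {
    if (secretCallback.length === 4) {
      secretCallback(req, decoded.header, decoded.payload, done);
    } else {
      secretCallback(req, decoded.payload, done);
    }
  } catch (e) {
    // Reached when a mis-declared callback receives the payload object where
    // it expected the `done` function and tries to call it.
    outcome = { ok: false, error: `${e.constructor.name}: ${e.message}` };
  }
  return outcome;
}

// Short form (3 parameters), as documented: tenant chosen by the `iss` claim.
// Usable only when each tenant has a single key, because no kid is available.
function secretByIssuer(req, payload, done) {
  const keys = TENANT_KEYS[payload && payload.iss];
  if (!keys) return done(new Error('unknown issuer'));
  const kids = Object.keys(keys);
  if (kids.length !== 1) return done(new Error('issuer has several keys; use the long form'));
  return done(null, keys[kids[0]]);
}

// Long form (4 parameters): tenant from `iss`, key from the header `kid`.
// Both values are unverified at this point, so they are used only as lookup
// keys into the trusted table; an unknown issuer or kid is rejected rather
// than falling back to any default key.
function secretByIssuerAndKid(req, header, payload, done) {
  const keys = TENANT_KEYS[payload && payload.iss];
  if (!keys) return done(new Error('unknown issuer'));
  const key = keys[header && header.kid];
  if (!key) return done(new Error('unknown kid for issuer'));
  return done(null, key);
}

// Pitfall: an unused fourth parameter raises `length` to 4, so this callback
// is silently called with the long-form arguments. `payload` then holds the
// header and `done` holds the payload object, and calling it throws.
function secretMisdeclared(req, payload, done, _unused) {
  return done(null, 'never reached');
}

// Constructed decoded tokens (header + payload, the two parts the long form
// receives). Signatures are not checked here; only key selection is modelled.
const TOKEN_A_K2 = { header: { alg: 'RS256', kid: 'k2' }, payload: { iss: 'https://tenant-a.example', sub: 'u1' } };
const TOKEN_B_K1 = { header: { alg: 'RS256', kid: 'k1' }, payload: { iss: 'https://tenant-b.example', sub: 'u2' } };
const TOKEN_UNKNOWN_KID = { header: { alg: 'RS256', kid: 'k9' }, payload: { iss: 'https://tenant-a.example' } };

function main() {
  const req = {};
  console.log(lookupSecret(secretByIssuer, req, TOKEN_B_K1));             // { ok: true, secret: 'secret-b-1' }
  console.log(lookupSecret(secretByIssuer, req, TOKEN_A_K2));             // { ok: false, error: 'issuer has several keys; use the long form' }
  console.log(lookupSecret(secretByIssuerAndKid, req, TOKEN_A_K2));       // { ok: true, secret: 'secret-a-2' }
  console.log(lookupSecret(secretByIssuerAndKid, req, TOKEN_UNKNOWN_KID)); // { ok: false, error: 'unknown kid for issuer' }
  console.log(lookupSecret(secretMisdeclared, req, TOKEN_A_K2));          // { ok: false, error: 'TypeError: done is not a function' }
}

main();
```

The practical check this suggests: when a secret callback seems to receive the wrong arguments, inspect its `length` before suspecting the library, since default parameters, rest parameters and unused trailing parameters all change which form is selected.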