Open diegonc opened 7 years ago
When the payload (or any other part I guess) encoded string contains the character `-` (or `/` according to the spec) an error is produced, listed below, that triggers a 401 response even if the token is valid:
[lua] nginx-jwt.lua:49: auth(): Invalid token: invalid jwt string
Here's a token with such a character (HS256, secret is `secret`):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhYXo-IiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.uOUJ2GqqczYSZIYYLEtyMLzfz8AuOCatlAyPY9fc1P0
I fixed this issue by applying the following patch to release 1.0.1:
diff --git a/resty/jwt.lua b/resty/jwt.lua index cf26bae..b047cdf 100644 --- a/resty/jwt.lua +++ b/resty/jwt.lua @@ -55,6 +55,9 @@ end function _M.jwt_decode(self, b64_str, json_decode) + -- convert from base64url to base64 + b64_str = b64_str:gsub("[-_]", {["-"]="+",["_"]="/"}) + local reminder = #b64_str % 4 if reminder > 0 then b64_str = b64_str .. string.rep("=", 4 - reminder)
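Review bot: the added `b64_str:gsub("[-_]", ...)` line in `jwt_decode` translates only `-` and `_`, so a segment that already contains `+` or `/` passes through unchanged and the function ends up accepting both alphabets for the same token. JWT segments are base64url only, so consider rejecting any input that matches `[^A-Za-z0-9_%-]` before the conversion. In the context lines below it, a length with remainder 1 gets three `=` appended although no valid base64 string has that length; returning an error there would be cleaner, and `reminder` looks like a typo for `remainder`.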
Is this approach correct?
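The failure described in this issue can be reproduced offline on the payload segment of the token quoted above. The following is an added example, not code from the issue or from the library, and it is written in Python rather than the library's Lua so that it runs without nginx. The function names are hypothetical, and the strict alphabet and length checks are an assumption about how a decoder could be hardened, not something the patch does.

```python
import base64
import binascii
import re

# Payload segment of the token quoted in the issue; it contains "-".
PAYLOAD_SEGMENT = "eyJzdWIiOiJhYXo-IiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9"

# base64url alphabet without padding, as used for JWT segments.
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]*")


def _pad(segment: str) -> str:
    """Restore the "=" padding that JWT segments omit."""
    return segment + "=" * (-len(segment) % 4)


def decode_as_standard_base64(segment: str) -> bytes:
    """Decode with the standard alphabet only (+ and /), as the unpatched code did."""
    return base64.b64decode(_pad(segment), validate=True)


def decode_base64url_strict(segment: str) -> bytes:
    """Decode an unpadded base64url segment and reject everything else."""
    if not _B64URL_RE.fullmatch(segment):
        raise ValueError("character outside the base64url alphabet")
    if len(segment) % 4 == 1:
        raise ValueError("impossible length for base64 data")
    return base64.urlsafe_b64decode(_pad(segment))


def rejects(decoder, segment: str) -> bool:
    """Return True when the decoder refuses the segment."""
    try:
        decoder(segment)
    except (ValueError, binascii.Error):
        return True
    return False


if __name__ == "__main__":
    print("standard base64 rejects it:", rejects(decode_as_standard_base64, PAYLOAD_SEGMENT))
    print("base64url payload:", decode_base64url_strict(PAYLOAD_SEGMENT).decode())
    print("mixed alphabet rejected:", rejects(decode_base64url_strict, "YXo+"))
```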