auth0 / node-jsonwebtoken

JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
MIT License

No documentation for the 'invalid algorithm' Error, and default behaviour when algorithms options is not provided #594

Open amir-bio opened 5 years ago

amir-bio commented 5 years ago

The 'invalid algorithm' error generated from https://github.com/auth0/node-jsonwebtoken/blob/master/verify.js#L121 is not documented, so when users of the library encounter it they may need to look at the source code. (Seeing https://github.com/auth0/node-jsonwebtoken#errors--codes gave me the impression that all error messages would be documented there.)

Since it looks like other Errors are documented, I think this error should also be documented for completeness.

Additionally, the default behavior when no algorithm is provided in the options doesn't seem to be documented. This has caused issues for others before who have opened issues.

Related to this, from https://github.com/auth0/node-jsonwebtoken/blob/master/verify.js#L114: with the current logic, if the key contains BEGIN CERTIFICATE or BEGIN PUBLIC KEY, the default algorithms option's array is set to ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512'].

Is this expected behaviour? Do both of them imply the same set of algorithms? (If the code were to change it would be great to make the precedence of the || explicit, i.e. add parentheses around it. Even better would be to replace it with a switch and avoid nested ternaries.)

ziluvatar commented 5 years ago

I think all those points are nice improvements:

Good catch, if you have time feel free to open a PR.
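The default-selection logic discussed in this thread, written with one explicit branch per key marker, as an added example that is not part of the thread and is not node-jsonwebtoken's own code. The function names, the sample key and tokens, and the `BEGIN RSA PUBLIC KEY` and HMAC fallback branches are assumptions; only the `BEGIN CERTIFICATE` / `BEGIN PUBLIC KEY` default comes from the issue text.

```javascript
// Added illustration; hypothetical names, not the library's verify.js.
const ASYMMETRIC = ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512']; // from the issue
const RSA_ONLY = ['RS256', 'RS384', 'RS512'];  // assumption: PKCS#1 RSA public key
const HMAC = ['HS256', 'HS384', 'HS512'];      // assumption: fallback for shared secrets

// One marker per branch, so there is no || / ?: precedence to reason about.
function defaultAlgorithms(secretOrPublicKey) {
  const key = secretOrPublicKey.toString();
  if (key.includes('BEGIN CERTIFICATE')) return ASYMMETRIC;
  if (key.includes('BEGIN PUBLIC KEY')) return ASYMMETRIC;
  if (key.includes('BEGIN RSA PUBLIC KEY')) return RSA_ONLY;
  return HMAC;
}

// Read the (still untrusted) alg field from the JWT header segment.
function readHeaderAlg(token) {
  const headerB64 = token.split('.')[0];
  // Node's 'base64' decoder also accepts the URL-safe alphabet.
  return JSON.parse(Buffer.from(headerB64, 'base64').toString('utf8')).alg;
}

// Allow-list check only; signature verification would follow in real code.
// An explicit options.algorithms always takes precedence over the default.
function assertAllowedAlgorithm(token, secretOrPublicKey, options = {}) {
  const allowed = options.algorithms || defaultAlgorithms(secretOrPublicKey);
  const alg = readHeaderAlg(token);
  if (!allowed.includes(alg)) {
    throw new Error('invalid algorithm');
  }
  return alg;
}

// Constructed sample inputs (placeholder key body, dummy signature).
const SAMPLE_PEM =
  '-----BEGIN PUBLIC KEY-----\n(constructed placeholder)\n-----END PUBLIC KEY-----';

function sampleToken(alg) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg, typ: 'JWT' })}.${b64url({ sub: 'demo' })}.c2ln`;
}
```

With a PEM public key and no `algorithms` option, a token whose header says `HS256` is rejected with 'invalid algorithm'; passing `algorithms` explicitly removes any dependence on the key's text.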