auth0 / node-jsonwebtoken

JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
MIT License

Malformed token error with base64 encoded secret #783

Open revjtanton opened 3 years ago

revjtanton commented 3 years ago

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Description

Using a base64 encoded secret with an HS256 token generates a Malformed token error. A full output of the error is as follows:

app_1  | Error: Malformed token
app_1  |     at /usr/src/app/.build/src/auth/authController.js:54:27
app_1  |     at step (/usr/src/app/.build/src/auth/authController.js:33:23)
app_1  |     at Object.next (/usr/src/app/.build/src/auth/authController.js:14:53)
app_1  |     at /usr/src/app/.build/src/auth/authController.js:8:71
app_1  |     at new Promise (<anonymous>)
app_1  |     at __awaiter (/usr/src/app/.build/src/auth/authController.js:4:12)
app_1  |     at exports.handler (/usr/src/app/.build/src/auth/authController.js:47:45)
app_1  |     at InProcessRunner.run (/usr/src/app/node_modules/serverless-offline/dist/lambda/handler-runner/in-process-runner/InProcessRunner.js:190:16)
app_1  |     at processTicksAndRejections (internal/process/task_queues.js:97:5)
app_1  |     at async LambdaFunction.runHandler (/usr/src/app/node_modules/serverless-offline/dist/lambda/LambdaFunction.js:355:20)
app_1  |     at async Object.authenticate (/usr/src/app/node_modules/serverless-offline/dist/events/http/createAuthScheme.js:101:24)
app_1  |     at async module.exports.internals.Manager.execute (/usr/src/app/node_modules/@hapi/hapi/lib/toolkit.js:45:28)
app_1  |     at async module.exports.internals.Auth._authenticate (/usr/src/app/node_modules/@hapi/hapi/lib/auth.js:256:30)
app_1  |     at async Request._lifecycle (/usr/src/app/node_modules/@hapi/hapi/lib/request.js:312:32)
app_1  |     at async Request._execute (/usr/src/app/node_modules/@hapi/hapi/lib/request.js:221:9)
app_1  | offline: Authorization function returned an error response: (λ: auth)

Reproduction

  1. Generate a token and key from here: https://java.jsonwebtoken.io/ or https://jwt.io and set the secret to base64-encoded
  2. Add the secret key to your project.
  3. Pass a request with the generated JWT and watch it error out. Code as follows:
      const jwt = require('jsonwebtoken');

      // token: the JWT taken from the request; JWT_KEY: the base64-encoded secret from the environment
      const valid = jwt.verify(
        token,
        Buffer.from(process.env.JWT_KEY, 'base64'),
        { algorithms: ['HS256'] }
      );

Environment

Please provide the following:

revjtanton commented 3 years ago

I guess nobody else is having this issue? I have been unable to find any workaround.

Jeff-Tian commented 3 years ago

Met the same issue with HS256, without 'base64'. But it only occurs sometimes, not always. :-(

KevsRepos commented 3 years ago

Got the same issue. This is driving me crazy.

Amer-Jabar commented 2 years ago

I generated the token with Spring Boot's JWS library and verified it with jsonwebtoken in a Node.js server without any issues. If you try to verify it without setting it to base64, it will not verify the token (at least when signing it with base64, as in my case).

toymachiner62 commented 2 years ago

Shouldn't

Buffer.from(process.env.JWT_KEY, 'base64'),

actually be

Buffer.from(process.env.JWT_KEY).toString('base64')

?