auth0 / node-jsonwebtoken

JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
MIT License
17.75k stars 1.23k forks

Version 9.0.0 - `sign` function throws error on frontend (in browser) #863

Open dawidreedsy opened 1 year ago

dawidreedsy commented 1 year ago

Description

When trying to use the jsonwebtoken sign function on the frontend, it throws an error:

    TypeError: Right-hand side of 'instanceof' is not an object
        at module.exports [as sign] (webpack://@jwtcreator/creator/./node_modules/jsonwebtoken/sign.js?:109:58)

It looks like this is this if:

    if (secretOrPrivateKey != null && !(secretOrPrivateKey instanceof KeyObject))

Reproduction

Just call sign function in the browser

Environment

"jsonwebtoken": "^9.0.0"

Chrome version: Version 108.0.5359.124 (Official Build) (arm64)

panva commented 1 year ago

jsonwebtoken is a Node.js module, its use in a browser was never intended. Versions before 9.0.0 could use webpack's polyfill of the Node.js built-in modules. This most likely a) relied on slow js cryptography that isn't maintained anymore and lacks feature parity with Node's crypto and b) increased your js bundle size considerably. FWIW webpack 5 also no longer defaults to using these questionable crypto polyfills anymore.

It is better to rely on JWT modules made to be consumed in browser environments. You can discover such modules on jwt.io under "JavaScript" libraries.

garypotato commented 1 year ago

I had the same issue; that's because I am using Node.js v8, which doesn't include KeyObject in the 'crypto' module. There are two ways to fix this issue: 1) update your node version to above v11; 2) don't use the latest version of jsonwebtoken.

Earle-Poole commented 1 year ago

I'm seeing a similar error after upgrading from 8.5.1 to 9.0.0 in my test suite. I think it's because I'm using a signing method that's not listed in the table at the bottom here: https://github.com/auth0/node-jsonwebtoken/wiki/Migration-Notes:-v8-to-v9

I'll report back once I try moving over to a listed one

DaphneChang commented 1 year ago

Update Node version to v12.0.0+ works for me, hope it can help you

Uzlopak commented 1 year ago

KeyObject is part of node 12 crypto library. The polyfills don't have that Object.
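
An added example, not part of the thread or of jsonwebtoken's code: it reproduces the TypeError from the issue against a constructed crypto object with no KeyObject export, and shows a preflight check that reports what is missing before the `instanceof` test runs. The names `polyfillLikeCrypto`, `isNotKeyObject`, `checkKeyObjectSupport`, `guardedIsNotKeyObject` and `captureError` are hypothetical.

```javascript
'use strict';
const nodeCrypto = require('crypto');

// Constructed stand-in for a bundler polyfill or an old runtime's crypto
// module: it offers HMAC but exports no KeyObject (assumption for this demo).
const polyfillLikeCrypto = { createHmac: nodeCrypto.createHmac };

// Same condition as the line quoted from sign.js, with the crypto module
// passed in. If cryptoModule.KeyObject is undefined, `instanceof` throws.
function isNotKeyObject(secretOrPrivateKey, cryptoModule) {
  const { KeyObject } = cryptoModule;
  return secretOrPrivateKey != null && !(secretOrPrivateKey instanceof KeyObject);
}

// Preflight: list the exports this demo needs that the module does not provide.
function checkKeyObjectSupport(cryptoModule) {
  const missing = ['KeyObject', 'createSecretKey']
    .filter((name) => typeof cryptoModule[name] !== 'function');
  return { supported: missing.length === 0, missing };
}

// Guarded variant: fails early with a message naming what is missing.
function guardedIsNotKeyObject(secretOrPrivateKey, cryptoModule) {
  const { supported, missing } = checkKeyObjectSupport(cryptoModule);
  if (!supported) {
    throw new Error(`crypto module lacks: ${missing.join(', ')}`);
  }
  return isNotKeyObject(secretOrPrivateKey, cryptoModule);
}

// Returns the error thrown by fn, or null when fn completes.
function captureError(fn) {
  try { fn(); return null; } catch (err) { return err; }
}

function demo() {
  const secret = 'constructed-demo-secret';
  const keyObject = nodeCrypto.createSecretKey(Buffer.from(secret));
  return {
    unguarded: String(captureError(() => isNotKeyObject(secret, polyfillLikeCrypto))),
    guarded: String(captureError(() => guardedIsNotKeyObject(secret, polyfillLikeCrypto))),
    thisRuntime: checkKeyObjectSupport(nodeCrypto),
    stringSecret: guardedIsNotKeyObject(secret, nodeCrypto),
    keyObjectSecret: guardedIsNotKeyObject(keyObject, nodeCrypto),
  };
}

console.log(demo());
```

Running `checkKeyObjectSupport` against the crypto module a bundle or CI image actually resolves shows at startup whether the `instanceof KeyObject` check can work there.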

darioackermann commented 1 year ago

> Update Node version to V12.0+ works for me, hope it can help you

In addition to this, when using node with version 18, jsonwebtoken v.9 will not work anymore in browsers. At least not in Edge/Chrome

bornkiraupgrade commented 1 year ago

> > Update Node version to V12.0+ works for me, hope it can help you
>
> In addition to this, node with version 18 will not work anymore in browsers. At least not in Edge/Chrome

So, does that mean if I am using node 18+ version, I cannot use msal-node library and have to look for an alternative? Kindly suggest if that is the case.

darioackermann commented 1 year ago

> > > Update Node version to V12.0+ works for me, hope it can help you
> >
> > In addition to this, node with version 18 will not work anymore in browsers. At least not in Edge/Chrome
>
> So, does that mean if I am using node 18+ version, I cannot use msal-node library and have to look for an alternative? Kindly suggest if that is the case.

I have edited my comment to avoid confusion. As far as I see, msal-node is not using jsonwebtoken.

bornkiraupgrade commented 1 year ago

It is using jsonwebtoken. Pasting the error which has the stack trace to show msal-node calling jsonwebtoken files:

    TypeError: Right-hand side of 'instanceof' is not an object
    2023-02-24T12:15:51.8277499Z at Object.module.exports [as sign] (D:\a_tasks\EsrpRelease_be2a31a6-134a-482d-a926-deef3349ffca\4.0.12\node_modules\jsonwebtoken\sign.js:108:58)
    2023-02-24T12:15:51.8278567Z at ClientAssertion.createJwt (D:\a_tasks\EsrpRelease_be2a31a6-134a-482d-a926-deef3349ffca\4.0.12\node_modules\@azure\msal-node\dist\msal-node.cjs.development.js:2255:29)
    2023-02-24T12:15:51.8279942Z at ClientAssertion.getJwt (D:\a_tasks\EsrpRelease_be2a31a6-134a-482d-a926-deef3349ffca\4.0.12\node_modules\@azure\msal-node\dist\msal-node.cjs.development.js:2219:19)
    2023-02-24T12:15:51.8281354Z at ConfidentialClientApplication.getClientAssertion (D:\a_tasks\EsrpRelease_be2a31a6-134a-482d-a926-deef3349ffca\4.0.12\node_modules\@azure\msal-node\dist\msal-node.cjs.development.js:1924:39)
    2023-02-24T12:15:51.8282834Z at ConfidentialClientApplication.buildOauthClientConfiguration (D:\a_tasks\EsrpRelease_be2a31a6-134a-482d-a926-deef3349ffca\4.0.12\node_modules\@azure\msal-node\dist\msal-node.cjs.development.js:1908:54)
    2023-02-24T12:15:51.8283947Z at process._tickCallback (internal/process/next_tick.js:68:7)

Neiz-Kap commented 1 year ago

I found this option here and this has helped me! Use:

    const jwt = require('jsonwebtoken');
    // instead of
    import jwt from 'jsonwebtoken'

lakshmankashyap commented 1 year ago

This helped me: `npm i jwt-decode`