auth0 / node-jws

JSON Web Signatures
http://self-issued.info/docs/draft-ietf-jose-json-web-signature.html
MIT License
706 stars 106 forks

Support base64 padding in json web tokens #98

Open wcauchois opened 3 years ago

wcauchois commented 3 years ago

This library appears to have taken a hard-line stance that = characters should not be allowed in the JWT encoding, per issue #49 and upstream at auth0/node-jsonwebtoken#607 - and it seems this is in keeping with the JWT spec.

However, I'm working with a feature in AWS whereby you can have a load balancer authenticate users using Cognito and then pass JWTs in special headers to your service. I am trying to verify those JWTs. The tokens include = characters (this is even documented here - "The JWT format includes a header, payload, and signature that are base64 URL encoded and includes padding characters at the end"). Although I realize these tokens are invalid, I'm not in a position to change their format.

One would think a workaround would be to just strip these padding characters from the token, but if the token payload includes padding characters then removing these invalidates the signature.

Fundamentally, I think that in order to verify these tokens while still using the jsonwebtoken library, then this library would need to be changed. I think specifically this line in verify-stream.js.

Would the maintainers of this library consider supporting padding characters in this regex? I'm not sure whether there would be negative security implications of universally supporting padding characters. If there are, perhaps this could be enabled behind a flag.

Thanks!

dimisus commented 3 years ago

Fun fact: I use the jsonwebtoken npm library to both sign and verify tokens in my backend. I came across an issue where I generate a jwt token which in the end has multiple '=' using jwt.sign(...), but I cannot verify the very same token with jwt.verify(...) without "manually" removing the paddings/equal signs.

panva commented 3 years ago

@dimisus jsonwebtoken does not produce JWTs with base64 encoding, neither the special characters, nor padding. If that's the case for you then please open an issue in jsonwebtoken with reproduction steps.