Issue #, if available: browser implementation regression of #6
Description of changes:
alg is optional per RFC 7517, but required on RsaHashedImportParams used by SubtleCrypto.importKey. If the JWK does not have an alg we'll use the one from the JWT header instead. This is secure, as we only allow one of RS256, RS384 and RS512 anyway.
"Illegal invocation" error happening in SimplePenaltyBox.registerFailedAttempt in the browser, likely caused by setTimeout binding - updated to window.setTimeout.bind(window)
Added browser test case with example token and JWKS missing alg
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
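
The alg fallback described above, as an added example that is not the pull request's or the project's own code: it resolves the RsaHashedImportParams for SubtleCrypto.importKey from the JWK, falling back to the JWT header only within the RS256/RS384/RS512 allowlist. The function names, the sample JWKs and the check that a JWK alg, when present, must equal the header alg are assumptions of this example.

```javascript
// Added example; resolveImportParams, importVerificationKey and tryResolve
// are hypothetical names, not the library's API.
// JWS alg -> hash needed by RsaHashedImportParams. Anything else is rejected.
const ALLOWED_ALGS = Object.freeze({
  RS256: 'SHA-256',
  RS384: 'SHA-384',
  RS512: 'SHA-512',
});

function resolveImportParams(jwk, jwtHeader) {
  if (!jwk || jwk.kty !== 'RSA') {
    throw new Error('JWK kty must be RSA');
  }
  const headerAlg = jwtHeader && jwtHeader.alg;
  // Own-property lookup so values like "constructor" never pass the allowlist.
  if (typeof headerAlg !== 'string' ||
      !Object.prototype.hasOwnProperty.call(ALLOWED_ALGS, headerAlg)) {
    throw new Error('JWT header alg not allowed: ' + String(headerAlg));
  }
  // alg is optional on a JWK (RFC 7517): fall back to the header value.
  const alg = jwk.alg === undefined ? headerAlg : jwk.alg;
  // Assumption of this example: a JWK that does declare alg must agree
  // with the token, so the header cannot override the key's declaration.
  if (alg !== headerAlg) {
    throw new Error('JWK alg ' + String(alg) + ' does not match header alg ' + headerAlg);
  }
  return { name: 'RSASSA-PKCS1-v1_5', hash: ALLOWED_ALGS[alg] };
}

// Browser or recent Node.js: import the public key for verification only.
async function importVerificationKey(jwk, jwtHeader) {
  const params = resolveImportParams(jwk, jwtHeader);
  return globalThis.crypto.subtle.importKey('jwk', jwk, params, false, ['verify']);
}

// Constructed sample JWKs (placeholder modulus, not a real key).
const jwkWithoutAlg = { kty: 'RSA', kid: 'example-kid', use: 'sig', n: 'PLACEHOLDER', e: 'AQAB' };
const jwkWithAlg = { ...jwkWithoutAlg, alg: 'RS256' };

// Returns the resolved hash name, or 'rejected' when resolution throws.
function tryResolve(jwk, header) {
  try { return resolveImportParams(jwk, header).hash; }
  catch (err) { return 'rejected'; }
}
```
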