elysiajs / elysia-jwt

Plugin for Elysia for using JWT Authentication
MIT License

Schema Validator Security Fix #3

Closed deadlinecode closed 1 year ago

deadlinecode commented 1 year ago

The schema was joined with a Union from typebox, which means either the schema is valid or the optional properties of the jwt payload.

This is not right, since validating an invalid token will come out as valid because it matches the other branch of the union, i.e. all the optional parameters of the jwt payload.

For example, given the following use call...

// Imports and a secret were not in the original snippet; added so it runs.
// The secret value is a placeholder (the plugin requires one).
import { Elysia, t } from "elysia";
import { jwt } from "@elysiajs/jwt";

new Elysia().use(
    jwt({
        name: "jwt",
        secret: "REPLACE_WITH_A_REAL_SECRET", // placeholder, not from the issue
        schema: t.Object({
            user: t.String(),
        })
    })
)

...a token with the following payload would pass as valid:

{
    "notUser": "lol"
}

An Intersect should be used (like implemented in this PR), which means the schema needs to be valid and the optional properties.
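
The Union-versus-Intersect behaviour described in the comment above, as an added example that is not code from elysia-jwt or from the PR. It uses a minimal hand-written checker standing in for TypeBox's `t.Object`, `t.Union` and `t.Intersect` (an assumption, chosen so it runs with no dependencies), with a constructed `{ notUser: "lol" }` payload and a constructed payload whose `exp` claim has the wrong type.

```typescript
// Added illustration, not plugin code: a tiny stand-in for TypeBox's
// Union/Intersect composition, enough to show why a forged payload passes
// the old Union schema and fails once Intersect is used.
type Check = (value: unknown) => boolean;

const isObject = (v: unknown): v is Record<string, unknown> =>
  typeof v === "object" && v !== null && !Array.isArray(v);

// Stand-in for t.Object({ user: t.String() }): `user` is a required string.
const userSchema: Check = (v) => isObject(v) && typeof v.user === "string";

// Stand-in for the plugin's payload schema: registered JWT claims, all optional.
const claimTypes: Record<string, (x: unknown) => boolean> = {
  iss: (x) => typeof x === "string",
  sub: (x) => typeof x === "string",
  aud: (x) => typeof x === "string" || Array.isArray(x),
  exp: (x) => typeof x === "number",
  nbf: (x) => typeof x === "number",
  iat: (x) => typeof x === "number",
  jti: (x) => typeof x === "string",
};
const jwtClaims: Check = (v) =>
  isObject(v) &&
  Object.entries(claimTypes).every(([key, ok]) => !(key in v) || ok(v[key]));

// Union: accepted when ANY branch accepts (the composition the issue reports).
const union = (...schemas: Check[]): Check => (v) => schemas.some((s) => s(v));
// Intersect: accepted only when EVERY branch accepts (the fix in this PR).
const intersect = (...schemas: Check[]): Check => (v) => schemas.every((s) => s(v));

const buggySchema = union(userSchema, jwtClaims);
const fixedSchema = intersect(userSchema, jwtClaims);

// Constructed payloads for the demonstration.
const forgedPayload = { notUser: "lol" };           // from the issue: no `user` at all
const validPayload = { user: "alice", exp: 1700000000 };
const badClaimPayload = { user: "alice", exp: "soon" }; // `exp` must be a number

function verifyPayload(schema: Check, payload: unknown): boolean {
  return schema(payload);
}

// With the Union, the forged payload matches the all-optional claims branch
// and is accepted; with Intersect the missing `user` property rejects it.
console.log(verifyPayload(buggySchema, forgedPayload), verifyPayload(fixedSchema, forgedPayload));
```

The Union also hides a wrongly typed registered claim (`badClaimPayload`), because the `user` branch alone satisfies it; Intersect checks both.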

deadlinecode commented 1 year ago

@SaltyAom