hokaccha / node-jwt-simple

JWT(JSON Web Token) encode and decode module for node.js
MIT License

On ios device encoded string always have AAAAA in the end #61

Open Grundmanis opened 7 years ago

Grundmanis commented 7 years ago

Encoding example: jwt.encode('test','some123kinda_!&salt?')

[android]
'test' = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.InRlc3Qi.L4BH-TlaaPiRLvxtGHVNoJz7HkEreSeGt-k3sD7Koww
{foo: 'bar'} = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb28iOiJiYXIifQ.3VlOJdTsvJ8WIwFihdMMikTpAHcEpLzDd3itvzYVdJ0
['Alex', 'Michael'] = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.WyJBbGV4IiwiTWljaGFlbCJd.AiLX5nrNY3CXemdQ26ISw_KLbHR1FYCDHgzFGJx6ex4
12345 = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.MTIzNDU.6e4vozTjtPuaLlfFNZvEv3sJMKXnN_dn1oETZEFl71k

[ios]
'test' = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.InRlc3Qi.L4BH-TlaaPiRLvxtGHVNoJz7HkEreSeGt-k3sD7KowwAAAAA
{foo: 'bar'} = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb28iOiJiYXIifQ.3VlOJdTsvJ8WIwFihdMMikTpAHcEpLzDd3itvzYVdJ0AAAAA
['Alex', 'Michael'] = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.WyJBbGV4IiwiTWljaGFlbCJd.AiLX5nrNY3CXemdQ26ISw_KLbHR1FYCDHgzFGJx6ex4AAAAA
12345 = eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.MTIzNDU.6e4vozTjtPuaLlfFNZvEv3sJMKXnN_dn1oETZEFl71kAAAAA

Grundmanis commented 7 years ago

Any ideas?

zopthemop commented 7 years ago

This is happening for us in Edge too, but it seems to repeat the last 3 letters of the token before appending AAAAA.

Tokens generated in Edge:

jwt.encode({query: "foo"}, 'jwtform', 'HS256')
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJxdWVyeSI6ImZvbyJ9.tUOJCqukb5sibTdAH6WNjUSD4opowurJbeVJp6aZpe8pe8AAAAA"
jwt.encode({query: "fooz"}, 'jwtform', 'HS256')
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJxdWVyeSI6ImZvb3oifQ.rzoaVpnWK7LjxE5SPp1O_3Ov1FxD6J_1YfdC3ieD3KU3KUAAAAA"

Tokens generated in Chrome:

jwt.encode({query: "foo"}, 'jwtform', 'HS256')
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJxdWVyeSI6ImZvbyJ9.tUOJCqukb5sibTdAH6WNjUSD4opowurJbeVJp6aZpe8"
jwt.encode({query: "fooz"}, 'jwtform', 'HS256')
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJxdWVyeSI6ImZvb3oifQ.rzoaVpnWK7LjxE5SPp1O_3Ov1FxD6J_1YfdC3ieD3KU"

Hope this can be fixed, because right now we can't continue using the library without some really ugly hacks.

zopthemop commented 7 years ago

Seems to be due to a hard-to-reproduce bug in crypto-browserify/createHmac, see issue: https://github.com/crypto-browserify/createHmac/issues/12
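
Added example, not part of the thread and not code from jwt-simple or crypto-browserify: a Node.js check that decodes the signature segment of the 'test' tokens quoted in the first comment and shows what the extra characters are, plus a strict HS256 verifier that rejects a signature of the wrong length. The function names (`inspectSignature`, `verifyHS256`) and the use of Node's built-in `crypto` as the reference implementation are assumptions of this example.

```javascript
const crypto = require('crypto');

const HS256_SIG_BYTES = 32; // HMAC-SHA256 output: 32 bytes = 43 base64url chars

// Tokens for the payload 'test', copied from the first comment in this thread.
const HEAD = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.InRlc3Qi.';
const ANDROID_TOKEN = HEAD + 'L4BH-TlaaPiRLvxtGHVNoJz7HkEreSeGt-k3sD7Koww';
const IOS_TOKEN = HEAD + 'L4BH-TlaaPiRLvxtGHVNoJz7HkEreSeGt-k3sD7KowwAAAAA';

function fromB64url(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

function toB64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Report how a token's signature segment differs from a well-formed HS256 one.
function inspectSignature(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const sig = fromB64url(parts[2]);
  const extra = sig.subarray(HS256_SIG_BYTES);
  return {
    sigChars: parts[2].length,
    sigBytes: sig.length,
    extraBytes: extra.length,
    extraAllZero: extra.length > 0 && extra.every((b) => b === 0),
    first32: toB64url(sig.subarray(0, HS256_SIG_BYTES)), // what the segment should be
  };
}

// Strict verifier: the signature must be canonical base64url and exactly 32 bytes.
function verifyHS256(token, key) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const expected = crypto.createHmac('sha256', key)
    .update(parts[0] + '.' + parts[1]).digest();
  const given = fromB64url(parts[2]);
  if (parts[2] !== toB64url(given)) return false; // stray or non-canonical characters
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

console.log(inspectSignature(ANDROID_TOKEN));
console.log(inspectSignature(IOS_TOKEN));
```

The iOS signature decodes to 36 bytes: the same 32 bytes as the Android signature followed by four zero bytes, which is why the tail encodes as `AAAAA`.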