julianlam / nodebb-plugin-session-sharing

Allows login sessions from your app to persist in NodeBB
MIT License

Unsafe token validation #86

Open revilwang opened 4 years ago

revilwang commented 4 years ago

According to Validating a JWT,

there is a risk of algorithm substitution attacks, in which an attacker can use an existing digital signature value with a different signature algorithm to make it appear that a signer has signed something that it has not

But no algorithm configuration was found. The jsonwebtoken package has an example of validating against the algorithm.

// alg mismatch
var fs = require('fs');
var jwt = require('jsonwebtoken');

var cert = fs.readFileSync('public.pem'); // get public key
jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {
  // if token alg != RS256,  err == invalid signature
});

Hope this is supported.

julianlam commented 4 years ago

We use the jsonwebtoken package quite transparently, so yes, this is possible. Just a thought, though... in that if you were to substitute a different signature, wouldn't you still have to know the secret to do so?

Nevertheless, I'll add in the option to specify allowed algorithms in the ACP (defaulting to... either all of them, or HS256)
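
Added example (not from the thread, the plugin, or jsonwebtoken): a minimal HMAC-only JWT verifier built on Node's `crypto` module that checks the header's `alg` against an allow-list before any signature is computed, which is the behaviour the `algorithms` option discussed above provides. The function names, secret and payload are constructed for illustration.

```javascript
// Added example: allow-list check on a JWT's "alg" header, Node built-ins only.
const crypto = require('crypto');

// JWS HMAC algorithm names mapped to Node digest names.
const HMAC_ALGS = new Map([['HS256', 'sha256'], ['HS384', 'sha384'], ['HS512', 'sha512']]);
const b64url = (v) => Buffer.from(v).toString('base64url');

// Builds a constructed sample token so the example runs offline.
function signSample(payload, secret, alg) {
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  const sig = alg === 'none'
    ? ''
    : crypto.createHmac(HMAC_ALGS.get(alg), secret).update(input).digest('base64url');
  return `${input}.${sig}`;
}

// Verifies a token; the token's own header never chooses the algorithm
// unless the operator has allowed that algorithm explicitly.
function verifyPinned(token, secret, allowedAlgs) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  let header;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  } catch (e) {
    throw new Error('malformed token');
  }
  const alg = header && header.alg;
  if (typeof alg !== 'string' || !allowedAlgs.includes(alg) || !HMAC_ALGS.has(alg)) {
    throw new Error('invalid algorithm'); // rejected before any crypto runs
  }
  const expected = crypto.createHmac(HMAC_ALGS.get(alg), secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}

// Runs constructed tokens through a verifier pinned to HS256 only.
function checkSamples() {
  const secret = 'constructed-demo-secret';
  const outcome = (alg, key) => {
    try { verifyPinned(signSample({ id: 42 }, key, alg), secret, ['HS256']); return 'accepted'; }
    catch (e) { return e.message; }
  };
  return { HS256: outcome('HS256', secret), HS512: outcome('HS512', secret),
           none: outcome('none', secret), wrongKey: outcome('HS256', 'other-secret') };
}
```

The HS512 sample is signed with the correct secret and is still refused, because the allow-list is evaluated before the signature.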