kjur / jsrsasign

The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES and JSON Web Signature/Token in pure JavaScript.
https://kjur.github.io/jsrsasign

verifyJWT error TypeError: Cannot read property 'alg' of undefined #613

Open lukepayyapilli opened 6 months ago

lukepayyapilli commented 6 months ago

I tried following the docs:

    // simple validation for HS256
    isValid = KJUR.jws.JWS.verifyJWT("eyJhbG...", "616161", {alg: ["HS256"]}),

This is what I'm running:

    const isValid = KJUR.jws.JWS.verifyJWT(token, jwtSecret, {alg: ["HS256"]});

but this throws an error: TypeError: Cannot read property 'alg' of undefined

Please let me know what I'm missing. It seems like according to the docs this should work.

I'm using these versions:

"typescript": "5.0.4",
"jsrsasign": "11.1.0",
"jsrsasign-util": "1.0.5"

Thanks!

kjur commented 6 months ago

It doesn't seem your "token" value has an "alg" attribute with "HS256". You can find an example at this site: https://jwt.io/

lukepayyapilli commented 6 months ago

It does - I copied my token to the site and was able to properly verify it. I'm using the exact same token and getting this error when calling verifyJWT. I'm not sure if it's an issue with TypeScript since it's saying it is a type error.

Since this is local development (my secret I'm using is just super_secret), I'll provide an example of the log of values I'm passing to the function and the logic of my method:

My auth logic:

    logger.info(payload);
    const token = payload;
    const [encodedHeader, encodedPayload, encodedSignature] = token.split('.');
    try {
        const jwtSecret = ctx.env.JWT_VALUE;

        if (!jwtSecret) {
            logger.error("JWT secret not provided in environment variable");
            return JSON.stringify({ error: "JWT secret not provided" });
        }
        const decodedPayload = JSON.parse(KJUR.b64utoutf8(encodedPayload));
        logger.info("ENCODED HEADER: " + encodedHeader);
        logger.info("DECODED HEADER: " + KJUR.b64utoutf8(encodedHeader))
        logger.info("ENCODED SIGNATURE: " + encodedSignature);
        logger.info("DECODED PAYLOAD SUB: " + decodedPayload.sub);

        const currentTimestamp = Math.floor(Date.now() / 1000);

        if (decodedPayload.exp && decodedPayload.exp < currentTimestamp) {
            logger.error("JWT has expired");
            return JSON.stringify({ error: "JWT has expired" });
        }
        // TODO: Implement signature verification once this issue is resolved:
        // https://github.com/kjur/jsrsasign/issues/613
        const isValid = jsrsasign.KJUR.jws.JWS.verifyJWT(token, jwtSecret, {"alg": ["HS256"]});

        if (!isValid) {
            logger.error("JWT signature validation failed");
            return JSON.stringify({ error: "JWT signature validation failed" });
        }
    } catch (error) {
        logger.error(`JWT validation failed: ${error}`);
        return JSON.stringify({ error: `JWT validation failed: ${error}` });
    }
    }

Logs:


{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsdWtlQGx1a2UuY29tIiwicGVybWlzc2lvbnMiOiJ1c2VyIiwiZXhwIjoxNzEwMzQ0OTg4fQ.vrPkZ1Nh6_4qyRn7gQ3N7frpl-JS3XGhOc_gxQNc8zg"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"ENCODED HEADER: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"DECODED HEADER: {\"alg\":\"HS256\",\"typ\":\"JWT\"}"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"ENCODED SIGNATURE: vrPkZ1Nh6_4qyRn7gQ3N7frpl-JS3XGhOc_gxQNc8zg"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"DECODED PAYLOAD SUB: luke@luke.com"}
{"level":"error","caller":"server/runtime_javascript_logger.go:94","msg":"JWT validation failed: TypeError: Cannot read property 'alg' of undefined"}

lukepayyapilli commented 6 months ago

Any ideas @kjur?

kjur commented 5 months ago

@lukepayyapilli, I tried verifyJWT and it works fine for me. Could you provide the token and the secret that failed? I can investigate it further.

lukepayyapilli commented 5 months ago

@kjur it is included in the logs above:

    secret: super_secret
    token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsdWtlQGx1a2UuY29tIiwicGVybWlzc2lvbnMiOiJ1c2VyIiwiZXhwIjoxNzEwMzQ0OTg4fQ.vrPkZ1Nh6_4qyRn7gQ3N7frpl-JS3XGhOc_gxQNc8zg

lukepayyapilli commented 5 months ago

Another interesting piece of information @kjur is that I'm using goja instead of Node for my runtime with TypeScript. I'm not sure if that matters in this case, but unfortunately I have to use goja.
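
An added example (not from the thread and not jsrsasign code): a self-contained HS256 check using Node's built-in `crypto` module, useful for confirming a token and secret independently of `verifyJWT` and of the runtime it is called from. It pins `alg`, compares the MAC in constant time, and reads `exp` only after the signature passes; `signHS256`, `verifyHS256` and the sample token and secret are constructed for illustration, and Node (not goja) is assumed.

```javascript
const crypto = require("node:crypto");

// base64url helpers (Node >= 16 supports the "base64url" encoding)
const b64u = (buf) => Buffer.from(buf).toString("base64url");
const fromB64u = (s) => Buffer.from(s, "base64url");

// Constructed helper: builds an HS256 token for the sample input below.
function signHS256(payload, secret) {
  const head = b64u(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64u(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64u(sig)}`;
}

// Returns { ok: true, claims } or { ok: false, error }; a malformed token does not throw.
function verifyHS256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof secret !== "string" || !secret) return { ok: false, error: "secret missing" };
  if (typeof token !== "string") return { ok: false, error: "token is not a string" };
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, error: "token must have 3 segments" };
  const [head, body, sig] = parts;

  let header;
  try { header = JSON.parse(fromB64u(head).toString("utf8")); }
  catch { return { ok: false, error: "header is not valid JSON" }; }
  // Pin the algorithm: the token must not choose how it is verified.
  if (!header || header.alg !== "HS256") return { ok: false, error: "unexpected alg" };

  // Recompute the MAC over the received segments and compare in constant time.
  const expected = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = fromB64u(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, error: "signature mismatch" };
  }

  // Only after the signature passes is the payload parsed and exp checked.
  let claims;
  try { claims = JSON.parse(fromB64u(body).toString("utf8")); }
  catch { return { ok: false, error: "payload is not valid JSON" }; }
  if (!claims || typeof claims !== "object") return { ok: false, error: "payload is not an object" };
  if (typeof claims.exp === "number" && claims.exp < nowSec) return { ok: false, error: "expired" };
  return { ok: true, claims };
}

// Constructed sample input (not the token from the thread).
const demoToken = signHS256({ sub: "user@example.test", exp: 4102444800 }, "demo_secret");
console.log(verifyHS256(demoToken, "demo_secret"));
```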