Open lukepayyapilli opened 6 months ago
It doesn't seem your "token" value has an "alg" attribute with "HS256". You can find an example at this site: https://jwt.io/
It does - I copied my token to the site and was able to properly verify it. I'm using the exact same token and getting this error when calling verifyJWT. I'm not sure if it's an issue with TypeScript since it's saying it is a type error.
Since this is local development (my secret I'm using is just super_secret), I'll provide an example of the log of values I'm passing to the function and the logic of my method:
My auth logic:
    logger.info(payload);
    const token = payload;
    const [encodedHeader, encodedPayload, encodedSignature] = token.split('.');
    try {
        const jwtSecret = ctx.env.JWT_VALUE;
        if (!jwtSecret) {
            logger.error("JWT secret not provided in environment variable");
            return JSON.stringify({ error: "JWT secret not provided" });
        }
        const decodedPayload = JSON.parse(KJUR.b64utoutf8(encodedPayload));
        logger.info("ENCODED HEADER: " + encodedHeader);
        logger.info("DECODED HEADER: " + KJUR.b64utoutf8(encodedHeader))
        logger.info("ENCODED SIGNATURE: " + encodedSignature);
        logger.info("DECODED PAYLOAD SUB: " + decodedPayload.sub);
        const currentTimestamp = Math.floor(Date.now() / 1000);
        if (decodedPayload.exp && decodedPayload.exp < currentTimestamp) {
            logger.error("JWT has expired");
            return JSON.stringify({ error: "JWT has expired" });
        }
        // TODO: Implement signature verification once this issue is resolved:
        // https://github.com/kjur/jsrsasign/issues/613
        const isValid = jsrsasign.KJUR.jws.JWS.verifyJWT(token, jwtSecret, {"alg": ["HS256"]});
        if (!isValid) {
            logger.error("JWT signature validation failed");
            return JSON.stringify({ error: "JWT signature validation failed" });
        }
    } catch (error) {
        logger.error(`JWT validation failed: ${error}`);
        return JSON.stringify({ error: `JWT validation failed: ${error}` });
    }
}
Logs:
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsdWtlQGx1a2UuY29tIiwicGVybWlzc2lvbnMiOiJ1c2VyIiwiZXhwIjoxNzEwMzQ0OTg4fQ.vrPkZ1Nh6_4qyRn7gQ3N7frpl-JS3XGhOc_gxQNc8zg"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"ENCODED HEADER: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"DECODED HEADER: {\"alg\":\"HS256\",\"typ\":\"JWT\"}"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"ENCODED SIGNATURE: vrPkZ1Nh6_4qyRn7gQ3N7frpl-JS3XGhOc_gxQNc8zg"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"DECODED PAYLOAD SUB: luke@luke.com"}
{"level":"error","caller":"server/runtime_javascript_logger.go:94","msg":"JWT validation failed: TypeError: Cannot read property 'alg' of undefined"}
Any ideas, @kjur?
@lukepayyapilli, I tried verifyJWT and it works fine for me. Could you provide the token and the secret which failed? I can investigate it further.
@kjur it is included in the logs above:
secret: super_secret
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsdWtlQGx1a2UuY29tIiwicGVybWlzc2lvbnMiOiJ1c2VyIiwiZXhwIjoxNzEwMzQ0OTg4fQ.vrPkZ1Nh6_4qyRn7gQ3N7frpl-JS3XGhOc_gxQNc8zg
Another interesting piece of information @kjur is that I'm using goja instead of node for my runtime with typescript. I'm not sure if that matters in this case but unfortunately I have to use goja.
I tried following the docs:
This is what I'm running:
const isValid = KJUR.jws.JWS.verifyJWT(token, jwtSecret, {alg: ["HS256"]});
but this throws an error:
TypeError: Cannot read property 'alg' of undefined
Please let me know what I'm missing. It seems like according to the docs this should work.
I'm using these versions:
Thanks!
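An added example, not part of the thread and not jsrsasign code: a stand-alone HS256 check for Node.js that can cross-check a token and secret outside the goja runtime, applying the same HS256-only allow-list the post passes to verifyJWT. It verifies the signature before reading any claim; the function names and the sample token minted by signHS256 are constructed for illustration.

```javascript
// Added example, not jsrsasign code. Uses only Node's built-in crypto module.
const crypto = require('node:crypto');

// Constructed helper: mints a sample HS256 token so the example runs offline.
function signHS256(payload, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const signingInput = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`;
  const sig = crypto.createHmac('sha256', secret).update(signingInput).digest('base64url');
  return `${signingInput}.${sig}`;
}

// Parses one base64url segment as a JSON object; returns null on any failure.
function readSegment(segment) {
  try {
    const value = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
    return value !== null && typeof value === 'object' ? value : null;
  } catch {
    return null;
  }
}

// Returns { ok: true, payload } or { ok: false, error }.
function verifyHS256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof token !== 'string') return { ok: false, error: 'token is not a string' };
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, error: 'expected three segments' };
  const [head, body, sig] = parts;

  // 1. Algorithm allow-list: only HS256, so "none" or RS256 headers are refused.
  const header = readSegment(head);
  if (!header || header.alg !== 'HS256') return { ok: false, error: 'alg not allowed' };

  // 2. Recompute the HMAC over "header.payload" and compare in constant time.
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, error: 'bad signature' };
  }

  // 3. Only now are the claims trusted enough to read.
  const payload = readSegment(body);
  if (!payload) return { ok: false, error: 'payload is not a JSON object' };
  if (typeof payload.exp === 'number' && payload.exp < nowSeconds) {
    return { ok: false, error: 'expired' };
  }
  return { ok: true, payload };
}
```

A malformed or missing token yields a returned error object rather than a thrown TypeError, which makes it easier to tell a bad input from a runtime problem.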