search

nuxt-community / auth-module

Zero-boilerplate authentication support for Nuxt 2
https://auth.nuxtjs.org
MIT License
1.93k stars 924 forks source link

JWT Signature validation #1677

Closed timyourivh closed 2 years ago

timyourivh commented 2 years ago

Is your feature request related to a problem? Please describe.

No, but this could be an awesome feature to have! :)

Describe the solution you'd like to see

Okay, so the package is still in "flux" but works great. I thought it would be great to addition to add a JWT signature validation to the middleware! (optional and only server-side of course). This could be easily implemented using jsonwebtoken or similar packages.

The config would look like this:

auth: {
  // ...
  strategies: {
    local: {
      scheme: 'refresh',
      tokenType: 'JWT',
      // Full config
      signature: {
        // Required
        key: './sig.pem', // Signature file
        // Optional
        algorithm: ["HS256", "HS384"],
        // Token attributes to validate (all optional)
        attributes: {
          issuer: 'example.com',
          audience: 'audience',
          jwtid: 'jwtid',
          subject: 'subject',
          cutomprop: 'maybe?',
        }
      },
      // OR simple default config
      signature: {
        key: process.env.JWT_SIGNATURE, // Signature string
      }
    }
    // ...
  }
}

Describe alternatives you've considered

No need to try any alternatives

Additional context

I may create a PR if possible 👷

Intevel commented 2 years ago

I'm afraid I don't quite understand the point of this Issue :/

timyourivh commented 2 years ago

I'm afraid I don't quite understand the point of this Issue :/

That's because it's an feature-request/enhancement, not an issue, bug or error. What I'm trying to say is: the JWT's are not validated with their signature (yet, or I missed something in the docs). Right now you could decode the token alter it encode it with a different signature and replace it in the app. This wouldn't be possible if the token was validated with the original (and secret) signature in the middle ware. The user would be logged out if the JWT is tampered with.

Right now I'm doing it manually in a middleware using jsonwebtoken:

import jwt from 'jsonwebtoken'

export default async ({ /* ... */ $config, $auth, error, /* ... */}) => {
  // ...
  const token = $auth.strategy.token.get().replace('Bearer ', '');
  let tokenClaims;
  try {
    if (process.server && $config.jwtSignature !== undefined) {
      // Validate token using signature
      // $config.jwtSignature is only available on server since it contains the confidential signature
      tokenClaims = jwt.verify(token, $config.jwtSignature)
    } else {
      tokenClaims = jwt.decode(token)
    }

    // Validate token claims
    // Example: token issuer
    if(tokenClaims['iss'] !== $config.issuer /* or 'mysite.com' */ ) {
      error({statusCode: 401, message: "Invalid token issuer"})
    }
  } catch (error) {
    // Handle error
  }
  // ...
}

This would strongly improve security

Intevel commented 2 years ago

I said Issue because it is known on Github as Issue :) And now I understand it, thanks for the explanation.

TomMiller-mas commented 2 years ago

I'm afraid I don't quite understand the point of this Issue :/

Yes it is a new feature request, but wouldn't it be nice to auth.JwtToken.Payload.UserName

timyourivh commented 2 years ago

Custom schemes could be used.