Closed timyourivh closed 2 years ago
I'm afraid I don't quite understand the point of this Issue :/
I'm afraid I don't quite understand the point of this Issue :/
That's because it's an feature-request/enhancement, not an issue, bug or error. What I'm trying to say is: the JWT's are not validated with their signature (yet, or I missed something in the docs). Right now you could decode the token alter it encode it with a different signature and replace it in the app. This wouldn't be possible if the token was validated with the original (and secret) signature in the middle ware. The user would be logged out if the JWT is tampered with.
Right now I'm doing it manually in a middleware using jsonwebtoken:
import jwt from 'jsonwebtoken'
export default async ({ /* ... */ $config, $auth, error, /* ... */}) => {
// ...
const token = $auth.strategy.token.get().replace('Bearer ', '');
let tokenClaims;
try {
if (process.server && $config.jwtSignature !== undefined) {
// Validate token using signature
// $config.jwtSignature is only available on server since it contains the confidential signature
tokenClaims = jwt.verify(token, $config.jwtSignature)
} else {
tokenClaims = jwt.decode(token)
}
// Validate token claims
// Example: token issuer
if(tokenClaims['iss'] !== $config.issuer /* or 'mysite.com' */ ) {
error({statusCode: 401, message: "Invalid token issuer"})
}
} catch (error) {
// Handle error
}
// ...
}
This would strongly improve security
I said Issue because it is known on Github as Issue :) And now I understand it, thanks for the explanation.
I'm afraid I don't quite understand the point of this Issue :/
Yes it is a new feature request, but wouldn't it be nice to auth.JwtToken.Payload.UserName
Custom schemes could be used.
Is your feature request related to a problem? Please describe.
No, but this could be an awesome feature to have! :)
Describe the solution you'd like to see
Okay, so the package is still in "flux" but works great. I thought it would be great to addition to add a JWT signature validation to the middleware! (optional and only server-side of course). This could be easily implemented using jsonwebtoken or similar packages.
The config would look like this:
Describe alternatives you've considered
❌ No need to try any alternatives
Additional context
I may create a PR if possible 👷