okta / okta-jwt-verifier-js

https://github.com/okta/okta-jwt-verifier-js

TypeError: Cannot assign to read only property 'setClaim' of object '[object Object]' #44

Closed Steve-Groner closed 3 months ago

Steve-Groner commented 3 months ago

Describe the bug

I upgraded to NodeJS 22.3.0 and I am receiving

```
/Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:241
      jwt[methodName] = method.bind({ body: jwtBodyProxy });
                      ^

TypeError: Cannot assign to read only property 'setClaim' of object '[object Object]'
    at /Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:241:29
    at Array.forEach (<anonymous>)
    at /Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:238:30
    at /Users/username/Documents/repos/application/src/bff_api/node_modules/njwt/index.js:63:7
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11)
```

Source Code in my api:

```js
const OktaJwtVerifier = require('@okta/jwt-verifier')

// inputOktaIssuer is supplied by the application's configuration
const oktaJwtVerifier = new OktaJwtVerifier({ issuer: inputOktaIssuer })

module.exports = {
  verifyToken: async function verifyToken (req, res, next) {
    const authHeader = req.headers.authorization // ['authorization']
    const token = authHeader && authHeader.split(' ')[1]

    if (!token) {
      return res.status(401).json({ message: 'No token provided' })
    }

    // Passing a string for expectedAud
    await oktaJwtVerifier.verifyAccessToken(token, 'api://default')
      .then((jwt) => {
        next()
      })
      .catch((err) => {
        return res.status(403).json({ message: `Invalid token - ${err}` })
      })
  }
}
```

Reproduction Steps?

I make an API call from my frontend app to my backend api, which verifies the Okta token. When using nodejs 18.x it worked fine, but now with this version it fails with the above error. I discovered this because my docker pull for base image must have upgraded to a new version of Node and it started failing.

SDK Versions

```
System:
  OS: macOS 14.5
  CPU: (16) x64 Intel(R) Core(TM) i7-10700K CPU @ 3.80GHz
  Memory: 21.12 GB / 72.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 22.3.0 - ~/.nvm/versions/node/v22.3.0/bin/node
  npm: 10.8.1 - ~/.nvm/versions/node/v22.3.0/bin/npm
Browsers:
  Chrome: 125.0.6422.144
  Safari: 17.5
npmPackages:
  @okta/jwt-verifier: ^3.2.0 => 3.2.0
```

Additional Information

No response

vincent-caraccio commented 3 months ago

Facing the exact same issue using node v20.14.0/Ubuntu.

Edit: after some investigations, I noticed that the "njwt" dependency got updated from "2.0.0" to "2.0.1". One temporary solution is to add "njwt": "2.0.0" to force that version in your package.json

jaydenseric commented 3 months ago

It's because of the njwt dependency updating from v2.0.0 to v2.0.1:

https://github.com/jwtk/njwt/blob/master/CHANGELOG.md#201

To fix a CVE, they are now freezing all their classes and their prototypes:

https://github.com/jwtk/njwt/pull/107/files#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346R435-R449

raphaelkabo commented 3 months ago

We're also being affected by this at @guardian. This hit us because our production builds use pnpm install --node-linker=hoisted, which appears to create a new lockfile in the build directory, which in turn pulls in njwt@2.0.1 rather than njwt@2.0.0 in our existing lockfile. We're copying the lockfile into the build directory to avoid this, but Okta should probably be pinning njwt to a specific version.

jaredperreault-okta commented 3 months ago

Thanks for the report, I am looking into this

jaredperreault-okta commented 3 months ago

I just published 3.2.1 which freezes the njwt dependency to mitigate the impact. I'll work on bumping the njwt version next

jaredperreault-okta commented 3 months ago

46 resolves the CVE (and this issue), released as 3.2.2