tsndr / cloudflare-worker-jwt

A lightweight JWT implementation with ZERO dependencies for Cloudflare Workers.
MIT License
680 stars 55 forks

fix for base64 secrets #16

Closed badoge closed 2 years ago

badoge commented 2 years ago

fixes #15

I was still having the same issue with 1.4.1, but I played around with it, and replacing https://github.com/tsndr/cloudflare-worker-jwt/blob/594cdd6c05e2b0f137a7d0b53340cd212a9e9ba5/index.js#L114 and https://github.com/tsndr/cloudflare-worker-jwt/blob/594cdd6c05e2b0f137a7d0b53340cd212a9e9ba5/index.js#L77 with keyData = Base64URL.parse(secret) fixed the issue for me, but I also needed to add a check for non-base64 secrets.

tsndr commented 2 years ago

Can you please verify if this is still the case with v2.0.0?

badoge commented 2 years ago

Issue is still there on 2.0.0

tsndr commented 2 years ago

Unfortunately, those changes make the test fail.

tsndr commented 2 years ago

So if you can implement it without breaking HSxxx I will merge it :)

badoge commented 2 years ago

I updated the PR to use the 2.0.0 source, but I'm not confident that it will be reliable and was instead thinking of adding an extra parameter to sign() and verify() to indicate that the secret is base64-encoded.
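
The ambiguity discussed in this thread, as an added example that is not part of the PR or of cloudflare-worker-jwt: the same secret string gives different HMAC key bytes depending on whether it is used as UTF-8 text or base64-decoded, and a "looks like base64" check also accepts ordinary passphrases. The helper names and the `base64` option are hypothetical.

```javascript
// Added example, not library code. looksLikeBase64(), keyBytes(), hex() and
// hs256() are hypothetical helpers; the { base64 } option is an assumption.

// Heuristic check: is the string decodable as base64 / base64url?
function looksLikeBase64(s) {
  const body = s.replace(/={0,2}$/, ''); // drop optional padding
  return body.length > 0 && body.length % 4 !== 1 && /^[A-Za-z0-9+/_-]+$/.test(body);
}

// Explicit form: the caller states how the secret is encoded, nothing is guessed.
function keyBytes(secret, { base64 = false } = {}) {
  if (!base64) return new TextEncoder().encode(secret); // key = UTF-8 bytes of the string
  if (!looksLikeBase64(secret)) throw new TypeError('secret is not valid base64');
  // Map the URL-safe alphabet to the standard one, then decode to the real key bytes.
  const std = secret.replace(/={0,2}$/, '').replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(std), (c) => c.charCodeAt(0));
}

const hex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');

// HS256 over "header.payload" with WebCrypto (Workers, browsers, recent Node).
async function hs256(signingInput, secret, opts) {
  const key = await crypto.subtle.importKey(
    'raw', keyBytes(secret, opts), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
  const sig = await crypto.subtle.sign('HMAC', key, new TextEncoder().encode(signingInput));
  return hex(new Uint8Array(sig));
}

// Constructed sample secret: base64 of the ASCII text "secret".
const SAMPLE = 'c2VjcmV0';
// As text the key is 8 bytes; decoded it is 6 different bytes, so a token signed
// one way fails verification the other way.
const asText = hex(keyBytes(SAMPLE));                      // 6332566a636d5630
const asBase64 = hex(keyBytes(SAMPLE, { base64: true }));  // 736563726574
// A plain passphrase passes the heuristic too, which is why auto-detection would
// silently change the key for existing HSxxx users.
const passphraseMisdetected = looksLikeBase64('password'); // true
```

Calling `hs256('header.payload', SAMPLE)` and `hs256('header.payload', SAMPLE, { base64: true })` returns two different signatures for the same input.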