hi i just noticed while looking at your code, which is very helpful for workers btw, that there is no validation that the token algo is the same as the one specified in `verify()`, which i would expect around here.
there is a nice writeup on the auth0 site where they explain why this could be a critical security vuln.
basically it boils down to the server checking the rs256 signature while an attacker sends an hs256 signature.
i could create a pull request to fix this if you want, but it more or less boils down to `if (header.alg != options.alg) throw new Error('ALG_MISMATCH')`
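The check the post asks for, written out as an added example (not the library's code and not the poster's): the expected algorithm comes only from server configuration, the header's `alg` is compared to it strictly, and this happens before any signature is looked at. It assumes Node.js `Buffer` for base64url decoding; the tokens are constructed, with a dummy signature part, since only the header is inspected here.

```javascript
// base64url -> utf8 string (restores padding, then uses Buffer)
function base64urlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

// utf8 string -> base64url (used only to build the constructed tokens)
function base64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the parsed header when header.alg equals the algorithm the
// server configured (expectedAlg); throws ALG_MISMATCH otherwise.
// Run this BEFORE any signature check so the token can never pick the
// verification routine (this also rejects "none" and a missing alg).
function checkAlg(token, expectedAlg) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('MALFORMED');
  let header;
  try {
    header = JSON.parse(base64urlDecode(parts[0]));
  } catch (e) {
    throw new Error('MALFORMED');
  }
  if (typeof header.alg !== 'string' || header.alg !== expectedAlg) {
    throw new Error('ALG_MISMATCH');
  }
  return header;
}

// Constructed tokens: the third segment is a placeholder, not a real signature.
const payload = base64urlEncode(JSON.stringify({ sub: 'user1' }));
const rs256Token = `${base64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${payload}.sig`;
const hs256Token = `${base64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${payload}.sig`;
const noneToken = `${base64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }))}.${payload}.`;

// Server is configured for RS256: only the RS256 token passes the pin.
function outcome(token) {
  try { return checkAlg(token, 'RS256').alg; } catch (e) { return e.message; }
}
```

The signature verification step that follows this check should then use only the routine for `expectedAlg`, never a routine selected from `header.alg`.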