tsndr / cloudflare-worker-jwt

A lightweight JWT implementation with ZERO dependencies for Cloudflare Workers.
MIT License
680 stars 55 forks

algo validation missing #68

Closed Complexicon closed 8 months ago

Complexicon commented 8 months ago

Hi, I just noticed while looking at your code (which is very helpful for Workers, btw) that there is no validation that the token's alg is the same as the one specified in verify(), which I would expect around here.

There is a nice writeup on the Auth0 site where they explain why this could be a critical security vuln.

Basically it boils down to the server checking the RS256 signature while an attacker sends an HS256 signature.

I could create a pull request to fix this if you want, but it more or less boils down to if (header.alg != options.alg) throw new Error('ALG_MISMATCH')
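The check described above, written out as an added example (not the library's own code): decode the JWT header and compare its alg against the algorithm the verifier was configured with, strictly and before any signature work, so an HS256 token can never be checked by a verifier configured for RS256. The allow-list, error names and the token builder are assumptions made for the example.

```javascript
// Added example, not cloudflare-worker-jwt's code. Assumes Node.js (Buffer with 'base64url').
// Algorithms this verifier is prepared to handle; 'none' is deliberately absent (assumption).
const ALLOWED_ALGS = new Set([
  'HS256', 'HS384', 'HS512', 'RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512',
]);

function base64UrlDecode(segment) {
  // Reject characters outside the base64url alphabet instead of letting Buffer skip them.
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('PARSE_ERROR');
  return Buffer.from(segment, 'base64url').toString('utf8');
}

function decodeHeader(token) {
  if (typeof token !== 'string') throw new Error('PARSE_ERROR');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('PARSE_ERROR');
  let header;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
  } catch {
    throw new Error('PARSE_ERROR');
  }
  if (header === null || typeof header !== 'object' || Array.isArray(header)) {
    throw new Error('PARSE_ERROR');
  }
  return header;
}

// Run this before touching the key or the signature. The token's alg must be a string,
// must be one the verifier supports, and must equal the configured alg exactly
// (case-sensitive, no trimming), otherwise the token is rejected outright.
function checkAlgorithm(token, expectedAlg) {
  const header = decodeHeader(token);
  if (typeof header.alg !== 'string' || !ALLOWED_ALGS.has(header.alg)) {
    throw new Error('ALG_NOT_ALLOWED');
  }
  if (header.alg !== expectedAlg) throw new Error('ALG_MISMATCH');
  return header;
}

// Constructed sample tokens for the example: real header and payload segments,
// with a placeholder signature segment, since only the header check is exercised here.
function makeSampleToken(header, payload = { sub: 'alice' }) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc(header)}.${enc(payload)}.placeholder-signature`;
}
```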

tsndr commented 8 months ago

Should be fixed in v2.4.7; please reopen otherwise :)