tsndr / cloudflare-worker-jwt

A lightweight JWT implementation with ZERO dependencies for Cloudflare Workers.
MIT License

Not handling tokens correctly (or at least discrepant) #72

Closed KTibow closed 6 months ago

KTibow commented 6 months ago

Token generated with jwt.io and a short secret (should be valid):

> await verify("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.NL-qcPsdJp2ZWDksf0Y3P5sA6SM3eCUdbah1QrqN4TI", "ZQ==")
false // should be true!

Token generated with this library is invalid according to jwt.io:

> await sign({payload: "sus"}, "ZQ==")
'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJwYXlsb2FkIjoic3VzIiwiaWF0IjoxNzA5NjA2MzU3fQ.ImBbIc-hOM8jR-TvLueXJF1ubExnz4w3dM1U-66Kmks' // this library thinks it's fine, but jwt.io says invalid signature

This problem isn't present at version 2.2.5.

widavies commented 6 months ago

I have the same problem, 2.2.5 works for me but not the latest. verify fails on a valid token created with sign.

My secret isn't short either.

KTibow commented 6 months ago

@tsndr explain why you're decodeURI/encodeURIComponent-ing all secrets passed in. This means that we can't use any secrets with = in them.