tsndr / cloudflare-worker-jwt

A lightweight JWT implementation with ZERO dependencies for Cloudflare Workers.
MIT License
649 stars, 51 forks

`throwError` does not throw on invalid signature #80

Open stephent opened 3 months ago

stephent commented 3 months ago

The readme states:

throws

If options.throwError is true and the token is invalid, an error will be thrown.

But the verify method does not throw if the following line returns false, even if throwError is true:

https://github.com/tsndr/cloudflare-worker-jwt/blob/8a75c24253af770fc27b8cb9ff25adf2eaa3291c/src/index.ts#L232

This could result in invalid JWTs being mistakenly accepted, if the caller assumes they can simply try/catch with throwError passed as true and doesn't also check the return value.

stephent commented 3 months ago

See also #76 - the code shown there appears to make exactly this incorrect assumption.