Open stephent opened 3 months ago
The readme states:
throws If options.throwError is true and the token is invalid, an error will be thrown.
But the verify method does not throw if the following line returns false, even if throwError is true:
https://github.com/tsndr/cloudflare-worker-jwt/blob/8a75c24253af770fc27b8cb9ff25adf2eaa3291c/src/index.ts#L232
This could result in invalid JWTs being mistakenly accepted, if the caller assumes they can simply try/catch with throwError passed as true and don't also check the return value.
See also #76 - the code shown there appears to make exactly this incorrect assumption.
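Added example, not part of the issue and not code from cloudflare-worker-jwt: it contrasts the try/catch-only calling pattern described above with a fail-closed wrapper that also checks the resolved value. `stubVerify` is a constructed stand-in that mimics the reported behaviour, and the `(token, secret, options)` call shape and all function names here are assumptions for illustration.

```javascript
// Constructed stand-in for the library's verify(), reproducing the behaviour
// reported above: with throwError set, a malformed token throws, but a failed
// signature check only resolves to false.
async function stubVerify(token, secret, options = {}) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    if (options.throwError) throw new Error('token must consist of 3 parts');
    return false;
  }
  // Constructed signature check: the "valid" signature is simply the secret.
  return parts[2] === secret;
}

// Pattern the issue warns about: try/catch only, resolved value ignored.
async function naiveIsAuthorized(verify, token, secret) {
  try {
    await verify(token, secret, { throwError: true });
    return true; // reached even when verify resolved to false
  } catch {
    return false;
  }
}

// Fail-closed wrapper: any falsy result becomes a rejection, so callers that
// rely on try/catch alone still reject the token.
async function verifyOrThrow(verify, token, secret) {
  const result = await verify(token, secret, { throwError: true });
  if (!result) throw new Error('JWT verification failed');
  return result;
}

async function strictIsAuthorized(verify, token, secret) {
  try {
    await verifyOrThrow(verify, token, secret);
    return true;
  } catch {
    return false;
  }
}
```

Passing the real `verify` function in place of `stubVerify` gives the same fail-closed behaviour whether the library reports failure by throwing or by resolving to a falsy value.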