From 76d69e6995ae2d72ed270f793ff8fc6ae443ad92 Mon Sep 17 00:00:00 2001 From: georgejmx Date: Sun, 9 Jun 2024 16:22:53 +0100 Subject: [PATCH 1/2] feat: allow verifying already decoded tokens --- README.md | 19 +++++++++++++-- lib/InvalidPayloadError.js | 12 ++++++++++ test/payload_callback.test.js | 44 +++++++++++++++++++++++++++++++++++ verify.js | 15 +++++++++--- 4 files changed, 85 insertions(+), 5 deletions(-) create mode 100644 lib/InvalidPayloadError.js create mode 100644 test/payload_callback.test.js diff --git a/README.md b/README.md index 4e20dd9..36d5233 100644 --- a/README.md +++ b/README.md @@ -123,13 +123,13 @@ jwt.sign({ }, 'secret', { expiresIn: '1h' }); ``` -### jwt.verify(token, secretOrPublicKey, [options, callback]) +### jwt.verify(token, secretOrPublicKey, [options, callback, payloadCallback]) (Asynchronous) If a callback is supplied, function acts asynchronously. The callback is called with the decoded payload if the signature is valid and optional expiration, audience, or issuer are valid. If not, it will be called with the error. (Synchronous) If a callback is not supplied, function acts synchronously. Returns the payload decoded if the signature is valid and optional expiration, audience, or issuer are valid. If not, it will throw the error. -> __Warning:__ When the token comes from an untrusted source (e.g. user input or external requests), the returned decoded payload should be treated like any other user input; please make sure to sanitize and only work with properties that are expected +> __Warning:__ When the token comes from an untrusted source (e.g. user input or external requests) and a payloadCallback is not specified, the returned decoded payload should be treated like any other user input; please make sure to sanitize and only work with properties that are expected `token` is the JsonWebToken string @@ -162,6 +162,10 @@ As mentioned in [this comment](https://github.com/auth0/node-jsonwebtoken/issues * `nonce`: if you want to check `nonce` claim, provide a string value here. It is used on Open ID for the ID Tokens. ([Open ID implementation notes](https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes)) * `allowInvalidAsymmetricKeyTypes`: if true, allows asymmetric keys which do not match the specified algorithm. This option is intended only for backwards compatability and should be avoided. +`payloadCallback` + +A function to specify custom validation of the token payload obtained from decoding the token. This function is applied before token verification. Throwing an error in this function will throw an error in `jwt.verify` before the token is verified, allowing sanitizing the token payload without needing to manually call `jwt.decode` before or after validation + ```js // verify a token symmetric - synchronous var decoded = jwt.verify(token, 'shhhhh'); @@ -221,6 +225,17 @@ jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) { // if token alg != RS256, err == invalid signature }); +// alo verify token payload +var cert = fs.readFileSync('public.pem'); // get public key +jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) { + // if token alg != RS256, err == invalid signature +}, function (payload) { + // specify custom payload schema validation here without needing to decode separately + if (payload.foo !== 'bar' || typeof payload.userId !== 'number') { + throw new Error('token does not have the correct schema'); + } +}); + // Verify using getKey callback // Example uses https://github.com/auth0/node-jwks-rsa as a way to fetch the keys. var jwksClient = require('jwks-rsa'); diff --git a/lib/InvalidPayloadError.js b/lib/InvalidPayloadError.js new file mode 100644 index 0000000..1fc63d6 --- /dev/null +++ b/lib/InvalidPayloadError.js @@ -0,0 +1,12 @@ +const JsonWebTokenError = require("./JsonWebTokenError"); + +const InvalidPayloadError = function (message, date) { + JsonWebTokenError.call(this, message); + this.name = "InvalidFormatError"; + this.date = date; +}; + +InvalidPayloadError.prototype = Object.create(JsonWebTokenError.prototype); +InvalidPayloadError.prototype.constructor = InvalidPayloadError; + +module.exports = InvalidPayloadError; diff --git a/test/payload_callback.test.js b/test/payload_callback.test.js new file mode 100644 index 0000000..9406908 --- /dev/null +++ b/test/payload_callback.test.js @@ -0,0 +1,44 @@ +'use strict'; + +const jwt = require('../index'); +const assert = require('chai').assert; +const expect = require('chai').expect; + +describe('payload callback', function() { + const KEY = 'somethingSECRET'; + const TEST_ERROR_MESSAGE = 'bar not car!'; + let testPayloadCallback; + + beforeEach(function() { + testPayloadCallback = function (payload) { + if (payload.foo !== 'bar') { + throw new Error(TEST_ERROR_MESSAGE); + } + } + }); + + it('should check that the payload satisfies the provided callback', function () { + const token = jwt.sign({ foo: 'bar' }, KEY); + const result = jwt.verify(token, KEY, undefined, undefined, testPayloadCallback); + expect(result.foo).to.equal('bar'); + }); + + it('should be compatible with async token verification', function () { + const testCallback = function (err, decoded) { + if (err) { + assert.fail(err.message); + } + expect(decoded.foo).to.equal('bar'); + } + + const token = jwt.sign({ foo: 'bar' }, KEY); + jwt.verify(token, KEY, {}, testCallback, testPayloadCallback); + }); + + it('should throw when the payload callback rejects', function () { + const token = jwt.sign({ foo: 'car' }, KEY); + expect(function () { + jwt.verify(token, KEY, undefined, undefined, testPayloadCallback) + }).to.throw(TEST_ERROR_MESSAGE); + }) +}) \ No newline at end of file diff --git a/verify.js b/verify.js index cdbfdc4..76faf34 100644 --- a/verify.js +++ b/verify.js @@ -1,6 +1,7 @@ const JsonWebTokenError = require('./lib/JsonWebTokenError'); const NotBeforeError = require('./lib/NotBeforeError'); const TokenExpiredError = require('./lib/TokenExpiredError'); +const InvalidPayloadError = require('./lib/InvalidPayloadError'); const decode = require('./decode'); const timespan = require('./lib/timespan'); const validateAsymmetricKey = require('./lib/validateAsymmetricKey'); @@ -18,7 +19,7 @@ if (PS_SUPPORTED) { RSA_KEY_ALGS.splice(RSA_KEY_ALGS.length, 0, 'PS256', 'PS384', 'PS512'); } -module.exports = function (jwtString, secretOrPublicKey, options, callback) { +module.exports = function (jwtString, secretOrPublicKey, options, callback, payloadCallback) { if ((typeof options === 'function') && !callback) { callback = options; options = {}; @@ -159,6 +160,16 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { } } + const payload = decodedToken.payload; + if (typeof payloadCallback === 'function') { + try { + payloadCallback(payload); + } catch (e) { + const message = e instanceof Error ? e.message : 'invalid token payload'; + return done(new InvalidPayloadError(message)); + } + } + let valid; try { @@ -171,8 +182,6 @@ module.exports = function (jwtString, secretOrPublicKey, options, callback) { return done(new JsonWebTokenError('invalid signature')); } - const payload = decodedToken.payload; - if (typeof payload.nbf !== 'undefined' && !options.ignoreNotBefore) { if (typeof payload.nbf !== 'number') { return done(new JsonWebTokenError('invalid nbf value')); From e3c9b623cc31d712fdb2f4dbac8b41a36c03f139 Mon Sep 17 00:00:00 2001 From: georgejmx Date: Sun, 9 Jun 2024 17:35:18 +0100 Subject: [PATCH 2/2] chore: error cleanup and docs --- README.md | 24 ++++++++++++++++++++++++ lib/InvalidPayloadError.js | 5 ++--- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 36d5233..0c950d5 100644 --- a/README.md +++ b/README.md @@ -366,6 +366,30 @@ jwt.verify(token, 'shhhhh', function(err, decoded) { }); ``` +### InvalidPayloadError +Thrown if the payload validation callback failed. The error message will be inherited from the error thrown in the `payloadCallback` or defaults to *'invalid token payload'* if for example a number was thrown and not an error + +Error object example: + +* name: 'InvalidPayloadError' +* message: 'invalid token payload' + +```js +jwt.verify(token, 'shhhhh', function(err, decoded) { + if (err) { + /* + err = { + name: 'InvalidPayloadError', + message: 'foo property not equal to bar', + } + */ + } +}, function (payload) { + if (payload.foo !== 'bar') { + throw new Error('foo property not equal to bar'); + } +}); +``` ## Algorithms supported diff --git a/lib/InvalidPayloadError.js b/lib/InvalidPayloadError.js index 1fc63d6..af4fc96 100644 --- a/lib/InvalidPayloadError.js +++ b/lib/InvalidPayloadError.js @@ -1,9 +1,8 @@ const JsonWebTokenError = require("./JsonWebTokenError"); -const InvalidPayloadError = function (message, date) { +const InvalidPayloadError = function (message) { JsonWebTokenError.call(this, message); - this.name = "InvalidFormatError"; - this.date = date; + this.name = "InvalidPayloadError"; }; InvalidPayloadError.prototype = Object.create(JsonWebTokenError.prototype);