fix(auth): revert to using decode instead of verify for jwt #227
The move to `verify` was a bit shortsighted. It requires a public key or secret as an argument to verify the signed token. Typical usage of IBM's IAM service doesn't lend itself to this flow and the tokens returned don't have valid JWT signatures. This led to a runtime error every time the core made an IAM request - a bit of a showstopping bug.

Additionally, we never had a goal of performing client-side validation of these tokens, we only decode them to determine the expiration time for usage in our refresh logic. The `decode` method is perfectly sufficient for that and indeed is called within the `verify` method anyways. Perhaps this flow will change in the future but this is all we need for now.

This reverts the logic to what we were using before but still using the safe version of the dependency. The new version makes the `decode` function read-only so I had to adjust our approach to mocking in the unit tests.
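As an added illustration of the flow the PR describes (not the project's own code, and not using the `jsonwebtoken` library): a dependency-free unverified decode of a JWT, used only to read `exp` and decide when to refresh. The 80% refresh threshold and the constructed token, whose signature segment is a meaningless placeholder, are assumptions for the example.

```javascript
// Added example: read `exp` from a bearer token WITHOUT checking its signature,
// purely to schedule a refresh. Nothing here establishes trust in the token, so
// claims read this way are suitable for refresh timing, not for authorization.

// Decode one base64url segment (JWT alphabet, no padding) into a JSON object.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Unverified decode: { header, payload } or null when the string is not
// shaped like a JWT. The third (signature) segment is never inspected.
function decodeJwt(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]) };
  } catch (_) {
    return null; // not base64url, or not JSON
  }
}

// Refresh policy (assumed for this example): refresh once 80% of the token's
// lifetime has elapsed. Anything undecodable, or lacking an integer `exp`,
// is treated as needing an immediate refresh rather than being trusted.
function needsRefresh(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const decoded = decodeJwt(token);
  if (!decoded) return true;
  const { exp, iat } = decoded.payload;
  if (!Number.isInteger(exp)) return true;
  const issued = Number.isInteger(iat) ? iat : nowSeconds;
  const lifetime = exp - issued;
  if (lifetime <= 0) return true;
  return nowSeconds >= issued + 0.8 * lifetime;
}

// Constructed token for demonstration: real header and payload encoding, with
// a placeholder signature segment to show that decode ignores it entirely.
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj))
    .toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const placeholderSig = 'c2lnbmF0dXJlLW5vdC1jaGVja2Vk'; // "signature-not-checked"
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.${placeholderSig}`;
}
```

Because the signature is never checked, `needsRefresh` will happily schedule around an `exp` the issuer never set; that is acceptable only because the worst outcome is an unnecessary or failed refresh against IAM, not a trust decision.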