
Change to a more secure behavior of the noVerify argument of the decode function #106

Open
mohamed-osama-aboelkheir opened this issue Mar 9, 2024 · 0 comments

Comments

@mohamed-osama-aboelkheir

Current behavior

Currently, when jwt.decode() gets a noVerify argument with ANY value except false, the signature is not verified.

Issue

This could be a problem if a developer is confused and passes a value like 'HS256' (the algorithm) instead of the noVerify boolean value, e.g.

user = jwt.decode(token, secret, 'HS256')

In this case the signature is not being verified, which could lead to authentication bypass.

Suggested Behavior

Signature verification is only skipped if the value of noVerify is true and is not skipped for any other value, e.g. a string like 'HS256'.

Reproduction steps:

  1. Create a token

const jwt = require('jwt-simple');
const secretKey = process.env.JWT_SECRET; // signing secret read from the environment
const username = "test1";
const token = jwt.encode({ username }, secretKey, 'HS256');

  2. Now try to decode with a different secret with the value of verify set to anything except false. This will work, allowing fake tokens to look like they were successfully verified

const decoded = jwt.decode(token, "wrong_secret", 'HS256'); // 'HS256' is truthy here, so the signature is never checked