fix(auth): migrate to secure usage of jwt for token authentication

There is a vulnerability in v8 of the `jsonwebtoken` dependency. This commit upgrades to v9 to resolve the vulnerability. Additionally, they made an effort in this version to discourage the less secure "decode" method in favor of the more secure "verify" method (1). This commit also refactors the code and tests to use the "verify" method. (1) See this PR for context: auth0/node-jsonwebtoken#741 Signed-off-by: Dustin Popp <[email protected]>
IBM · Dec 27, 2022 · bd527f5 · bd527f5
1 parent f0aa9e5
commit bd527f5
Show file tree

Hide file tree

Showing 5 changed files with 78 additions and 122 deletions.
diff --git a/auth/token-managers/jwt-token-manager.ts b/auth/token-managers/jwt-token-manager.ts
@@ -16,7 +16,7 @@
  * limitations under the License.
  */
 
-import { decode } from 'jsonwebtoken';
+import { verify } from 'jsonwebtoken';
 import logger from '../../lib/logger';
 import { TokenManager, TokenManagerOptions } from './token-manager';
 
@@ -80,15 +80,26 @@ export class JwtTokenManager extends TokenManager {
       throw new Error(err);
     }
 
-    // the time of expiration is found by decoding the JWT access token
-    // exp is the time of expire and iat is the time of token retrieval
-    const decodedResponse = decode(this.accessToken);
+    let decodedResponse;
+    try {
+      decodedResponse = verify(this.accessToken);
+    } catch (e) {
+      // the token is either an invalid JWT or it could not be verified
+      logger.error('Failed to verify the JWT. See error message:');
+      logger.error(e);
+      throw new Error(e);
+    }
+
+    // the 'catch' method above should handle any verificiation/decoding issues but
+    // this check is here as a failsafe
     if (!decodedResponse) {
       const err = 'Access token recieved is not a valid JWT';
       logger.error(err);
       throw new Error(err);
     }
 
+    // the time of expiration is found by decoding the JWT access token
+    // 'exp' is the time of expire and 'iat' is the time of token retrieval
     const { exp, iat } = decodedResponse;
     // There are no required claims in JWT
     if (!exp || !iat) {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -85,7 +85,7 @@
     "file-type": "16.5.4",
     "form-data": "^2.3.3",
     "isstream": "~0.1.2",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "lodash.isempty": "^4.4.0",
     "mime-types": "~2.1.18",
     "object.omit": "~3.0.0",

diff --git a/test/unit/iam-token-manager.test.js b/test/unit/iam-token-manager.test.js
@@ -21,7 +21,7 @@ const jwt = require('jsonwebtoken');
 jest.mock('../../dist/lib/request-wrapper');
 const { RequestWrapper } = require('../../dist/lib/request-wrapper');
 
-jwt.decode = jest.fn(() => ({ exp: 100, iat: 100 }));
+jwt.verify = jest.fn(() => ({ exp: 100, iat: 100 }));
 
 const { IamTokenManager } = require('../../dist/auth');