Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(auth): migrate to secure usage of jwt for token authentication #225

Merged
merged 1 commit into from
Dec 29, 2022
+78 −122
Merged

fix(auth): migrate to secure usage of jwt for token authentication #225

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 15 additions & 4 deletions auth/token-managers/jwt-token-manager.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
* limitations under the License.
*/

import { decode } from 'jsonwebtoken';
import { verify } from 'jsonwebtoken';
import logger from '../../lib/logger';
import { TokenManager, TokenManagerOptions } from './token-manager';

Expand Down Expand Up @@ -80,15 +80,26 @@ export class JwtTokenManager extends TokenManager {
throw new Error(err);
}

// the time of expiration is found by decoding the JWT access token
// exp is the time of expire and iat is the time of token retrieval
const decodedResponse = decode(this.accessToken);
let decodedResponse;
try {
decodedResponse = verify(this.accessToken);
} catch (e) {
// the token is either an invalid JWT or it could not be verified
logger.error('Failed to verify the JWT. See error message:');
logger.error(e);
throw new Error(e);
}

// the 'catch' method above should handle any verificiation/decoding issues but
// this check is here as a failsafe
if (!decodedResponse) {
const err = 'Access token recieved is not a valid JWT';
logger.error(err);
throw new Error(err);
}

// the time of expiration is found by decoding the JWT access token
// 'exp' is the time of expire and 'iat' is the time of token retrieval
const { exp, iat } = decodedResponse;
// There are no required claims in JWT
if (!exp || !iat) {
Expand Down
137 changes: 41 additions & 96 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@
"file-type": "16.5.4",
"form-data": "^2.3.3",
"isstream": "~0.1.2",
"jsonwebtoken": "^8.5.1",
"jsonwebtoken": "^9.0.0",
"lodash.isempty": "^4.4.0",
"mime-types": "~2.1.18",
"object.omit": "~3.0.0",
Expand Down
2 changes: 1 addition & 1 deletion test/unit/iam-token-manager.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ const jwt = require('jsonwebtoken');
jest.mock('../../dist/lib/request-wrapper');
const { RequestWrapper } = require('../../dist/lib/request-wrapper');

jwt.decode = jest.fn(() => ({ exp: 100, iat: 100 }));
jwt.verify = jest.fn(() => ({ exp: 100, iat: 100 }));

const { IamTokenManager } = require('../../dist/auth');

Expand Down
Loading