Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verify expects a specific jwtid? #581

Closed
bencmbrook opened this issue Feb 22, 2019 · 2 comments · Fixed by #704
Closed

verify expects a specific jwtid? #581

bencmbrook opened this issue Feb 22, 2019 · 2 comments · Fixed by #704
Labels
documentation

Comments

@bencmbrook
Copy link

This module seems to expect the verifier to know what the "jti" is beforehand. I understand "jti" to be primarily used as a nonce to prevent replay attacks, or keeping a revocation list. The verify step, however, seems to just check that the provided jwtid matches a specific string.

"jti" reference
@bencmbrook
Copy link
Author

bencmbrook commented Feb 22, 2019
edited
Loading

I suppose this could act as a valid use-case, and it's good that if the option isn't passed, the token isn't rejected. Maybe it should just be documented that passing the option is only useful when you expect a specific jwtid?

@bencmbrook bencmbrook changed the title jwtid being treated as a password? verify expects a specific jwtid? Feb 22, 2019
@ziluvatar
Copy link
Contributor

Yeah, probably not too useful, good catch, would you like to go ahead and document it clear for others?

@hiramatsutaku hiramatsutaku mentioned this issue Mar 20, 2020
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

docs: add jwtid to options of jwt.verify hiramatsutaku/node-jsonwebtoken
2 participants
@ziluvatar @bencmbrook