-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rename 'decode' to 'unsafeDecode' #741
Conversation
Ah, it appears my auto-formatter was a bit overzealous, I'll fix that |
'decode' is often reached to by well-meaning developers who assume that the call is safe. Unfortunately, this leads to untrusted JWTs being accepted as otherwise acceptable input. Renaming 'decode' to 'unsafeDecode' signals to the end user that the method they are calling is indeed unsafe without them having to remember the difference between 'decode' and 'verify'.
I think this is the HackerNews link you are looking for |
It is! thank you |
Hi @danpantry, First, big thank you for kicking off this conversation. After an internal discussion, which included inspecting the adjacent library space, we believe the decode function name serves a purpose and should remain. That said, this conversation has surfaced some changes that we believe would make the distinction of “Decode” is a widely adopted term that is used to describe translating data from one (encoded) format into something readable. Decoding is commonly used with Base64, URLs, SAML Tokens and in all of these contexts it has the same meaning. There’s no relationship between decoding and security. We recognize that it's possible for a developer to misinterpret "decode" as a function that should be called, when in most cases "verify" is more appropriate. So we looked at the ways API methods are discovered and checked to ensure that both our API documentation and the DefinitelyTyped documentation actually explicitly mention that “decode” does not verify the token. In addition, we are going to put more structure into our API documentation, making it less likely a developer stumbles upon “decode” rather than “verify.” We will put more emphasis on “decode” not doing verification. Lastly, we plan to make the “decode” function non-enumerable just in case REPL is ever the means of method discovery. Thank you again to our awesome developer community, and keep the feedback coming. |
Hey Marcos,
Thanks for the reply.
My concern is that many people are just going to download the package
through npm, boot up $TEXTEDITOR, use autocomplete to come across decode()
and then use that.
Obviously, there's a certain limit to how much you should protect someone
from themselves, but I still don't know if I agree that improving
documentation will help that much here; The documentation is already quite
explicit that decode **does not** verify tokens.
That said, I think this is still a step in the right direction, especially
as we hear of more high-profile exploits that utilise this exact
vulnerability in other software of a similar nature
<https://krystalgamer.github.io/avengers-emulator/>.
…On Fri, Sep 4, 2020 at 8:52 PM Marcos Castany ***@***.***> wrote:
Hi @danpantry <https://github.com/danpantry>,
First, big thank you for kicking off this conversation. After an internal
discussion, which included inspecting the adjacent library space, we
believe the decode function name serves a purpose and should remain. That
said, this conversation has surfaced some changes that we believe would
make the distinction of verify and decode much clearer and easier to
discover. Here is our thinking.
“Decode” is a widely adopted term that is used to describe translating
data from one (encoded) format into something readable. Decoding is
commonly used with Base64, URLs, SAML Tokens and in all of these contexts
it has the same meaning. There’s no relationship between decoding and
security.
We recognize that it's possible for a developer to misinterpret "decode"
as a function that should be called, when in most cases "verify" is more
appropriate. So we looked at the ways API methods are discovered and
checked to ensure that both our API documentation
<https://github.com/auth0/node-jsonwebtoken#jwtdecodetoken--options> and
the DefinitelyTyped documentation
<https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/types/jsonwebtoken/index.d.ts#L203-L210>
actually explicitly mention that “decode” does not verify the token.
In addition, we are going to put more structure into our API
documentation, making it less likely a developer stumbles upon “decode”
rather than “verify.” We will put more emphasis on “decode” not doing
verification.
Lastly, we plan to make the “decode” function non-enumerable just in case
REPL is ever the means of method discovery.
Thank you again to our awesome developer community, and keep the feedback
coming.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#741 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAWNSJMOMRRU7CQ4DTFJEO3SEFAPDANCNFSM4QS3BGUA>
.
|
There is a vulnerability in v8 of the `jsonwebtoken` dependency. This commit upgrades to v9 to resolve the vulnerability. Additionally, they made an effort in this version to discourage the less secure "decode" method in favor of the more secure "verify" method (1). This commit also refactors the code and tests to use the "verify" method. (1) See this PR for context: auth0/node-jsonwebtoken#741 Signed-off-by: Dustin Popp <[email protected]>
) There is a vulnerability in v8 of the `jsonwebtoken` dependency. This commit upgrades to v9 to resolve the vulnerability. Additionally, they made an effort in this version to discourage the less secure "decode" method in favor of the more secure "verify" method (1). This commit also refactors the code and tests to use the "verify" method. (1) See this PR for context: auth0/node-jsonwebtoken#741 Signed-off-by: Dustin Popp <[email protected]>
see auth0#741 By submitting a PR to this repository, you agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). Please see the [contributing guidelines](https://github.com/auth0/.github/blob/master/CONTRIBUTING.md) for how to create and submit a high-quality PR for this repo. ### Description > Describe the purpose of this PR along with any background information and the impacts of the proposed change. For the benefit of the community, please do not assume prior context. > > Provide details that support your chosen implementation, including: breaking changes, alternatives considered, changes to the API, etc. > > If the UI is being changed, please provide screenshots. ### References > Include any links supporting this change such as a: > > - GitHub Issue/PR number addressed or fixed > - Auth0 Community post > - StackOverflow post > - Support forum thread > - Related pull requests/issues from other repos > > If there are no references, simply delete this section. ### Testing > Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors. > > Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests. > > Also include details of the environment this PR was developed in (language/platform/browser version). - [ ] This change adds test coverage for new/changed/fixed functionality ### Checklist - [ ] I have added documentation for new/changed functionality in this PR or in auth0.com/docs - [ ] All active GitHub checks for tests, formatting, and security are passing - [ ] The correct base branch is being used, if not the default branch
Description
'decode' is often reached to by well-meaning developers who assume that the call is safe. Unfortunately, this leads to untrusted JWTs being accepted as otherwise acceptable input.
Renaming 'decode' to 'unsafeDecode' signals to the end user that the method they are calling is indeed unsafe without them having to remember the difference between 'decode' and 'verify'.
This is a breaking change as it changes the public API and as such should be a major version bump. Ultimately this PR more serves to highlight this issue - I don't have a problem if this PR is not accepted as long as it starts a discussion on whether or not being able to decode a JWT without actually verifying it should be part of the public API of this library.
Should this PR be accepted, I would recommend a deprecation warning on the next minor (patch?) version bump with the rename taking place on the next major version bump.
References
Prompted by https://news.ycombinator.com/item?id=24347519 (thanks @deadmonstor) and experiencing this issue myself a few times over the past few weeks when reviewing code at my company.
Testing
It's a method rename, so all that needs to be done is run the existing tests (They all pass)
Checklist
master