Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rename 'decode' to 'unsafeDecode' #741

Closed
wants to merge 1 commit into from

Conversation

punmechanic
Copy link

@punmechanic punmechanic commented Sep 2, 2020

Description

'decode' is often reached to by well-meaning developers who assume that the call is safe. Unfortunately, this leads to untrusted JWTs being accepted as otherwise acceptable input.

Renaming 'decode' to 'unsafeDecode' signals to the end user that the method they are calling is indeed unsafe without them having to remember the difference between 'decode' and 'verify'.

This is a breaking change as it changes the public API and as such should be a major version bump. Ultimately this PR more serves to highlight this issue - I don't have a problem if this PR is not accepted as long as it starts a discussion on whether or not being able to decode a JWT without actually verifying it should be part of the public API of this library.

Should this PR be accepted, I would recommend a deprecation warning on the next minor (patch?) version bump with the rename taking place on the next major version bump.

References

Prompted by https://news.ycombinator.com/item?id=24347519 (thanks @deadmonstor) and experiencing this issue myself a few times over the past few weeks when reviewing code at my company.

Testing

It's a method rename, so all that needs to be done is run the existing tests (They all pass)

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

@punmechanic
Copy link
Author

Ah, it appears my auto-formatter was a bit overzealous, I'll fix that

'decode' is often reached to by well-meaning developers who assume that the call is safe. Unfortunately, this leads to untrusted JWTs being accepted as otherwise acceptable input.

Renaming 'decode' to 'unsafeDecode' signals to the end user that the method they are calling is indeed unsafe without them having to remember the difference between 'decode' and 'verify'.
@deadmonstor
Copy link

I think this is the HackerNews link you are looking for

@punmechanic
Copy link
Author

It is! thank you

@mcastany
Copy link

mcastany commented Sep 4, 2020

Hi @danpantry,

First, big thank you for kicking off this conversation. After an internal discussion, which included inspecting the adjacent library space, we believe the decode function name serves a purpose and should remain. That said, this conversation has surfaced some changes that we believe would make the distinction of verify and decode much clearer and easier to discover. Here is our thinking.

“Decode” is a widely adopted term that is used to describe translating data from one (encoded) format into something readable. Decoding is commonly used with Base64, URLs, SAML Tokens and in all of these contexts it has the same meaning. There’s no relationship between decoding and security.

We recognize that it's possible for a developer to misinterpret "decode" as a function that should be called, when in most cases "verify" is more appropriate. So we looked at the ways API methods are discovered and checked to ensure that both our API documentation and the DefinitelyTyped documentation actually explicitly mention that “decode” does not verify the token.

In addition, we are going to put more structure into our API documentation, making it less likely a developer stumbles upon “decode” rather than “verify.” We will put more emphasis on “decode” not doing verification.

Lastly, we plan to make the “decode” function non-enumerable just in case REPL is ever the means of method discovery.

Thank you again to our awesome developer community, and keep the feedback coming.

panva added a commit that referenced this pull request Sep 4, 2020
panva added a commit that referenced this pull request Sep 4, 2020
@punmechanic
Copy link
Author

punmechanic commented Sep 4, 2020 via email

mcastany pushed a commit that referenced this pull request Sep 10, 2020
mcastany pushed a commit that referenced this pull request Sep 10, 2020
dpopp07 added a commit to IBM/node-sdk-core that referenced this pull request Dec 27, 2022
There is a vulnerability in v8 of the `jsonwebtoken` dependency. This commit
upgrades to v9 to resolve the vulnerability. Additionally, they made an effort
in this version to discourage the less secure "decode" method in favor of the
more secure "verify" method (1). This commit also refactors the code and tests to
use the "verify" method.

(1) See this PR for context: auth0/node-jsonwebtoken#741

Signed-off-by: Dustin Popp <[email protected]>
dpopp07 added a commit to IBM/node-sdk-core that referenced this pull request Dec 29, 2022
)

There is a vulnerability in v8 of the `jsonwebtoken` dependency. This commit
upgrades to v9 to resolve the vulnerability. Additionally, they made an effort
in this version to discourage the less secure "decode" method in favor of the
more secure "verify" method (1). This commit also refactors the code and tests to
use the "verify" method.

(1) See this PR for context: auth0/node-jsonwebtoken#741

Signed-off-by: Dustin Popp <[email protected]>
NirvanaNimbusa added a commit to NirvanaNimbusa/node-jsonwebtoken that referenced this pull request Jul 28, 2024
see auth0#741

By submitting a PR to this repository, you agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md). Please see the [contributing guidelines](https://github.com/auth0/.github/blob/master/CONTRIBUTING.md) for how to create and submit a high-quality PR for this repo.

### Description

> Describe the purpose of this PR along with any background information and the impacts of the proposed change. For the benefit of the community, please do not assume prior context.
>
> Provide details that support your chosen implementation, including: breaking changes, alternatives considered, changes to the API, etc.
>
> If the UI is being changed, please provide screenshots.

### References

> Include any links supporting this change such as a:
>
> - GitHub Issue/PR number addressed or fixed
> - Auth0 Community post
> - StackOverflow post
> - Support forum thread
> - Related pull requests/issues from other repos
>
> If there are no references, simply delete this section.

### Testing

> Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.
>
> Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests.
>
> Also include details of the environment this PR was developed in (language/platform/browser version).

- [ ] This change adds test coverage for new/changed/fixed functionality

### Checklist

- [ ] I have added documentation for new/changed functionality in this PR or in auth0.com/docs
- [ ] All active GitHub checks for tests, formatting, and security are passing
- [ ] The correct base branch is being used, if not the default branch
@NirvanaNimbusa NirvanaNimbusa mentioned this pull request Jul 28, 2024
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants