You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As per auth0/node-jsonwebtoken#208, some users of your library are getting stuck on passing in a String as a secret. My initial response was "that's not base64, it should be throwing" however given the decoder used, that doesn't appear to be the case. I expect the experience would be much improved if a proper base64 decoder was used, which complained about invalid base64.
As an example, here's the difference between the current parseBase64Binary and Java 8's Base64:
As you can see, the current decoder skips over illegal characters, and then afterward doesn't require it be correctly sized (ignoring any remaining characters).
The text was updated successfully, but these errors were encountered:
Yes, we run into the same issue that javax.xml.bind.DatatypeConverter.parseBase64Binary decoded a Base64 encoded String not correctly. java.util.Base64.getDecoder().decode seems to work correctly.
Maybe I'm doing it wrong.
But let's assume I use a weak secret like 012345678901234567890123456789XY.
If I Base64 encode it, the result is MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5WFk.
When I decode this Base64 encoded String, I get two different results. See wrongBytes and correctBytes
When I convert the bytes back into a String (inside of the debugger view), you can see that wrongBytes seems to show a wrong secret?
As per auth0/node-jsonwebtoken#208, some users of your library are getting stuck on passing in a
String
as a secret. My initial response was "that's not base64, it should be throwing" however given the decoder used, that doesn't appear to be the case. I expect the experience would be much improved if a proper base64 decoder was used, which complained about invalid base64.As an example, here's the difference between the current
parseBase64Binary
and Java 8'sBase64
:As you can see, the current decoder skips over illegal characters, and then afterward doesn't require it be correctly sized (ignoring any remaining characters).
The text was updated successfully, but these errors were encountered: