fix: outdated/wrong algorithm argument passed to jsonwebtoken #907

Merged
merged 2 commits into from
Feb 6, 2024

Conversation

@Ymirke Ymirke commented Jan 28, 2024

@vonage/jwt VerifySignature defaults to RS256.

My best guess is that it's to accommodate a previous version of the authentication/authorization setup Vonage had.

Either way, there is no reason for it, as JWTs contain the algorithm in the header.

Additionally, the JWTs I receive from Vonage are HS256. Meaning that this is breaking and verifyToken does not work.

There is another question as to whether this should be provided by the Vonage SDK, but that's up to you guys!

Description

Removed RS256 argument passed to verify function from jsonwebtoken.

Motivation and Context

My webhooks receive HS256 tokens, not RS256 from Vonage. Either way it shouldn't be defaulted as the algorithm is contained in the JWT header.

Testing Details

No test run done, should pass though.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@manchuck

@Ymirke sorry about that. Do you mind updating the algorithm instead of removing it? We want to be explicit in what we accept

@manchuck manchuck changed the title Fixed outdated/wrong algorithm argument passed to jsonwebtoken fix: outdated/wrong algorithm argument passed to jsonwebtoken Feb 5, 2024
@manchuck manchuck merged commit d5adb68 into Vonage:3.x Feb 6, 2024
1 of 5 checks passed
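
The point of the exchange above, as an added example that is not code from this PR or the Vonage SDK: the verifier pins the algorithms it accepts (and pins the one the tokens actually use) instead of taking the algorithm from the JWT header. It uses Node's built-in `crypto` rather than `jsonwebtoken`; the helpers `sign` and `verifyWithAllowlist`, the secret and the claims are hypothetical, constructed for illustration.

```javascript
// Added example: HS256 verification with an explicit algorithm allowlist.
// Uses only node:crypto; the secret and claims are constructed sample values.
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Test helper: build a compact JWT. Any alg other than HS256 gets an empty signature.
function sign(header, payload, secret) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = header.alg === 'HS256'
    ? crypto.createHmac('sha256', secret).update(input).digest('base64url')
    : '';
  return `${input}.${sig}`;
}

// Verify a token, accepting only algorithms named in `algorithms`.
// The header's alg is untrusted input: it is checked against the allowlist
// and never used to choose the verification routine.
function verifyWithAllowlist(token, secret, algorithms = ['HS256']) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!algorithms.includes(header?.alg)) return { ok: false, reason: 'alg not allowed' };
  if (header.alg !== 'HS256') return { ok: false, reason: 'alg not implemented' };
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, payload };
}

const SECRET = 'constructed-sample-secret';
const good = sign({ alg: 'HS256', typ: 'JWT' }, { sub: 'webhook' }, SECRET);
const unsigned = sign({ alg: 'none', typ: 'JWT' }, { sub: 'webhook' }, SECRET);

console.log(verifyWithAllowlist(good, SECRET));            // accepted
console.log(verifyWithAllowlist(good, SECRET, ['RS256'])); // the mismatch this PR reports
console.log(verifyWithAllowlist(unsigned, SECRET));        // header alg outside the allowlist
```

With `jsonwebtoken` itself, the same pinning is expressed through the `algorithms` option of `verify`.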