fix(verify)!: Remove default none support verify methods, and require it to be explicitly configured by jakelacey2012 · Pull Request #851 · auth0/node-jsonwebtoken

Description

This PR removes default support for the none algorithm in the verify methods; now you have to specify none before you can sign and verify. This is to fix the issue raised in #711, but still allow users to use none if they wish to do so for development/testing.

BREAKING CHANGE: Removes fallback for none algorithm for the verify method.

References

Testing

Please download this version of the package (git@github.com:jakelacey2012/node-jsonwebtoken.git#IPS-2481) and then run the following code examples.

Simple test to get some background; should not throw and should not be affected by this change.

var jwt = require('jsonwebtoken');

const decoded = jwt.verify(jwt.sign({ foo: 'bar' }, 'sshhhhhh'), 'sshhhhhh'); // should decode and not error.

Test sign method with the algorithm none option; should not error and should return an unsigned token.

var jwt = require('jsonwebtoken');

const sign_none = jwt.sign({ foo: 'bar' }, undefined, { algorithm: 'none' }); // returns an unsigned token.

Test sign method with algorithm none, without specifying none in the options.
</gml_replace>
<gr_replace lines="27" cat="reformat" orig="jwt.sign({ foo: 'bar' }, undefined">
jwt.sign({ foo: 'bar' }, undefined, { }); // this returns an error: secretOrPrivateKey must have a value

var jwt = require('jsonwebtoken');

jwt.sign({ foo: 'bar' }, undefined, { }); // this returns an error secretOrPrivateKey must have a value

jwt.sign({ foo: 'bar' }, 'secret', { }); // no error returned, but the token returned is signed with HS256

Test verifying without none specified; should throw the error 'please specify "none" in "algorithms" to verify unsigned tokens'.

var jwt = require('jsonwebtoken');

const unsigned = jwt.sign({ foo: 'bar' }, 'secret', { algorithm: 'none' });

const decoded = jwt.verify(unsigned, undefined, { algorithms: [] }); // should throw error 'please specify "none" in "algorithms" to verify unsigned tokens'

Test verifying with none specified; should not throw and should return a decoded token.

var jwt = require('jsonwebtoken');

const unsigned = jwt.sign({ foo: 'bar' }, 'secret', { algorithm: 'none' });

const decoded = jwt.verify(unsigned, undefined, { algorithms: ['none'] }); // should not throw and should return a decoded token.

Describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

Please include any manual steps for testing end-to-end or functionality not covered by unit/integration tests.

Also include details of the environment this PR was developed in (language/platform/browser version).

Checklist