Bug: Can't use multiple secrets with different algorithms

Description

Using a function with the secret option to express-jwt, I can provide different secrets for different requests. These secrets might require different algorithms to verify, e.g. HS256 and RS256.

This doesn’t work as expected: After one token has been verified by a middleware, only tokens with the same algorithm can be verified by that middleware. Verification of tokens with different algorithms fails with UnauthorizedError: invalid algorithm. See https://gist.github.com/bspot/319dd8c5458d24955842b400bd90b634 for a test case.

Reason

  1. The options argument to express-jwt is passed to jwt.verify on every request. (https://github.com/auth0/express-jwt/blob/master/lib/index.js#L99)
  2. As long as options.algorithms is empty, jsonwebtoken fills it with the list of applicable algorithms. (https://github.com/auth0/node-jsonwebtoken/blob/v6.2.0/index.js#L89)
  3. On subsequent requests, options.algorithms is filled and jsonwebtoken refuses to use any other algorithm.

Workaround

Keep a reference to the options passed to express-jwt and

delete options.algorithms;

before each request. This can be done in the function passed as the secret.

Potential fix

  1. Either delete options.algorithms; in the express-jwt middleware on every request, or
  2. pass Object.assign({}, options) to jwt.verify.
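To make the three-step reason and the proposed fix concrete, here is an added example (not code from the issue, express-jwt or jsonwebtoken): verifyLikeJwt() is a constructed stand-in for the part of jsonwebtoken 6.x that fills in options.algorithms when the caller left it unset, the tokens are plain constructed objects with no real signatures, and runMiddleware() sends an HS256 request followed by an RS256 request through one shared options object, once as the issue describes and once with the Object.assign({}, options) fix.

```javascript
// Constructed model of jsonwebtoken's verify(): if options.algorithms is
// unset it is derived from the secret's type, and that assignment mutates
// the caller's object, so the first secret type seen "sticks".
function verifyLikeJwt(token, secretOrPublicKey, options) {
  if (!options.algorithms) {
    options.algorithms = secretOrPublicKey.includes('BEGIN PUBLIC KEY')
      ? ['RS256', 'RS384', 'RS512']
      : ['HS256', 'HS384', 'HS512'];
  }
  // The alg check itself is the desired behaviour: a token must match the
  // allow-list for the key it is verified with.
  if (!options.algorithms.includes(token.header.alg)) {
    throw new Error('invalid algorithm');
  }
  return token.payload;
}

// Constructed sample requests: one HMAC-secret tenant, one RSA-key tenant.
const HS_SECRET = 'constructed-shared-secret';
const RS_KEY = '-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----';
const REQUESTS = [
  { token: { header: { alg: 'HS256' }, payload: { sub: 'tenant-a' } }, secret: HS_SECRET },
  { token: { header: { alg: 'RS256' }, payload: { sub: 'tenant-b' } }, secret: RS_KEY },
];

// Runs both requests through one middleware instance with a single options
// object, as express-jwt does. copyOptions=false reproduces the issue;
// copyOptions=true applies potential fix 2 (pass a fresh copy to verify).
function runMiddleware(copyOptions) {
  const options = { secret: (req) => req.secret }; // shared across requests
  return REQUESTS.map((req) => {
    const secret = options.secret(req);
    const verifyOpts = copyOptions ? Object.assign({}, options) : options;
    try {
      verifyLikeJwt(req.token, secret, verifyOpts);
      return 'ok';
    } catch (e) {
      return e.message;
    }
  });
}

console.log(runMiddleware(false)); // [ 'ok', 'invalid algorithm' ]
console.log(runMiddleware(true));  // [ 'ok', 'ok' ]
```

Potential fix 1 (delete options.algorithms before each request) gives the same second result, since the shared object then starts every request without a pinned algorithm list.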

Top GitHub Comments

jfromaniello commented, Apr 17, 2017

Updated jsonwebtoken in v5.3.0

gillesdemey commented, Apr 13, 2017

A workaround that worked for us is to create a new options object to pass to the JWT middleware on each request:

const jwt = require('express-jwt')

// Build a fresh express-jwt middleware per request, so jsonwebtoken never
// sees the same options object (with its filled-in algorithms list) twice.
function checkJWT (req, res, next) {
  const options = Object.assign({}, { secret: getSecret })
  jwt(options)(req, res, next)
}

// Secret callback: return the shared secret or public key for this request.
function getSecret (req, payload, callback) {
  return callback(null, 'some shared secret or RSA public key')
}