joye-backend-utility 7.4.1 → 8.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/jwt.js
CHANGED
|
@@ -7,6 +7,7 @@ const path = require('path');
|
|
|
7
7
|
const folderPath = path.resolve(`${__dirname}`);
|
|
8
8
|
const JWT_PRIVATE_KEY = fs.readFileSync(`${folderPath}/jwtKeys/jwtRS256.key`, 'utf8');
|
|
9
9
|
const JWT_PUBLIC_KEY = fs.readFileSync(`${folderPath}/jwtKeys/jwtRS256.key.pub`, 'utf8');
|
|
10
|
+
const ALLOWED_JWT_ALGORITHMS = ['RS256'];
|
|
10
11
|
const createToken = async (payload, expiresIn) => {
|
|
11
12
|
const token = jwt.sign(payload, { key: JWT_PRIVATE_KEY.replace(/\\n/gm, '\n'), passphrase: process.env.JWT_SECRET }, {
|
|
12
13
|
expiresIn,
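Review bot: `ALLOWED_JWT_ALGORITHMS` on new line 10 is a plain mutable array, so any code that gets a reference to it can widen what `jwt.verify` accepts; freezing it costs nothing and makes the allowlist tamper-evident: `const ALLOWED_JWT_ALGORITHMS = Object.freeze(['RS256']);`. A short comment stating why only RS256 is listed (the key pair loaded on lines 8–9 is RSA) would also stop a future maintainer from adding an HMAC entry, which would let the public key double as an HMAC secret. This file looks like compiler output under `dist/`, so the change belongs in the TypeScript source it is built from.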
|
|
@@ -16,7 +17,12 @@ const createToken = async (payload, expiresIn) => {
|
|
|
16
17
|
};
|
|
17
18
|
exports.createToken = createToken;
|
|
18
19
|
const jwtVerify = async (token) => new Promise(resolve => {
|
|
19
|
-
|
|
20
|
+
var _a;
|
|
21
|
+
const decodedHeader = jwt.decode(token, { complete: true });
|
|
22
|
+
if (!((_a = decodedHeader === null || decodedHeader === void 0 ? void 0 : decodedHeader.header) === null || _a === void 0 ? void 0 : _a.alg) || decodedHeader.header.alg === 'none') {
|
|
23
|
+
return resolve(new Error('Invalid token algorithm'));
|
|
24
|
+
}
|
|
25
|
+
jwt.verify(token, JWT_PUBLIC_KEY.replace(/\\n/gm, '\n'), { algorithms: ALLOWED_JWT_ALGORITHMS }, async (err, decoded) => {
|
|
20
26
|
if (err) {
|
|
21
27
|
return resolve(err);
|
|
22
28
|
}
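Review bot: The header pre-check on line 22 rejects only a missing alg or `none`, while the actual allowlist is `ALLOWED_JWT_ALGORITHMS` passed on line 25; the two can drift if the list is ever edited, so the pre-check should consult the same list, in source terms `const alg = decodedHeader?.header?.alg;` / `if (!alg || !ALLOWED_JWT_ALGORITHMS.includes(alg)) {`. Rejections are delivered via `resolve(new Error(...))` on line 23, matching the pre-existing `return resolve(err)` on line 27, so every caller must `instanceof Error`-check the resolved value; a docstring on `jwtVerify` stating that the promise never rejects and may resolve with an Error would prevent a caller from treating it as a decoded payload. The callback on line 25 is `async` but `jwt.verify` discards its returned promise, so anything thrown after the `if (err)` branch becomes an unhandled rejection instead of reaching the caller. The body of `jwtVerify` continues past the end of the hunk, and this is generated `dist/` output, so the edits belong in the TypeScript source.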
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
const assert = require("assert");
|
|
4
|
+
const jwt = require('jsonwebtoken');
|
|
5
|
+
const jwt_1 = require("../jwt");
|
|
6
|
+
const run = async () => {
|
|
7
|
+
const payload = {
|
|
8
|
+
userId: 'security-test-user',
|
|
9
|
+
email: 'security-test@example.com',
|
|
10
|
+
};
|
|
11
|
+
const noneToken = jwt.sign(payload, null, { algorithm: 'none' });
|
|
12
|
+
const noneResult = await (0, jwt_1.jwtVerify)(noneToken);
|
|
13
|
+
assert.ok(noneResult instanceof Error, 'Expected alg=none token to be rejected');
|
|
14
|
+
const hsToken = jwt.sign(payload, 'not-rs256-key', { algorithm: 'HS256' });
|
|
15
|
+
const hsResult = await (0, jwt_1.jwtVerify)(hsToken);
|
|
16
|
+
assert.ok(hsResult instanceof Error, 'Expected HS256 token to be rejected');
|
|
17
|
+
console.log('JWT algorithm validation tests passed.');
|
|
18
|
+
};
|
|
19
|
+
run().catch(error => {
|
|
20
|
+
console.error('JWT algorithm validation tests failed:', error);
|
|
21
|
+
process.exit(1);
|
|
22
|
+
});
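Review bot: The script asserts only that the `none` and HS256 tokens come back as an `Error` (lines 13 and 16), so it would also pass if `jwtVerify` rejected every token, for example because the public key file failed to load; a positive case that signs with the RS256 private key via `jwt_1.createToken` and checks the payload round-trips would make the guard meaningful. The negative checks should also pin the reason rather than the type, e.g. `assert.strictEqual(noneResult.message, 'Invalid token algorithm');` for the local check, and for the HS256 case the error comes from jsonwebtoken's own algorithm enforcement, so asserting on `hsResult.name === 'JsonWebTokenError'` is a reasonable pin. The positive case below assumes `createToken` returns the signed string and that `jwtVerify` resolves with the decoded payload on success; its success branch is outside the other hunk, so confirm against the source.
```javascript
// … unchanged: payload, none and HS256 negative cases …
const goodToken = await (0, jwt_1.createToken)(payload, '1m');
const goodResult = await (0, jwt_1.jwtVerify)(goodToken);
assert.ok(!(goodResult instanceof Error), 'Expected RS256 token to verify');
assert.strictEqual(goodResult.userId, payload.userId);
```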
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "joye-backend-utility",
|
|
3
|
-
"version": "
|
|
3
|
+
"version": "8.0.0",
|
|
4
4
|
"description": "Joye backend utility for db functions and common functions",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"types": "dist/index.d.ts",
|
|
@@ -13,6 +13,7 @@
|
|
|
13
13
|
"scripts": {
|
|
14
14
|
"build": "tsc && yarn copy-files",
|
|
15
15
|
"test": "echo \"Error: no test specified\"",
|
|
16
|
+
"test:jwt-algorithm": "ts-node lib/tests/jwtAlgorithmValidation.test.ts",
|
|
16
17
|
"postinstall": "npm run build",
|
|
17
18
|
"lint": "eslint --ignore-path .gitignore --ext .ts .",
|
|
18
19
|
"lint:fix": "npm run lint -- --fix",
|