
Merge branch 'sec_dojo_jwt_algo' into 'develop'

explicitly set algo used for jwt signatures

See merge request dojo/samourai-dojo!145
kenshin-samourai 5 years ago
parent
commit
f3d22dc06b
  1. 23
      lib/auth/authorizations-manager.js

23
lib/auth/authorizations-manager.js

@ -23,6 +23,7 @@ class AuthorizationsManager {
constructor() {
try {
// Constants
this.JWT_ALGO = 'HS256'
this.ISS = 'Samourai Wallet backend'
this.TOKEN_TYPE_ACCESS = 'access-token'
this.TOKEN_TYPE_REFRESH = 'refresh-token'
@ -210,7 +211,10 @@ class AuthorizationsManager {
return jwt.sign(
claims,
this._secret,
{expiresIn: this.accessTokenExpires}
{
expiresIn: this.accessTokenExpires,
algorithm: this.JWT_ALGO
}
)
}
@ -239,7 +243,11 @@ class AuthorizationsManager {
* @returns {Object} payload of the json web token
*/
_verifyAccessToken(token) {
const payload = jwt.verify(token, this._secret, {})
const payload = jwt.verify(
token,
this._secret,
{algorithms: [this.JWT_ALGO]}
)
if (payload['type'] != this.TOKEN_TYPE_ACCESS)
throw errors.auth.INVALID_JWT
@ -263,7 +271,10 @@ class AuthorizationsManager {
return jwt.sign(
claims,
this._secret,
{expiresIn: this.refreshTokenExpires}
{
expiresIn: this.refreshTokenExpires,
algorithm: this.JWT_ALGO
}
)
}
@ -292,7 +303,11 @@ class AuthorizationsManager {
* @returns {Object} payload of the json web token
*/
_verifyRefreshToken(token) {
const payload = jwt.verify(token, this._secret, {})
const payload = jwt.verify(
token,
this._secret,
{algorithms: [this.JWT_ALGO]}
)
if (payload['type'] != this.TOKEN_TYPE_REFRESH)
throw errors.auth.INVALID_JWT
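Review bot: The `algorithms: [this.JWT_ALGO]` option passed to `jwt.verify` in `_verifyAccessToken` and `_verifyRefreshToken` is the part of this change that actually prevents a token from selecting its own algorithm; `jwt.sign` already defaults to HS256 for a string secret, so the sign-side `algorithm` option is mostly declarative, and that is worth a comment next to the constant, e.g. `// Pinned on both sign and verify: verify must never accept a token-chosen algorithm`. `JWT_ALGO` is a plain instance property assigned in the constructor, so any code holding the manager instance can reassign it and silently widen what `verify` accepts; a module-level `const JWT_ALGO = 'HS256'` (or a frozen/read-only property) would make the pin harder to undo by accident. If the signed claims carry `iss: this.ISS` (the constant is set just above `JWT_ALGO`, but the claim construction is outside these hunks), `jwt.verify` could also be given `issuer: this.ISS` so that an otherwise valid HS256 token from a different issuer is rejected rather than relying on the `type` claim alone. The `payload['type'] != ...` comparisons that follow each verify are pre-existing but would read more safely as `!==`.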
