Merge branch 'sec_dojo_jwt_algo' into 'develop'

explicitely set algo used for jwt signatures

See merge request dojo/samourai-dojo!145

lib/auth/authorizations-manager.js

@@ -23,6 +23,7 @@ class AuthorizationsManager {
   constructor() {
     try {
       // Constants
+      this.JWT_ALGO = 'HS256'
       this.ISS = 'Samourai Wallet backend'
       this.TOKEN_TYPE_ACCESS = 'access-token'
       this.TOKEN_TYPE_REFRESH = 'refresh-token'
@@ -210,7 +211,10 @@ class AuthorizationsManager {
     return jwt.sign(
       claims,
       this._secret,
-      {expiresIn: this.accessTokenExpires}
+      {
+        expiresIn: this.accessTokenExpires,
+        algorithm: this.JWT_ALGO
+      }
     )
   }
 
@@ -239,7 +243,11 @@ class AuthorizationsManager {
    * @returns {Object} payload of the json web token
    */
   _verifyAccessToken(token) {
-    const payload = jwt.verify(token, this._secret, {})
+    const payload = jwt.verify(
+      token,
+      this._secret,
+      {algorithms: [this.JWT_ALGO]}
+    )
 
     if (payload['type'] != this.TOKEN_TYPE_ACCESS)
       throw errors.auth.INVALID_JWT
@@ -263,7 +271,10 @@ class AuthorizationsManager {
     return jwt.sign(
       claims,
       this._secret,
-      {expiresIn: this.refreshTokenExpires}
+      {
+        expiresIn: this.refreshTokenExpires,
+        algorithm: this.JWT_ALGO
+      }
     )
   }
 
@@ -292,7 +303,11 @@ class AuthorizationsManager {
    * @returns {Object} payload of the json web token
    */
   _verifyRefreshToken(token) {
-    const payload = jwt.verify(token, this._secret, {})
+    const payload = jwt.verify(
+      token,
+      this._secret,
+      {algorithms: [this.JWT_ALGO]}
+    )
 
     if (payload['type'] != this.TOKEN_TYPE_REFRESH)
       throw errors.auth.INVALID_JWT