From fc0be423e7be629d0c18b37ec15c0a5aff54eccc Mon Sep 17 00:00:00 2001 From: kenshin-samourai Date: Wed, 1 Jul 2020 14:03:05 +0200 Subject: [PATCH] explicitely set algo used for jwt signatures --- lib/auth/authorizations-manager.js | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/lib/auth/authorizations-manager.js b/lib/auth/authorizations-manager.js index 82cbc41..fb830a9 100644 --- a/lib/auth/authorizations-manager.js +++ b/lib/auth/authorizations-manager.js @@ -23,6 +23,7 @@ class AuthorizationsManager { constructor() { try { // Constants + this.JWT_ALGO = 'HS256' this.ISS = 'Samourai Wallet backend' this.TOKEN_TYPE_ACCESS = 'access-token' this.TOKEN_TYPE_REFRESH = 'refresh-token' @@ -210,7 +211,10 @@ class AuthorizationsManager { return jwt.sign( claims, this._secret, - {expiresIn: this.accessTokenExpires} + { + expiresIn: this.accessTokenExpires, + algorithm: this.JWT_ALGO + } ) } @@ -239,7 +243,11 @@ class AuthorizationsManager { * @returns {Object} payload of the json web token */ _verifyAccessToken(token) { - const payload = jwt.verify(token, this._secret, {}) + const payload = jwt.verify( + token, + this._secret, + {algorithms: [this.JWT_ALGO]} + ) if (payload['type'] != this.TOKEN_TYPE_ACCESS) throw errors.auth.INVALID_JWT @@ -263,7 +271,10 @@ class AuthorizationsManager { return jwt.sign( claims, this._secret, - {expiresIn: this.refreshTokenExpires} + { + expiresIn: this.refreshTokenExpires, + algorithm: this.JWT_ALGO + } ) } @@ -292,7 +303,11 @@ class AuthorizationsManager { * @returns {Object} payload of the json web token */ _verifyRefreshToken(token) { - const payload = jwt.verify(token, this._secret, {}) + const payload = jwt.verify( + token, + this._secret, + {algorithms: [this.JWT_ALGO]} + ) if (payload['type'] != this.TOKEN_TYPE_REFRESH) throw errors.auth.INVALID_JWT