Current behavior
Currently, when jwt.decode() gets a noVerify argument with ANY value except false, the signature is not verified.
Issue
This could be a problem if a developer is confused and passes a value like 'HS256' (the algorithm) instead of the noVerify boolean value, e.g.
user = jwt.decode(token, secret, 'HS256')
In this case the signature is not being verified, which could lead to authentication bypass.
Suggested Behavior
Signature verification is only skipped if the value of noVerify is true and is not skipped for any other value, e.g. a string like 'HS256'.
Reproduction steps:
- Create a token
const jwt = require('jwt-simple');
const secretKey = process.env.JWT_SECRET;
const username = "test1";
const token = jwt.encode({ username }, secretKey, 'HS256');
- Now try to decode with a different secret, with the value of verify set to anything except
false. This will work, allowing fake tokens to look like they were successfully verified
const decoded = jwt.decode(token, "wrong_secret", 'HS256');