16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
54 lines
1.4 KiB
Plaintext
54 lines
1.4 KiB
Plaintext
== Why is this an issue?
|
|
|
|
include::../description.adoc[]
|
|
|
|
=== Noncompliant code example
|
|
|
|
https://www.npmjs.com/package/jsonwebtoken[jsonwebtoken] library:
|
|
|
|
[source,javascript]
|
|
----
|
|
const jwt = require('jsonwebtoken');
|
|
|
|
let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: 'none' cipher doesn't sign the JWT (no signature will be included)
|
|
|
|
jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: 'none' cipher should not be used when verifying JWT signature
|
|
----
|
|
|
|
=== Compliant solution
|
|
|
|
https://www.npmjs.com/package/jsonwebtoken[jsonwebtoken] library:
|
|
|
|
[source,javascript]
|
|
----
|
|
const jwt = require('jsonwebtoken');
|
|
|
|
let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'HS256' }); // Compliant
|
|
|
|
jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['HS256'] }, callbackcheck); // Compliant
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
=== Highlighting
|
|
|
|
* primary location: the call to sign/verify method
|
|
* secondary location: on the incorrect option argument (third argument)
|
|
** message: 'The "algorithms" option should be defined and should not contain 'none'.'
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|