49 lines
1.2 KiB
Plaintext
49 lines
1.2 KiB
Plaintext
== Why is this an issue?
|
|
|
|
include::../description.adoc[]
|
|
|
|
=== Noncompliant code example
|
|
|
|
https://www.npmjs.com/package/jsonwebtoken[jsonwebtoken] library:
|
|
|
|
[source,javascript]
|
|
----
|
|
const jwt = require('jsonwebtoken');
|
|
|
|
let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'none' }); // Noncompliant: 'none' cipher doesn't sign the JWT (no signature will be included)
|
|
|
|
jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['RS256', 'none'] }, callbackcheck); // Noncompliant: 'none' cipher should not be used when verifying JWT signature
|
|
----
|
|
|
|
=== Compliant solution
|
|
|
|
https://www.npmjs.com/package/jsonwebtoken[jsonwebtoken] library:
|
|
|
|
[source,javascript]
|
|
----
|
|
const jwt = require('jsonwebtoken');
|
|
|
|
let token = jwt.sign({ foo: 'bar' }, key, { algorithm: 'HS256' }); // Compliant
|
|
|
|
jwt.verify(token, key, { expiresIn: 360000 * 5, algorithms: ['HS256'] }, callbackcheck); // Compliant
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
include::highlighting.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|