auth-module icon indicating copy to clipboard operation
auth-module copied to clipboard

Published 20 hours ago verified publisher icon nuxt-community

JWT Signature validation

Open sneakylenny opened this issue 3 years ago • 4 comments

Is your feature request related to a problem? Please describe.

No, but this could be an awesome feature to have! :)

Describe the solution you'd like to see

Okay, so the package is still in "flux" but works great. I thought it would be great to addition to add a JWT signature validation to the middleware! (optional and only server-side of course). This could be easily implemented using jsonwebtoken or similar packages.

The config would look like this:

auth: {
  // ...
  strategies: {
    local: {
      scheme: 'refresh',
      tokenType: 'JWT',
      // Full config
      signature: {
        // Required
        key: './sig.pem', // Signature file
        // Optional
        algorithm: ["HS256", "HS384"],
        // Token attributes to validate (all optional)
        attributes: {
          issuer: 'example.com',
          audience: 'audience',
          jwtid: 'jwtid',
          subject: 'subject',
          cutomprop: 'maybe?',
        }
      },
      // OR simple default config
      signature: {
        key: process.env.JWT_SIGNATURE, // Signature string
      }
    }
    // ...
  }
}

Describe alternatives you've considered

No need to try any alternatives

Additional context

I may create a PR if possible 👷

sneakylenny avatar Feb 22 '22 15:02 sneakylenny

I'm afraid I don't quite understand the point of this Issue :/

Intevel avatar Feb 24 '22 09:02 Intevel

I'm afraid I don't quite understand the point of this Issue :/

That's because it's an feature-request/enhancement, not an issue, bug or error. What I'm trying to say is: the JWT's are not validated with their signature (yet, or I missed something in the docs). Right now you could decode the token alter it encode it with a different signature and replace it in the app. This wouldn't be possible if the token was validated with the original (and secret) signature in the middle ware. The user would be logged out if the JWT is tampered with.

Right now I'm doing it manually in a middleware using jsonwebtoken:

import jwt from 'jsonwebtoken'

export default async ({ /* ... */ $config, $auth, error, /* ... */}) => {
  // ...
  const token = $auth.strategy.token.get().replace('Bearer ', '');
  let tokenClaims;
  try {
    if (process.server && $config.jwtSignature !== undefined) {
      // Validate token using signature
      // $config.jwtSignature is only available on server since it contains the confidential signature
      tokenClaims = jwt.verify(token, $config.jwtSignature)
    } else {
      tokenClaims = jwt.decode(token)
    }
    
    // Validate token claims
    // Example: token issuer
    if(tokenClaims['iss'] !== $config.issuer /* or 'mysite.com' */ ) {
      error({statusCode: 401, message: "Invalid token issuer"})
    }
  } catch (error) {
    // Handle error
  }
  // ...
}

This would strongly improve security

sneakylenny avatar Feb 24 '22 10:02 sneakylenny

I said Issue because it is known on Github as Issue :) And now I understand it, thanks for the explanation.

Intevel avatar Feb 24 '22 10:02 Intevel

I'm afraid I don't quite understand the point of this Issue :/

Yes it is a new feature request, but wouldn't it be nice to auth.JwtToken.Payload.UserName

TomMiller-mas avatar Mar 11 '22 03:03 TomMiller-mas

Custom schemes could be used.

sneakylenny avatar Aug 17 '22 07:08 sneakylenny