Eliminate header? Can this be an option?
RE https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
Apologies if this has already been covered. I am not expert enough with Lua to read the code and be sure I have understood.
If I understand the issue, I am not immediately vulnerable, because my usage is internal (I have a secret key, and do not use third parties and public keys). Cf. comment from José Romaniello.
But still, my preference would be to remove the header altogether. It would make for a shorter transmission, and remove any clue about which algorithm was used. Cf. comment from Federico Rampazzo.
I do not yet have the lua mojo to attempt this. Nor do I ask for it.
Thank you for sharing this! I am excited to be discovering the world of lua+nginx.
Hmm... I don't like the idea of dropping the header entirely, personally. It's not proper RFC JWT when you eliminate the header.
But I think I can put raw_payload into the jwtObj when signing, so you can easily drop the header by adding a few lines.
It's not working for now:

```lua
-- sign
local raw_header = jwt:jwt_encode({typ="JWT", alg="HS256"})
local jwtObj = {raw_header=raw_header, payload={id=1}}
local fullJwt = jwt.sign("secret", jwtObj)
-- or you can split the full jwt and replace the header with "{}"
local withoutHeader = table.concat({"{}", jwtObj.raw_payload, jwtObj.signature}, ".")
-- verify: the signature covers the original header, so put raw_header back
-- in place of the "{}" placeholder before handing the token to verify
local withHeader = (withoutHeader:gsub("^{}", raw_header, 1))
jwt.verify("secret", withHeader)
```
Thoughts?
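Added example (not lua-resty-jwt code and not from either commenter): a minimal HS256 JWT built from the Python standard library that shows the point behind both posts above. The auth0 write-up's problem is a verifier that obeys the `alg` field of an attacker-controlled header; the fix is for the verifier to pin the algorithm it expects, which makes the header harmless without removing it. The block also shows the header-stripping idea from the snippet above: the header segment can be dropped from the wire format, but the HMAC still covers it, so the verifier must re-attach byte-identical header bytes before checking. The key `b"secret"`, the payload `{"id": 1}`, the `FIXED_HEADER` constant and all function names are constructed for this example; here the header is dropped entirely rather than replaced with `"{}"`.

```python
"""Added example, not part of lua-resty-jwt or the thread.

Shows (1) a verifier that trusts the header's alg and therefore accepts
"alg": "none" tokens, (2) a verifier that pins HS256, and (3) verification
of a token whose header was stripped in transit and re-attached on verify.
All keys and payloads are constructed for the example.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"secret"  # constructed example key, mirroring "secret" in the thread


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_encode(obj) -> str:
    # Fixed separators so the same dict always yields the same bytes; the
    # signature is over these bytes, so signer and verifier must agree exactly.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


# Header bytes assumed to be shared by signer and verifier (example constant).
FIXED_HEADER = jwt_encode({"typ": "JWT", "alg": "HS256"})


def sign_hs256(key: bytes, payload: dict) -> str:
    body = jwt_encode(payload)
    sig = hmac.new(key, f"{FIXED_HEADER}.{body}".encode(), hashlib.sha256).digest()
    return f"{FIXED_HEADER}.{body}.{b64url_encode(sig)}"


def verify_trusting_header(key: bytes, token: str):
    """VULNERABLE: the algorithm is read from the attacker-controlled header."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(body_b64))  # accepts an unsigned token
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return json.loads(b64url_decode(body_b64))
    return None


def verify_hs256(key: bytes, token: str):
    """Hardened: the caller pins HS256; the header's alg is checked, never obeyed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(b64url_decode(body_b64))


def forge_alg_none(token: str, new_payload: dict) -> str:
    """Attacker's move from the auth0 post: alg=none, new payload, no signature."""
    header = jwt_encode({"typ": "JWT", "alg": "none"})
    return f"{header}.{jwt_encode(new_payload)}."


def strip_header(token: str) -> str:
    """Wire form discussed in the thread: send only payload and signature."""
    _, body_b64, sig_b64 = token.split(".")
    return f"{body_b64}.{sig_b64}"


def verify_stripped(key: bytes, compact: str):
    """Re-attach the header the signer used; the MAC still covers it."""
    parts = compact.split(".")
    if len(parts) != 2:
        return None
    body_b64, sig_b64 = parts
    return verify_hs256(key, f"{FIXED_HEADER}.{body_b64}.{sig_b64}")
```

Note the real constraint on the stripping approach: because the signature is computed over the header bytes, the verifier cannot rebuild the header from a Lua table at verify time unless the JSON encoder is guaranteed to emit exactly the same bytes (key order, whitespace); that is why the snippet above keeps `raw_header` rather than re-encoding `{typ="JWT", alg="HS256"}`.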
I don't think you should do anything on my account, thank you. I agree about remaining "proper". The code provides enough for me to customize for my use case without affecting others. In the meantime, I think you've done great as is. Thank you.