fix: reject JWTs with b64: false

As per https://tools.ietf.org/html/rfc7797 abstract This specification updates RFC 7519 by stating that JSON Web Tokens (JWTs) MUST NOT use the unencoded payload option defined by this specification.
panva · Dec 6, 2020 · 691b44a · 691b44a
1 parent ee6d725
commit 691b44a
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/src/jwt/verify.ts b/src/jwt/verify.ts
@@ -10,6 +10,7 @@ import type {
  JWTVerifyResult,
 } from '../types.d'
 import jwtPayload from '../lib/jwt_claims_set.js'
+import { JWTInvalid } from '../util/errors.js'
 
 /**
  * Combination of JWS Verification options and JWT Claims Set verification options.
@@ -69,6 +70,9 @@ export default async function jwtVerify(
  options?: JWTVerifyOptions,
 ): Promise<JWTVerifyResult> {
  const verified = await verify(jwt, key, options)
+ if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {
+ throw new JWTInvalid('JWTs MUST NOT use unencoded payload')
+ }
  const payload = jwtPayload(verified.protectedHeader, verified.payload, options)
  return { payload, protectedHeader: verified.protectedHeader }
 }

diff --git a/test/jwt/verify.test.mjs b/test/jwt/verify.test.mjs
@@ -374,6 +374,16 @@ Promise.all([
  for (const claim of ['iat', 'nbf', 'exp']) {
  test(numericDateNumber, claim);
  }
+
+ test('Signed JWTs cannot use unencoded payload', async (t) => {
+ await t.throwsAsync(
+ jwtVerify(
+ 'eyJhbGciOiJIUzI1NiIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19.foo.VklKdp4tVYD61VNPDBTqxqdEQcUL3JK-D4dGXu9NvWs',
+ t.context.secret,
+ ),
+ { code: 'ERR_JWT_INVALID', message: 'JWTs MUST NOT use unencoded payload' },
+ );
+ });
  },
  (err) => {
  test('failed to import', (t) => {