RemoteJWKSetOptions timeout not working #277

Closed
2 tasks done
bondyr opened this issue Oct 6, 2021 · 4 comments
Labels
bug Something isn't working


bondyr commented Oct 6, 2021

What happened?

What happens:
When jwtVerify is called with a function created by createRemoteJWKSet as an argument, and the server is irresponsive, there's no timeout. The request keeps hanging until the server shuts down the connection.

What is expected:
The request times out after the RemoteJWKSetOptions.timeoutDuration period and an exception is thrown.

Other:
The issue happens for both the default and a manually specified value of RemoteJWKSetOptions.timeoutDuration.

Why:
It seems that the timeout event is emitted by ClientRequest, but there's no listener function added, so it's ignored in fetch_jwks.js.

Where:

jose/dist/node/cjs/runtime/fetch_jwks.js
jose/dist/node/esm/runtime/fetch_jwks.js

The browser version seems to be working fine (I haven't tested it though, just telling by code analysis):
jose/dist/browser/runtime/fetch_jwks.js

Fix proposal:
In jose/dist/node/cjs/runtime/fetch_jwks.js and jose/dist/node/esm/runtime/fetch_jwks.js files:

    req.on('timeout', () => {
        req.abort();
    });

Version

3.14.3, 3.19.0

Runtime

Node.js

Runtime Details

node v14.15.4, Win10 + WSL2

Code to reproduce

    // client side
    const { createRemoteJWKSet } = require('jose/jwks/remote')
    const { jwtVerify } = require('jose/jwt/verify')
    const jwksUrl = 'http://localhost:3000'
    const bearerToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'

    const jwks = createRemoteJWKSet(new URL(jwksUrl), {
        timeoutDuration: 1000
    })

    jwtVerify(bearerToken, jwks, {})
      .then(() => console.log('Done.'))
      .catch(err => console.log('Error: ', err))

    // server side
    const express = require('express')
    const app = express()
    const port = 3000

    app.get('/', (req, res) => {
      // don't send any response
    })

    app.listen(port, () => {
      console.log(`Example app listening at http://localhost:${port}`)
    })

  • I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
  • I agree to follow this project's Code of Conduct
@bondyr bondyr added the triage label Oct 6, 2021
panva (Owner) commented Oct 6, 2021

@bondyr thank you for the issue description, this is a helpful find!

@panva panva added bug Something isn't working and removed triage labels Oct 6, 2021
bondyr (Author) commented Oct 6, 2021

@panva Do you have any rough estimate when it might get fixed?

panva (Owner) commented Oct 6, 2021

@bondyr When I have the time to look into it myself or someone swoops in and magically offers their time and energy.

j/k of course free open source gets fixed ASAP.

bondyr (Author) commented Oct 7, 2021

It was damn fast magic, thanks a lot!

@github-actions github-actions bot locked and limited conversation to collaborators Jan 5, 2022