Why doesn't the decode function use a default algorithm? #227

Closed
marcoadkins opened this issue Sep 5, 2017 · 5 comments

@marcoadkins

Upgraded to 2.0.0 and started seeing this error everywhere I was calling JWT.decode:

expected JWT::VerificationError, got #<JWT::IncorrectAlgorithm: An algorithm must be specified>:

JWT.encode defaults to the HS256 algorithm; why not do the same for JWT.decode? It would be a simple change to the DEFAULT_OPTIONS.

module JWT
  module DefaultOptions
    DEFAULT_OPTIONS = {
      verify_expiration: true,
      verify_not_before: true,
      verify_iss: false,
      verify_iat: false,
      verify_jti: false,
      verify_aud: false,
      verify_sub: false,
      leeway: 0,
      algorithm: 'HS256'
    }.freeze
  end
end
@excpt
Member

excpt commented Sep 6, 2017

The default algorithm was dropped with PR #184.

It is a security issue.

The documentation is wrong.

#226 addresses this issue.

@excpt excpt closed this as completed Sep 6, 2017
@excpt excpt added the won't fix label Sep 6, 2017
@marcoadkins
Author

@excpt The default algorithm was not dropped in #184. #184 changed the behavior to check the header's algorithm against the one supplied in options. Why not allow people to easily make the decision to use the default algorithm for decode? I don't think requiring someone to type in a string really improves security. The security improvement came from checking the header's algorithm against the one in options. Whether that comes from a default value or a passed-in string, it still applies the same level of security.

@excpt excpt reopened this Sep 7, 2017
@excpt excpt removed the won't fix label Sep 7, 2017
@fabn

fabn commented Oct 4, 2017

Got the same issue. If you want to provide that behaviour without changing your whole codebase, you can use this monkeypatch:

module JwtAlgorithmChooser
  # Default algorithm for decoding
  DEFAULT_ALGORITHM = 'HS256'
  # Automatically choose the decoding algorithm when none is given.
  # The default is merged underneath the caller's options, so an
  # explicitly supplied :algorithm still wins.
  # @see https://github.com/jwt/ruby-jwt/issues/227
  def decode(jwt, key = nil, verify = true, custom_options = {}, &keyfinder)
    super(jwt, key, verify, { algorithm: DEFAULT_ALGORITHM }.merge(custom_options), &keyfinder)
  end
end
# Monkey patch the class until #227 is solved
# @see https://stackoverflow.com/a/32334444/518204
JWT.singleton_class.prepend(JwtAlgorithmChooser)
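
To make the decode contract discussed in this thread concrete (the caller must name an algorithm, and the token header's alg must match it before the signature is checked, as #184 introduced), here is a small stand-alone HMAC-only illustration. It is added example code, not ruby-jwt's implementation; the MiniJWT module, its DEFAULT_OPTIONS and the error messages are constructed to mirror the behaviour described above.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed stand-in for the decode contract discussed in this issue; not ruby-jwt's code.
module MiniJWT
  class IncorrectAlgorithm < StandardError; end
  class VerificationError < StandardError; end

  HMAC_DIGESTS = { 'HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512' }.freeze
  # Like the gem after PR #184: no algorithm in the defaults, so the caller must pin one.
  DEFAULT_OPTIONS = { verify_expiration: true, leeway: 0 }.freeze

  def self.b64(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def self.encode(payload, key, algorithm = 'HS256')
    header = { 'typ' => 'JWT', 'alg' => algorithm }
    signing_input = "#{b64(JSON.generate(header))}.#{b64(JSON.generate(payload))}"
    signature = OpenSSL::HMAC.digest(HMAC_DIGESTS.fetch(algorithm), key, signing_input)
    "#{signing_input}.#{b64(signature)}"
  end

  # The header's alg is compared with the algorithm the caller pinned *before* the
  # signature is checked, so the token never gets to choose its own verification algorithm.
  def self.decode(token, key, custom_options = {})
    options = DEFAULT_OPTIONS.merge(custom_options)
    algorithm = options[:algorithm]
    raise IncorrectAlgorithm, 'An algorithm must be specified' if algorithm.nil?
    header_b64, payload_b64, sig_b64 = token.split('.', 3)
    raise VerificationError, 'Malformed token' if sig_b64.nil?
    header = JSON.parse(Base64.urlsafe_decode64(header_b64))
    raise IncorrectAlgorithm, "Expected #{algorithm}, got #{header['alg']}" unless header['alg'] == algorithm
    digest = HMAC_DIGESTS.fetch(algorithm) { raise IncorrectAlgorithm, "Unsupported #{algorithm}" }
    expected = OpenSSL::HMAC.digest(digest, key, "#{header_b64}.#{payload_b64}")
    given = Base64.urlsafe_decode64(sig_b64)
    raise VerificationError, 'Signature verification failed' unless constant_time_equal?(expected, given)
    JSON.parse(Base64.urlsafe_decode64(payload_b64))
  end

  # Byte-by-byte comparison that does not short-circuit on the first mismatch.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Calling `MiniJWT.decode(token, key)` with no `:algorithm` raises `IncorrectAlgorithm` exactly as reported at the top of this issue, while a default merged underneath the caller's options (as in the monkeypatch above) would let the same call through with HS256 pinned.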

@excpt
Member

excpt commented Oct 4, 2017

First of all: Sorry for the delay. I'm back from vacation.

@madkin10 I merged your PR.

I think I will get the 2.1.0 release ready by Friday.

Thanks for all the feedback and contribution.

@marcoadkins
Author

@excpt No problem. Sounds good.

@excpt excpt removed the security label Oct 5, 2017
@excpt excpt closed this as completed Oct 5, 2017