
fix: "typ" content-type validation, case insensitive and handled prefix
panva committed Apr 27, 2020
1 parent 7389bee commit 0691586
Showing 2 changed files with 22 additions and 3 deletions.
3 changes: 2 additions & 1 deletion lib/jwt/verify.js
Expand Up @@ -36,6 +36,7 @@ const isStringOrArrayOfStrings = (value, label, required = false) => {
}

const isNotArrayOfStrings = val => !Array.isArray(val) || val.length === 0 || val.some(isNotString)
const normalizeTyp = (value) => value.toLowerCase().replace(/^application\//, '')

const validateOptions = ({
algorithms, audience, clockTolerance, complete = false, crit, ignoreExp = false,
Expand Down Expand Up @@ -254,7 +255,7 @@ module.exports = (token, key, options = {}) => {
throw new JWTClaimInvalid('unexpected "aud" claim value', 'aud', 'check_failed')
}

if (typ && decoded.header.typ !== typ) {
if (typ && normalizeTyp(decoded.header.typ) !== normalizeTyp(typ)) {
throw new JWTClaimInvalid('unexpected "typ" JWT header value', 'typ', 'check_failed')
}

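Review bot: `normalizeTyp(decoded.header.typ)` on the new comparison line dereferences the header value unconditionally once the `typ` option is set, so a token whose header omits `typ` (or carries a non-string `typ`) now fails with a TypeError from `.toLowerCase` instead of the `JWTClaimInvalid('unexpected "typ" JWT header value', 'typ', 'check_failed')` that the old strict comparison produced for the same input. The header is part of the untrusted token, and callers that catch `JWTClaimInvalid` to treat a bad token as "check failed" will no longer see that error type. A guard in the helper restores the previous behaviour for the non-string case while keeping the new normalization: `const normalizeTyp = (value) => (typeof value === 'string' ? value.toLowerCase().replace(/^application\//, '') : value)`. Whether `validateOptions` already rejects a non-string `typ` option is not visible here, and the enclosing `module.exports` function starts and ends outside the hunk.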
22 changes: 20 additions & 2 deletions test/jwt/verify.test.js
Expand Up @@ -199,8 +199,26 @@ test('option.typ validation fails', t => {
})

test('option.typ validation success', t => {
const token = JWT.sign({}, key, { header: { typ: 'foo' } })
JWT.verify(token, key, { typ: 'foo' })
{
const token = JWT.sign({}, key, { header: { typ: 'foo' } })
JWT.verify(token, key, { typ: 'foo' })
}
{
const token = JWT.sign({}, key, { header: { typ: 'application/foo' } })
JWT.verify(token, key, { typ: 'foo' })
}
{
const token = JWT.sign({}, key, { header: { typ: 'foo' } })
JWT.verify(token, key, { typ: 'application/foo' })
}
{
const token = JWT.sign({}, key, { header: { typ: 'foO' } })
JWT.verify(token, key, { typ: 'application/foo' })
}
{
const token = JWT.sign({}, key, { header: { typ: 'application/foo' } })
JWT.verify(token, key, { typ: 'fOo' })
}
t.pass()
})

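Review bot: The new blocks in 'option.typ validation success' only exercise accepting inputs; nothing pins that normalization does not widen what is accepted, e.g. that a header `typ` of `application/bar` is still rejected for `{ typ: 'foo' }`, or that a token signed without any `typ` header is rejected with a `JWTClaimInvalid` when the option is set. The 'option.typ validation fails' test named in the hunk header starts above the hunk and is the natural place for these: `const token = JWT.sign({}, key, { header: { typ: 'application/bar' } })` followed by the same throws-assertion that test already uses for `JWT.verify(token, key, { typ: 'foo' })`, and a second block with no `header.typ` at all. Without the second case the error type for a missing header is untested by this change.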
