fix: Compact JWS verification handles a zero-length payload string
panva committed Nov 12, 2021
1 parent d927d4e commit 7c70e7b
Showing 4 changed files with 41 additions and 6 deletions.
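--- a/src/jws/compact/verify.ts
+++ b/src/jws/compact/verify.ts
@@ -72,11 +72,7 @@ export async function compactVerify(
 }
 
 const verified = await flattenedVerify(
-{
-payload: <string>(payload || undefined),
-protected: protectedHeader || undefined,
-signature: <string>(signature || undefined),
-},
+{ payload, protected: protectedHeader, signature },
 <Parameters<typeof flattenedVerify>[1]>key,
 options,
 )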
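Review bot: The `|| undefined` coercion is dropped for `protected` and `signature` as well as for `payload`, so an empty protected-header or signature segment now reaches `flattenedVerify` as `''` instead of `undefined`. Whether `flattenedVerify` still rejects those inputs is not visible in this hunk, and the tests added in this commit only exercise the empty-payload success path. I would add negative tests asserting that a compact JWS with an empty signature segment, and one with an empty protected header, still reject. A comment above the call would also help, such as `// '' is a valid payload; empty protected/signature segments must still be rejected by flattenedVerify`. The body of compactVerify starts and ends outside the hunk.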
18 changes: 17 additions & 1 deletion test/jws/compact.verify.test.mjs
@@ -1,9 +1,25 @@
import test from 'ava'
import * as crypto from 'crypto'

const root = !('WEBCRYPTO' in process.env) ? '#dist' : '#dist/webcrypto'
const { compactVerify } = await import(root)
const { compactVerify, CompactSign } = await import(root)

test.before(async (t) => {
t.context.secret = crypto.randomFillSync(new Uint8Array(32))
})

test('JWS format validation', async (t) => {
{
await t.notThrowsAsync(async () => {
await compactVerify(
await new CompactSign(new Uint8Array())
.setProtectedHeader({ alg: 'HS256' })
.sign(t.context.secret),
t.context.secret,
)
})
}

await t.throwsAsync(compactVerify(null, new Uint8Array(0)), {
message: 'Compact JWS must be a string or Uint8Array',
code: 'ERR_JWS_INVALID',
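Review bot: The new case only asserts that verification does not throw; it never checks what the verified result contains, so a regression that returned a wrong or undefined payload for the zero-length case would still pass. Capturing the result and asserting on it would pin the behaviour, e.g. `const { payload } = await compactVerify(jws, t.context.secret)` followed by `t.is(payload.byteLength, 0)`, assuming the resolved object exposes `payload` as a Uint8Array. The same applies to the `notThrowsAsync` blocks added in test/jws/flattened.verify.test.mjs and test/jws/general.test.mjs. The enclosing test callback continues past the end of this hunk.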
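--- a/test/jws/flattened.verify.test.mjs
+++ b/test/jws/flattened.verify.test.mjs
@@ -34,6 +34,17 @@ test('JWS format validation', async (t) => {
 })
 }
 
+{
+await t.notThrowsAsync(async () => {
+await flattenedVerify(
+await new FlattenedSign(new Uint8Array())
+.setProtectedHeader({ alg: 'HS256' })
+.sign(t.context.secret),
+t.context.secret,
+)
+})
+}
+
 {
 const jws = { ...fullJws }
 delete jws.signature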
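--- a/test/jws/general.test.mjs
+++ b/test/jws/general.test.mjs
@@ -81,6 +81,18 @@ test('General JWS verify format validation', async (t) => {
 
 const generalJws = await sig.sign()
 
+{
+await t.notThrowsAsync(async () => {
+await generalVerify(
+await new GeneralSign(new Uint8Array())
+.addSignature(t.context.secret)
+.setProtectedHeader({ alg: 'HS256' })
+.sign(),
+t.context.secret,
+)
+})
+}
+
 {
 await t.throwsAsync(generalVerify(null, t.context.secret), {
 message: 'General JWS must be an object',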
