Updating to jws@^3.0.0

pose · pose · commit 1e4623420159 · 2015-04-10T12:38:41.000-03:00
As `jws@3.0.0` changed the verify method signature to be `jws.verify(signature, algorithm, secretOrKey)`, the token header must be decoded first in order to make sure that the `alg` field matches one of the allowed `options.algorithms`. After that, the now validated `header.alg` is passed to `jws.verify`

As the order of steps has changed, the error that was thrown when the JWT was invalid is no longer the `jws` one:

{ [Error: Invalid token: no header in signature 'a.b.c'] code: 'MISSING_HEADER', signature: 'a.b.c' }

That old error (removed from jws) has been replaced by a `JsonWebTokenError` with message `invalid token`. That's why this change will bump be a major.
diff --git a/index.js b/index.js
@@ -112,15 +112,25 @@ module.exports.verify = function(jwtString, secretOrPublicKey, options, callback
                          ~secretOrPublicKey.toString().indexOf('BEGIN PUBLIC KEY') ?
                           [ 'RS256','RS384','RS512','ES256','ES384','ES512' ] :
                          ~secretOrPublicKey.toString().indexOf('BEGIN RSA PUBLIC KEY') ?
-							[ 'RS256','RS384','RS512' ] :
-							[ 'HS256','HS384','HS512' ];
+                          [ 'RS256','RS384','RS512' ] :
+                          [ 'HS256','HS384','HS512' ];
 
   }
 
+  if (!jws.isValid(jwtString)) {
+    return done(new JsonWebTokenError('invalid token'));
+  }
+
+  var header = jws.decode(jwtString).header;
+
+  if (!~options.algorithms.indexOf(header.alg)) {
+    return done(new JsonWebTokenError('invalid signature'));
+  }
+
   var valid;
 
   try {
-    valid = jws.verify(jwtString, secretOrPublicKey);
+    valid = jws.verify(jwtString, header.alg, secretOrPublicKey);
   } catch (e) {
     return done(e);
   }
@@ -136,11 +146,6 @@ module.exports.verify = function(jwtString, secretOrPublicKey, options, callback
     return done(err);
   }
 
-  var header = jws.decode(jwtString).header;
-  if (!~options.algorithms.indexOf(header.alg)) {
-    return done(new JsonWebTokenError('invalid signature'));
-  }
-
   if (typeof payload.exp !== 'undefined' && !options.ignoreExpiration) {
     if (typeof payload.exp !== 'number') {
       return done(new JsonWebTokenError('invalid exp value'));
diff --git a/package.json b/package.json
@@ -19,12 +19,12 @@
     "url": "https://github.com/auth0/node-jsonwebtoken/issues"
   },
   "dependencies": {
-    "jws": "~2.0.0"
+    "jws": "^3.0.0"
   },
   "devDependencies": {
-    "atob": "~1.1.2",
-    "chai": "~1.10.0",
-    "mocha": "~2.1.0"
+    "atob": "^1.1.2",
+    "chai": "^1.10.0",
+    "mocha": "^2.1.0"
   },
   "engines": {
     "npm": ">=1.4.28"
diff --git a/test/jwt.rs.tests.js b/test/jwt.rs.tests.js
@@ -241,7 +241,7 @@ describe('RS256', function() {
       jwt.verify('fruit.fruit.fruit', pub, function(err, decoded) {
         assert.isUndefined(decoded);
         assert.isNotNull(err);
-        assert.equal(err.name, 'Error');
+        assert.equal(err.name, 'JsonWebTokenError');
         done();
       });
     });
