
Crypto - KeyObject is undefined for Node V14 - "jsonwebtoken": "9.0.0" #885


Open
josephnvn opened this issue Feb 7, 2023 · 5 comments

@josephnvn

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Description

KeyObject from Crypto is undefined. I am using Node 14.10.1. 

Reproduction

NODE v14.10.1
jwt.sign({email: "bar@foo"}, "PRIVATE_KEY", { algorithm: 'HS512' })

Throws an error
webpack-internal:///…ebtoken/sign.js:173 Uncaught (in promise) TypeError: Right-hand side of 'instanceof' is not an object
at module.exports [as sign] (sign.js:108:1)
if (secretOrPrivateKey != null && !(secretOrPrivateKey instanceof KeyObject)) {

image

Environment

Please provide the following:

  • Version of this library used: 9.0.0
  • Version of the platform or framework used, if applicable: any platform
  • Other relevant versions (language, server software, OS, browser):
  • Other modules/plugins/libraries that might be involved:
@declaresub

I tripped over the same issue. I believe the problem is that KeyObject belongs to node Crypto, and so does not exist in the browser environment.

@panva
Contributor

panva commented Feb 9, 2023

Indeed, KeyObject is present in Node.js v14.10.1. This library's use outside of Node.js runtime was never intended.

Versions before 9.0.0 could use webpack's polyfill of the Node.js built-in modules. This most likely a) relied on slow js cryptography that isn't maintained anymore and lacks feature parity with Node's crypto and b) increased your js bundle size considerably. FWIW webpack 5 also no longer defaults to using these questionable crypto polyfills anymore.

It is better to rely on JWT modules made to be consumed in browser or generic javascript environments. You can discover such modules on jwt.io under "JavaScript" libraries.

@dhwang

dhwang commented Feb 21, 2023

Node 15 implementation adds WebCrypto and CryptoKey
and has implementation for both isCryptoKey and isKeyObject

What blocks jsonwebtoken from creating similar isCryptoKey and isKeyObject and test both?

This library has been a much smaller package for its purpose and we would like to keep using it instead of the alternatives.
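The failure discussed in this thread and a guarded form of the check, as an added example that is not part of the thread or of jsonwebtoken's code. It runs under Node.js; the helper names (`instanceofAgainst`, `isKeyObject`, `requireNodeCrypto`, `signHS512`) are hypothetical, and an empty object or `undefined` is used as a constructed stand-in for a bundle that has no real `crypto` module.

```javascript
// Added illustration; not jsonwebtoken's code. Helper names are hypothetical.
const nodeCrypto = require('crypto');

// Reproduces the reported failure: `instanceof` throws when its right-hand
// side is undefined, as happens when a bundle has no real crypto.KeyObject.
function instanceofAgainst(KeyObjectCtor, value) {
  try {
    return { threw: false, result: value instanceof KeyObjectCtor };
  } catch (err) {
    return { threw: true, name: err.name };
  }
}

// Guarded check: never evaluates `instanceof` against a missing constructor.
function isKeyObject(cryptoModule, value) {
  const Ctor = cryptoModule && cryptoModule.KeyObject;
  return typeof Ctor === 'function' && value instanceof Ctor;
}

// Fail fast with a clear message instead of a TypeError deep inside sign().
function requireNodeCrypto(cryptoModule) {
  const ok = cryptoModule &&
    typeof cryptoModule.KeyObject === 'function' &&
    typeof cryptoModule.createHmac === 'function';
  if (!ok) {
    throw new Error('Node.js crypto (KeyObject, createHmac) is not available in this runtime');
  }
  return cryptoModule;
}

// Minimal HS512 JWT signer on Node's own crypto, accepting a string secret
// or a KeyObject, to show the same check passing in a real Node.js runtime.
function signHS512(payload, secret, cryptoModule = nodeCrypto) {
  const c = requireNodeCrypto(cryptoModule);
  const key = isKeyObject(c, secret) ? secret : c.createSecretKey(Buffer.from(secret, 'utf8'));
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const signingInput = `${enc({ alg: 'HS512', typ: 'JWT' })}.${enc(payload)}`;
  const sig = c.createHmac('sha512', key).update(signingInput).digest('base64url');
  return `${signingInput}.${sig}`;
}
```

Calling `signHS512` with the stand-in module raises the explicit "not available" error at the entry point, which is easier to diagnose in a bundled application than the `instanceof` TypeError from the report.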

@fandrusi

fandrusi commented Feb 28, 2023

Running into this same issue. "crypto" is undefined for jsonwebtoken's calls, so all references fail:

image

@siraj-iconcile

Is this repo even being maintained?
I see multiple issues open for that one thing and no resolution left. 8.x version has vulnerabilities. And 9.x is giving this error.
