Header typ check (#40)

* skip header typ check * change to checktyp * fix lint * add normalize and verify * improve check
nearform · Sep 8, 2020 · 3df64d6 · 3df64d6
1 parent 18c56b0
commit 3df64d6
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -76,6 +76,7 @@ async function test() {
 Create a decoder function by calling `createDecoder` and providing one or more of the following options:
 
 - `complete`: Return an object with the decoded header, payload, signature and input (the token part before the signature), instead of just the content of the payload. Default is `false`.
+- `checkTyp`: When validating the decoded header, setting this option forces the check of the `typ` property against this value. Example: `checkTyp: 'JWT'`. Default is `undefined`.
 
 The decoder is a function which accepts a token (as Buffer or string) and returns the payload or the sections of the token.
 

diff --git a/src/decoder.js b/src/decoder.js
@@ -2,7 +2,7 @@
 
 const TokenError = require('./error')
 
-function decode({ complete }, token) {
+function decode({ complete, checkTyp }, token) {
   // Make sure the token is a string or a Buffer - Other cases make no sense to even try to validate
   if (token instanceof Buffer) {
     token = token.toString('utf-8')
@@ -22,8 +22,8 @@ function decode({ complete }, token) {
   let validHeader = false
   try {
     const header = JSON.parse(Buffer.from(token.slice(0, firstSeparator), 'base64').toString('utf-8'))
-    if (header.typ !== 'JWT') {
-      throw new TokenError(TokenError.codes.invalidType, 'The type must be JWT.', { header })
+    if (checkTyp && header.typ !== checkTyp) {
+      throw new TokenError(TokenError.codes.invalidType, `The type must be "${checkTyp}".`, { header })
     }
     validHeader = true
 
@@ -54,6 +54,7 @@ function decode({ complete }, token) {
 
 module.exports = function createDecoder(options = {}) {
   const complete = options.complete || false
+  const checkTyp = options.checkTyp
 
-  return decode.bind(null, { complete })
+  return decode.bind(null, { complete, checkTyp })
 }
diff --git a/src/signer.js b/src/signer.js
@@ -62,6 +62,7 @@ function sign(
     expiresIn,
     notBefore,
     kid,
+    typ,
     isAsync,
     additionalHeader,
     fixedPayload
@@ -79,7 +80,7 @@ function sign(
   // Prepare the header
   const header = {
     alg: algorithm,
-    typ: 'JWT',
+    typ: typ || 'JWT',
     kid,
     ...additionalHeader
   }
@@ -180,6 +181,7 @@ module.exports = function createSigner(options) {
     sub,
     nonce,
     kid,
+    typ,
     header: additionalHeader
   } = { clockTimestamp: 0, ...options }
 
@@ -281,6 +283,7 @@ module.exports = function createSigner(options) {
     expiresIn,
     notBefore,
     kid,
+    typ,
     isAsync: keyType === 'function',
     additionalHeader,
     fixedPayload

diff --git a/src/verifier.js b/src/verifier.js
@@ -157,7 +157,7 @@ function validateClaimValue(value, modifier, now, greater, errorCode, errorVerb)
 function verifyToken(
   key,
   { input, header, payload, signature },
-  { validators, allowedAlgorithms, clockTimestamp, clockTolerance }
+  { validators, allowedAlgorithms, checkTyp, clockTimestamp, clockTolerance }
 ) {
   // Verify the key
   /* istanbul ignore next */
@@ -171,6 +171,14 @@ function verifyToken(
 
   validateAlgorithmAndSignature(input, header, signature, key, allowedAlgorithms)
 
+  // Verify typ
+  if (checkTyp) {
+    const headerTyp = (header.typ || '').toLowerCase().replace(/^application\//, '')
+    if (checkTyp !== headerTyp) {
+      throw new TokenError(TokenError.codes.invalidType, 'Invalid typ.')
+    }
+  }
+
   // Verify the payload
   const now = (clockTimestamp || Date.now()) + clockTolerance
 
@@ -202,6 +210,7 @@ function verify(
     allowedAlgorithms,
     complete,
     cacheTTL,
+    checkTyp,
     clockTimestamp,
     clockTolerance,
     ignoreExpiration,
@@ -259,7 +268,7 @@ function verify(
 
   const { header, payload, signature } = decoded
   cacheContext.payload = payload
-  const validationContext = { validators, allowedAlgorithms, clockTimestamp, clockTolerance }
+  const validationContext = { validators, allowedAlgorithms, checkTyp, clockTimestamp, clockTolerance }
 
   // We have the key
   if (!callback) {
@@ -324,6 +333,7 @@ module.exports = function createVerifier(options) {
     complete,
     cache: cacheSize,
     cacheTTL,
+    checkTyp,
     clockTimestamp,
     clockTolerance,
     ignoreExpiration,
@@ -411,11 +421,17 @@ module.exports = function createVerifier(options) {
     validators.push({ type: 'string', claim: 'nonce', allowed: ensureStringClaimMatcher(allowedNonce) })
   }
 
+  let normalizedTyp = null
+  if (checkTyp) {
+    normalizedTyp = checkTyp.toLowerCase().replace(/^application\//, '')
+  }
+
   const context = {
     key,
     allowedAlgorithms,
     complete,
     cacheTTL,
+    checkTyp: normalizedTyp,
     clockTimestamp,
     clockTolerance,
     ignoreExpiration,

diff --git a/test/decoder.spec.js b/test/decoder.spec.js
@@ -6,6 +6,7 @@ const { createDecoder } = require('../src')
 
 const defaultDecoder = createDecoder()
 // const rawDecoder = createDecoder({ json: false })
+const typDecoder = createDecoder({ checkTyp: 'JWT' })
 const completeDecoder = createDecoder({ complete: true })
 
 const token =
@@ -54,7 +55,7 @@ test('invalid header', t => {
 
   t.throws(() => defaultDecoder('Zm9v.b.c'), { message: 'The token header is not a valid base64url serialized JSON.' })
 
-  t.throws(() => defaultDecoder(nonJwtToken), { message: 'The type must be JWT.' })
+  t.throws(() => typDecoder(nonJwtToken), { message: 'The type must be "JWT".' })
 
   t.end()
 })

diff --git a/test/verifier.spec.js b/test/verifier.spec.js
@@ -53,11 +53,31 @@ test('it correctly verifies a token - sync', t => {
     { a: 1, iat: 2000000000, exp: 2100000000 }
   )
 
-  t.throws(() => {
-    verify('eyJhbGciOiJIUzI1NiJ9.MTIz.UqiZ2LDYZqYB3xJgkHaihGQnJ_WPTz3hERDpA7bWYjA', { noTimestamp: true })
-  }, {
-    code: 'FAST_JWT_INVALID_TYPE'
-  })
+  t.strictDeepEqual(
+    verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.57TF7smP9XDhIexBqPC-F1toZReYZLWb_YRU5tv0sxM', {
+      checkTyp: 'jwt',
+      noTimestamp: true
+    }),
+    { a: 1 }
+  )
+
+  t.strictDeepEqual(
+    verify('eyJhbGciOiJIUzI1NiIsInR5cCI6ImFwcGxpY2F0aW9uL2p3dCJ9.eyJhIjoxfQ.1ptuaNj5R0owE-5663LpMknK3eRgZVDHkMkOKkxlteM', {
+      checkTyp: 'jwt'
+    }),
+    { a: 1 }
+  )
+
+  t.throws(
+    () =>
+      verify(
+        'eyJhbGciOiJIUzI1NiJ9.eyJhIjoxfQ.LrlPmSL4FxrzAHJSYbKzsA997COXdYCeFKlt3zt5DIY',
+        { checkTyp: 'test' }
+      ),
+    {
+      message: 'Invalid typ.'
+    }
+  )
 
   t.strictDeepEqual(
     verify('eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhIjoxfQ.57TF7smP9XDhIexBqPC-F1toZReYZLWb_YRU5tv0sxM', {