Skip to content

Commit

Permalink
Merge pull request #84 from jwtk/op-OKTA-444793-vuln-uuid
Browse files Browse the repository at this point in the history
chore: bump uuid dependency to 8.x and enforce minimal node version
  • Loading branch information
oleksandrpravosudko-okta authored Dec 3, 2021
2 parents a473c84 + 4913f46 commit ce98cd4
Show file tree
Hide file tree
Showing 9 changed files with 56 additions and 44 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# nJwt Change Log

### 1.2.0

* [#84] (https://github.com/jwtk/njwt/pull/84) Resolves `uuid` vulnerability.

### 1.1.0

* [#77](https://github.com/jwtk/njwt/pull/77) Adds TypeScript type definitions.
Expand Down
7 changes: 5 additions & 2 deletions package.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,10 @@
{
"name": "njwt",
"version": "1.1.0",
"version": "1.2.0",
"description": "JWT Library for Node.js",
"engines": {
"node": ">=6.0"
},
"main": "index.js",
"types": "index.d.ts",
"scripts": {
Expand All @@ -28,7 +31,7 @@
"dependencies": {
"@types/node": "^15.0.1",
"ecdsa-sig-formatter": "^1.0.5",
"uuid": "^3.3.2"
"uuid": "^8.3.2"
},
"devDependencies": {
"@typescript-eslint/eslint-plugin": "^4.22.0",
Expand Down
10 changes: 5 additions & 5 deletions test/algs.js
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,15 @@ var fs = require('fs');
var path = require('path');

function itShouldBeAValidJwt(jwt){
assert(nJwt.create({},uuid()) instanceof nJwt.Jwt);
assert(nJwt.create({},uuid.v4()) instanceof nJwt.Jwt);
var nowUnix = Math.floor(new Date().getTime()/1000);
assert.equal(nJwt.create({},uuid()).body.iat , nowUnix);
assert.equal(nJwt.create({},uuid.v4()).body.iat , nowUnix);
assert(jwt.body.jti.match(/[a-zA-Z0-9]+[-]/));
}

function testHmacAlg(alg,done){
var key = uuid();
var claims = { hello: uuid(), debug: true };
var key = uuid.v4();
var claims = { hello: uuid.v4(), debug: true };
var jwt = nJwt.create(claims,key,alg);
var token = jwt.compact();

Expand All @@ -27,7 +27,7 @@ function testHmacAlg(alg,done){
}

function testKeyAlg(alg,keyPair,done){
var claims = { hello: uuid(), debug: true };
var claims = { hello: uuid.v4(), debug: true };
var jwt = nJwt.create(claims,keyPair.private,alg);
var token = jwt.compact();

Expand Down
16 changes: 8 additions & 8 deletions test/builder.js
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ describe('create()',function(){
});

it('should create a default token if the scret is the only value',function(){
assert(nJwt.create(uuid()) instanceof nJwt.Jwt);
assert(nJwt.create(uuid.v4()) instanceof nJwt.Jwt);
});

it('should throw if using defaults without a secret key',function(){
Expand All @@ -45,33 +45,33 @@ describe('create()',function(){
describe('with a signing key',function(){

it('should return a JWT',function(){
assert(nJwt.create({},uuid()) instanceof nJwt.Jwt);
assert(nJwt.create({},uuid.v4()) instanceof nJwt.Jwt);
});

it('should use HS256 by default',function(){
assert.equal(nJwt.create({},uuid()).header.alg,'HS256');
assert.equal(nJwt.create({},uuid.v4()).header.alg,'HS256');
});

it('should create the iat field',function(){
var nowUnix = Math.floor(new Date().getTime()/1000);
assert.equal(nJwt.create({},uuid()).body.iat , nowUnix);
assert.equal(nJwt.create({},uuid.v4()).body.iat , nowUnix);
});

it('should not overwrite a defined iat field',function(){
assert.equal(nJwt.create({iat: 1},uuid()).body.iat , 1);
assert.equal(nJwt.create({iat: 1},uuid.v4()).body.iat , 1);
});

it('should create the exp field, defaulted to 1 hour',function(){
var oneHourFromNow = Math.floor(new Date().getTime()/1000) + (60*60);
assert.equal(nJwt.create({},uuid()).body.exp , oneHourFromNow);
assert.equal(nJwt.create({},uuid.v4()).body.exp , oneHourFromNow);
});

it('should not overwrite a defined jti field',function(){
assert.equal(nJwt.create({jti: 1},uuid()).body.jti , 1);
assert.equal(nJwt.create({jti: 1},uuid.v4()).body.jti , 1);
});

it('should create the jti field',function(){
var jwt = nJwt.create({},uuid());
var jwt = nJwt.create({},uuid.v4());
assert(jwt.body.jti.match(/[a-zA-Z0-9]+[-]/));
});

Expand Down
18 changes: 9 additions & 9 deletions test/jwt.js
Original file line number Diff line number Diff line change
Expand Up @@ -10,28 +10,28 @@ describe('Jwt',function() {

describe('.setClaim()',function(){
it('should set a claim on the claims body',function(){
var myClaim = uuid();
var myClaim = uuid.v4();
assert.equal(nJwt.Jwt().setClaim('myClaim', myClaim).body.myClaim,myClaim);
});
});

describe('.setHeader()',function(){
it('should set a header param on the header',function(){
var kid = uuid();
var kid = uuid.v4();
assert.equal(nJwt.Jwt().setHeader('kid', kid).header.kid,kid);
});
});

describe('.setSubject()',function(){
it('should set the sub claim',function(){
var sub = uuid();
var sub = uuid.v4();
assert.equal(nJwt.Jwt().setSubject(sub).body.sub,sub);
});
});

describe('.setIssuer()',function(){
it('should set the iss claim',function(){
var iss = uuid();
var iss = uuid.v4();
assert.equal(nJwt.Jwt().setIssuer(iss).body.iss,iss);
});
});
Expand All @@ -52,9 +52,9 @@ describe('Jwt',function() {
);
});
it('should allow me to remove the exp field',function(){
var jwt = nJwt.create({},uuid());
var jwt = nJwt.create({},uuid.v4());
var oneHourFromNow = Math.floor(new Date().getTime()/1000) + (60*60);
assert.equal(nJwt.create({},uuid()).body.exp , oneHourFromNow);
assert.equal(nJwt.create({},uuid.v4()).body.exp , oneHourFromNow);
assert.equal(jwt.setExpiration().body.exp, undefined);
assert.equal(jwt.setExpiration(false).body.exp, undefined);
assert.equal(jwt.setExpiration(null).body.exp, undefined);
Expand All @@ -79,9 +79,9 @@ describe('Jwt',function() {
);
});
it('should allow me to remove the nbf field',function(){
var jwt = nJwt.create({},uuid());
var jwt = nJwt.create({},uuid.v4());
var oneHourFromNow = Math.floor(new Date().getTime()/1000) + (60*60);
assert.equal(nJwt.create({},uuid()).body.nbf , undefined);
assert.equal(nJwt.create({},uuid.v4()).body.nbf , undefined);
assert.equal(jwt.setNotBefore().body.nbf, undefined);
assert.equal(jwt.setNotBefore(false).body.nbf, undefined);
assert.equal(jwt.setNotBefore(null).body.nbf, undefined);
Expand All @@ -107,7 +107,7 @@ describe('Jwt',function() {
});
describe('.toString()',function(){
it('should return the compacted JWT string',function(){
var jwt = nJwt.create({},uuid());
var jwt = nJwt.create({},uuid.v4());
assert.equal(jwt.compact(),jwt.toString());
});
});
Expand Down
2 changes: 1 addition & 1 deletion test/key-resolver.js
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ describe('Verifier', function() {
beforeEach(function() {
callCount = 0;
keyKid = '123';
signingKey = uuid();
signingKey = uuid.v4();
keyResolver = function(kid, cb) {
callCount++;
assert(kid === keyKid);
Expand Down
16 changes: 8 additions & 8 deletions test/others.js
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@ var jwtSimple = require('jwt-simple');

describe('this library',function () {
it('should generate tokens that can be verified by jsonwebtoken',function(done){
var key = uuid();
var claims = {hello:uuid()};
var key = uuid.v4();
var claims = {hello:uuid.v4()};
var jwt = nJwt.create(claims,key);
var token = jwt.compact();
assert.doesNotThrow(function(){
Expand All @@ -23,8 +23,8 @@ describe('this library',function () {
});

it('should be able to verify tokens from jsonwebtoken',function(done){
var claims = {hello:uuid()};
var key = uuid();
var claims = {hello:uuid.v4()};
var key = uuid.v4();
var token = jsonwebtoken.sign(claims, key);
nJwt.verify(token,key,function(err,jwt){
assert.isNull(err,'An unexpcted error was returned');
Expand All @@ -34,8 +34,8 @@ describe('this library',function () {
});

it('should generate tokens that can be verified by jwt-simple',function(done){
var key = uuid();
var claims = {hello:uuid()};
var key = uuid.v4();
var claims = {hello:uuid.v4()};
var jwt = nJwt.create(claims,key);
var token = jwt.compact();
var decoded;
Expand All @@ -51,8 +51,8 @@ describe('this library',function () {
});

it('should be able to verify tokens from jwt-simple',function(done){
var claims = {hello:uuid()};
var key = uuid();
var claims = {hello:uuid.v4()};
var key = uuid.v4();
var token = jwtSimple.encode(claims, key);
nJwt.verify(token,key,function(err,jwt){
assert.isNull(err,'An unexpcted error was returned');
Expand Down
22 changes: 11 additions & 11 deletions test/verifier.js
Original file line number Diff line number Diff line change
Expand Up @@ -41,15 +41,15 @@ describe('.verify()',function(){
});

it('should not alter the JWT, it should be compact-able as the same token',function(){
var orignalJwt = new nJwt.Jwt({hello: uuid()}, false).setSigningAlgorithm('none');
var orignalJwt = new nJwt.Jwt({hello: uuid.v4()}, false).setSigningAlgorithm('none');
var originalToken = orignalJwt.compact();
var verifiedJwt = nJwt.verify(originalToken);
assert.equal(originalToken, verifiedJwt.compact());
});

describe('if given only a token',function(){
it('should verify tokens that are alg none',function(){
var claims = {hello: uuid()};
var claims = {hello: uuid.v4()};
var token = new nJwt.Jwt(claims)
.setSigningAlgorithm('none')
.compact();
Expand All @@ -58,8 +58,8 @@ describe('.verify()',function(){
});
});
it('should reject tokens that specify an alg',function(){
var claims = {hello: uuid()};
var key = uuid();
var claims = {hello: uuid.v4()};
var key = uuid.v4();
var token = new nJwt.create(claims,key)
.compact();
assert.throws(function(){
Expand Down Expand Up @@ -90,7 +90,7 @@ describe('.verify()',function(){
});

it('should give me the parsed header on the error object if the body fails',function(done){
var header = nJwt.JwtHeader({typ:'JWT',alg:uuid()});
var header = nJwt.JwtHeader({typ:'JWT',alg:uuid.v4()});
var invalidJwt = header.compact()+'.notavalidbody';
nJwt.verify(invalidJwt,function(err){
assert.equal(err.jwtString, invalidJwt);
Expand All @@ -106,7 +106,7 @@ describe('Verifier().verify() ',function(){
it('should support sync usage',function(){
var verifier = new nJwt.Verifier()
.setSigningAlgorithm('none');
var claims = {hello: uuid()};
var claims = {hello: uuid.v4()};
var token = new nJwt.Jwt(claims).compact();
var verifiedToken;
assert.doesNotThrow(function(){
Expand All @@ -123,7 +123,7 @@ describe('Verifier().verify() ',function(){
});

it('should return the jwt string, header and body on error objects',function(done){
var jwt = new nJwt.Jwt({expiredToken:uuid()})
var jwt = new nJwt.Jwt({expiredToken:uuid.v4()})
.setExpiration(new Date().getTime()-1000);
var token = jwt.compact();
nJwt.verify(token,function(err){
Expand All @@ -136,7 +136,7 @@ describe('Verifier().verify() ',function(){
});

it('should return the jwt string, header and body on error objects with not active message',function(done){
var jwt = new nJwt.Jwt({notActiveToken:uuid()})
var jwt = new nJwt.Jwt({notActiveToken:uuid.v4()})
.setNotBefore(new Date().getTime()+1000);
var token = jwt.compact();
nJwt.verify(token,function(err){
Expand All @@ -149,7 +149,7 @@ describe('Verifier().verify() ',function(){
});

it('should return the jwt string, header and body with null error objects',function(done){
var jwt = new nJwt.Jwt({notActiveToken:uuid()});
var jwt = new nJwt.Jwt({notActiveToken:uuid.v4()});
var token = jwt.compact();
nJwt.verify(token,function(err){
assert.isNull(err);
Expand All @@ -162,7 +162,7 @@ describe('Verifier().verify() ',function(){
var verifier = new nJwt.Verifier()
.setSigningAlgorithm('none');

var claims = {hello: uuid()};
var claims = {hello: uuid.v4()};

describe('and given an unsigned token',function(){
var result;
Expand Down Expand Up @@ -273,7 +273,7 @@ describe('Verifier().verify() ',function(){
.setSigningAlgorithm('HS256')
.setSigningKey(key);

var claims = {hello:uuid()};
var claims = {hello:uuid.v4()};

describe('and given a token that was signed with the same key',function(){
var result;
Expand Down
5 changes: 5 additions & 0 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -2792,6 +2792,11 @@ uuid@^3.3.2:
resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.4.0.tgz#b23e4358afa8a202fe7a100af1f5f883f02007ee"
integrity sha512-HjSDRw6gZE5JMggctHBcjVak08+KEVhSIiDzFnT9S9aegmp85S/bReBVTb4QTFaRNptJ9kuYaNhnbNEOkbKb/A==

uuid@^8.3.2:
version "8.3.2"
resolved "https://registry.yarnpkg.com/uuid/-/uuid-8.3.2.tgz#80d5b5ced271bb9af6c445f21a1a04c606cefbe2"
integrity sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==

v8-compile-cache@^2.0.3:
version "2.3.0"
resolved "https://registry.yarnpkg.com/v8-compile-cache/-/v8-compile-cache-2.3.0.tgz#2de19618c66dc247dcfb6f99338035d8245a2cee"
Expand Down

0 comments on commit ce98cd4

Please sign in to comment.