From 3c9718da3da85fa2044c7685c6f60a9925a2930e Mon Sep 17 00:00:00 2001 From: Owen Smith Date: Mon, 13 Jun 2016 09:33:04 -0400 Subject: [PATCH 1/5] sign: dont convert input buffers to utf8 strings binary payloads would get mangled due to the unnecessary string conversion, which should go the other way around Fixes: https://github.com/brianloveswords/node-jws/issues/50 --- lib/sign-stream.js | 6 +++--- lib/to-buffer.js | 19 +++++++++++++++++++ 2 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 lib/to-buffer.js diff --git a/lib/sign-stream.js b/lib/sign-stream.js index e24576f..a7bb2d5 100644 --- a/lib/sign-stream.js +++ b/lib/sign-stream.js @@ -3,13 +3,13 @@ var base64url = require('base64url'); var DataStream = require('./data-stream'); var jwa = require('jwa'); var Stream = require('stream'); -var toString = require('./tostring'); +var toBuffer = require('./to-buffer'); var util = require('util'); function jwsSecuredInput(header, payload, encoding) { encoding = encoding || 'utf8'; - var encodedHeader = base64url(toString(header), 'binary'); - var encodedPayload = base64url(toString(payload), encoding); + var encodedHeader = base64url(toBuffer(header)); + var encodedPayload = base64url(toBuffer(payload, encoding)); return util.format('%s.%s', encodedHeader, encodedPayload); } diff --git a/lib/to-buffer.js b/lib/to-buffer.js new file mode 100644 index 0000000..efb9231 --- /dev/null +++ b/lib/to-buffer.js @@ -0,0 +1,19 @@ +'use strict'; + +var Buffer = require('safe-buffer').Buffer; + +module.exports = function toBuffer(val, encoding) { + if (Buffer.isBuffer(val)) { + return val; + } + if (typeof val === 'string') { + return Buffer.from(val, encoding || 'utf8'); + } + if (typeof val === 'number') { + // This won't work for very large or very small numbers, but is consistent + // with previous behaviour at least + val = val.toString(); + return Buffer.from(val, 'utf8'); + } + return Buffer.from(JSON.stringify(val), 'utf8'); +}; 
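Review bot: `jwsSecuredInput` still defaults `encoding` to 'utf8', but after this change the argument only matters when `payload` is a string: per the new `toBuffer`, a Buffer is returned as-is, and numbers and objects are always serialized as UTF-8. The header also moves from the old `'binary'` conversion to UTF-8 bytes, which changes the signed bytes for any header that contains non-ASCII characters. A short comment above the function would make the contract explicit, e.g. `// encoding applies only to string payloads; Buffers are signed byte-for-byte, header strings/objects are UTF-8`.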
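Review bot: The final fallthrough in `toBuffer` passes `JSON.stringify(val)` straight to `Buffer.from`, and `JSON.stringify` returns `undefined` rather than a string for `undefined`, functions and symbols. A missing header or payload would then surface as a generic `Buffer.from` TypeError instead of a message naming the bad input. A guard before the last line would make the failure explicit: `if (val === undefined) { throw new TypeError('toBuffer: value is undefined'); }`. Whether callers validate earlier is not visible in this hunk.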
From 1364b5963cd680e48f1d10aef491db62cb989be7 Mon Sep 17 00:00:00 2001 From: Owen Smith Date: Wed, 29 Jun 2016 23:39:18 -0400 Subject: [PATCH 2/5] test: add test for buffer payload input --- test/jws.test.js | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/test/jws.test.js b/test/jws.test.js index 7f53d6f..da725eb 100644 --- a/test/jws.test.js +++ b/test/jws.test.js @@ -330,3 +330,16 @@ test('jws.isValid', function (t) { t.same(jws.isValid(valid), true); t.end(); }); + +test('#50 mangled binary payload', function(t) { + const sig = jws.sign({ + header: { + alg: 'HS256' + }, + payload: new Buffer('TkJyotZe8NFpgdfnmgINqg==', 'base64'), + secret: new Buffer('8NRxgIkVxP8LyyXSL4b1dg==', 'base64') + }); + + t.same(sig, 'eyJhbGciOiJIUzI1NiJ9.TkJyotZe8NFpgdfnmgINqg.9XilaLN_sXqWFtlUCdAlGI85PCEbJZSIQpakyAle-vo'); + t.end(); +}); From 9e4fbe3128a89417c7b827c818248fad4061bc3f Mon Sep 17 00:00:00 2001 From: MMDF Date: Sun, 6 Aug 2017 22:44:56 +0300 Subject: [PATCH 3/5] Fix typo in code example Just put some curly braces as JS doesn't have such syntax (yet). --- readme.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/readme.md b/readme.md index e4200b8..a67e532 100644 --- a/readme.md +++ b/readme.md @@ -116,9 +116,9 @@ jws.createSign({ }); // is equivilant to this: -const signer = jws.createSign( +const signer = jws.createSign({ header: { alg: 'RS256' }, -); +}); privateKeyStream.pipe(signer.privateKey); payloadStream.pipe(signer.payload); signer.on('done', function(signature) { From 61f2bb9b883343c89fcb28b7ef4ed1d692110ee4 Mon Sep 17 00:00:00 2001 From: Owen Smith Date: Mon, 14 May 2018 10:01:53 -0400 Subject: [PATCH 4/5] deps: replace base64url with inline definition --- lib/sign-stream.js | 9 ++++++++- lib/verify-stream.js | 6 +++--- package.json | 1 - 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/lib/sign-stream.js b/lib/sign-stream.js index a7bb2d5..9198457 100644 --- a/lib/sign-stream.js +++ b/lib/sign-stream.js 
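Review bot: The new test builds its fixtures with `new Buffer(str, 'base64')`, the deprecated constructor form, while lib/to-buffer.js in the same series already uses `Buffer.from` from safe-buffer. `Buffer.from('TkJyotZe8NFpgdfnmgINqg==', 'base64')` would keep the test in line with the library. The test also pins only the signed string; an extra assertion that the token verifies with the same secret would cover the read side for binary payloads.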
@@ -1,11 +1,18 @@ /*global module*/ -var base64url = require('base64url'); var DataStream = require('./data-stream'); var jwa = require('jwa'); var Stream = require('stream'); var toBuffer = require('./to-buffer'); var util = require('util'); +function base64url(buf) { + return buf + .toString('base64') + .replace(/=/g, '') + .replace(/\+/g, '-') + .replace(/\//g, '_'); +} + function jwsSecuredInput(header, payload, encoding) { encoding = encoding || 'utf8'; var encodedHeader = base64url(toBuffer(header)); diff --git a/lib/verify-stream.js b/lib/verify-stream.js index d9bfa2b..39f7c73 100644 --- a/lib/verify-stream.js +++ b/lib/verify-stream.js @@ -1,5 +1,5 @@ /*global module*/ -var base64url = require('base64url'); +var Buffer = require('safe-buffer').Buffer; var DataStream = require('./data-stream'); var jwa = require('jwa'); var Stream = require('stream'); @@ -20,7 +20,7 @@ function safeJsonParse(thing) { function headerFromJWS(jwsSig) { var encodedHeader = jwsSig.split('.', 1)[0]; - return safeJsonParse(base64url.decode(encodedHeader, 'binary')); + return safeJsonParse(Buffer.from(encodedHeader, 'base64').toString('binary')); } function securedInputFromJWS(jwsSig) { @@ -34,7 +34,7 @@ function signatureFromJWS(jwsSig) { function payloadFromJWS(jwsSig, encoding) { encoding = encoding || 'utf8'; var payload = jwsSig.split('.')[1]; - return base64url.decode(payload, encoding); + return Buffer.from(payload, 'base64').toString(encoding); } function isValidJws(string) { diff --git a/package.json b/package.json index 2236e76..bc5e69e 100644 --- a/package.json +++ b/package.json @@ -24,7 +24,6 @@ "readmeFilename": "readme.md", "gitHead": "c0f6b27bcea5a2ad2e304d91c2e842e4076a6b03", "dependencies": { - "base64url": "^2.0.0", "jwa": "^1.1.5", "safe-buffer": "^5.0.1" }, From 4a3e14a9c67023959ad0700a8e3b175d9afa65a4 Mon Sep 17 00:00:00 2001 
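Review bot: The inline `base64url(buf)` only encodes correctly when it is given a Buffer. For a string argument `.toString('base64')` returns the string unchanged, so the input would be emitted without any base64 encoding, whereas the removed `base64url` package was called with strings earlier in this series. Both calls visible in `jwsSecuredInput` wrap the argument in `toBuffer`, but any other caller in this file outside the hunk should be checked. A doc comment such as `// buf must be a Buffer; a string would pass through unencoded` would document the narrower contract.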
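Review bot: `headerFromJWS` still decodes the header bytes with `.toString('binary')`, while the signing side in this series now produces the header through `toBuffer`, i.e. as UTF-8 JSON. A header value containing non-ASCII characters (for example in `kid`) would therefore come back from decoding as mis-decoded Latin-1 text. The signature check itself is presumably unaffected, since it works on the raw token segments. Decoding as UTF-8 would match the encoder: `return safeJsonParse(Buffer.from(encodedHeader, 'base64').toString('utf8'));`.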
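Review bot: The rewritten decode in `payloadFromJWS` (and the same pattern in the `headerFromJWS` hunk above) depends on Node's `'base64'` decoder also accepting the URL-safe alphabet, which is the only reason the `-` and `_` characters produced by the signer decode correctly. Node's decoder is also lenient and does not throw on malformed input, so rejecting bad segments rests entirely on validation elsewhere (`isValidJws` appears in the trailing context; its body is outside the hunk). I would add a comment on the line, e.g. `// Node's 'base64' decoder accepts the URL-safe alphabet (RFC 4648 §5) and never throws on malformed input`.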
From: Alec Fenichel Date: Wed, 11 Jul 2018 12:43:44 -0400 Subject: [PATCH 5/5] Stringify JSON deterministically --- lib/to-buffer.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/to-buffer.js b/lib/to-buffer.js index efb9231..4716f62 100644 --- a/lib/to-buffer.js +++ b/lib/to-buffer.js @@ -15,5 +15,5 @@ module.exports = function toBuffer(val, encoding) { val = val.toString(); return Buffer.from(val, 'utf8'); } - return Buffer.from(JSON.stringify(val), 'utf8'); + return Buffer.from(JSON.stringify(val, Object.keys(val).sort()), 'utf8'); };
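Review bot: Passing `Object.keys(val).sort()` as the second argument does more than order keys: an array replacer is an allow-list that `JSON.stringify` applies at every nesting level, so any nested property whose name is not also a top-level key is silently dropped from the signed header or payload (`{a: {b: 1}}` serializes as `{"a":{}}`). `Object.keys(val)` also throws for `null`, which the previous line serialized as `null`. A replacer function that re-inserts each object's own keys in sorted order gives deterministic output without filtering; the Buffer, string and number branches of `toBuffer` are outside this hunk.

```javascript
// Re-insert each object's keys in sorted order; nothing is filtered out.
function sortedKeysReplacer(key, value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return value;
  }
  var sorted = Object.create(null); // no prototype, so a "__proto__" key stays plain data
  Object.keys(value).sort().forEach(function (name) {
    sorted[name] = value[name];
  });
  return sorted;
}

// … unchanged: Buffer, string and number branches of toBuffer …
  return Buffer.from(JSON.stringify(val, sortedKeysReplacer), 'utf8');
```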