Added support for JWT alg: 'none'.

2014-08-25 18:35:23 +02:00 · 2014-08-25 18:35:23 +02:00 · 898fad4980
parent d37b13ee0f
commit 898fad4980
2 changed files with 24 additions and 16 deletions
--- a/js/common/modules/org/arangodb/crypto.js
+++ b/js/common/modules/org/arangodb/crypto.js
@ -163,18 +163,23 @@ function jwtUrlEncode(str) {

 exports.jwtEncode = function (key, message, algorithm) {
  'use strict';
-  if (algorithm) {
-    algorithm = algorithm.toUpperCase();
-  } else {
+  if (!algorithm) {
    algorithm = 'HS256';
-  }
-  if (algorithm !== 'HS256') {
-    throw new Error('Only HS256 is supported at this time!');
+  } else if (algorithm.toLowerCase() === 'none') {
+    algorithm = 'none';
+  } else if (algorithm.toUpperCase() === 'HS256') {
+    algorithm = 'HS256';
+  } else {
+    throw new Error('Only HS256 and none are supported at this time!');
  }
  var header = {typ: 'JWT', alg: algorithm}, segments = [];
  segments.push(jwtUrlEncode(new Buffer(JSON.stringify(header)).toString('base64')));
  segments.push(jwtUrlEncode(new Buffer(JSON.stringify(message)).toString('base64')));
-  segments.push(jwtUrlEncode(new Buffer(exports.hmac(key, segments.join('.'), 'sha256'), 'hex').toString('base64')));
+  if (algorithm === 'HS256') {
+    segments.push(jwtUrlEncode(new Buffer(exports.hmac(key, segments.join('.'), 'sha256'), 'hex').toString('base64')));
+  } else if (algorithm === 'none') {
+    segments.push('');
+  }
  return segments.join('.');
 };

@ -201,14 +206,15 @@ exports.jwtDecode = function (key, token, noVerify) {

  if (!noVerify) {
    var header = JSON.parse(headerSeg);
-    if (header.alg !== 'HS256') {
-      throw new Error('Only HS256 is supported at this time!');
-    }
-    if (!exports.constantEquals(
-      exports.hmac(key, segments.slice(0, 2).join('.'), 'sha256'),
-        segments[2]
-    )) {
-      throw new Error('Signature verification failed!');
+    if (header.alg.toUpperCase() === 'HS256') {
+      if (!exports.constantEquals(
+        exports.hmac(key, segments.slice(0, 2).join('.'), 'sha256'),
+          segments[2]
+      )) {
+        throw new Error('Signature verification failed!');
+      }
+    } else if (header.alg.toLowerCase() !== 'none') {
+      throw new Error('Only HS256 and none are supported at this time!');
    }
  }

--- a/js/common/tests/shell-crypto.js
+++ b/js/common/tests/shell-crypto.js
@ -237,7 +237,9 @@ function CryptoSuite () {
        [ "secret", "arangodb", "hs256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ImFyYW5nb2RiIg.pyWsjffR5WfVkRxtckXKwh-emE2kmKH0ZJRCCllqIYc" ],
        [ "secret", "Arangodb", "hs256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.IkFyYW5nb2RiIg.BjQqhHpWiGqi2RBeAjV1V0gkUBPNZHtKCu5rgeu9eno" ],
        [ "secret", {foxx: "roxx"}, "HS256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb3h4Ijoicm94eCJ9.tCZwaqnZ7Wj9BljBndyDtINYWmmvr0eLsq8bkmtXhg0" ],
-        [ "SECRET", {foxx: "roxx"}, "HS256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb3h4Ijoicm94eCJ9.oXcCBnmuv9GzqFc0_N2qFXLWKDjCKEmN015CccDAgfw" ]
+        [ "SECRET", {foxx: "roxx"}, "HS256", "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmb3h4Ijoicm94eCJ9.oXcCBnmuv9GzqFc0_N2qFXLWKDjCKEmN015CccDAgfw" ],
+        [ "secret", {foxx: "roxx"}, "none", "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJmb3h4Ijoicm94eCJ9." ],
+        [ "SECRET", {foxx: "roxx"}, "none", "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJmb3h4Ijoicm94eCJ9." ]
      ];

      data.forEach(function (value) {