fix: Security upgrade jsonwebtoken to 9.0.0 (#8420)

src/Adapters/Auth/apple.js

@@ -5,6 +5,7 @@ const Parse = require('parse/node').Parse;
 const jwksClient = require('jwks-rsa');
 const util = require('util');
 const jwt = require('jsonwebtoken');
+const authUtils = require('./utils');
 
 const TOKEN_ISSUER = 'https://appleid.apple.com';
 
@@ -30,21 +31,12 @@ const getAppleKeyByKeyId = async (keyId, cacheMaxEntries, cacheMaxAge) => {
   return key;
 };
 
-const getHeaderFromToken = token => {
-  const decodedToken = jwt.decode(token, { complete: true });
-  if (!decodedToken) {
-    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `provided token does not decode as JWT`);
-  }
-
-  return decodedToken.header;
-};
-
 const verifyIdToken = async ({ token, id }, { clientId, cacheMaxEntries, cacheMaxAge }) => {
   if (!token) {
     throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `id token is invalid for this user.`);
   }
 
-  const { kid: keyId, alg: algorithm } = getHeaderFromToken(token);
+  const { kid: keyId, alg: algorithm } = authUtils.getHeaderFromToken(token);
   const ONE_HOUR_IN_MS = 3600000;
   let jwtClaims;
 

src/Adapters/Auth/facebook.js

@@ -5,6 +5,7 @@ const jwksClient = require('jwks-rsa');
 const util = require('util');
 const jwt = require('jsonwebtoken');
 const httpsRequest = require('./httpsRequest');
+const authUtils = require('./utils');
 
 const TOKEN_ISSUER = 'https://facebook.com';
 
@@ -73,21 +74,12 @@ const getFacebookKeyByKeyId = async (keyId, cacheMaxEntries, cacheMaxAge) => {
   return key;
 };
 
-const getHeaderFromToken = token => {
-  const decodedToken = jwt.decode(token, { complete: true });
-  if (!decodedToken) {
-    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'provided token does not decode as JWT');
-  }
-
-  return decodedToken.header;
-};
-
 const verifyIdToken = async ({ token, id }, { clientId, cacheMaxEntries, cacheMaxAge }) => {
   if (!token) {
     throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, 'id token is invalid for this user.');
   }
 
-  const { kid: keyId, alg: algorithm } = getHeaderFromToken(token);
+  const { kid: keyId, alg: algorithm } = authUtils.getHeaderFromToken(token);
   const ONE_HOUR_IN_MS = 3600000;
   let jwtClaims;
 

src/Adapters/Auth/google.js

@@ -5,6 +5,7 @@ var Parse = require('parse/node').Parse;
 
 const https = require('https');
 const jwt = require('jsonwebtoken');
+const authUtils = require('./utils');
 
 const TOKEN_ISSUER = 'accounts.google.com';
 const HTTPS_TOKEN_ISSUER = 'https://accounts.google.com';
@@ -51,22 +52,12 @@ function getGoogleKeyByKeyId(keyId) {
   });
 }
 
-function getHeaderFromToken(token) {
-  const decodedToken = jwt.decode(token, { complete: true });
-
-  if (!decodedToken) {
-    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `provided token does not decode as JWT`);
-  }
-
-  return decodedToken.header;
-}
-
 async function verifyIdToken({ id_token: token, id }, { clientId }) {
   if (!token) {
     throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `id token is invalid for this user.`);
   }
 
-  const { kid: keyId, alg: algorithm } = getHeaderFromToken(token);
+  const { kid: keyId, alg: algorithm } = authUtils.getHeaderFromToken(token);
   let jwtClaims;
   const googleKey = await getGoogleKeyByKeyId(keyId);
 

src/Adapters/Auth/utils.js

@@ -0,0 +1,13 @@
+const jwt = require('jsonwebtoken');
+const Parse = require('parse/node').Parse;
+const getHeaderFromToken = token => {
+  const decodedToken = jwt.decode(token, { complete: true });
+  if (!decodedToken) {
+    throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `provided token does not decode as JWT`);
+  }
+
+  return decodedToken.header;
+};
+module.exports = {
+  getHeaderFromToken,
+};