fix: Security upgrade jsonwebtoken to 9.0.0 (#8420)

Daniel
2023-02-07 22:45:30 +11:00
committed by GitHub
parent 4450ecbc01
commit f5bfe4571e
8 changed files with 114 additions and 98 deletions


@@ -5,6 +5,7 @@ var Parse = require('parse/node').Parse;
const https = require('https');
const jwt = require('jsonwebtoken');
const authUtils = require('./utils');
const TOKEN_ISSUER = 'accounts.google.com';
const HTTPS_TOKEN_ISSUER = 'https://accounts.google.com';
@@ -51,22 +52,12 @@ function getGoogleKeyByKeyId(keyId) {
});
}
function getHeaderFromToken(token) {
const decodedToken = jwt.decode(token, { complete: true });
if (!decodedToken) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `provided token does not decode as JWT`);
}
return decodedToken.header;
}
async function verifyIdToken({ id_token: token, id }, { clientId }) {
if (!token) {
throw new Parse.Error(Parse.Error.OBJECT_NOT_FOUND, `id token is invalid for this user.`);
}
const { kid: keyId, alg: algorithm } = getHeaderFromToken(token);
const { kid: keyId, alg: algorithm } = authUtils.getHeaderFromToken(token);
let jwtClaims;
const googleKey = await getGoogleKeyByKeyId(keyId);
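Review bot: The `alg` value destructured at `authUtils.getHeaderFromToken(token)` is read from the token header before any signature check, so it is chosen by whoever produced the token. The verification call is outside this hunk, but if `algorithm` is passed to it as the `algorithms` option, the allow-list is effectively set by the token itself. I would take only the key id here, `const { kid: keyId } = authUtils.getHeaderFromToken(token);`, and pin the option to what the issuer is expected to use, for example `algorithms: ['RS256']` (to be confirmed against the issuer's published keys). A one-line comment such as `// header is unverified: use it for key lookup only` would make the trust boundary explicit. `verifyIdToken` continues past the end of the hunk.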