Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jsonwebtoken v9 verify function doesn't work in typescript #881

Closed
akkadaya opened this issue Jan 15, 2023 · 7 comments
Closed

jsonwebtoken v9 verify function doesn't work in typescript #881

akkadaya opened this issue Jan 15, 2023 · 7 comments

Comments

@akkadaya
Copy link

akkadaya commented Jan 15, 2023
edited

After upgrading jsonwebtoken to v9, React-Native app written in Typescript can't verify the JWT and throws an error

[TypeError: right operand of 'instanceof' is not an object]
import jwt from 'jsonwebtoken'
...
try {
    return !!jwt.verify(token, publicKey)
} catch (error) {
    console.log(error)
    return false
}

But in a JavaScript file run by node it works fine!
@Uzlopak
Copy link

Uzlopak commented Jan 15, 2023

KeyObject is probably missing in browserify crypto

@panva
Copy link
Contributor

panva commented Jan 17, 2023

jsonwebtoken is a Node.js module, always was, its use in a browser or React-Native environments was never intended. Versions before 9.0.0 could use webpack's polyfill of the Node.js built-in modules. This most likely a) relied on slow js cryptography that isn't maintained anymore and lacks feature parity with Node's crypto and b) increased your js bundle size considerably. FWIW webpack 5 also no longer defaults to using these questionable crypto polyfills anymore.

It is better to rely on JWT modules made to be consumed in browser or generic javascript environments. You can discover such modules on jwt.io under "JavaScript" libraries.

@ZumelzuR

This comment was marked as resolved.

Sign in to view
@panva

This comment was marked as resolved.

Sign in to view
@ZumelzuR

This comment was marked as resolved.

Sign in to view
@tiffanyiong
Copy link

I also had this error when I used node v 12.16.1 and jwt 9.0.0
installing node@12.19 or above will solve the problem.

I believe the error we saw refers to the KeyObject that is coming from this line of code in verify.js file (from jsonwebtoken@9.0.0):
if (secretOrPublicKey != null && !(secretOrPublicKey instanceof KeyObject))

there's a big change in the KeyObject class from node@12.19 in this PR : nodejs/node#33360
(jsonwebtoken uses crypto module from node, and KeyObject is in that module)

Originally (before this PR), this KeyObject was not exposed to users. instead, users could use other functions to construct the key objects
so node@12.16.1 that I used didn't include the changes (expose to users) in the PR, so the KeyObject won't work for jsonwebtoken@9.0.0, which means verify() won't work

for jsonwebtoken v.8.5.1, its verify() function doesn't use KeyObject, so it should work with the node version that's below node@12.19

@dhwang
Copy link

dhwang commented Feb 21, 2023

Node 15 implementation adds WebCrypto and CryptoKey
and has implementation for both isCryptoKey and isKeyObject
Latest has addition of utility method for the same So...

What blocks jsonwebtoken from creating similar isCryptoKey and isKeyObject and test both?

This library has been is much smaller package for its purpose and we like to keep using it instead of the alternatives.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@panva @akkadaya @dhwang @ZumelzuR @Uzlopak @tiffanyiong