fix(auth): migrate to secure usage of jwt for token authentication

There is a vulnerability in v8 of the `jsonwebtoken` dependency. This commit
upgrades to v9 to resolve the vulnerability. Additionally, they made an effort
in this version to discourage the less secure "decode" method in favor of the
more secure "verify" method (1). This commit also refactors the code and tests to
use the "verify" method.

(1) See this PR for context: auth0/node-jsonwebtoken#741

Signed-off-by: Dustin Popp <[email protected]>

Author: dpopp07

auth/token-managers/jwt-token-manager.ts

@@ -16,7 +16,7 @@
  * limitations under the License.
  */
 
-import { decode } from 'jsonwebtoken';
+import { verify } from 'jsonwebtoken';
 import logger from '../../lib/logger';
 import { TokenManager, TokenManagerOptions } from './token-manager';
 
@@ -80,15 +80,26 @@ export class JwtTokenManager extends TokenManager {
       throw new Error(err);
     }
 
-    // the time of expiration is found by decoding the JWT access token
-    // exp is the time of expire and iat is the time of token retrieval
-    const decodedResponse = decode(this.accessToken);
+    let decodedResponse;
+    try {
+      decodedResponse = verify(this.accessToken);
+    } catch (e) {
+      // the token is either an invalid JWT or it could not be verified
+      logger.error('Failed to verify the JWT. See error message:');
+      logger.error(e);
+      throw new Error(e);
+    }
+
+    // the 'catch' method above should handle any verificiation/decoding issues but
+    // this check is here as a failsafe
     if (!decodedResponse) {
       const err = 'Access token recieved is not a valid JWT';
       logger.error(err);
       throw new Error(err);
     }
 
+    // the time of expiration is found by decoding the JWT access token
+    // 'exp' is the time of expire and 'iat' is the time of token retrieval
     const { exp, iat } = decodedResponse;
     // There are no required claims in JWT
     if (!exp || !iat) {

package-lock.json

@@ -85,7 +85,7 @@
     "file-type": "16.5.4",
     "form-data": "^2.3.3",
     "isstream": "~0.1.2",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "lodash.isempty": "^4.4.0",
     "mime-types": "~2.1.18",
     "object.omit": "~3.0.0",

package.json

@@ -21,7 +21,7 @@ const jwt = require('jsonwebtoken');
 jest.mock('../../dist/lib/request-wrapper');
 const { RequestWrapper } = require('../../dist/lib/request-wrapper');
 
-jwt.decode = jest.fn(() => ({ exp: 100, iat: 100 }));
+jwt.verify = jest.fn(() => ({ exp: 100, iat: 100 }));
 
 const { IamTokenManager } = require('../../dist/auth');