add algorithm to header and check during verification

clean up
2024-02-21 21:04:03 +01:00 · 2024-02-21 21:03:44 +01:00
2 changed files with 23 additions and 8 deletions
--- a/src/index.ts
+++ b/src/index.ts
@@ -1,10 +1,10 @@
 import {
-	textToArrayBuffer,
-	arrayBufferToBase64Url,
-	base64UrlToArrayBuffer,
-	textToBase64Url,
-	importKey,
-	decodePayload
+    textToArrayBuffer,
+    arrayBufferToBase64Url,
+    base64UrlToArrayBuffer,
+    textToBase64Url,
+    importKey,
+    decodePayload
 } from "./utils"

 if (typeof crypto === 'undefined' || !crypto.subtle)
@@ -34,6 +34,13 @@ export type JwtHeader<T = {}> = {
     * @default "JWT"
     */
    typ?: string
+
+    /**
+     * Algorithm (default: `"HS256"`)
+     *
+     * @default "HS256"
+     */
+    alg?: JwtAlgorithm
 } & T

 /**
@@ -196,7 +203,13 @@ export async function verify(token: string, secret: string | JsonWebKey | Crypto
    if (!algorithm)
        throw new Error('algorithm not found')

-    const { payload } = decode(token)
+    const { header, payload } = decode(token)
+
+    if (header?.alg !== options.algorithm) {
+        if (options.throwError)
+            throw new Error('ALG_MISMATCH')
+        return false
+    }

    try {
        if (!payload)
@@ -214,7 +227,6 @@ export async function verify(token: string, secret: string | JsonWebKey | Crypto
    } catch(err) {
        if (options.throwError)
            throw err
-
        return false
    }
 }
--- a/src/test.ts
+++ b/src/test.ts
@@ -0,0 +1,3 @@
+import { sign } from './index'
+
+console.log(await sign())
Author	SHA1	Message	Date
Toby	e6baf7ab75	add algorithm to header and check during verification	2024-02-21 21:04:03 +01:00
Toby	cf24b34f63	clean up	2024-02-21 21:03:44 +01:00