verifyJWT error TypeError: Cannot read property 'alg' of undefined

[lukepayyapilli]

I tried following the docs:

// simple validation for HS256
isValid = KJUR.jws.JWS.verifyJWT("eyJhbG...", "616161", {alg: ["HS256"]}),

This is what I'm running:
const isValid = KJUR.jws.JWS.verifyJWT(token, jwtSecret, {alg: ["HS256"]});

but this throws an error:
TypeError: Cannot read property 'alg' of undefined

Please let me know what I'm missing. It seems like according to the docs this should work.

I'm using these versions:

"typescript": "5.0.4",
"jsrsasign": "11.1.0",
"jsrsasign-util": "1.0.5"

Thanks!

[kjur]

It doesn't seem your "token" value have an "alg" attribute with "HS256".
You can find an example at this site:
https://jwt.io/

[lukepayyapilli]

it does - I copied my token to the site and was able to properly verify it. I'm using the exact same token and getting this error when calling verifyJWT. I'm not sure if its an issue with typescript since its saying it is a type error.

Since this is local development(my secret I'm using is just super_secret), I'll provide an example of the log of values I'm passing to the function and the logic of my method:

My auth logic:

    logger.info(payload);
    const token = payload;
    const [encodedHeader, encodedPayload, encodedSignature] = token.split('.');
    try {
        const jwtSecret = ctx.env.JWT_VALUE;

        if (!jwtSecret) {
            logger.error("JWT secret not provided in environment variable");
            return JSON.stringify({ error: "JWT secret not provided" });
        }
        const decodedPayload = JSON.parse(KJUR.b64utoutf8(encodedPayload));
        logger.info("ENCODED HEADER: " + encodedHeader);
        logger.info("DECODED HEADER: " + KJUR.b64utoutf8(encodedHeader))
        logger.info("ENCODED SIGNATURE: " + encodedSignature);
        logger.info("DECODED PAYLOAD SUB: " + decodedPayload.sub);

        const currentTimestamp = Math.floor(Date.now() / 1000);

        if (decodedPayload.exp && decodedPayload.exp < currentTimestamp) {
            logger.error("JWT has expired");
            return JSON.stringify({ error: "JWT has expired" });
        }
        // TODO: Implement signature verification once this issue is resolved:
        // https://github.com/kjur/jsrsasign/issues/613
         const isValid = jsrsasign.KJUR.jws.JWS.verifyJWT(token, jwtSecret, {"alg": ["HS256"]});

         if (!isValid) {
             logger.error("JWT signature validation failed");
             return JSON.stringify({ error: "JWT signature validation failed" });
         }
      } catch (error) {
              logger.error(`JWT validation failed: ${error}`);
              return JSON.stringify({ error: `JWT validation failed: ${error}` });
          }
      }

Logs:

{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsdWtlQGx1a2UuY29tIiwicGVybWlzc2lvbnMiOiJ1c2VyIiwiZXhwIjoxNzEwMzQ0OTg4fQ.vrPkZ1Nh6_4qyRn7gQ3N7frpl-JS3XGhOc_gxQNc8zg"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"ENCODED HEADER: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"DECODED HEADER: {\"alg\":\"HS256\",\"typ\":\"JWT\"}"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"ENCODED SIGNATURE: vrPkZ1Nh6_4qyRn7gQ3N7frpl-JS3XGhOc_gxQNc8zg"}
{"level":"info","caller":"server/runtime_javascript_logger.go:74","msg":"DECODED PAYLOAD SUB: luke@luke.com"}
{"level":"error","caller":"server/runtime_javascript_logger.go:94","msg":"JWT validation failed: TypeError: Cannot read property 'alg' of undefined"}

[lukepayyapilli]

any ideas @kjur?

[kjur]

@lukepayyapilli , I tried verifyJWT and works fine for me. Could you provide the token and the secret which was failed? I can investigate further for it.

[lukepayyapilli]

@kjur it is included in the logs above:

secret: super_secret
token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJsdWtlQGx1a2UuY29tIiwicGVybWlzc2lvbnMiOiJ1c2VyIiwiZXhwIjoxNzEwMzQ0OTg4fQ.vrPkZ1Nh6_4qyRn7gQ3N7frpl-JS3XGhOc_gxQNc8zg

[lukepayyapilli]

Another interesting piece of information @kjur is that I'm using goja instead of node for my runtime with typescript. I'm not sure if that matters in this case but unfortunately I have to use goja.