Moving from 6.1.2 to 7.4.2 breaks

Question

Moving from 6.1.2 to 7.4.2 breaks

nsshunt opened this issue 2 years ago · comments

When I upgraded from v 6.1.2 to 7.4.2 I get this error;

TypeError: cb is not a function

Error occurs within expressJwtSecret @ highlighted line

module.exports.expressJwtSecret = function (options) {
if (options === null || options === undefined) {
throw new ArgumentError('An options object must be provided when initializing expressJwtSecret');
}

const client = new JwksClient(options);
const onError = options.handleSigningKeyError || handleSigningKeyError;

return function secretProvider(req, header, payload, cb) {
if (!header || !supportedAlg.includes(header.alg)) {
### return cb(null, null);
}

client.getSigningKey(header.kid)
  .then(key => {
    cb(null, key.publicKey || key.rsaPublicKey);
  }).catch(err => {
    onError(err, (newError) => cb(newError, null));
  });

};
};

nsshunt · Answer 1 · Thu Apr 21 2022 11:04:39 GMT+0800 (China Standard Time)

In 7.2.1, the secretProvider(req, header, payload, cb) gets;
req - ok (appears to be the req object)
header - this is actually the decoded token
payload = undefined
cd = undefined

So the caller is passing the wrong parameters.

Further, the caller is using 'option 3' when invoking this function.

Jack Clackett · Answer 2 · Thu Apr 21 2022 16:07:57 GMT+0800 (China Standard Time)

Can confirm that it also breaks for me too after simply upgrading (and changing the imports). I just get a "expired token" error every time

José F. Romaniello · Answer 3 · Thu Apr 21 2022 19:43:15 GMT+0800 (China Standard Time)

The doc was outdated in 7.2.1, sorry about that. I made a major version (v7) because there are breaking changes. I fixed the readme arround 7.4

The secret function receives two parameters only:

req: the express.js request
token: contains payload and header

https://github.com/auth0/express-jwt#retrieve-key-dynamically

in your case, your function can be replaced to this:

module.exports.expressJwtSecret = function (options) {
  if (options === null || options === undefined) {
    throw new ArgumentError('An options object must be provided when initializing expressJwtSecret');
  }

  const client = new JwksClient(options);
  const onError = options.handleSigningKeyError || handleSigningKeyError;

  return function secretProvider(req, token) {
    const { header } = token;
    if (!header || !supportedAlg.includes(header.alg)) {
      return;
    }
    return client.getSigningKey(header.kid)
      .then(key => {
        return key.publicKey || key.rsaPublicKey;
      }).catch(err => {
        return new Promise((resolve, reject) => {
          onError(err, (newError) => reject(newError));
        });
      });
  }
};

nsshunt · Answer 4 · Fri Apr 22 2022 06:51:28 GMT+0800 (China Standard Time)

Hi. Thanks for update. I have not been able to get this to work. The function in question (not mine) is part of another Auth0 library - jwks-rsa. auth0/node-jwks-rsa: A library to retrieve RSA public keys from a JWKS (JSON Web Key Set) endpoint. (github.com) <https://github.com/auth0/node-jwks-rsa> I have tried to cut and paste (hack) the code together without success. So this "integration" is broken. Going back to the older version until Auth0 resolve the broken integration.

…

On Thu, Apr 21, 2022 at 9:43 PM José F. Romaniello ***@***.***> wrote: The doc was outdated in 7.2.1, sorry about that. I made a major version (v7) because there are breaking changes. I fixed the readme arround 7.4 The secret function receives two parameters only: - req: the express.js request - token: contains payload and header https://github.com/auth0/express-jwt#retrieve-key-dynamically in your case, your function can be replaced to this: module.exports.expressJwtSecret = function (options) { if (options === null || options === undefined) { throw new ArgumentError('An options object must be provided when initializing expressJwtSecret'); } const client = new JwksClient(options); const onError = options.handleSigningKeyError || handleSigningKeyError; return function secretProvider(req, token) { const { header } = token; if (!header || !supportedAlg.includes(header.alg)) { return; } return client.getSigningKey(header.kid) .then(key => { return key.publicKey || key.rsaPublicKey; }).catch(err => { return new Promise((resolve, reject) => { onError(err, (newError) => reject(newError)); }); }); }}; — Reply to this email directly, view it on GitHub <#281 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AB4ARPSZGFI6NUUTLEFIX4LVGE5N3ANCNFSM5T5VHAFA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

Kevin Rutherford · Answer 5 · Mon Apr 25 2022 19:10:40 GMT+0800 (China Standard Time)

+1, rolled back until this integration is fixed

Rene Hamburger · Answer 6 · Mon Apr 25 2022 19:34:38 GMT+0800 (China Standard Time)

The following rough replacement works for us for now until the integration is fixed. (I removed the options check and onError callback, as neither are needed in our case.)

import { GetVerificationKey } from 'express-jwt';
import { Jwt, Secret } from 'jsonwebtoken';
import { ExpressJwtOptions, JwksClient } from 'jwks-rsa';

export function expressJwtSecret(options: ExpressJwtOptions): GetVerificationKey {
  const supportedAlg = require('jwks-rsa/src/integrations/config.js') as string[];
  const client = new JwksClient(options);
  return async function secretProvider(_req, token: Jwt | undefined): Promise<Secret> {
    if (token) {
      const { header } = token;
      if (header && supportedAlg.includes(header.alg)) {
        const key = await client.getSigningKey(token.header.kid);
        return key.getPublicKey();
      }
    }
    return '';
  };
}

We're currently on:

  "express-jwt": "7.4.3",
  "jsonwebtoken": "8.5.1",
  "jwks-rsa": "2.0.5",
  "@types/jsonwebtoken": "8.5.8",

José F. Romaniello · Answer 7 · Mon Apr 25 2022 22:07:01 GMT+0800 (China Standard Time)

thanks for the heads up. I will try to fix jwks-rsa

José F. Romaniello · Answer 8 · Mon Apr 25 2022 23:17:17 GMT+0800 (China Standard Time)

I just send a PR, you can use npm i "jfromaniello/node-jwks-rsa#express_jwt_7" until it gets merged.

José F. Romaniello · Answer 9 · Tue Apr 26 2022 23:39:01 GMT+0800 (China Standard Time)

Fixed in jwks-rsa@2.1

Rene Hamburger · Answer 10 · Wed Apr 27 2022 14:58:55 GMT+0800 (China Standard Time)

Thanks a lot for the fix, José!

Rene Hamburger · Answer 11 · Wed Apr 27 2022 15:18:51 GMT+0800 (China Standard Time)

@jfromaniello, there is a small typing issue. The newest versions of express-jwt use GetVerificationKey as the type of this callback. SecretCallbackLong seems to be the interface that was used by @types/express-jwt up to express-jwt@7.

José F. Romaniello · Answer 12 · Thu Apr 28 2022 01:19:15 GMT+0800 (China Standard Time)

@rene-leanix I don't understand this.. Where is that SecretCallbackLong ? Thanks!

Rene Hamburger · Answer 13 · Mon May 02 2022 19:27:13 GMT+0800 (China Standard Time)

@jfromaniello, it's being imported here and used here. This should be changed to GetVerificationKey. (SecretCallback may also need to be replaced.)

Missing interface definitions are just interpreted as any, so shouldn't lead to TS errors. In our case, ESLint picked this up as we've got a rule to avoid assignments of any types. A temporary workaround was to cast it to GetVerificationKey.

José F. Romaniello · Answer 14 · Mon May 02 2022 23:34:05 GMT+0800 (China Standard Time)

@rene-leanix you are absolutely right. I was able to reproduce the issue ,but as I wanted to leave jwks-rsa compatible with the previous version of express-jwt , I added a type alias for SecretCallback and SecretCallbackLong.

So, the fix the issue just install express-jwt@7.6.