hapijs / iron

Encapsulated tokens (encrypted and mac'ed objects)


Bad hmac value - only in certain files

ZeroByter opened this issue · comments

Support plan

  • is this issue currently blocking your project? (yes/no): yes
  • is this issue affecting a production system? (yes/no): no

Context

  • node version: 16.13.0
  • module version with issue: 6.0.0
  • last module version without issue: n/a
  • environment (e.g. node, browser, native): browser
  • used with (e.g. hapi application, another framework, standalone, ...): next.js
  • any other relevant information:

What are you trying to achieve or the steps to reproduce?

I am working on a NextJS website that uses Passport-Steam to authenticate users via the Steam platform.
Everything was working as expected until I tried to unseal the session token from inside a _middleware.js file.
The weird part about this bug is that the unseal function works fine in /api/ files, but not in the _middleware.js file.

The @hapi/iron code that I am using is based off this NextJS example

What was the result you got?

Code snippet of me getting the session data inside an API file

// /pages/api/steam/test.js
import { getLoginSession } from "../../../serverlib/auth"

// API route: runs in the Node.js runtime
export default async function handle(req, res){
    // getLoginSession reads the session cookie and unseals it with @hapi/iron
    const session = await getLoginSession(req)

    res.status(200).send(session)
}

This above snippet works exactly as expected.

What result did you expect?

Code snippet of me getting the session data (using the exact same code and parameters!) inside an _middleware.js file

// /pages/admin/_middleware.js
import { NextResponse } from "next/server";
import { getLoginSession } from "../../serverlib/auth";

// Middleware: runs in the Edge runtime, not in Node.js
export async function middleware(req, ev) {
    // same helper and same request cookie as in the API route above
    const session = await getLoginSession(req)

    return NextResponse.next() //returning next just for debug purposes...
}

The above code returns an error: Bad hmac value.

What is this error? Why is it only occurring in _middleware.js despite using the exact same code and parameters as used in the API file? (I double checked with console.logs; the parameters are identical.)

This is not an issue with iron.

Note for the original poster, I use iron in https://github.com/vvo/iron-session/.
iron is not yet compatible with Next.js middleware because iron relies on timingSafeEqual which is not available in the webcrypto API.

You should continue the discussion here: vvo/iron-session#419
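The reply above pins the failure on iron's dependency on timingSafeEqual, which the Edge runtime that Next.js middleware runs in does not provide; a MAC check that cannot run its comparison fails closed, which is consistent with the symptom being "Bad hmac value" rather than a missing-function error. The following is an added example, not code from @hapi/iron or iron-session: a constant-time MAC comparison with no dependency on Node's crypto module, so it behaves the same in Node, browsers and the Edge runtime. It assumes the MAC carried in the token is base64url-encoded (an assumption made here) and that the freshly recomputed MAC is a Uint8Array; the function names, the demo bytes and the demo token fragment are constructed for the example.

```javascript
// Added example (not code from @hapi/iron or iron-session): a constant-time
// MAC comparison that needs no crypto.timingSafeEqual, so it runs in the
// Next.js Edge runtime as well as in Node and browsers.
// Assumptions: the token carries its MAC base64url-encoded, and the
// freshly computed MAC is a Uint8Array of fixed digest length.

const B64URL_ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Decode base64url to bytes. Returns null on any character outside the
// alphabet so the caller can fail closed instead of throwing.
function base64urlToBytes(str) {
  const out = [];
  let acc = 0;
  let bits = 0;
  for (const ch of str.replace(/=+$/, '')) {
    const v = B64URL_ALPHABET.indexOf(ch);
    if (v < 0) return null;
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the not-yet-consumed bits
    }
  }
  return Uint8Array.from(out);
}

// Constant-time equality of two byte arrays. The loop always runs a.length
// iterations and never breaks early, so timing does not reveal which byte
// first differs. A length mismatch is folded into the result rather than
// short-circuited; digest lengths are public anyway.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  // When lengths differ, walk a against itself so the loop still runs
  // a fixed a.length iterations; diff is already non-zero by then.
  const other = a.length === b.length ? b : a;
  for (let i = 0; i < a.length; i++) {
    diff |= a[i] ^ other[i];
  }
  return diff === 0;
}

// Verify the MAC carried in a token against the MAC just recomputed over the
// token's payload. Never throws: undecodable input is treated as a bad MAC,
// which is the fail-closed behaviour a sealed-token check should have.
function macMatches(carriedMacB64url, computedMac) {
  const carried = base64urlToBytes(carriedMacB64url);
  if (carried === null) return false;
  return constantTimeEqual(carried, computedMac);
}

// Constructed demo values, not real iron output: the bytes de ad be ef,
// base64url-encoded as "3q2-7w".
const DEMO_MAC = Uint8Array.from([0xde, 0xad, 0xbe, 0xef]);
const DEMO_MAC_B64URL = '3q2-7w';

function demo() {
  return {
    good: macMatches(DEMO_MAC_B64URL, DEMO_MAC),       // true
    tampered: macMatches('Aq2-7w', DEMO_MAC),          // false: first byte altered
    truncated: macMatches('3q2-', DEMO_MAC),           // false: 3 bytes vs 4
    garbage: macMatches('3q2+7w==', DEMO_MAC),         // false: '+' is not base64url
  };
}
```

In a Node-only code path, crypto.timingSafeEqual from node:crypto remains the better choice; this shim is what to fall back to where that function does not exist. A JIT cannot make JavaScript strictly constant-time, but the XOR-and-OR fold at least removes every data-dependent branch and early exit, which is the property the Edge runtime's missing primitive was providing.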