Added a note on secret transformation before token verification

refs #9865 - Added some clarificatoin around why secret used for token verification has to be transformed binary decoded from hex
2025-01-20 22:42:53 -05:00 · 2019-02-01 14:04:25 +00:00 · 2019-02-01 14:04:25 +00:00 · 3274138ff3
commit 3274138ff3
parent 11c910ec8c
1 changed files with 4 additions and 0 deletions
--- a/core/server/services/auth/api-key/admin.js
+++ b/core/server/services/auth/api-key/admin.js
@ -84,6 +84,10 @@ const authenticate = (req, res, next) => {
            }));
        }

+        // Decoding from hex and transforming into bytes is here to
+        // keep comparison of the bytes that are stored in the secret.
+        // Useful context:
+        // https://github.com/auth0/node-jsonwebtoken/issues/208#issuecomment-231861138
        const secret = Buffer.from(apiKey.get('secret'), 'hex');

        // ensure the token was meant for this endpoint