
fix: potential issue on sign new jwt tokens

If the user was already logged in, we were unwrapping the token and signing a new token, passing the previous payload props through to the new token; this might cause https://github.com/auth0/node-jsonwebtoken/issues/326#issuecomment-288124020
This commit ensures the new token will be based on the sign options defined in the config file.
This commit is contained in:
Juan Picado @jotadeveloper 2019-03-30 09:42:46 +01:00
parent 9af62c3ad2
commit 265849eaa9
No known key found for this signature in database
GPG key ID: 18AC54485952D158


@ -411,10 +411,13 @@ class Auth implements IAuth {
}
async jwtEncrypt(user: RemoteUser, signOptions: JWTSignOptions): string {
const { real_groups } = user;
const { real_groups, name, groups } = user;
const realGroupsValidated = _.isNil(real_groups) ? [] : real_groups;
const groupedGroups = _.isNil(groups) ? real_groups : groups.concat(realGroupsValidated);
const payload: RemoteUser = {
...user,
group: real_groups && real_groups.length ? real_groups : undefined,
real_groups: realGroupsValidated,
name,
groups: groupedGroups,
};
const token: string = await signPayload(payload, this.secret, signOptions);
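Review bot: The `...user` spread kept on the context line above `group:` still copies every property of the incoming user into the new payload, so if `user` came from verifying a previous token (as the description says), registered claims such as `exp`/`iat` would still be carried into the re-signed token, and the explicit `name`/`groups`/`real_groups` keys added here only override those three. Building the payload from the validated fields alone — `const payload: RemoteUser = { real_groups: realGroupsValidated, name, groups: groupedGroups };` (keeping `group` if callers still read it) — would make the configured sign options the only source of those claims. Separately, the new `groupedGroups` line falls back to the raw `real_groups` (possibly undefined) when `groups` is nil, while the `real_groups` key uses the normalized value; `_.isNil(groups) ? realGroupsValidated : groups.concat(realGroupsValidated)` keeps the two consistent. jwtEncrypt's body continues past the hunk.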