frbuceta / restify-jwt-community Goto Github PK

Hi guys,

It looks like the NPM package contains your .git folder in version 1.0.10 which is preventing npm install from running after the newest version of your package is installed.

To test, run npm install on a repo that includes this package. Once installed, run npm install again. You will see something similar to the following:

npm ERR! path /Users/zachary/Talage-Code/Code-API/node_modules/restify-jwt-community
npm ERR! code EISGIT
npm ERR! git /Users/zachary/Talage-Code/Code-API/node_modules/restify-jwt-community: Appears to be a git repo or submodule.
npm ERR! git     /Users/zachary/Talage-Code/Code-API/node_modules/restify-jwt-community
npm ERR! git Refusing to remove it. Update manually,
npm ERR! git or move it out of the way first.

This will cause npm install to fail.

server.use(rJwt({
    "secret" : fs.readFileSync(config.app.jwt_pub, 'utf8')
}).unless({
    path: ['/path']
}));

Is their a way we can add multiple public key in secret option

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

• chore(deps): update dependency eslint to v9
• chore(deps): update dependency husky to v9
• fix(deps): lock file maintenance
• 🔐 Create all rate-limited PRs at once 🔐

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): pin dependencies (restify, restify-errors)
• chore(deps): update commitlint monorepo to v17.8.1 (@commitlint/cli, @commitlint/config-conventional)
• chore(deps): update dependency @types/restify-errors to v4.3.9
• chore(deps): update dependency semantic-release to v22.0.12
• chore(deps): update dependency eslint to v8.57.0
• chore(deps): update actions/checkout action to v4
• chore(deps): update actions/setup-node action to v4
• chore(deps): update commitlint monorepo to v19 (major) (@commitlint/cli, @commitlint/config-conventional)
• chore(deps): update dependency semantic-release to v23
• chore(deps): update github/codeql-action action to v3
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Describe the bug
Hi, I'm trying update to restify 11.0.0. But when I put the restify-jwt-community middleware I start to get on all request this error:
Error [ERR_HTTP_HEADERS_SENT]: Cannot render headers after they are sent to the client
Even if the request is on the unless path.
If I comment server.use(rjwt({ secret: config.JWT_SECRET }).unless({path: ['/auth/token']})); the requests that don't use jwt token start to work fine.

UPDATE NOTE:
If remove the unless works fine.
As alternative to unless I did this:

server.use(rjwt({ secret: config.JWT_SECRET }), function (err, req, res, next) {
    if (err) {
        var path = [
            '/path1',
            '/path2',
        ];
        var matches = path.filter(function (pattern) {
            return new RegExp(pattern).test(req.url);
        });
        // If url match some path
        if (matches.length > 0) {
            return next();
        }
        return next(err);
    }
    
    return next();
});

To Reproduce

const rjwt = require('restify-jwt-community');
server.use(rjwt({ secret: config.JWT_SECRET }).unless({path: ['/auth/token']}));

Expected behavior
This code on restify 8.5.1 works fine.

System:

• OS: Docker node:16-alpine
• Restify JWT Community version 1.1.29

When tempering with the second part of the JWT we get a SyntaxError: Unexpected token in JSON at position 28 causing a crash which could cause a malicious user to utillize that as a DoS attack.

REPRO:

when we have a JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

And add some random noise to the payload part:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIrandomnoiseMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

it results in the following stacktrace:

users_1           | SyntaxError: Unexpected token  in JSON at position 28
users_1           |     at JSON.parse (<anonymous>)
users_1           |     at Object.jwsDecode [as decode] (/usr/src/services/users/node_modules/jws/lib/verify-stream.js:71:20)
users_1           |     at Object.module.exports [as decode] (/usr/src/services/users/node_modules/jsonwebtoken/decode.js:5:21)
users_1           |     at middleware (/usr/src/services/users/node_modules/restify-jwt-community/lib/index.js:70:24)
users_1           |     at Server.<anonymous> (/usr/src/services/users/node_modules/express-unless/index.js:47:5)
users_1           |     at next (/usr/src/services/users/node_modules/restify/lib/server.js:992:30)
users_1           |     at f (/usr/src/services/users/node_modules/once/once.js:36:25)
users_1           |     at Server.parseQueryString (/usr/src/services/users/node_modules/restify/lib/plugins/query.js:28:20)
users_1           |     at next (/usr/src/services/users/node_modules/restify/lib/server.js:992:30)
users_1           |     at f (/usr/src/services/users/node_modules/once/once.js:36:25)

What i would have expected was a TokenInvalid response or something

Describe the bug

I using Postman to check if Route was protected or not. If i use nodemon index.js all routes protected. But if i use docker-compose up all routes not protected.

My Dockerfile

FROM node:lts
WORKDIR /app
COPY package.json ./app
RUN npm install
RUN apk update && apk add inotify-tools
COPY . ./app
CMD [ "nodemon -L index.js" ]

My docker-compose.yml

version: "2"
services:
  web:
    build: .
    ports:
    - "3000:3000"
    depends_on:
    - mongo
  mongo:
    image: mongo
    ports:
    - "27017:27017"

System:

• OS: [Ubuntu 18.04]
• Restify JWT Community version [1.1.2]

🚨 The automated release from the main branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the main branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Invalid npm token.

The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two Factor Authentication for your account, set its level to "Authorization only" in your account settings. semantic-release cannot publish with the default "
Authorization and writes" level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.

Good luck with your project ✨

Your semantic-release bot 📦🚀

What is the Shared Secret that is mentioned in the usage examples?

I don't understand how the shared secret is specified or used.

Any insight is appreciated.

🚨 The automated release from the main branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the main branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here is some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

No npm token specified.

An npm token must be created and set in the NPM_TOKEN environment variable on your CI environment.

Please make sure to create an npm token and to set it in the NPM_TOKEN environment variable on your CI environment. The token must allow to publish to the registry https://registry.npmjs.org/.

Good luck with your project ✨

Your semantic-release bot 📦🚀

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here is some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Invalid npm token.

The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two-Factor Authentication, make configure the auth-only level is supported. semantic-release cannot publish with the default auth-and-writes level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.

Good luck with your project ✨

Your semantic-release bot 📦🚀