hono jwt helper type #4628

It looks like the JWT helper `alg` is no longer optional.

```
Expected 3 arguments, but got 2.ts(2554)
jwt.d.ts(62, 71): An argument for 'algOrOptions' was not provided.
```

from docs:

```ts
verify(
  token: string,
  secret: string,
  alg?: 'HS256';
  issuer?: string | RegExp;
): Promise<any>;
```

from jwt.d.ts:

```ts
export declare const verify: (token: string, publicKey: SignatureKey, algOrOptions: SignatureAlgorithm | import("../../utils/jwt/jwt").VerifyOptionsWithAlg) => Promise<import("../../utils/jwt/types").JWTPayload>;
```

it is however still optional with the sign function:

```ts
export declare const sign: (payload: import("../../utils/jwt/types").JWTPayload, privateKey: SignatureKey, alg?: SignatureAlgorithm) => Promise<string>;
```
Replies: 1 comment
@merthanmerter this is intentional, not a docs bug. it was a security fix in v4.11.4 to prevent JWT algorithm confusion attacks (GHSA-f67f-6cw9-8mq4).

the `alg` param in `verify()` went from optional to required in `src/utils/jwt/jwt.ts`. without it, an attacker could forge tokens by exploiting the default HS256 fallback with asymmetric keys. `sign()` wasn't changed (defaults to HS256), which is why only `verify` broke.

fix:

```ts
import { verify } from 'hono/jwt'

const payload = await verify(token, secret, 'HS256')

// or with options:
const payload = await verify(token, secret, {
  alg: 'HS256',
  iss: 'my-app',
})
```

the current docs page already shows `alg` as required. you were probably seeing cached ty…