
CognitoExpress.validate()'s callback parameter is optional, but is blindly invoked for error conditions #18

Closed
@robertbullen

Description


This means that the promisified code path in CognitoExpress.validate() is fundamentally broken for failure scenarios.

Here are the offending lines:

if (!decodedJwt) return callback(`Not a valid JWT token`, null);
if (decodedJwt.payload.iss !== this.iss)
    return callback(`token is not from your User Pool`, null);
if (decodedJwt.payload.token_use !== this.tokenUse)
    return callback(`Not an ${this.tokenUse} token`, null);
let kid = decodedJwt.header.kid;
let pem = this.pems[kid];
if (!pem) return callback(`Invalid ${this.tokenUse} token`, null);

Meanwhile, just a little further down callback is properly checked in two locations:

if (callback) {
    jwtVerify(params, callback);
} else {
    return new Promise((resolve, reject) => {
        jwtVerify(params, (err, result) => {
            if (err) {
                reject(err);
            } else {
                resolve(result);
            }
        });
    });
}
});
if (!callback) {
    return p;
}
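As an added example, not cognito-express's own code: a minimal model of the two control flows the issue describes. validateBroken mirrors the early-exit guards quoted above, so a promise-style caller (no callback) that presents an invalid token gets a synchronous TypeError rather than a rejected promise; validateFixed routes every outcome, early failures included, through one settle adapter, so the promise path rejects cleanly while the callback path behaves as before. The token objects, issuer URLs, kid values and the settle/outcome helpers are constructed for this demo, and the jwtVerify signature check is omitted from the model.

```javascript
// Constructed inputs for the demo (not real Cognito data).
const EXPECTED = {
  iss: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLEPOOL',
  tokenUse: 'access',
  pems: { 'kid-1': '<pem placeholder; never consulted in this model>' },
};
const GOOD_JWT = {
  header: { kid: 'kid-1' },
  payload: { iss: EXPECTED.iss, token_use: 'access', sub: 'user-123' },
};
const FOREIGN_JWT = {
  header: { kid: 'kid-1' },
  payload: {
    ...GOOD_JWT.payload,
    iss: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_OTHERPOOL',
  },
};

// Broken pattern, mirroring the guards quoted in the issue: each guard
// invokes callback() whether or not one was supplied. With no callback,
// a failed check throws TypeError synchronously instead of rejecting.
// (jwtVerify / signature checking is omitted from this model.)
function validateBroken(decodedJwt, cfg, callback) {
  if (!decodedJwt) return callback('Not a valid JWT token', null);
  if (decodedJwt.payload.iss !== cfg.iss)
    return callback('token is not from your User Pool', null);
  if (decodedJwt.payload.token_use !== cfg.tokenUse)
    return callback(`Not an ${cfg.tokenUse} token`, null);
  if (!cfg.pems[decodedJwt.header.kid])
    return callback(`Invalid ${cfg.tokenUse} token`, null);
  // Only the success path honours both calling styles.
  if (callback) return callback(null, decodedJwt.payload);
  return Promise.resolve(decodedJwt.payload);
}

// Fixed pattern: every outcome passes through one adapter that honours
// whichever style the caller chose (hypothetical helper, not the library's).
function settle(callback, err, result) {
  if (callback) {
    callback(err, result);
    return undefined;
  }
  return err ? Promise.reject(err) : Promise.resolve(result);
}

function validateFixed(decodedJwt, cfg, callback) {
  let err = null;
  if (!decodedJwt) err = 'Not a valid JWT token';
  else if (decodedJwt.payload.iss !== cfg.iss) err = 'token is not from your User Pool';
  else if (decodedJwt.payload.token_use !== cfg.tokenUse) err = `Not an ${cfg.tokenUse} token`;
  else if (!cfg.pems[decodedJwt.header.kid]) err = `Invalid ${cfg.tokenUse} token`;
  return settle(callback, err, err ? null : decodedJwt.payload);
}

// Classify how a call ended: synchronous throw, rejected promise, or
// resolved promise, so the two paths can be compared side by side.
async function outcome(fn) {
  let pending;
  try {
    pending = fn();
  } catch (e) {
    return { kind: 'threw', error: e };
  }
  try {
    return { kind: 'resolved', value: await pending };
  } catch (e) {
    return { kind: 'rejected', error: e };
  }
}

// Demo: promise-style callers presenting an invalid token.
(async () => {
  const broken = await outcome(() => validateBroken(null, EXPECTED));
  const fixed = await outcome(() => validateFixed(null, EXPECTED));
  console.log('broken, no callback, bad token ->', broken.kind, String(broken.error));
  console.log('fixed,  no callback, bad token ->', fixed.kind, String(fixed.error));
})();
```

The practical consequence of the broken shape is that a caller written as validate(token).then(...).catch(...) never reaches its catch handler on a failed check, because the TypeError escapes synchronously before a promise exists; the fixed shape makes every failure observable on the same path the caller chose.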
