当前位置：文江博客话题详情

在 Node.js 中验证 JWT

发布于 2024-12-26 16:18:06 字数 1367 浏览 3 评论 0 原文

我正在尝试根据此示例（在.NET中编写）解析和验证node.js中的JWT令牌： https://github.com/liveservices/LiveSDK/blob/master/Samples/Asp.net/AuthenticationTokenSample/JsonWebToken.cs

这是我验证令牌的节点 js javascript：

var validateSignature = function(key, claims, envelope, signature) {
    var hasher = crypto.createHash('sha256');
    hasher.update(key + "JWTSig");
    var key = hasher.digest('binary');
    var hmac = crypto.createHmac('sha256', key);
    hmac.update(envelope + '.' + claims);
    var out = hmac.digest('base64');
    console.log(out);
    console.log(signature);
    console.log(out === signature);
}

现在，非常奇怪的是——它几乎可以工作。这是三个 console.log 语句的输出：

pEwNPJ+LUHBdvNx631UzdyVhPFUOvFY8jG3x/cP81FE=
pEwNPJ-LUHBdvNx631UzdyVhPFUOvFY8jG3x_cP81FE
false

我觉得可疑的是，除了 +-/_= 之外，哈希值都是相同的

有人发现我的错误吗？与我的 base64 编码有关。

更新

我又玩了一些，这里的 base64 编码似乎有些奇怪。 Node js 中的以下代码：

console.log(signature);
var b = new Buffer(signature, 'base64');
console.log(b.toString('base64'));

Yields:

pEwNPJ-LUHBdvNx631UzdyVhPFUOvFY8jG3x_cP81FE
pEwNPJLUHBdvNx631UzdyVhPFUOvFY8jG3xcP81F

这看起来很奇怪，对吧？

原文

I'm trying to parse and validate a JWT token in node.js based on this sample (authored in .NET): https://github.com/liveservices/LiveSDK/blob/master/Samples/Asp.net/AuthenticationTokenSample/JsonWebToken.cs

Here is my node js javascript that validates the token:

var validateSignature = function(key, claims, envelope, signature) {
    var hasher = crypto.createHash('sha256');
    hasher.update(key + "JWTSig");
    var key = hasher.digest('binary');
    var hmac = crypto.createHmac('sha256', key);
    hmac.update(envelope + '.' + claims);
    var out = hmac.digest('base64');
    console.log(out);
    console.log(signature);
    console.log(out === signature);
}

Now, the very weird thing is - it almost works. Here's the output of the three console.log statements:

pEwNPJ+LUHBdvNx631UzdyVhPFUOvFY8jG3x/cP81FE=
pEwNPJ-LUHBdvNx631UzdyVhPFUOvFY8jG3x_cP81FE
false

It seems suspicious to me that the hashes are both the same except for the +-/_=

Anybody spot my mistake? Something to do with my base64 encoding.

UPDATE

I played some more and there seems to be something funky going on with base64 encoding here. The following code in node js:

console.log(signature);
var b = new Buffer(signature, 'base64');
console.log(b.toString('base64'));

yields:

pEwNPJ-LUHBdvNx631UzdyVhPFUOvFY8jG3x_cP81FE
pEwNPJLUHBdvNx631UzdyVhPFUOvFY8jG3xcP81F

Which seems very odd, right?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

窝囊感情。 2025-01-02 16:18:06

感谢蒂莫西·米德的评论并推动我走向正确的方向。

Node 的 Buffer 类型使用 +、/ 和 = 生成标准 Base64

有一个 URL 安全的 Base64 编码，如下所述： http: //en.wikipedia.org/wiki/Base64

它将 + 替换为 -，/ 替换为 _，= 是可选的。在 QueryString (d'uh) 上传递的令牌是 URL 安全版本。因此存在差异。

代码通过一个简单的修复：

out = out.replace('+','-').replace('/','_').replace('=','');

Thanks to Timothy Meade for commenting and pushing me in the right direction.

Node's Buffer type generates standard Base64 with +, / and =

There is a URL safe base64 encoding as mentioned here: http://en.wikipedia.org/wiki/Base64

It replaces + with -, / with _ and = is optional. The token that is passed on the QueryString (d'uh) is a URL safe version. Hence the difference.

Code was fixed by a simple:

out = out.replace('+','-').replace('/','_').replace('=','');

回复收藏 0 原文

执妄 2025-01-02 16:18:06

我不久前写了这个库，我想你可以使用其中的一些代码。它应该在 Node.js 和现代浏览器中运行。

JavaScript 的 JWT 库

回复收藏 0 原文

江湖正好 2025-01-02 16:18:06

这不是您尝试使用的确切方法，但我相信这是在 NodeJS 中验证 JWT 的首选方法。请注意，我使用 NPM base64url 库在 base64Url（JWT 的默认编码）和 base64 （NodeJS 验证功能所需的编码）之间进行转换。

另请注意，您需要公钥和私钥对分别进行签名和验证。我在这篇文章的底部包含了用于签名和验证此 JWT 的私钥和公钥。

const base64 = require('base64url');
const crypto = require('crypto');
const verifyFunction = crypto.createVerify('RSA-SHA256');
const fs = require('fs');

// The sample JWT from https://jwt.io/
const JWT = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.POstGetfAytaZS82wHcjoTyoqhMyxXiWdR7Nn7A29DNSl0EiXLdwJ6xC6AfgZWF1bOsS_TuYI3OG85AmiExREkrS6tDfTQ2B3WXlrr-wp5AokiRbz3_oB4OxG-W9KcEEbDRcZc0nH3L7LzYptiy1PtAylQGxHTWZXtGz4ht0bAecBgmpdgXMguEIcoqPJ1n3pIWk_dUZegpqx0Lka21H6XxUTxiy8OcaarA8zdnPUnV6AmNP3ecFawIFYdvJB_cm-GvpCSbr8G8y_Mllj8f4x9nBH8pQux89_6gUY618iYv7tuPWBFfEbLxtF2pZS6YC1aSfLQxeNe8djT9YjpvRZA';

// This just gets the value of the public key (same as the one at bottom of this post)
const PUB_KEY = fs.readFileSync(__dirname + '/id_rsa_pub.pem', 'utf8');

// Split the JWT by `.` to get each part
const jwtHeader = JWT.split('.')[0];
const jwtPayload = JWT.split('.')[1];
const jwtSignature = JWT.split('.')[2];

// We only need the first two pieces to verify
verifyFunction.write(jwtHeader + '.' + jwtPayload);
verifyFunction.end();

// IMPORTANT: NodeJS expects base64 format, not base64url format!
const jwtSignatureBase64 = base64.toBase64(jwtSignature);

// IMPORTANT: You need to specify that the `jwtSignatureBase64` data is base64 format, 
// otherwise, it will default to Buffer format and return false
const signatureIsValid = verifyFunction.verify(PUB_KEY, jwtSignatureBase64, 'base64');

console.log(signatureIsValid); // true

下面的键来自此处提到的示例 JWT。

私钥：

公钥：

This is not the exact method that you were trying to use, but I believe it is the preferred way to validate a JWT in NodeJS. Note that I am using the NPM base64url library to convert between base64Url (the default encoding for a JWT) and base64 (what NodeJS expects for the verification function).

Also note, you need a public and private keypair to sign and verify respectively. I have included the private and public keys that were used to sign and verify this JWT at the bottom of this post.

const base64 = require('base64url');
const crypto = require('crypto');
const verifyFunction = crypto.createVerify('RSA-SHA256');
const fs = require('fs');

// The sample JWT from https://jwt.io/
const JWT = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.POstGetfAytaZS82wHcjoTyoqhMyxXiWdR7Nn7A29DNSl0EiXLdwJ6xC6AfgZWF1bOsS_TuYI3OG85AmiExREkrS6tDfTQ2B3WXlrr-wp5AokiRbz3_oB4OxG-W9KcEEbDRcZc0nH3L7LzYptiy1PtAylQGxHTWZXtGz4ht0bAecBgmpdgXMguEIcoqPJ1n3pIWk_dUZegpqx0Lka21H6XxUTxiy8OcaarA8zdnPUnV6AmNP3ecFawIFYdvJB_cm-GvpCSbr8G8y_Mllj8f4x9nBH8pQux89_6gUY618iYv7tuPWBFfEbLxtF2pZS6YC1aSfLQxeNe8djT9YjpvRZA';

// This just gets the value of the public key (same as the one at bottom of this post)
const PUB_KEY = fs.readFileSync(__dirname + '/id_rsa_pub.pem', 'utf8');

// Split the JWT by `.` to get each part
const jwtHeader = JWT.split('.')[0];
const jwtPayload = JWT.split('.')[1];
const jwtSignature = JWT.split('.')[2];

// We only need the first two pieces to verify
verifyFunction.write(jwtHeader + '.' + jwtPayload);
verifyFunction.end();

// IMPORTANT: NodeJS expects base64 format, not base64url format!
const jwtSignatureBase64 = base64.toBase64(jwtSignature);

// IMPORTANT: You need to specify that the `jwtSignatureBase64` data is base64 format, 
// otherwise, it will default to Buffer format and return false
const signatureIsValid = verifyFunction.verify(PUB_KEY, jwtSignatureBase64, 'base64');

console.log(signatureIsValid); // true

The keys below are from the example JWT mentioned here.

Private Key:

Public Key:

回复收藏 0 原文

~没有更多了~