When a JSON Web Token (JWT) is created, the issuer must sign it with a strong signing algorithm. Without a signature, neither the authenticity nor the integrity of the token can be verified.
The signature is computed over the encoded header and payload segments, using the algorithm named in the header and either a shared secret (for HMAC algorithms such as HS256) or the issuer's private key (for asymmetric algorithms). Any change to the header or payload renders the signature invalid, so the recipient can check that the token it received carries exactly the claims the issuer encoded, unaltered.
This issue is raised when the `sign` function of the `jsonwebtoken` package is used to create a JWT with `none` as the `algorithm` value. Such a token has an empty signature segment, so anyone who obtains it can alter its claims without detection. The consuming side must be equally strict: a verifier that trusts whatever algorithm the token header names can be downgraded to an unsigned token, so the accepted algorithms should be pinned when the token is verified.
Noncompliant code example:
const jwt = require('jsonwebtoken');
// Noncompliant: the JWT is not signed at all when `algorithm` is set to `none`
const token = jwt.sign({ user: 'xyz' }, key, { algorithm: 'none' });
Compliant solution:
const jwt = require('jsonwebtoken');
// Approach 1: when `algorithm` is omitted, jsonwebtoken signs the token with `HS256` by default
const tokenDefault = jwt.sign({ user: 'xyz' }, key);
// Approach 2: explicitly name a supported signing algorithm
const tokenExplicit = jwt.sign({ user: 'xyz' }, key, { algorithm: 'HS256' });