From 46acc627a8d6f1c68e0a5fafefc28af119a0e08f Mon Sep 17 00:00:00 2001
From: CVSz
Date: Fri, 3 Apr 2026 10:00:23 +0700
Subject: [PATCH] Mitigate fast-jwt whitespace-prefixed public key confusion

---
 patches/fast-jwt@6.1.0.patch | 23 +++++++++++++++++++++++
 pnpm-lock.yaml | 9 +++++++--
 pnpm-workspace.yaml | 13 ++++++++-----
 3 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 patches/fast-jwt@6.1.0.patch

diff --git a/patches/fast-jwt@6.1.0.patch b/patches/fast-jwt@6.1.0.patch
new file mode 100644
index 0000000..36b8a7e
--- /dev/null
+++ b/patches/fast-jwt@6.1.0.patch
@@ -0,0 +1,23 @@
+diff --git a/src/crypto.js b/src/crypto.js
+index 3896ada0c606beb9f9b77faa5831114a12a2214a..1581ea805d0845b6336f1d1481de8b05d603afb9 100644
+--- a/src/crypto.js
++++ b/src/crypto.js
+@@ -124,14 +124,15 @@ function performDetectPrivateKeyAlgorithm(key) {
+ }
+ 
+ function performDetectPublicKeyAlgorithms(key) {
+- const publicKeyPemMatch = key.match(publicKeyPemMatcher)
++ const normalizedKey = key.trimStart()
++ const publicKeyPemMatch = normalizedKey.match(publicKeyPemMatcher)
+ 
+- if (key.match(privateKeyPemMatcher)) {
++ if (normalizedKey.match(privateKeyPemMatcher)) {
+ throw new TokenError(TokenError.codes.invalidKey, 'Private keys are not supported for verifying.')
+ } else if (publicKeyPemMatch && publicKeyPemMatch[1] === 'RSA') {
+ // pkcs1 format - Can only be RSA key
+ return rsaAlgorithms
+- } else if (!publicKeyPemMatch && !key.includes(publicKeyX509CertMatcher)) {
++ } else if (!publicKeyPemMatch && !normalizedKey.includes(publicKeyX509CertMatcher)) {
+ // Not a PEM, assume a plain secret
+ return hsAlgorithms
+ }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 5e3330f..05e28ea 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
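Review bot: `key.trimStart()` on the first added line presumes `key` is a string; if a Buffer key can reach `performDetectPublicKeyAlgorithms` (its callers are outside this hunk), the call throws a bare TypeError instead of the `TokenError` the function raises for bad keys, so confirm the input type at the call sites or coerce before trimming. Only the three checks inside the hunk see `normalizedKey`, and the function continues past the hunk's end presumably still reading `key`, which is acceptable as long as every key-family decision is made on the normalized value; a why-comment would make that contract explicit: `// normalize leading whitespace so a PEM public key is never misclassified as an HMAC secret`. The final `else if` still treats anything that fails the PEM and X509 checks as a plain secret, so the patch narrows the misclassification window rather than removing it. A regression test in this repository asserting that a whitespace-prefixed public key is not accepted for HS verification would keep the pnpm patch honest across future fast-jwt upgrades.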
@@ -4,6 +4,11 @@ settings:
 autoInstallPeers: true
 excludeLinksFromLockfile: false
 
+patchedDependencies:
+ fast-jwt@6.1.0:
+ hash: 19c75932c277444db6226d379adc628fcb597222a1d910f9e60f82e9e116087a
+ path: patches/fast-jwt@6.1.0.patch
+
 importers:
 
 .:
@@ -778,7 +783,7 @@ snapshots:
 dependencies:
 '@fastify/error': 4.2.0
 '@lukeed/ms': 2.0.2
- fast-jwt: 6.1.0
+ fast-jwt: 6.1.0(patch_hash=19c75932c277444db6226d379adc628fcb597222a1d910f9e60f82e9e116087a)
 fastify-plugin: 5.1.0
 steed: 1.1.3
 
@@ -950,7 +955,7 @@ snapshots:
 json-schema-ref-resolver: 3.0.0
 rfdc: 1.4.1
 
- fast-jwt@6.1.0:
+ fast-jwt@6.1.0(patch_hash=19c75932c277444db6226d379adc628fcb597222a1d910f9e60f82e9e116087a):
 dependencies:
 '@lukeed/ms': 2.0.2
 asn1.js: 5.4.1
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index f4e82ba..e1a7399 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -1,6 +1,9 @@
 packages:
- - "apps/*"
- - "packages/*"
- - "services/*"
- - "modules/*"
- - "factory/*"
+ - apps/*
+ - packages/*
+ - services/*
+ - modules/*
+ - factory/*
+
+patchedDependencies:
+ fast-jwt@6.1.0: patches/fast-jwt@6.1.0.patch
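Review bot: The `patchedDependencies` entry added at the end of the pnpm-workspace.yaml hunk is keyed to the exact version `fast-jwt@6.1.0`, so a later version bump can leave this mitigation behind with no change to this file, and nothing here records why the patch exists or when it can be dropped. A comment beside the entry would make that visible to whoever bumps the dependency: `# fast-jwt: trim leading whitespace before key-type detection (see patches/fast-jwt@6.1.0.patch); re-validate or drop on every version bump`. The unquoting of the `packages` globs in the same hunk is unrelated to the mitigation and would be easier to audit as a separate commit.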