allowInsecureKeySizes flag not present among TS types. #969

Open
toabm opened this issue May 16, 2024 · 1 comment

toabm commented May 16, 2024

Description

I updated from version 8 to 9, and since my RSA keys were not long enough I got the error: "secretOrPrivateKey has a minimum key size of 2048 bits for RS256"

I do not want to change all RSA keys in every environment so I decided to use the flag allowInsecureKeySizes to bypass that new check.

My project is built with TypeScript, and if I use that flag in the options of the jwt.sign() method I will see this error:

"TS2769: No overload matches this cal"

Reproduction

```ts
jwt.sign({}, privateKey, {
  issuer: 'streetcrowd',
  subject: provider,
  algorithm: 'RS256',
  allowInsecureKeySizes: true
});
```

This is the definition of SignOptions, as you can see, the required flag is missing:

```ts
export interface SignOptions {
  algorithm?: Algorithm | undefined;
  keyid?: string | undefined;
  expiresIn?: string | number | undefined;
  notBefore?: string | number | undefined;
  audience?: string | string[] | undefined;
  subject?: string | undefined;
  issuer?: string | undefined;
  jwtid?: string | undefined;
  mutatePayload?: boolean | undefined;
  noTimestamp?: boolean | undefined;
  header?: JwtHeader | undefined;
  encoding?: string | undefined;
}
```


Environment

  • jsonwebtoken 9.0.2
  • Node 18

@ankit-orion

The error you're encountering (TS2769: No overload matches this call) occurs because the allowInsecureKeySizes option is not part of the SignOptions interface provided by the jsonwebtoken package. This option isn't officially supported in the TypeScript typings for the library, which causes TypeScript to throw an error when you attempt to use it.

Workaround
To bypass this TypeScript error, you can extend the SignOptions interface to include the allowInsecureKeySizes flag or use a type assertion to inform TypeScript that the object being passed is compatible.

```ts
import jwt, { SignOptions } from 'jsonwebtoken';

// Extend the SignOptions to add allowInsecureKeySizes
interface CustomSignOptions extends SignOptions {
  allowInsecureKeySizes?: boolean;
}

// Use the extended interface with the additional option
const token = jwt.sign({}, privateKey, {
  issuer: 'streetcrowd',
  subject: provider,
  algorithm: 'RS256',
  allowInsecureKeySizes: true, // Now TypeScript won't complain
} as CustomSignOptions);
```
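
An added example, not part of the thread above and not jsonwebtoken's own code: rather than setting `allowInsecureKeySizes: true` for every environment, this measures each RSA key with Node's built-in `crypto` module and enables the flag only for keys that are below 2048 bits and on an explicit legacy allow-list. The helper names (`makeSampleKey`, `rsaKeyBits`, `signOptionsFor`), the `legacy-env` label and the generated keys are assumptions made up for the illustration.

```javascript
// Added example, not jsonwebtoken code. Helper names below are hypothetical.
const { createPrivateKey, generateKeyPairSync } = require('node:crypto');

const MIN_RSA_BITS = 2048; // minimum stated in the v9 error message for RS256

// Constructed sample input: a throwaway RSA private key of the given size, as PEM.
function makeSampleKey(bits) {
  return generateKeyPairSync('rsa', {
    modulusLength: bits,
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  }).privateKey;
}

// Modulus length in bits of an RSA private key given as PEM.
function rsaKeyBits(pem) {
  const key = createPrivateKey(pem);
  if (key.asymmetricKeyType !== 'rsa') {
    throw new TypeError(`expected an RSA key, got ${key.asymmetricKeyType}`);
  }
  return key.asymmetricKeyDetails.modulusLength;
}

// Options for jwt.sign(): the bypass flag is set only when the key is
// measurably short AND its label is on an explicit legacy allow-list.
function signOptionsFor(label, pem, base, legacyAllowList) {
  const bits = rsaKeyBits(pem);
  if (bits >= MIN_RSA_BITS) return { ...base };
  if (!legacyAllowList.has(label)) {
    throw new Error(`${label}: ${bits}-bit RSA key is below ${MIN_RSA_BITS} and not allow-listed`);
  }
  console.warn(`${label}: ${bits}-bit RSA key, allowInsecureKeySizes enabled; schedule rotation`);
  return { ...base, allowInsecureKeySizes: true };
}

// Demo with a constructed 1024-bit key; the result is the third argument to jwt.sign().
const demoBase = { algorithm: 'RS256', issuer: 'streetcrowd' };
const demoOptions = signOptionsFor('legacy-env', makeSampleKey(1024), demoBase, new Set(['legacy-env']));
console.log(demoOptions);
```

Keys that already meet the minimum get the base options unchanged, so the bypass disappears by itself once a legacy key is rotated.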
