throwError does not throw on invalid signature

[stephent]

The readme states:

throws

If options.throwError is true and the token is invalid, an error will be thrown.

But the verify method does not throw if the following line returns false, even if throwError is true:

cloudflare-worker-jwt/src/index.ts

Line 232 in 8a75c24

return await crypto.subtle.verify(algorithm, key, base64UrlToArrayBuffer(tokenParts[2]), textToArrayBuffer(`${tokenParts[0]}.${tokenParts[1]}`))

This could result in invalid JWTs being mistakenly accepted, if the caller assumes they can simply try/catch with throwError passed as true and don't also check the return value.

[stephent]

See also #76 - the code shown there appears to make exactly this incorrect assumption.

[chamini2]

what about

cloudflare-worker-jwt/src/index.ts

Lines 234 to 236 in 8a75c24

	if (options.throwError)
	throw err
	return false

[stephent]

@chamini2 what about it? That doesn't change anything about the reported issue...

[chamini2]

Can you share an example of this that should have failed

[stephent]

A JWT with an invalid signature will simply return false and won't throw even if throwError is set to true. crypto.subtle.verify doesn't always throw, per the docs (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/verify#return_value).

I think it would be fine either throw an error if throwError is true and verify returns false`, or alternatively to update the documentation along the lines of

If options.throwError is true, any errors encountered while validating the token will be rethrown, however callers must always check the method return value to confirm token validity, as an invalid token does not necessarily result in a thrown error.