JSON Web Token Prevents Upgrade to Angular 6

The Setup

This is a short episode of a software engineer’s experience with one node package bump-in-the-road upgrading to Angular 6. My team is building medical applications using Angular. Obviously, the application’s network transactions require a level of security. JSON Web Tokensor JWT, is a package we depend on for secure network transactions.

Here’s a brief overview of JWT. It was created by Auth0 (they still maintain it), and it uses an open standard (RFC 7519). It provides a secure method for transmitting data in JSON format. While it is capable of encryption, its focus is data integrity. It is digitally signed with a secret (HMAC) or public/private (RSA/ECSDA) key pair. Its primary use case, like on my project, is authorization.

In this system, once the user authenticates against the identity provider service with their user-id, password and two-factor authentication, the authorization service provides an access-token and refresh-token. When the access-token expires, the refresh-token will be used to get a new one until it expires, at which point the user must re-authenticate.

The Problem

Now to cut to the chase, we wanted to upgrade to Angular 6. I set about creating a git branch and downloading the new version, updating and such. Eventually the console spat out some red text complaining about the crypto library not being available.

Module not found: Error: Can’t resolve ‘crypto’

Crypto is a dependency about 2 layers down in jsonwebtokens. I then found that Angular 6 didn’t provide a method for enabling node crypto polyfill in webpack.config when I tried to npm install crypto. One dirty fix suggested, was to simply modify the node module file manually:

I’ve modified the below file

node_modules//src/angular-cli-files/models/webpack-configs/browser.js

at the bottom of the page:

node: false

Change to:

node: { crypto: true, stream: true, buffer: true }

And here’s a script that will perform the task for you!

The Solution

It worked alright, but we weren’t going to introduce a hack-fix into our application. Everything needed to be legit; it wasn’t a pet project. So I filed an issue on Auth0’s JSON Web Token GitHub repository asking them if they would fix it. They said that JSON Web Tokens was made for node and trying to support frontend projects would be way too much work. I could understand why they took that stance. Considering our options, it’s looking like we’ll have to use a different package for decrypting the JWTs. There are a few out there such as JWA, but the trick is finding one that has a solid-enough reputation for your project. So if you run into the same issue as I did, save yourself some time and just switch frontend packages if you can.