JWT hashes change between dependency changes #2

Open
Profpatsch opened this issue Mar 11, 2022 · 0 comments

Profpatsch commented Mar 11, 2022

Our testsuite caught a concerning problem: The JWTs changed between two environments of our dependency tree, while haskell-jwt stayed the same version.

  test/UserSpec.hs:61:7:
  1) User.buildToken builds a JWT token as Text containing the data from Tokencontent
       expected: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEyMzU0Nzg5NTIsImlzcyI6IlRlc3RrdW5kZSJ9.oIDvf-oaEEFSvmudzaWylebw70SsE20Y8cv7IwARP8k"
        but got: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJUZXN0a3VuZGUiLCJleHAiOjEyMzU0Nzg5NTJ9.qFtPTf0AHm5lJIa-wUe_Wh9EpzaCNbIa23jGj7w6K4o"

The test is

  -- Imports assumed for this spec fragment (not shown in the report):
  -- import Test.Hspec
  -- import qualified Data.Maybe as Maybe
  -- import qualified Data.Text as Text
  -- import qualified Web.JWT as JWT
  describe "buildToken" $ do
    let expTime = Maybe.fromJust $ JWT.numericDate 1235478952
        tokenContent = TokenContent uname expTime
        -- the expectation is the full compact token, compared byte for byte
        tokenResult = Text.pack "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjEyMzU0Nzg5NTIsImlzcyI6IlRlc3RrdW5kZSJ9.oIDvf-oaEEFSvmudzaWylebw70SsE20Y8cv7IwARP8k"
    it "builds a JWT token as Text containing the data from Tokencontent" $ do
      buildToken tokenContent `shouldBe` tokenResult

and the buildToken function is

{-# LANGUAGE DuplicateRecordFields #-}   -- for the `(tc :: TokenContent)` field disambiguation below
{-# LANGUAGE OverloadedStrings #-}       -- `Just "JWT"` and `stringOrURI` take Text

import Data.Text (Text)
import qualified Web.JWT as JWT

-- `TokenContent` (fields `username`, `expirationTime`), `unUsername` and
-- `mySigner :: JWT.Signer` are defined elsewhere in the reporter's module.

-- Todo: remove hard coupling of `signer`
-- | Build a JWT token containing the data in the TokenContent-parameter
buildToken :: TokenContent
           -- ^ Data that should be contained in the token
           -> Text
           -- ^ Resulting token
buildToken tc =
  let signer     = mySigner
      -- Header: the algorithm is fixed here, not taken from the caller
      joseHeader = mempty
                   {
                     JWT.typ = Just "JWT"
                   , JWT.alg = Just JWT.HS256
                   }
      -- Claims: `iss` and `exp`; the order they are serialized in is
      -- decided by the JSON encoder, not by this record
      claimSet   = mempty
                   {
                     JWT.iss = JWT.stringOrURI
                               $ unUsername
                               $ username (tc :: TokenContent)
                   , JWT.exp = Just $ expirationTime (tc :: TokenContent)
                   }
  in
  -- HS256 signature over header.payload; result is the compact serialization
  JWT.encodeSigned signer joseHeader claimSet

(sorry, I haven’t extracted a functioning minimal repro yet)


Here is a full diff of our environment, including all system packages, GHC version and haskell packages:
jwt-diff-colored.txt
It contains terminal color, so pipe to less -R to see it.

It was generated by

nix-diff --color=always /nix/store/3rhasajwd7w3hyk7jmb4ccraj5izhqgx-jwt-0.11.0.drv /nix/store/2p9bncn5nrmg993mx76aaskrplw8c90w-jwt-0.11.0.drv

It starts something like

- /nix/store/3rhasajwd7w3hyk7jmb4ccraj5izhqgx-jwt-0.11.0.drv:{out}
+ /nix/store/2p9bncn5nrmg993mx76aaskrplw8c90w-jwt-0.11.0.drv:{out}
• The builders do not match
    - /nix/store/wv35g5lff84rray15zlzarcqi9fxzz84-bash-4.4-p23/bin/bash
    + /nix/store/4nmqxajzaf60yjribkgvj5j54x9yvr1r-bash-5.1-p12/bin/bash
• The set of input derivation names do not match:
    - bash-4.4-p23
    - coreutils-8.32
    - cryptonite-0.28
    - ghc-8.10.4
    - glibc-locales-2.32-54
    - gnugrep-3.6
    - scientific-0.3.6.2
    - semigroups-0.19.1
    - unordered-containers-0.2.13.0
    - vector-0.12.3.0
    - x509-1.7.5
    - x509-store-1.6.7
    + bash-5.1-p12
    + coreutils-9.0
    + cryptonite-0.29
    + ghc-8.10.7
    + glibc-locales-2.33-108
    + gnugrep-3.7
    + scientific-0.3.7.0
    + semigroups-0.19.2
    + unordered-containers-0.2.16.0
    + vector-0.12.3.1
    + x509-1.7.6
    + x509-store-1.6.9

So the best guess I have from a quick look is that the version changes in the underlying crypto libraries made a difference.

Maybe we were implicitly depending on some default cipher, and that changed.


Since we are only using the library for our ephemeral session store, which is cleaned on restart, I think (???) this should not influence the functioning of our authentication system, but I haven’t tested it yet. Please correct me if I’m wrong!

Not sure where to go from here, maybe it’s a problematic bug, maybe it’s not, I’m not well-versed with JWTs and didn’t write the authentication code.
