Bug report: JWT sign broken again

[Martin12350]

Describe the bug
JWT sign is broken since version v10.23.0.
Looks like the same issue as in #1768
We can confirm from the channel log that in v10.23 jsonwebtoken was bumped to v9.0.0.

To Reproduce
Steps to reproduce the behavior or a link to the recipe / input used to cause the bug:

1. Go to CyberChef
2. Add JWT sign, key, and input
3. Bake it
4. See error:

Have you entered the key correctly? The key should be either the secret for HMAC algorithms or the PEM-encoded private key for RSA and ECDSA.

TypeError: Right-hand side of 'instanceof' is not an object

Desktop (if relevant, please complete the following information):

• OS: Windows
• Browser: Chrome
• CyberChef version: >10.23.0 (latest build: 11.0.0)

[GCHQDeveloper581]

We're in a bit of a bind here.

Versions 9.X of the jsonwebtokens library (which this functionality relies one) don't play nicely when running in the browser (due to reliance on the Node crypto API, which is only partially reimplemented within crypto-browserify) - see auth0/node-jsonwebtoken#939 for some commentary on this.

Unfortunately there is a "high" severity CVE for jsonwebtoken 8.5.1 which we previously used, which makes downgrading an unpalatable option - see GHSA-8cf7-32gw-wr33.

Likely the best solution would be to update to a more modern web token library. Jose is mentioned a number of times in the jsonwebtoken issue summary above.

[hl6226]

Hi @GCHQDeveloper581 could you please review this pull request? #2454

• It works well with latest version of libraries
• It has enhanced functions, which should be much better to use both JWT decode and JWT verify in a single operation