From 22ab7500bd65dcbca9a30820bc75cbd7fab195a6 Mon Sep 17 00:00:00 2001
From: Sergey Konovalov
Date: Sun, 9 Nov 2025 11:08:29 +0300
Subject: [PATCH] [bug] Fix crash in getJwtHsKey; Uses validation approach from jsonwebtoken library
---
 Common/sources/utils.js | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/Common/sources/utils.js b/Common/sources/utils.js
index 4e82c529..b0ba5b6a 100644
--- a/Common/sources/utils.js
+++ b/Common/sources/utils.js
@@ -1108,13 +1108,18 @@ const jwtKeyCache = Object.create(null);
 /**
 * Gets or creates a cached symmetric key for JWT verification (HS256/HS384/HS512).
 * Caches crypto.KeyObject to avoid expensive key creation on every request.
- * @param {string} secret - JWT symmetric secret
- * @returns {crypto.KeyObject} Cached secret key object
+ * Uses the same validation approach as jsonwebtoken library.
+ * @param {string|Buffer} secret - JWT symmetric secret
+ * @returns {crypto.KeyObject|undefined} Cached secret key object, or undefined when secret is missing/invalid
 */
 function getJwtHsKey(secret) {
 let res = jwtKeyCache[secret];
- if (!res) {
- res = jwtKeyCache[secret] = crypto.createSecretKey(Buffer.from(secret, 'utf8'));
+ if (!res && secret != null) {
+ try {
+ res = jwtKeyCache[secret] = crypto.createSecretKey(typeof secret === 'string' ? Buffer.from(secret, 'utf8') : secret);
+ } catch {
+ return undefined;
+ }
 }
 return res;
 }
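Review bot: The cache is still indexed by the string coercion of `secret` in `jwtKeyCache[secret]`, which stops being a safe key now that a Buffer is accepted. A Buffer is coerced through a lossy UTF-8 decode, so two different binary secrets containing invalid byte sequences can map to the same property name and the second caller gets the first secret's KeyObject. The lookup also runs before the `secret != null` guard, so `getJwtHsKey(undefined)` reads `jwtKeyCache['undefined']` and would return a key cached for the literal string secret "undefined". I would do the null check first and key the cache on a type-tagged, lossless form such as `'s:' + secret` for strings and `'b:' + secret.toString('base64')` for Buffers, or skip the cache for non-string secrets. Separately, the bare `catch` hides a misconfigured secret, so a log line there would help, and the callers (outside this hunk) presumably need to treat an `undefined` return as a verification failure.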