

Merge pull request #333 from panva/bump-jose
adamjmcgrath authored Nov 1, 2022
2 parents d578c53 + 6ae2849 commit 670bb7d
Showing 8 changed files with 66 additions and 24 deletions.
6 changes: 3 additions & 3 deletions .circleci/config.yml
Expand Up @@ -8,9 +8,9 @@ jobs:
parameters:
node-version:
type: string
default: "12"
default: "18"
docker:
- image: circleci/node:<< parameters.node-version >>
- image: cimg/node:<< parameters.node-version >>
environment:
LANG: en_US.UTF-8
steps:
Expand All @@ -37,7 +37,7 @@ workflows:
- build:
matrix:
parameters:
node-version: ["10", "12", "14"]
node-version: ["14.20", "16.18", "18.12"]
- ship/node-publish:
requires:
- build
25 changes: 22 additions & 3 deletions package-lock.json


3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -15,7 +15,7 @@
"@types/express": "^4.17.14",
"@types/jsonwebtoken": "^8.5.9",
"debug": "^4.3.4",
"jose": "^2.0.6",
"jose": "^4.10.3",
"limiter": "^1.1.5",
"lru-memoizer": "^2.1.4"
},
Expand All @@ -32,6 +32,7 @@
"express-jwt": "^6.0.0",
"express-jwt-v7": "npm:express-jwt@^7.5.0",
"jsonwebtoken": "^8.5.1",
"jose2": "npm:jose@^2.0.6",
"koa": "^2.12.1",
"koa-jwt": "^3.6.0",
"mocha": "^6.2.3",
2 changes: 1 addition & 1 deletion src/JwksClient.js
Expand Up @@ -56,7 +56,7 @@ class JwksClient {
throw new JwksError('The JWKS endpoint did not contain any keys');
}

const signingKeys = retrieveSigningKeys(keys);
const signingKeys = await retrieveSigningKeys(keys);

if (!signingKeys.length) {
throw new JwksError('The JWKS endpoint did not contain any signing keys');
7 changes: 5 additions & 2 deletions src/integrations/passport.js
@@ -1,4 +1,4 @@
const JWT = require('jose').JWT;
const jose = require('jose');
const { ArgumentError } = require('../errors');
const { JwksClient } = require('../JwksClient');
const supportedAlg = require('./config');
Expand Down Expand Up @@ -30,7 +30,10 @@ module.exports.passportJwtSecret = function (options) {
return function secretProvider(req, rawJwtToken, cb) {
let decoded;
try {
decoded = JWT.decode(rawJwtToken, { complete: true });
decoded = {
payload: jose.decodeJwt(rawJwtToken),
header: jose.decodeProtectedHeader(rawJwtToken)
};
} catch (err) {
decoded = null;
}
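Review bot: The replacement `decoded` object in secretProvider carries only `payload` and `header`, whereas jose v2's `JWT.decode(..., { complete: true })` also exposed the `signature` segment, so any code further down that reads `decoded.signature` now sees `undefined`; secretProvider continues beyond the hunk, so that tail is worth a grep before merging. Both `jose.decodeJwt` and `jose.decodeProtectedHeader` are unverified decodes of attacker-controlled input, and the code here only needs them to pick a key, which deserves a comment above the try so nobody later treats `decoded.payload` as authenticated: `// Unverified decode: header.kid/alg are used only to select the key; the signature is presumably verified by the caller (passport-jwt) with the secret passed to cb.` Since `decodeJwt` throws on anything that is not a three-part compact JWS, a JWE or a malformed token lands in the catch and yields `decoded = null`, which is the intended outcome but also worth noting in that comment.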
41 changes: 30 additions & 11 deletions src/utils.js
@@ -1,17 +1,36 @@
const jose = require('jose');
const crypto = require('crypto');

function retrieveSigningKeys(keys) {
const keystore = jose.JWKS.asKeyStore({ keys }, { ignoreErrors: true });
async function retrieveSigningKeys(jwks) {
const results = [];

return keystore.all({ use: 'sig' }).map((key) => {
return {
kid: key.kid,
alg: key.alg,
get publicKey() { return key.toPEM(false); },
get rsaPublicKey() { return key.toPEM(false); },
getPublicKey() { return key.toPEM(false); }
};
});
jwks = jwks
.filter(({ use }) => use === 'sig' || use === undefined)
.filter(({ kty }) => kty === 'RSA' || kty === 'EC' || kty === 'OKP');

for (const jwk of jwks) {
try {
// The algorithm is actually not used in the Node.js KeyObject-based runtime
// passing an arbitrary value here and checking that KeyObject was returned
// later
const keyObject = await jose.importJWK(jwk, 'RS256');
if (!(keyObject instanceof crypto.KeyObject) || keyObject.type !== 'public') {
continue;
}
const getSpki = () => keyObject.export({ format: 'pem', type: 'spki' });
results.push({
get publicKey() { return getSpki(); },
get rsaPublicKey() { return getSpki(); },
getPublicKey() { return getSpki(); },
...(typeof jwk.kid === 'string' && jwk.kid ? { kid: jwk.kid } : undefined),
...(typeof jwk.alg === 'string' && jwk.alg ? { alg: jwk.alg } : undefined)
});
} catch (err) {
continue;
}
}

return results;
}

module.exports = {
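Review bot: The `use` filter at the top of `retrieveSigningKeys` admits every key that has no `use` member, but a JWK can declare its purpose through `key_ops` instead (RFC 7517 §4.3), and a key published with `key_ops: ['encrypt']` or an `OKP` key on an X25519/X448 curve still passes the `kty` filter, imports as a public KeyObject, and is then offered as a signing key. Adding `.filter(({ key_ops }) => key_ops === undefined || (Array.isArray(key_ops) && key_ops.includes('verify')))` next to the `use` check closes the `key_ops` case, and the OKP key-agreement curves can be excluded by `crv` in the same place. The `catch (err) { continue; }` drops unparsable keys silently, which matches the old `ignoreErrors: true` behaviour, but a one-line debug log there would make a JWKS that ends up with zero usable keys much easier to diagnose; `debug` is a declared dependency in package.json, though whether utils.js already requires it is not visible in this hunk.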
2 changes: 1 addition & 1 deletion src/wrappers/interceptor.js
Expand Up @@ -12,7 +12,7 @@ function getKeysInterceptor(client, { getKeysInterceptor }) {

let signingKeys;
if (keys && keys.length) {
signingKeys = retrieveSigningKeys(keys);
signingKeys = await retrieveSigningKeys(keys);
}

if (signingKeys && signingKeys.length) {
4 changes: 2 additions & 2 deletions tests/mocks/jwks.js
@@ -1,12 +1,12 @@
const nock = require('nock');
const jose = require('jose');
const jose2 = require('jose2');

function jwksEndpoint(host, certs) {
return nock(host)
.get('/.well-known/jwks.json')
.reply(200, {
keys: certs.map(cert => {
const parsed = jose.JWK.asKey(cert.pub).toJWK();
const parsed = jose2.JWK.asKey(cert.pub).toJWK();
return {
...parsed,
use: 'sig',
