2.4.3

🐛 Fix verification relying on a signing key
add test workflow
2024-01-26 15:03:51 +01:00 · 2024-01-26 15:02:52 +01:00 · 2024-01-26 15:00:40 +01:00 · 2024-01-21 00:08:03 +01:00 · 2024-01-21 00:06:50 +01:00 · 2024-01-20 23:50:02 +01:00
7 changed files with 47 additions and 24 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,21 @@
+name: Test
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: latest
+          registry-url: https://registry.npmjs.org/
+      - name: Install dependencies
+        run: npm ci
+      - name: Run tests
+        run: npm test
--- a/.npmignore
+++ b/.npmignore
@@ -1,6 +1,9 @@
+.editorconfig
 .github/
+.gitignore
+.nvmrc
+coverage/
+jest.config.ts
 src/
 tests/
-.editorconfig
-jest.config.ts
 tsconfig.json
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@tsndr/cloudflare-worker-jwt",
-  "version": "2.4.0",
+  "version": "2.4.3",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@tsndr/cloudflare-worker-jwt",
-      "version": "2.4.0",
+      "version": "2.4.3",
      "license": "MIT",
      "devDependencies": {
        "@cloudflare/workers-types": "^4.20231025.0",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@tsndr/cloudflare-worker-jwt",
-  "version": "2.4.0",
+  "version": "2.4.3",
  "description": "A lightweight JWT implementation with ZERO dependencies for Cloudflare Worker",
  "type": "module",
  "exports": "./index.js",
--- a/src/index.ts
+++ b/src/index.ts
@@ -46,7 +46,7 @@ export type JwtHeader<T = {}> = {
 * @prop {string} [iat] Issued At
 * @prop {string} [jti] JWT ID
 */
-export type JwtPayload<T = {}> = {
+export type JwtPayload<T = { [key: string]: any }> = {
    /** Issuer */
    iss?: string

@@ -67,8 +67,6 @@ export type JwtPayload<T = {}> = {

    /** JWT ID */
    jti?: string
-
-    [key: string]: any
 } & T

 /**
@@ -158,7 +156,7 @@ export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payloa

    const partialToken = `${textToBase64Url(JSON.stringify({ ...options.header, alg: options.algorithm }))}.${textToBase64Url(JSON.stringify(payload))}`

-    const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm)
+    const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ['sign'])
    const signature = await crypto.subtle.sign(algorithm, key, textToArrayBuffer(partialToken))

    return `${partialToken}.${arrayBufferToBase64Url(signature)}`
@@ -210,7 +208,7 @@ export async function verify(token: string, secret: string | JsonWebKey | Crypto
        if (payload.exp && payload.exp <= Math.floor(Date.now() / 1000))
            throw new Error('EXPIRED')

-        const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm)
+        const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ['verify'])

        return await crypto.subtle.verify(algorithm, key, base64UrlToArrayBuffer(tokenParts[2]), textToArrayBuffer(`${tokenParts[0]}.${tokenParts[1]}`))
    } catch(err) {
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -49,36 +49,37 @@ export function pemToBinary(pem: string): ArrayBuffer {
    return base64StringToArrayBuffer(pem.replace(/-+(BEGIN|END).*/g, '').replace(/\s/g, ''))
 }

-export async function importTextSecret(key: string, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
-    return await crypto.subtle.importKey("raw", textToArrayBuffer(key), algorithm, true, ["verify", "sign"])
+type KeyUsages = 'sign' | 'verify';
+export async function importTextSecret(key: string, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+    return await crypto.subtle.importKey("raw", textToArrayBuffer(key), algorithm, true, keyUsages)
 }

-export async function importJwk(key: JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
-    return await crypto.subtle.importKey("jwk", key, algorithm, true, ["verify", "sign"])
+export async function importJwk(key: JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+    return await crypto.subtle.importKey("jwk", key, algorithm, true, keyUsages)
 }

-export async function importPublicKey(key: string, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
-    return await crypto.subtle.importKey("spki", pemToBinary(key), algorithm, true, ["verify"])
+export async function importPublicKey(key: string, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+    return await crypto.subtle.importKey("spki", pemToBinary(key), algorithm, true, keyUsages)
 }

-export async function importPrivateKey(key: string, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
-    return await crypto.subtle.importKey("pkcs8", pemToBinary(key), algorithm, true, ["sign"])
+export async function importPrivateKey(key: string, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+    return await crypto.subtle.importKey("pkcs8", pemToBinary(key), algorithm, true, keyUsages)
 }

-export async function importKey(key: string | JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
+export async function importKey(key: string | JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
    if (typeof key === 'object')
-        return importJwk(key, algorithm)
+        return importJwk(key, algorithm, keyUsages)

    if (typeof key !== 'string')
        throw new Error('Unsupported key type!')

    if (key.includes('PUBLIC'))
-        return importPublicKey(key, algorithm)
+        return importPublicKey(key, algorithm, keyUsages)

    if (key.includes('PRIVATE'))
-        return importPrivateKey(key, algorithm)
+        return importPrivateKey(key, algorithm, keyUsages)

-    return importTextSecret(key, algorithm)
+    return importTextSecret(key, algorithm, keyUsages)
 }

 export function decodePayload<T = any>(raw: string): T | undefined {
--- a/tests/utils.spec.ts
+++ b/tests/utils.spec.ts
@@ -67,7 +67,7 @@ describe('Imports', () => {
 		const testAlgorithm = { name: 'HMAC', hash: { name: 'SHA-256' } }
 		const testCryptoKey = { type: 'secret', extractable: true, algorithm: { ...testAlgorithm, length: 168 }, usages: ['verify', 'sign'] }

-		expect(await importTextSecret(testKey, testAlgorithm)).toMatchObject(testCryptoKey)
+		expect(await importTextSecret(testKey, testAlgorithm, ['verify', 'sign'])).toMatchObject(testCryptoKey)
 	})

 	//test('importJwk', async () => {})
Author	SHA1	Message	Date
Toby	32e00ac6b9	2.4.3	2024-01-26 15:03:51 +01:00
Nick DeGroot	247da9b396	🐛 Fix verification relying on a signing key	2024-01-26 15:02:52 +01:00
Toby	db0e5b51e0	add test workflow	2024-01-26 15:00:40 +01:00
Toby	6594895273	2.4.2	2024-01-21 00:08:03 +01:00
Toby	61a3a2ed50	update JwtPayload type, thanks @Le0Developer #61	2024-01-21 00:06:50 +01:00
Toby	d7a6847206	2.4.1	2024-01-20 23:50:02 +01:00
Toby	5ab19c4dc0	update npmignore	2024-01-20 23:49:51 +01:00