2.4.3

🐛 Fix verification relying on a signing key
2024-01-26 15:03:51 +01:00 · 2024-01-26 15:02:52 +01:00
5 changed files with 20 additions and 19 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@tsndr/cloudflare-worker-jwt",
-  "version": "2.4.2",
+  "version": "2.4.3",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@tsndr/cloudflare-worker-jwt",
-      "version": "2.4.2",
+      "version": "2.4.3",
      "license": "MIT",
      "devDependencies": {
        "@cloudflare/workers-types": "^4.20231025.0",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@tsndr/cloudflare-worker-jwt",
-  "version": "2.4.2",
+  "version": "2.4.3",
  "description": "A lightweight JWT implementation with ZERO dependencies for Cloudflare Worker",
  "type": "module",
  "exports": "./index.js",
--- a/src/index.ts
+++ b/src/index.ts
@@ -156,7 +156,7 @@ export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payloa

    const partialToken = `${textToBase64Url(JSON.stringify({ ...options.header, alg: options.algorithm }))}.${textToBase64Url(JSON.stringify(payload))}`

-    const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm)
+    const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ['sign'])
    const signature = await crypto.subtle.sign(algorithm, key, textToArrayBuffer(partialToken))

    return `${partialToken}.${arrayBufferToBase64Url(signature)}`
@@ -208,7 +208,7 @@ export async function verify(token: string, secret: string | JsonWebKey | Crypto
        if (payload.exp && payload.exp <= Math.floor(Date.now() / 1000))
            throw new Error('EXPIRED')

-        const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm)
+        const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm, ['verify'])

        return await crypto.subtle.verify(algorithm, key, base64UrlToArrayBuffer(tokenParts[2]), textToArrayBuffer(`${tokenParts[0]}.${tokenParts[1]}`))
    } catch(err) {
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -49,36 +49,37 @@ export function pemToBinary(pem: string): ArrayBuffer {
    return base64StringToArrayBuffer(pem.replace(/-+(BEGIN|END).*/g, '').replace(/\s/g, ''))
 }

-export async function importTextSecret(key: string, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
-    return await crypto.subtle.importKey("raw", textToArrayBuffer(key), algorithm, true, ["verify", "sign"])
+type KeyUsages = 'sign' | 'verify';
+export async function importTextSecret(key: string, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+    return await crypto.subtle.importKey("raw", textToArrayBuffer(key), algorithm, true, keyUsages)
 }

-export async function importJwk(key: JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
-    return await crypto.subtle.importKey("jwk", key, algorithm, true, ["verify", "sign"])
+export async function importJwk(key: JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+    return await crypto.subtle.importKey("jwk", key, algorithm, true, keyUsages)
 }

-export async function importPublicKey(key: string, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
-    return await crypto.subtle.importKey("spki", pemToBinary(key), algorithm, true, ["verify"])
+export async function importPublicKey(key: string, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+    return await crypto.subtle.importKey("spki", pemToBinary(key), algorithm, true, keyUsages)
 }

-export async function importPrivateKey(key: string, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
-    return await crypto.subtle.importKey("pkcs8", pemToBinary(key), algorithm, true, ["sign"])
+export async function importPrivateKey(key: string, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
+    return await crypto.subtle.importKey("pkcs8", pemToBinary(key), algorithm, true, keyUsages)
 }

-export async function importKey(key: string | JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm): Promise<CryptoKey> {
+export async function importKey(key: string | JsonWebKey, algorithm: SubtleCryptoImportKeyAlgorithm, keyUsages: KeyUsages[]): Promise<CryptoKey> {
    if (typeof key === 'object')
-        return importJwk(key, algorithm)
+        return importJwk(key, algorithm, keyUsages)

    if (typeof key !== 'string')
        throw new Error('Unsupported key type!')

    if (key.includes('PUBLIC'))
-        return importPublicKey(key, algorithm)
+        return importPublicKey(key, algorithm, keyUsages)

    if (key.includes('PRIVATE'))
-        return importPrivateKey(key, algorithm)
+        return importPrivateKey(key, algorithm, keyUsages)

-    return importTextSecret(key, algorithm)
+    return importTextSecret(key, algorithm, keyUsages)
 }

 export function decodePayload<T = any>(raw: string): T | undefined {
--- a/tests/utils.spec.ts
+++ b/tests/utils.spec.ts
@@ -67,7 +67,7 @@ describe('Imports', () => {
 		const testAlgorithm = { name: 'HMAC', hash: { name: 'SHA-256' } }
 		const testCryptoKey = { type: 'secret', extractable: true, algorithm: { ...testAlgorithm, length: 168 }, usages: ['verify', 'sign'] }

-		expect(await importTextSecret(testKey, testAlgorithm)).toMatchObject(testCryptoKey)
+		expect(await importTextSecret(testKey, testAlgorithm, ['verify', 'sign'])).toMatchObject(testCryptoKey)
 	})

 	//test('importJwk', async () => {})
Author	SHA1	Message	Date
Toby	32e00ac6b9	2.4.3	2024-01-26 15:03:51 +01:00
Nick DeGroot	247da9b396	🐛 Fix verification relying on a signing key	2024-01-26 15:02:52 +01:00