tsndr/cloudflare-worker-jwt
1
0
Fork 0
Code Activity

Compare commits

base: tsndr:v2.0.0
Branches Tags
tsndr:main tsndr:Le0Developer-feat/allow-cryptokey tsndr:feat/allow-cryptokey
tsndr:v3.2.0 tsndr:v3.1.7 tsndr:v3.1.6 tsndr:v3.1.5 tsndr:v3.1.4 tsndr:v3.1.3 tsndr:v3.1.2 tsndr:v3.1.1 tsndr:v3.1.0 tsndr:v3.0.0 tsndr:v2.5.4 tsndr:v2.5.3 tsndr:v2.5.2 tsndr:v2.5.1 tsndr:v2.5.0 tsndr:v2.4.7 tsndr:v2.4.6 tsndr:v2.4.5 tsndr:v2.4.4 tsndr:v2.4.3 tsndr:v2.4.2 tsndr:v2.4.1 tsndr:v2.4.0 tsndr:v2.3.2 tsndr:v2.3.1 tsndr:v2.3.0 tsndr:v2.2.10 tsndr:v2.2.9 tsndr:v2.2.8 tsndr:v2.2.7 tsndr:v2.2.6 tsndr:v2.2.5 tsndr:v2.2.4 tsndr:v2.2.3 tsndr:v2.2.2 tsndr:v2.2.1 tsndr:v2.2.0 tsndr:v2.1.4 tsndr:v2.1.3 tsndr:v2.1.2 tsndr:v2.1.1 tsndr:v2.1.0 tsndr:v2.0.1 tsndr:v2.0.0 tsndr:v1.4.4 tsndr:v1.4.3 tsndr:v1.4.2 tsndr:v1.4.1 tsndr:v1.4.0 tsndr:v1.3.1 tsndr:v1.3.0 tsndr:v1.2.0 tsndr:v1.1.7 tsndr:v1.1.6 tsndr:v1.1.5 tsndr:v1.1.4 tsndr:v1.1.3 tsndr:v1.1.2 tsndr:v1.1.1 tsndr:v1.1.0 tsndr:v1.0.8 tsndr:v1.0.7 tsndr:v1.0.6 tsndr:v1.0.5 tsndr:v1.0.4 tsndr:v1.0.3 tsndr:v1.0.2 tsndr:v1.0.1 tsndr:v1.0.0
..
compare: tsndr:v2.1.0
Branches Tags
tsndr:main tsndr:Le0Developer-feat/allow-cryptokey tsndr:feat/allow-cryptokey
tsndr:v3.2.0 tsndr:v3.1.7 tsndr:v3.1.6 tsndr:v3.1.5 tsndr:v3.1.4 tsndr:v3.1.3 tsndr:v3.1.2 tsndr:v3.1.1 tsndr:v3.1.0 tsndr:v3.0.0 tsndr:v2.5.4 tsndr:v2.5.3 tsndr:v2.5.2 tsndr:v2.5.1 tsndr:v2.5.0 tsndr:v2.4.7 tsndr:v2.4.6 tsndr:v2.4.5 tsndr:v2.4.4 tsndr:v2.4.3 tsndr:v2.4.2 tsndr:v2.4.1 tsndr:v2.4.0 tsndr:v2.3.2 tsndr:v2.3.1 tsndr:v2.3.0 tsndr:v2.2.10 tsndr:v2.2.9 tsndr:v2.2.8 tsndr:v2.2.7 tsndr:v2.2.6 tsndr:v2.2.5 tsndr:v2.2.4 tsndr:v2.2.3 tsndr:v2.2.2 tsndr:v2.2.1 tsndr:v2.2.0 tsndr:v2.1.4 tsndr:v2.1.3 tsndr:v2.1.2 tsndr:v2.1.1 tsndr:v2.1.0 tsndr:v2.0.1 tsndr:v2.0.0 tsndr:v1.4.4 tsndr:v1.4.3 tsndr:v1.4.2 tsndr:v1.4.1 tsndr:v1.4.0 tsndr:v1.3.1 tsndr:v1.3.0 tsndr:v1.2.0 tsndr:v1.1.7 tsndr:v1.1.6 tsndr:v1.1.5 tsndr:v1.1.4 tsndr:v1.1.3 tsndr:v1.1.2 tsndr:v1.1.1 tsndr:v1.1.0 tsndr:v1.0.8 tsndr:v1.0.7 tsndr:v1.0.6 tsndr:v1.0.5 tsndr:v1.0.4 tsndr:v1.0.3 tsndr:v1.0.2 tsndr:v1.0.1 tsndr:v1.0.0

5 Commits
v2.0.0 ... v2.1.0

Author SHA1 Message Date
Tobias Schneider
ffc1e87b32 2.1.0 2022-10-03 01:58:51 +02:00
Tobias Schneider
decfa65391 clean up 2022-10-03 01:57:59 +02:00
badoge
67f1a8e5ed support for base64 secrets 2022-10-03 01:54:28 +02:00
Tobias Schneider
fe1baf46b4 2.0.1 2022-07-08 15:07:00 +02:00
Tobias Schneider
81f9eafd86 export types 2022-07-08 15:06:17 +02:00
4 changed files with 72 additions and 41 deletions
Expand all files Collapse all files

13
index.test.js
View File

@@ -22,9 +22,10 @@ const secrets = {}
// Keypairs // Keypairs
for (const algorithm of algorithms) { for (const algorithm of algorithms) {
if (algorithm.startsWith('HS')) if (algorithm.startsWith('HS')) {
//secrets[algorithm] = 'c2VjcmV0'
secrets[algorithm] = 'secret' secrets[algorithm] = 'secret'
else if (algorithm.startsWith('RS')) { } else if (algorithm.startsWith('RS')) {
secrets[algorithm] = { secrets[algorithm] = {
public: `-----BEGIN PUBLIC KEY----- public: `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
@@ -122,6 +123,7 @@ const testPayload = {
test.each(Object.entries(secrets))(`Self test: %s`, async (algorithm, key) => { test.each(Object.entries(secrets))(`Self test: %s`, async (algorithm, key) => {
let privateKey = key let privateKey = key
let publicKey = key let publicKey = key
if (typeof key === 'object') { if (typeof key === 'object') {
privateKey = key.private privateKey = key.private
publicKey = key.public publicKey = key.public
@@ -158,12 +160,11 @@ const externalTokens = {
test.each(Object.entries(externalTokens))('Verify external tokens: %s', async (algorithm, token) => { test.each(Object.entries(externalTokens))('Verify external tokens: %s', async (algorithm, token) => {
const key = secrets[algorithm] const key = secrets[algorithm]
let privateKey = key
let publicKey = key let publicKey = key
if (typeof key === 'object') {
privateKey = key.private if (typeof key === 'object')
publicKey = key.public publicKey = key.public
}
const verified = await jwt.verify(token, publicKey, { algorithm }) const verified = await jwt.verify(token, publicKey, { algorithm })
expect(verified).toBeTruthy() expect(verified).toBeTruthy()

4
package-lock.json generated
View File

@@ -1,12 +1,12 @@
{ {
"name": "@tsndr/cloudflare-worker-jwt", "name": "@tsndr/cloudflare-worker-jwt",
"version": "2.0.0", "version": "2.1.0",
"lockfileVersion": 2, "lockfileVersion": 2,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "@tsndr/cloudflare-worker-jwt", "name": "@tsndr/cloudflare-worker-jwt",
"version": "2.0.0", "version": "2.1.0",
"license": "MIT", "license": "MIT",
"devDependencies": { "devDependencies": {
"@cloudflare/workers-types": "^3.13.0", "@cloudflare/workers-types": "^3.13.0",

2
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "@tsndr/cloudflare-worker-jwt", "name": "@tsndr/cloudflare-worker-jwt",
"version": "2.0.0", "version": "2.1.0",
"description": "A lightweight JWT implementation with ZERO dependencies for Cloudflare Worker", "description": "A lightweight JWT implementation with ZERO dependencies for Cloudflare Worker",
"main": "index.js", "main": "index.js",
"types": "index.d.ts", "types": "index.d.ts",

80
src/index.ts
View File

@@ -5,12 +5,12 @@ if (typeof crypto === 'undefined' || !crypto.subtle)
* @typedef JwtAlgorithm * @typedef JwtAlgorithm
* @type {'ES256'|'ES384'|'ES512'|'HS256'|'HS384'|'HS512'|'RS256'|'RS384'|'RS512'} * @type {'ES256'|'ES384'|'ES512'|'HS256'|'HS384'|'HS512'|'RS256'|'RS384'|'RS512'}
*/ */
type JwtAlgorithm = 'ES256'|'ES384'|'ES512'|'HS256'|'HS384'|'HS512'|'RS256'|'RS384'|'RS512' export type JwtAlgorithm = 'ES256'|'ES384'|'ES512'|'HS256'|'HS384'|'HS512'|'RS256'|'RS384'|'RS512'
/** /**
* @typedef JwtAlgorithms * @typedef JwtAlgorithms
*/ */
interface JwtAlgorithms { export interface JwtAlgorithms {
[key: string]: SubtleCryptoImportKeyAlgorithm [key: string]: SubtleCryptoImportKeyAlgorithm
} }
@@ -18,7 +18,7 @@ interface JwtAlgorithms {
* @typedef JwtHeader * @typedef JwtHeader
* @prop {string} [typ] Type * @prop {string} [typ] Type
*/ */
interface JwtHeader { export interface JwtHeader {
/** /**
* Type (default: `"JWT"`) * Type (default: `"JWT"`)
* *
@@ -39,7 +39,7 @@ interface JwtHeader {
* @prop {string} [iat] Issued At * @prop {string} [iat] Issued At
* @prop {string} [jti] JWT ID * @prop {string} [jti] JWT ID
*/ */
interface JwtPayload { export interface JwtPayload {
/** Issuer */ /** Issuer */
iss?: string iss?: string
@@ -68,7 +68,7 @@ interface JwtPayload {
* @typedef JwtOptions * @typedef JwtOptions
* @prop {JwtAlgorithm | string} algorithm * @prop {JwtAlgorithm | string} algorithm
*/ */
interface JwtOptions { export interface JwtOptions {
algorithm?: JwtAlgorithm | string algorithm?: JwtAlgorithm | string
} }
@@ -77,7 +77,7 @@ interface JwtOptions {
* @extends JwtOptions * @extends JwtOptions
* @prop {JwtHeader} [header] * @prop {JwtHeader} [header]
*/ */
interface JwtSignOptions extends JwtOptions { export interface JwtSignOptions extends JwtOptions {
header?: JwtHeader header?: JwtHeader
} }
@@ -86,7 +86,7 @@ interface JwtSignOptions extends JwtOptions {
* @extends JwtOptions * @extends JwtOptions
* @prop {boolean} [throwError=false] If `true` throw error if checks fail. (default: `false`) * @prop {boolean} [throwError=false] If `true` throw error if checks fail. (default: `false`)
*/ */
interface JwtVerifyOptions extends JwtOptions { export interface JwtVerifyOptions extends JwtOptions {
/** /**
* If `true` throw error if checks fail. (default: `false`) * If `true` throw error if checks fail. (default: `false`)
* *
@@ -100,7 +100,7 @@ interface JwtVerifyOptions extends JwtOptions {
* @prop {JwtHeader} header * @prop {JwtHeader} header
* @prop {JwtPayload} payload * @prop {JwtPayload} payload
*/ */
interface JwtData { export interface JwtData {
header: JwtHeader header: JwtHeader
payload: JwtPayload payload: JwtPayload
} }
@@ -129,17 +129,31 @@ const algorithms: JwtAlgorithms = {
RS512: { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-512' } } RS512: { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-512' } }
} }
function _parseSecret(secret: string): { raw: boolean, key: ArrayBuffer } {
if (secret.startsWith('-----BEGIN'))
return { raw: false, key: _str2ab(secret.replace(/-----BEGIN.*?-----/g, '').replace(/-----END.*?-----/g, '').replace(/\s/g, '')) }
// Check for Base64
if (/^([0-9a-zA-Z+/]{4})*(([0-9a-zA-Z+/]{2}==)|([0-9a-zA-Z+/]{3}=))?$/.test(secret))
return { raw: true, key: base64UrlParse(secret) }
else
return { raw: true, key: _utf8ToUint8Array(secret) }
}
function _utf8ToUint8Array(str: string): Uint8Array { function _utf8ToUint8Array(str: string): Uint8Array {
return base64UrlParse(btoa(unescape(encodeURIComponent(str)))) return base64UrlParse(btoa(unescape(encodeURIComponent(str))))
} }
function _str2ab(str: string): ArrayBuffer { function _str2ab(str: string): ArrayBuffer {
str = atob(str) str = atob(str)
const buf = new ArrayBuffer(str.length); const buf = new ArrayBuffer(str.length);
const bufView = new Uint8Array(buf); const bufView = new Uint8Array(buf);
for (let i = 0, strLen = str.length; i < strLen; i++) { for (let i = 0, strLen = str.length; i < strLen; i++) {
bufView[i] = str.charCodeAt(i); bufView[i] = str.charCodeAt(i);
} }
return buf; return buf;
} }
@@ -156,6 +170,7 @@ function _decodePayload(raw: string): JwtHeader | JwtPayload | null {
default: default:
throw new Error('Illegal base64url string!') throw new Error('Illegal base64url string!')
} }
try { try {
return JSON.parse(decodeURIComponent(escape(atob(raw)))) return JSON.parse(decodeURIComponent(escape(atob(raw))))
} catch { } catch {
@@ -175,28 +190,32 @@ function _decodePayload(raw: string): JwtHeader | JwtPayload | null {
export async function sign(payload: JwtPayload, secret: string, options: JwtSignOptions | JwtAlgorithm = { algorithm: 'HS256', header: { typ: 'JWT' } }): Promise<string> { export async function sign(payload: JwtPayload, secret: string, options: JwtSignOptions | JwtAlgorithm = { algorithm: 'HS256', header: { typ: 'JWT' } }): Promise<string> {
if (typeof options === 'string') if (typeof options === 'string')
options = { algorithm: options, header: { typ: 'JWT' } } options = { algorithm: options, header: { typ: 'JWT' } }
options = { algorithm: 'HS256', header: { typ: 'JWT' }, ...options } options = { algorithm: 'HS256', header: { typ: 'JWT' }, ...options }
if (payload === null || typeof payload !== 'object') if (payload === null || typeof payload !== 'object')
throw new Error('payload must be an object') throw new Error('payload must be an object')
if (typeof secret !== 'string') if (typeof secret !== 'string')
throw new Error('secret must be a string') throw new Error('secret must be a string')
if (typeof options.algorithm !== 'string') if (typeof options.algorithm !== 'string')
throw new Error('options.algorithm must be a string') throw new Error('options.algorithm must be a string')
const algorithm: SubtleCryptoImportKeyAlgorithm = algorithms[options.algorithm] const algorithm: SubtleCryptoImportKeyAlgorithm = algorithms[options.algorithm]
if (!algorithm) if (!algorithm)
throw new Error('algorithm not found') throw new Error('algorithm not found')
payload.iat = Math.floor(Date.now() / 1000) payload.iat = Math.floor(Date.now() / 1000)
const payloadAsJSON = JSON.stringify(payload) const payloadAsJSON = JSON.stringify(payload)
const partialToken = `${base64UrlStringify(_utf8ToUint8Array(JSON.stringify({ ...options.header, alg: options.algorithm })))}.${base64UrlStringify(_utf8ToUint8Array(payloadAsJSON))}` const partialToken = `${base64UrlStringify(_utf8ToUint8Array(JSON.stringify({ ...options.header, alg: options.algorithm })))}.${base64UrlStringify(_utf8ToUint8Array(payloadAsJSON))}`
let keyFormat = 'raw' const parsedSecret = _parseSecret(secret)
let keyData
if (secret.startsWith('-----BEGIN')) { const key = await crypto.subtle.importKey(parsedSecret.raw ? 'raw' : 'pkcs8', parsedSecret.key, algorithm, false, ['sign'])
keyFormat = 'pkcs8'
keyData = _str2ab(secret.replace(/-----BEGIN.*?-----/g, '').replace(/-----END.*?-----/g, '').replace(/\s/g, ''))
} else
keyData = _utf8ToUint8Array(secret)
const key = await crypto.subtle.importKey(keyFormat, keyData, algorithm, false, ['sign'])
const signature = await crypto.subtle.sign(algorithm, key, _utf8ToUint8Array(partialToken)) const signature = await crypto.subtle.sign(algorithm, key, _utf8ToUint8Array(partialToken))
return `${partialToken}.${base64UrlStringify(new Uint8Array(signature))}` return `${partialToken}.${base64UrlStringify(new Uint8Array(signature))}`
} }
@@ -212,44 +231,55 @@ export async function sign(payload: JwtPayload, secret: string, options: JwtSign
export async function verify(token: string, secret: string, options: JwtVerifyOptions | JwtAlgorithm = { algorithm: 'HS256', throwError: false }): Promise<boolean> { export async function verify(token: string, secret: string, options: JwtVerifyOptions | JwtAlgorithm = { algorithm: 'HS256', throwError: false }): Promise<boolean> {
if (typeof options === 'string') if (typeof options === 'string')
options = { algorithm: options, throwError: false } options = { algorithm: options, throwError: false }
options = { algorithm: 'HS256', throwError: false, ...options } options = { algorithm: 'HS256', throwError: false, ...options }
if (typeof token !== 'string') if (typeof token !== 'string')
throw new Error('token must be a string') throw new Error('token must be a string')
if (typeof secret !== 'string') if (typeof secret !== 'string')
throw new Error('secret must be a string') throw new Error('secret must be a string')
if (typeof options.algorithm !== 'string') if (typeof options.algorithm !== 'string')
throw new Error('options.algorithm must be a string') throw new Error('options.algorithm must be a string')
const tokenParts = token.split('.') const tokenParts = token.split('.')
if (tokenParts.length !== 3) if (tokenParts.length !== 3)
throw new Error('token must consist of 3 parts') throw new Error('token must consist of 3 parts')
const algorithm: SubtleCryptoImportKeyAlgorithm = algorithms[options.algorithm] const algorithm: SubtleCryptoImportKeyAlgorithm = algorithms[options.algorithm]
if (!algorithm) if (!algorithm)
throw new Error('algorithm not found') throw new Error('algorithm not found')
const { payload } = decode(token) const { payload } = decode(token)
if (!payload) { if (!payload) {
if (options.throwError) if (options.throwError)
throw 'PARSE_ERROR' throw 'PARSE_ERROR'
return false return false
} }
if (payload.nbf && payload.nbf > Math.floor(Date.now() / 1000)) { if (payload.nbf && payload.nbf > Math.floor(Date.now() / 1000)) {
if (options.throwError) if (options.throwError)
throw 'NOT_YET_VALID' throw 'NOT_YET_VALID'
return false return false
} }
if (payload.exp && payload.exp <= Math.floor(Date.now() / 1000)) { if (payload.exp && payload.exp <= Math.floor(Date.now() / 1000)) {
if (options.throwError) if (options.throwError)
throw 'EXPIRED' throw 'EXPIRED'
return false return false
} }
let keyFormat = 'raw'
let keyData const parsedSecret = _parseSecret(secret)
if (secret.startsWith('-----BEGIN')) { const key = await crypto.subtle.importKey(parsedSecret.raw ? 'raw' : 'spki', parsedSecret.key, algorithm, false, ['verify'])
keyFormat = 'spki'
keyData = _str2ab(secret.replace(/-----BEGIN.*?-----/g, '').replace(/-----END.*?-----/g, '').replace(/\s/g, '')) return crypto.subtle.verify(algorithm, key, base64UrlParse(tokenParts[2]), _utf8ToUint8Array(`${tokenParts[0]}.${tokenParts[1]}`))
} else
keyData = _utf8ToUint8Array(secret)
const key = await crypto.subtle.importKey(keyFormat, keyData, algorithm, false, ['verify'])
return await crypto.subtle.verify(algorithm, key, base64UrlParse(tokenParts[2]), _utf8ToUint8Array(`${tokenParts[0]}.${tokenParts[1]}`))
} }
/** /**