Merge pull request #333 from panva/bump-jose

adamjmcgrath · web-flow · commit 670bb7dd84d9 · 2022-11-01T14:57:16.000Z
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -8,9 +8,9 @@ jobs:
     parameters:
       node-version:
         type: string
-        default: "12"
+        default: "18"
     docker:
-      - image: circleci/node:<< parameters.node-version >>
+      - image: cimg/node:<< parameters.node-version >>
     environment:
       LANG: en_US.UTF-8
     steps:
@@ -37,7 +37,7 @@ workflows:
       - build:
           matrix:
             parameters:
-              node-version: ["10", "12", "14"]
+              node-version: ["14.20", "16.18", "18.12"]
       - ship/node-publish:
           requires:
             - build
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -15,7 +15,7 @@
     "@types/express": "^4.17.14",
     "@types/jsonwebtoken": "^8.5.9",
     "debug": "^4.3.4",
-    "jose": "^2.0.6",
+    "jose": "^4.10.3",
     "limiter": "^1.1.5",
     "lru-memoizer": "^2.1.4"
   },
@@ -32,6 +32,7 @@
     "express-jwt": "^6.0.0",
     "express-jwt-v7": "npm:express-jwt@^7.5.0",
     "jsonwebtoken": "^8.5.1",
+    "jose2": "npm:jose@^2.0.6",
     "koa": "^2.12.1",
     "koa-jwt": "^3.6.0",
     "mocha": "^6.2.3",
diff --git a/src/JwksClient.js b/src/JwksClient.js
@@ -56,7 +56,7 @@ class JwksClient {
       throw new JwksError('The JWKS endpoint did not contain any keys');
     }
 
-    const signingKeys = retrieveSigningKeys(keys);
+    const signingKeys = await retrieveSigningKeys(keys);
 
     if (!signingKeys.length) {
       throw new JwksError('The JWKS endpoint did not contain any signing keys');
diff --git a/src/integrations/passport.js b/src/integrations/passport.js
@@ -1,4 +1,4 @@
-const JWT = require('jose').JWT;
+const jose = require('jose');
 const { ArgumentError } = require('../errors');
 const { JwksClient } = require('../JwksClient');
 const supportedAlg = require('./config');
@@ -30,7 +30,10 @@ module.exports.passportJwtSecret = function (options) {
   return function secretProvider(req, rawJwtToken, cb) {
     let decoded;
     try {
-      decoded = JWT.decode(rawJwtToken, { complete: true });
+      decoded = {
+        payload: jose.decodeJwt(rawJwtToken),
+        header: jose.decodeProtectedHeader(rawJwtToken)
+      };
     } catch (err) {
       decoded = null;
     }
diff --git a/src/utils.js b/src/utils.js
@@ -1,17 +1,36 @@
 const jose = require('jose');
+const crypto = require('crypto');
 
-function retrieveSigningKeys(keys) {
-  const keystore = jose.JWKS.asKeyStore({ keys }, { ignoreErrors: true });
+async function retrieveSigningKeys(jwks) {
+  const results = [];
 
-  return keystore.all({ use: 'sig' }).map((key) => {
-    return {
-      kid: key.kid,
-      alg: key.alg,
-      get publicKey() { return key.toPEM(false); },
-      get rsaPublicKey() { return key.toPEM(false); },
-      getPublicKey() { return key.toPEM(false); }
-    };
-  });
+  jwks = jwks
+    .filter(({ use }) => use === 'sig' || use === undefined)
+    .filter(({ kty }) => kty === 'RSA' || kty === 'EC' || kty === 'OKP');
+
+  for (const jwk of jwks) {
+    try {
+      // The algorithm is actually not used in the Node.js KeyObject-based runtime
+      // passing an arbitrary value here and checking that KeyObject was returned
+      // later
+      const keyObject = await jose.importJWK(jwk, 'RS256');
+      if (!(keyObject instanceof crypto.KeyObject) || keyObject.type !== 'public') {
+        continue;
+      }
+      const getSpki = () => keyObject.export({ format: 'pem', type: 'spki' });
+      results.push({
+        get publicKey() { return getSpki(); },
+        get rsaPublicKey() { return getSpki(); },
+        getPublicKey() { return getSpki(); },
+        ...(typeof jwk.kid === 'string' && jwk.kid ? { kid: jwk.kid } : undefined),
+        ...(typeof jwk.alg === 'string' && jwk.alg ? { alg: jwk.alg } : undefined)
+      });
+    } catch (err) {
+      continue;
+    }
+  }
+
+  return results;
 }
 
 module.exports = {
diff --git a/src/wrappers/interceptor.js b/src/wrappers/interceptor.js
@@ -12,7 +12,7 @@ function getKeysInterceptor(client, { getKeysInterceptor }) {
 
     let signingKeys;
     if (keys && keys.length) {
-      signingKeys = retrieveSigningKeys(keys);
+      signingKeys = await retrieveSigningKeys(keys);
     }
 
     if (signingKeys && signingKeys.length) {
diff --git a/tests/mocks/jwks.js b/tests/mocks/jwks.js
@@ -1,12 +1,12 @@
 const nock = require('nock');
-const jose = require('jose');
+const jose2 = require('jose2');
 
 function jwksEndpoint(host, certs) {
   return nock(host)
     .get('/.well-known/jwks.json')
     .reply(200, {
       keys: certs.map(cert => {
-        const parsed = jose.JWK.asKey(cert.pub).toJWK();
+        const parsed = jose2.JWK.asKey(cert.pub).toJWK();
         return {
           ...parsed,
           use: 'sig',

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ class JwksClient {`
`56`	`56`	`throw new JwksError('The JWKS endpoint did not contain any keys');`
`57`	`57`	`}`
`58`	`58`
`59`		`- const signingKeys = retrieveSigningKeys(keys);`
	`59`	`+ const signingKeys = await retrieveSigningKeys(keys);`
`60`	`60`
`61`	`61`	`if (!signingKeys.length) {`
`62`	`62`	`throw new JwksError('The JWKS endpoint did not contain any signing keys');`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ function getKeysInterceptor(client, { getKeysInterceptor }) {`
`12`	`12`
`13`	`13`	`let signingKeys;`
`14`	`14`	`if (keys && keys.length) {`
`15`		`- signingKeys = retrieveSigningKeys(keys);`
	`15`	`+ signingKeys = await retrieveSigningKeys(keys);`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`if (signingKeys && signingKeys.length) {`