[major] bump jose

.circleci/config.yml

@@ -8,7 +8,7 @@ jobs:
  parameters:
  node-version:
  type: string
- default: "12"
+ default: "18"
  docker:
  - image: circleci/node:<< parameters.node-version >>
  environment:
@@ -37,7 +37,7 @@ workflows:
  - build:
  matrix:
  parameters:
- node-version: ["10", "12", "14"]
+ node-version: ["14", "16", "18"]
  - ship/node-publish:
  requires:
  - build

package.json

@@ -15,7 +15,7 @@
  "@types/express": "^4.17.14",
  "@types/jsonwebtoken": "^8.5.9",
  "debug": "^4.3.4",
- "jose": "^2.0.6",
+ "jose": "^4.10.3",
  "limiter": "^1.1.5",
  "lru-memoizer": "^2.1.4"
  },
@@ -32,6 +32,7 @@
  "express-jwt": "^6.0.0",
  "express-jwt-v7": "npm:express-jwt@^7.5.0",
  "jsonwebtoken": "^8.5.1",
+ "jose2": "npm:jose@^2.0.6",
  "koa": "^2.12.1",
  "koa-jwt": "^3.6.0",
  "mocha": "^6.2.3",

src/JwksClient.js

@@ -56,7 +56,7 @@ class JwksClient {
  throw new JwksError('The JWKS endpoint did not contain any keys');
  }
 
- const signingKeys = retrieveSigningKeys(keys);
+ const signingKeys = await retrieveSigningKeys(keys);
 
  if (!signingKeys.length) {
  throw new JwksError('The JWKS endpoint did not contain any signing keys');

src/integrations/passport.js

@@ -1,4 +1,4 @@
-const JWT = require('jose').JWT;
+const jose = require('jose');
 const { ArgumentError } = require('../errors');
 const { JwksClient } = require('../JwksClient');
 const supportedAlg = require('./config');
@@ -30,7 +30,10 @@ module.exports.passportJwtSecret = function (options) {
  return function secretProvider(req, rawJwtToken, cb) {
  let decoded;
  try {
- decoded = JWT.decode(rawJwtToken, { complete: true });
+ decoded = {
+ payload: jose.decodeJwt(rawJwtToken),
+ header: jose.decodeProtectedHeader(rawJwtToken)
+ };
  } catch (err) {
  decoded = null;
  }

src/utils.js

@@ -1,17 +1,36 @@
 const jose = require('jose');
+const crypto = require('crypto');
 
-function retrieveSigningKeys(keys) {
- const keystore = jose.JWKS.asKeyStore({ keys }, { ignoreErrors: true });
+async function retrieveSigningKeys(jwks) {
+ const results = [];
 
- return keystore.all({ use: 'sig' }).map((key) => {
- return {
- kid: key.kid,
- alg: key.alg,
- get publicKey() { return key.toPEM(false); },
- get rsaPublicKey() { return key.toPEM(false); },
- getPublicKey() { return key.toPEM(false); }
- };
- });
+ jwks = jwks
+ .filter(({ use }) => use === 'sig' || use === undefined)
+ .filter(({ kty }) => kty === 'RSA' || kty === 'EC' || kty === 'OKP');
+
+ for (const jwk of jwks) {
+ try {
+ // The algorithm is actually not used in the Node.js KeyObject-based runtime
+ // passing an arbitrary value here and checking that KeyObject was returned
+ // later
+ const keyObject = await jose.importJWK(jwk, 'RS256');
+ if (!(keyObject instanceof crypto.KeyObject) || keyObject.type !== 'public') {
+ continue;
+ }
+ const getSpki = () => keyObject.export({ format: 'pem', type: 'spki' });
+ results.push({
+ get publicKey() { return getSpki(); },
+ get rsaPublicKey() { return getSpki(); },
+ getPublicKey() { return getSpki(); },
+ ...(typeof jwk.kid === 'string' && jwk.kid ? { kid: jwk.kid } : undefined),
+ ...(typeof jwk.alg === 'string' && jwk.alg ? { alg: jwk.alg } : undefined)
+ });
+ } catch (err) {
+ continue;
+ }
+ }
+
+ return results;
 }
 
 module.exports = {

src/wrappers/interceptor.js

@@ -12,7 +12,7 @@ function getKeysInterceptor(client, { getKeysInterceptor }) {
 
  let signingKeys;
  if (keys && keys.length) {
- signingKeys = retrieveSigningKeys(keys);
+ signingKeys = await retrieveSigningKeys(keys);
  }
 
  if (signingKeys && signingKeys.length) {

tests/mocks/jwks.js

@@ -1,12 +1,12 @@
 const nock = require('nock');
-const jose = require('jose');
+const jose2 = require('jose2');
 
 function jwksEndpoint(host, certs) {
  return nock(host)
  .get('/.well-known/jwks.json')
  .reply(200, {
  keys: certs.map(cert => {
- const parsed = jose.JWK.asKey(cert.pub).toJWK();
+ const parsed = jose2.JWK.asKey(cert.pub).toJWK();
  return {
  ...parsed,
  use: 'sig',