feat: allow compact verify/decrypt tokens to be uint8array encoded

This means that when Nested JWT is used the decrypted plaintext can
be piped directly to verify.

src/jwe/compact/decrypt.ts

@@ -1,5 +1,6 @@
 import decrypt from '../flattened/decrypt.js'
 import { JWEInvalid } from '../../util/errors.js'
+import { decoder } from '../../lib/buffer_utils.js'
 import type {
  KeyLike,
  DecryptOptions,
@@ -60,12 +61,17 @@ export interface CompactDecryptGetKey extends GetKeyFunction<JWEHeaderParameters
  * ```
  */
 export default async function compactDecrypt(
- jwe: string,
+ jwe: string | Uint8Array,
  key: KeyLike | CompactDecryptGetKey,
  options?: DecryptOptions,
 ): Promise<CompactDecryptResult> {
+ if (jwe instanceof Uint8Array) {
+ // eslint-disable-next-line no-param-reassign
+ jwe = decoder.decode(jwe)
+ }
+
  if (typeof jwe !== 'string') {
- throw new JWEInvalid('Compact JWE must be a string')
+ throw new JWEInvalid('Compact JWE must be a string or Uint8Array')
  }
  const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length } = jwe.split(
  '.',

src/jws/compact/verify.ts

@@ -1,5 +1,6 @@
 import verify from '../flattened/verify.js'
 import { JWSInvalid } from '../../util/errors.js'
+import { decoder } from '../../lib/buffer_utils.js'
 import type {
  CompactVerifyResult,
  FlattenedJWSInput,
@@ -57,12 +58,17 @@ export interface CompactVerifyGetKey
  * ```
  */
 export default async function compactVerify(
- jws: string,
+ jws: string | Uint8Array,
  key: KeyLike | CompactVerifyGetKey,
  options?: VerifyOptions,
 ): Promise<CompactVerifyResult> {
+ if (jws instanceof Uint8Array) {
+ // eslint-disable-next-line no-param-reassign
+ jws = decoder.decode(jws)
+ }
+
  if (typeof jws !== 'string') {
- throw new JWSInvalid('Compact JWS must be a string')
+ throw new JWSInvalid('Compact JWS must be a string or Uint8Array')
  }
  const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.')
 

src/jwt/decrypt.ts

@@ -63,7 +63,7 @@ export interface JWTDecryptGetKey extends GetKeyFunction<JWEHeaderParameters, Fl
  * ```
  */
 export default async function jwtDecrypt(
- jwt: string,
+ jwt: string | Uint8Array,
  key: KeyLike | JWTDecryptGetKey,
  options?: JWTDecryptOptions,
 ): Promise<JWTDecryptResult> {

src/jwt/verify.ts

@@ -64,7 +64,7 @@ export interface JWTVerifyGetKey extends GetKeyFunction<JWSHeaderParameters, Fla
  * ```
  */
 export default async function jwtVerify(
- jwt: string,
+ jwt: string | Uint8Array,
  key: KeyLike | JWTVerifyGetKey,
  options?: JWTVerifyOptions,
 ): Promise<JWTVerifyResult> {

test/jwe/compact.decrypt.test.mjs

@@ -6,7 +6,7 @@ import(`${root}/jwe/compact/decrypt`).then(
  ({ default: flattenedDecrypt }) => {
  test('JWE format validation', async (t) => {
  await t.throwsAsync(flattenedDecrypt(null, new Uint8Array()), {
- message: 'Compact JWE must be a string',
+ message: 'Compact JWE must be a string or Uint8Array',
  code: 'ERR_JWE_INVALID',
  });
  await t.throwsAsync(flattenedDecrypt('...', new Uint8Array()), {

test/jws/compact.verify.test.mjs

@@ -6,7 +6,7 @@ import(`${root}/jws/compact/verify`).then(
  ({ default: flattenedVerify }) => {
  test('JWS format validation', async (t) => {
  await t.throwsAsync(flattenedVerify(null, new Uint8Array()), {
- message: 'Compact JWS must be a string',
+ message: 'Compact JWS must be a string or Uint8Array',
  code: 'ERR_JWS_INVALID',
  });
  await t.throwsAsync(flattenedVerify('.....', new Uint8Array()), {

test/jwt/decrypt.test.mjs

@@ -49,6 +49,7 @@ Promise.all([
  maxTokenAge: '30s',
  }),
  );
+ await t.notThrowsAsync(jwtDecrypt(new TextEncoder().encode(jwt), t.context.secret));
  });
 
  test('Payload must be an object', async (t) => {

test/jwt/verify.test.mjs

@@ -49,6 +49,7 @@ Promise.all([
  maxTokenAge: '30s',
  }),
  );
+ await t.notThrowsAsync(jwtVerify(new TextEncoder().encode(jwt), t.context.secret));
  });
 
  test('Payload must be an object', async (t) => {