fix(firebase): use importX509

aiji42 · Nov 22, 2021 · 7816ee1 · 7816ee1
1 parent fc1701c
commit 7816ee1
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 179 deletions.
diff --git a/package.json b/package.json
@@ -61,7 +61,6 @@
   },
   "dependencies": {
     "jose": "^4.3.7",
-    "js-x509-utils": "^1.0.3",
     "netmask": "^2.0.2"
   }
 }
diff --git a/src/__tests__/firebase.spec.ts b/src/__tests__/firebase.spec.ts
@@ -3,17 +3,13 @@ import { NextRequest } from 'next/server'
 import { handleFallback } from '../handle-fallback'
 import { Fallback } from '../types'
 import fetchMock from 'fetch-mock'
-import { decodeProtectedHeader, jwtVerify } from 'jose'
-import { toJwk } from 'js-x509-utils'
+import { decodeProtectedHeader, jwtVerify, importX509 } from 'jose'
 
 jest.mock('jose', () => ({
   importJWK: jest.fn(),
   decodeProtectedHeader: jest.fn(),
-  jwtVerify: jest.fn()
-}))
-
-jest.mock('js-x509-utils', () => ({
-  toJwk: jest.fn()
+  jwtVerify: jest.fn(),
+  importX509: jest.fn()
 }))
 
 fetchMock
@@ -165,7 +161,7 @@ describe('makeFirebaseInspector', () => {
       },
       undefined
     )
-    expect(toJwk).toBeCalledWith(undefined, 'pem')
+    expect(importX509).toBeCalledWith(undefined, 'RS256')
   })
 
   test('session cookie mode', async () => {
@@ -187,6 +183,6 @@ describe('makeFirebaseInspector', () => {
     } as unknown as NextRequest)
 
     expect(handleFallback).not.toBeCalled()
-    expect(toJwk).toBeCalledWith('zzzzzzzzzz', 'pem')
+    expect(importX509).toBeCalledWith('zzzzzzzzzz', 'RS256')
   })
 })
diff --git a/src/firebase.ts b/src/firebase.ts
@@ -2,8 +2,7 @@ import { AsyncMiddleware, Fallback } from './types'
 import { FIREBASE_COOKIE_KEY } from './constants'
 import { NextRequest } from 'next/server'
 import { handleFallback } from './handle-fallback'
-import { decodeProtectedHeader, jwtVerify, importJWK } from 'jose'
-import { toJwk } from 'js-x509-utils'
+import { decodeProtectedHeader, jwtVerify, importX509 } from 'jose'
 
 export const makeFirebaseInspector = (
   fallback: Fallback,
@@ -36,11 +35,9 @@ const verifyFirebaseIdToken = async (
     const keys: Record<string, string> = await fetch(endpoint).then((res) =>
       res.json()
     )
+    const { kid = '' } = decodeProtectedHeader(token)
 
-    const { kid = '', alg } = decodeProtectedHeader(token)
-    const jwk = await toJwk(keys[kid], 'pem')
-
-    return jwtVerify(token, await importJWK({ ...jwk, alg }))
+    return jwtVerify(token, await importX509(keys[kid], 'RS256'))
       .then((res) => customHandler?.(res.payload) ?? true)
       .catch(() => false)
   } catch (_) {

diff --git a/yarn.lock b/yarn.lock
@@ -2618,14 +2618,7 @@ asap@^2.0.0:
   resolved "https://registry.yarnpkg.com/asap/-/asap-2.0.6.tgz#e50347611d7e690943208bbdafebcbc2fb866d46"
   integrity sha1-5QNHYR1+aQlDIIu9r+vLwvuGbUY=
 
-asn1.js-rfc5280@~3.0.0:
-  version "3.0.0"
-  resolved "https://registry.yarnpkg.com/asn1.js-rfc5280/-/asn1.js-rfc5280-3.0.0.tgz#94e60498d5d4984b842d1a825485837574ccc902"
-  integrity sha512-Y2LZPOWeZ6qehv698ZgOGGCZXBQShObWnGthTrIFlIQjuV1gg2B8QOhWFRExq/MR1VnPpIIe7P9vX2vElxv+Pg==
-  dependencies:
-    asn1.js "^5.0.0"
-
-asn1.js@^5.0.0, asn1.js@^5.2.0, asn1.js@~5.4.1:
+asn1.js@^5.2.0:
   version "5.4.1"
   resolved "https://registry.yarnpkg.com/asn1.js/-/asn1.js-5.4.1.tgz#11a980b84ebb91781ce35b0fdc2ee294e3783f07"
   integrity sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==
@@ -3301,7 +3294,7 @@ [email protected]:
   dependencies:
     optimist ">=0.1.0"
 
-base64-js@^1.0.2, base64-js@^1.3.1:
+base64-js@^1.0.2:
   version "1.5.1"
   resolved "https://registry.yarnpkg.com/base64-js/-/base64-js-1.5.1.tgz#1b1b440160a5bf7ad40b650f095963481903930a"
   integrity sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==
@@ -3367,7 +3360,7 @@ bn.js@^4.0.0, bn.js@^4.1.0, bn.js@^4.11.9:
   resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-4.12.0.tgz#775b3f278efbb9718eec7361f483fb36fbbfea88"
   integrity sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==
 
-bn.js@^5.0.0, bn.js@^5.1.1, bn.js@~5.2.0:
+bn.js@^5.0.0, bn.js@^5.1.1:
   version "5.2.0"
   resolved "https://registry.yarnpkg.com/bn.js/-/bn.js-5.2.0.tgz#358860674396c6997771a9d051fcc1b57d4ae002"
   integrity sha512-D7iWRBvnZE8ecXiLj/9wbxH7Tk79fAh8IHaTNq1RWRixsS02W+5qS+iE9yq6RYl0asXx5tw0bLhmT5pIfbSquw==
@@ -3556,14 +3549,6 @@ [email protected]:
     base64-js "^1.0.2"
     ieee754 "^1.1.4"
 
-[email protected], buffer@~6.0.0:
-  version "6.0.3"
-  resolved "https://registry.yarnpkg.com/buffer/-/buffer-6.0.3.tgz#2ace578459cc8fbe2a70aaa8f52ee63b6a74c6c6"
-  integrity sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA==
-  dependencies:
-    base64-js "^1.3.1"
-    ieee754 "^1.2.1"
-
 builtin-status-codes@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz#85982878e21b98e1c66425e03d0174788f569ee8"
@@ -3777,11 +3762,6 @@ chardet@^0.7.0:
   resolved "https://registry.yarnpkg.com/chardet/-/chardet-0.7.0.tgz#90094849f0937f2eedc2425d0d28a9e5f0cbad9e"
   integrity sha512-mT8iDcrh03qDGRRmoA2hmBJnxpllMR+0/0qlzjqZES6NdiWDcZkCNAk4rPFZ9Q85r27unkiNNg8ZOiwZXBHwcA==
 
-[email protected]:
-  version "0.0.2"
-  resolved "https://registry.yarnpkg.com/charenc/-/charenc-0.0.2.tgz#c0a1d2f3a7092e03774bfa83f14c0fc5790a8667"
-  integrity sha1-wKHS86cJLgN3S/qD8UwPxXkKhmc=
-
 [email protected]:
   version "3.5.1"
   resolved "https://registry.yarnpkg.com/chokidar/-/chokidar-3.5.1.tgz#ee9ce7bbebd2b79f49f304799d5468e31e14e68a"
@@ -4325,11 +4305,6 @@ cross-spawn@^7.0.0, cross-spawn@^7.0.2, cross-spawn@^7.0.3:
     shebang-command "^2.0.0"
     which "^2.0.1"
 
-[email protected]:
-  version "0.0.2"
-  resolved "https://registry.yarnpkg.com/crypt/-/crypt-0.0.2.tgz#88d7ff7ec0dfb86f713dc87bbb42d044d3e6c41b"
-  integrity sha1-iNf/fsDfuG9xPch7u0LQRNPmxBs=
-
 [email protected]:
   version "3.12.0"
   resolved "https://registry.yarnpkg.com/crypto-browserify/-/crypto-browserify-3.12.0.tgz#396cf9f3137f03e4b8e532c58f698254e00f80ec"
@@ -4565,7 +4540,7 @@ deprecation@^2.0.0, deprecation@^2.3.1:
   resolved "https://registry.yarnpkg.com/deprecation/-/deprecation-2.3.1.tgz#6368cbdb40abf3373b525ac87e4a260c3a700919"
   integrity sha512-xmHIy4F3scKVwMsQ4WnVaS8bHOx0DmVwRywosKhaILI0ywMDWPtBSku2HNxRvF7jtwDRsoEwYQSfbxj8b7RlJQ==
 
-des.js@^1.0.0, des.js@~1.0.0:
+des.js@^1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/des.js/-/des.js-1.0.1.tgz#5382142e1bdc53f85d86d53e5f4aa7deb91e0843"
   integrity sha512-Q0I4pfFrv2VPd34/vfLrFOoRmlYj3OV50i7fskps1jZWK1kApMWWT9G6RRUeYedLcBDIhnSDaUvJMb3AhUlaEA==
@@ -4727,7 +4702,7 @@ electron-to-chromium@^1.3.896:
   resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.3.904.tgz#52a353994faeb0f2a9fab3606b4e0614d1af7b58"
   integrity sha512-x5uZWXcVNYkTh4JubD7KSC1VMKz0vZwJUqVwY3ihsW0bst1BXDe494Uqbg3Y0fDGVjJqA8vEeGuvO5foyH2+qw==
 
-elliptic@^6.5.3, elliptic@~6.5.0:
+elliptic@^6.5.3:
   version "6.5.4"
   resolved "https://registry.yarnpkg.com/elliptic/-/elliptic-6.5.4.tgz#da37cebd31e79a1367e941b592ed1fbebd58abbb"
   integrity sha512-iLhC6ULemrljPZb+QutR5TQGB+pdW6KGD5RSegS+8sorOZT+rdQFbsQFJgvN3eRqNALqJer4oQ16YvJHlU8hzQ==
@@ -5768,7 +5743,7 @@ hash-base@^3.0.0:
     readable-stream "^3.6.0"
     safe-buffer "^5.2.0"
 
-hash.js@^1.0.0, hash.js@^1.0.3, hash.js@~1.1.7:
+hash.js@^1.0.0, hash.js@^1.0.3:
   version "1.1.7"
   resolved "https://registry.yarnpkg.com/hash.js/-/hash.js-1.1.7.tgz#0babca538e8d4ee4a0f8988d68866537a003cf42"
   integrity sha512-taOaskGt4z4SOANNseOviYDvjEJinIkRgmp7LbKP2YTTmVxWBl87s/uzK9r+44BclBSp2X7K1hqeNfz9JbBeXA==
@@ -5940,7 +5915,7 @@ iconv-lite@^0.6.2:
   dependencies:
     safer-buffer ">= 2.1.2 < 3.0.0"
 
-ieee754@^1.1.4, ieee754@^1.2.1:
+ieee754@^1.1.4:
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/ieee754/-/ieee754-1.2.1.tgz#8eb7a10a63fff25d15a57b001586d177d1b0d352"
   integrity sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==
@@ -6156,11 +6131,6 @@ is-boolean-object@^1.1.0:
   dependencies:
     call-bind "^1.0.2"
 
-is-buffer@~1.1.6:
-  version "1.1.6"
-  resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-1.1.6.tgz#efaa2ea9daa0d7ab2ea13a97b2b8ad51fefbe8be"
-  integrity sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==
-
 is-callable@^1.1.4, is-callable@^1.2.3:
   version "1.2.3"
   resolved "https://registry.yarnpkg.com/is-callable/-/is-callable-1.2.3.tgz#8b1e0500b73a1d76c70487636f368e519de8db8e"
@@ -6946,101 +6916,6 @@ jose@^4.3.7:
   resolved "https://registry.yarnpkg.com/jose/-/jose-4.3.7.tgz#5000e4a2d41ae411a5abdd11e6baf63fc2973a69"
   integrity sha512-S7Xfsy8nN9Iw/AZxk+ZxEbd5ImIwJPM0TfAo8zI8FF+3lidQ2yiK4dqzsaPKSbZD0woNVSY0KCql6rlKc5V7ug==
 
-js-crypto-aes@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-crypto-aes/-/js-crypto-aes-1.0.3.tgz#74a7d3fe22d40cb89722f6ef725b2c725f2110c2"
-  integrity sha512-+kLIa4Rm3xi4a3j3cLzhg5HWdUbu5rVLif1MAvWSDT7EfDKEcgCpMTcYa/OdF0o/vBWeC7CWmIQYJJG5fEjLfA==
-  dependencies:
-    js-crypto-env "^1.0.3"
-
-js-crypto-ec@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-crypto-ec/-/js-crypto-ec-1.0.3.tgz#8d9e32c84ded9b352502ee06744c98536c918071"
-  integrity sha512-hR0sTmtzqgSnI2ISeldV/TGLXfZr2pCiwBEB2UCG0Ii5OwJt58CYyp+RPFQIA/Vt3/WVQtOqBU0jMxb1TK8YrA==
-  dependencies:
-    asn1.js "~5.4.1"
-    buffer "~6.0.0"
-    elliptic "~6.5.0"
-    js-crypto-env "^1.0.3"
-    js-crypto-hash "^1.0.3"
-    js-crypto-key-utils "^1.0.3"
-    js-crypto-random "^1.0.3"
-    js-encoding-utils "0.6.2"
-
-js-crypto-env@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-crypto-env/-/js-crypto-env-1.0.3.tgz#1d545b49fc2d7a13649a6b4e8a21b5ac290cf51f"
-  integrity sha512-AQnOCVXSe6cx6UlO06Ks+26I/BrHlpJ2MJgM2Ujj25WAQZEVYShKDIk7teDg5A27kcaoHrsxrxG0SfP9EAm72g==
-
-js-crypto-hash@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-crypto-hash/-/js-crypto-hash-1.0.3.tgz#3cf21ec2006995e5e838ea94dc6afbbd22b437b3"
-  integrity sha512-LXfYkQNocto9Uv8gLNx3cyki1CQ0HoxRoxjLVqiCm97EwPbDj7TJpG3VSTdaucWRCNg8kKGTb+3aOmB+mLbLUQ==
-  dependencies:
-    buffer "~6.0.0"
-    hash.js "~1.1.7"
-    js-crypto-env "^1.0.3"
-    md5 "~2.3.0"
-    sha3 "~2.1.0"
-
-js-crypto-hmac@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-crypto-hmac/-/js-crypto-hmac-1.0.3.tgz#12cf09a09b5a28f89c1317d3be05d4213c9bebd5"
-  integrity sha512-UFt+xjHb3chK6iP5oQGvJ7fI5AarKQyKxptix7sKvsHXOPjpY4x91I+W7pnibNjHR28R5vdAC/Ce1NQ4ZAxIOw==
-  dependencies:
-    js-crypto-env "^1.0.3"
-    js-crypto-hash "^1.0.3"
-
-js-crypto-key-utils@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-crypto-key-utils/-/js-crypto-key-utils-1.0.3.tgz#bee037ae6156331a284bad1ef54f79187b71a6ba"
-  integrity sha512-8gQ4gY/m7UDEZw3QA40FCXYdi0y+uqCeFRtsz27sJkK0UGA3Qbl8/cq7bNeKETGXq2DVbJ0hI6BMxkm5PZhfdg==
-  dependencies:
-    asn1.js "~5.4.1"
-    buffer "~6.0.0"
-    des.js "~1.0.0"
-    elliptic "~6.5.0"
-    js-crypto-aes "^1.0.3"
-    js-crypto-hash "^1.0.3"
-    js-crypto-pbkdf "^1.0.3"
-    js-crypto-random "^1.0.3"
-    js-encoding-utils "0.6.2"
-    lodash.clonedeep "~4.5.0"
-
-js-crypto-pbkdf@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-crypto-pbkdf/-/js-crypto-pbkdf-1.0.3.tgz#c8a357195e894198a518a44d7c358248cfeb1363"
-  integrity sha512-28cqJmvblPd+wohChJq88cQP6891OP5rPgmcOgwvNCRMDlgGDFq0AqvHxcqLSyodoHCzSMh74V9yx8GcxF5ggA==
-  dependencies:
-    js-crypto-hash "^1.0.3"
-    js-crypto-hmac "^1.0.3"
-    js-encoding-utils "0.6.2"
-
-js-crypto-random@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-crypto-random/-/js-crypto-random-1.0.3.tgz#d47f8d9246ccbd5190206e8975bb29a64298ce41"
-  integrity sha512-XotiRPgdGoj4FVj1Dg97bkkucZfJ4q+0Y9eJi/7fatdTjmewo3sfLJBYb0k+hlDHZCmQ0QkW3Oac9YFTlb019g==
-  dependencies:
-    js-crypto-env "^1.0.3"
-
-js-crypto-rsa@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-crypto-rsa/-/js-crypto-rsa-1.0.3.tgz#59dcde36e9bf35748da22a0555dbbff8651d8049"
-  integrity sha512-zW8wuBDM9c8rm+qlCu0MlzXZjP8okJzqMqqh37fMMsjJs074HFyMl97rrIM0eo8mXQJrPfLa1hvOFLiswTKl1w==
-  dependencies:
-    bn.js "~5.2.0"
-    buffer "~6.0.0"
-    js-crypto-env "^1.0.3"
-    js-crypto-hash "^1.0.3"
-    js-crypto-key-utils "^1.0.3"
-    js-crypto-random "^1.0.3"
-    js-encoding-utils "0.6.2"
-
-[email protected]:
-  version "0.6.2"
-  resolved "https://registry.yarnpkg.com/js-encoding-utils/-/js-encoding-utils-0.6.2.tgz#8a8dfe5318bdf7aa027e9754ed0a8bb969a8c17f"
-  integrity sha512-SHH61JiECVTxS86USR/n76luRNsL7zqZVxJl6MG8ZR2GL/ooCNi0e5sV9GkH/8yAJMexgvSYHReMhX5tvna/oA==
-
 "js-tokens@^3.0.0 || ^4.0.0", js-tokens@^4.0.0:
   version "4.0.0"
   resolved "https://registry.yarnpkg.com/js-tokens/-/js-tokens-4.0.0.tgz#19203fb59991df98e3a287050d4647cdeaf32499"
@@ -7051,21 +6926,6 @@ js-tokens@^3.0.2:
   resolved "https://registry.yarnpkg.com/js-tokens/-/js-tokens-3.0.2.tgz#9866df395102130e38f7f996bceb65443209c25b"
   integrity sha1-mGbfOVECEw449/mWvOtlRDIJwls=
 
-js-x509-utils@^1.0.3:
-  version "1.0.3"
-  resolved "https://registry.yarnpkg.com/js-x509-utils/-/js-x509-utils-1.0.3.tgz#c8a5bfbb34f96e234de88b2996cd739abb75b0d6"
-  integrity sha512-WIFPwDnjiCeuQXanmo7p7x5AhIH5RWhNl2VGu/aLKyMXI7+ONGNvCN+QvSq1iQ4509Y279GVsu9ByMiqOOjPYA==
-  dependencies:
-    asn1.js "~5.4.1"
-    asn1.js-rfc5280 "~3.0.0"
-    bn.js "~5.2.0"
-    buffer "~6.0.0"
-    js-crypto-ec "^1.0.3"
-    js-crypto-key-utils "^1.0.3"
-    js-crypto-random "^1.0.3"
-    js-crypto-rsa "^1.0.3"
-    js-encoding-utils "0.6.2"
-
 js-yaml@^3.13.1, js-yaml@^3.3.1:
   version "3.14.1"
   resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.1.tgz#dae812fdb3825fa306609a8717383c50c36a0537"
@@ -7863,15 +7723,6 @@ md5.js@^1.3.4:
     inherits "^2.0.1"
     safe-buffer "^5.1.2"
 
-md5@~2.3.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/md5/-/md5-2.3.0.tgz#c3da9a6aae3a30b46b7b0c349b87b110dc3bda4f"
-  integrity sha512-T1GITYmFaKuO91vxyoQMFETst+O71VUPEU3ze5GNzDm0OWdP8v1ziTaAEPUr/3kLsY3Sftgz242A1SetQiDL7g==
-  dependencies:
-    charenc "0.0.2"
-    crypt "0.0.2"
-    is-buffer "~1.1.6"
-
 meant@^1.0.2:
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/meant/-/meant-1.0.3.tgz#67769af9de1d158773e928ae82c456114903554c"
@@ -10260,13 +10111,6 @@ sha.js@^2.4.0, sha.js@^2.4.8:
     inherits "^2.0.1"
     safe-buffer "^5.0.1"
 
-sha3@~2.1.0:
-  version "2.1.4"
-  resolved "https://registry.yarnpkg.com/sha3/-/sha3-2.1.4.tgz#000fac0fe7c2feac1f48a25e7a31b52a6492cc8f"
-  integrity sha512-S8cNxbyb0UGUM2VhRD4Poe5N58gJnJsLJ5vC7FYWGUmGhcsj4++WaIOBFVDxlG0W3To6xBuiRh+i0Qp2oNCOtg==
-  dependencies:
-    buffer "6.0.3"
-
 sha@^3.0.0:
   version "3.0.0"
   resolved "https://registry.yarnpkg.com/sha/-/sha-3.0.0.tgz#b2f2f90af690c16a3a839a6a6c680ea51fedd1ae"