-
Notifications
You must be signed in to change notification settings - Fork 279
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(backend): Add new method for signing jwt tokens
This method is marked as unstable since it will be only used for internal purposes for now.
- Loading branch information
Showing
11 changed files
with
139 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
--- | ||
'@clerk/backend': patch | ||
--- | ||
|
||
Added \_\_unstable\_\_signJwt |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,5 @@ | ||
export { hasValidSignature, decodeJwt, verifyJwt } from './verifyJwt'; | ||
export { __unstable__signJwt } from './signJwt'; | ||
|
||
export type { VerifyJwtOptions } from './verifyJwt'; | ||
export type { SignJwtOptions } from './signJwt'; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,37 @@ | ||
import type QUnit from 'qunit'; | ||
|
||
import { | ||
mockJwtHeader, | ||
mockJwtPayload, | ||
pemEncodedPublicKey, | ||
pemEncodedSignKey, | ||
publicJwks, | ||
signingJwks, | ||
} from '../fixtures'; | ||
import { hasValidSignature } from './hasValidSignature'; | ||
import { __unstable__signJwt } from './signJwt'; | ||
import { decodeJwt } from './verifyJwt'; | ||
|
||
export default (QUnit: QUnit) => { | ||
const { module, test } = QUnit; | ||
|
||
module('signJwt(payload, options)', () => { | ||
test('signs a JWT with a JWK formatted secret', async assert => { | ||
const jwt = await __unstable__signJwt(mockJwtPayload, signingJwks, { | ||
algorithm: mockJwtHeader.alg, | ||
header: mockJwtHeader, | ||
}); | ||
|
||
assert.true(await hasValidSignature(decodeJwt(jwt), publicJwks)); | ||
}); | ||
|
||
test('signs a JWT with a pkcs8 formatted secret', async assert => { | ||
const jwt = await __unstable__signJwt(mockJwtPayload, pemEncodedSignKey, { | ||
algorithm: mockJwtHeader.alg, | ||
header: mockJwtHeader, | ||
}); | ||
|
||
assert.true(await hasValidSignature(decodeJwt(jwt), pemEncodedPublicKey)); | ||
}); | ||
}); | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
import runtime from '../../runtime'; | ||
import { base64url } from '../../util/rfc4648'; | ||
import { getCryptoAlgorithm, importKey } from './algorithms'; | ||
|
||
export interface SignJwtOptions { | ||
algorithm?: string; | ||
header?: Record<string, unknown>; | ||
} | ||
|
||
function encodeJwtData(value: unknown): string { | ||
const stringified = JSON.stringify(value); | ||
const encoder = new TextEncoder(); | ||
const encoded = encoder.encode(stringified); | ||
return base64url.stringify(encoded, { pad: false }); | ||
} | ||
|
||
export async function __unstable__signJwt( | ||
payload: Record<string, unknown>, | ||
secret: string | JsonWebKey, | ||
options: SignJwtOptions, | ||
): Promise<string> { | ||
if (!options.algorithm) { | ||
throw new Error('No algorithm specified'); | ||
} | ||
const encoder = new TextEncoder(); | ||
|
||
const algorithm = getCryptoAlgorithm(options.algorithm); | ||
if (!algorithm) { | ||
throw new Error(`Unsupported algorithm ${options.algorithm}`); | ||
} | ||
|
||
const cryptoKey = await importKey(secret, algorithm, 'sign'); | ||
const header = options.header || { typ: 'JWT' }; | ||
header.alg = options.algorithm; | ||
|
||
const encodedHeader = encodeJwtData(header); | ||
const encodedPayload = encodeJwtData(payload); | ||
const firstPart = `${encodedHeader}.${encodedPayload}`; | ||
|
||
const signature = await runtime.crypto.subtle.sign(algorithm, cryptoKey, encoder.encode(firstPart)); | ||
|
||
return `${firstPart}.${base64url.stringify(new Uint8Array(signature), { pad: false })}`; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters