-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PLT 155 - Introduce jwt signing js backend #1786
Conversation
🦋 Changeset detectedLatest commit: f47a6ba The changes in this PR will be included in the next version bump. This PR includes changesets to release 6 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
9194ca3
to
b8128d8
Compare
b8128d8
to
5f9a83c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Nikpolik excellent PR description!
Can you please elaborate on the comment about iat? Is this about updating the iat of the token when we compute the signature?
Basically overwrite the iat |
5f9a83c
to
2016926
Compare
51b07ba
to
7e4189c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👏 Nice work! Overall seems fine to me, just not approving since I'm not so well-versed in JS/TS and there might be some subtle issue with crypto I'm missing.
|
||
export type { VerifyJwtOptions } from './verifyJwt'; | ||
export type { SignJwtOptions } from './signJwt'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❓ Does it make sense to prefix these options as unstable? Unlikely to be used, but only for semantics purposes.
Really nice work! 🚀 |
b5b367e
to
c251845
Compare
Also extracted some functionality to scr/tokens/jwt/algorithms so it can be reused in the future and added some spec. Removed constants and tests for ES256, ES384, ES512
This method is marked as internal since it will be only used on other clerk packages for now.
c251845
to
f47a6ba
Compare
This PR has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Description
Added a new
signJwt(payload, secret, options)
function to allow us to sign tokens.Updated the
hasValidSignature(jwt, secret)
method to be able to verify tokens using PEM formatted keys.The process for signing JWT was heavily inspired from another library cloudflare-worker-jwt and its sign method.
Quick overview of process for signing JWT
headerEncoded.payloadEncoded
headerEncoded.payloadEncoded.signature
Changes implemented
Notes
jwk
,pkcs8
,spki
and notraw
.Isomorphic atob could be imported fromDone@clerk/shared
(fix(shared, nextjs): Support importing @clerk/shared in @clerk/backend #1769)In the cloudflare-worker-jwt implementation of the sign method, the IAT (Issued at) field in the payload is updated. I am not sure if this is something that should be handled in the signing process or when we create the payload 🤔Changed to update IAT.verifyJWT method was not updated since it has its own implementation ofFixed and removed duplicate (unusedhasValidSignature
maybe it should use the updated one? This will allow us to use it PEM pem keys also.hasValidSignature
)Checklist
npm test
runs as expected.npm run build
runs as expected.Type of change
Packages affected
@clerk/clerk-js
@clerk/clerk-react
@clerk/nextjs
@clerk/remix
@clerk/types
@clerk/themes
@clerk/localizations
@clerk/clerk-expo
@clerk/backend
@clerk/clerk-sdk-node
@clerk/shared
@clerk/fastify
@clerk/chrome-extension
gatsby-plugin-clerk
build/tooling/chore