Implement JWT

index.ts

@@ -2,6 +2,7 @@ import {hkdf, pbkdf, Usage} from "./src/kdf"
 
 export const kdf = {hkdf, pbkdf, Usage}
 export * as signature from "./src/signature"
+export * as JWT from "./src/jwt"
 export {SecretBox} from './src/secret-box'
 export {PrivateWrap} from './src/private-wrap'
 export {SecretWrap} from './src/secret-wrap'

src/jwt.ts

@@ -0,0 +1,58 @@
+import * as jose from 'jose'
+import logger from 'log'
+
+const log = logger('crypto:jwt')
+
+export type Key = jose.KeyLike | Uint8Array
+
+export class JWTcontext {
+    private constructor(
+        private readonly key: Key,
+    ) {}
+
+    public static async gen_key(): Promise<Key> {
+        log.trace("generate key")
+        return jose.generateSecret("HS512")
+    }
+    public static new(key: Key) : JWTcontext {
+        return new JWTcontext(key)
+    }
+    public static async new_random() : Promise<JWTcontext> {
+        const k = await JWTcontext.gen_key()
+        return new JWTcontext(k)
+    }
+
+    public async sign<T>(message: T, set_issued: boolean = false, exp?: number | string | Date, audience?: string | string[], issuer?: string): Promise<string> {
+        log.trace('sign JWT')
+        log.trace('Config :', {
+            set_issued,
+            exp,
+            issuer,
+        })
+
+        let jwt = new jose.SignJWT({message}).setProtectedHeader({alg: "HS512"})
+
+        if (set_issued) jwt = jwt.setIssuedAt()
+        if (issuer !== undefined) jwt = jwt.setIssuer(issuer)
+        if (audience !== undefined) jwt = jwt.setAudience(audience)
+        if (exp !== undefined) jwt = jwt.setExpirationTime(exp)
+
+        return await jwt.sign(this.key)
+    }
+
+    public async verify<T>(jwt: string, audience?: string | string[], issuer?: string | string[]): Promise<T | null> {
+        log.debug('Verify JWT')
+        log.trace('Issuer :', issuer)
+        log.trace('Audience :', audience)
+
+        try {
+            let payload = await jose.jwtVerify(jwt, this.key, {audience, issuer})
+            return payload.payload.message as T
+        } catch (e) {
+            log.warn('JWT verification failed')
+            log.debug(`Error : ${e}`)
+        }
+
+        return null
+    }
+}

test/jwt.test.ts

@@ -0,0 +1,117 @@
+import {beforeAll, describe, expect, setSystemTime, test} from 'bun:test'
+import {JWTcontext} from '../src/jwt'
+
+
+let c!: JWTcontext;
+
+beforeAll(async () => {
+    c = await JWTcontext.new_random()
+})
+
+test('Base case', async () => {
+    let payload = {
+        yeet: "yaat",
+        lol: "yes"
+    }
+
+    const jwt = await c.sign(payload, true, "2 days", "pascal", "server")
+    const verified = await c.verify(jwt, "pascal", "server")
+    expect(verified).toEqual(payload)
+})
+
+describe("Audience verification", () => {
+    const cases : [string|string[]|undefined, string|string[]|undefined, boolean][] = [
+        // undefined at verify means we don't enforce that field
+        [undefined, undefined, true],
+        ["value", undefined, true],
+        [["value", "other"], undefined, true],
+
+        [undefined, "value", false],
+        [undefined, ["value", "other"], false],
+
+        ["value", "value", true],
+        ["value", ["value", "other"], true],
+        ["value", "yeet", false],
+        ["value", ["yeet", "other"], false],
+
+        [["value", "other"], "value", true],
+        [["value", "other"], ["value", "yeet"], true],
+        [["value", "other"], ["value", "other"], true],
+        [["yeet", "other"], "value", false],
+        [["value", "other"], ["yeet", "yaat"], false],
+    ]
+
+    for (const [at_sign, at_verify, result] of cases) {
+        test(`${at_sign} and ${at_verify} ${result ? 'should' : "shouldn't"} work`, async () => {
+            const message = "Yeet"
+
+            const jwt = await c.sign(message, false, undefined, at_sign)
+            const res = await c.verify<string>(jwt, at_verify)
+            if (result) {
+                expect(res).toBe(message)
+            } else {
+                expect(res).toBeNull()
+            }
+        })
+    }
+})
+describe("Issuer verification", () => {
+    const cases: [string|undefined, string|string[]|undefined, boolean][] = [
+        // undefined at verify means don't enforce the field
+        [undefined, undefined, true],
+        ["value", undefined, true],
+
+        [undefined, "value", false],
+        [undefined, ["value", "other"], false],
+
+        ["value", "value", true],
+        ["value", ["value", "other"], true],
+        ["value", "yeet", false],
+        ["value", ["yeet", "other"], false],
+    ]
+
+    for (const [at_sign, at_verify, result] of cases) {
+        test(`${at_sign} and ${at_verify} ${result ? 'should' : "shouldn't"} work`, async () => {
+            const message = "Yaat"
+
+            const jwt = await c.sign(message, false, undefined, undefined, at_sign)
+            const res = await c.verify<string>(jwt, undefined, at_verify)
+            if (result) {
+                expect(res).toBe(message)
+            } else {
+                expect(res).toBeNull()
+            }
+        })
+    }
+})
+test("Expired JWT is rejected", async () => {
+    const message = "yeet"
+
+    const jwt = await c.sign(message, false, "5min")
+
+    const today = new Date()
+    today.setDate(today.getDate() + 1)
+    setSystemTime(today)
+
+    const res = await c.verify<string>(jwt)
+    expect(res).toBeNull()
+})
+test("Wrong key won't decrypt", async () => {
+    const c2 = await JWTcontext.new_random()
+
+    const message = "yeet"
+    const jwt = await c.sign(message)
+    const res = await c2.verify<string>(jwt)
+
+    expect(res).toBeNull()
+})
+test("tampered JWT are rejected", async () => {
+    const message = "yeet"
+    let jwt = await c.sign(message)
+
+    if (jwt[0] === "a") jwt = "b" + jwt.substring(1)
+    else jwt = "a" + jwt.substring(1)
+
+    const res = await c.verify<string>(jwt)
+    expect(res).toBeNull()
+})