diff --git a/index.ts b/index.ts
index ea08463..5fed094 100644
--- a/index.ts
+++ b/index.ts
@@ -2,6 +2,7 @@ import {hkdf, pbkdf, Usage} from "./src/kdf"
 export const kdf = {hkdf, pbkdf, Usage}
 export * as signature from "./src/signature"
+export * as JWT from "./src/jwt"
 export {SecretBox} from './src/secret-box'
 export {PrivateWrap} from './src/private-wrap'
 export {SecretWrap} from './src/secret-wrap'
diff --git a/src/jwt.ts b/src/jwt.ts
new file mode 100644
index 0000000..454f7c9
--- /dev/null
+++ b/src/jwt.ts
@@ -0,0 +1,58 @@
+import * as jose from 'jose'
+import logger from 'log'
+
+const log = logger('crypto:jwt')
+
+export type Key = jose.KeyLike | Uint8Array
+
+export class JWTcontext {
+ private constructor(
+ private readonly key: Key,
+ ) {}
+
+ public static async gen_key(): Promise {
+ log.trace("generate key")
+ return jose.generateSecret("HS512")
+ }
+ public static new(key: Key) : JWTcontext {
+ return new JWTcontext(key)
+ }
+ public static async new_random() : Promise {
+ const k = await JWTcontext.gen_key()
+ return new JWTcontext(k)
+ }
+
+ public async sign(message: T, set_issued: boolean = false, exp?: number | string | Date, audience?: string | string[], issuer?: string): Promise {
+ log.trace('sign JWT')
+ log.trace('Config :', {
+ set_issued,
+ exp,
+ issuer,
+ })
+
+ let jwt = new jose.SignJWT({message}).setProtectedHeader({alg: "HS512"})
+
+ if (set_issued) jwt = jwt.setIssuedAt()
+ if (issuer !== undefined) jwt = jwt.setIssuer(issuer)
+ if (audience !== undefined) jwt = jwt.setAudience(audience)
+ if (exp !== undefined) jwt = jwt.setExpirationTime(exp)
+
+ return await jwt.sign(this.key)
+ }
+
+ public async verify(jwt: string, audience?: string | string[], issuer?: string | string[]): Promise {
+ log.debug('Verify JWT')
+ log.trace('Issuer :', issuer)
+ log.trace('Audience :', audience)
+
+ try {
+ let payload = await jose.jwtVerify(jwt, this.key, {audience, issuer})
+ return payload.payload.message as T
+ } catch (e) {
+ log.warn('JWT verification failed')
+ log.debug(`Error : ${e}`)
+ }
+
+ return null
+ }
+}
diff --git a/test/jwt.test.ts b/test/jwt.test.ts
new file mode 100644
index 0000000..e72e27a
--- /dev/null
+++ b/test/jwt.test.ts
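Review bot: `verify` does not constrain the accepted algorithm even though `sign` hard-codes `alg: "HS512"`; because `Key` is any `jose.KeyLike | Uint8Array`, the set of algorithms `jwtVerify` will accept depends on whatever key was handed to `new()`, so pin it to the one the class produces: `let payload = await jose.jwtVerify(jwt, this.key, {audience, issuer, algorithms: ['HS512']})`. A token that verifies but carries no `message` claim is returned as `undefined` cast to `T` rather than the `null` the catch path returns; a guard such as `if (!('message' in payload.payload)) return null` keeps a single null-on-failure contract. `sign(message)` with default arguments emits a token with neither `iat` nor `exp`, which deserves a TSDoc line on `sign` stating that an undefined `exp` means the token never expires, plus a class-level comment saying `verify` returns `null` for any rejected token and only logs the reason at debug level. The type parameters on `sign`/`verify` and the `Promise` return types appear to have been stripped in this rendering, presumably `sign<T>` and `Promise<string>` in the committed file.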
@@ -0,0 +1,117 @@
+import {beforeAll, describe, expect, setSystemTime, test} from 'bun:test'
+import {JWTcontext} from '../src/jwt'
+
+
+let c!: JWTcontext;
+
+beforeAll(async () => {
+ c = await JWTcontext.new_random()
+})
+
+test('Base case', async () => {
+ let payload = {
+ yeet: "yaat",
+ lol: "yes"
+ }
+
+ const jwt = await c.sign(payload, true, "2 days", "pascal", "server")
+ const verified = await c.verify(jwt, "pascal", "server")
+ expect(verified).toEqual(payload)
+})
+
+describe("Audience verification", () => {
+ const cases : [string|string[]|undefined, string|string[]|undefined, boolean][] = [
+ // undefined at verify means we don't enforce that field
+ [undefined, undefined, true],
+ ["value", undefined, true],
+ [["value", "other"], undefined, true],
+
+ [undefined, "value", false],
+ [undefined, ["value", "other"], false],
+
+ ["value", "value", true],
+ ["value", ["value", "other"], true],
+ ["value", "yeet", false],
+ ["value", ["yeet", "other"], false],
+
+ [["value", "other"], "value", true],
+ [["value", "other"], ["value", "yeet"], true],
+ [["value", "other"], ["value", "other"], true],
+ [["yeet", "other"], "value", false],
+ [["value", "other"], ["yeet", "yaat"], false],
+ ]
+
+ for (const [at_sign, at_verify, result] of cases) {
+ test(`${at_sign} and ${at_verify} ${result ? 
'should' : "shouldn't"} work`, async () => {
+ const message = "Yeet"
+
+ const jwt = await c.sign(message, false, undefined, at_sign)
+ const res = await c.verify(jwt, at_verify)
+ if (result) {
+ expect(res).toBe(message)
+ } else {
+ expect(res).toBeNull()
+ }
+ })
+ }
+})
+describe("Issuer verification", () => {
+ const cases: [string|undefined, string|string[]|undefined, boolean][] = [
+ // undefined at verify means don't enforce the field
+ [undefined, undefined, true],
+ ["value", undefined, true],
+
+ [undefined, "value", false],
+ [undefined, ["value", "other"], false],
+
+ ["value", "value", true],
+ ["value", ["value", "other"], true],
+ ["value", "yeet", false],
+ ["value", ["yeet", "other"], false],
+ ]
+
+ for (const [at_sign, at_verify, result] of cases) {
+ test(`${at_sign} and ${at_verify} ${result ? 'should' : "shouldn't"} work`, async () => {
+ const message = "Yaat"
+
+ const jwt = await c.sign(message, false, undefined, undefined, at_sign)
+ const res = await c.verify(jwt, undefined, at_verify)
+ if (result) {
+ expect(res).toBe(message)
+ } else {
+ expect(res).toBeNull()
+ }
+ })
+ }
+})
+test("Expired JWT is rejected", async () => {
+ const message = "yeet"
+
+ const jwt = await c.sign(message, false, "5min")
+
+ const today = new Date()
+ today.setDate(today.getDate() + 1)
+ setSystemTime(today)
+
+ const res = await c.verify(jwt)
+ expect(res).toBeNull()
+})
+test("Wrong key won't decrypt", async () => {
+ const c2 = await JWTcontext.new_random()
+
+ const message = "yeet"
+ const jwt = await c.sign(message)
+ const res = await c2.verify(jwt)
+
+ expect(res).toBeNull()
+})
+test("tampered JWT are rejected", async () => {
+ const message = "yeet"
+ let jwt = await c.sign(message)
+
+ if (jwt[0] === "a") jwt = "b" + jwt.substring(1)
+ else jwt = "a" + jwt.substring(1)
+
+ const res = await c.verify(jwt)
+ expect(res).toBeNull()
+})
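Review bot: `setSystemTime(today)` in "Expired JWT is rejected" is never undone, so every test that runs after it (the wrong-key and tampered cases here, and anything added later) executes under a clock a day ahead; add `setSystemTime()` at the end of that test, or in an `afterEach`, to restore the real clock. The tampered-JWT test only flips the first character of the header segment, so it exercises a header/signature mismatch but never a modified payload; splitting the token on `.` and altering the second segment would cover the integrity case that matters. The audience and issuer case names interpolate arrays with `${at_sign}`, which prints `value,other` and makes a failing case hard to identify; `${JSON.stringify(at_sign)}` in the template gives unambiguous names.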