jwt-bearer-client-auth

Create and verify JWT bearer client assertions as defined by the OAuth 2.0 JWT bearer RFC (RFC 7523, client authentication profile)

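"use strict";
/**
 * @license
 * Copyright 2015-2022 Open Ag Data Alliance
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
Object.defineProperty(exports, "__esModule", { value: true });
exports.verify = void 0;
const pem_jwk_1 = require("pem-jwk");
const jsonwebtoken_1 = require("jsonwebtoken");
const certs_1 = require("@oada/certs");

/**
 * Signature algorithms accepted per key type.
 *
 * The key handed to jsonwebtoken is always PEM text (either `jwk.pem` or the
 * output of `jwk2pem`), i.e. public-key material. The HMAC family (HS256/384/512)
 * is therefore deliberately NOT in any list: allowing HS* next to a public key is
 * the well-known JWT algorithm-confusion attack, where the public key bytes are
 * used as the HMAC secret. Pinning the list explicitly also avoids jsonwebtoken's
 * insecure default algorithm selection (the original code cites CVE-2022-23540
 * and CVE-2022-23529 for this).
 *
 * NOTE(review): if a deployment really does supply a shared secret through a
 * `kty: 'PEM'` entry, HS* would have to be re-added for that case only — confirm
 * against @oada/certs before doing so.
 */
const RSA_ALGORITHMS = Object.freeze(['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512']);
const EC_ALGORITHMS = Object.freeze(['ES256', 'ES384', 'ES512']);
const ASYMMETRIC_ALGORITHMS = Object.freeze([...RSA_ALGORITHMS, ...EC_ALGORITHMS]);

/**
 * Verify a JWT bearer client assertion (RFC 7523 §3) and return its claims.
 *
 * Checks performed: signature against the key selected by
 * `jwksUtils.jwkForSignature(token, hint)`, `iss` / `aud` / `exp` / `nbf` via
 * jsonwebtoken, presence of the claims RFC 7523 makes mandatory, `sub` equal to
 * the client id, and any caller-supplied extra claims.
 *
 * @param {object} opts
 * @param {string} opts.token - Compact-serialised JWS presented as the client assertion (untrusted input).
 * @param {*} opts.hint - Passed through to `jwksUtils.jwkForSignature` to locate the signing key.
 *   NOTE(review): what `hint` constrains (and whether the lookup honours a `jku`/`kid`
 *   taken from the untrusted token header) is decided inside @oada/certs, not here;
 *   the key must come from a pre-registered location or the assertion is effectively
 *   self-signed — confirm there.
 * @param {string} [opts.issuer] - Expected `iss`. Forwarded to jsonwebtoken; if omitted,
 *   jsonwebtoken does not compare `iss` at all (only its presence is enforced below).
 * @param {string} opts.clientId - Expected `sub` (the OAuth client_id).
 * @param {string} [opts.tokenEndpoint] - Expected `aud` (the token endpoint URL). If omitted,
 *   jsonwebtoken does not compare `aud` at all (only its presence is enforced below).
 * @param {object} [opts.payload] - Extra claims that must be present with exactly these
 *   values (strict equality, so object/array values never match).
 * @returns {Promise<object>} the verified claims object.
 * @throws {Error|TypeError} on any verification failure (jsonwebtoken errors propagate as-is).
 */
async function verify({ token, hint, issuer, clientId, tokenEndpoint, payload }) {
  const jwk = await certs_1.jwksUtils.jwkForSignature(token, hint);

  let key;
  let algorithms;
  if (jwk.kty === 'PEM') {
    key = jwk.pem;
    // PEM text of unknown key type: allow every asymmetric algorithm, never HMAC.
    algorithms = ASYMMETRIC_ALGORITHMS;
  } else {
    key = pem_jwk_1.jwk2pem(jwk);
    // pem-jwk is an RSA converter; a non-RSA kty here falls back to the
    // asymmetric set rather than widening to HS*, so the worst case is rejection.
    algorithms = jwk.kty === 'RSA' ? RSA_ALGORITHMS : ASYMMETRIC_ALGORITHMS;
  }

  const jwtPayload = jsonwebtoken_1.verify(token, key, {
    issuer,
    audience: tokenEndpoint,
    algorithms: [...algorithms],
  });

  if (typeof jwtPayload === 'string') {
    throw new TypeError(`Failed to parse payload: ${jwtPayload}`);
  }

  // RFC 7523 §3 requires iss, sub, aud and exp. jsonwebtoken only checks iss/aud
  // when the matching option was supplied, so enforce presence here regardless.
  if (!jwtPayload.iss) {
    throw new Error('iss claim is required');
  }
  if (!jwtPayload.aud) {
    throw new Error('aud claim is required');
  }
  if (!jwtPayload.exp) {
    throw new Error('exp claim is required');
  }

  // sub must be present AND equal the client id. A bare `!==` would accept a
  // token with no sub whenever clientId is undefined (undefined === undefined).
  if (typeof jwtPayload.sub !== 'string' || jwtPayload.sub !== clientId) {
    throw new Error('sub claim is inconsistent with clientId');
  }

  // Optional nbf: RFC 7519 §4.1.5 says the token is valid when now >= nbf, so
  // only a strictly-future nbf is a violation (the original `<=` rejected the
  // boundary second). jsonwebtoken applies the same rule; this keeps the
  // library-independent error message.
  if (jwtPayload.nbf && Math.floor(Date.now() / 1000) < jwtPayload.nbf) {
    throw new Error('nbf claim violated');
  }

  // NOTE(review): no jti / replay tracking here. RFC 7523 leaves replay detection
  // to the authorization server; a caller that needs one-time use must record
  // jti (until exp) itself.

  // Any further caller-required claims, compared with strict equality.
  if (typeof payload === 'object' && payload !== null) {
    for (const [claim, expected] of Object.entries(payload)) {
      if (jwtPayload[claim] !== expected) {
        throw new Error(`${claim} claim is inconsistent`);
      }
    }
  }

  return jwtPayload;
}
exports.verify = verify;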