JWKS exposed under /members/.well-known/jwks.json provides invalid key length for Member JWTs #24831

@the-leonat

Description

Issue Summary

When verifying JWT member tokens, the JSON Web Key Set (JWKS) exposed at /members/.well-known/jwks.json does not provide a public key of sufficient length to validate said tokens.

The issued member token header, retrieved from members/api/session/, looks like this:

{
  "alg": "RS512",
  "typ": "JWT",
  "kid": "redacted"
}

According to the official spec, RS512 requires the RSA key modulus length to be 2048 bits or larger. The current key exposed by Ghost’s JWKS endpoint appears to be smaller than this, resulting in the following error when verifying tokens with a compliant library like jose:

Error: RS512 requires key modulusLength to be 2048 bits or larger

Steps to Reproduce

Grab a member token at /member/api/session and a JSON Web Key at /members/.well-known/jwks.json. Make sure to use just the JSON Web Key, excluding the array.

{"kty":"RSA","kid":"2B9asCdRsVD1PorgY7K8KnJ3dF_0FB3v_3qM6pu00Y8","n":"o66I-4QwmERPboZwnhS6exwhZFRohZVOw_AK74C4BbwavIaCl-P0ZObJBnFcl7AWmNhFSRwDdg1L35CwNLMxhnzvmaLgu0qw4XrIFjFnPIV66zCt9HBSZk2fNQ0IN1bomUA7OQxe_Eou0_YNa-l9ZnfQnVnBIChaXALv89kSmaM","e":"AQAB"}

Enter it into a validation site like https://www.jwt.io/ and you get the following error:

RS512 requires key modulusLength to be 2048 bits or larger

Ghost Version

5., 6.

Node.js Version

22

How did you install Ghost?

Both locally and on servers installed via Docker and Ghost Pro.

Database type

MySQL 5.7

Browser & OS version

No response

Relevant log / error output

Code of Conduct

  • I agree to be friendly and polite to people in this repository

Labels: bug (something behaving unexpectedly), core team (being looked at by the core Ghost team)