17 | 17 | */ |
18 | 18 |
|
19 | 19 | import * as jose from "jose"; |
20 | | -import { JWKInterface } from "./models/crypto"; |
| 20 | +import { Crypto, JWKInterface } from "./models/crypto"; |
21 | 21 |
|
22 | | -interface CryptoInterface<T> { |
23 | | - base64URLEncode(value: T): string; |
24 | | - base64URLDecode(value: string): string; |
25 | | - hashSha256(data: string): Promise<Uint8Array>; // Changed to Promise to match implementation |
26 | | - generateRandomBytes(length: number): Uint8Array; |
27 | | - verifyJwt( |
28 | | - idToken: string, |
29 | | - jwk: Partial<any>, |
30 | | - algorithms: string[], |
31 | | - clientId: string, |
32 | | - issuer: string, |
33 | | - subject: string, |
34 | | - clockTolerance?: number, |
35 | | - ): Promise<boolean>; |
36 | | -} |
37 | | - |
38 | | -export class DefaultCrypto implements CryptoInterface<Uint8Array | string> { |
39 | | - |
40 | | - constructor() {} |
41 | | - |
42 | | - /** |
43 | | - * Cross-platform Base64URL encoding using 'jose' utilities |
44 | | - */ |
45 | | - public base64URLEncode(value: Uint8Array | string): string { |
46 | | - const uint8Array = typeof value === "string" |
47 | | - ? new TextEncoder().encode(value) |
48 | | - : value; |
| 22 | +/** |
| 23 | + * Default implementation of the Crypto interface using the 'jose' library |
| 24 | + * and the native Web Crypto API. |
| 25 | + */ |
| 26 | +export class DefaultCrypto implements Crypto<Uint8Array> { |
| 27 | + |
| 28 | + /** |
| 29 | + * Decodes a base64url string back into a UTF-8 string. |
| 30 | + */ |
| 31 | + public base64URLDecode(value: string): string { |
| 32 | + const decodedArray = jose.base64url.decode(value); |
| 33 | + return new TextDecoder().decode(decodedArray); |
| 34 | + } |
49 | 35 |
|
50 | | - return jose.base64url.encode(uint8Array); |
51 | | - } |
| 36 | + /** |
| 37 | + * Encodes a Uint8Array into a base64url string. |
| 38 | + */ |
| 39 | + public base64URLEncode(value: Uint8Array): string { |
| 40 | + return jose.base64url.encode(value); |
| 41 | + } |
52 | 42 |
|
53 | | - /** |
54 | | - * Cross-platform Base64URL decoding |
55 | | - */ |
56 | | - public base64URLDecode(value: string): string { |
57 | | - const decodedArray = jose.base64url.decode(value); |
58 | | - return new TextDecoder().decode(decodedArray); |
59 | | - } |
| 43 | + /** |
| 44 | + * Generates cryptographically strong random bytes. |
| 45 | + */ |
| 46 | + public generateRandomBytes(length: number): Uint8Array { |
| 47 | + return crypto.getRandomValues(new Uint8Array(length)); |
| 48 | + } |
60 | 49 |
|
61 | | - public async hashSha256(data: string): Promise<Uint8Array> { |
62 | | - const encoder = new TextEncoder(); |
| 50 | + /** |
| 51 | + * Hash data using SHA-256. |
| 52 | + * Note: The Crypto interface expects synchronous return, but Web Crypto is async. |
| 53 | + * This implementation throws an error - use IsomorphicCrypto wrapper for async hashing. |
| 54 | + */ |
| 55 | + public async hashSha256(data: string): Promise<Uint8Array> { |
| 56 | + const encoder = new TextEncoder(); |
63 | 57 | const dataBuffer = encoder.encode(data); |
64 | 58 |
|
65 | 59 | // Using native web crypto (available in modern Node and Browsers) |
66 | 60 | const hashBuffer = await crypto.subtle.digest("SHA-256", dataBuffer); |
67 | 61 | return new Uint8Array(hashBuffer); |
68 | | - } |
69 | | - |
70 | | - public generateRandomBytes(length: number): Uint8Array { |
71 | | - // globalThis.crypto works in Browsers and Node.js 19+ |
72 | | - const array = new Uint8Array(length); |
73 | | - crypto.getRandomValues(array); |
74 | | - return array; |
75 | | - } |
76 | | - |
77 | | - public async verifyJwt( |
78 | | - idToken: string, |
79 | | - jwk: Partial<JWKInterface>, |
80 | | - algorithms: string[], |
81 | | - clientId: string, |
82 | | - issuer: string, |
83 | | - subject: string, |
84 | | - clockTolerance?: number, |
85 | | - ): Promise<boolean> { |
| 62 | +} |
86 | 63 |
|
87 | | - const key = await jose.importJWK(jwk as any); |
| 64 | + /** |
| 65 | + * Verifies the JWT using the provided JWK and claims. |
| 66 | + */ |
| 67 | + public async verifyJwt( |
| 68 | + idToken: string, |
| 69 | + jwk: JWKInterface, |
| 70 | + algorithms: string[], |
| 71 | + clientId: string, |
| 72 | + issuer: string, |
| 73 | + subject: string, |
| 74 | + clockTolerance?: number, |
| 75 | + validateJwtIssuer: boolean = true, |
| 76 | + ): Promise<boolean> { |
| 77 | + const key = await jose.importJWK(jwk as jose.JWK); |
88 | 78 |
|
89 | | - await jose.jwtVerify(idToken, key, { |
90 | | - algorithms, |
91 | | - audience: clientId, |
92 | | - issuer, |
93 | | - subject, |
94 | | - clockTolerance, |
95 | | - }); |
| 79 | + await jose.jwtVerify(idToken, key, { |
| 80 | + algorithms, |
| 81 | + audience: clientId, |
| 82 | + issuer: validateJwtIssuer ? issuer : undefined, |
| 83 | + subject, |
| 84 | + clockTolerance, |
| 85 | + }); |
96 | 86 |
|
97 | | - return true; |
98 | | - } |
| 87 | + return true; |
| 88 | + } |
99 | 89 | } |
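Review bot: The new `validateJwtIssuer` flag (new line 75) turns into `issuer: undefined` on new line 82, which makes jose skip the `iss` check altogether, so a caller passing `false` accepts a token minted by any issuer whose key happens to be the supplied JWK — the parameter is a verification bypass but nothing in the hunk documents it. The flag should at least be documented in the method's TSDoc, e.g. `@param validateJwtIssuer - when false the token's \`iss\` claim is NOT checked; only disable for issuers known to emit a non-standard \`iss\` and never with a key set fetched by untrusted discovery`, and if the `Crypto` interface in ./models/crypto requires the flag it should default to `true` there too (that file is not in this hunk). Separately, the TSDoc on `hashSha256` (new lines 52-53) says "This implementation throws an error - use IsomorphicCrypto wrapper for async hashing", but the body awaits `crypto.subtle.digest` and returns the digest; replace those two lines with `* Returns a Promise because Web Crypto's digest is asynchronous.` so the comment matches the code.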