Merge commit from fork

* feat(utils/jwt): add JwtAlgorithmMismatch and JwtSymmetricAlgorithmNotAllowed error types

* fix(utils/jwt): prevent algorithm confusion attacks in verifyWithJwks

- Reject symmetric algorithms (HS256/HS384/HS512) in JWK verification
- Verify JWK alg matches JWT header alg when JWK has alg field
- Use header.alg for verification instead of JWK alg fallback

* test(utils/jwt): add security tests for verifyWithJwks

- Update header.alg fallback test to use asymmetric algorithm (RS256)
- Add tests for symmetric algorithm rejection (HS256/HS384/HS512)
- Add test for algorithm mismatch between JWK and JWT header
- Add test for algorithm confusion attack prevention

* feat(utils/jwt): add JwtAlgorithmNotAllowed error type

Add new error class for algorithm whitelist validation.
This error is thrown when JWT's algorithm is not in the allowed list.

* feat(utils/jwt): add algorithm whitelist support to verifyWithJwks

Add optional allowedAlgorithms parameter to verifyWithJwks function.
When specified, only tokens signed with algorithms in the whitelist
will be accepted. This provides an additional layer of security by
explicitly defining which algorithms are permitted.

Validation order:
1. Check algorithm against whitelist (if specified)
2. Reject symmetric algorithms (HS256/HS384/HS512)
3. Validate JWK alg matches header alg (if JWK has alg field)

* feat(middleware/jwk): add alg option for algorithm whitelist

Add alg option to JWK middleware to specify allowed algorithms.
This option is passed to verifyWithJwks as allowedAlgorithms.

Example usage:
  jwk({ keys, alg: ['RS256', 'ES256'] })

* test(utils/jwt): add algorithm whitelist tests for verifyWithJwks

Add tests for:
- Reject algorithm not in whitelist
- Accept algorithm in whitelist
- Accept any asymmetric algorithm when whitelist not specified
- Accept any asymmetric algorithm when whitelist is empty
- Reject symmetric algorithm even if in whitelist

* test(middleware/jwk): add algorithm whitelist tests

Add tests for JWK middleware alg option:
- Authorize RS256 token when RS256 is in whitelist
- Reject token when algorithm is not in whitelist
- Authorize RS256 token when multiple algorithms are in whitelist
- Authorize RS256 token when no whitelist is specified

* feat(utils/jwt): add AsymmetricAlgorithm and SymmetricAlgorithm type definitions

- Added SymmetricAlgorithm type for HMAC algorithms: HS256, HS384, HS512
- Added AsymmetricAlgorithm type for RSA/ECDSA/EdDSA algorithms
- Enables compile-time prevention of algorithm confusion attacks

* fix(utils/jwt): make allowedAlgorithms required in verifyWithJwks

BREAKING CHANGE: allowedAlgorithms is now a required parameter with type AsymmetricAlgorithm[]

- Changed allowedAlgorithms from optional to required
- Changed type from SignatureAlgorithm[] to AsymmetricAlgorithm[]
- Reordered validation: symmetric algorithm rejection before whitelist check
- Prevents algorithm confusion attacks at both runtime and compile-time

* fix(middleware/jwk): make alg option required

BREAKING CHANGE: alg option is now required with type AsymmetricAlgorithm[]

- Changed alg from optional to required
- Changed type from SignatureAlgorithm[] to AsymmetricAlgorithm[]
- Updated JSDoc to reflect breaking change
- Ensures users must explicitly specify allowed algorithms

* test(utils/jwt): update tests for required allowedAlgorithms

- Added allowedAlgorithms: ['RS256'] to all verifyWithJwks calls
- Removed tests for 'whitelist not specified' and 'empty whitelist' scenarios
- Added comments explaining breaking changes
- Renamed test to 'Should reject symmetric algorithm (HS256) in JWT header'

* test(middleware/jwk): update tests for required alg option

- Added alg: ['RS256'] to all jwk() middleware calls
- Removed test for 'no whitelist' scenario (no longer applicable)
- Added comments explaining breaking changes
- Updated verifyWithJwks test to include allowedAlgorithms

* test(utils/jwt): add type tests for algorithm type definitions

- Added tests for SymmetricAlgorithm type (HS256, HS384, HS512)
- Added tests for AsymmetricAlgorithm type (RS*, PS*, ES*, EdDSA)
- Added tests for SignatureAlgorithm type (all 13 algorithms)
- Tests verify type constraints at runtime

* fix(test): resolve TypeScript errors in JWK middleware tests

- Removed unused @ts-expect-error directive on line 40
- Added @ts-expect-error for empty object test (line 210)
- Added required alg option to crypto.subtle test (line 220)
- All 115 tests still passing

* refactor: use SymmetricAlgorithm type for symmetricAlgorithms array

* fix(utils/jwt): cast header.alg to SymmetricAlgorithm to prevent type errors

* fix(utils/jwt): update comment for clarity on algorithm validation

---------

Co-authored-by: Yusuke Wada <[email protected]>

Author: calloc134

src/middleware/jwk/index.test.ts

@@ -35,9 +35,9 @@ describe('JWK', () => {
   afterAll(() => server.close())
 
   describe('verifyWithJwks', () => {
-    it('Should throw error on missing options', async () => {
+    it('Should throw error on missing keys/jwks_uri options', async () => {
       const credential = await Jwt.sign({ message: 'hello world' }, test_keys.private_keys[0])
-      await expect(verifyWithJwks(credential, {})).rejects.toThrow(
+      await expect(verifyWithJwks(credential, { allowedAlgorithms: ['RS256'] })).rejects.toThrow(
         'verifyWithJwks requires options for either "keys" or "jwks_uri" or both'
       )
     })
@@ -52,7 +52,7 @@ describe('JWK', () => {
 
     const app = new Hono()
 
-    app.use('/backend-auth-or-anon/*', jwk({ keys: verify_keys, allow_anon: true }))
+    app.use('/backend-auth-or-anon/*', jwk({ keys: verify_keys, allow_anon: true, alg: ['RS256'] }))
 
     app.get('/backend-auth-or-anon/*', (c) => {
       handlerExecuted = true
@@ -105,10 +105,10 @@ describe('JWK', () => {
 
     const app = new Hono()
 
-    app.use('/auth-with-keys/*', jwk({ keys: verify_keys }))
-    app.use('/auth-with-keys-unicode/*', jwk({ keys: verify_keys }))
+    app.use('/auth-with-keys/*', jwk({ keys: verify_keys, alg: ['RS256'] }))
+    app.use('/auth-with-keys-unicode/*', jwk({ keys: verify_keys, alg: ['RS256'] }))
     app.use('/auth-with-keys-nested/*', async (c, next) => {
-      const auth = jwk({ keys: verify_keys })
+      const auth = jwk({ keys: verify_keys, alg: ['RS256'] })
       return auth(c, next)
     })
     app.use(
@@ -119,37 +119,43 @@ describe('JWK', () => {
           const data = await response.json()
           return data.keys
         },
+        alg: ['RS256'],
       })
     )
     app.use(
       '/auth-with-jwks_uri/*',
       jwk({
         jwks_uri: 'http://localhost/.well-known/jwks.json',
+        alg: ['RS256'],
       })
     )
     app.use(
       '/auth-with-keys-and-jwks_uri/*',
       jwk({
         keys: verify_keys,
         jwks_uri: () => 'http://localhost/.well-known/jwks.json',
+        alg: ['RS256'],
       })
     )
     app.use(
       '/auth-with-missing-jwks_uri/*',
       jwk({
         jwks_uri: 'http://localhost/.well-known/missing-jwks.json',
+        alg: ['RS256'],
       })
     )
     app.use(
       '/auth-with-404-jwks_uri/*',
       jwk({
         jwks_uri: 'http://localhost/.well-known/404-jwks.json',
+        alg: ['RS256'],
       })
     )
     app.use(
       '/auth-with-bad-jwks_uri/*',
       jwk({
         jwks_uri: 'http://localhost/.well-known/bad-jwks.json',
+        alg: ['RS256'],
       })
     )
 
@@ -200,6 +206,7 @@ describe('JWK', () => {
     })
 
     it('Should throw an error if the middleware is missing both keys and jwks_uri (empty)', async () => {
+      // @ts-expect-error - Testing runtime error with missing required alg option
       expect(() => app.use('/auth-with-empty-middleware/*', jwk({}))).toThrow(
         'JWK auth middleware requires options for either "keys" or "jwks_uri"'
       )
@@ -210,7 +217,9 @@ describe('JWK', () => {
         importKey: undefined,
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
       } as any)
-      expect(() => app.use('/auth-with-bad-env/*', jwk({ keys: verify_keys }))).toThrow()
+      expect(() =>
+        app.use('/auth-with-bad-env/*', jwk({ keys: verify_keys, alg: ['RS256'] }))
+      ).toThrow()
       subtleSpy.mockRestore()
     })
 
@@ -443,7 +452,10 @@ describe('JWK', () => {
 
     const app = new Hono()
 
-    app.use('/auth-with-keys/*', jwk({ keys: verify_keys, headerName: 'x-custom-auth-header' }))
+    app.use(
+      '/auth-with-keys/*',
+      jwk({ keys: verify_keys, headerName: 'x-custom-auth-header', alg: ['RS256'] })
+    )
 
     app.get('/auth-with-keys/*', (c) => {
       handlerExecuted = true
@@ -494,15 +506,22 @@ describe('JWK', () => {
 
     const app = new Hono()
 
-    app.use('/auth-with-keys/*', jwk({ keys: verify_keys, cookie: 'access_token' }))
-    app.use('/auth-with-keys-unicode/*', jwk({ keys: verify_keys, cookie: 'access_token' }))
+    app.use('/auth-with-keys/*', jwk({ keys: verify_keys, cookie: 'access_token', alg: ['RS256'] }))
+    app.use(
+      '/auth-with-keys-unicode/*',
+      jwk({ keys: verify_keys, cookie: 'access_token', alg: ['RS256'] })
+    )
     app.use(
       '/auth-with-keys-prefixed/*',
-      jwk({ keys: verify_keys, cookie: { key: 'access_token', prefixOptions: 'host' } })
+      jwk({
+        keys: verify_keys,
+        cookie: { key: 'access_token', prefixOptions: 'host' },
+        alg: ['RS256'],
+      })
     )
     app.use(
       '/auth-with-keys-unprefixed/*',
-      jwk({ keys: verify_keys, cookie: { key: 'access_token' } })
+      jwk({ keys: verify_keys, cookie: { key: 'access_token' }, alg: ['RS256'] })
     )
 
     app.get('/auth-with-keys/*', (c) => {
@@ -637,13 +656,18 @@ describe('JWK', () => {
 
     app.use(
       '/auth-with-signed-cookie/*',
-      jwk({ keys: verify_keys, cookie: { key: 'access_token', secret: test_secret } })
+      jwk({
+        keys: verify_keys,
+        cookie: { key: 'access_token', secret: test_secret },
+        alg: ['RS256'],
+      })
     )
     app.use(
       '/auth-with-signed-with-prefix-options-cookie/*',
       jwk({
         keys: verify_keys,
         cookie: { key: 'access_token', secret: test_secret, prefixOptions: 'host' },
+        alg: ['RS256'],
       })
     )
 
@@ -721,7 +745,7 @@ describe('JWK', () => {
   describe('Error handling with `cause`', () => {
     const app = new Hono()
 
-    app.use('/auth-with-keys/*', jwk({ keys: verify_keys }))
+    app.use('/auth-with-keys/*', jwk({ keys: verify_keys, alg: ['RS256'] }))
     app.get('/auth-with-keys/*', (c) => c.text('Authorized'))
 
     app.onError((e, c) => {
@@ -761,10 +785,10 @@ describe('JWK', () => {
 
     const app = new Hono()
 
-    app.use('/auth-with-keys-default/*', jwk({ keys: verify_keys }))
+    app.use('/auth-with-keys-default/*', jwk({ keys: verify_keys, alg: ['RS256'] }))
     app.use(
       '/auth-with-keys-and-issuer/*',
-      jwk({ keys: verify_keys, verification: { iss: 'http://issuer.test' } })
+      jwk({ keys: verify_keys, verification: { iss: 'http://issuer.test' }, alg: ['RS256'] })
     )
 
     app.get('/auth-with-keys-default/*', (c) => {
@@ -874,4 +898,100 @@ describe('JWK', () => {
       expect(handlerExecuted).toBeFalsy()
     })
   })
+
+  describe('Algorithm whitelist (options.alg)', () => {
+    let handlerExecuted: boolean
+
+    beforeEach(() => {
+      handlerExecuted = false
+    })
+
+    const app = new Hono()
+
+    // Only allow RS256
+    app.use('/auth-whitelist-rs256/*', jwk({ keys: verify_keys, alg: ['RS256'] }))
+    app.get('/auth-whitelist-rs256/*', (c) => {
+      handlerExecuted = true
+      return c.json(c.get('jwtPayload'))
+    })
+
+    // Allow multiple algorithms
+    app.use('/auth-whitelist-multi/*', jwk({ keys: verify_keys, alg: ['RS256', 'ES256'] }))
+    app.get('/auth-whitelist-multi/*', (c) => {
+      handlerExecuted = true
+      return c.json(c.get('jwtPayload'))
+    })
+
+    // Note: Test for "no whitelist" was removed because alg is now required.
+    // This is a breaking change that enforces explicit algorithm specification for security.
+
+    it('Should authorize RS256 token when RS256 is in whitelist', async () => {
+      const payload = { message: 'hello world' }
+      const credential = await Jwt.sign(payload, test_keys.private_keys[0]) // RS256 key
+      const req = new Request('http://localhost/auth-whitelist-rs256/a')
+      req.headers.set('Authorization', `Bearer ${credential}`)
+      const res = await app.request(req)
+      expect(res).not.toBeNull()
+      expect(res.status).toBe(200)
+      expect(await res.json()).toEqual(payload)
+      expect(handlerExecuted).toBeTruthy()
+    })
+
+    it('Should reject token when algorithm is not in whitelist', async () => {
+      // Create a token with ES256 algorithm manually
+      const kid = 'hono-test-kid-1' // Use existing kid but header will have different alg
+      const payload = { message: 'hello world' }
+
+      // Generate ES256 key pair for signing
+      const keyPair = await crypto.subtle.generateKey(
+        {
+          name: 'ECDSA',
+          namedCurve: 'P-256',
+        },
+        true,
+        ['sign', 'verify']
+      )
+
+      // Create JWT with ES256
+      const header = { alg: 'ES256', typ: 'JWT', kid }
+      const encode = (obj: object) =>
+        encodeBase64Url(utf8Encoder.encode(JSON.stringify(obj)).buffer)
+      const encodedHeader = encode(header)
+      const encodedPayload = encode(payload)
+      const signingInput = `${encodedHeader}.${encodedPayload}`
+
+      const signatureBuffer = await signing(
+        keyPair.privateKey,
+        'ES256',
+        utf8Encoder.encode(signingInput)
+      )
+      const signature = encodeBase64Url(signatureBuffer)
+
+      const token = `${encodedHeader}.${encodedPayload}.${signature}`
+
+      const url = 'http://localhost/auth-whitelist-rs256/a'
+      const req = new Request(url)
+      req.headers.set('Authorization', `Bearer ${token}`)
+      const res = await app.request(req)
+      expect(res).not.toBeNull()
+      expect(res.status).toBe(401)
+      expect(res.headers.get('www-authenticate')).toMatch(/token verification failure/)
+      expect(handlerExecuted).toBeFalsy()
+    })
+
+    it('Should authorize RS256 token when multiple algorithms are in whitelist', async () => {
+      const payload = { message: 'hello world' }
+      const credential = await Jwt.sign(payload, test_keys.private_keys[0]) // RS256 key
+      const req = new Request('http://localhost/auth-whitelist-multi/a')
+      req.headers.set('Authorization', `Bearer ${credential}`)
+      const res = await app.request(req)
+      expect(res).not.toBeNull()
+      expect(res.status).toBe(200)
+      expect(await res.json()).toEqual(payload)
+      expect(handlerExecuted).toBeTruthy()
+    })
+
+    // Note: Test for "no whitelist" was removed because alg is now required.
+    // This is a breaking change that enforces explicit algorithm specification for security.
+  })
 })

src/middleware/jwk/jwk.ts

@@ -10,6 +10,7 @@ import type { MiddlewareHandler } from '../../types'
 import type { CookiePrefixOptions } from '../../utils/cookie'
 import { Jwt } from '../../utils/jwt'
 import '../../context'
+import type { AsymmetricAlgorithm } from '../../utils/jwt/jwa'
 import type { HonoJsonWebKey } from '../../utils/jwt/jws'
 import type { VerifyOptions } from '../../utils/jwt/jwt'
 
@@ -24,6 +25,7 @@ import type { VerifyOptions } from '../../utils/jwt/jwt'
  * @param {boolean} [options.allow_anon] - If set to `true`, the middleware allows requests without a token to proceed without authentication.
  * @param {string} [options.cookie] - If set, the middleware attempts to retrieve the token from a cookie with these options (optionally signed) only if no token is found in the header.
  * @param {string} [options.headerName='Authorization'] - The name of the header to look for the JWT token. Default is 'Authorization'.
+ * @param {AsymmetricAlgorithm[]} options.alg - An array of allowed asymmetric algorithms for JWT verification. Only tokens signed with these algorithms will be accepted.
  * @param {RequestInit} [init] - Optional init options for the `fetch` request when retrieving JWKS from a URI.
  * @param {VerifyOptions} [options.verification] - Additional options for JWK payload verification.
  * @returns {MiddlewareHandler} The middleware handler function.
@@ -54,6 +56,8 @@ export const jwk = (
 
     headerName?: string
 
+    alg: AsymmetricAlgorithm[]
+
     verification?: VerifyOptions
   },
   init?: RequestInit
@@ -132,7 +136,11 @@ export const jwk = (
       const keys = typeof options.keys === 'function' ? await options.keys(ctx) : options.keys
       const jwks_uri =
         typeof options.jwks_uri === 'function' ? await options.jwks_uri(ctx) : options.jwks_uri
-      payload = await Jwt.verifyWithJwks(token, { keys, jwks_uri, verification: verifyOpts }, init)
+      payload = await Jwt.verifyWithJwks(
+        token,
+        { keys, jwks_uri, verification: verifyOpts, allowedAlgorithms: options.alg },
+        init
+      )
     } catch (e) {
       cause = e
     }

src/utils/jwt/jwa.test.ts

@@ -1,4 +1,5 @@
 import { AlgorithmTypes } from './jwa'
+import type { AsymmetricAlgorithm, SymmetricAlgorithm, SignatureAlgorithm } from './jwa'
 
 describe('Types', () => {
   it('AlgorithmTypes', () => {
@@ -21,4 +22,65 @@ describe('Types', () => {
     expect(undefined as AlgorithmTypes).toBe(undefined)
     expect('' as AlgorithmTypes).toBe('')
   })
+
+  it('SymmetricAlgorithm type should only include HMAC algorithms', () => {
+    // These should be valid SymmetricAlgorithm values
+    const hs256: SymmetricAlgorithm = 'HS256'
+    const hs384: SymmetricAlgorithm = 'HS384'
+    const hs512: SymmetricAlgorithm = 'HS512'
+
+    expect(hs256).toBe('HS256')
+    expect(hs384).toBe('HS384')
+    expect(hs512).toBe('HS512')
+
+    // Type-level test: these would cause compile errors if uncommented
+    // const rs256: SymmetricAlgorithm = 'RS256' // Error: Type '"RS256"' is not assignable to type 'SymmetricAlgorithm'
+  })
+
+  it('AsymmetricAlgorithm type should only include asymmetric algorithms', () => {
+    // These should be valid AsymmetricAlgorithm values
+    const asymmetricAlgs: AsymmetricAlgorithm[] = [
+      'RS256',
+      'RS384',
+      'RS512',
+      'PS256',
+      'PS384',
+      'PS512',
+      'ES256',
+      'ES384',
+      'ES512',
+      'EdDSA',
+    ]
+
+    expect(asymmetricAlgs).toHaveLength(10)
+
+    // Verify all asymmetric algorithms are included
+    expect(asymmetricAlgs).toContain('RS256')
+    expect(asymmetricAlgs).toContain('ES256')
+    expect(asymmetricAlgs).toContain('EdDSA')
+
+    // Type-level test: these would cause compile errors if uncommented
+    // const hs256: AsymmetricAlgorithm = 'HS256' // Error: Type '"HS256"' is not assignable to type 'AsymmetricAlgorithm'
+  })
+
+  it('SignatureAlgorithm type should include all algorithms', () => {
+    // SignatureAlgorithm should include both symmetric and asymmetric algorithms
+    const allAlgs: SignatureAlgorithm[] = [
+      'HS256',
+      'HS384',
+      'HS512',
+      'RS256',
+      'RS384',
+      'RS512',
+      'PS256',
+      'PS384',
+      'PS512',
+      'ES256',
+      'ES384',
+      'ES512',
+      'EdDSA',
+    ]
+
+    expect(allAlgs).toHaveLength(13)
+  })
 })