fix: switch from jsonwebtoken to jose for jwt signing/verification (#678)

- Supports async jwt signing/verification using libuv
- Add support for OKP (ed25519/Ed448) jwks
- Cleaner implementation across jwt code

Author: itslenny

babel.config.cjs

@@ -0,0 +1,3 @@
+module.exports = {
+  presets: [['@babel/preset-env', { targets: { node: 'current' } }]],
+};

jest.config.js renamed to jest.config.cjs

@@ -1,9 +1,12 @@
 module.exports = {
   preset: 'ts-jest',
-  testSequencer: './jest.sequencer.js',
+  testSequencer: './jest.sequencer.cjs',
   transform: {
+    '^.+/node_modules/jose/.+\\.[jt]s$': 'babel-jest',
+    '^.+\\.mjs$': 'babel-jest',
     '^.+\\.(t|j)sx?$': 'ts-jest',
   },
+  transformIgnorePatterns: ['node_modules/(?!(jose)/)'],
   moduleNameMapper: {
     '^@storage/(.*)$': '<rootDir>/src/storage/$1',
     '^@internal/(.*)$': '<rootDir>/src/internal/$1',

jest.sequencer.js renamed to jest.sequencer.cjs

@@ -67,7 +67,7 @@
     "glob": "^11.0.0",
     "ioredis": "^5.2.4",
     "ip-address": "^10.0.1",
-    "jsonwebtoken": "^9.0.2",
+    "jose": "^6.0.10",
     "knex": "^3.1.0",
     "lru-cache": "^10.2.0",
     "md5-file": "^5.0.0",
@@ -84,14 +84,15 @@
   },
   "devDependencies": {
     "@aws-sdk/s3-presigned-post": "3.654.0",
+    "@babel/preset-env": "^7.26.9",
+    "@babel/preset-typescript": "^7.27.0",
     "@types/async-retry": "^1.4.5",
     "@types/busboy": "^1.3.0",
     "@types/crypto-js": "^4.1.1",
     "@types/fs-extra": "^9.0.13",
     "@types/glob": "^8.1.0",
     "@types/jest": "^29.2.1",
     "@types/js-yaml": "^4.0.5",
-    "@types/jsonwebtoken": "^9.0.5",
     "@types/multistream": "^4.1.3",
     "@types/mustache": "^4.2.2",
     "@types/node": "^20.11.5",
@@ -100,21 +101,21 @@
     "@types/xml2js": "^0.4.14",
     "@typescript-eslint/eslint-plugin": "^8.7.0",
     "@typescript-eslint/parser": "^8.7.0",
-    "babel-jest": "^29.2.2",
+    "babel-jest": "^29.7.0",
     "esbuild": "0.21.5",
     "eslint": "^8.9.0",
     "eslint-config-prettier": "^8.10.0",
     "eslint-plugin-prettier": "^4.2.1",
     "form-data": "^4.0.0",
-    "jest": "^29.2.2",
+    "jest": "^29.7.0",
     "js-yaml": "^4.1.0",
     "json-schema-to-ts": "^3.0.0",
     "mustache": "^4.2.0",
     "pino-pretty": "^8.1.0",
     "prettier": "^2.8.8",
     "resolve-tspaths": "^0.8.19",
     "stream-buffers": "^3.0.2",
-    "ts-jest": "^29.0.3",
+    "ts-jest": "^29.3.2",
     "ts-node-dev": "^1.1.8",
     "tsx": "^4.16.0",
     "tus-js-client": "^3.1.0",

package-lock.json

@@ -1,6 +1,6 @@
 import dotenv from 'dotenv'
-import jwt from 'jsonwebtoken'
 import type { DBMigration } from '@internal/database/migrations'
+import { SignJWT } from 'jose'
 
 export type StorageBackendType = 'file' | 's3'
 export enum MultitenantMigrationStrategy {
@@ -93,8 +93,8 @@ type StorageConfigType = {
   requestTraceHeader?: string
   requestEtagHeaders: string[]
   responseSMaxAge: number
-  anonKey: string
-  serviceKey: string
+  anonKeyAsync: Promise<string>
+  serviceKeyAsync: Promise<string>
   storageBackendType: StorageBackendType
   tenantId: string
   requestUrlLengthLimit: number
@@ -259,10 +259,6 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
       'REQUEST_ADMIN_TRACE_HEADER'
     ),
 
-    // Auth
-    serviceKey: getOptionalConfigFromEnv('SERVICE_KEY') || '',
-    anonKey: getOptionalConfigFromEnv('ANON_KEY') || '',
-
     encryptionKey: getOptionalConfigFromEnv('AUTH_ENCRYPTION_KEY', 'ENCRYPTION_KEY') || '',
     jwtSecret: getOptionalIfMultitenantConfigFromEnv('AUTH_JWT_SECRET', 'PGRST_JWT_SECRET') || '',
     jwtAlgorithm: getOptionalConfigFromEnv('AUTH_JWT_ALGORITHM', 'PGRST_JWT_ALGORITHM') || 'HS256',
@@ -484,18 +480,26 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
     ),
   } as StorageConfigType
 
-  if (!config.isMultitenant && !config.serviceKey) {
-    config.serviceKey = jwt.sign({ role: config.dbServiceRole }, config.jwtSecret, {
-      expiresIn: '10y',
-      algorithm: config.jwtAlgorithm as jwt.Algorithm,
-    })
+  const serviceKey = getOptionalConfigFromEnv('SERVICE_KEY') || ''
+  if (!config.isMultitenant && !serviceKey) {
+    config.serviceKeyAsync = new SignJWT({ role: config.dbServiceRole })
+      .setIssuedAt()
+      .setExpirationTime('10y')
+      .setProtectedHeader({ alg: 'HS256' })
+      .sign(new TextEncoder().encode(config.jwtSecret))
+  } else {
+    config.serviceKeyAsync = Promise.resolve(serviceKey)
   }
 
-  if (!config.isMultitenant && !config.anonKey) {
-    config.anonKey = jwt.sign({ role: config.dbAnonRole }, config.jwtSecret, {
-      expiresIn: '10y',
-      algorithm: config.jwtAlgorithm as jwt.Algorithm,
-    })
+  const anonKey = getOptionalConfigFromEnv('ANON_KEY') || ''
+  if (!config.isMultitenant && !anonKey) {
+    config.anonKeyAsync = new SignJWT({ role: config.dbAnonRole })
+      .setIssuedAt()
+      .setExpirationTime('10y')
+      .setProtectedHeader({ alg: 'HS256' })
+      .sign(new TextEncoder().encode(config.jwtSecret))
+  } else {
+    config.anonKeyAsync = Promise.resolve(anonKey)
   }
 
   const jwtJWKS = getOptionalConfigFromEnv('JWT_JWKS') || null

package.json

@@ -1,5 +1,5 @@
 import fastifyPlugin from 'fastify-plugin'
-import { JwtPayload } from 'jsonwebtoken'
+import { JWTPayload } from 'jose'
 
 import { verifyJWT } from '@internal/auth'
 import { getJwtSecret } from '@internal/database'
@@ -9,7 +9,7 @@ declare module 'fastify' {
   interface FastifyRequest {
     isAuthenticated: boolean
     jwt: string
-    jwtPayload?: JwtPayload & { role?: string }
+    jwtPayload?: JWTPayload & { role?: string }
     owner?: string
   }
 

src/config.ts

@@ -9,8 +9,8 @@ import { getConfig } from '../../config'
 import { MultipartFile, MultipartValue } from '@fastify/multipart'
 
 const {
-  anonKey,
-  serviceKey,
+  anonKeyAsync,
+  serviceKeyAsync,
   storageS3Region,
   isMultitenant,
   requestAllowXForwardedPrefix,
@@ -138,7 +138,9 @@ async function createServerSignature(tenantId: string, clientSignature: ClientSi
   const awsService = 's3'
 
   if (clientSignature?.sessionToken) {
-    const tenantAnonKey = isMultitenant ? (await getTenantConfig(tenantId)).anonKey : anonKey
+    const tenantAnonKey = isMultitenant
+      ? (await getTenantConfig(tenantId)).anonKey
+      : await anonKeyAsync
 
     if (!tenantAnonKey) {
       throw ERRORS.AccessDenied('Missing tenant anon key')
@@ -198,5 +200,5 @@ async function createServerSignature(tenantId: string, clientSignature: ClientSi
     },
   })
 
-  return { signature, claims: undefined, token: serviceKey }
+  return { signature, claims: undefined, token: await serviceKeyAsync }
 }

src/http/plugins/jwt.ts

@@ -90,8 +90,7 @@ function validateAddJwkRequest({ jwk, kind }: JwksAddRequestInterface['Body']):
       if (jwk.d) {
         return { message: 'Invalid asymmetric public jwk. Private fields are not allowed' }
       }
-      // jsonwebtoken does not support OKP (ed25519/Ed448) keys yet, if/when this changes replace this with a break and we should be good to go
-      return { message: 'OKP jwks are not yet supported. Please use RSA or EC' }
+      break
     default:
       return { message: 'Unsupported jwk algorithm ' + jwk.kty }
   }