fix: switch from jsonwebtoken to jose for jwt signing/verification (#678)

- Supports async jwt signing/verification using libuv
- Add support for OKP (ed25519/Ed448) jwks
- Cleaner implementation across jwt code

Author: itslenny

Dockerfile

@@ -1,5 +1,5 @@
 # Base stage for shared environment setup
-FROM node:20-alpine3.20 as base
+FROM node:22-alpine3.21 as base
 RUN apk add --no-cache g++ make python3
 WORKDIR /app
 COPY package.json package-lock.json ./

babel.config.cjs

@@ -0,0 +1,3 @@
+module.exports = {
+  presets: [['@babel/preset-env', { targets: { node: 'current' } }]],
+};

jest.config.js renamed to jest.config.cjs

@@ -1,9 +1,12 @@
 module.exports = {
   preset: 'ts-jest',
-  testSequencer: './jest.sequencer.js',
+  testSequencer: './jest.sequencer.cjs',
   transform: {
+    '^.+/node_modules/jose/.+\\.[jt]s$': 'babel-jest',
+    '^.+\\.mjs$': 'babel-jest',
     '^.+\\.(t|j)sx?$': 'ts-jest',
   },
+  transformIgnorePatterns: ['node_modules/(?!(jose)/)'],
   moduleNameMapper: {
     '^@storage/(.*)$': '<rootDir>/src/storage/$1',
     '^@internal/(.*)$': '<rootDir>/src/internal/$1',

jest.sequencer.js renamed to jest.sequencer.cjs

@@ -0,0 +1 @@
+ALTER TABLE tenants ADD COLUMN IF NOT EXISTS database_pool_mode TEXT NULL;

migrations/multitenant/0017-pool-mode.sql

@@ -28,6 +28,7 @@
     "node": ">= 14.0.0"
   },
   "dependencies": {
+    "@aws-sdk/client-ecs": "^3.795.0",
     "@aws-sdk/client-s3": "3.654.0",
     "@aws-sdk/lib-storage": "3.654.0",
     "@aws-sdk/s3-request-presigner": "3.654.0",
@@ -67,7 +68,7 @@
     "glob": "^11.0.0",
     "ioredis": "^5.2.4",
     "ip-address": "^10.0.1",
-    "jsonwebtoken": "^9.0.2",
+    "jose": "^6.0.10",
     "knex": "^3.1.0",
     "lru-cache": "^10.2.0",
     "md5-file": "^5.0.0",
@@ -84,14 +85,15 @@
   },
   "devDependencies": {
     "@aws-sdk/s3-presigned-post": "3.654.0",
+    "@babel/preset-env": "^7.26.9",
+    "@babel/preset-typescript": "^7.27.0",
     "@types/async-retry": "^1.4.5",
     "@types/busboy": "^1.3.0",
     "@types/crypto-js": "^4.1.1",
     "@types/fs-extra": "^9.0.13",
     "@types/glob": "^8.1.0",
     "@types/jest": "^29.2.1",
     "@types/js-yaml": "^4.0.5",
-    "@types/jsonwebtoken": "^9.0.5",
     "@types/multistream": "^4.1.3",
     "@types/mustache": "^4.2.2",
     "@types/node": "^20.11.5",
@@ -100,21 +102,21 @@
     "@types/xml2js": "^0.4.14",
     "@typescript-eslint/eslint-plugin": "^8.7.0",
     "@typescript-eslint/parser": "^8.7.0",
-    "babel-jest": "^29.2.2",
+    "babel-jest": "^29.7.0",
     "esbuild": "0.21.5",
     "eslint": "^8.9.0",
     "eslint-config-prettier": "^8.10.0",
     "eslint-plugin-prettier": "^4.2.1",
     "form-data": "^4.0.0",
-    "jest": "^29.2.2",
+    "jest": "^29.7.0",
     "js-yaml": "^4.1.0",
     "json-schema-to-ts": "^3.0.0",
     "mustache": "^4.2.0",
     "pino-pretty": "^8.1.0",
     "prettier": "^2.8.8",
     "resolve-tspaths": "^0.8.19",
     "stream-buffers": "^3.0.2",
-    "ts-jest": "^29.0.3",
+    "ts-jest": "^29.3.2",
     "ts-node-dev": "^1.1.8",
     "tsx": "^4.16.0",
     "tus-js-client": "^3.1.0",

migrations/multitenant/0017-tenants-s3-credentials-fix-notify-key.sql renamed to migrations/multitenant/0018-tenants-s3-credentials-fix-notify-key.sql

@@ -1,6 +1,6 @@
 import dotenv from 'dotenv'
-import jwt from 'jsonwebtoken'
 import type { DBMigration } from '@internal/database/migrations'
+import { SignJWT } from 'jose'
 
 export type StorageBackendType = 'file' | 's3'
 export enum MultitenantMigrationStrategy {
@@ -86,15 +86,16 @@ type StorageConfigType = {
   databaseURL: string
   databaseSSLRootCert?: string
   databasePoolURL?: string
+  databasePoolMode?: 'single_use' | 'recycle'
   databaseMaxConnections: number
   databaseFreePoolAfterInactivity: number
   databaseConnectionTimeout: number
   region: string
   requestTraceHeader?: string
   requestEtagHeaders: string[]
   responseSMaxAge: number
-  anonKey: string
-  serviceKey: string
+  anonKeyAsync: Promise<string>
+  serviceKeyAsync: Promise<string>
   storageBackendType: StorageBackendType
   tenantId: string
   requestUrlLengthLimit: number
@@ -259,10 +260,6 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
       'REQUEST_ADMIN_TRACE_HEADER'
     ),
 
-    // Auth
-    serviceKey: getOptionalConfigFromEnv('SERVICE_KEY') || '',
-    anonKey: getOptionalConfigFromEnv('ANON_KEY') || '',
-
     encryptionKey: getOptionalConfigFromEnv('AUTH_ENCRYPTION_KEY', 'ENCRYPTION_KEY') || '',
     jwtSecret: getOptionalIfMultitenantConfigFromEnv('AUTH_JWT_SECRET', 'PGRST_JWT_SECRET') || '',
     jwtAlgorithm: getOptionalConfigFromEnv('AUTH_JWT_ALGORITHM', 'PGRST_JWT_ALGORITHM') || 'HS256',
@@ -357,6 +354,7 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
     databaseSSLRootCert: getOptionalConfigFromEnv('DATABASE_SSL_ROOT_CERT'),
     databaseURL: getOptionalIfMultitenantConfigFromEnv('DATABASE_URL') || '',
     databasePoolURL: getOptionalConfigFromEnv('DATABASE_POOL_URL') || '',
+    databasePoolMode: getOptionalConfigFromEnv('DATABASE_POOL_MODE'),
     databaseMaxConnections: parseInt(
       getOptionalConfigFromEnv('DATABASE_MAX_CONNECTIONS') || '20',
       10
@@ -484,18 +482,26 @@ export function getConfig(options?: { reload?: boolean }): StorageConfigType {
     ),
   } as StorageConfigType
 
-  if (!config.isMultitenant && !config.serviceKey) {
-    config.serviceKey = jwt.sign({ role: config.dbServiceRole }, config.jwtSecret, {
-      expiresIn: '10y',
-      algorithm: config.jwtAlgorithm as jwt.Algorithm,
-    })
+  const serviceKey = getOptionalConfigFromEnv('SERVICE_KEY') || ''
+  if (!config.isMultitenant && !serviceKey) {
+    config.serviceKeyAsync = new SignJWT({ role: config.dbServiceRole })
+      .setIssuedAt()
+      .setExpirationTime('10y')
+      .setProtectedHeader({ alg: 'HS256' })
+      .sign(new TextEncoder().encode(config.jwtSecret))
+  } else {
+    config.serviceKeyAsync = Promise.resolve(serviceKey)
   }
 
-  if (!config.isMultitenant && !config.anonKey) {
-    config.anonKey = jwt.sign({ role: config.dbAnonRole }, config.jwtSecret, {
-      expiresIn: '10y',
-      algorithm: config.jwtAlgorithm as jwt.Algorithm,
-    })
+  const anonKey = getOptionalConfigFromEnv('ANON_KEY') || ''
+  if (!config.isMultitenant && !anonKey) {
+    config.anonKeyAsync = new SignJWT({ role: config.dbAnonRole })
+      .setIssuedAt()
+      .setExpirationTime('10y')
+      .setProtectedHeader({ alg: 'HS256' })
+      .sign(new TextEncoder().encode(config.jwtSecret))
+  } else {
+    config.anonKeyAsync = Promise.resolve(anonKey)
   }
 
   const jwtJWKS = getOptionalConfigFromEnv('JWT_JWKS') || null

package-lock.json

@@ -1,15 +1,15 @@
 import fastifyPlugin from 'fastify-plugin'
-import { JwtPayload } from 'jsonwebtoken'
+import { JWTPayload } from 'jose'
 
-import { verifyJWT } from '@internal/auth'
+import { verifyCacheJwt, verifyJWT } from '@internal/auth'
 import { getJwtSecret } from '@internal/database'
 import { ERRORS } from '@internal/errors'
 
 declare module 'fastify' {
   interface FastifyRequest {
     isAuthenticated: boolean
     jwt: string
-    jwtPayload?: JwtPayload & { role?: string }
+    jwtPayload?: JWTPayload & { role?: string }
     owner?: string
   }
 
@@ -37,7 +37,7 @@ export const jwt = fastifyPlugin(
       const { secret, jwks } = await getJwtSecret(request.tenantId)
 
       try {
-        const payload = await verifyJWT(request.jwt, secret, jwks || null)
+        const payload = await verifyCacheJwt(request.jwt, secret, jwks || null)
         request.jwtPayload = payload
         request.owner = payload.sub
         request.isAuthenticated = true

package.json

@@ -9,8 +9,8 @@ import { getConfig } from '../../config'
 import { MultipartFile, MultipartValue } from '@fastify/multipart'
 
 const {
-  anonKey,
-  serviceKey,
+  anonKeyAsync,
+  serviceKeyAsync,
   storageS3Region,
   isMultitenant,
   requestAllowXForwardedPrefix,
@@ -138,7 +138,9 @@ async function createServerSignature(tenantId: string, clientSignature: ClientSi
   const awsService = 's3'
 
   if (clientSignature?.sessionToken) {
-    const tenantAnonKey = isMultitenant ? (await getTenantConfig(tenantId)).anonKey : anonKey
+    const tenantAnonKey = isMultitenant
+      ? (await getTenantConfig(tenantId)).anonKey
+      : await anonKeyAsync
 
     if (!tenantAnonKey) {
       throw ERRORS.AccessDenied('Missing tenant anon key')
@@ -198,5 +200,5 @@ async function createServerSignature(tenantId: string, clientSignature: ClientSi
     },
   })
 
-  return { signature, claims: undefined, token: serviceKey }
+  return { signature, claims: undefined, token: await serviceKeyAsync }
 }

src/config.ts

@@ -90,8 +90,7 @@ function validateAddJwkRequest({ jwk, kind }: JwksAddRequestInterface['Body']):
       if (jwk.d) {
         return { message: 'Invalid asymmetric public jwk. Private fields are not allowed' }
       }
-      // jsonwebtoken does not support OKP (ed25519/Ed448) keys yet, if/when this changes replace this with a break and we should be good to go
-      return { message: 'OKP jwks are not yet supported. Please use RSA or EC' }
+      break
     default:
       return { message: 'Unsupported jwk algorithm ' + jwk.kty }
   }

src/http/plugins/jwt.ts

@@ -26,6 +26,7 @@ const patchSchema = {
       anonKey: { type: 'string' },
       databaseUrl: { type: 'string' },
       databasePoolUrl: { type: 'string', nullable: true },
+      databasePoolMode: { type: 'string', nullable: true },
       maxConnections: { type: 'number' },
       jwks: { type: 'object', nullable: true },
       fileSizeLimit: { type: 'number' },
@@ -112,6 +113,7 @@ export default async function routes(fastify: FastifyInstance) {
         anon_key,
         database_url,
         database_pool_url,
+        database_pool_mode,
         max_connections,
         file_size_limit,
         jwt_secret,
@@ -130,6 +132,7 @@ export default async function routes(fastify: FastifyInstance) {
         anonKey: decrypt(anon_key),
         databaseUrl: decrypt(database_url),
         databasePoolUrl: database_pool_url ? decrypt(database_pool_url) : undefined,
+        databasePoolMode: database_pool_mode,
         maxConnections: max_connections ? Number(max_connections) : undefined,
         fileSizeLimit: Number(file_size_limit),
         jwtSecret: decrypt(jwt_secret),
@@ -164,6 +167,7 @@ export default async function routes(fastify: FastifyInstance) {
       anon_key,
       database_url,
       database_pool_url,
+      database_pool_mode,
       max_connections,
       file_size_limit,
       jwt_secret,
@@ -188,6 +192,7 @@ export default async function routes(fastify: FastifyInstance) {
           : database_pool_url
           ? decrypt(database_pool_url)
           : undefined,
+      databasePoolMode: database_pool_mode,
       maxConnections: max_connections ? Number(max_connections) : undefined,
       fileSizeLimit: Number(file_size_limit),
       jwtSecret: decrypt(jwt_secret),
@@ -217,6 +222,7 @@ export default async function routes(fastify: FastifyInstance) {
     const {
       anonKey,
       databaseUrl,
+      databasePoolMode,
       fileSizeLimit,
       jwtSecret,
       jwks,
@@ -233,6 +239,7 @@ export default async function routes(fastify: FastifyInstance) {
         anon_key: encrypt(anonKey),
         database_url: encrypt(databaseUrl),
         database_pool_url: databasePoolUrl ? encrypt(databasePoolUrl) : undefined,
+        database_pool_mode: databasePoolMode,
         max_connections: maxConnections ? Number(maxConnections) : undefined,
         file_size_limit: fileSizeLimit,
         jwt_secret: encrypt(jwtSecret),
@@ -280,6 +287,7 @@ export default async function routes(fastify: FastifyInstance) {
         serviceKey,
         features,
         databasePoolUrl,
+        databasePoolMode,
         maxConnections,
         tracingMode,
         disableEvents,
@@ -295,6 +303,7 @@ export default async function routes(fastify: FastifyInstance) {
             : databasePoolUrl === null
             ? null
             : undefined,
+          database_pool_mode: databasePoolMode,
           max_connections: maxConnections ? Number(maxConnections) : undefined,
           file_size_limit: fileSizeLimit,
           jwt_secret: jwtSecret !== undefined ? encrypt(jwtSecret) : undefined,