Merge pull request #42 from fumeapp/jwt-to-jose

🔽 cant use jsonwebtoken
fumeapp · Sep 30, 2024 · 5f2f096 · 5f2f096
2 parents 0e5c85d + a51041a
commit 5f2f096
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 90 deletions.
diff --git a/package.json b/package.json
@@ -30,7 +30,8 @@
     "@nuxt/ui-pro": "^1.4.3",
     "@prisma/adapter-d1": "^5.20.0",
     "@types/jsonwebtoken": "^9.0.7",
-    "date-fns": "^4.1.0"
+    "date-fns": "^4.1.0",
+    "jose": "^5.9.3"
   },
   "devDependencies": {
     "@antfu/eslint-config": "^3.7.1",
@@ -49,7 +50,6 @@
     "@vitest/ui": "^2.1.1",
     "dotenv-cli": "^7.4.2",
     "happy-dom": "^15.7.4",
-    "jsonwebtoken": "^9.0.2",
     "nuxt": "^3.13.2",
     "nuxt-auth-utils": "^0.3.9",
     "nuxt-og-image": "3.0.2",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/server/controllers/oauth.ts b/server/controllers/oauth.ts
@@ -103,7 +103,7 @@ export const appleHandler = defineEventHandler(async (event) => {
   const config = useRuntimeConfig(event).apple
   const body = await readBody(event)
   const token = await apple.getAuthToken(config, body.code)
-  const verified = apple.verifyIdToken(token.id_token)
+  const verified = await apple.verifyIdToken(token.id_token)
 
   let dbUser
   if (body.user)

diff --git a/server/utils/apple.ts b/server/utils/apple.ts
@@ -1,4 +1,4 @@
-import jwt from 'jsonwebtoken'
+import * as jose from 'jose'
 
 import { FetchError } from 'ofetch'
 
@@ -54,7 +54,7 @@ const getAuthURL = (config: AppleConfig): string => {
   return url.toString()
 }
 
-const getSecret = (config: AppleConfig) => {
+const getSecret = async (config: AppleConfig) => {
   const timeNow = Math.floor(Date.now() / 1000)
 
   const claims = {
@@ -69,7 +69,13 @@ const getSecret = (config: AppleConfig) => {
 ${config.privateKey.split(':BR:').join('\n')}
 -----END PRIVATE KEY-----`
 
-  return jwt.sign(claims, key, { algorithm: 'ES256', header })
+  // return jwt.sign(claims, key, { algorithm: 'ES256', header })
+  const privateKey = await jose.importPKCS8(key, 'ES256')
+  return new jose.SignJWT(claims)
+    .setProtectedHeader(header)
+    .setIssuedAt()
+    .setExpirationTime('5m')
+    .sign(privateKey)
 }
 
 // taken from nuxt-auth-utils until we can figure out how to import it
@@ -99,18 +105,22 @@ export async function requestAccessToken(url: string, options: RequestAccessToke
 const getAuthToken = async (config: AppleConfig, code: string): Promise<AppleTokenResponse> => {
   return requestAccessToken('https://appleid.apple.com/auth/token', { params: {
     client_id: config.clientId,
-    client_secret: getSecret(config),
+    client_secret: await getSecret(config),
     code,
     grant_type: 'authorization_code',
     redirect_uri: config.redirectURL,
   } })
 }
 
-const verifyIdToken = (idToken: string): AppleVerifiedToken => {
-  return jwt.decode(idToken, {
-    algorithm: 'RS256',
+const verifyIdToken = async (idToken: string): Promise<AppleVerifiedToken> => {
+  const JWKS = jose.createRemoteJWKSet(new URL('https://appleid.apple.com/auth/keys'))
+
+  const { payload } = await jose.jwtVerify(idToken, JWKS, {
     issuer: 'https://appleid.apple.com',
-  }) as unknown as AppleVerifiedToken
+    audience: 'fume.bio',
+  })
+
+  return payload as unknown as AppleVerifiedToken
 }
 
 export const apple = {