Skip to content

feat: support for remote JWKS #112

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 20 commits into
base: main
Choose a base branch
from
Open

feat: support for remote JWKS #112

Changes from 1 commit
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
71628be
Add strongly-typed support for remote JWKs that doesn't collide with …
jmlow Aug 29, 2025
f1bebfe
Clean up formatting
jmlow Aug 29, 2025
5c54235
Improve collision handling between 'secret' and 'remoteJwks' for plug…
jmlow Aug 29, 2025
74f44f2
Fix error handling and 'key' assignment with optional 'secret'
jmlow Aug 29, 2025
956e3d3
Add explicit any for 'data' (causes build failure when absent)
jmlow Aug 29, 2025
480dfd9
Implement security railguards for asymmetric encryption; Clean up typing
jmlow Aug 29, 2025
fb9fa87
Improve encryption algorithm handling; Strongly type jwtDecoration
jmlow Aug 29, 2025
6ac5421
Refactor remoteJwks configuration to remoteJwksUrl for cleaner seed; …
jmlow Aug 29, 2025
3df6f48
Revert remoteJwksUrl -> remoteJwks to keep plugin interface simpler f…
jmlow Aug 29, 2025
82333fb
Remove unnecessary 'remoteJwks!' assertion
jmlow Aug 29, 2025
0f69510
Clarify documentation/types for remote verify-only config
jmlow Aug 29, 2025
38b8d28
Fix setIat logic issue
jmlow Aug 29, 2025
53d00d6
Set `iat=true` when missing default or specific config to pass tests …
jmlow Aug 29, 2025
c69cae3
Update test to account for conditional 'sign()' decoration
jmlow Aug 29, 2025
7303181
Allow disabling 'iat' when set to 'false'
jmlow Aug 29, 2025
13849fd
Handle JWK with async 'sign()' and alg-aware key
jmlow Aug 29, 2025
a761d46
Improve 'setIat' checking; Remove sensitive data from checksum
jmlow Aug 29, 2025
ceee3dd
Generalize jwks to support local or remote (but still only asymmetric…
jmlow Aug 29, 2025
3c31c1e
Add test for jwks and secret implementations co-existing in plugin
jmlow Aug 29, 2025
1dff1ec
Revert conditional decorations & throw error in 'sign()' if missing '…
jmlow Aug 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 18 additions & 2 deletions src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,8 @@ import {
type JWK,
type KeyObject,
type JoseHeaderParameters,
type JWTVerifyOptions
type JWTVerifyOptions,
type JWTVerifyGetKey
} from 'jose'

import { Type as t } from '@sinclair/typebox'
Expand Down Expand Up @@ -185,6 +186,10 @@ export interface JWTOption<
* JWT Secret
*/
secret: string | Uint8Array | CryptoKey | JWK | KeyObject
/**
* Remote JWKS
*/
remoteJwks?: JWTVerifyGetKey
/**
* Type strict validation for JWT payload
*/
Expand All @@ -197,6 +202,7 @@ export const jwt = <
>({
name = 'jwt' as Name,
secret,
remoteJwks,
schema,
...defaultValues
}: // End JWT Payload
Expand Down Expand Up @@ -233,6 +239,7 @@ JWTOption<Name, Schema>) => {
seed: {
name,
secret,
remoteJwks,
schema,
...defaultValues
}
Expand Down Expand Up @@ -372,11 +379,20 @@ JWTOption<Name, Schema>) => {
if (!jwt) return false

try {
const data: any = (
let data: any;
if (remoteJwks) {
data = (
await (options
? jwtVerify(jwt, remoteJwks, options)
: jwtVerify(jwt, remoteJwks))
).payload
} else {
data = (
await (options
? jwtVerify(jwt, key, options)
: jwtVerify(jwt, key))
).payload
}

if (validator && !validator.Check(data))
throw new ValidationError('JWT', validator, data)
Expand Down