diff --git a/backend/src/auth/CustomJwtPayload.ts b/backend/src/auth/CustomJwtPayload.ts
index 7966b413e..e20e5b272 100644
--- a/backend/src/auth/CustomJwtPayload.ts
+++ b/backend/src/auth/CustomJwtPayload.ts
@@ -1,5 +1,5 @@
-import { JwtPayload } from 'jsonwebtoken'
+import { JWTPayload } from 'jose'
-export interface CustomJwtPayload extends JwtPayload {
+export interface CustomJwtPayload extends JWTPayload {
 gradidoID: string
 }
diff --git a/backend/src/auth/JWT.ts b/backend/src/auth/JWT.ts
index 75a69cd0c..4f5d645c2 100644
--- a/backend/src/auth/JWT.ts
+++ b/backend/src/auth/JWT.ts
@@ -1,22 +1,33 @@
-import { verify, sign } from 'jsonwebtoken'
+import { SignJWT, jwtVerify } from 'jose'
 import { CONFIG } from '@/config/'
 import { LogError } from '@/server/LogError'
 import { CustomJwtPayload } from './CustomJwtPayload'
-export const decode = (token: string): CustomJwtPayload | null => {
+export const decode = async (token: string): Promise => {
 if (!token) throw new LogError('401 Unauthorized')
+
 try {
- return verify(token, CONFIG.JWT_SECRET)
+ const secret = new TextEncoder().encode(CONFIG.JWT_SECRET)
+ const { payload } = await jwtVerify(token, secret, {
+ issuer: 'urn:example:issuer', // TODO urn
+ audience: 'urn:example:audience', // TODO urn
+ })
+ return payload as CustomJwtPayload
 } catch (err) {
 return null
 }
 }
-export const encode = (gradidoID: string): string => {
- const token = sign({ gradidoID }, CONFIG.JWT_SECRET, {
- expiresIn: CONFIG.JWT_EXPIRES_IN,
- })
+export const encode = async (gradidoID: string): Promise => {
+ const secret = new TextEncoder().encode(CONFIG.JWT_SECRET)
+ const token = await new SignJWT({ gradidoID, 'urn:example:claim': true }) // TODO urn
+ .setProtectedHeader({ alg: 'HS256' })
+ .setIssuedAt()
+ .setIssuer('urn:example:issuer') // TODO urn
+ .setAudience('urn:example:audience') // TODO urn
+ .setExpirationTime(CONFIG.JWT_EXPIRES_IN)
+ .sign(secret)
 return token
 }
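Review bot: `return payload as CustomJwtPayload` in decode asserts that `gradidoID` is present and a string without checking it; jose types custom claims as `unknown`, so a verified token whose `gradidoID` is missing or not a string reaches callers as if it were typed. Replace the cast with a narrowing check, e.g. `if (typeof payload.gradidoID !== 'string') return null` before `return payload as CustomJwtPayload`, which keeps the existing null-on-invalid contract. The `jwtVerify` call should also pin `algorithms: ['HS256']` next to the issuer/audience options so verification only accepts what `encode` signs. The `urn:example:*` issuer and audience values and the `'urn:example:claim': true` claim are placeholders (already marked TODO) that will be embedded in and required of every token until they are moved into CONFIG; the `Promise` return types on decode and encode appear here without a type argument, which is presumably a rendering loss of `<CustomJwtPayload | null>` and `<string>`.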