tried different solutions for asymmetric keys and only HS256 could

create a JWT but without a valid signature
2026-02-06 01:46:07 +00:00 · 2025-04-15 16:49:51 +02:00 · 2025-04-15 16:49:51 +02:00 · 41032e5fc6
commit 41032e5fc6
parent 675ee6fd81
1 changed files with 37 additions and 18 deletions
--- a/backend/src/auth/jwt/JWT.ts
+++ b/backend/src/auth/jwt/JWT.ts
@ -1,3 +1,5 @@
+import { createPrivateKey, sign } from 'node:crypto'
+
 import { SignJWT, jwtVerify } from 'jose'

 import { LogError } from '@/server/LogError'
@ -7,21 +9,30 @@ import { JwtPayloadType } from './payloadtypes/JwtPayloadType'

 export const verify = async (token: string, signkey: Buffer): Promise<JwtPayloadType | null> => {
  if (!token) throw new LogError('401 Unauthorized')
-  logger.debug(
-    'JWT.verify... token, signkey, signkey.toString()',
+  logger.info(
+    'JWT.verify... token, signkey, signkey.toString(hex)',
    token,
    signkey,
-    signkey.toString(),
+    signkey.toString('hex'),
  )

  try {
-    const secret = new TextEncoder().encode(signkey.toString())
-    logger.debug('JWT.verify... secret=', secret)
-    const { payload } = await jwtVerify(token, secret, {
+    /*
+    const { KeyObject } = await import('node:crypto')
+    const cryptoKey = await crypto.subtle.importKey('raw', signkey, { name: 'RS256' }, false, [ 
+      'sign',
+    ])
+    const keyObject = KeyObject.from(cryptoKey)
+    logger.info('JWT.verify... keyObject=', keyObject)
+    logger.info('JWT.verify... keyObject.asymmetricKeyDetails=', keyObject.asymmetricKeyDetails)
+    logger.info('JWT.verify... keyObject.asymmetricKeyType=', keyObject.asymmetricKeyType)
+    logger.info('JWT.verify... keyObject.asymmetricKeySize=', keyObject.asymmetricKeySize)
+    */
+    const { payload } = await jwtVerify(token, signkey, {
      issuer: 'urn:gradido:issuer',
      audience: 'urn:gradido:audience',
    })
-    logger.debug('JWT.verify after jwtVerify... payload=', payload)
+    logger.info('JWT.verify after jwtVerify... payload=', payload)
    return payload as unknown as JwtPayloadType
  } catch (err) {
    logger.error('JWT.verify after jwtVerify... error=', err)
@ -30,17 +41,25 @@ export const verify = async (token: string, signkey: Buffer): Promise<JwtPayload
 }

 export const encode = async (payload: JwtPayloadType, signkey: Buffer): Promise<string> => {
-  const secret = new TextEncoder().encode(signkey.toString())
-  const token = await new SignJWT({ payload, 'urn:gradido:claim': true })
-    .setProtectedHeader({
-      alg: 'RS256',
-    })
-    .setIssuedAt()
-    .setIssuer('urn:gradido:issuer')
-    .setAudience('urn:gradido:audience')
-    .setExpirationTime(payload.expiration)
-    .sign(secret)
-  return token
+  logger.info('JWT.encode... payload=', payload)
+  logger.info('JWT.encode... signkey=', signkey)
+  logger.info('JWT.encode... signkey length=', signkey.length)
+  logger.info('JWT.encode... signkey.toString(hex)=', signkey.toString('hex'))
+  try {
+    const token = await new SignJWT({ payload, 'urn:gradido:claim': true })
+      .setProtectedHeader({
+        alg: 'HS256',
+      })
+      .setIssuedAt()
+      .setIssuer('urn:gradido:issuer')
+      .setAudience('urn:gradido:audience')
+      .setExpirationTime(payload.expiration)
+      .sign(signkey)
+    return token
+  } catch (e) {
+    logger.error('Failed to sign JWT:', e)
+    throw e
+  }
 }

 export const verifyJwtType = async (token: string, signkey: Buffer): Promise<string> => {