From 41032e5fc68e61ed9132f38c14907ef09bb696fa Mon Sep 17 00:00:00 2001
From: clauspeterhuebner
Date: Tue, 15 Apr 2025 16:49:51 +0200
Subject: [PATCH] tried different solutions for asymmetric keys and only HS256
could create a JWT but without a valid signature
---
backend/src/auth/jwt/JWT.ts | 55 +++++++++++++++++++++++++------------
1 file changed, 37 insertions(+), 18 deletions(-)
diff --git a/backend/src/auth/jwt/JWT.ts b/backend/src/auth/jwt/JWT.ts
index f8acfe4a3..d4f954987 100644
--- a/backend/src/auth/jwt/JWT.ts
+++ b/backend/src/auth/jwt/JWT.ts
@@ -1,3 +1,5 @@
+import { createPrivateKey, sign } from 'node:crypto'
+
import { SignJWT, jwtVerify } from 'jose'
import { LogError } from '@/server/LogError'
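Review bot: `createPrivateKey` and `sign`, imported from `node:crypto` on the first added line, are not referenced by any new code in this patch; the only crypto use in verify is the commented-out dynamic `import('node:crypto')` block. If nothing outside these hunks picks them up, drop the line so the abandoned asymmetric-key experiment does not stay behind as an unused import.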
@@ -7,21 +9,30 @@ import { JwtPayloadType } from './payloadtypes/JwtPayloadType'
export const verify = async (token: string, signkey: Buffer): Promise => {
if (!token) throw new LogError('401 Unauthorized')
- logger.debug(
- 'JWT.verify... token, signkey, signkey.toString()',
+ logger.info(
+ 'JWT.verify... token, signkey, signkey.toString(hex)',
token,
signkey,
- signkey.toString(),
+ signkey.toString('hex'),
)
try {
- const secret = new TextEncoder().encode(signkey.toString())
- logger.debug('JWT.verify... secret=', secret)
- const { payload } = await jwtVerify(token, secret, {
+ /*
+ const { KeyObject } = await import('node:crypto')
+ const cryptoKey = await crypto.subtle.importKey('raw', signkey, { name: 'RS256' }, false, [
+ 'sign',
+ ])
+ const keyObject = KeyObject.from(cryptoKey)
+ logger.info('JWT.verify... keyObject=', keyObject)
+ logger.info('JWT.verify... keyObject.asymmetricKeyDetails=', keyObject.asymmetricKeyDetails)
+ logger.info('JWT.verify... keyObject.asymmetricKeyType=', keyObject.asymmetricKeyType)
+ logger.info('JWT.verify... keyObject.asymmetricKeySize=', keyObject.asymmetricKeySize)
+ */
+ const { payload } = await jwtVerify(token, signkey, {
issuer: 'urn:gradido:issuer',
audience: 'urn:gradido:audience',
})
- logger.debug('JWT.verify after jwtVerify... payload=', payload)
+ logger.info('JWT.verify after jwtVerify... payload=', payload)
return payload as unknown as JwtPayloadType
} catch (err) {
logger.error('JWT.verify after jwtVerify... error=', err)
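Review bot: The `logger.info` call at the top of verify writes the raw `signkey` Buffer and its hex form, together with the bearer token, into the log at info level, where the old code only logged at debug; with the HS256 scheme this patch adopts that Buffer is the shared signing secret, and the encode hunk logs it the same way (`signkey`, `signkey.length`, `signkey.toString('hex')`). Anyone who can read the logs can mint valid tokens, so log only non-reversible facts, e.g. `logger.debug('JWT.verify... token length=', token.length, 'signkey length=', signkey.length)`, and drop the key lines in encode likewise. The `jwtVerify(token, signkey, …)` call does not pin the algorithm, so every HMAC `alg` jose accepts for a byte-string key will verify; add `algorithms: ['HS256'],` beside `issuer`/`audience` so verification matches the `alg` encode now sets. The commented-out `importKey` block should be removed rather than committed, and the body of verify continues past the end of this hunk.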
@@ -30,17 +41,25 @@ export const verify = async (token: string, signkey: Buffer): Promise => {
- const secret = new TextEncoder().encode(signkey.toString())
- const token = await new SignJWT({ payload, 'urn:gradido:claim': true })
- .setProtectedHeader({
- alg: 'RS256',
- })
- .setIssuedAt()
- .setIssuer('urn:gradido:issuer')
- .setAudience('urn:gradido:audience')
- .setExpirationTime(payload.expiration)
- .sign(secret)
- return token
+ logger.info('JWT.encode... payload=', payload)
+ logger.info('JWT.encode... signkey=', signkey)
+ logger.info('JWT.encode... signkey length=', signkey.length)
+ logger.info('JWT.encode... signkey.toString(hex)=', signkey.toString('hex'))
+ try {
+ const token = await new SignJWT({ payload, 'urn:gradido:claim': true })
+ .setProtectedHeader({
+ alg: 'HS256',
+ })
+ .setIssuedAt()
+ .setIssuer('urn:gradido:issuer')
+ .setAudience('urn:gradido:audience')
+ .setExpirationTime(payload.expiration)
+ .sign(signkey)
+ return token
+ } catch (e) {
+ logger.error('Failed to sign JWT:', e)
+ throw e
+ }
}
export const verifyJwtType = async (token: string, signkey: Buffer): Promise => {