next try for verifyJWT with RS256 and private/public key usage

2026-02-06 01:46:07 +00:00 · 2025-04-14 19:03:47 +02:00 · 2025-04-14 19:03:47 +02:00 · 675ee6fd81
commit 675ee6fd81
parent 1b2f1ea275
2 changed files with 26 additions and 13 deletions
--- a/backend/src/auth/jwt/JWT.ts
+++ b/backend/src/auth/jwt/JWT.ts
@ -5,21 +5,26 @@ import { backendLogger as logger } from '@/server/logger'

 import { JwtPayloadType } from './payloadtypes/JwtPayloadType'

-export const decode = async (token: string, signkey: Buffer): Promise<JwtPayloadType | null> => {
+export const verify = async (token: string, signkey: Buffer): Promise<JwtPayloadType | null> => {
  if (!token) throw new LogError('401 Unauthorized')
-  logger.debug('JWT.decode... token, signkey=', token, signkey)
+  logger.debug(
+    'JWT.verify... token, signkey, signkey.toString()',
+    token,
+    signkey,
+    signkey.toString(),
+  )

  try {
    const secret = new TextEncoder().encode(signkey.toString())
-    logger.debug('JWT.decode... secret=', secret)
+    logger.debug('JWT.verify... secret=', secret)
    const { payload } = await jwtVerify(token, secret, {
      issuer: 'urn:gradido:issuer',
      audience: 'urn:gradido:audience',
    })
-    logger.debug('JWT.decode after jwtVerify... payload=', payload)
+    logger.debug('JWT.verify after jwtVerify... payload=', payload)
    return payload as unknown as JwtPayloadType
  } catch (err) {
-    logger.error('JWT.decode after jwtVerify... error=', err)
+    logger.error('JWT.verify after jwtVerify... error=', err)
    return null
  }
 }
@ -27,7 +32,9 @@ export const decode = async (token: string, signkey: Buffer): Promise<JwtPayload
 export const encode = async (payload: JwtPayloadType, signkey: Buffer): Promise<string> => {
  const secret = new TextEncoder().encode(signkey.toString())
  const token = await new SignJWT({ payload, 'urn:gradido:claim': true })
-    .setProtectedHeader({ alg: 'HS256' })
+    .setProtectedHeader({
+      alg: 'RS256',
+    })
    .setIssuedAt()
    .setIssuer('urn:gradido:issuer')
    .setAudience('urn:gradido:audience')
@ -36,7 +43,7 @@ export const encode = async (payload: JwtPayloadType, signkey: Buffer): Promise<
  return token
 }

-export const decodeJwtType = async (token: string, signkey: Buffer): Promise<string> => {
-  const payload = await decode(token, signkey)
+export const verifyJwtType = async (token: string, signkey: Buffer): Promise<string> => {
+  const payload = await verify(token, signkey)
  return payload ? payload.tokentype : 'unknown token type'
 }
--- a/backend/src/graphql/resolver/TransactionLinkResolver.ts
+++ b/backend/src/graphql/resolver/TransactionLinkResolver.ts
@ -23,7 +23,7 @@ import { TransactionLink, TransactionLinkResult } from '@model/TransactionLink'
 import { User } from '@model/User'
 import { QueryLinkResult } from '@union/QueryLinkResult'

-import { decode, encode } from '@/auth/jwt/JWT'
+import { verify, encode } from '@/auth/jwt/JWT'
 import { DisbursementJwtPayloadType } from '@/auth/jwt/payloadtypes/DisbursementJwtPayloadType'
 import { RIGHTS } from '@/auth/RIGHTS'
 import {
@ -177,21 +177,27 @@ export class TransactionLinkResolver {
        return new TransactionLink(dbTransactionLink, new User(user), redeemedBy, communities)
      } else {
        // disbursement jwt-token
-        logger.debug(
-          'TransactionLinkResolver.queryTransactionLink... disbursement jwt-token found=',
-        )
+        logger.debug('TransactionLinkResolver.queryTransactionLink... disbursement jwt-token found')
        // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-assignment
        const homeCom = await getHomeCommunity()
-        const jwtPayload = await decode(code, homeCom.publicKey)
+        const jwtPayload = await verify(code, homeCom.publicKey)
        logger.debug('TransactionLinkResolver.queryTransactionLink... jwtPayload=', jwtPayload)
        if (jwtPayload !== null && jwtPayload instanceof DisbursementJwtPayloadType) {
          const disburseJwtPayload: DisbursementJwtPayloadType = jwtPayload
+          logger.debug(
+            'TransactionLinkResolver.queryTransactionLink... disburseJwtPayload=',
+            jwtPayload,
+          )
          transactionLink.communityName = homeCom.name !== null ? homeCom.name : 'unknown'
          // transactionLink.user = new User()
          transactionLink.user.alias = disburseJwtPayload.sendername
          transactionLink.amount = new Decimal(disburseJwtPayload.amount)
          transactionLink.memo = disburseJwtPayload.memo
          transactionLink.code = disburseJwtPayload.redeemcode
+          logger.debug(
+            'TransactionLinkResolver.queryTransactionLink... transactionLink=',
+            transactionLink,
+          )
          return transactionLink
        } else {
          throw new LogError('Redeem with wrong type of JWT-Token! jwtType=', jwtPayload)