From 675ee6fd8112b847ed2c4c1a70098ea74c656817 Mon Sep 17 00:00:00 2001
From: clauspeterhuebner
Date: Mon, 14 Apr 2025 19:03:47 +0200
Subject: [PATCH] next try for verifyJWT with RS256 and private/public key usage
---
 backend/src/auth/jwt/JWT.ts | 23 ++++++++++++-------
 .../resolver/TransactionLinkResolver.ts | 16 +++++++++----
 2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/backend/src/auth/jwt/JWT.ts b/backend/src/auth/jwt/JWT.ts
index 5bf0166a4..f8acfe4a3 100644
--- a/backend/src/auth/jwt/JWT.ts
+++ b/backend/src/auth/jwt/JWT.ts
@@ -5,21 +5,26 @@ import { backendLogger as logger } from '@/server/logger'
 import { JwtPayloadType } from './payloadtypes/JwtPayloadType'
-export const decode = async (token: string, signkey: Buffer): Promise => {
+export const verify = async (token: string, signkey: Buffer): Promise => {
 if (!token) throw new LogError('401 Unauthorized')
- logger.debug('JWT.decode... token, signkey=', token, signkey)
+ logger.debug(
+ 'JWT.verify... token, signkey, signkey.toString()',
+ token,
+ signkey,
+ signkey.toString(),
+ )
 try {
 const secret = new TextEncoder().encode(signkey.toString())
- logger.debug('JWT.decode... secret=', secret)
+ logger.debug('JWT.verify... secret=', secret)
 const { payload } = await jwtVerify(token, secret, {
 issuer: 'urn:gradido:issuer',
 audience: 'urn:gradido:audience',
 })
- logger.debug('JWT.decode after jwtVerify... payload=', payload)
+ logger.debug('JWT.verify after jwtVerify... payload=', payload)
 return payload as unknown as JwtPayloadType
 } catch (err) {
- logger.error('JWT.decode after jwtVerify... error=', err)
+ logger.error('JWT.verify after jwtVerify... error=', err)
 return null
 }
 }
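Review bot: `jwtVerify(token, secret, …)` is still handed the Uint8Array that `TextEncoder` builds from `signkey`, and jose accepts a byte secret only for the HMAC (HS*) algorithms, so a token whose header says RS256 — the alg this commit sets in the encode hunk below — will be rejected here with a key-type error rather than verified; the RSA public key has to be imported first, e.g. `const publicKey = await importSPKI(signkey.toString(), 'RS256')` (assuming `signkey` holds a PEM/SPKI-encoded public key — confirm; `importSPKI` must be added to the `jose` import outside this hunk) and passed as `jwtVerify(token, publicKey, { algorithms: ['RS256'], issuer: 'urn:gradido:issuer', audience: 'urn:gradido:audience' })`, with `algorithms` pinned so no other alg is accepted for this key. The same mismatch affects the encode hunk, where `secret` is still the TextEncoder output while RS256 signing needs a private key imported via `importPKCS8`. The new debug call also writes the raw bearer token and the key bytes (`signkey`, `signkey.toString()`, and `secret` on the following debug line) to the log; key material and tokens should not be logged, so I would reduce it to `logger.debug('JWT.verify... token length=', token.length)`. Separately, `return payload as unknown as JwtPayloadType` returns the whole JWT claim set, but encode nests the application claims under a `payload` key (`new SignJWT({ payload, 'urn:gradido:claim': true })`), so callers reading `payload.tokentype` likely get undefined — worth confirming before relying on `verifyJwtType`.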
@@ -27,7 +32,9 @@ export const decode = async (token: string, signkey: Buffer): Promise => {
 const secret = new TextEncoder().encode(signkey.toString())
 const token = await new SignJWT({ payload, 'urn:gradido:claim': true })
- .setProtectedHeader({ alg: 'HS256' })
+ .setProtectedHeader({
+ alg: 'RS256',
+ })
 .setIssuedAt()
 .setIssuer('urn:gradido:issuer')
 .setAudience('urn:gradido:audience')
@@ -36,7 +43,7 @@ export const encode = async (payload: JwtPayloadType, signkey: Buffer): Promise<
 return token
 }
-export const decodeJwtType = async (token: string, signkey: Buffer): Promise => {
- const payload = await decode(token, signkey)
+export const verifyJwtType = async (token: string, signkey: Buffer): Promise => {
+ const payload = await verify(token, signkey)
 return payload ? payload.tokentype : 'unknown token type'
 }
diff --git a/backend/src/graphql/resolver/TransactionLinkResolver.ts b/backend/src/graphql/resolver/TransactionLinkResolver.ts
index c5c040eea..429c7ba9b 100644
--- a/backend/src/graphql/resolver/TransactionLinkResolver.ts
+++ b/backend/src/graphql/resolver/TransactionLinkResolver.ts
@@ -23,7 +23,7 @@ import { TransactionLink, TransactionLinkResult } from '@model/TransactionLink'
 import { User } from '@model/User'
 import { QueryLinkResult } from '@union/QueryLinkResult'
-import { decode, encode } from '@/auth/jwt/JWT'
+import { verify, encode } from '@/auth/jwt/JWT'
 import { DisbursementJwtPayloadType } from '@/auth/jwt/payloadtypes/DisbursementJwtPayloadType'
 import { RIGHTS } from '@/auth/RIGHTS'
 import {
@@ -177,21 +177,27 @@ export class TransactionLinkResolver {
 return new TransactionLink(dbTransactionLink, new User(user), redeemedBy, communities)
 } else {
 // disbursement jwt-token
- logger.debug(
- 'TransactionLinkResolver.queryTransactionLink... disbursement jwt-token found=',
- )
+ logger.debug('TransactionLinkResolver.queryTransactionLink... disbursement jwt-token found')
 // eslint-disable-next-line @typescript-eslint/no-unsafe-call, @typescript-eslint/no-unsafe-assignment
 const homeCom = await getHomeCommunity()
- const jwtPayload = await decode(code, homeCom.publicKey)
+ const jwtPayload = await verify(code, homeCom.publicKey)
 logger.debug('TransactionLinkResolver.queryTransactionLink... jwtPayload=', jwtPayload)
 if (jwtPayload !== null && jwtPayload instanceof DisbursementJwtPayloadType) {
 const disburseJwtPayload: DisbursementJwtPayloadType = jwtPayload
+ logger.debug(
+ 'TransactionLinkResolver.queryTransactionLink... disburseJwtPayload=',
+ jwtPayload,
+ )
 transactionLink.communityName = homeCom.name !== null ? homeCom.name : 'unknown'
 // transactionLink.user = new User()
 transactionLink.user.alias = disburseJwtPayload.sendername
 transactionLink.amount = new Decimal(disburseJwtPayload.amount)
 transactionLink.memo = disburseJwtPayload.memo
 transactionLink.code = disburseJwtPayload.redeemcode
+ logger.debug(
+ 'TransactionLinkResolver.queryTransactionLink... transactionLink=',
+ transactionLink,
+ )
 return transactionLink
 } else {
 throw new LogError('Redeem with wrong type of JWT-Token! jwtType=', jwtPayload)
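Review bot: The two new debug calls dump the whole disbursement payload and the populated `transactionLink`, which carry `redeemcode`/`transactionLink.code` — the value that redeems the link — together with amount and memo, into the debug log; I would log only a non-secret field, e.g. `logger.debug('TransactionLinkResolver.queryTransactionLink... disburseJwtPayload.sendername=', disburseJwtPayload.sendername)`, and drop the `transactionLink=` dump. The first new call is labelled `disburseJwtPayload=` but passes `jwtPayload`; `disburseJwtPayload` is the narrowed alias declared on the line just above, so pass that to keep label and value consistent. Note also that `verify` returns the plain object produced by jwtVerify (`return payload as unknown as JwtPayloadType` in JWT.ts), so the `instanceof DisbursementJwtPayloadType` guard above the new lines is likely never true for a real token and the new logging would be unreachable — worth confirming with a signed token. `queryTransactionLink` begins before this hunk and continues past it.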