new test and correct encryptAndSign + decryptAndVerify

clauspeterhuebner 2025-07-01 18:21:31 +02:00
parent cc5f3f7ee4
commit 81de0c6c07
3 changed files with 45 additions and 32 deletions


@ -2,7 +2,7 @@
// import { testEnvironment } from '@test/helpers'
// import { logger } from '@test/testSetup'
import { createKeyPair, decode, decrypt, encode, encrypt, verify } from './JWT'
import { createKeyPair, decode, decrypt, encode, encrypt, encryptAndSign, verify, verifyAndDecrypt } from './JWT'
import { EncryptedJWEJwtPayloadType } from './payloadtypes/EncryptedJWEJwtPayloadType'
import { OpenConnectionJwtPayloadType } from './payloadtypes/OpenConnectionJwtPayloadType'
@ -35,13 +35,10 @@ describe('test JWS creation and verification', () => {
beforeEach(async () => {
jest.clearAllMocks()
jwsComA = await encode(new OpenConnectionJwtPayloadType('http://localhost:5001/api/'), keypairComA.privateKey)
console.log('jwsComA', jwsComA)
jwsComB = await encode(new OpenConnectionJwtPayloadType('http://localhost:5002/api/'), keypairComB.privateKey)
console.log('jwsComB', jwsComB)
})
it('decode jwsComA', async () => {
const decodedJwsComA = await decode(jwsComA)
console.log('decodedJwsComA', decodedJwsComA)
expect(decodedJwsComA).toEqual({
expiration: '10m',
tokentype: OpenConnectionJwtPayloadType.OPEN_CONNECTION_TYPE,
@ -50,7 +47,6 @@ describe('test JWS creation and verification', () => {
})
it('decode jwsComB', async () => {
const decodedJwsComB = await decode(jwsComB)
console.log('decodedJwsComB', decodedJwsComB)
expect(decodedJwsComB).toEqual({
expiration: '10m',
tokentype: OpenConnectionJwtPayloadType.OPEN_CONNECTION_TYPE,
@ -59,7 +55,6 @@ describe('test JWS creation and verification', () => {
})
it('verify jwsComA', async () => {
const verifiedJwsComA = await verify(jwsComA, keypairComA.publicKey)
console.log('verifiedJwsComA', verifiedJwsComA)
expect(verifiedJwsComA).toEqual(expect.objectContaining({
payload: expect.objectContaining({
tokentype: OpenConnectionJwtPayloadType.OPEN_CONNECTION_TYPE,
@ -69,7 +64,6 @@ describe('test JWS creation and verification', () => {
})
it('verify jwsComB', async () => {
const verifiedJwsComB = await verify(jwsComB, keypairComB.publicKey)
console.log('verifiedJwsComB', verifiedJwsComB)
expect(verifiedJwsComB).toEqual(expect.objectContaining({
payload: expect.objectContaining({
tokentype: OpenConnectionJwtPayloadType.OPEN_CONNECTION_TYPE,
@ -85,13 +79,10 @@ describe('test JWE encryption and decryption', () => {
beforeEach(async () => {
jest.clearAllMocks()
jweComA = await encrypt(new OpenConnectionJwtPayloadType('http://localhost:5001/api/'), keypairComB.publicKey)
console.log('jweComA', jweComA)
jweComB = await encrypt(new OpenConnectionJwtPayloadType('http://localhost:5002/api/'), keypairComA.publicKey)
console.log('jweComB', jweComB)
})
it('decrypt jweComA', async () => {
const decryptedAJwT = await decrypt(jweComA, keypairComB.privateKey)
console.log('decryptedAJwT', decryptedAJwT)
expect(JSON.parse(decryptedAJwT)).toEqual(expect.objectContaining({
tokentype: OpenConnectionJwtPayloadType.OPEN_CONNECTION_TYPE,
url: 'http://localhost:5001/api/',
@ -99,7 +90,6 @@ describe('test JWE encryption and decryption', () => {
})
it('decrypt jweComB', async () => {
const decryptedBJwT = await decrypt(jweComB, keypairComA.privateKey)
console.log('decryptedBJwT', decryptedBJwT)
expect(JSON.parse(decryptedBJwT)).toEqual(expect.objectContaining({
tokentype: OpenConnectionJwtPayloadType.OPEN_CONNECTION_TYPE,
url: 'http://localhost:5002/api/',
@ -110,24 +100,17 @@ describe('test JWE encryption and decryption', () => {
describe('test encrypted and signed JWT', () => {
let jweComA: string
let jwsComA: string
let jwtComA: string
let jweComB: string
let jwsComB: string
let jwtComB: string
beforeEach(async () => {
jest.clearAllMocks()
jweComA = await encrypt(new OpenConnectionJwtPayloadType('http://localhost:5001/api/'), keypairComB.publicKey)
console.log('jweComA', jweComA)
jwsComA = await encode(new EncryptedJWEJwtPayloadType(jweComA), keypairComA.privateKey)
console.log('jwsComA', jwsComA)
jweComB = await encrypt(new OpenConnectionJwtPayloadType('http://localhost:5002/api/'), keypairComA.publicKey)
console.log('jweComB', jweComB)
jwsComB = await encode(new EncryptedJWEJwtPayloadType(jweComB), keypairComB.privateKey)
console.log('jwsComB', jwsComB)
})
it('verify jwsComA', async () => {
const verifiedJwsComA = await verify(jwsComA, keypairComA.publicKey)
console.log('verifiedJwsComA', verifiedJwsComA)
expect(verifiedJwsComA).toEqual(expect.objectContaining({
payload: expect.objectContaining({
jwe: jweComA,
@ -137,7 +120,6 @@ describe('test encrypted and signed JWT', () => {
})
it('verify jwsComB', async () => {
const verifiedJwsComB = await verify(jwsComB, keypairComB.publicKey)
console.log('verifiedJwsComB', verifiedJwsComB)
expect(verifiedJwsComB).toEqual(expect.objectContaining({
payload: expect.objectContaining({
jwe: jweComB,
@ -157,4 +139,20 @@ describe('test encrypted and signed JWT', () => {
url: 'http://localhost:5002/api/',
}))
})
})
describe('test encryptAndSign and verifyAndDecrypt', () => {
let jwtComA: string
beforeEach(async () => {
jest.clearAllMocks()
jwtComA = await encryptAndSign(new OpenConnectionJwtPayloadType('http://localhost:5001/api/'), keypairComA.privateKey, keypairComB.publicKey)
})
it('verifyAndDecrypt jwtComA', async () => {
const verifiedAndDecryptedPayload = await verifyAndDecrypt(jwtComA, keypairComB.privateKey, keypairComA.publicKey)
expect(verifiedAndDecryptedPayload).toEqual(expect.objectContaining({
tokentype: OpenConnectionJwtPayloadType.OPEN_CONNECTION_TYPE,
url: 'http://localhost:5001/api/',
}))
})
})
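Review bot: The new `describe('test encryptAndSign and verifyAndDecrypt')` block only exercises the round-trip success path, so none of the three `return null` branches this commit adds to verifyAndDecrypt is covered. The tokentype guard can be pinned with a plain signed token: `const plain = await encode(new OpenConnectionJwtPayloadType('http://localhost:5001/api/'), keypairComA.privateKey)` followed by `expect(await verifyAndDecrypt(plain, keypairComB.privateKey, keypairComA.publicKey)).toBeNull()`. A second case should hand verifyAndDecrypt the wrong verification key (for example `keypairComB.publicKey`) and assert whichever outcome verify produces on a bad signature, a rejected promise or null, since that behaviour is outside this diff.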


@ -24,7 +24,7 @@ export const verify = async (token: string, publicKey: string): Promise<JwtPaylo
if (!token) {
throw new LogError('401 Unauthorized')
}
logger.info('JWT.verify... token, publicKey=', token, publicKey)
logger.debug('JWT.verify... token, publicKey=', token, publicKey)
try {
const importedKey = await importSPKI(publicKey, 'RS256')
@ -37,7 +37,7 @@ export const verify = async (token: string, publicKey: string): Promise<JwtPaylo
issuer: JwtPayloadType.ISSUER,
audience: JwtPayloadType.AUDIENCE,
})
logger.info('JWT.verify after jwtVerify... payload=', payload)
logger.debug('JWT.verify after jwtVerify... payload=', payload)
return payload as JwtPayloadType
} catch (err) {
logger.error('JWT.verify after jwtVerify... error=', err)
@ -46,8 +46,8 @@ export const verify = async (token: string, publicKey: string): Promise<JwtPaylo
}
export const encode = async (payload: JwtPayloadType, privatekey: string): Promise<string> => {
logger.info('JWT.encode... payload=', payload)
logger.info('JWT.encode... privatekey=', privatekey)
logger.debug('JWT.encode... payload=', payload)
logger.debug('JWT.encode... privatekey=', privatekey)
try {
const importedKey = await importPKCS8(privatekey, 'RS256')
const secret = typeof importedKey === 'string'
@ -82,8 +82,8 @@ export const decode = (token: string): JwtPayloadType => {
}
export const encrypt = async (payload: JwtPayloadType, publicKey: string): Promise<string> => {
logger.info('JWT.encrypt... payload=', payload)
logger.info('JWT.encrypt... publicKey=', publicKey)
logger.debug('JWT.encrypt... payload=', payload)
logger.debug('JWT.encrypt... publicKey=', publicKey)
try {
const encryptKey = await importSPKI(publicKey, 'RS256')
// Convert the key to JWK format if needed
@ -96,7 +96,7 @@ export const encrypt = async (payload: JwtPayloadType, publicKey: string): Promi
)
.setProtectedHeader({ alg: 'RSA-OAEP-256', enc: 'A256GCM' })
.encrypt(recipientKey)
logger.info('JWT.encrypt... jwe=', jwe)
logger.debug('JWT.encrypt... jwe=', jwe)
return jwe.toString()
} catch (e) {
logger.error('Failed to encrypt JWT:', e)
@ -105,14 +105,14 @@ export const encrypt = async (payload: JwtPayloadType, publicKey: string): Promi
}
export const decrypt = async(jwe: string, privateKey: string): Promise<string> => {
logger.info('JWT.decrypt... jwe=', jwe)
logger.info('JWT.decrypt... privateKey=', privateKey)
logger.debug('JWT.decrypt... jwe=', jwe)
logger.debug('JWT.decrypt... privateKey=', privateKey.substring(0, 10))
try {
const decryptKey = await importPKCS8(privateKey, 'RS256')
const { plaintext, protectedHeader } =
await compactDecrypt(jwe, decryptKey)
logger.info('JWT.decrypt... plaintext=', plaintext)
logger.info('JWT.decrypt... protectedHeader=', protectedHeader)
logger.debug('JWT.decrypt... plaintext=', plaintext)
logger.debug('JWT.decrypt... protectedHeader=', protectedHeader)
return plaintext.toString()
} catch (e) {
logger.error('Failed to decrypt JWT:', e)
@ -122,15 +122,29 @@ export const decrypt = async(jwe: string, privateKey: string): Promise<string> =
export const encryptAndSign = async (payload: JwtPayloadType, privateKey: string, publicKey: string): Promise<string> => {
const jwe = await encrypt(payload, publicKey)
logger.debug('JWT.encryptAndSign... jwe=', jwe)
const jws = await encode(new EncryptedJWEJwtPayloadType(jwe), privateKey)
logger.debug('JWT.encryptAndSign... jws=', jws)
return jws
}
export const verifyAndDecrypt = async (token: string, privateKey: string, publicKey: string): Promise<JwtPayloadType | null> => {
const jwePayload = await verify(token, privateKey) as EncryptedJWEJwtPayloadType
const jweVerifyResult = await verify(token, publicKey)
if (!jweVerifyResult) {
return null
}
const jwePayload = jweVerifyResult.payload as EncryptedJWEJwtPayloadType
logger.debug('JWT.verifyAndDecrypt... jwePayload=', jwePayload)
if (!jwePayload) {
return null
}
const payload = await decrypt(jwePayload.jwe as string, publicKey)
const jwePayloadType = jwePayload.tokentype
if (jwePayloadType !== EncryptedJWEJwtPayloadType.ENCRYPTED_JWE_TYPE) {
return null
}
const jwe = jwePayload.jwe
logger.debug('JWT.verifyAndDecrypt... jwe=', jwe)
const payload = await decrypt(jwe as string, privateKey)
logger.debug('JWT.verifyAndDecrypt... payload=', payload)
return JSON.parse(payload) as JwtPayloadType
}
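Review bot: `logger.debug('JWT.encode... privatekey=', privatekey)` in the encode hunk still writes the complete PKCS#8 signing key to the log, while the decrypt hunk was changed to log only `privateKey.substring(0, 10)`; a debug sink is still a log file, and private key material should not be recorded at any level. Drop that line, or reduce it to a non-secret marker such as `logger.debug('JWT.encode... privatekey length=', privatekey.length)`. The same consideration applies to `JWT.decrypt... plaintext=` and `JWT.verifyAndDecrypt... payload=`, which put the decrypted inner token body into the log. In the verifyAndDecrypt hunk, `jwePayload.jwe as string` is passed to decrypt without a presence check, so a correctly signed token of the right tokentype but with no jwe field presumably ends in decrypt's error handling rather than the null path the surrounding guards establish; `if (typeof jwe !== 'string') return null` before the decrypt call keeps the two consistent.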


@ -13,6 +13,7 @@ export class PublicCommunityInfoLoggingView extends AbstractLoggingView {
description: this.self.description,
creationDate: this.dateToString(this.self.creationDate),
publicKey: this.self.publicKey,
publicJwtKey: this.self.publicJwtKey,
}
}
}