With new release of god_crypto v1.4.7, you can now add support for the following algorithms: RS512, PS256, and PS512.

RS512

await rsa.sign(message, { algorithm: "rsassa-pkcs1-v1_5", hash: "sha512" })
await rsa.verify(signature, message,  { algorithm: "rsassa-pkcs1-v1_5", hash: "sha512" });

PS256

await rsa.sign(message, { algorithm: "rsassa-pss", hash: "sha256" });
await rsa.verify(signature, message, { algorithm: "rsassa-pss", hash: "sha256" });

PS512

await rsa.sign(message, { algorithm: "rsassa-pss", hash: "sha512" });
await rsa.verify(signature, message, { algorithm: "rsassa-pss", hash: "sha512" });

Would it be possible to push the latest version to nest.land? Or is nest.land not supported anymore?

Noob here - what's the best way to access claims on a JWT once validation has passed?

https://nest.land/

Or would you rather do it yourself?

Hello there,

First of all thanks for the great work on this library. I'm finding it very useful.
I'm using it to sign in with Apple and it requires that the algorithm is ES256.
Do you have any plans to add this to the library?

Thanks

Hello,

I'm getting the following error when I attempt to verify an access token from auth0:

From what I can tell, RS256 keys are implemented in this library, but there may be something upstream going wrong with god_crypto?

TypeError: Unsupported key format
    at detect_format (https://deno.land/x/[email protected]/src/rsa/import_key.ts:25:9)
    at rsa_import_key (https://deno.land/x/[email protected]/src/rsa/import_key.ts:177:43)
    at Function.importKey (https://deno.land/x/[email protected]/src/rsa/mod.ts:102:23)
    at Function.parseKey (https://deno.land/x/[email protected]/src/rsa/mod.ts:89:17)
    at verify (https://deno.land/x/[email protected]/signature.ts:122:34)
    at verify (https://deno.land/x/[email protected]/mod.ts:149:13)
    at file:///home/arunscape/Downloads/capstone/server/server.ts:64:27
    at async dispatch (https://deno.land/x/[email protected]/middleware.ts:41:7)
    at async dispatch (https://deno.land/x/[email protected]/middleware.ts:41:7)
    at async dispatch (https://deno.land/x/[email protected]/middleware.ts:41:7)

I have successfully verified my key using jwt.io, but am struggling to verify it with djwt. Any help is appreciated.

jwt header:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "bhZbLtSnYfcBV8fKsvJQF"
}

payload:

{
  "https://polyserver.polypong.ca/email": "[email protected]",
  "iss": "https://polypong.us.auth0.com/",
  "sub": "google-oauth2|103380978269062535255",
  "aud": [
    "https://polyserver.polypong.ca",
    "https://polypong.us.auth0.com/userinfo"
  ],
  "iat": 1617403858,
  "exp": 1617490258,
  "azp": "mHazgm6fRKXOgoLxFYRhvstXJRl1dSGC",
  "scope": "openid profile email"
}

edit:
I should also probably mention that decode seems to parse the token correctly and I can extract the other data from it

Thanks!

The deps.ts file has dependencies for older versions of the Deno std lib.

https://github.com/timonson/djwt/blob/master/deps.ts

Current version is 0.95.0

I have created this function to extract the payload

async fetchPayload(token: string):Promise<object> {
    const data = await validateJwt(token, key, { isThrowing: false });
    return data.payload;
  },

but I am getting this error

TS2322 [ERROR]: Type 'Payload | undefined' is not assignable to type 'JwtObject | null'.
  Type 'undefined' is not assignable to type 'JwtObject | null'.
      return data.payload;

Hi! I am writing a JWT Middleware for Oak using your module, but I need the internal types, mainly Handlers to be exported. Would it be possible to export all types and interfaces?

Thanks for your work on this module!

Deno dev team has implemented hmac512, referencing denoland/deno#5924

@timonson If I'd get a chance this week, I can tackle this

I would like to check validity of Google Login JWT's which uses RS256.

Maybe this is already possible and i'm misinterpreting the README? If not, is it something you can/would implement?

The default implementation, and the default examples provided, results in insecure implementation.

Since algorithm of "none" is a value algorithm, and the validation method by default is using the algorithm specified within the token itself, an attack will succeed, if a token is send without signature and algorithm of "none".
This would allow access to the protected resources at any time, by generating tokens on the fly with algorithm "none", even if the original token was generated with HS256 or RS256 signature.

The validation function should be changed to always require an array of allowed algorithms as a required parameter. For a even more secure implementation, separate validation methods should be made available, one for each supported algorithm.

Prof of concept of the attack. The code below generates two tokens. One generated by makeJwt on the server, and one that could easily be generated locally by encoding a hacked payload and header.
Submit each token to the server, and the server will respond with "Valid JWT' in both cases.

import { serve } from "https://deno.land/[email protected]/http/server.ts";
import { encode, decode } from "https://deno.land/[email protected]/encoding/utf8.ts"
import { decodeString as convertHexToUint8Array } from "https://deno.land/[email protected]/encoding/hex.ts";
import { HmacSha256 } from "https://deno.land/[email protected]/hash/sha256.ts";
import { HmacSha512 } from "https://deno.land/[email protected]/hash/sha512.ts";
import { validateJwt } from "https://deno.land/x/[email protected]/validate.ts";
import { makeJwt, setExpiration, Jose, Payload } from "https://deno.land/x/[email protected]/create.ts";
import { convertUint8ArrayToBase64url } from "https://deno.land/x/[email protected]/base64/base64url.ts";

interface JwtInput {
  key: string;
  header: Jose;
  payload?: Payload;
}

const mykey = "your-secret";

const jwtInput = {
  header: { typ: "JWT", alg: "HS256" as const },
  payload: { iss: "joe", exp: setExpiration(new Date().getTime()+30000), securityRole: "user" },
  key: mykey,
}

const jwtHackedInput = {
  header: { typ: "JWT", alg: "none" as const },
  payload: { iss: "joe", exp: setExpiration(new Date().getTime()+30000), securityRole: "admin" },
  key: "",
}


function convertStringToBase64url(input: string): string {
  return convertUint8ArrayToBase64url(new TextEncoder().encode(input));
}

function encodeHackedJWT( { key, header, payload }: JwtInput ): string {
  return `${convertStringToBase64url(
    JSON.stringify(header)
  )}.${convertStringToBase64url(JSON.stringify(payload || ""))}.`;
}

console.log("server is listening at 0.0.0.0:3000")
for await (const req of serve("0.0.0.0:3000")) {
  if (req.method === "GET")
    req.respond({
      body: encode(makeJwt(jwtInput) + "\n" + encodeHackedJWT(jwtHackedInput) + "\n"),
    })
  else
    (await validateJwt(decode(await Deno.readAll(req.body)), mykey, {isThrowing:false}))
      ? req.respond({ body: encode("Valid JWT\n") })
      : req.respond({ status: 401, body: encode("Invalid JWT\n") })
}

Could you provide examples on how to set the jwt 'exp' claim with setExpiration():

1. a date four months from the current date
2. a date 16 hours from the current date

Thank you

Hello !
The validateJwt() function changed since your last commit and now I can't have my token when using it.
The token I get is "Invalid Signature" : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhZG1pbiIsImV4cCI6MTU5MTgyMDU5NzQ1NX0.QcfGBvexnUUP0b1-5KlEM7A3AuMtsTjijFVOhaYNRBE
When I try your exemple form your github in my project It doesn't work

Maybe I do something wrong but I don't know how to solve this
Thanks for your work and help !

It seems verify fail ( with latest version of Deno )
The hs512 exemple fail ...
( sometimes it work )
The problem is about signature

If you use Deno.bundle() to bundle with djwt lib compiler throws downcast error.
In one of the latest deno releases deno dev team generalized errors to use ErrOp and has removed some javascript errors.

The underlying problem is with hmac deno/x dependency is not being up to date.
There are a few options we have:

1. bring hmac lib up to latest and greatest (meaning contribute to https://github.com/chiefbiiko/hmac, it is stuck at v0.34.0, deno std is currently at v0.53.0)
2. use HmacSha256 from deno std package

The later option is limited to support only hmac256, hmac512 is not implemented. I've submitted a feature request to implement hmac512.

I propose to disable hmac512 support for now (I can submit PR to pluck it up and replace hmac256 with HmacSha256, I've tested it) and use what deno std provides. Eventually when deno implements 512 we can put it back in :)

Just in general I think it's better build on top of deno std.

@timonson would like to hear your thoughts.

I am working with oak and when I try to create a token the server responds with a status 500, it only happens when I use makeJwt

in validate.ts file, I have error in line 3, because link version is wrong

Error

import { encodeToString as convertUint8ArrayToHex } from "https://deno.land/[email protected]/encoding/hex.ts";

Solution

import { encodeToString as convertUint8ArrayToHex } from "https://deno.land/[email protected]/encoding/hex.ts";

It's currently hardcoded on 1 second. Would be nice if it's configurable.

https://github.com/timonson/djwt/blob/b154f20ef3827765a09901e0dbef1acf4e026ad9/mod.ts#L111
https://github.com/timonson/djwt/blob/b154f20ef3827765a09901e0dbef1acf4e026ad9/mod.ts#L115

TS1205 [ERROR]: Re-exporting a type when the '--isolatedModules' flag is provided requires using 'export type'.
  Payload,
  ~~~~~~~
    at https://deno.land/x/[email protected]/validate.ts:206:3

TS1205 [ERROR]: Re-exporting a type when the '--isolatedModules' flag is provided requires using 'export type'.
  Handlers,
  ~~~~~~~~
    at https://deno.land/x/[email protected]/validate.ts:207:3

TS1205 [ERROR]: Re-exporting a type when the '--isolatedModules' flag is provided requires using 'export type'.
  JwtObject,
  ~~~~~~~~~
    at https://deno.land/x/[email protected]/validate.ts:208:3

TS1205 [ERROR]: Re-exporting a type when the '--isolatedModules' flag is provided requires using 'export type'.
  JwtValidation,
  ~~~~~~~~~~~~~
    at https://deno.land/x/[email protected]/validate.ts:209:3

TS1205 [ERROR]: Re-exporting a type when the '--isolatedModules' flag is provided requires using 'export type'.
  Validation,
  ~~~~~~~~~~
    at https://deno.land/x/[email protected]/validate.ts:210:3

any existing lib version can use? or need to wait for fix?
I am using oak framework, thanks.

warning: Compiled module not found "https://deno.land/[email protected]/encoding/base64url.ts"
From: https://deno.land/x/[email protected]/_depts.ts
If the source module contains only types, use import type and export type to import it instead.

warning: Compiled module not found "https://deno.land/[email protected]/encoding/hex.ts"
From: https://deno.land/x/[email protected]/_depts.ts
If the source module contains only types, use import type and export type to import it instead.

warning: Compiled module not found "https://deno.land/[email protected]/hash/sha256.ts"
From: https://deno.land/x/[email protected]/_depts.ts
If the source module contains only types, use import type and export type to import it instead.

warning: Compiled module not found "https://deno.land/[email protected]/hash/sha512.ts"
From: https://deno.land/x/[email protected]/_depts.ts
If the source module contains only types, use import type and export type to import it instead.

warning: Compiled module not found "https://deno.land/x/[email protected]/rsa.ts"
From: https://deno.land/x/[email protected]/_depts.ts
If the source module contains only types, use import type and export type to import it instead.

error: Uncaught SyntaxError: The requested module 'https://deno.land/[email protected]/encoding/hex.ts' does not provide an export named 'decodeString'

Not sure what is causing this, the module does in fact has the export it needs...

I can generate a JWT just fine but when I try to validate the JWT it is invalid somehow:

const jwt = await makeJwt({ header, payload, jwtSecretKey })
const isJwtValid = await validateJwt(jwt, jwtSecretKey, { isThrowing: false })

In this case isJwtValid === null.

Also jwt.io indicates that the signature is not valid when I put the secret and JWT in on their landing page.

When using GitHub Actions I get an error when bundling my deno server.

Steps to reproduce

Using following yml file in GitHub Actions.

on: [push]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:

  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    
    - uses: actions/checkout@v2

    - uses: azure/[email protected]
      with:
        creds: ${{ secrets.AZURE_SECRET }}
    
    - name: Set up Deno
      uses: denolib/setup-deno@master
      with:
        deno-version: 1.0.2

    - name: Bundle and zip Deno app
      run: |
        deno bundle server.ts server.bundle.js
        zip app.zip server.bundle.js
    - name: Deploy to Azure Web Apps
      uses: anthonychu/azure-webapps-deno-deploy@master
      with:
        app-name: my-app-name
        resource-group: resource-group-demo
        package: app.zip
        script-file: server.bundle.js
        deno-version: "1.17.0"

Error

Run deno bundle server.ts server.bundle.js
Bundling file:///home/runner/work/cute-ferret-75/cute-ferret-75/server.ts
Download https://deno.land/x/[email protected]/mod.ts
Download https://deno.land/x/[email protected]/mod.ts
Download https://deno.land/x/[email protected]/mod.ts
Download https://deno.land/x/smtp/mod.ts
Download https://deno.land/x/scrypt/mod.ts
Warning Implicitly using latest version (v2.1.1) for https://deno.land/x/scrypt/mod.ts
Download https://deno.land/x/[email protected]/mod.ts
error: Expected Comma, got Some(Colon) at https://deno.land/x/[email protected]/mod.ts:73:10
Error: Process completed with exit code 1.

https://deno.land/x/[email protected] is returning a 404 at the moment

https://deno.land/x/[email protected] is the last one available.

deno.land/x downloads and stores your repository contents every time you create a git tag. We only do this once for every tag. This ensures that the contents we serve for a specific version can never change.
Our service needs to get informed whenever a new tag is created. For this purpose we use GitHub webhooks.

Maybe there is an issue with the webhook configuration ? Or is it something on their side ?

Getting an odd bug in my environment - would you have any advice on troubleshooting?

in my /deps.js - I have the line:
export { makeJwt, setExpiration, Jose, Payload } from "https://deno.land/x/djwt/create.ts"
To support subsequent imports into other project files as needed.

When deno run -A -r ./bin/server.js

The following error occurs:

error: Uncaught SyntaxError: The requested module 'https://deno.land/x/djwt/create.ts' does not provide an export named 'Jose'

Same is true for "Payload"

error: Uncaught SyntaxError: The requested module 'https://deno.land/x/djwt/create.ts' does not provide an export named 'Payload'

Both "makeJWT" and "setExpiration" seem not to cause error...

Version:
deno 1.2.1
v8 8.5.216
typescript 3.9.2

Supporting the retrieval and use of JWKS public keys would be very helpful. This would allow secure use of public key JWT signatures provided by Auth0, Okta, and other JWKS providers. This would allow client or server side tools to validate JWT's signed by Auth0, Okta, and other identity providers.

https://auth0.com/docs/tokens/json-web-tokens/json-web-key-sets
https://developer.okta.com/code/dotnet/jwt-validation/

Here's a sample of a live JWKS keyset:

https://login.truestamp.com/.well-known/jwks.json

Here is a similar project from Auth0 that pulls in a JWKS set for use in their Node Express lib that might provide inspiration for the API:

https://github.com/auth0/node-jwks-rsa

cant cache deno.land/x/djwt/mod.ts as its not there, making the example files invalid.

Getting an Error while creating a Token in DENO v 1.13.0

error: TS2345 [ERROR]: Argument of type '"jwk"' is not assignable to parameter of type '"raw"'.
"jwk",
~~~~~
at https://deno.land/x/[email protected]/src/rsa/rsa_wc.ts:55:5

Hi,

I am currently writing an app in deno that syncs playlists between spotify and apple music.
The Apple Music API requites a JWT signed with ES256

https://developer.apple.com/documentation/applemusicapi/getting_keys_and_creating_tokens

If I had the slightest idea how to implement such an algorithm I would be happy to contribute, but maybe some expert here can add the support for ES256.

Regards
Chris

Please explain which to use when. verify requires secret so does that make it more safer in comparison?

P.S.: Please enable discussions section to ask questions/queries

Last time we need 3 parameters and then now changed to 1 parameter, honnestly its really annoying.

tried deno 1.5.1 all the way down to 1.0.0 - no luck

getting rid of _deps.ts and putting decodeString and encodeToString directly from deno encoding lib for each module _signature.ts and mod.ts make the bundle work fine

Hi. I try it as simplest as I can:

import { create } from "https://deno.land/x/[email protected]/mod.ts";

const key = await crypto.subtle.generateKey(
  { name: "HMAC", hash: "SHA-512" },
  true,
  ["sign", "verify"]
);

const jwt = await create({ alg: "HS512", typ: "JWT" }, { foo: "bar" }, key);

but get errors in console:

error: TS2304 [ERROR]: Cannot find name 'HmacKeyAlgorithm'.
): algorithm is HmacKeyAlgorithm | RsaHashedKeyAlgorithm {
                ~~~~~~~~~~~~~~~~
    at https://deno.land/x/[email protected]/algorithm.ts:24:17

TS2304 [ERROR]: Cannot find name 'RsaHashedKeyAlgorithm'.
): algorithm is HmacKeyAlgorithm | RsaHashedKeyAlgorithm {
                                   ~~~~~~~~~~~~~~~~~~~~~
    at https://deno.land/x/[email protected]/algorithm.ts:24:36

TS2304 [ERROR]: Cannot find name 'EcKeyAlgorithm'.
): algorithm is EcKeyAlgorithm {
                ~~~~~~~~~~~~~~
    at https://deno.land/x/[email protected]/algorithm.ts:30:17

TS2339 [ERROR]: Property 'hash' does not exist on type 'KeyAlgorithm'.
        return keyAlgorithm.hash.name === algAlgorithm.hash.name;
                            ~~~~
    at https://deno.land/x/[email protected]/algorithm.ts:47:29

TS2339 [ERROR]: Property 'namedCurve' does not exist on type 'never'.
        return keyAlgorithm.namedCurve === algAlgorithm.namedCurve;
                            ~~~~~~~~~~
    at https://deno.land/x/[email protected]/algorithm.ts:49:29

Found 5 errors.
[E] [daem] app crashed - waiting for file changes before starting ...

Any idea what is wrong? I use Deno 1.13.2

I introduced djwt into an application I am building, as soon as I do, I start getting this error:

error: Uncaught (in worker "") TS2304 [ERROR]: Cannot find name 'window'.
  let binaryString = window.atob(b);
                     ~~~~~~
    at https://deno.land/x/[email protected]/src/helper.ts:60:22
error: Uncaught (in promise) Error: Unhandled error event reached main worker.
    at Worker.#poll (deno:runtime/js/11_workers.js:269:21)

This error starts popping up on just adding the dependencies without even using it.

export {create} from "https://deno.land/x/[email protected]/mod.ts";

Any ideas on how to debug this? Not sure if it matters, but my application has some logic that already uses workers

PS: Maybe related to this? https://stackoverflow.com/questions/62231656/deno-web-workers-cannot-find-name-window

Hello, im new and not used to this library, and im trying to port from djwt 0.9.0 to 1.0.0.

On 0.9.0 i could use validateJwt to get the payload and therefore the iss data stored there as the following:

const data = await validateJwt(
    jwt,
    secret,
    { isThrowing: false},
  );

console.log(data.payload.iss);

but now i can't, and i can't find any updated example on the docs.

How can i access the iss data from a decripted jwt token on 1.0.0?
Sorry for any inconvenience.

Best regards!

I noticed djwt now wants a CryptoKey and not cert strings anymore. Since I'm pretty new to crypto I would love to have an example of how to use eg RSA key files.

Every tutorial on djwt uses the secret_key as a string that was on your older versions. Now you use the crypto.subtle.generateKey() instead. But Deno doesn't have an export for that key (i.e. crypto.subtle.export() is not available), so there's no way that I'm aware of to actually persist the key.

Can you make a permanent key option available again, or clarify in the example how this is done? As the example stands, this would invalidate all cookies if the server reset.

Deno 1.13.2
i can successfully generate token using web crypto api but token verification is always wrong.
How can i store crypto key somewhere for verification purposes

await verify(jwt, KEY)
.then(() => {
console.log('valid');
})
.catch((e) => {
console.log(e);
});

Add Oak Middleware Jwt in the examples section to show how this repo can be implemented 😄

on jwt token validation encountered:

error: Uncaught Error: Uncaught ReferenceError: window is not defined
    at WorkerImpl.#poll ($deno$/web/workers.ts:210:17)

Anyway to get this to work with nodejs or browser?

All the tutorials out there I could find seem to use an outdated api for djwt.

I'm looking to just authetnicate a user upon login and validate them for authorized api calls.

Hello timonson!
When I use oak-middleware-jwt (a package that uses djwt) + Deno v1.18.1, an error occurs:

error: TS2769 [ERROR]: No overload matches this call.
   The last overload gave the following error.
     Argument of type '"jwk"' is not assignable to parameter of type '"raw" | "pkcs8" | "spki"'.
     "jwk",
     ~~~~~~
     at https://deno.land/x/[email protected]/src/rsa/rsa_wc.ts:55:5

TS2771 [ERROR]: The last overload is declared here.
         at asset:///lib.dom.d.ts:13442:5

Don't know if this is the cause of my PC or the djwt version is too low?

When I verify a token that was created by jsonwebtoken node package, it always say that token is expired, althought it's not.

function isExpired(exp: number, leeway = 0): boolean {
  return new Date(exp + leeway) < new Date();
}

Problems arise even though the expiration date remains

In an older version, the function 'validateJwt' had an option called "isThrowing", which is now missing in the 'verify' function in the current version.
My question is, is it really missing entirely, or did you move it to another function?

Thanks in advance...

Hi,

I am getting an error when trying to verify( ) a JWT that I generated using the create( ) method.

DOMException: Unrecognized algorithm name

Hello,

Issues with using a djwt 1.9

Download https://deno.land/x/djwt/validate.ts
Download https://deno.land/x/djwt/create.ts
Warning Implicitly using latest version (v1.9) for https://deno.land/x/djwt/validate.ts
Download https://deno.land/x/[email protected]/validate.ts
Warning Implicitly using latest version (v1.9) for https://deno.land/x/djwt/create.ts
Download https://deno.land/x/[email protected]/create.ts
error: Import 'https://deno.land/x/[email protected]/validate.ts' failed: 404 Not Found
at file:///C:/Users/yuriy/OneDrive/Documents/GitHub/deno_rest/deps.ts:27:0

May have found the root cause of some of your previous bug reports around expiry times.

The spec makes it clear that times in claims should be in seconds, not in milliseconds. The specification uses the term NumericDate which it defines as A JSON numeric value representing the number of seconds from 1970-01-01T00:00:00Z UTC and should apply to all time fields: iat, exp and nbf.

This is backed up by decoding tokens created with this package using JWT debugger showing around 50,000 years in the future (50 years since 1970 times 1000).

Edit: This also requires a change in isExpired to match.