coolaj86/keyfetch.js-ARCHIVED
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

v1.1.5: used cached keys on verify when possible

Browse Source
This commit is contained in:
AJ ONeal 2019-02-26 23:11:26 -07:00
parent 0f0d0807a0
commit 9e5ffd1fc9
1 changed files with 26 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
keyfetch.js
View File

@ -239,15 +239,19 @@ keyfetch.verify = function (opts) {
var kid = decoded.header.kid; var kid = decoded.header.kid;
var iss; var iss;
var fetcher; var fetcher;
var fetchOne;
if (!opts.strategy || 'oidc' === opts.strategy) { if (!opts.strategy || 'oidc' === opts.strategy) {
iss = decoded.payload.iss; iss = decoded.payload.iss;
fetcher = keyfetch.oidcJwks; fetcher = keyfetch.oidcJwks;
fetchOne = keyfetch.oidcJwk;
} else if ('auth0' === opts.strategy || 'well-known' === opts.strategy) { } else if ('auth0' === opts.strategy || 'well-known' === opts.strategy) {
iss = decoded.payload.iss; iss = decoded.payload.iss;
fetcher = keyfetch.wellKnownJwks; fetcher = keyfetch.wellKnownJwks;
fetchOne = keyfetch.wellKnownJwk;
} else { } else {
iss = opts.strategy; iss = opts.strategy;
fetcher = keyfetch.jwks; fetcher = keyfetch.jwks;
fetchOne = keyfetch.jwk;
} }
function verify(jwk, payload) { function verify(jwk, payload) {
var alg = 'RSA-SHA' + decoded.header.alg.replace(/[^\d]+/i, ''); var alg = 'RSA-SHA' + decoded.header.alg.replace(/[^\d]+/i, '');
@ -256,20 +260,28 @@ keyfetch.verify = function (opts) {
.update(jwt.split('.')[0] + '.' + payload) .update(jwt.split('.')[0] + '.' + payload)
.verify(jwk.pem, decoded.signature, 'base64'); .verify(jwk.pem, decoded.signature, 'base64');
} }
return fetcher(iss).then(function (jwks) { if (kid) {
var payload = jwt.split('.')[1]; // as string, as it was signed return fetchOne(kid, iss); //.catch(fetchAny);
if (jwks.some(function (jwk) { } else {
if (kid) { fetchAny();
if (kid !== jwk.kid && kid !== jwk.thumbprint) { return; } }
if (verify(jwk, payload)) { return true; }
throw new Error('token signature verification was unsuccessful'); function fetchAny() {
} else { return fetcher(iss).then(function (jwks) {
if (verify(jwk, payload)) { return true; } var payload = jwt.split('.')[1]; // as string, as it was signed
if (jwks.some(function (jwk) {
if (kid) {
if (kid !== jwk.kid && kid !== jwk.thumbprint) { return; }
if (verify(jwk, payload)) { return true; }
throw new Error('token signature verification was unsuccessful');
} else {
if (verify(jwk, payload)) { return true; }
}
})) {
return decoded;
} }
})) { throw new Error("Retrieved a list of keys, but none of them matched the 'kid' (key id) of the token.");
return decoded; });
} }
throw new Error("Retrieved a list of keys, but none of them matched the 'kid' (key id) of the token.");
});
}); });
}; };