Merge pull request #38 from authdog/snyk-upgrade-d641b1e67fbe80ebfd39…

…41f00379564e bump to jose@5
authdog · Oct 25, 2023 · 84361e5 · 84361e5
2 parents 59e67dd + ceca31c
commit 84361e5
Show file tree

Hide file tree

Showing 6 changed files with 787 additions and 837 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,7 +8,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [16.x,18.x]
+        node-version: [16.x,18.x,20.x]
 
     steps:
       - uses: actions/checkout@v2

diff --git a/README.md b/README.md
@@ -91,6 +91,7 @@ const isValid = await checkTokenValidness(
 
 ## Changelog
 
+- 0.1.26: Remove fetchJwksWithUri, remove node-fetch dependency
 - 0.1.20: Improve Cloudflare Workers compatibility for verify
 - 0.1.19: Export `getKeyPair`
 - 0.1.18: Export `pemToJwk`

diff --git a/jest.config.js b/jest.config.js
@@ -13,7 +13,7 @@ module.exports = {
        "<rootDir>/scripts/**/*.test.ts"
     ],
     testEnvironment: "node",
-    testTimeout: 10000,
+    testTimeout: 25000,
     collectCoverageFrom: [
         "<rootDir>/scripts/**/*.ts",
         "<rootDir>/lib/**/*.ts",

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "keylab",
-    "version": "0.1.25",
+    "version": "0.1.26",
     "source": "src/index.ts",
     "main": "dist/index.js",
     "description": "keylab is a library aiming to create and validate JSON Web Tokens without hussle or prerequisitie cryptography knowledge.",
@@ -57,7 +57,6 @@
         "typescript": "^4.3.5"
     },
     "dependencies": {
-        "jose": "^4.15.4",
-        "node-fetch": "2.7.0"
+        "jose": "^5.0.1"
     }
 }
diff --git a/src/vendors/jwks/jwks.ts b/src/vendors/jwks/jwks.ts
@@ -1,9 +1,9 @@
 import {
     createLocalJWKSet,
     importSPKI,
-    JSONWebKeySet,
     JWK,
-    jwtVerify
+    jwtVerify,
+    createRemoteJWKSet
 } from "jose";
 import { extractAlgFromJwtHeader } from "../jwt";
 
@@ -66,35 +66,6 @@ export const makePublicKey = (privateKey: any) => {
     return publicKey;
 };
 
-/**
- *
- * @param jwksUri is the endpoint to retrieve the public Json web keys
- * @param verifySsl can be used in a context where self-signed certificates are being used
- * @returns return an array with keys objects
- */
-export const fetchJwksWithUri = async ({
-    jwksUri,
-    verifySsl = true
-}): Promise<JSONWebKeySet> => {
-    const fetch = require("node-fetch");
-    let httpsAgent;
-
-    if (!verifySsl) {
-      httpsAgent = new (require("https").Agent)({
-        rejectUnauthorized: false,
-      });
-    }
-
-    return await fetch(jwksUri, {
-      method: "GET",
-      agent: httpsAgent,
-    })
-      .then((res) => res.json())
-      .catch((err) => {
-        throw new Error(err.message);
-      });
-};
-
 export interface ITokenExtractedWithPubKey {
     payload: any;
     protectedHeader: any;
@@ -133,14 +104,7 @@ export const verifyTokenWithPublicKey = async (
             keys: [jwk]
         });
     } else if (opts?.jwksUri) {
-        // fetch jwk keys
-        const remoteJwks: JSONWebKeySet = await fetchJwksWithUri({
-            jwksUri: opts?.jwksUri
-        });
-
-        JWKS = createLocalJWKSet({
-            keys: remoteJwks.keys
-        });
+        JWKS = createRemoteJWKSet(new URL(opts?.jwksUri))
     } else {
         throw new Error("Invalid public key format (must be JWK or JWKs URI)");
     }