Module @luolapeikko/oidc-jwt-verify
@luolapeikko/oidc-jwt-verify
Json Webtoken Utility to validate OpenID JWT tokens against issuer public ssl keys
- Can build public PEM cert from modulus + exponent (i.e. Google OIDC)
- Caches issuer OpenID Connector configuration 24h
- New Token "kid" forces reloading OpenID Connector jwks_uri data.
Note: if running NodeJS less than 18.0.0 you need to install and use cross-fetch polyfill
Usage example
// with Bearer header
try {
const { body, isCached } = await jwtBearerVerify(req.headers.authorization);
} catch (err) {
console.log(err);
}
// or Just token
try {
const { body, isCached } = await jwtVerify(process.env.GOOGLE_ID_TOKEN);
} catch (err) {
console.log(err);
}
// attach logger to see http requests (console and log4js should be working)
setJwtLogger(console);
Enable public cert file caching
const certCacheSchema = z.object({certs: z.record(z.string(), z.record(z.string(), z.string())), _ts: z.number()}) satisfies StandardSchemaV1<
unknown,
CertRecords
>;
await useCache(new FileCertCache({fileName: './certCache.json', schema: certCacheSchema}));
// or with Tachyon storage driver
await useCache(new TachyonCertCache(new FileStorageDriver({name: 'FileCertCacheDriver', fileName: './unitTestCache.json'}, certCacheBufferSerializer(certCacheSchema))));
Enable verified token persist caching (Tachyon storage driver with encryption)
import {
isRawJwtToken,
type RawJwtToken,
setTokenCache,
} from "@luolapeikko/oidc-jwt-verify";
import { buildTokenCacheBufferSerializer } from "@luolapeikko/oidc-jwt-verify-tachyon";
import {
CryptoBufferProcessor,
FileStorageDriver,
} from "tachyon-drive-node-fs";
import { TachyonExpireCache } from "tachyon-expire-cache";
import { z } from "zod";
const tokenBodySchema = z.object({}).loose(); // or build token payload schema
const tokenCacheMapSchema = z.map(
z.string().refine(isRawJwtToken),
z.object({ expires: z.number(), data: tokenBodySchema }),
);
const bufferSerializer = buildTokenCacheBufferSerializer(tokenCacheMapSchema);
// const stringSerializer = buildTokenCacheStringSerializer<TokenPayload>(tokenCacheMapSchema); // if using string based Tachyon drivers
const processor = new CryptoBufferProcessor(Buffer.from("some-secret-key"));
const driver = new FileStorageDriver(
{ name: "TokenStorageDriver", fileName: "./tokenCache.aes" },
bufferSerializer,
processor,
);
const cache = new TachyonExpireCache<
z.infer<typeof tokenBodySchema>,
RawJwtToken
>({ name: "TachyonExpireCache" }, driver);
setTokenCache(cache);
CertCache
Other
- IssuerCertLoader
- JwtHeaderError
- FileCertCacheProps
- FullDecodedIssuerTokenStructure
- FullDecodedTokenStructure
- TokenHeader
- TokenIssuerPayloadCommon
- TokenPayloadCommon
- CertIssuerRecord
- CertRecords
- CertRecordsSchema
- IssuerCertLoaderProps
- JsonWebKey
- JwtResponse
- JwtVerifyPromiseFunc
- OpenIdConfig
- OpenIdConfigCerts
- RawJwtToken
- TokenIssuerPayload
- TokenPayload
- jwtVerifyPromise
- assertIssuerToken
- assertIsTokenFullDecoded
- buildCertFrame
- getTokenOrAuthHeader
- isIssuerToken
- isRawJwtToken
- isTokenFullDecoded
- jwtBearerVerify
- jwtDeleteKid
- jwtHaveIssuer
- jwtVerify
- rsaPublicKeyPem
- setCertLoader
- setJwtLogger
- setTokenCache
- testGetCache
- useCache