feat: validate expiration on jwtVerify

packages/js-auth/README.md

@@ -315,7 +315,9 @@ const auth = await authenticate('client_credentials', {
   scope: 'market:code:europe'
 })
 
-const decodedJWT = await jwtVerify(auth.accessToken)
+const decodedJWT = await jwtVerify(auth.accessToken, {
+  ignoreExpiration: true
+})
 
 if (jwtIsSalesChannel(decodedJWT.payload)) {
   console.log('organization slug is', decodedJWT.payload.organization.slug)

packages/js-auth/src/errors/TokenError.ts

@@ -0,0 +1,6 @@
+export class TokenError extends Error {
+  constructor(message: string) {
+    super(message)
+    this.name = 'TokenError'
+  }
+}

packages/js-auth/src/errors/TokenExpiredError.ts

@@ -0,0 +1,6 @@
+export class TokenExpiredError extends Error {
+  constructor() {
+    super('Token expired')
+    this.name = 'TokenExpiredError'
+  }
+}

packages/js-auth/src/index.ts

@@ -26,3 +26,6 @@ export type {
   RevokeOptions,
   RevokeReturn
 } from './types/index.js'
+
+export { TokenError } from './errors/TokenError.js'
+export { TokenExpiredError } from './errors/TokenExpiredError.js'

packages/js-auth/src/jwtDecode.spec.ts

@@ -1,9 +1,12 @@
+import { TokenError } from './errors/TokenError.js'
 import { jwtDecode } from './jwtDecode.js'
 
 describe('jwtDecode', () => {
   it('should throw when the access token is not valid.', () => {
     const accessToken = 'hello-world'
-    expect(() => jwtDecode(accessToken)).toThrowError('Invalid JWT format')
+
+    expect(() => jwtDecode(accessToken)).toThrow(TokenError)
+    expect(() => jwtDecode(accessToken)).toThrow('Invalid token format')
   })
 
   it('should throw when the access token is malformed.', () => {

packages/js-auth/src/jwtDecode.ts

@@ -1,3 +1,4 @@
+import { TokenError } from './errors/TokenError.js'
 import { decodeBase64URLSafe } from './utils/base64.js'
 
 /**
@@ -10,7 +11,7 @@ export function jwtDecode(accessToken: string): CommerceLayerJWT {
   const [encodedHeader, encodedPayload, signature] = `${accessToken}`.split('.')
 
   if (encodedHeader == null || encodedPayload == null || signature == null) {
-    throw new Error('Invalid JWT format')
+    throw new TokenError('Invalid token format')
   }
 
   return {

packages/js-auth/src/jwtVerify.spec.ts

@@ -1,15 +1,25 @@
 import jwt from 'jsonwebtoken'
+import { TokenExpiredError } from './errors/TokenExpiredError.js'
 import { jwtDecode } from './jwtDecode.js'
 import { jwtVerify } from './jwtVerify.js'
 import { encodeBase64URLSafe } from './utils/base64.js'
+import { TokenError } from './errors/TokenError.js'
 
 describe('jwtVerify', () => {
+  it('should throw when token expired.', async () => {
+    void expect(async () => await jwtVerify(accessToken)).rejects.toThrow(
+      TokenExpiredError
+    )
+  })
+
   it('should be able to verify a JWT.', async () => {
     const jsonwebtokenDecoded = jwt.decode(accessToken, {
       complete: true
     })
 
-    const verification = await jwtVerify(accessToken)
+    const verification = await jwtVerify(accessToken, {
+      ignoreExpiration: true
+    })
 
     expect(verification).toStrictEqual(jsonwebtokenDecoded)
   })
@@ -26,7 +36,11 @@ describe('jwtVerify', () => {
         signature
       ].join('.')
 
-      expect(await jwtVerify(newAccessToken)).toStrictEqual(decodedJWT)
+      expect(
+        await jwtVerify(newAccessToken, {
+          ignoreExpiration: true
+        })
+      ).toStrictEqual(decodedJWT)
     })
 
     it('should reject when the payload has been changed', async () => {
@@ -44,8 +58,18 @@ describe('jwtVerify', () => {
       ].join('.')
 
       void expect(
-        async () => await jwtVerify(newAccessToken)
-      ).rejects.toThrowError('Invalid signature')
+        async () =>
+          await jwtVerify(newAccessToken, {
+            ignoreExpiration: true
+          })
+      ).rejects.toThrow(TokenError)
+
+      void expect(
+        async () =>
+          await jwtVerify(newAccessToken, {
+            ignoreExpiration: true
+          })
+      ).rejects.toThrow('Invalid signature')
     })
   })
 })

packages/js-auth/src/jwtVerify.ts

@@ -1,3 +1,5 @@
+import { TokenError } from './errors/TokenError.js'
+import { TokenExpiredError } from './errors/TokenExpiredError.js'
 import { jwtDecode, type CommerceLayerJWT } from './jwtDecode.js'
 import { decodeBase64URLSafe } from './utils/base64.js'
 
@@ -7,14 +9,21 @@ import { decodeBase64URLSafe } from './utils/base64.js'
  */
 export async function jwtVerify(
   accessToken: string,
-  options: JwtVerifyOptions = {}
+  { ignoreExpiration = false, domain }: JwtVerifyOptions = {}
 ): Promise<CommerceLayerJWT> {
   const decodedJWT = jwtDecode(accessToken)
 
-  const jsonWebKey = await getJsonWebKey(decodedJWT.header.kid, options)
+  const jsonWebKey = await getJsonWebKey(decodedJWT.header.kid, {
+    domain,
+    ignoreExpiration
+  })
 
   if (jsonWebKey == null) {
-    throw new Error('Invalid token "kid"')
+    throw new TokenError('Invalid token "kid"')
+  }
+
+  if (!ignoreExpiration && Date.now() >= decodedJWT.payload.exp * 1000) {
+    throw new TokenExpiredError()
   }
 
   const algorithm: RsaHashedImportParams = {
@@ -48,7 +57,7 @@ export async function jwtVerify(
   )
 
   if (!isValid) {
-    throw new Error('Invalid signature')
+    throw new TokenError('Invalid signature')
   }
 
   return decodedJWT
@@ -61,6 +70,11 @@ interface JwtVerifyOptions {
    * The Commerce Layer's domain.
    */
   domain?: string
+  /**
+   * Do not validate the token expiration when set to `true`.
+   * @default false
+   */
+  ignoreExpiration?: boolean
 }
 
 /**