From 4edfee3ee3c7075281c9f51669ec14ec71fe8809 Mon Sep 17 00:00:00 2001
From: Dave Mihalcik <38867245+dmihalcik-virtru@users.noreply.github.com>
Date: Thu, 16 Feb 2023 15:47:57 -0500
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Debias=20clock=20leeway=20on=20a?= =?UTF-8?q?uth=20tokens=20(#150)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, we added 2 hours of leeway to the expiration. This is resulting in a significant percentage of our requests failing due to `jwt.exceptions.ImmatureSignatureError: The token is not yet valid (iat)`. This change adjusts the values to be an hour in the past or future, hopefully reducing the incidence of this error.
---
 lib/src/auth/auth.ts | 20 +++++++++++++++-----
 lib/src/nanotdf-crypto/authToken.ts | 22 ----------------------
 lib/src/nanotdf-crypto/index.ts | 1 -
 lib/src/nanotdf/Client.ts | 7 ++++---
 lib/tdf3/src/tdf.ts | 8 ++------
 5 files changed, 21 insertions(+), 37 deletions(-)
 delete mode 100644 lib/src/nanotdf-crypto/authToken.ts

diff --git a/lib/src/auth/auth.ts b/lib/src/auth/auth.ts
index f59794f3..7b7189a6 100644
--- a/lib/src/auth/auth.ts
+++ b/lib/src/auth/auth.ts
@@ -1,4 +1,4 @@
-import { JWTPayload, SignJWT } from 'jose';
+import { type JWTHeaderParameters, type JWTPayload, type KeyLike, SignJWT } from 'jose';
 
 export type Method =
 | 'GET'
@@ -48,17 +48,27 @@ export function withHeaders(httpReq: HttpRequest, newHeaders: Record { - return new SignJWT(payload) .setProtectedHeader({ alg: AlgorithmName.ES256 }) .setIssuedAt() .setExpirationTime('1m') .sign(privateKey); -}
diff --git a/lib/src/nanotdf-crypto/index.ts b/lib/src/nanotdf-crypto/index.ts
index 7a91d991..00f4a026 100644
--- a/lib/src/nanotdf-crypto/index.ts
+++ b/lib/src/nanotdf-crypto/index.ts
@@ -1,5 +1,4 @@
 export { Ciphers } from './ciphers.js';
-export { default as authToken } from './authToken.js';
 export { default as cryptoPublicToPem } from './cryptoPublicToPem.js';
 export { default as decrypt } from './decrypt.js';
 export { default as digest } from './digest.js';
diff --git a/lib/src/nanotdf/Client.ts b/lib/src/nanotdf/Client.ts
index ac8fcca0..b22d4469 100644
--- a/lib/src/nanotdf/Client.ts
+++ b/lib/src/nanotdf/Client.ts
@@ -1,7 +1,6 @@
 import type { TypedArray } from '../tdf/index.js';
 import * as base64 from '../encodings/base64.js';
 import {
- authToken,
 cryptoPublicToPem,
 decrypt,
 enums as cryptoEnums,
@@ -13,7 +12,7 @@ import {
 import getHkdfSalt from './helpers/getHkdfSalt.js';
 import DefaultParams from './models/DefaultParams.js';
 import { fetchWrappedKey } from '../kas.js';
-import { AuthProvider } from '../auth/providers.js';
+import { AuthProvider, reqSignature } from '../auth/providers.js';
 
 const { KeyUsageType, AlgorithmName, NamedCurve } = cryptoEnums;
 
@@ -214,7 +213,9 @@ export default class Client {
 const jwtPayload = { requestBody: requestBodyStr };
 
 const requestBody = {
- signedRequestToken: await authToken(this.requestSignerKeyPair.privateKey, jwtPayload),
+ signedRequestToken: await reqSignature(jwtPayload, this.requestSignerKeyPair.privateKey, {
+ alg: AlgorithmName.ES256,
+ }),
 };
 
 // Wrapped
diff --git a/lib/tdf3/src/tdf.ts b/lib/tdf3/src/tdf.ts
index 6dbb773f..99ce0d85 100644
--- a/lib/tdf3/src/tdf.ts
+++ b/lib/tdf3/src/tdf.ts
@@ -3,7 +3,7 @@ import { EventEmitter } from 'events';
 import axios from 'axios';
 import crc32 from 'buffer-crc32';
 import { v4 } from 'uuid';
-import { exportSPKI, importPKCS8, importX509, SignJWT } from 'jose';
+import { exportSPKI, importPKCS8, importX509 } from 'jose';
 import { AnyTdfStream, makeStream } from './client/tdf-stream.js';
 import { EntityObject } from '../../src/tdf/EntityObject.js';
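Review bot: The lifetime of the nanoTDF signed request token changes silently at the new `signedRequestToken:` line in Client.ts: the `authToken` helper it replaces (deleted in this patch) set `.setExpirationTime('1m')`, while the commit message describes `reqSignature` as issuing tokens valid an hour into the past and the future, so the window in which a captured `signedRequestToken` is still accepted grows from about a minute to about two hours. The auth.ts hunk that defines `reqSignature` is not legible in this patch view, so whether it lets a caller keep a short `exp` cannot be confirmed here; if it does not, the hour-scale value that was meant to absorb `iat` clock skew now also governs `exp` for this call. If the widening is intended, a comment at the call site prevents the next reader from quietly restoring the short lifetime, e.g. `// token lifetime is set by reqSignature (was 1m via authToken); widened to tolerate client clock skew`; if it is not, this caller should pass a short expiration once `reqSignature` exposes one. The enclosing method starts and ends outside the hunk.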
@@ -809,11 +809,7 @@ class TDF extends EventEmitter {
 const jwtPayload = { requestBody: requestBodyStr };
 
 const pkKeyLike = await importPKCS8(this.privateKey, 'RS256');
- const signedRequestToken = await new SignJWT(isAppIdProvider ? {} : jwtPayload)
- .setProtectedHeader({ alg: 'RS256' })
- .setIssuedAt()
- .setExpirationTime('2h')
- .sign(pkKeyLike);
+ const signedRequestToken = await reqSignature(isAppIdProvider ? {} : jwtPayload, pkKeyLike);
 
 let requestBody;
 if (isAppIdProvider) {
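Review bot: The new `const signedRequestToken` line calls `reqSignature` without a protected-header argument, although the removed chain pinned `alg: 'RS256'` and `pkKeyLike` is created two lines above with `importPKCS8(this.privateKey, 'RS256')`; whatever default algorithm `reqSignature` applies (its definition in auth.ts is not legible in this patch) has to match that key, or signing fails at runtime, so passing the header explicitly — `const signedRequestToken = await reqSignature(isAppIdProvider ? {} : jwtPayload, pkKeyLike, { alg: 'RS256' });` — keeps key and header in agreement the way the Client.ts hunk does with `AlgorithmName.ES256`. This file's only other hunk drops `SignJWT` from the jose import and adds no import of `reqSignature`; unless it was already imported elsewhere in tdf.ts, this will not compile, which is worth verifying. The enclosing method starts and ends outside the hunk.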