refactor: changes JWT signing alg to ES256KADR36 (#110)

Author: stalniy

ts/README.md

@@ -100,13 +100,12 @@ This is the recommended method for getting authorized access to your resources o
 **Generating a JWT Token**
 
 ```ts
-import { DirectSecp256k1HdWallet } from "@cosmjs/proto-signing";
-import { JwtTokenManager, createSignArbitraryAkashWallet } from "@akashnetwork/chain-sdk"
+import { Secp256k1HdWallet } from "@cosmjs/amino";
+import { JwtTokenManager } from "@akashnetwork/chain-sdk"
 
-const wallet = await DirectSecp256k1HdWallet.fromMnemonic(mnemonic, { prefix: "akash" });
+const wallet = await Secp256k1HdWallet.fromMnemonic(mnemonic, { prefix: "akash" });
 const accounts = await wallet.getAccounts();
-const signer = await createSignArbitraryAkashWallet(wallet);
-const tokenManager = new JwtTokenManager(signer);
+const tokenManager = new JwtTokenManager(wallet);
 
 // See https://akash.network/roadmap/aep-64/ for details
 const token = await tokenManager.generateToken({

ts/package-lock.json

@@ -60,6 +60,7 @@
     "@cosmjs/math": "^0.33.1",
     "@cosmjs/proto-signing": "^0.33.1",
     "@cosmjs/stargate": "^0.33.1",
+    "base64-js": "^1.5.1",
     "js-yaml": "^4.1.0",
     "json-stable-stringify": "^1.3.0",
     "jsrsasign": "^11.1.0",

ts/package.json

@@ -2,4 +2,4 @@ export * from "./index.shared.ts";
 export { createChainNodeSDK, type ChainNodeSDKOptions } from "./chain/createChainNodeSDK.ts";
 export { createProviderSDK, type ProviderSDKOptions } from "./provider/createProviderSDK.ts";
 export { certificateManager, CertificateManager, type CertificateInfo, type CertificatePem, type ValidityRangeOptions } from "./provider/auth/mtls/index.ts";
-export { JwtTokenManager, type CreateJWTOptions, type JwtTokenPayload, type JwtValidationResult, createSignArbitraryAkashWallet, type SignArbitraryAkashWallet } from "./provider/auth/jwt/index.ts";
+export * from "./provider/auth/jwt/index.ts";

ts/src/generated/protos/akash/base/offchain/sign/v1/sign.ts

@@ -1,4 +1,4 @@
 export * from "./index.shared.ts";
 export { createChainNodeWebSDK, type ChainNodeWebSDKOptions } from "./chain/createChainNodeWebSDK.ts";
 export { certificateManager, CertificateManager, type CertificateInfo, type CertificatePem, type ValidityRangeOptions } from "./provider/auth/mtls/index.ts";
-export { JwtTokenManager, type CreateJWTOptions, type JwtTokenPayload, type JwtValidationResult, type SignArbitraryAkashWallet } from "./provider/auth/jwt/index.ts";
+export * from "./provider/auth/jwt/index.ts";

ts/src/sdk/index.ts

@@ -1,7 +1,7 @@
+import { fromByteArray } from "base64-js";
+
 export function base64UrlEncode(value: string | Uint8Array): string {
-  const str = typeof value === "string" ? value : String.fromCharCode(...value);
-  const base64 = btoa(str);
-  return toBase64Url(base64);
+  return toBase64Url(base64Encode(value));
 }
 
 /**
@@ -11,13 +11,14 @@ export function toBase64Url(base64Encoded: string): string {
   return base64Encoded.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 
+const textDecoder = new TextDecoder();
 export function base64UrlDecode(value: string): string {
   let str = value;
   // Convert from base64url → base64
   str = str.replace(/-/g, "+").replace(/_/g, "/");
   str = str.padEnd(str.length + (4 - (str.length % 4)) % 4, "=");
 
-  return new TextDecoder().decode(Uint8Array.from(atob(str), (c) => c.charCodeAt(0)));
+  return textDecoder.decode(Uint8Array.from(atob(str), (c) => c.charCodeAt(0)));
 }
 
 /**
@@ -29,3 +30,9 @@ export function base64Decode(base64String: string): Record<string, unknown> {
   const decoded = atob(base64String);
   return JSON.parse(decoded);
 }
+
+const textEncoder = new TextEncoder();
+export function base64Encode(value: string | Uint8Array): string {
+  const data = typeof value === "string" ? textEncoder.encode(value) : value;
+  return fromByteArray(data);
+}

ts/src/sdk/index.web.ts

@@ -1,4 +1,4 @@
 export { JwtTokenManager, type CreateJWTOptions } from "./jwt-token.ts";
 export type { JwtTokenPayload, AccessScope as JwtTokenAccessScope, LeasePermission } from "./types.ts";
 export { JwtValidator, type JwtValidationResult } from "./jwt-validator.ts";
-export { createSignArbitraryAkashWallet, type SignArbitraryAkashWallet } from "./wallet-utils.ts";
+export { type OfflineDataSigner } from "./wallet-utils.ts";

ts/src/sdk/provider/auth/jwt/base64.ts

@@ -1,4 +1,5 @@
-import { DirectSecp256k1HdWallet } from "@cosmjs/proto-signing";
+import { Secp256k1HdWallet } from "@cosmjs/amino";
+import type { AccountData } from "@cosmjs/proto-signing";
 import { beforeAll, describe, expect, it } from "@jest/globals";
 import fs from "fs";
 import path from "path";
@@ -8,28 +9,29 @@ import type { CreateJWTOptions } from "./jwt-token.ts";
 import { JwtTokenManager } from "./jwt-token.ts";
 import type { ClaimsTestCase, SigningTestCase } from "./test/test-utils.ts";
 import { replaceTemplateValues } from "./test/test-utils.ts";
-import { createSignArbitraryAkashWallet, type SignArbitraryAkashWallet } from "./wallet-utils.ts";
+import { createOfflineDataSigner } from "./wallet-utils.ts";
 
 describe("JWT Claims Validation", () => {
   const testdataPath = path.join(__dirname, "../../../../../..", "testdata", "jwt");
   const jwtMnemonic = fs.readFileSync(path.join(testdataPath, "mnemonic"), "utf-8").trim();
   const jwtSigningTestCases = JSON.parse(fs.readFileSync(path.join(testdataPath, "cases_es256k.json"), "utf-8")) as SigningTestCase[];
   const jwtClaimsTestCases = JSON.parse(fs.readFileSync(path.join(testdataPath, "cases_jwt.json.tmpl"), "utf-8")) as ClaimsTestCase[];
 
-  let testWallet: DirectSecp256k1HdWallet;
+  let testWallet: Secp256k1HdWallet;
   let jwtToken: JwtTokenManager;
-  let akashWallet: SignArbitraryAkashWallet;
+  let testAccount: AccountData;
 
   beforeAll(async () => {
-    testWallet = await DirectSecp256k1HdWallet.fromMnemonic(jwtMnemonic, {
+    testWallet = await Secp256k1HdWallet.fromMnemonic(jwtMnemonic, {
       prefix: "akash",
     });
-    akashWallet = await createSignArbitraryAkashWallet(testWallet);
-    jwtToken = new JwtTokenManager(akashWallet);
+    const [account] = await testWallet.getAccounts();
+    testAccount = account;
+    jwtToken = new JwtTokenManager(testWallet);
   });
 
-  it.each(jwtClaimsTestCases)("$description", async (testCase) => {
-    const { claims, tokenString } = replaceTemplateValues(testCase);
+  it.each(jwtClaimsTestCases.filter(isSigningWithES256KADR36))("$description", async (testCase) => {
+    const { claims, tokenString } = replaceTemplateValues(testCase, { iss: testAccount.address });
 
     // For test cases that should fail, we need to validate the payload first
     if (testCase.expected.signFail || testCase.expected.verifyFail) {
@@ -54,16 +56,17 @@ describe("JWT Claims Validation", () => {
     }
   });
 
-  it.each(jwtSigningTestCases)("$description", async (testCase) => {
+  it.each(jwtSigningTestCases.filter(isSigningWithES256KADR36))("$description", async (testCase) => {
     const [expectedHeader, expectedPayload, expectedSignature] = testCase.tokenString.split(".");
     expect(expectedHeader).toBeDefined();
     expect(expectedPayload).toBeDefined();
     expect(expectedSignature).toBeDefined();
 
     const signingString = `${expectedHeader}.${expectedPayload}`;
 
-    // Sign using the mock wallet's signArbitrary method
-    const signResponse = await akashWallet.signArbitrary(akashWallet.address, signingString);
+    const signer = createOfflineDataSigner(testWallet);
+    const [account] = await testWallet.getAccounts();
+    const signResponse = await signer.signArbitrary(account.address, signingString);
     const signature = toBase64Url(signResponse.signature);
 
     if (!testCase.mustFail) {
@@ -72,4 +75,8 @@ describe("JWT Claims Validation", () => {
       expect(signature).not.toBe(expectedSignature);
     }
   });
+
+  function isSigningWithES256KADR36(testCase: SigningTestCase | ClaimsTestCase): boolean {
+    return !testCase.expected.alg || testCase.expected.alg === "ES256KADR36";
+  }
 });

ts/src/sdk/provider/auth/jwt/index.ts

@@ -1,40 +1,36 @@
+import type { OfflineAminoSigner } from "@cosmjs/amino";
+import { default as stableStringify } from "json-stable-stringify";
+
 import { base64UrlDecode, base64UrlEncode, toBase64Url } from "./base64.ts";
 import { JwtValidator } from "./jwt-validator.ts";
 import type { JwtTokenPayload } from "./types.ts";
-import type { SignArbitraryAkashWallet } from "./wallet-utils.ts";
+import type { OfflineDataSigner } from "./wallet-utils.ts";
+import { createOfflineDataSigner } from "./wallet-utils.ts";
 
 export class JwtTokenManager {
-  private validator: JwtValidator;
-  private wallet: SignArbitraryAkashWallet;
+  private readonly validator: JwtValidator;
+  private readonly signer: OfflineDataSigner;
 
-  constructor(wallet: SignArbitraryAkashWallet) {
+  constructor(signer: OfflineDataSigner | OfflineAminoSigner) {
     this.validator = new JwtValidator();
-    this.wallet = wallet;
+    this.signer = "signAmino" in signer ? createOfflineDataSigner(signer) : signer;
   }
 
   /**
    * Creates a new JWT token with ES256K signature using a custom signArbitrary method with the current wallet
    * @param options - JWT token options
    * @returns The signed JWT token
    * @example
-   * const wallet = await DirectSecp256k1HdWallet.fromMnemonic(jwtMnemonic, {
+   * const wallet = await Secp256k1HdWallet.fromMnemonic(jwtMnemonic, {
    *   prefix: "akash"
    * });
-   * const akashWallet = await createSignArbitraryAkashWallet(wallet);
-   * const jwtToken = new JwtToken(akashWallet);
+   * const jwtToken = new JwtTokenManager(wallet);
    * // OR ON FRONTEND
-   * const { getAccount, signArbitrary } = useSelectedChain();
-   * const { address, pubkey } = await getAccount();
-   * const jwt = new JwtToken(
-   *   {
-   *     signArbitrary,
-   *     address,
-   *     pubkey
-   *   }
-   * );
+   * const wallet = useSelectedChain();
+   * const jwt = new JwtTokenManager(wallet);
    * const token = await jwtToken.generateToken({
    *   version: "v1",
-   *   iss: "akash...",
+   *   iss: wallet.address, // akash1...
    *   exp: Math.floor(Date.now() / 1000) + 3600, // 1 hour from now
    *   iat: Math.floor(Date.now() / 1000), // current timestamp
    * });
@@ -57,9 +53,9 @@ export class JwtTokenManager {
       throw new Error(`Invalid payload: ${validationResult.errors?.join(", ")}`);
     }
 
-    const header = base64UrlEncode(JSON.stringify({ alg: "ES256K", typ: "JWT" }));
-    const stringPayload = base64UrlEncode(JSON.stringify(inputPayload));
-    const { signature } = await this.wallet.signArbitrary(this.wallet.address, `${header}.${stringPayload}`);
+    const header = base64UrlEncode(stableStringify({ alg: this.signer.algorithm || "ES256KADR36", typ: "JWT" })!);
+    const stringPayload = base64UrlEncode(stableStringify(inputPayload)!);
+    const { signature } = await this.signer.signArbitrary(options.iss, `${header}.${stringPayload}`);
     const token = `${header}.${stringPayload}.${toBase64Url(signature)}`;
 
     return token;