refactor: changes JWT signing alg to ES256KADR36 (#110)

Author: stalniy

go/cli/context.go

@@ -53,7 +53,7 @@ func QueryClientFromContext(ctx context.Context) (aclient.QueryClient, error) {
 
 	res, valid := val.(aclient.QueryClient)
 	if !valid {
-		return nil, fmt.Errorf("invalid context value, expected \"aclient.Client\", actual \"%s\"", reflect.TypeOf(val))
+		return nil, fmt.Errorf("invalid context value, expected \"aclient.QueryClient\", actual \"%s\"", reflect.TypeOf(val))
 	}
 
 	return res, nil

ts/README.md

@@ -100,13 +100,12 @@ This is the recommended method for getting authorized access to your resources o
 **Generating a JWT Token**
 
 ```ts
-import { DirectSecp256k1HdWallet } from "@cosmjs/proto-signing";
-import { JwtTokenManager, createSignArbitraryAkashWallet } from "@akashnetwork/chain-sdk"
+import { Secp256k1HdWallet } from "@cosmjs/amino";
+import { JwtTokenManager } from "@akashnetwork/chain-sdk"
 
-const wallet = await DirectSecp256k1HdWallet.fromMnemonic(mnemonic, { prefix: "akash" });
+const wallet = await Secp256k1HdWallet.fromMnemonic(mnemonic, { prefix: "akash" });
 const accounts = await wallet.getAccounts();
-const signer = await createSignArbitraryAkashWallet(wallet);
-const tokenManager = new JwtTokenManager(signer);
+const tokenManager = new JwtTokenManager(wallet);
 
 // See https://akash.network/roadmap/aep-64/ for details
 const token = await tokenManager.generateToken({

ts/package-lock.json

@@ -60,6 +60,7 @@
     "@cosmjs/math": "^0.33.1",
     "@cosmjs/proto-signing": "^0.33.1",
     "@cosmjs/stargate": "^0.33.1",
+    "base64-js": "^1.5.1",
     "js-yaml": "^4.1.0",
     "json-stable-stringify": "^1.3.0",
     "jsrsasign": "^11.1.0",

ts/package.json

@@ -2,4 +2,4 @@ export * from "./index.shared.ts";
 export { createChainNodeSDK, type ChainNodeSDKOptions } from "./chain/createChainNodeSDK.ts";
 export { createProviderSDK, type ProviderSDKOptions } from "./provider/createProviderSDK.ts";
 export { certificateManager, CertificateManager, type CertificateInfo, type CertificatePem, type ValidityRangeOptions } from "./provider/auth/mtls/index.ts";
-export { JwtTokenManager, type CreateJWTOptions, type JwtTokenPayload, type JwtValidationResult, createSignArbitraryAkashWallet, type SignArbitraryAkashWallet } from "./provider/auth/jwt/index.ts";
+export * from "./provider/auth/jwt/index.ts";

ts/src/generated/protos/akash/base/offchain/sign/v1/sign.ts

@@ -1,4 +1,4 @@
 export * from "./index.shared.ts";
 export { createChainNodeWebSDK, type ChainNodeWebSDKOptions } from "./chain/createChainNodeWebSDK.ts";
 export { certificateManager, CertificateManager, type CertificateInfo, type CertificatePem, type ValidityRangeOptions } from "./provider/auth/mtls/index.ts";
-export { JwtTokenManager, type CreateJWTOptions, type JwtTokenPayload, type JwtValidationResult, type SignArbitraryAkashWallet } from "./provider/auth/jwt/index.ts";
+export * from "./provider/auth/jwt/index.ts";

ts/src/sdk/index.ts

@@ -1,7 +1,7 @@
+import { fromByteArray } from "base64-js";
+
 export function base64UrlEncode(value: string | Uint8Array): string {
-  const str = typeof value === "string" ? value : String.fromCharCode(...value);
-  const base64 = btoa(str);
-  return toBase64Url(base64);
+  return toBase64Url(base64Encode(value));
 }
 
 /**
@@ -11,13 +11,14 @@ export function toBase64Url(base64Encoded: string): string {
   return base64Encoded.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 
+const textDecoder = new TextDecoder();
 export function base64UrlDecode(value: string): string {
   let str = value;
   // Convert from base64url → base64
   str = str.replace(/-/g, "+").replace(/_/g, "/");
   str = str.padEnd(str.length + (4 - (str.length % 4)) % 4, "=");
 
-  return new TextDecoder().decode(Uint8Array.from(atob(str), (c) => c.charCodeAt(0)));
+  return textDecoder.decode(Uint8Array.from(atob(str), (c) => c.charCodeAt(0)));
 }
 
 /**
@@ -29,3 +30,9 @@ export function base64Decode(base64String: string): Record<string, unknown> {
   const decoded = atob(base64String);
   return JSON.parse(decoded);
 }
+
+const textEncoder = new TextEncoder();
+export function base64Encode(value: string | Uint8Array): string {
+  const data = typeof value === "string" ? textEncoder.encode(value) : value;
+  return fromByteArray(data);
+}

ts/src/sdk/index.web.ts

@@ -1,4 +1,4 @@
 export { JwtTokenManager, type CreateJWTOptions } from "./jwt-token.ts";
 export type { JwtTokenPayload, AccessScope as JwtTokenAccessScope, LeasePermission } from "./types.ts";
 export { JwtValidator, type JwtValidationResult } from "./jwt-validator.ts";
-export { createSignArbitraryAkashWallet, type SignArbitraryAkashWallet } from "./wallet-utils.ts";
+export { type OfflineDataSigner } from "./wallet-utils.ts";

ts/src/sdk/provider/auth/jwt/base64.ts

@@ -1,4 +1,5 @@
-import { DirectSecp256k1HdWallet } from "@cosmjs/proto-signing";
+import { Secp256k1HdWallet } from "@cosmjs/amino";
+import type { AccountData } from "@cosmjs/proto-signing";
 import { beforeAll, describe, expect, it } from "@jest/globals";
 import fs from "fs";
 import path from "path";
@@ -8,28 +9,29 @@ import type { CreateJWTOptions } from "./jwt-token.ts";
 import { JwtTokenManager } from "./jwt-token.ts";
 import type { ClaimsTestCase, SigningTestCase } from "./test/test-utils.ts";
 import { replaceTemplateValues } from "./test/test-utils.ts";
-import { createSignArbitraryAkashWallet, type SignArbitraryAkashWallet } from "./wallet-utils.ts";
+import { createOfflineDataSigner } from "./wallet-utils.ts";
 
 describe("JWT Claims Validation", () => {
   const testdataPath = path.join(__dirname, "../../../../../..", "testdata", "jwt");
   const jwtMnemonic = fs.readFileSync(path.join(testdataPath, "mnemonic"), "utf-8").trim();
   const jwtSigningTestCases = JSON.parse(fs.readFileSync(path.join(testdataPath, "cases_es256k.json"), "utf-8")) as SigningTestCase[];
   const jwtClaimsTestCases = JSON.parse(fs.readFileSync(path.join(testdataPath, "cases_jwt.json.tmpl"), "utf-8")) as ClaimsTestCase[];
 
-  let testWallet: DirectSecp256k1HdWallet;
+  let testWallet: Secp256k1HdWallet;
   let jwtToken: JwtTokenManager;
-  let akashWallet: SignArbitraryAkashWallet;
+  let testAccount: AccountData;
 
   beforeAll(async () => {
-    testWallet = await DirectSecp256k1HdWallet.fromMnemonic(jwtMnemonic, {
+    testWallet = await Secp256k1HdWallet.fromMnemonic(jwtMnemonic, {
       prefix: "akash",
     });
-    akashWallet = await createSignArbitraryAkashWallet(testWallet);
-    jwtToken = new JwtTokenManager(akashWallet);
+    const [account] = await testWallet.getAccounts();
+    testAccount = account;
+    jwtToken = new JwtTokenManager(testWallet);
   });
 
-  it.each(jwtClaimsTestCases)("$description", async (testCase) => {
-    const { claims, tokenString } = replaceTemplateValues(testCase);
+  it.each(jwtClaimsTestCases.filter(isSigningWithES256KADR36))("$description", async (testCase) => {
+    const { claims, tokenString } = replaceTemplateValues(testCase, { iss: testAccount.address });
 
     // For test cases that should fail, we need to validate the payload first
     if (testCase.expected.signFail || testCase.expected.verifyFail) {
@@ -54,16 +56,17 @@ describe("JWT Claims Validation", () => {
     }
   });
 
-  it.each(jwtSigningTestCases)("$description", async (testCase) => {
+  it.each(jwtSigningTestCases.filter(isSigningWithES256KADR36))("$description", async (testCase) => {
     const [expectedHeader, expectedPayload, expectedSignature] = testCase.tokenString.split(".");
     expect(expectedHeader).toBeDefined();
     expect(expectedPayload).toBeDefined();
     expect(expectedSignature).toBeDefined();
 
     const signingString = `${expectedHeader}.${expectedPayload}`;
 
-    // Sign using the mock wallet's signArbitrary method
-    const signResponse = await akashWallet.signArbitrary(akashWallet.address, signingString);
+    const signer = createOfflineDataSigner(testWallet);
+    const [account] = await testWallet.getAccounts();
+    const signResponse = await signer.signArbitrary(account.address, signingString);
     const signature = toBase64Url(signResponse.signature);
 
     if (!testCase.mustFail) {
@@ -72,4 +75,8 @@ describe("JWT Claims Validation", () => {
       expect(signature).not.toBe(expectedSignature);
     }
   });
+
+  function isSigningWithES256KADR36(testCase: SigningTestCase | ClaimsTestCase): boolean {
+    return !testCase.expected.alg || testCase.expected.alg === "ES256KADR36";
+  }
 });