Skip to content

refactor: Full TypeScript rewrite with sync API and security hardening (v10.0.0) #995

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

refactor: Full TypeScript rewrite with sync API and security hardening (v10.0.0) #995

wants to merge 7 commits into from

Conversation

interpret-tech
Copy link

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please
see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR completes the TypeScript migration for the jsonwebtoken library (v10.0.0), introducing significant improvements in type safety, security, and developer experience.

Key changes:

  • Full TypeScript migration: All source code has been migrated from JavaScript to TypeScript with comprehensive type definitions
  • New synchronous API: Added signSync() and verifySync() functions for synchronous operations, addressing long-standing community requests
  • Enhanced security: Implemented multiple security hardening measures, including:
  • Protection against timing attacks in signature verification
  • Strict input validation to prevent prototype pollution
  • Enhanced header validation to prevent injection attacks
  • Improved key confusion attack prevention
  • DOS protection through payload size limits
  • Dual module support: Configured for both CommonJS and ESM module systems
  • Improved code organisation: Extracted shared logic into reusable modules for better maintainability
  • Modern tooling: Updated to use Jest for testing, ESLint flat config, and TypeScript 5.x

Breaking changes:

  • Minimum Node.js version is now 20.x
  • TypeScript types are now built-in (no need for @types/jsonwebtoken)
  • Some internal APIs have changed (see migration guide)
  • Error messages have been standardised and improved

References

  • Addresses multiple long-standing issues regarding TypeScript support and synchronous API requests
  • Implements security recommendations from various vulnerability reports
  • Follows Auth0's security best practices for JWT implementations

Testing

The entire test suite has been reorganised and expanded:

To test this PR:

# Install dependencies
npm install

# Run linting
npm run lint

# Run type checking
npm run type-check

# Run tests with coverage (requires 95%+ coverage)
npm run test:coverage

# Run full test suite
npm test

Testing coverage includes:
- All JWT operations (sign, verify, decode) with both async and sync variants
- All supported algorithms (HS256/384/512, RS256/384/512, ES256/384/512, PS256/384/512, none)
- Security attack scenarios (timing attacks, key confusion, prototype pollution, header injection)
- Edge cases for timestamps, expiration, and claims validation
- Compatibility with various key formats (PEM, JWK, symmetric keys)

###Development environment:
- Node.js 20.x
- TypeScript 5.x
- macOS/Linux/Windows compatible
- This change adds test coverage for new/changed/fixed functionality

###Checklist
- I have added documentation for new/changed functionality in this PR or in auth0.com/docs

interpret-tech and others added 5 commits August 2, 2025 09:21
@interpret-tech
feat: Migrate to TypeScript and modernize to v10.0.0
b58eb25 
BREAKING CHANGE: Complete rewrite in TypeScript with Promise-based API

This is a major version upgrade that modernizes the entire codebase:

### Breaking Changes
- All methods now return Promises (no more callbacks)
- Removed callback-based API entirely
- Requires Node.js >= 20 and npm >= 10
- TypeScript rewrite with full type definitions

### New Features
- Full TypeScript support with comprehensive type definitions
- Modern Promise-based API using async/await
- Enhanced algorithm support including EdDSA (Ed25519/Ed448)
- Improved error handling with typed error classes
- Better security defaults and validation

### Technical Changes
- Migrated from CommonJS to TypeScript modules
- Replaced Mocha/Chai with Jest for testing
- Updated from ESLint legacy config to flat config
- Modernized all dependencies
- Added comprehensive JSDoc documentation
- Improved test coverage and added new test cases

### Migration
- See MIGRATION_GUIDE_V10.md for detailed upgrade instructions
- All existing functionality is preserved with Promise-based equivalents

Co-authored-by: Dylan Keys <[email protected]>
@interpret-tech @claude
ci: add GitHub Actions workflows and git hooks for automated testing
812f3f7 
- Add CI workflow for testing on Node.js 20.x and 22.x
- Add PR checks for title validation, security audit, and bundle size
- Add pre-commit hook for linting and testing staged files
- Add pre-push hook for full test suite validation
- Configure husky and lint-staged for git hook management

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@interpret-tech
refactor: complete TypeScript migration and add synchronous API with …
0314c97 
…security hardening

- Remove all JavaScript source files and legacy tests
- Add synchronous versions of sign and verify functions
- Reorganize test structure into unit tests with TypeScript
- Update build configuration for dual CommonJS/ESM support
- Add shared utility modules for better code organization
- Improve algorithm implementations with better type safety
- Enhance security with stricter input validation and error handling
- Harden against timing attacks in signature verification
- Add comprehensive type guards for JWT payload validation
- Update documentation with new API references

BREAKING CHANGE: This completes the v10 migration to TypeScript with new synchronous APIs and reorganized module structure
@interpret-tech
docs: rename wiki folder to docs and update README links
8adc9cc 
- Rename wiki/ directory to docs/ for better organization
- Update README.md to link directly to documentation files in docs/ folder
- Remove external wiki links in favor of local documentation
@interpret-tech
chore: remove obsolete test conversion script
9e9e5bb 
- Remove convert-tests-to-async.js as it's no longer needed
- All tests have been migrated to TypeScript with modern async/await syntax
- The script was used during migration but is now obsolete
@interpret-tech interpret-tech marked this pull request as ready for review August 3, 2025 03:37
@interpret-tech
fix: update timespan.ts to use ES module import syntax
1b1ebc4 
Replace CommonJS require with ES module import for the 'ms' package
@interpret-tech
fix: add type assertion for ms package compatibility
93037b2 
The ms package requires a StringValue type for string inputs. Added type assertion to satisfy TypeScript compiler requirements.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@interpret-tech