fix(jwt): kid is part of header

Author: coderbyheart

cli/commands/generate-jwt-keypair.ts

@@ -7,10 +7,7 @@ import {
 	type Settings,
 } from '../../settings/jwt.js'
 import { STACK_NAME } from '../../cdk/stackConfig.js'
-import run from '@bifravst/run'
-import fs from 'node:fs/promises'
-import path from 'node:path'
-import os from 'node:os'
+import { generateJWTKeyPair } from '../../jwt/generateJWTKeyPair.js'
 
 export const generateJWTKeypairCommand = ({
 	ssm,
@@ -41,30 +38,7 @@ export const generateJWTKeypairCommand = ({
 			return
 		}
 
-		const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'jwt-'))
-		const privateKeyFile = path.join(tempDir, 'private.pem')
-		const publicKeyFile = path.join(tempDir, 'public.pem')
-
-		await run({
-			command: 'openssl',
-			args: [
-				'ecparam',
-				'-out',
-				privateKeyFile,
-				'-name',
-				'secp521r1',
-				'-genkey',
-			],
-		})
-
-		await run({
-			command: 'openssl',
-			args: ['ec', '-out', publicKeyFile, '-in', privateKeyFile, '-pubout'],
-		})
-
-		const privateKey = await fs.readFile(privateKeyFile, 'utf-8')
-		const publicKey = await fs.readFile(publicKeyFile, 'utf-8')
-		const keyId = crypto.randomUUID()
+		const { privateKey, publicKey, keyId } = await generateJWTKeyPair()
 
 		const put = putSetting({
 			ssm,

feature-runner/steps/jwt.ts

@@ -32,20 +32,28 @@ const jwtVerify = ({
 			const expected = JSON.parse(codeBlockOrThrow(step).code)
 			const token = context[storageName]
 			progress(token)
-			const decoded = jwt.verify(token, publicKey, {
+			const decoded = jwt.decode(token, { complete: true })
+
+			jwt.verify(token, publicKey, {
 				audience,
 			}) as jwt.JwtPayload
 			progress(JSON.stringify(decoded, null, 2))
 
-			check(decoded).is(
+			check(decoded?.payload).is(
 				objectMatching({
 					...expected,
 					aud: audience,
-					kid: keyId,
 					iat: closeTo(Date.now() / 1000, 10),
 					exp: closeTo(Date.now() / 1000 + 60 * 60, 10),
 				}),
 			)
+
+			check(decoded?.header).is(
+				objectMatching({
+					alg: 'ES512',
+					kid: keyId,
+				}),
+			)
 		},
 	)
 

jwt/deviceJWT.spec.ts

@@ -0,0 +1,53 @@
+import { it, describe } from 'node:test'
+import { generateJWTKeyPair } from './generateJWTKeyPair.js'
+import { deviceJWT } from './deviceJWT.js'
+import { randomWords } from '@bifravst/random-words'
+import { ModelID } from '@hello.nrfcloud.com/proto-map/models'
+import jwt from 'jsonwebtoken'
+import assert from 'node:assert/strict'
+
+void describe('deviceJWT()', () => {
+	void it('should return a JWT', async () => {
+		const { privateKey, publicKey, keyId } = await generateJWTKeyPair()
+
+		const deviceId = randomWords({ numWords: 3 }).join('-')
+		const id = crypto.randomUUID()
+
+		const token = deviceJWT(
+			{
+				deviceId,
+				id,
+				model: ModelID.Thingy91x,
+			},
+			{
+				privateKey,
+				keyId,
+			},
+		)
+
+		const decoded = jwt.decode(token, { complete: true })
+		jwt.verify(token, publicKey, {
+			audience: 'hello.nrfcloud.com',
+		}) as jwt.JwtPayload
+
+		const header = decoded?.header as jwt.JwtHeader
+		const payload = decoded?.payload as jwt.JwtPayload
+
+		assert.equal(header.kid, keyId)
+		assert.equal(header.alg, 'ES512')
+		assert.equal(payload.aud, 'hello.nrfcloud.com')
+		assert.equal(payload.deviceId, deviceId)
+		assert.equal(payload.id, id)
+		assert.equal(payload.model, 'thingy91x')
+		assert.equal(
+			(payload.iat ?? 0) >= Math.floor(Date.now() / 1000),
+			true,
+			'Should not be in the past',
+		)
+		assert.equal(
+			payload.exp,
+			(payload.iat ?? 0) + 3600,
+			'Should be valid for an hour',
+		)
+	})
+})

jwt/deviceJWT.ts

@@ -0,0 +1,28 @@
+import type { PublicDeviceRecord } from '../devices/publicDevicesRepo.js'
+
+import jwt from 'jsonwebtoken'
+
+export const deviceJWT = (
+	device: Pick<PublicDeviceRecord, 'id' | 'deviceId' | 'model'>,
+	{
+		privateKey,
+		keyId,
+	}: {
+		privateKey: string
+		keyId: string
+	},
+): string =>
+	jwt.sign(
+		{
+			id: device.id,
+			deviceId: device.deviceId,
+			model: device.model,
+		},
+		privateKey,
+		{
+			algorithm: 'ES512',
+			expiresIn: '1h',
+			audience: 'hello.nrfcloud.com',
+			keyid: keyId,
+		},
+	)

jwt/generateJWTKeyPair.ts

@@ -0,0 +1,34 @@
+import run from '@bifravst/run'
+import fs from 'node:fs/promises'
+import path from 'node:path'
+import os from 'node:os'
+
+export const generateJWTKeyPair = async (): Promise<{
+	privateKey: string
+	publicKey: string
+	keyId: string
+}> => {
+	const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'jwt-'))
+	const privateKeyFile = path.join(tempDir, 'private.pem')
+	const publicKeyFile = path.join(tempDir, 'public.pem')
+
+	await run({
+		command: 'openssl',
+		args: ['ecparam', '-out', privateKeyFile, '-name', 'secp521r1', '-genkey'],
+	})
+
+	await run({
+		command: 'openssl',
+		args: ['ec', '-out', publicKeyFile, '-in', privateKeyFile, '-pubout'],
+	})
+
+	const [privateKey, publicKey] = await Promise.all([
+		fs.readFile(privateKeyFile, 'utf-8'),
+		fs.readFile(publicKeyFile, 'utf-8'),
+	])
+	const keyId = crypto.randomUUID()
+
+	await Promise.all([fs.rm(privateKeyFile), fs.rm(publicKeyFile)])
+
+	return { privateKey, publicKey, keyId }
+}

lambda/deviceJwt.ts

@@ -16,7 +16,7 @@ import type {
 	APIGatewayProxyEventV2,
 	APIGatewayProxyResultV2,
 } from 'aws-lambda'
-import jwt from 'jsonwebtoken'
+import { deviceJWT } from '../jwt/deviceJWT.js'
 import { publicDevicesRepo } from '../devices/publicDevicesRepo.js'
 import { getSettings } from '../settings/jwt.js'
 
@@ -59,8 +59,6 @@ const h = async (
 
 	const maybeSharedDevice = await devicesRepo.getById(id)
 
-	console.log(JSON.stringify(maybeSharedDevice))
-
 	if ('error' in maybeSharedDevice) {
 		return aProblem({
 			title: `Device with id ${maybeValidQuery.value.id} not shared: ${maybeSharedDevice.error}`,
@@ -75,20 +73,7 @@ const h = async (
 			id: maybeSharedDevice.device.id,
 			deviceId: maybeSharedDevice.device.deviceId,
 			model: maybeSharedDevice.device.model,
-			jwt: jwt.sign(
-				{
-					id: maybeSharedDevice.device.id,
-					deviceId: maybeSharedDevice.device.deviceId,
-					model: maybeSharedDevice.device.model,
-				},
-				jwtSettings.privateKey,
-				{
-					algorithm: 'ES512',
-					expiresIn: '1h',
-					audience: 'hello.nrfcloud.com',
-					keyid: jwtSettings.keyId,
-				},
-			),
+			jwt: deviceJWT(maybeSharedDevice.device, jwtSettings),
 		},
 		60 * 60 * 1000,
 	)