chore: bump Node to 24 and replace jsonwebtoken

phoenix-ru · phoenix-ru · commit f8e6fd88a6eb · 2026-02-06T18:14:59.000+01:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -7,7 +7,7 @@ on:
     branches: [main]
 
 env:
-  NODE_VER: 22.18
+  NODE_VER: 24.13
   CI: true
 
 jobs:
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
@@ -8,7 +8,7 @@ on:
   workflow_dispatch:
 
 env:
-  NODE_VER: 22.18
+  NODE_VER: 24.13
   CI: true
 
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
diff --git a/.github/workflows/pkg.pr.new.yml b/.github/workflows/pkg.pr.new.yml
@@ -8,7 +8,7 @@ on:
   pull_request:
 
 env:
-  NODE_VER: 22.18
+  NODE_VER: 24.13
 
 jobs:
   build:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ permissions:
   id-token: write # required for npm provenance
 
 env:
-  NODE_VER: 22.18
+  NODE_VER: 24.13
   CI: true
 
 jobs:
diff --git a/package.json b/package.json
@@ -41,7 +41,7 @@
     "test:unit": "vitest"
   },
   "dependencies": {
-    "@nuxt/kit": "^3.20.2",
+    "@nuxt/kit": "^3.21.0",
     "defu": "^6.1.4",
     "h3": "^1.15.5",
     "knitwork": "^1.3.0",
@@ -61,13 +61,13 @@
   "devDependencies": {
     "@antfu/eslint-config": "^6.7.3",
     "@nuxt/module-builder": "^1.0.2",
-    "@nuxt/schema": "^3.20.2",
+    "@nuxt/schema": "^3.21.0",
     "@nuxtjs/eslint-config-typescript": "^12.1.0",
-    "@types/node": "^20.19.29",
+    "@types/node": "^24.10.11",
     "eslint": "^9.39.2",
-    "nuxt": "^3.20.2",
+    "nuxt": "^3.21.0",
     "ofetch": "^1.5.1",
-    "oxlint": "^1.39.0",
+    "oxlint": "^1.43.0",
     "ts-essentials": "^9.4.2",
     "typescript": "^5.8.3",
     "vitepress": "^1.6.4",
diff --git a/playground-authjs/package.json b/playground-authjs/package.json
@@ -9,7 +9,7 @@
     "postinstall": "nuxt prepare"
   },
   "devDependencies": {
-    "nuxt": "^3.20.2",
+    "nuxt": "^3.21.0",
     "typescript": "^5.8.3",
     "vue-tsc": "^2.2.12"
   }
diff --git a/playground-local/nuxt.config.ts b/playground-local/nuxt.config.ts
@@ -1,9 +1,6 @@
 export default defineNuxtConfig({
   compatibilityDate: '2024-04-03',
   modules: ['../src/module.ts'],
-  build: {
-    transpile: ['jsonwebtoken']
-  },
   auth: {
     provider: {
       type: 'local',
diff --git a/playground-local/package.json b/playground-local/package.json
@@ -12,16 +12,15 @@
     "test:e2e": "vitest"
   },
   "dependencies": {
-    "jsonwebtoken": "^9.0.3",
+    "jose": "^6.1.3",
     "zod": "^3.25.76"
   },
   "devDependencies": {
     "@nuxt/test-utils": "^3.23.0",
-    "@playwright/test": "^1.57.0",
-    "@types/jsonwebtoken": "^9.0.10",
-    "@types/node": "^20.19.29",
+    "@playwright/test": "^1.58.2",
+    "@types/node": "^24.10.11",
     "@vue/test-utils": "^2.4.6",
-    "nuxt": "^3.20.2",
+    "nuxt": "^3.21.0",
     "typescript": "^5.8.3",
     "vitest": "^3.2.4",
     "vue-tsc": "^2.2.12"
diff --git a/playground-local/server/api/auth/refresh.post.ts b/playground-local/server/api/auth/refresh.post.ts
@@ -1,5 +1,5 @@
 import { createError, eventHandler, getRequestHeader, readBody } from 'h3'
-import { checkUserTokens, decodeToken, extractTokenFromAuthorizationHeader, getTokensByUser, refreshUserAccessToken } from '~/server/utils/session'
+import { checkUserTokens, decodeToken, extractTokenFromAuthorizationHeader, getTokensByUser, refreshUserAccessToken, userSchema } from '~/server/utils/session'
 
 /*
  * DISCLAIMER!
@@ -19,16 +19,24 @@ export default eventHandler(async (event) => {
   }
 
   // Verify
-  const decoded = decodeToken(refreshToken)
+  const decoded = await decodeToken(refreshToken)
   if (!decoded) {
     throw createError({
       statusCode: 401,
       message: 'Unauthorized, refreshToken can\'t be verified'
     })
   }
 
+  const user = userSchema.safeParse(decoded)
+  if (!user.success) {
+    throw createError({
+      statusCode: 401,
+      message: 'Unauthorized, user shape mismatch'
+    })
+  }
+
   // Get the helper (only for demo, use a DB in your implementation)
-  const userTokens = getTokensByUser(decoded.username)
+  const userTokens = getTokensByUser(user.data.username)
   if (!userTokens) {
     throw createError({
       statusCode: 401,
diff --git a/playground-local/server/api/auth/user.get.ts b/playground-local/server/api/auth/user.get.ts
@@ -1,22 +1,25 @@
 import { createError, eventHandler, getRequestHeader } from 'h3'
-import { checkUserAccessToken, decodeToken, extractTokenFromAuthorizationHeader, getTokensByUser } from '~/server/utils/session'
-import type { JwtPayload } from '~/server/utils/session'
+import { checkUserAccessToken, decodeToken, extractTokenFromAuthorizationHeader, getTokensByUser, userSchema, type User } from '~/server/utils/session'
 
-export default eventHandler((event) => {
+export default eventHandler(async (event) => {
   const authorizationHeader = getRequestHeader(event, 'Authorization')
   if (typeof authorizationHeader === 'undefined') {
     throw createError({ statusCode: 403, message: 'Need to pass valid Bearer-authorization header to access this endpoint' })
   }
 
   const requestAccessToken = extractTokenFromAuthorizationHeader(authorizationHeader)
-  let decoded: JwtPayload
+  let decoded: User
   try {
-    const decodeTokenResult = decodeToken(requestAccessToken)
+    const decodeTokenResult = await decodeToken(requestAccessToken)
 
     if (!decodeTokenResult) {
       throw new Error('Expected decoded JwtPayload to be non-empty')
     }
-    decoded = decodeTokenResult
+    const userParseResult = userSchema.safeParse(decodeTokenResult)
+    if (!userParseResult.success) {
+      throw new Error('User shape mismatched')
+    }
+    decoded = userParseResult.data
   }
   catch (error) {
     console.error({
diff --git a/playground-local/server/utils/session.ts b/playground-local/server/utils/session.ts
@@ -3,28 +3,25 @@
  * This is a demo implementation, please create your own handlers
  */
 
-import { sign, verify } from 'jsonwebtoken'
+import { SignJWT, jwtVerify, type JWTPayload } from 'jose'
 import { z } from 'zod'
 
 /**
  * This is a demo secret.
  * Please ensure that your secret is properly protected.
  */
-const SECRET = 'dummy'
+const SECRET = new TextEncoder().encode('dummy')
 
 /** 30 seconds */
 const ACCESS_TOKEN_TTL = 30
 
-export interface User {
-  username: string
-  name: string
-  picture: string
-}
-
-export interface JwtPayload extends User {
-  scope: Array<'test' | 'user'>
-  exp?: number
-}
+export const userSchema = z.object({
+  username: z.string().min(1),
+  name: z.string(),
+  picture: z.string().optional(),
+  scope: z.enum(['test', 'user']).array().optional(),
+})
+export type User = z.infer<typeof userSchema>
 
 interface TokensByUser {
   access: Map<string, string>
@@ -68,15 +65,10 @@ interface UserTokens {
  * Demo function for signing user tokens.
  * Your implementation may differ.
  */
-export function createUserTokens(user: User): Promise<UserTokens> {
-  const tokenData: JwtPayload = { ...user, scope: ['test', 'user'] }
-  const accessToken = sign(tokenData, SECRET, {
-    expiresIn: ACCESS_TOKEN_TTL
-  })
-  const refreshToken = sign(tokenData, SECRET, {
-    // 1 day
-    expiresIn: 60 * 60 * 24
-  })
+export async function createUserTokens(user: User): Promise<UserTokens> {
+  const tokenData: JWTPayload = { ...user, scope: ['test', 'user'] }
+  const accessToken = await createSignedJwt(tokenData, ACCESS_TOKEN_TTL)
+  const refreshToken = await createSignedJwt(tokenData, /* 1 day */ 60 * 60 * 24)
 
   // Naive implementation - please implement properly yourself!
   const userTokens: TokensByUser = tokensByUser.get(user.username) ?? {
@@ -87,18 +79,18 @@ export function createUserTokens(user: User): Promise<UserTokens> {
   userTokens.refresh.set(refreshToken, accessToken)
   tokensByUser.set(user.username, userTokens)
 
-  // Emulate async work
-  return Promise.resolve({
+  return {
     accessToken,
     refreshToken
-  })
+  }
 }
 
 /**
  * Function for getting the data from a JWT
  */
-export function decodeToken(token: string): JwtPayload | undefined {
-  return verify(token, SECRET) as JwtPayload | undefined
+export async function decodeToken(token: string): Promise<JWTPayload> {
+  const verified = await jwtVerify(token, SECRET)
+  return verified.payload
 }
 
 /**
@@ -138,33 +130,29 @@ export function invalidateAccessToken(tokensByUser: TokensByUser, accessToken: s
   tokensByUser.access.delete(accessToken)
 }
 
-export function refreshUserAccessToken(tokensByUser: TokensByUser, refreshToken: string): Promise<UserTokens | undefined> {
+export async function refreshUserAccessToken(tokensByUser: TokensByUser, refreshToken: string): Promise<UserTokens | undefined> {
   // Get the access token
   const oldAccessToken = tokensByUser.refresh.get(refreshToken)
   if (!oldAccessToken) {
-    // Promises to emulate async work (e.g. of a DB call)
-    return Promise.resolve(undefined)
+    return
   }
 
   // Invalidate old access token
   invalidateAccessToken(tokensByUser, oldAccessToken)
 
   // Get the user data. In a real implementation this is likely a DB call.
   // In this demo we simply re-use the existing JWT data
-  const jwtUser = decodeToken(refreshToken)
+  const jwtUser = await decodeToken(refreshToken)
   if (!jwtUser) {
-    return Promise.resolve(undefined)
+    return
   }
 
-  const user: User = {
-    username: jwtUser.username,
-    picture: jwtUser.picture,
-    name: jwtUser.name
+  const user = userSchema.safeParse(jwtUser)
+  if (!user.success) {
+    return
   }
 
-  const accessToken = sign({ ...user, scope: ['test', 'user'] }, SECRET, {
-    expiresIn: 60 * 5 // 5 minutes
-  })
+  const accessToken = await createSignedJwt({ ...user.data, scope: ['test', 'user'] }, /* 5 minutes */ 60 * 5)
   tokensByUser.refresh.set(refreshToken, accessToken)
   tokensByUser.access.set(accessToken, refreshToken)
 
@@ -179,3 +167,12 @@ export function extractTokenFromAuthorizationHeader(authorizationHeader: string)
     ? authorizationHeader.slice(7)
     : authorizationHeader
 }
+
+function createSignedJwt(payload: JWTPayload, ttlInSeconds: number): Promise<string> {
+  const unixTimestampNow = Math.floor(Date.now() / 1000)
+
+  return new SignJWT(payload)
+    .setProtectedHeader({ alg: 'HS256' })
+    .setExpirationTime(unixTimestampNow + ttlInSeconds)
+    .sign(SECRET)
+}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,7 @@`
`9`	`9`	`"postinstall": "nuxt prepare"`
`10`	`10`	`},`
`11`	`11`	`"devDependencies": {`
`12`		`- "nuxt": "^3.20.2",`
	`12`	`+ "nuxt": "^3.21.0",`
`13`	`13`	`"typescript": "^5.8.3",`
`14`	`14`	`"vue-tsc": "^2.2.12"`
`15`	`15`	`}`