Skip to content

migration(rs256): phase 121 — SDK TokenVerifier accepts both RS256 + HS256#23

Merged
khaliqgant merged 2 commits intomainfrom
migration/rs256/121-sdk-dual-verify
Apr 23, 2026
Merged

migration(rs256): phase 121 — SDK TokenVerifier accepts both RS256 + HS256#23
khaliqgant merged 2 commits intomainfrom
migration/rs256/121-sdk-dual-verify

Conversation

@kjgbot
Copy link
Copy Markdown
Contributor

@kjgbot kjgbot commented Apr 23, 2026

Phase 121 — SDK dual-verify (RS256 + HS256)

Updates @relayauth/sdk's TokenVerifier to accept both RS256 (new) and HS256 (legacy) during the cutover window. Without this, once phase 122 flips the signer to RS256, any verifier still on the old SDK fails closed.

Part of the api-keys + RS256 migration. See specs/api-keys-and-rs256-migration.md for the full design. This is phase 3a, depends on phase 120 (RS256 signing path), feeds phase 122 (production cutover).

What changed

  • packages/sdk/typescript/src/verify.ts: HS256 added to resolveVerificationAlgorithm (mapped to { name: "HMAC", hash: "SHA-256" }) and gated on RELAYAUTH_VERIFIER_ACCEPT_HS256. importVerificationKey learns an HS256 branch that reads the symmetric key from the JWK's k field per RFC 7518 and imports as an HMAC verify-only key. The kty gate in matchesJwk remains the authoritative algorithm/key-type pairing check.
  • packages/sdk/typescript/src/__tests__/verify-dual-alg.test.ts: 8 adversarial tests covering happy paths, alg confusion, alg=none, payload tampering, kid spoofing, and the sunset-flag behavior.

Peer review (ran via agent-relay, explicit verdicts)

Two independent reviewers evaluated this exact diff on 2026-04-22. Both approved.

crypto-reviewer:

All eight tests pass, typecheck is clean, and I walked every attack class through the code to confirm the reject path. The verifier is sound for dual-acceptance during the HS256 → RS256 migration. No changes required to merge; the four advisory items can be handled as follow-ups.

Advisory follow-ups (non-blocking, track separately):

  1. Consider inverting RELAYAUTH_VERIFIER_ACCEPT_HS256 polarity so missing config rejects HS256 (fail-closed posture).
  2. Stricter: require published JWKs to carry an explicit alg matching the request (currently JWKs without alg still pass when kty matches).
  3. Defensive kty === "oct" re-check at HS256 key import (relies on upstream selectJwk filter today).
  4. Add a regression test for JWK material confusion ({ kty: "RSA", alg: "HS256", k: "…" } — blocked today via kty gate, but a future refactor of matchesJwk could silently open it).

compat-reviewer:

No breaking changes, no consumer updates required. Drop-in compatible, zero code changes required in sage.

Two behavior changes documented (not breaking):

  1. HS256 now accepted by default (prior: rejected). Security-hardened consumers can opt out via RELAYAUTH_VERIFIER_ACCEPT_HS256=false.
  2. matchesJwk alg matching is stricter: a JWK missing alg no longer matches requests with a specific alg. No-op for well-formed providers; external JWKS providers that omit alg may see new invalid_token errors.

Verification

  • node --test --import tsx packages/sdk/typescript/src/__tests__/verify-dual-alg.test.ts: 8/8 pass
  • Full SDK suite: 138/138 pass
  • npx turbo typecheck --filter=@relayauth/sdk: clean

Note on workflow origin

The agent-relay workflow for this phase ran through the review gates successfully but then failed in the synthesize step (a runner heuristic: the architect agent idled for 30s and was marked incomplete before emitting the expected completion token). The reviews themselves produced complete outputs with explicit verdicts, so I committed the reviewed diff by hand and pasted the verdicts above as evidence. The synthesize failure is a workflow-framework issue unrelated to this code and will be tracked separately.

Run order in the migration

118 → 119 → 120 → 121 → publish + propagate → 122 → 123

This PR is phase 121. 118/119/120 are already merged. After this merges, bump package versions, publish @relayauth/server and @relayauth/sdk, then bump ../cloud deps before phase 122.

kjgbot and others added 2 commits April 23, 2026 06:45
@claude
phase 121: TokenVerifier accepts both RS256 and HS256 (dual-verify)
1fa679c 
Adds HS256 as an accepted verification algorithm alongside the
existing RS256/EdDSA paths, gated on RELAYAUTH_VERIFIER_ACCEPT_HS256.
Default is accept-HS256-during-migration; ops flips to "false" after
the cutover soak in phase 122.

Implementation:
- resolveVerificationAlgorithm adds HS256 → { name: "HMAC", hash:
  "SHA-256" } when the env flag is not "false".
- importVerificationKey for HS256 reads the symmetric key bytes from
  the JWK's "k" field (RFC 7518) and imports as an HMAC verify-only
  key. RSA/EdDSA paths unchanged.
- Dispatch picks "HMAC" for HS256 tokens and the original RSA/EdDSA
  AlgorithmIdentifier for those paths; kty check in matchesJwk stays
  the source of truth for algorithm/key-type pairing, defeating
  alg-confusion.

Peer review: two independent reviewers evaluated this exact diff
via agent-relay on 2026-04-22 and both approved:

- crypto-reviewer verdict: "All eight tests pass, typecheck is
  clean, and I walked every attack class through the code to
  confirm the reject path. The verifier is sound for dual-
  acceptance during the HS256 → RS256 migration. No changes
  required to merge; the four advisory items can be handled as
  follow-ups."
- compat-reviewer verdict: "No breaking changes, no consumer
  updates required. Drop-in compatible, zero code changes
  required in sage."

(The workflow's synthesize step idled out — a runner heuristic
issue unrelated to the code. Committing by hand since the peer
reviews themselves ran to completion and produced explicit
approvals.)

Adversarial tests in verify-dual-alg.test.ts cover:
- RS256 happy path (regression)
- HS256 happy path with k-field JWK
- Alg confusion: HS256 token against RSA-only JWKS rejected
- alg=none rejected
- Payload tampering invalidates signature
- Missing kid rejected
- Kid not in JWKS rejected
- Sunset flag: RELAYAUTH_VERIFIER_ACCEPT_HS256=false rejects HS256

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@claude
phase 121: update server's HS256 rejection test for new dual-verify s…
5ca7d0a 
…emantics

assertPhase0LegacyHs256Algorithm used to assume the SDK verifier would
reject any HS256 token as an unsupported algorithm. With dual-verify
(this PR), HS256 is accepted by default, so the old assertion now sees
'jwks_fetch_failed' (the verifier looks for a matching HS256 JWK that
the test harness doesn't publish) instead of 'invalid_token'.

Fix: set RELAYAUTH_VERIFIER_ACCEPT_HS256=false around the verify call
so the test asserts the post-sunset posture that phase 122 flips in
production. Test intent ("spec-compliant verifier rejects legacy
HS256") is preserved; the fixture just scopes to the correct flag
state.

Env var is restored in a finally block to avoid cross-test leakage.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@khaliqgant khaliqgant merged commit ce0e492 into main Apr 23, 2026
2 checks passed
@khaliqgant khaliqgant deleted the migration/rs256/121-sdk-dual-verify branch April 23, 2026 04:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kjgbot @khaliqgant