Drop jsonwebtoken and jwks-rsa in favor of jose (#37)

* chore: depedencies update and TS support

* feat: Authentic rewrite to use Jose

* infra: build CJS and ESM module

* fix: validate token without `Bearer`

* fix: throw Boom errors for incorrect ISS

* fix: show OIDC http request error message

* test: added tests using Jest

* test: further tests

* fix: validate error instance instead of assertion

* docs: update README references

* ci: adding changeset release

* test: add test for missing required claim

* docs: changelog

* fix: Removing the authentic export default option

BREAKING CHANGE: Authentic doesn't have an default export anymore, services using this
newer version will need to import `authentic` from authentic

* text: fixed named import on test

* fix: fix OIDC fetching for issuers with URLs with path

* fix: make "aud" claim optional

* fix: stop requiring any claims

* feat: allow JWK URLs with custom ports

* docs: update CHANGELOG.md

.changeset/curly-bottles-sing.md

@@ -0,0 +1,15 @@
+---
+"@articulate/authentic": major
+---
+
+Typescript refactor and replace `jsonwebtoken` and `jwks-rsa` in favor of `jose`
+
+The biggest change on this version is the replacement of [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) and [jwks-rsa](https://github.com/auth0/node-jwks-rsa) in favor of [jose](https://github.com/panva/jose). jose exports the same features the other two libraries offer, without adding the extra dependencies previously required (it has zero dependencies!). This change significantly decreases `@authentic` final bundle size, allowing it to also be used in Lambdas.
+
+Also, this new version doesn't export `authentic` as a default export anymore, apps using this new version will to import/require `{ authentic } from "@articulate/authentic"` instead.
+
+Before upgrading make sure your app uses the new expected `jwks` and `verify` options (which differ from the old ones).
+
+### Dual Export of ESM and CJS Bundles
+
+Starting with this new version, Authentic started exporting both an ECMAScript Module (ESM) bundle and a CommonJS (CJS) bundle. This means that applications utilizing either of these architectures can now choose the bundle that best suits their specific use case.

.eslintignore

@@ -0,0 +1,5 @@
+.changeset
+.git*
+coverage
+dist
+node_modules

.eslintrc.js

@@ -1,20 +1,24 @@
 module.exports = {
-  'env': {
-    'es2017': true,
-    'mocha': true,
-    'node': true
+  env: {
+    es2020: true,
+    node: true
   },
-  'extends': 'eslint:recommended',
-  'parserOptions': {
-    'sourceType': 'module'
-  },
-  'rules': {
+  extends: [
+    'eslint:recommended',
+    'plugin:@typescript-eslint/recommended'
+  ],
+  parser: '@typescript-eslint/parser',
+  plugins: [
+    '@typescript-eslint'
+  ],
+  root: true,
+  rules: {
     'eol-last': ['error', 'always'],
-    'indent': ['error', 2, { 'SwitchCase': 1 }],
+    indent: ['error', 2, { 'SwitchCase': 1 }],
     'linebreak-style': ['error', 'unix'],
     'no-console': 'off',
     'no-trailing-spaces': 'error',
-    'quotes': ['error', 'single', { 'allowTemplateLiterals': true }],
-    'semi': ['error', 'never']
+    quotes: ['error', 'single', { 'allowTemplateLiterals': true }],
+    semi: ['error', 'never']
   }
 }

.gitignore

@@ -1,5 +1,6 @@
 *.log
-coverage
 .DS_Store
-/node_modules
-/.nyc_output
+.nyc_output
+coverage
+dist
+node_modules

README.md

@@ -1,6 +1,5 @@
 # @articulate/authentic
 [![@articulate/authentic](https://img.shields.io/npm/v/@articulate/authentic.svg)](https://www.npmjs.com/package/@articulate/authentic)
-[![Build Status](https://travis-ci.org/articulate/authentic.svg?branch=master)](https://travis-ci.org/articulate/authentic)
 [![Coverage Status](https://coveralls.io/repos/github/articulate/authentic/badge.svg?branch=master)](https://coveralls.io/github/articulate/authentic?branch=master)
 
 Proper validation of JWT's against JWK's.
@@ -42,16 +41,17 @@ const handler = req =>
 
 `authentic` accepts a JSON object with the following options:
 
-* `jwks` Object: options to forward to [`node-jwks-rsa`](https://github.com/auth0/node-jwks-rsa) with the following defaults:
+* `jwks` Object: options to forward to `jose.createRemoteJWKSet` from [`jose`](https://github.com/panva/jose/blob/main/docs/interfaces/jwks_remote.RemoteJWKSetOptions.md) with the following defaults:
 
 | option      | default |
 | ----------- | ------- |
-| `cache`     | `true`  |
-| `rateLimit` | `true`  |
+| `timeoutDuration` | `5000` (5 seconds)  |
+| `cooldownDuration` | `30000` (30 seconds)  |
+| `cacheMaxAge` | `60000` (10 minutes)  |
 
-* `verify` Object: options to forward to `jwt.verify` from [`jsonwebtoken`](https://github.com/auth0/node-jsonwebtoken#jwtverifytoken-secretorpublickey-options-callback)
+* `verify` Object: options to forward to `jose.jwtVerify` from [`jose`](https://github.com/panva/jose/blob/main/docs/interfaces/jwt_verify.JWTVerifyOptions.md)
 * `issWhitelist` Array: list of trusted OIDC issuers
-* `claimsInError` Array: list of jwt payload claims to receive as the `data` propery of the error when verification fails.  When a list is not provided a `data` property will not be added to the error.
+* `claimsInError` Array: list of jwt payload claims to receive as the `data` property of the error when verification fails.  When a list is not provided a `data` property will not be added to the error.
 
 ## Contributing
 

jest.config.js

@@ -0,0 +1,5 @@
+/** @type {import('ts-jest').JestConfigWithTsJest} */
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+}