Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document decomposeJwt #117

Merged
merged 3 commits into from
Mar 20, 2023
Merged

Document decomposeJwt #117

merged 3 commits into from
Mar 20, 2023

Conversation

ottokruse
Copy link
Contributor

Issue #, if available: #82

Description of changes: Document the decomposeJwt function

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@ottokruse ottokruse requested a review from hakanson March 15, 2023 16:29
hakanson
hakanson reviewed Mar 16, 2023
View reviewed changes
Copy link
Contributor

@hakanson hakanson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even thought I like the decomposeUnverifiedJwt name better, I don't love the breaking change requiring a major version bump. Thoughts on leaving decomposeJwt and marking as @deprecated then having it call into decomposeUnverifiedJwt ? I found https://github.com/gund/eslint-plugin-deprecation, but not sure how many toolchains look at @deprecated in JSDoc comments.

Should we update verifyJwt calls to take either a jwt: string or a decomposedJwt: DecomposedJwt to avoid double parsing, or does it not really help peformance since we would need to validate the DecomposedJwt parts were valid anyway?

Also, should we have a top level import like JwtParser (next to JwtRsaVerifier and CognitoJwtVerifier). That would have a method decomposeUntrusted(jwt: string): DecomposedJwt to be the primary interface? Supporting issue #82 will probably require this pre-parsing and using some value of the payload to find the correct issuer for verification. This could come in a later PR or major version.

@hakanson hakanson self-assigned this Mar 16, 2023
@ottokruse
Copy link
Contributor Author

Thoughts on leaving decomposeJwt and marking as @deprecated then having it call into decomposeUnverifiedJwt ?

Valid idea for sure. We would eventually remove decomposeJwt, so this would just push that major version update to the future. Perhaps we'd have other breaking changes then, and we combine several in a new major version. OTOH I think we should be liberal with new major versions in those cases where it's needed and better for the library's design--and I think this is such a case. Avoiding it adds maintenance burden on us. We are in awslabs after all. Also, this renaming isn't a total revamp of the lib, it will be easy for users to change their code and I suspect 99% of our current users do not use decomposeJwt as it was undocumented.

Should we update verifyJwt calls to take either a jwt: string or a decomposedJwt: DecomposedJwt to avoid double parsing, or does it not really help peformance since we would need to validate the DecomposedJwt parts were valid anyway?

Mmmm good thought. It would shave a few cycles off, but only synchronous work. You're gonna have a hard time even measuring that improvement I think. And It would be at the expense of making the interface more complicated. Think I'm not inclined to it.

Also, should we have a top level import like JwtParser (next to JwtRsaVerifier and CognitoJwtVerifier). That would have a method decomposeUntrusted(jwt: string): DecomposedJwt to be the primary interface? Supporting issue #82 will probably require this pre-parsing and using some value of the payload to find the correct issuer for verification. This could come in a later PR or major version.

Interesting idea! Would also make it easier to support verifying ALB JWTs.
We'd have to play around with the idea and do some sample implementations and see what works nicely.

@hakanson
Copy link
Contributor

I'm fine with the major version and keeping the interface less complicated. We can roll the other ideas into the next minor release.

@ottokruse ottokruse merged commit 4cceb72 into awslabs:main Mar 20, 2023
@ottokruse ottokruse deleted the doc-decompose branch March 20, 2023 14:12
kodiakhq bot added a commit to weareinreach/InReach that referenced this pull request Mar 21, 2023
@kodiakhq @renovate
fix(auth): update dependency aws-jwt-verify to v4 (#313)
cb3dd5b 
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [aws-jwt-verify](https://togithub.com/awslabs/aws-jwt-verify) | [`3.4.0` -> `4.0.0`](https://renovatebot.com/diffs/npm/aws-jwt-verify/3.4.0/4.0.0) | [![age](https://badges.renovateapi.com/packages/npm/aws-jwt-verify/4.0.0/age-slim)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://badges.renovateapi.com/packages/npm/aws-jwt-verify/4.0.0/adoption-slim)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://badges.renovateapi.com/packages/npm/aws-jwt-verify/4.0.0/compatibility-slim/3.4.0)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://badges.renovateapi.com/packages/npm/aws-jwt-verify/4.0.0/confidence-slim/3.4.0)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>awslabs/aws-jwt-verify</summary>

### [`v4.0.0`](https://togithub.com/awslabs/aws-jwt-verify/releases/tag/v4.0.0)

[Compare Source](https://togithub.com/awslabs/aws-jwt-verify/compare/v3.4.0...v4.0.0)

#### What's Changed

-   Bump webpack from 5.70.0 to 5.76.1 in /tests/vite-app by [@&#8203;dependabot](https://togithub.com/dependabot) in [awslabs/aws-jwt-verify#116
-   Document decomposeJwt by [@&#8203;ottokruse](https://togithub.com/ottokruse) in [awslabs/aws-jwt-verify#117
-   v4.0.0 by [@&#8203;ottokruse](https://togithub.com/ottokruse) in [awslabs/aws-jwt-verify#118

NOTE: [#&#8203;117](https://togithub.com/awslabs/aws-jwt-verify/issues/117) constitutes a breaking change, hence we created new major version v4.0.0, but you will only be impacted by this change, if you were doing this:

`import { decomposeJwt } from "aws-jwt-verify/jwt"`

That method has been renamed (to make it more clear) and must now be imported like so:

`import { decomposeUnverifiedJwt } from "aws-jwt-verify/jwt";`

Happy coding!

**Full Changelog**: awslabs/aws-jwt-verify@v3.4.0...v4.0.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/weareinreach/InReach).



PR-URL: #313
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hakanson hakanson hakanson approved these changes

Assignees

@hakanson hakanson

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ottokruse @hakanson