From 1b34cad8c8f9902fd21833fff0b6754cbec8bf1d Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Wed, 10 Jan 2024 07:13:22 -0600 Subject: [PATCH 01/16] feat: Use JWT caches JWKS --- packages/plugins/jwt/src/index.ts | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index d2a85e21ea..1fcab6181b 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -70,6 +70,8 @@ export function useJWT(options: JwtPluginOptions): Plugin { const payloadByRequest = new WeakMap(); let jwksClient: JwksClient; + const jwksCache: Map = new Map(); + if (options.jwksUri) { jwksClient = new JwksClient({ cache: true, @@ -82,8 +84,19 @@ export function useJWT(options: JwtPluginOptions): Plugin { return { async onRequestParse({ request, serverContext, url }) { const token = await getToken({ request, serverContext, url }); - if (token != null) { - const signingKey = options.signingKey ?? (await fetchKey(jwksClient, token)); + if (token) { + const decodedToken = decode(token, { complete: true }); + if (!decodedToken?.header?.kid) { + throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); + } + + let signingKey: string; + if (jwksCache.has(decodedToken.header.kid)) { + signingKey = jwksCache.get(decodedToken.header.kid)!; + } else { + signingKey = await fetchKey(jwksClient, decodedToken.header.kid); + jwksCache.set(decodedToken.header.kid, signingKey); + } const verified = await verify(token, signingKey, options); 
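Review bot: `jwksCache` never expires an entry, so once a signing key is cached it keeps verifying tokens for the life of the process, even after the issuer rotates it out or withdraws it from the JWKS. The `JwksClient` created just below already runs with `cache: true`, so this Map is a second cache layer that the client's own age limit (`cacheMaxAge`) does not reach. Either rely on the client's cache, or record a fetch time with each entry and refetch past a bounded age, e.g. `jwksCache.set(kid, { key, fetchedAt: Date.now() })` with an age check on read. The refresh-on-failure added in patch 11 does not cover this case, because a token signed by the withdrawn key still verifies against the cached copy. `useJWT` and `onRequestParse` both continue outside the hunk.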
@@ -142,13 +155,8 @@ function verify( }); } -async function fetchKey(jwksClient: JwksClient, token: string): Promise { - const decodedToken = decode(token, { complete: true }); - if (decodedToken?.header?.kid == null) { - throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); - } - - const secret = await jwksClient.getSigningKey(decodedToken.header.kid); +async function fetchKey(jwksClient: JwksClient, kid: string): Promise { + const secret = await jwksClient.getSigningKey(kid); const signingKey = secret?.getPublicKey(); if (!signingKey) { throw unauthorizedError(`Failed to decode authentication token. Unknown key id.`); From 406718430a01af38d4a3538b163a2bb86d0e8832 Mon Sep 17 00:00:00 2001 From: peterklingelhofer Date: Wed, 10 Jan 2024 17:49:32 -0600 Subject: [PATCH 02/16] chore: Avoid mutable variable Co-authored-by: Valentin Cocaud --- packages/plugins/jwt/src/index.ts | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 1fcab6181b..7f34d5961e 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -90,13 +90,10 @@ export function useJWT(options: JwtPluginOptions): Plugin { throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); } - let signingKey: string; - if (jwksCache.has(decodedToken.header.kid)) { - signingKey = jwksCache.get(decodedToken.header.kid)!; - } else { - signingKey = await fetchKey(jwksClient, decodedToken.header.kid); - jwksCache.set(decodedToken.header.kid, signingKey); + if (!jwksCache.has(decodedToken.header.kid)) { + jwksCache.set(decodedToken.header.kid, await fetchKey(jwksClient, decodedToken.header.kid)); } + const signingKey = jwksCache.get(decodedToken.header.kid)!; const verified = await verify(token, signingKey, options); From b84f93369699480eb9c9d6f45f062a4a8b00b735 Mon Sep 17 00:00:00 2001 
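Review bot: In the patch 02/16 hunk on this line, the non-null assertion in `jwksCache.get(decodedToken.header.kid)!` is avoidable, and `decodedToken.header.kid` is spelled out four times. Binding it once with `const kid = decodedToken.header.kid;` and then writing `const signingKey = jwksCache.get(kid) ?? (await fetchKey(jwksClient, kid));` followed by `jwksCache.set(kid, signingKey);` keeps the variable immutable without `!`. Separately, the `await` sits between `has` and `set`, so requests that arrive together for an uncached kid each call `fetchKey`; this does not affect correctness but deserves a short comment.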
From: Peter Klingelhofer Date: Mon, 15 Jan 2024 09:43:25 -0600 Subject: [PATCH 03/16] fix: Only fetch signing key if not provided --- packages/plugins/jwt/src/index.ts | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 7f34d5961e..0a15fb0fe6 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -4,6 +4,19 @@ import { JwksClient } from 'jwks-rsa'; const { decode } = jsonwebtoken; +async function getSigningKeyFromJWKS(token: string, jwksClient: JwksClient, jwksCache: Map): Promise { + const decodedToken = decode(token, { complete: true }); + if (!decodedToken?.header?.kid) { + throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); + } + + if (!jwksCache.has(decodedToken.header.kid)) { + jwksCache.set(decodedToken.header.kid, await fetchKey(jwksClient, decodedToken.header.kid)); + } + + return jwksCache.get(decodedToken.header.kid)!; +} + export type JwtPluginOptions = JwtPluginOptionsWithJWKS | JwtPluginOptionsWithSigningKey; export interface JwtPluginOptionsBase { @@ -85,15 +98,7 @@ export function useJWT(options: JwtPluginOptions): Plugin { async onRequestParse({ request, serverContext, url }) { const token = await getToken({ request, serverContext, url }); if (token) { - const decodedToken = decode(token, { complete: true }); - if (!decodedToken?.header?.kid) { - throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); - } - - if (!jwksCache.has(decodedToken.header.kid)) { - jwksCache.set(decodedToken.header.kid, await fetchKey(jwksClient, decodedToken.header.kid)); - } - const signingKey = jwksCache.get(decodedToken.header.kid)!; + const signingKey = options.signingKey ?? await getSigningKeyFromJWKS(token, jwksClient, jwksCache); const verified = await verify(token, signingKey, options); From bc5e47f59ff4ff31eaac39d6809cc681606556ec Mon Sep 17 00:00:00 2001 
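Review bot: `getSigningKeyFromJWKS` has no doc comment, and it is easy to miss that it works on a token that has not been verified yet. `decode` only parses the token, so `kid` is caller-supplied at this point. The function is safe only because a kid enters `jwksCache` after `fetchKey` has resolved it against the JWKS, and because the returned key is then handed to `verify`. I would state that in TSDoc, e.g. `/** Resolves the public key for the token's kid. The header is read before signature verification; use the result only as the key passed to verify(). */`.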
From: Peter Klingelhofer Date: Mon, 15 Jan 2024 09:45:48 -0600 Subject: [PATCH 04/16] fix: Revert token comparison change --- packages/plugins/jwt/src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 0a15fb0fe6..59c7e231ec 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -97,7 +97,7 @@ export function useJWT(options: JwtPluginOptions): Plugin { return { async onRequestParse({ request, serverContext, url }) { const token = await getToken({ request, serverContext, url }); - if (token) { + if (token != null) { const signingKey = options.signingKey ?? await getSigningKeyFromJWKS(token, jwksClient, jwksCache); const verified = await verify(token, signingKey, options); From c5bee330e51a94b68725f516268dfb3ad0a4633b Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Mon, 15 Jan 2024 09:48:38 -0600 Subject: [PATCH 05/16] chore: Move signing key fetch near fetch key --- packages/plugins/jwt/src/index.ts | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 59c7e231ec..bce2be459f 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts 
@@ -4,19 +4,6 @@ import { JwksClient } from 'jwks-rsa'; const { decode } = jsonwebtoken; -async function getSigningKeyFromJWKS(token: string, jwksClient: JwksClient, jwksCache: Map): Promise { - const decodedToken = decode(token, { complete: true }); - if (!decodedToken?.header?.kid) { - throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); - } - - if (!jwksCache.has(decodedToken.header.kid)) { - jwksCache.set(decodedToken.header.kid, await fetchKey(jwksClient, decodedToken.header.kid)); - } - - return jwksCache.get(decodedToken.header.kid)!; -} - export type JwtPluginOptions = JwtPluginOptionsWithJWKS | JwtPluginOptionsWithSigningKey; export interface JwtPluginOptionsBase { @@ -166,6 +153,19 @@ async function fetchKey(jwksClient: JwksClient, kid: string): Promise { return signingKey; } +async function getSigningKeyFromJWKS(token: string, jwksClient: JwksClient, jwksCache: Map): Promise { + const decodedToken = decode(token, { complete: true }); + if (!decodedToken?.header?.kid) { + throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); + } + + if (!jwksCache.has(decodedToken.header.kid)) { + jwksCache.set(decodedToken.header.kid, await fetchKey(jwksClient, decodedToken.header.kid)); + } + + return jwksCache.get(decodedToken.header.kid)!; +} + const defaultGetToken: NonNullable = ({ request }) => { const header = request.headers.get('authorization'); if (!header) { From ae6c842b52eca2aaf1cd1fbf6eeb59780cdf6cc3 Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Mon, 15 Jan 2024 09:57:14 -0600 Subject: [PATCH 06/16] chore: Clean up key fetch helper funcs --- packages/plugins/jwt/src/index.ts | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index bce2be459f..5d85ac272c 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts 
@@ -85,7 +85,7 @@ export function useJWT(options: JwtPluginOptions): Plugin { async onRequestParse({ request, serverContext, url }) { const token = await getToken({ request, serverContext, url }); if (token != null) { - const signingKey = options.signingKey ?? await getSigningKeyFromJWKS(token, jwksClient, jwksCache); + const signingKey = options.signingKey ?? await fetchKey(token, jwksClient, jwksCache); const verified = await verify(token, signingKey, options); @@ -144,23 +144,19 @@ function verify( }); } -async function fetchKey(jwksClient: JwksClient, kid: string): Promise { - const secret = await jwksClient.getSigningKey(kid); - const signingKey = secret?.getPublicKey(); - if (!signingKey) { - throw unauthorizedError(`Failed to decode authentication token. Unknown key id.`); - } - return signingKey; -} - -async function getSigningKeyFromJWKS(token: string, jwksClient: JwksClient, jwksCache: Map): Promise { +async function fetchKey(token: string, jwksClient: JwksClient | undefined, jwksCache: Map): Promise { const decodedToken = decode(token, { complete: true }); if (!decodedToken?.header?.kid) { throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); } if (!jwksCache.has(decodedToken.header.kid)) { - jwksCache.set(decodedToken.header.kid, await fetchKey(jwksClient, decodedToken.header.kid)); + const secret = await jwksClient?.getSigningKey(decodedToken.header.kid); + const signingKey = secret?.getPublicKey(); + if (!signingKey) { + throw unauthorizedError(`Failed to decode authentication token. Unknown key id.`); + } + jwksCache.set(decodedToken.header.kid, signingKey); } return jwksCache.get(decodedToken.header.kid)!; From b0c469a0f859b9fe5d882efb0055221a4d32f7dd Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Mon, 15 Jan 2024 09:57:54 -0600 Subject: [PATCH 07/16] fix: Parentheses around await --- packages/plugins/jwt/src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 5d85ac272c..d699269ed0 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -85,7 +85,7 @@ export function useJWT(options: JwtPluginOptions): Plugin { async onRequestParse({ request, serverContext, url }) { const token = await getToken({ request, serverContext, url }); if (token != null) { - const signingKey = options.signingKey ?? await fetchKey(token, jwksClient, jwksCache); + const signingKey = options.signingKey ?? (await fetchKey(token, jwksClient, jwksCache)); const verified = await verify(token, signingKey, options); From 175ed92200c445ccfeca34d9fd65145a8112880c Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Mon, 15 Jan 2024 10:34:09 -0600 Subject: [PATCH 08/16] fix: Revert decoded token null comparison --- packages/plugins/jwt/src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index d699269ed0..6baa1cdbfb 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -146,7 +146,7 @@ function verify( async function fetchKey(token: string, jwksClient: JwksClient | undefined, jwksCache: Map): Promise { const decodedToken = decode(token, { complete: true }); - if (!decodedToken?.header?.kid) { + if (decodedToken?.header?.kid == null) { throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); } From b8f77401f21dac06bfa3e0866093c3cc9e661124 Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Mon, 15 Jan 2024 10:35:30 -0600 Subject: [PATCH 09/16] fix: Jwks client is never undefined --- packages/plugins/jwt/src/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 6baa1cdbfb..13b598b7e1 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts 
@@ -144,14 +144,14 @@ function verify( }); } -async function fetchKey(token: string, jwksClient: JwksClient | undefined, jwksCache: Map): Promise { +async function fetchKey(token: string, jwksClient: JwksClient, jwksCache: Map): Promise { const decodedToken = decode(token, { complete: true }); if (decodedToken?.header?.kid == null) { throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); } if (!jwksCache.has(decodedToken.header.kid)) { - const secret = await jwksClient?.getSigningKey(decodedToken.header.kid); + const secret = await jwksClient.getSigningKey(decodedToken.header.kid); const signingKey = secret?.getPublicKey(); if (!signingKey) { throw unauthorizedError(`Failed to decode authentication token. Unknown key id.`); From 9c1d64366b4f1893d43329044d85297a4ee1adac Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Mon, 15 Jan 2024 10:37:05 -0600 Subject: [PATCH 10/16] fix: Order parameters closer to original order --- packages/plugins/jwt/src/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 13b598b7e1..88d004d586 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -85,7 +85,7 @@ export function useJWT(options: JwtPluginOptions): Plugin { async onRequestParse({ request, serverContext, url }) { const token = await getToken({ request, serverContext, url }); if (token != null) { - const signingKey = options.signingKey ?? (await fetchKey(token, jwksClient, jwksCache)); + const signingKey = options.signingKey ?? (await fetchKey(jwksClient, jwksCache, token)); const verified = await verify(token, signingKey, options); 
@@ -144,7 +144,7 @@ function verify( }); } -async function fetchKey(token: string, jwksClient: JwksClient, jwksCache: Map): Promise { +async function fetchKey(jwksClient: JwksClient, jwksCache: Map, token: string): Promise { const decodedToken = decode(token, { complete: true }); if (decodedToken?.header?.kid == null) { throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); From fd04ed7f8052b75e2be9adb87fd9c32d9f2026d2 Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Mon, 15 Jan 2024 10:58:48 -0600 Subject: [PATCH 11/16] feat: Refresh stale key from cache on initial verification failure --- packages/plugins/jwt/src/index.ts | 44 ++++++++++++++++++++++++------- 1 file changed, 35 insertions(+), 9 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 88d004d586..e38c380dfa 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts 
@@ -85,15 +85,25 @@ export function useJWT(options: JwtPluginOptions): Plugin { async onRequestParse({ request, serverContext, url }) { const token = await getToken({ request, serverContext, url }); if (token != null) { - const signingKey = options.signingKey ?? (await fetchKey(jwksClient, jwksCache, token)); - - const verified = await verify(token, signingKey, options); - - if (!verified) { - throw unauthorizedError(`Unauthenticated`); + try { + let signingKey = options.signingKey ?? (await fetchKey({ jwksClient, jwksCache, token })); + let verified = await verify(token, signingKey, options); + + if (!verified) { + throw new Error("Initial verification failed."); + } + + payloadByRequest.set(request, verified); + } catch (error) { + // If initial verification fails, attempt to refresh the key and retry verification + const signingKey = await fetchKey({ jwksClient, jwksCache, token, shouldRefreshCache: true }); + const verified = await verify(token, signingKey, options); + if (!verified) { + throw unauthorizedError(`Unauthenticated`); + } + + payloadByRequest.set(request, verified); } - - payloadByRequest.set(request, verified); } }, onContextBuilding({ context, extendContext }) { 
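Review bot: The `catch` block retries after every failure in the `try`, not only after a stale cached key. A missing or unknown `kid` thrown by `fetchKey`, an expired token and a bad signature all land there, and each one evicts the cached key and repeats both the JWKS lookup and the verification. Any request carrying an invalid token therefore evicts a cache entry and triggers a second fetch; how expensive that is depends on the client's own cache and rate limiting, which are not visible here. I would let `fetchKey` errors propagate, retry once only when `verify` rejects, and skip the second `verify` when the refreshed key is identical to the cached one; a minimum interval between forced refreshes per `kid` would bound the remaining cost. The sketch below also folds in the supplied-`signingKey` case that patch 13 handles later; `onRequestParse` starts outside the hunk.

```typescript
if (token != null) {
  if (options.signingKey) {
    // Supplied key: there is no cache to refresh, so verify exactly once.
    payloadByRequest.set(request, await verify(token, options.signingKey, options));
  } else {
    // A missing or unknown kid throws here and is not retried.
    const cachedKey = await fetchKey({ jwksClient, jwksCache, token });
    let verified: JwtPayload;
    try {
      verified = await verify(token, cachedKey, options);
    } catch (error) {
      const freshKey = await fetchKey({ jwksClient, jwksCache, token, shouldRefreshCache: true });
      // Same key material after the refresh: the token is bad, not the cache.
      if (freshKey === cachedKey) {
        throw error;
      }
      verified = await verify(token, freshKey, options);
    }
    if (!verified) {
      throw unauthorizedError(`Unauthenticated`);
    }
    payloadByRequest.set(request, verified);
  }
}
```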
@@ -144,12 +154,28 @@ function verify( }); } -async function fetchKey(jwksClient: JwksClient, jwksCache: Map, token: string): Promise { +interface FetchKeyOptions { + jwksClient: JwksClient; + jwksCache: Map; + token: string; + shouldRefreshCache?: boolean; +} + +async function fetchKey({ + jwksClient, + jwksCache, + token, + shouldRefreshCache = false +}: FetchKeyOptions): Promise { const decodedToken = decode(token, { complete: true }); if (decodedToken?.header?.kid == null) { throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); } + if (shouldRefreshCache) { + jwksCache.delete(decodedToken.header.kid); + } + if (!jwksCache.has(decodedToken.header.kid)) { const secret = await jwksClient.getSigningKey(decodedToken.header.kid); const signingKey = secret?.getPublicKey(); From 695713764e9cc5e06d0b261ec6110d201c747767 Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Mon, 15 Jan 2024 12:37:06 -0600 Subject: [PATCH 12/16] fix: Use constants where possible --- packages/plugins/jwt/src/index.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index e38c380dfa..20d0caec4e 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -86,8 +86,8 @@ export function useJWT(options: JwtPluginOptions): Plugin { const token = await getToken({ request, serverContext, url }); if (token != null) { try { - let signingKey = options.signingKey ?? (await fetchKey({ jwksClient, jwksCache, token })); - let verified = await verify(token, signingKey, options); + const signingKey = options.signingKey ?? (await fetchKey({ jwksClient, jwksCache, token })); + const verified = await verify(token, signingKey, options); if (!verified) { throw new Error("Initial verification failed."); From d11dbd420caa04ef89ae48d168b34dcea44c028e Mon Sep 17 00:00:00 2001 
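Review bot: `FetchKeyOptions.shouldRefreshCache` and the `jwksCache.delete(...)` it triggers are undocumented, and the ordering matters. The entry is evicted before the replacement is fetched, so a failed lookup leaves the kid uncached instead of falling back to the old key. That is the fail-closed choice and worth recording, e.g. `// Evict before refetching so a key that is no longer in the JWKS cannot be served from this cache if the lookup fails.` Because the client is created with `cache: true`, `getSigningKey` may answer from the client's own cache, in which case the refresh would return the same key; please confirm that against the client's settings. `fetchKey` continues past the end of the hunk.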
From: Peter Klingelhofer Date: Mon, 15 Jan 2024 13:24:26 -0600 Subject: [PATCH 13/16] fix: Skip cache refresh if signing key supplied --- packages/plugins/jwt/src/index.ts | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 20d0caec4e..1ca1b69a33 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -95,6 +95,11 @@ export function useJWT(options: JwtPluginOptions): Plugin { payloadByRequest.set(request, verified); } catch (error) { + // If error is thrown and signing key was supplied, do not attempt cache refresh + if (options.signingKey) { + throw unauthorizedError(`Unauthenticated`); + } + // If initial verification fails, attempt to refresh the key and retry verification const signingKey = await fetchKey({ jwksClient, jwksCache, token, shouldRefreshCache: true }); const verified = await verify(token, signingKey, options); From 9cbe38ad24df2762c1c7a3a8fa71a5d1b0bcad04 Mon Sep 17 00:00:00 2001 From: Peter Klingelhofer Date: Mon, 15 Jan 2024 15:18:10 -0600 Subject: [PATCH 14/16] fix: Run prettier, make error text consistent --- packages/plugins/jwt/src/index.ts | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 1ca1b69a33..854aad0fcb 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts 
@@ -86,11 +86,12 @@ export function useJWT(options: JwtPluginOptions): Plugin { const token = await getToken({ request, serverContext, url }); if (token != null) { try { - const signingKey = options.signingKey ?? (await fetchKey({ jwksClient, jwksCache, token })); + const signingKey = + options.signingKey ?? (await fetchKey({ jwksClient, jwksCache, token })); const verified = await verify(token, signingKey, options); if (!verified) { - throw new Error("Initial verification failed."); + throw new Error('Initial verification failed.'); } payloadByRequest.set(request, verified); @@ -101,7 +102,12 @@ export function useJWT(options: JwtPluginOptions): Plugin { } // If initial verification fails, attempt to refresh the key and retry verification - const signingKey = await fetchKey({ jwksClient, jwksCache, token, shouldRefreshCache: true }); + const signingKey = await fetchKey({ + jwksClient, + jwksCache, + token, + shouldRefreshCache: true, + }); const verified = await verify(token, signingKey, options); if (!verified) { throw unauthorizedError(`Unauthenticated`); @@ -150,7 +156,7 @@ function verify( { ...options, algorithms: options?.algorithms ?? ['RS256'] }, (err, result) => { if (err) { - reject(unauthorizedError('Failed to decode authentication token. Verification failed.')); + reject(unauthorizedError('Unauthenticated')); } else { resolve(result as JwtPayload); } @@ -170,11 +176,11 @@ async function fetchKey({ jwksClient, jwksCache, token, - shouldRefreshCache = false + shouldRefreshCache = false, }: FetchKeyOptions): Promise { const decodedToken = decode(token, { complete: true }); if (decodedToken?.header?.kid == null) { - throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); + throw unauthorizedError(`Unauthenticated`); } if (shouldRefreshCache) { 
@@ -185,7 +191,7 @@ async function fetchKey({ const secret = await jwksClient.getSigningKey(decodedToken.header.kid); const signingKey = secret?.getPublicKey(); if (!signingKey) { - throw unauthorizedError(`Failed to decode authentication token. Unknown key id.`); + throw unauthorizedError(`Unauthenticated`); } jwksCache.set(decodedToken.header.kid, signingKey); } From 049a1e737e8d873d3fddc8d2ce0ea010a64a5c94 Mon Sep 17 00:00:00 2001 From: peterklingelhofer Date: Sun, 28 Jan 2024 18:02:32 -0600 Subject: [PATCH 15/16] fix: Revert unauthorized rejection error text --- packages/plugins/jwt/src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 854aad0fcb..6475a2b555 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -180,7 +180,7 @@ async function fetchKey({ }: FetchKeyOptions): Promise { const decodedToken = decode(token, { complete: true }); if (decodedToken?.header?.kid == null) { - throw unauthorizedError(`Unauthenticated`); + throw unauthorizedError(`Failed to decode authentication token. Missing key id.`); } if (shouldRefreshCache) { From 4200529c970a4c039f91bf67ec3726e4f0a82cb5 Mon Sep 17 00:00:00 2001 From: peterklingelhofer Date: Sun, 28 Jan 2024 18:02:39 -0600 Subject: [PATCH 16/16] fix: Revert unauthorized rejection error text --- packages/plugins/jwt/src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/plugins/jwt/src/index.ts b/packages/plugins/jwt/src/index.ts index 6475a2b555..80446010b1 100644 --- a/packages/plugins/jwt/src/index.ts +++ b/packages/plugins/jwt/src/index.ts @@ -156,7 +156,7 @@ function verify( { ...options, algorithms: options?.algorithms ?? ['RS256'] }, (err, result) => { if (err) { - reject(unauthorizedError('Unauthenticated')); + reject(unauthorizedError('Failed to decode authentication token. Verification failed.')); } else { resolve(result as JwtPayload); }
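Review bot: After the two reverts on this line (patches 15 and 16), the three failure paths are inconsistent again. A missing `kid` and a failed verification return the detailed `Failed to decode authentication token. …` text, while an unknown `kid` (first hunk on this line, from patch 14) still returns `Unauthenticated`. Returning one generic message to the client for all three and writing the detail to a server-side log keeps an unauthenticated caller from learning which check rejected the token. If the detailed text has to stay for compatibility, restore `Unknown key id.` as well so the set is consistent. `verify` and `fetchKey` both extend beyond these hunks.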