How do I import a HS256 secret in Deno?

[vicary]

I am testing out supabase auth, for performance reasons I would like to use the jwtVerify method to verify the access token skip a user fetch. (So supabase.auth.getUser(jwt) is not an answer)

There is a, base64 encoded, HS256 secret available from their dashboard, but jose doesn't seem to provide a way to convert such a string into KeyLike object.

How should I import that secret?

[panva]

Strings make for a terrible secret format.

Use a Uint8Array/Buffer as documented directly.

[panva]

#210

[vicary]

Their secret looks like a base64 encoded string, atob gives me gibberish so I assume it is a buffer.

[vicary]

I just found the answer so I'll my own quesiton here. I am working in a deno environment but you may use the corresponding native API of your runtime.

Supabase's secret is a simple HS256 buffer, which can be copied from their dashboard. It may looks like a base64 encoded string but it's not, so don't atob() it.

Convert the secret into a buffer and jose will happily accept it.

import { jwtVerify } from "jose";

const SUPABASE_JWT_SECRET = Deno.env.get("SUPABASE_JWT_SECRET");

const verifiedPayload = await jwtVerify(jwt, new TextEncoder().encode(SUPABASE_JWT_SECRET));

[panva]

You might as well do const verifiedPayload = await jwtVerify(jwt, new TextEncoder().encode(SUPABASE_JWT_SECRET)) then.

[vicary]

@panva Yes, that also works! Let me update my answer.

[panva]

So the secret you were given is not a buffer, it's a string, that, as per my original suggestion, you just have to represent as Uint8Array. Nothing more, nothing less. TextEncoder takes care of that.

[vicary]

Yes. I was tricked by it's resemblance of a base64 string, it seems that their tokens are signed with the encoded version. I don't have control over their implementation though, I hope supabase see your recommendation.