perf: replace jsonwebtoken with jose (#8217)

The jose package has 0 dependencies and is tree shakable ESM.
So we get lower bundle size and get rid of 10 dependencies.

Author: andershermansen

packages/payload/package.json

@@ -98,8 +98,8 @@
     "get-tsconfig": "^4.7.2",
     "http-status": "1.6.2",
     "image-size": "^1.1.1",
+    "jose": "5.9.2",
     "json-schema-to-typescript": "15.0.1",
-    "jsonwebtoken": "9.0.2",
     "minimist": "1.2.8",
     "pino": "9.5.0",
     "pino-pretty": "11.3.0",
@@ -114,7 +114,6 @@
     "@hyrious/esbuild-plugin-commonjs": "^0.2.4",
     "@payloadcms/eslint-config": "workspace:*",
     "@types/json-schema": "7.0.15",
-    "@types/jsonwebtoken": "8.5.9",
     "@types/minimist": "1.2.2",
     "@types/nodemailer": "6.4.14",
     "@types/pluralize": "0.0.33",

packages/payload/src/auth/jwt.ts

@@ -0,0 +1,21 @@
+import { SignJWT } from 'jose'
+
+export const jwtSign = async ({
+  fieldsToSign,
+  secret,
+  tokenExpiration,
+}: {
+  fieldsToSign: Record<string, unknown>
+  secret: string
+  tokenExpiration: number
+}) => {
+  const secretKey = new TextEncoder().encode(secret)
+  const issuedAt = Math.floor(Date.now() / 1000)
+  const exp = issuedAt + tokenExpiration
+  const token = await new SignJWT(fieldsToSign)
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setIssuedAt(issuedAt)
+    .setExpirationTime(exp)
+    .sign(secretKey)
+  return { exp, token }
+}

packages/payload/src/auth/operations/login.ts

@@ -1,5 +1,3 @@
-import jwt from 'jsonwebtoken'
-
 import type {
   AuthOperationsFromCollectionSlug,
   Collection,
@@ -16,6 +14,7 @@ import { killTransaction } from '../../utilities/killTransaction.js'
 import sanitizeInternalFields from '../../utilities/sanitizeInternalFields.js'
 import { getFieldsToSign } from '../getFieldsToSign.js'
 import isLocked from '../isLocked.js'
+import { jwtSign } from '../jwt.js'
 import { authenticateLocalStrategy } from '../strategies/local/authenticate.js'
 import { incrementLoginAttempts } from '../strategies/local/incrementLoginAttempts.js'
 import { resetLoginAttempts } from '../strategies/local/resetLoginAttempts.js'
@@ -234,8 +233,10 @@ export const loginOperation = async <TSlug extends CollectionSlug>(
         })) || user
     }, Promise.resolve())
 
-    const token = jwt.sign(fieldsToSign, secret, {
-      expiresIn: collectionConfig.auth.tokenExpiration,
+    const { exp, token } = await jwtSign({
+      fieldsToSign,
+      secret,
+      tokenExpiration: collectionConfig.auth.tokenExpiration,
     })
 
     req.user = user
@@ -308,7 +309,7 @@ export const loginOperation = async <TSlug extends CollectionSlug>(
     }, Promise.resolve())
 
     let result: { user: DataFromCollectionSlug<TSlug> } & Result = {
-      exp: (jwt.decode(token) as jwt.JwtPayload).exp,
+      exp,
       token,
       user,
     }

packages/payload/src/auth/operations/me.ts

@@ -1,4 +1,4 @@
-import jwt from 'jsonwebtoken'
+import { decodeJwt } from 'jose'
 
 import type { Collection } from '../../collections/config/types.js'
 import type { PayloadRequest } from '../../types/index.js'
@@ -70,7 +70,7 @@ export const meOperation = async (args: Arguments): Promise<MeOperationResult> =
       result.user = user
 
       if (currentToken) {
-        const decoded = jwt.decode(currentToken) as jwt.JwtPayload
+        const decoded = decodeJwt(currentToken)
         if (decoded) {
           result.exp = decoded.exp
         }

packages/payload/src/auth/operations/refresh.ts

@@ -1,4 +1,3 @@
-import jwt from 'jsonwebtoken'
 import url from 'url'
 
 import type { BeforeOperationHook, Collection } from '../../collections/config/types.js'
@@ -10,6 +9,7 @@ import { commitTransaction } from '../../utilities/commitTransaction.js'
 import { initTransaction } from '../../utilities/initTransaction.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import { getFieldsToSign } from '../getFieldsToSign.js'
+import { jwtSign } from '../jwt.js'
 
 export type Result = {
   exp: number
@@ -102,12 +102,12 @@ export const refreshOperation = async (incomingArgs: Arguments): Promise<Result>
         user: args?.req?.user,
       })
 
-      const refreshedToken = jwt.sign(fieldsToSign, secret, {
-        expiresIn: collectionConfig.auth.tokenExpiration,
+      const { exp, token: refreshedToken } = await jwtSign({
+        fieldsToSign,
+        secret,
+        tokenExpiration: collectionConfig.auth.tokenExpiration,
       })
 
-      const exp = (jwt.decode(refreshedToken) as Record<string, unknown>).exp as number
-
       result = {
         exp,
         refreshedToken,

packages/payload/src/auth/operations/resetPassword.ts

@@ -1,5 +1,4 @@
 import httpStatus from 'http-status'
-import jwt from 'jsonwebtoken'
 
 import type { Collection } from '../../collections/config/types.js'
 import type { PayloadRequest } from '../../types/index.js'
@@ -9,6 +8,7 @@ import { commitTransaction } from '../../utilities/commitTransaction.js'
 import { initTransaction } from '../../utilities/initTransaction.js'
 import { killTransaction } from '../../utilities/killTransaction.js'
 import { getFieldsToSign } from '../getFieldsToSign.js'
+import { jwtSign } from '../jwt.js'
 import { authenticateLocalStrategy } from '../strategies/local/authenticate.js'
 import { generatePasswordSaltHash } from '../strategies/local/generatePasswordSaltHash.js'
 
@@ -118,8 +118,10 @@ export const resetPasswordOperation = async (args: Arguments): Promise<Result> =
       user,
     })
 
-    const token = jwt.sign(fieldsToSign, secret, {
-      expiresIn: collectionConfig.auth.tokenExpiration,
+    const { token } = await jwtSign({
+      fieldsToSign,
+      secret,
+      tokenExpiration: collectionConfig.auth.tokenExpiration,
     })
 
     const fullUser = await payload.findByID({

packages/payload/src/auth/strategies/jwt.ts

@@ -1,4 +1,4 @@
-import jwt from 'jsonwebtoken'
+import { jwtVerify } from 'jose'
 
 import type { Payload, Where } from '../../types/index.js'
 import type { AuthStrategyFunction, User } from '../index.js'
@@ -81,8 +81,8 @@ export const JWTAuthentication: AuthStrategyFunction = async ({
       return { user: null }
     }
 
-    const decodedPayload = jwt.verify(token, payload.secret) as jwt.JwtPayload & JWTToken
-
+    const secretKey = new TextEncoder().encode(payload.secret)
+    const { payload: decodedPayload } = await jwtVerify<JWTToken>(token, secretKey)
     const collection = payload.collections[decodedPayload.collection]
 
     const user = await payload.findByID({