2024-02-09 04:00:45 +08:00
|
|
|
import { create, getNumericDate, verify } from "djwt";
|
|
|
|
import type { KvPrimitives } from "$lib/data/kv_primitives.ts";
|
2023-12-11 19:11:56 +08:00
|
|
|
|
|
|
|
const jwtSecretKey = "jwtSecretKey";
|
|
|
|
|
|
|
|
export class JWTIssuer {
|
|
|
|
private key!: CryptoKey;
|
|
|
|
|
|
|
|
constructor(readonly kv: KvPrimitives) {
|
|
|
|
}
|
|
|
|
|
2023-12-14 00:52:56 +08:00
|
|
|
// authString is only used to compare hashes to see if the auth has changed
|
2023-12-11 19:11:56 +08:00
|
|
|
async init(authString: string) {
|
|
|
|
const [secret] = await this.kv.batchGet([[jwtSecretKey]]);
|
|
|
|
if (!secret) {
|
2024-01-15 23:43:12 +08:00
|
|
|
console.log("Generating new JWT secret key");
|
2023-12-11 19:11:56 +08:00
|
|
|
return this.generateNewKey();
|
|
|
|
} else {
|
|
|
|
this.key = await crypto.subtle.importKey(
|
|
|
|
"raw",
|
|
|
|
secret,
|
|
|
|
{ name: "HMAC", hash: "SHA-512" },
|
|
|
|
true,
|
|
|
|
["sign", "verify"],
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check if the authentication has changed since last run
|
|
|
|
const [currentAuthHash] = await this.kv.batchGet([[
|
|
|
|
"authHash",
|
|
|
|
]]);
|
|
|
|
const newAuthHash = await this.hashSHA256(authString);
|
|
|
|
if (currentAuthHash && currentAuthHash !== newAuthHash) {
|
2024-01-15 23:43:12 +08:00
|
|
|
console.log(
|
|
|
|
"Authentication has changed since last run, so invalidating all existing tokens",
|
|
|
|
);
|
2023-12-11 19:11:56 +08:00
|
|
|
// It has, so we need to generate a new key to invalidate all existing tokens
|
|
|
|
await this.generateNewKey();
|
|
|
|
}
|
|
|
|
if (currentAuthHash !== newAuthHash) {
|
|
|
|
// Persist new auth hash
|
|
|
|
await this.kv.batchSet([{
|
|
|
|
key: ["authHash"],
|
|
|
|
value: newAuthHash,
|
|
|
|
}]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
async generateNewKey() {
|
|
|
|
this.key = await crypto.subtle.generateKey(
|
|
|
|
{ name: "HMAC", hash: "SHA-512" },
|
|
|
|
true,
|
|
|
|
["sign", "verify"],
|
|
|
|
);
|
|
|
|
await this.kv.batchSet([{
|
|
|
|
key: [jwtSecretKey],
|
|
|
|
value: await crypto.subtle.exportKey("raw", this.key),
|
|
|
|
}]);
|
|
|
|
}
|
|
|
|
|
|
|
|
createJWT(
|
|
|
|
payload: Record<string, unknown>,
|
2024-10-28 21:09:32 +08:00
|
|
|
expirySeconds?: number,
|
2023-12-11 19:11:56 +08:00
|
|
|
): Promise<string> {
|
2024-10-28 21:09:32 +08:00
|
|
|
const jwtPayload = { ...payload };
|
|
|
|
if (expirySeconds) {
|
|
|
|
jwtPayload.exp = getNumericDate(expirySeconds);
|
|
|
|
}
|
|
|
|
return create({ alg: "HS512", typ: "JWT" }, jwtPayload, this.key);
|
2023-12-11 19:11:56 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
verifyAndDecodeJWT(jwt: string): Promise<Record<string, unknown>> {
|
|
|
|
return verify(jwt, this.key);
|
|
|
|
}
|
|
|
|
|
|
|
|
async hashSHA256(message: string): Promise<string> {
|
|
|
|
// Transform the string into an ArrayBuffer
|
|
|
|
const encoder = new TextEncoder();
|
|
|
|
const data = encoder.encode(message);
|
|
|
|
|
|
|
|
// Generate the hash
|
2024-10-10 18:52:28 +08:00
|
|
|
const hashBuffer = await globalThis.crypto.subtle.digest("SHA-256", data);
|
2023-12-11 19:11:56 +08:00
|
|
|
|
|
|
|
// Transform the hash into a hex string
|
|
|
|
return Array.from(new Uint8Array(hashBuffer)).map((b) =>
|
|
|
|
b.toString(16).padStart(2, "0")
|
|
|
|
).join("");
|
|
|
|
}
|
2023-12-10 20:23:42 +08:00
|
|
|
}
|