"crypto" package inconsistencies

Hey,
In my worker, as a middleware, I'm trying to validate a JWT that is being generated from Auth0. Since I have implemented this check in the express service that's running parallel to the worker, I wanted to reuse as much logic as possible. It's not possible to take advantage of the

expressjwt

expressjwt

expressjwt

expressjwt middleware since it uses Express-specific types, so I decided to take their code and adapt it to a Worker middleware, but I have noticed inconsistencies in the

crypto

crypto

crypto

crypto package, since I'm using the same config, but I am getting different results.
The snippet that I will show is based on https://github.com/auth0/express-jwt/blob/129138815162b00b8017e6944f7fc6f3c5776ded/src/index.ts, but I'll skip the boring parts:

vanpanaOP•12/24/24, 10:31 AM

// ...
// rest of the middleware

// a custom fetcher is needed since `jsonwebtoken` uses http request underneath
const jwksClientConfig = {
  cache: true,
  rateLimit: true,
  jwksRequestsPerMinute: 10,
  jwksUri: `https://${auth.domain}/.well-known/jwks.json`, // this resolves to the same uri as the express service
  fetcher: async (jwksUri: string) => {
    return fetch(jwksUri).then((res) => res.json());
  },
};

const options: Params = {
  secret: jwksRsa.expressJwtSecret(jwksClientConfig) as GetVerificationKey,
  audience: auth.audience,
  issuer: auth.issuer,
  algorithms: auth.algorithms,
};

const getVerificationKey: GetVerificationKey =
  typeof options.secret === 'function'
    ? options.secret
    : async () => options.secret as jwt.Secret;

// ... other steps such as getting the token from the headers
const decodedToken = jwt.decode(token, { complete: true });
const key = await getVerificationKey(req, decodedToken as jwt.Jwt);
jwt.verify(token, key, options); // There's an error thrown here

// ...
// rest of the middleware

// a custom fetcher is needed since `jsonwebtoken` uses http request underneath
const jwksClientConfig = {
  cache: true,
  rateLimit: true,
  jwksRequestsPerMinute: 10,
  jwksUri: `https://${auth.domain}/.well-known/jwks.json`, // this resolves to the same uri as the express service
  fetcher: async (jwksUri: string) => {
    return fetch(jwksUri).then((res) => res.json());
  },
};

const options: Params = {
  secret: jwksRsa.expressJwtSecret(jwksClientConfig) as GetVerificationKey,
  audience: auth.audience,
  issuer: auth.issuer,
  algorithms: auth.algorithms,
};

const getVerificationKey: GetVerificationKey =
  typeof options.secret === 'function'
    ? options.secret
    : async () => options.secret as jwt.Secret;

// ... other steps such as getting the token from the headers
const decodedToken = jwt.decode(token, { complete: true });
const key = await getVerificationKey(req, decodedToken as jwt.Jwt);
jwt.verify(token, key, options); // There's an error thrown here

The error that is thrown is:

TypeError: CryptoKey is not extractable
    at genericExport (.../node_modules/jose/dist/browser/runtime/asn1.js:12:15)
    at toSPKI (.../node_modules/jose/dist/browser/runtime/asn1.js:20:12)

TypeError: CryptoKey is not extractable
    at genericExport (.../node_modules/jose/dist/browser/runtime/asn1.js:12:15)
    at toSPKI (.../node_modules/jose/dist/browser/runtime/asn1.js:20:12)

but I believe the original issue comes even before exporting. The jwks-rsajwks-rsa tries to do const key = await jose.importJWK(jwk, resolveAlg(jwk));const key = await jose.importJWK(jwk, resolveAlg(jwk)); and, internally, it gets to return crypto.subtle.importKey('jwk', { ...jwk }, ...rest);return crypto.subtle.importKey('jwk', { ...jwk }, ...rest);
I have traced that the difference between the worker implementation and express implementation comes from here, since the data up to this point is completely the same.

Am I doing something wrong or is it a difference in the crypto compatibility layer implementation?

Walshy•12/24/24, 10:33 AM

it looks like the lib is attempting to extract but isn't setting extractable - https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#extractable

Walshy•12/24/24, 10:34 AM

that's something that will need to be reported to the lib author

"crypto" package inconsistencies

Similar Threads

Similar Threads

Similar Threads