Comments (17)

panva commented on June 14, 2024

jwks-rsa has a package.json engines entry marking it node-only.

from jose.

panva commented on June 14, 2024

BTW, the crypto works fine if I point bun to the node package of jose.

It might for you, it might not for others. Open an issue with bun on how they resolve node-first module dependencies. Yours is not an isolated issue, I've seen them popping up and it's a runtime issue.

panva commented on June 14, 2024

Why import bun as a browser module?

Because bun is Web Platform API first and node's crypto module compatibility is not guaranteed and will never be a 100%.

panva commented on June 14, 2024

I wasted 2 hours thinking something was wrong with jwks-rsa auth0/node-jwks-rsa/issues/373

There isn't anything wrong with jwks-rsa, but it's a node module, not one made for other runtimes.

hiteshjoshi commented on June 14, 2024

Mention it on docs. Please?

hiteshjoshi commented on June 14, 2024

BTW, the crypto works fine if I point bun to the node package of jose.

panva commented on June 14, 2024

FYI auth0/node-jwks-rsa#374 give this branch a shot and let me know if there's anything else.

BRAVO68WEB commented on June 14, 2024

Hey @panva it's me again.

Here is my code.

import JwksClient from "jwks-rsa";
import JsonWebToken, { JwtHeader } from "jsonwebtoken";

const client = JwksClient({
    jwksUri: `https://${process.env.AUTH0_DOMAIN}/.well-known/jwks.json`
})

const keySets: any = await client.getKeys();

export const certToPEM = (cert: string) => {
    cert = cert.match(/.{1,64}/g)!.join('\n')
    cert = `-----BEGIN CERTIFICATE-----\n${cert}\n-----END CERTIFICATE-----\n`;
    return cert;
}

export const verifySession = (token: string) => {
    const decoded = JsonWebToken.decode(token, { complete: true }) as { header: JwtHeader, payload: any };
    const kid = decoded.header.kid;

    const keySet = keySets.find((key: { kid: string; }) => key.kid === kid);

    if (!keySet) {
        throw new Error("No key set");
    }

    const signingKey = certToPEM(keySet.x5c[0]);
    return JsonWebToken.verify(token, signingKey);
}

Here is my error

115 | 
116 |     if (!hasSignature && !options.algorithms) {
117 |       return done(new JsonWebTokenError('please specify "none" in "algorithms" to verify unsigned tokens'));
118 |     }
119 | 
120 |     if (secretOrPublicKey != null && !(secretOrPublicKey instanceof KeyObject)) {
                                          ^
TypeError: Right hand side of instanceof is not an object
      at /home/xxxxxxxxxx/hono-bun/node_modules/jsonwebtoken/verify.js:120:39

panva commented on June 14, 2024

https://bun.sh/docs/runtime/nodejs-apis#node-crypto Bun does not implement those APIs. Use jose, not jsonwebtoken.

You can replace both jwks-rsa and jsonwebtoken with jose.

import * as jose from 'jose'

// jwt is the compact JWT string to verify
const JWKS = jose.createRemoteJWKSet(new URL('https://www.googleapis.com/oauth2/v3/certs'))

const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
  issuer: 'urn:example:issuer',
  audience: 'urn:example:audience',
})
console.log(protectedHeader)
console.log(payload)

BRAVO68WEB commented on June 14, 2024

This was the code that got me a segmentation fault

panva commented on June 14, 2024

Then create a reproduction sample and open a Bun issue please, there's nothing I can do about those.

BRAVO68WEB commented on June 14, 2024

Sure man, thx you for helping me out.

panva commented on June 14, 2024

To explain, it is far more likely the segmentation fault is related to some other code and just presents itself when the jose code yields control. So it seems like jose is triggering it but it's not. The whole jose test suite gets executed using Bun without segmentation faults.

BRAVO68WEB commented on June 14, 2024

Hmm
One question!

I am using Auth0 to do openid stuff. My JWKS does not contain publicKey directly. I use x5c to create it. Can this be the reason?

PS: Also the jwks-rsa is your custom branch from github not from npm

BRAVO68WEB commented on June 14, 2024

The OP is correct. Everything is fine in node

panva commented on June 14, 2024

My JWKS does not contain publicKey directly

JWKs are the public keys, just in a JWK format

BRAVO68WEB commented on June 14, 2024

Ohhh got

from jose.
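
The two points the thread settles on (Web Platform crypto is the portable path, and a JWK already is the public key), shown as an added example that is not part of the thread and is not jose's or jwks-rsa's code: a JWT is checked against a JWKS with Web Crypto only, with the algorithm pinned by the verifier. The function names, the `demo-key-1` kid, the claims and the locally generated key pair standing in for a fetched JWKS are all constructed for the demo.

```javascript
// Added example (not from the thread): JWT verification against a JWKS using Web Crypto only.
// Fallback covers older Node releases without the global; Bun and browsers expose globalThis.crypto.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const RS256 = { name: 'RSASSA-PKCS1-v1_5', hash: 'SHA-256' };
const utf8 = new TextEncoder();
const b64u = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
const json = (s) => JSON.parse(new TextDecoder().decode(unb64u(s)));

async function verifyWithJwks(token, jwks, issuer) {
  const [h, p, s, ...rest] = token.split('.');
  if (!h || !p || s === undefined || rest.length) throw new Error('malformed token');
  const header = json(h);
  // Pin the algorithm on the verifier side; the token header must not choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('no matching key');
  // n and e are the RSA public key; no x5c-to-PEM conversion is involved.
  const key = await subtle.importKey('jwk', { kty: 'RSA', n: jwk.n, e: jwk.e }, RS256, false, ['verify']);
  if (!(await subtle.verify(RS256, key, unb64u(s), utf8.encode(`${h}.${p}`)))) throw new Error('bad signature');
  const claims = json(p);
  if (claims.iss !== issuer) throw new Error('unexpected issuer');
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= Date.now()) throw new Error('expired');
  return claims;
}

// Constructed demo: a locally generated key pair stands in for the issuer and its JWKS endpoint.
async function demo() {
  const pair = await subtle.generateKey(
    { ...RS256, modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]) }, true, ['sign', 'verify']);
  const jwks = { keys: [{ ...(await subtle.exportKey('jwk', pair.publicKey)), kid: 'demo-key-1' }] };
  const part = (obj) => b64u(utf8.encode(JSON.stringify(obj)));
  const claims = { iss: 'urn:example:issuer', sub: 'user-1', exp: Math.floor(Date.now() / 1000) + 300 };
  const head = part({ alg: 'RS256', kid: 'demo-key-1' });
  const sig = b64u(await subtle.sign(RS256, pair.privateKey, utf8.encode(`${head}.${part(claims)}`)));
  const tokens = {
    good: `${head}.${part(claims)}.${sig}`,
    tampered: `${head}.${part({ ...claims, sub: 'admin' })}.${sig}`,
    unsigned: `${part({ alg: 'none', kid: 'demo-key-1' })}.${part(claims)}.`,
  };
  const out = {};
  for (const [name, t] of Object.entries(tokens)) {
    out[name] = await verifyWithJwks(t, jwks, 'urn:example:issuer').then((c) => c.sub, (e) => e.message);
  }
  return out;
}

demo().then(console.log);
```

In production the thread's advice stands: use jose's `createRemoteJWKSet` and `jwtVerify`, which also handle fetching and caching the key set.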
