From e4b029e732267ee4b5ddacdc68ab7d2312ef81ce Mon Sep 17 00:00:00 2001
From: Ou
Date: Mon, 14 Oct 2024 01:20:43 +0800
Subject: [PATCH] fix: test jose to sign jwt
---
 package.json | 2 ++
 pnpm-lock.yaml | 23 +++++++++++++++++++++++
 server/middleware/auth.ts | 12 +++++++-----
 server/routes/oauth-callback/github.ts | 11 ++++++-----
 4 files changed, 38 insertions(+), 10 deletions(-)
diff --git a/package.json b/package.json
index 0be169d..4cf83e1 100644
--- a/package.json
+++ b/package.json
@@ -26,6 +26,7 @@
 "@dnd-kit/core": "^6.1.0",
 "@dnd-kit/sortable": "^8.0.0",
 "@dnd-kit/utilities": "^3.2.2",
+ "@oslojs/jwt": "^0.2.0",
 "@tanstack/react-query-devtools": "^5.59.9",
 "@tanstack/react-router": "^1.64.0",
 "@tsndr/cloudflare-worker-jwt": "^3.1.2",
@@ -40,6 +41,7 @@
 "framer-motion": "^11.11.8",
 "h3": "^1.13.0",
 "iconv-lite": "^0.6.3",
+ "jose": "^5.9.4",
 "jotai": "^2.10.0",
 "jsonwebtoken": "^9.0.2",
 "libsql": "^0.4.6",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 7aa1011..56d7165 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -26,6 +26,9 @@ importers: '@dnd-kit/utilities': specifier: ^3.2.2 version: 3.2.2(react@18.3.1) + '@oslojs/jwt': + specifier: ^0.2.0 + version: 0.2.0 '@tanstack/react-query-devtools': specifier: ^5.59.9 version: 5.59.9(@tanstack/react-query@5.59.9(react@18.3.1))(react@18.3.1)
@@ -68,6 +71,9 @@ importers: iconv-lite: specifier: ^0.6.3 version: 0.6.3 + jose: + specifier: ^5.9.4 + version: 5.9.4 jotai: specifier: ^2.10.0 version: 2.10.0(@types/react@18.3.11)(react@18.3.1)
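Review bot: `@oslojs/jwt` is added to `dependencies` in package.json, but neither changed file in this patch imports it (only `jose` is used), so it looks like a leftover from trying alternatives. `@tsndr/cloudflare-worker-jwt` and `jsonwebtoken` also stay listed although both `@tsndr/cloudflare-worker-jwt` imports visible here are removed; other files are not shown, so confirm nothing else uses them before dropping them. Each unused JWT library is extra code to audit and patch, so keep only the one that is actually imported.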
@@ -1336,6 +1342,12 @@ packages: resolution: {integrity: sha512-T8TbSnGsxo6TDBJx/Sgv/BlVJL3tshxZP7Aq5R1mSnM5OcHY2dQaxLMu2+E8u3gN0MLOzdjurqN4ZRVuzQycOQ==} engines: {node: '>=8.0'} + '@oslojs/encoding@0.4.1': + resolution: {integrity: sha512-hkjo6MuIK/kQR5CrGNdAPZhS01ZCXuWDRJ187zh6qqF2+yMHZpD9fAYpX8q2bOO6Ryhl3XpCT6kUX76N8hhm4Q==} + + '@oslojs/jwt@0.2.0': + resolution: {integrity: sha512-bLE7BtHrURedCn4Mco3ma9L4Y1GR2SMBuIvjWr7rmQ4/W/4Jy70TIAgZ+0nIlk0xHz1vNP8x8DCns45Sb2XRbg==} + '@ourongxing/db0@0.1.6': resolution: {integrity: sha512-FVrPq9quQjHyJ2qq1N11rcXKsIGqlV9M/XWkGGXZUhLsU3oC/op0xgd7WwAxAZdITFy2sLe2eWER5mLu8HBC8A==} peerDependencies: @@ -3496,6 +3508,9 @@ packages: resolution: {integrity: sha512-pmfRbVRs/7khFrSAYnSiJ8C0D5GvzkE4Ey2pAvUcJsw1ly/p+7ut27jbJrjY79BpAJQJ4gXYFtK6d1Aub+9baQ==} hasBin: true + jose@5.9.4: + resolution: {integrity: sha512-WBBl6au1qg6OHj67yCffCgFR3BADJBXN8MdRvCgJDuMv3driV2nHr7jdGvaKX9IolosAsn+M0XRArqLXUhyJHQ==} + jotai@2.10.0: resolution: {integrity: sha512-8W4u0aRlOIwGlLQ0sqfl/c6+eExl5D8lZgAUolirZLktyaj4WnxO/8a0HEPmtriQAB6X5LMhXzZVmw02X0P0qQ==} engines: {node: '>=12.20.0'} @@ -6018,6 +6033,12 @@ snapshots: '@oozcitak/util@8.3.8': {} + '@oslojs/encoding@0.4.1': {} + + '@oslojs/jwt@0.2.0': + dependencies: + '@oslojs/encoding': 0.4.1 + '@ourongxing/db0@0.1.6(@libsql/client@0.14.0)(libsql@0.4.6)': optionalDependencies: '@libsql/client': 0.14.0 @@ -8470,6 +8491,8 @@ snapshots: jiti@2.0.0-beta.3: {} + jose@5.9.4: {} + jotai@2.10.0(@types/react@18.3.11)(react@18.3.1): optionalDependencies: '@types/react': 18.3.11 diff --git a/server/middleware/auth.ts b/server/middleware/auth.ts index f9ce5c3..2e51e2c 100644 --- a/server/middleware/auth.ts +++ b/server/middleware/auth.ts 
@@ -1,13 +1,15 @@
 import process from "node:process"
-import jwt from "@tsndr/cloudflare-worker-jwt"
+import { jwtVerify } from "jose"
 export default defineEventHandler(async (event) => {
 const token = getCookie(event, "jwt")
 if (token && process.env.JWT_SECRET) {
- const v = await jwt.verify(token, process.env.JWT_SECRET) as { preload?: { id: string, exp: number } }
- if (v?.preload?.id) {
- event.context.user = v.preload.id
- } else {
+ try {
+ const { payload } = await jwtVerify(token, new TextEncoder().encode(process.env.JWT_SECRET)) as { payload?: { id: string, type: string } }
+ if (payload?.id) {
+ event.context.user = payload.id
+ }
+ } catch {
 logger.error("JWT verification failed")
 }
 }
diff --git a/server/routes/oauth-callback/github.ts b/server/routes/oauth-callback/github.ts
index 207bb08..2f81dd7 100644
--- a/server/routes/oauth-callback/github.ts
+++ b/server/routes/oauth-callback/github.ts
@@ -1,5 +1,5 @@
 import process from "node:process"
-import jwt from "@tsndr/cloudflare-worker-jwt"
+import { SignJWT } from "jose"
 import { UserTable } from "#/database/user"
 export default defineEventHandler(async (event) => {
@@ -57,12 +57,13 @@ export default defineEventHandler(async (event) => {
 const userID = String(userInfo.id)
 await userTable.addUser(userID, emailinfo.find(item => item.primary)?.email || "", "github")
- const jwtToken = await jwt.sign({
+ const jwtToken = await new SignJWT({
 id: userID,
 type: "github",
- // seconds
- exp: Math.floor(Date.now() / 1000 + 65 * 24 * 60 * 60),
- }, process.env.JWT_SECRET!)
+ })
+ .setExpirationTime("65d")
+ .setProtectedHeader({ alg: "HS256" })
+ .sign(new TextEncoder().encode(process.env.JWT_SECRET!))
 // seconds
 const maxAge = 60 * 24 * 60 * 60
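Review bot: The `jwtVerify` call in server/middleware/auth.ts passes no options, so the accepted algorithm is whatever the token header names among those jose permits for a raw-bytes secret; the issuer signs with HS256 only, so pin it with `jwtVerify(token, key, { algorithms: ["HS256"] })`. The `as { payload?: { id: string, type: string } }` cast asserts the claim shape without checking it, and a `typeof payload.id === "string"` guard before assigning `event.context.user` would make that assumption explicit. The bare `catch` logs the same message for an expired token, a bad signature and any unexpected error, which weakens the log as a detection signal; binding the error and logging its `code` would tell them apart. The handler's closing lines fall outside the hunk.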
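Review bot: `process.env.JWT_SECRET!` in the `.sign(...)` call of server/routes/oauth-callback/github.ts only silences the type checker: if the variable is unset at runtime, `new TextEncoder().encode(undefined)` yields an empty byte array instead of an error, and what jose then does with an empty HMAC key is not decided in this hunk. The middleware checks `process.env.JWT_SECRET` before verifying, but no such guard is visible here (the handler starts above the hunk, so one may exist); fail closed before signing, e.g. `if (!process.env.JWT_SECRET) throw new Error("JWT_SECRET is not set")`. The token is valid for 65 days and carries no `iat`, issuer or audience; adding `.setIssuedAt()` to the chain gives later rotation or revocation logic something to compare against.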