Allow tokenVerification as function

packages/plugins/jwt/package.json

@@ -50,7 +50,8 @@
     "@types/jsonwebtoken": "^9.0.0",
     "graphql": "^16.5.0",
     "graphql-scalars": "^1.22.2",
-    "graphql-yoga": "workspace:*"
+    "graphql-yoga": "workspace:*",
+    "jose": "^5.9.6"
   },
   "publishConfig": {
     "directory": "dist",

packages/plugins/jwt/src/__tests__/jwt.spec.ts

@@ -2,6 +2,7 @@
 import { createHmac } from 'node:crypto';
 import { createServer } from 'node:http';
 import { createSchema, createYoga, Plugin } from 'graphql-yoga';
+import { decodeProtectedHeader, jwtVerify } from 'jose';
 import jwt, { Algorithm, SignOptions } from 'jsonwebtoken';
 import { useCookies } from '@whatwg-node/server-plugin-cookies';
 import { JwtPluginOptions } from '../config';
@@ -351,6 +352,42 @@ describe('jwt plugin', () => {
     });
   });
 
+  test('auth is passing when token is valid (HS256) - jose', async () => {
+    const secret = 'topsecret';
+    const test = createTestServer({
+      singingKeyProviders: [createInlineSigningKeyProvider(secret)],
+      decodeTokenHeader: token => {
+        const header = decodeProtectedHeader(token);
+        return {
+          kid: header.kid,
+        };
+      },
+      async tokenVerification(token, signingKey) {
+        const secret = new TextEncoder().encode(signingKey);
+        const payload = await jwtVerify(token, secret);
+        return payload.payload;
+      },
+    });
+    const token = buildJWT({ sub: '123' }, { key: secret });
+    const response = await test.queryWithAuth(token);
+    expect(response.status).toBe(200);
+    expect(await response.json()).toMatchObject({
+      data: {
+        ctx: {
+          jwt: {
+            payload: {
+              sub: '123',
+            },
+            token: {
+              prefix: 'Bearer',
+              value: expect.any(String),
+            },
+          },
+        },
+      },
+    });
+  });
+
   test('auth is passing when token is valid (RS256)', async () => {
     const test = createTestServer({
       singingKeyProviders: [createInlineSigningKeyProvider(JWKS_RSA512_PRIVATE_PEM)],

packages/plugins/jwt/src/config.ts

@@ -1,5 +1,6 @@
 import { type PromiseOrValue } from 'graphql-yoga';
-import { VerifyOptions } from 'jsonwebtoken';
+import { type JwtPayload, type VerifyOptions } from 'jsonwebtoken';
+import { createVerifyTokenFunction, decodeHeader } from './jsonwebtoken.js';
 import { extractFromHeader } from './utils.js';
 
 type AtleastOneItem<T> = [T, ...T[]];
@@ -46,7 +47,13 @@ export type JwtPluginOptions = {
    *
    * By defualt, only the `RS256` and `HS256` algorithms are configured as validations.
    */
-  tokenVerification?: VerifyOptions;
+  tokenVerification?:
+    | VerifyOptions
+    | ((token: string, signingKey: string) => PromiseOrValue<JwtPayload>);
+  /**
+   * Function to decode the token header.
+   */
+  decodeTokenHeader?: (token: string) => { kid?: string } | undefined;
   /**
    * Whether to reject requests/operations that does not meet criteria.
    *
@@ -113,5 +120,10 @@ export function normalizeConfig(input: JwtPluginOptions) {
       ...input.reject,
     },
     extendContextFieldName,
+    decodeHeader: input.decodeTokenHeader ?? decodeHeader,
+    verifyToken:
+      typeof input.tokenVerification === 'function'
+        ? input.tokenVerification
+        : createVerifyTokenFunction(input.tokenVerification),
   };
 }

packages/plugins/jwt/src/jsonwebtoken.ts

@@ -0,0 +1,35 @@
+import jsonwebtoken, { VerifyOptions, type JwtPayload } from 'jsonwebtoken';
+import { JwksClient, type Options as JwksClientOptions } from 'jwks-rsa';
+import type { GetSigningKeyFunction } from './config.js';
+import { unauthorizedError } from './utils.js';
+
+export function decodeHeader(token: string) {
+  const resp = jsonwebtoken.decode(token, { complete: true });
+  return resp?.header;
+}
+
+export function createVerifyTokenFunction(options: VerifyOptions | undefined) {
+  return (token: string, signingKey: string) => {
+    return new Promise<JwtPayload>((resolve, reject) => {
+      jsonwebtoken.verify(token, signingKey, options, (err, result) => {
+        if (err) {
+          reject(unauthorizedError('Unauthenticated'));
+        } else {
+          resolve(result as JwtPayload);
+        }
+      });
+    });
+  };
+}
+
+export function createInlineSigningKeyProvider(signingKey: string): GetSigningKeyFunction {
+  return () => signingKey;
+}
+
+export function createRemoteJwksSigningKeyProvider(
+  jwksClientOptions: JwksClientOptions,
+): GetSigningKeyFunction {
+  const client = new JwksClient(jwksClientOptions);
+
+  return kid => client.getSigningKey(kid)?.then(r => r.getPublicKey());
+}

packages/plugins/jwt/src/plugin.ts

@@ -1,9 +1,9 @@
+import '@whatwg-node/server-plugin-cookies';
+import { GraphQLError } from 'graphql';
 import type { Plugin, YogaLogger } from 'graphql-yoga';
-import jsonwebtoken, { type Jwt, type JwtPayload, type VerifyOptions } from 'jsonwebtoken';
+import { type JwtPayload } from 'jsonwebtoken';
 import { type OnRequestParseEventPayload } from 'packages/graphql-yoga/src/plugins/types.js';
 import { normalizeConfig, type JwtPluginOptions } from './config.js';
-import '@whatwg-node/server-plugin-cookies';
-import { GraphQLError } from 'graphql';
 import { badRequestError, unauthorizedError } from './utils.js';
 
 export type JWTExtendContextFields = {
@@ -77,9 +77,9 @@ export function useJWT(options: JwtPluginOptions): Plugin<{
 
       try {
         // Decode the token first, in order to get the key id to use.
-        let decodedToken: Jwt | null;
+        let decodedToken: { kid?: string } | undefined | null;
         try {
-          decodedToken = jsonwebtoken.decode(lookupResult.token, { complete: true });
+          decodedToken = normalizedOptions.decodeHeader(lookupResult.token);
         } catch (e) {
           logger.warn(`Failed to decode JWT authentication token: `, e);
           throw badRequestError(`Invalid authentication token provided`);
@@ -94,23 +94,18 @@ export function useJWT(options: JwtPluginOptions): Plugin<{
         }
 
         // Fetch the signing key based on the key id.
-        const signingKey = await getSigningKey(decodedToken?.header.kid);
+        const signingKey = await getSigningKey(decodedToken?.kid);
 
         if (!signingKey) {
           logger.warn(
-            `Signing key is not available for the key id: ${decodedToken?.header.kid}. Please make sure signing key providers are configured correctly.`,
+            `Signing key is not available for the key id: ${decodedToken?.kid}. Please make sure signing key providers are configured correctly.`,
           );
 
           throw Error(`Authentication is not available at the moment.`);
         }
 
         // Verify the token with the signing key.
-        const verified = await verify(
-          logger,
-          lookupResult.token,
-          signingKey,
-          normalizedOptions.tokenVerification,
-        );
+        const verified = await normalizedOptions.verifyToken(lookupResult.token, signingKey);
 
         if (!verified) {
           logger.debug(`Token failed to verify, JWT plugin failed to authenticate.`);
@@ -166,21 +161,3 @@ export function useJWT(options: JwtPluginOptions): Plugin<{
     },
   };
 }
-
-function verify(
-  logger: YogaLogger,
-  token: string,
-  signingKey: string,
-  options: VerifyOptions | undefined,
-) {
-  return new Promise((resolve, reject) => {
-    jsonwebtoken.verify(token, signingKey, options, (err, result) => {
-      if (err) {
-        logger.warn(`Failed to verify authentication token: `, err);
-        reject(unauthorizedError('Unauthenticated'));
-      } else {
-        resolve(result as JwtPayload);
-      }
-    });
-  });
-}