provide jwt migration

2023-07-30 14:03:24 -05:00 · 2023-07-30 14:03:24 -05:00 · d04dc691df
commit d04dc691df
parent 9745b82d63
3 changed files with 73 additions and 1 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -36,6 +36,7 @@
        "graphql": "^16.7.1",
        "graphql-tag": "^2.12.6",
        "graphql-type-json": "^0.3.2",
+        "jose1": "npm:jose@^1.27.2",
        "ln-service": "^56.9.0",
        "mathjs": "^11.9.1",
        "mdast-util-find-and-replace": "^3.0.0",
@ -2967,6 +2968,14 @@
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
    },
+    "node_modules/@panva/asn1.js": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@panva/asn1.js/-/asn1.js-1.0.0.tgz",
+      "integrity": "sha512-UdkG3mLEqXgnlKsWanWcgb6dOjUzJ+XC5f+aWw30qrtjxeNUSfKX1cd5FBzOaXQumoe9nIqeZUvrRJS03HCCtw==",
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
    "node_modules/@panva/hkdf": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/@panva/hkdf/-/hkdf-1.1.1.tgz",
@ -9529,6 +9538,22 @@
        "url": "https://github.com/sponsors/panva"
      }
    },
+    "node_modules/jose1": {
+      "name": "jose",
+      "version": "1.27.2",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-1.27.2.tgz",
+      "integrity": "sha512-zLIwnMa8dh5A2jFo56KvhiXCaW0hFjdNvG0I5GScL8Wro+/r/SnyIYTbnX3fYztPNSfgQp56sDMHUuS9c3e6bw==",
+      "deprecated": "this version is no longer supported",
+      "dependencies": {
+        "@panva/asn1.js": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
    "node_modules/js-sha256": {
      "version": "0.9.0",
      "resolved": "https://registry.npmjs.org/js-sha256/-/js-sha256-0.9.0.tgz",
@ -21612,6 +21637,11 @@
        }
      }
    },
+    "@panva/asn1.js": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@panva/asn1.js/-/asn1.js-1.0.0.tgz",
+      "integrity": "sha512-UdkG3mLEqXgnlKsWanWcgb6dOjUzJ+XC5f+aWw30qrtjxeNUSfKX1cd5FBzOaXQumoe9nIqeZUvrRJS03HCCtw=="
+    },
    "@panva/hkdf": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/@panva/hkdf/-/hkdf-1.1.1.tgz",
@ -26672,6 +26702,14 @@
      "resolved": "https://registry.npmjs.org/jose/-/jose-4.14.4.tgz",
      "integrity": "sha512-j8GhLiKmUAh+dsFXlX1aJCbt5KMibuKb+d7j1JaOJG6s2UjX1PQlW+OKB/sD4a/5ZYF4RcmYmLSndOoU3Lt/3g=="
    },
+    "jose1": {
+      "version": "npm:jose@1.27.2",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-1.27.2.tgz",
+      "integrity": "sha512-zLIwnMa8dh5A2jFo56KvhiXCaW0hFjdNvG0I5GScL8Wro+/r/SnyIYTbnX3fYztPNSfgQp56sDMHUuS9c3e6bw==",
+      "requires": {
+        "@panva/asn1.js": "^1.0.0"
+      }
+    },
    "js-sha256": {
      "version": "0.9.0",
      "resolved": "https://registry.npmjs.org/js-sha256/-/js-sha256-0.9.0.tgz",
--- a/package.json
+++ b/package.json
@ -37,6 +37,7 @@
    "graphql": "^16.7.1",
    "graphql-tag": "^2.12.6",
    "graphql-type-json": "^0.3.2",
+    "jose1": "npm:jose@^1.27.2",
    "ln-service": "^56.9.0",
    "mathjs": "^11.9.1",
    "mdast-util-find-and-replace": "^3.0.0",
--- a/pages/api/auth/[...nextauth].js
+++ b/pages/api/auth/[...nextauth].js
@ -6,8 +6,9 @@ import EmailProvider from 'next-auth/providers/email'
 import prisma from '../../../api/models'
 import nodemailer from 'nodemailer'
 import { PrismaAdapter } from '@auth/prisma-adapter'
-import { getToken } from 'next-auth/jwt'
+import { decode, getToken } from 'next-auth/jwt'
 import { NodeNextRequest } from 'next/dist/server/base-http/node'
+import jose1 from 'jose1'

 function getCallbacks (req) {
  return {
@ -158,6 +159,38 @@ export const getAuthOptions = req => ({
  session: {
    strategy: 'jwt'
  },
+  jwt: {
+    decode: async ({ token, secret }) => {
+      // attempt to decode using new jwt decode
+      try {
+        const _token = await decode({ token, secret })
+        if (_token) {
+          return _token
+        }
+      } catch (err) {
+        console.log('next-auth v4 jwt decode failed', err)
+      }
+
+      // attempt to decode using old jwt decode from next-auth v3
+      // https://github.com/nextauthjs/next-auth/blob/ab764e379377f9ffd68ff984b163c0edb5fc4bda/src/lib/jwt.js#L52
+      try {
+        const signingKey = jose1.JWK.asKey(JSON.parse(process.env.JWT_SIGNING_PRIVATE_KEY))
+        const verificationOptions = {
+          maxTokenAge: '2592000s',
+          algorithms: ['HS512']
+        }
+        const _token = jose1.JWT.verify(token, signingKey, verificationOptions)
+        if (_token) {
+          console.log('next-auth v3 jwt decode success')
+          return _token
+        }
+      } catch (err) {
+        console.log('next-auth v3 jwt decode failed', err)
+      }
+
+      return null
+    }
+  },
  pages: {
    signIn: '/login',
    verifyRequest: '/email',