feat(useSession): use JWE internally
#997
Conversation
sandros94
changed the title
useSessionuseSession): use JWE internally
|
With d0d0de2 I decided to restart from scratch, as I was having issues when testing the JWEs against other tools. But while doing so I've noticed an issue with the current implementation of My next steps will be:
|
|
All For now I've tested it against itself, The |
|
I wrote a simple test to check the compatibility of the generated JWE, and the results look good so far. I tested against two Go libraries and NGINX’s JWT module: |
|
Thank you for initiating this dear @sandros94. While JWE migration looks promising, I prefer to keep backward compatibility with ironcrypto format so users can choose either and won't cause incompatibility with current usages. It would be cool if at least in the first PR step, we minimize changes to the session.ts and postpone changes like the second expiration. Also to reduce bundle size we can share utils as much as possible. You mentioned there is an issue in the current base64 implementation (it is ported from Deno utils) can you elaborate more on this? Thank you for helping on integration tests dear @casualmatt ❤️ your repo link gives 404 9is it private?) |
|
Hi! I'm I would like to apply some automated changes to this pull request, but it looks like I don't have the necessary permissions to do so. To get this pull request into a mergeable state, please do one of the following two things:
|
autofix.ci
Oh, indeed keeping some backward compatibility would be useful. Tho I do wander how to fully support both. I'm not familiar enough with iron-crypto, but in JWE we can have any payload, although generally a JSON, in which there are some reserved keys ( To give an example, if I undesrtand the current API: interface SessionManager {
id(): string
data(): T
update(): SessionManager
clear(): Promise<SessionManager>
header(): JWEHeader // new
metadata(): JWTMetadata // new
}The header is the first section of the JWE itself, but interface Payload {
id: string
data: T
...metadata // all the supported and arbitrary metadata info (like `iss`, `exp`)
}This should allow manual implementation for things like @pi0 do you think this would be a reasonable approach?
I haven't deeply looked at the current base64 src code yet. But essentially it was failing the tampering test. This might be due to the fact that the deno fork is able to take care about any potential tampering and reconstruct the original data, but in a JWS/JWE implementation (as far as I understand it) it should be treated as an illegal operation and must be rejected. I'll look into other potential utils that could be shared, one of which I can think of are key generation and wrapping (there might be some shared crypto logic).
It is indeed private, sorry. I'm sure he'll publish it once he notices it |
|
Also, on the topic of Please feel free to tell me if this might be too much of a stretch, but I also think this might be easily achievable with a custom |
👉👈 ehh sorry 😁 it should be public now; I will probably add some bun and node test too, with a bash script to check a JTE token against all of them
Backward compatibility for Ironcrypto would be nice, but from what I know, it is not a standard, so I think that those who are using it have their own implementation. To avoid keeping Ironcrypto for too long after the introduction of JWE, I could write a guide on how to move from Ironcrypto to JWT/JWE. |
Related to #994
This is a first implementation to use
JWE(RFC7516) instead ofiron-cryptoas the internaluseSessionencryption.The main goal is to provide better support for cross-platform/cross-language support in scenarios like edge networks and proxies.
Note
I left the
iron-cryptoimplementation for now just for ease of access and testing