vanpana Comments - Answer Overflow

vanpana

Posts Comments

CDCloudflare Developers

•Created by sanner on 9/2/2024 in #workers-help

knex+workers TypeError

Did you ever find a solution for this?

2 replies

CDCloudflare Developers

•Created by vanpana on 12/24/2024 in #workers-help

"crypto" package inconsistencies

// ...
// rest of the middleware

// a custom fetcher is needed since `jsonwebtoken` uses http request underneath
const jwksClientConfig = {
  cache: true,
  rateLimit: true,
  jwksRequestsPerMinute: 10,
  jwksUri: `https://${auth.domain}/.well-known/jwks.json`, // this resolves to the same uri as the express service
  fetcher: async (jwksUri: string) => {
    return fetch(jwksUri).then((res) => res.json());
  },
};

const options: Params = {
  secret: jwksRsa.expressJwtSecret(jwksClientConfig) as GetVerificationKey,
  audience: auth.audience,
  issuer: auth.issuer,
  algorithms: auth.algorithms,
};

const getVerificationKey: GetVerificationKey =
  typeof options.secret === 'function'
    ? options.secret
    : async () => options.secret as jwt.Secret;

// ... other steps such as getting the token from the headers
const decodedToken = jwt.decode(token, { complete: true });
const key = await getVerificationKey(req, decodedToken as jwt.Jwt);
jwt.verify(token, key, options); // There's an error thrown here

// ...
// rest of the middleware

// a custom fetcher is needed since `jsonwebtoken` uses http request underneath
const jwksClientConfig = {
  cache: true,
  rateLimit: true,
  jwksRequestsPerMinute: 10,
  jwksUri: `https://${auth.domain}/.well-known/jwks.json`, // this resolves to the same uri as the express service
  fetcher: async (jwksUri: string) => {
    return fetch(jwksUri).then((res) => res.json());
  },
};

const options: Params = {
  secret: jwksRsa.expressJwtSecret(jwksClientConfig) as GetVerificationKey,
  audience: auth.audience,
  issuer: auth.issuer,
  algorithms: auth.algorithms,
};

const getVerificationKey: GetVerificationKey =
  typeof options.secret === 'function'
    ? options.secret
    : async () => options.secret as jwt.Secret;

// ... other steps such as getting the token from the headers
const decodedToken = jwt.decode(token, { complete: true });
const key = await getVerificationKey(req, decodedToken as jwt.Jwt);
jwt.verify(token, key, options); // There's an error thrown here

The error that is thrown is:

TypeError: CryptoKey is not extractable
    at genericExport (.../node_modules/jose/dist/browser/runtime/asn1.js:12:15)
    at toSPKI (.../node_modules/jose/dist/browser/runtime/asn1.js:20:12)

TypeError: CryptoKey is not extractable
    at genericExport (.../node_modules/jose/dist/browser/runtime/asn1.js:12:15)
    at toSPKI (.../node_modules/jose/dist/browser/runtime/asn1.js:20:12)

but I believe the original issue comes even before exporting. The jwks-rsa tries to do const key = await jose.importJWK(jwk, resolveAlg(jwk)); and, internally, it gets to return crypto.subtle.importKey('jwk', { ...jwk }, ...rest); I have traced that the difference between the worker implementation and express implementation comes from here, since the data up to this point is completely the same. Am I doing something wrong or is it a difference in the crypto compatibility layer implementation?

4 replies

Gaming

Programming