Ghost/ghost/members-api/lib/services/TokenService.js

const jose = require('node-jose');
const jwt = require('jsonwebtoken');

module.exports = class TokenService {
    constructor({
        privateKey,
        publicKey,
        issuer
    }) {
        this._keyStore = jose.JWK.createKeyStore();
        this._keyStoreReady = this._keyStore.add(privateKey, 'pem');
        this._privateKey = privateKey;
        this._publicKey = publicKey;
        this._issuer = issuer;
    }

    async encodeIdentityToken({sub}) {
        const jwk = await this._keyStoreReady;
        return jwt.sign({
            sub,
            kid: jwk.kid
        }, this._privateKey, {
            keyid: jwk.kid,
            algorithm: 'RS512',
            audience: this._issuer,
            expiresIn: '10m',
            issuer: this._issuer
        });
    }

    /**
     * @param {string} token
     * @returns {Promise<jwt.JwtPayload>}
     */
    async decodeToken(token) {
        await this._keyStoreReady;

        const result = jwt.verify(token, this._publicKey, {
            algorithms: ['RS512'],
            issuer: this._issuer
        });

        if (typeof result === 'string') {
            return {sub: result};
        }

        return result;
    }

    async getPublicKeys() {
        await this._keyStoreReady;
        return this._keyStore.toJSON();
    }
};
Refactor members-api (#231) no-issue This refactors the members-api module so that it is easier to test going forward, as well as easier to understand & navigate. The Stripe API no longer contains storage code, this is all handled via the member repository. And we have dedicated services for webhooks, and stripe plans initialisation. 2021-01-18 16:55:40 +03:00			`const jose = require('node-jose');`
			`const jwt = require('jsonwebtoken');`

			`module.exports = class TokenService {`
			`constructor({`
			`privateKey,`
			`publicKey,`
			`issuer`
			`}) {`
			`this._keyStore = jose.JWK.createKeyStore();`
			`this._keyStoreReady = this._keyStore.add(privateKey, 'pem');`
			`this._privateKey = privateKey;`
			`this._publicKey = publicKey;`
			`this._issuer = issuer;`
			`}`

Refactored Token Service to use async/await refs https://github.com/TryGhost/Team/issues/657 - Removes the use of "plans" from token service - method wasn't used - Updates to use async/await so the code is clearer - Install types for the node-jose module - Install types for the jsonwebtoken module 2021-05-20 17:17:12 +03:00			`async encodeIdentityToken({sub}) {`
			`const jwk = await this._keyStoreReady;`
			`return jwt.sign({`
Refactor members-api (#231) no-issue This refactors the members-api module so that it is easier to test going forward, as well as easier to understand & navigate. The Stripe API no longer contains storage code, this is all handled via the member repository. And we have dedicated services for webhooks, and stripe plans initialisation. 2021-01-18 16:55:40 +03:00			`sub,`
			`kid: jwk.kid`
			`}, this._privateKey, {`
🐛 Fixed signing key mismatching in JWT/JWKS refs https://github.com/TryGhost/Team/issues/1640 closes https://github.com/TryGhost/Members/pull/401/ refs https://forum.ghost.org/t/ghost-jwt-question-possible-bug/30210 - Without `keyid` parameter some of the clien libraries were not able to match the signin key to verify JWT - Missing `keyid` parameter allows to indicate the key used to secure JWS (as per https://www.rfc-editor.org/rfc/rfc7515#section-4.1.4) and resolves the automatic matching issue on the client. - The `kid` parameter was left in claims to avoid accidental breaking changes. 2022-05-23 13:45:08 +03:00			`keyid: jwk.kid,`
Refactor members-api (#231) no-issue This refactors the members-api module so that it is easier to test going forward, as well as easier to understand & navigate. The Stripe API no longer contains storage code, this is all handled via the member repository. And we have dedicated services for webhooks, and stripe plans initialisation. 2021-01-18 16:55:40 +03:00			`algorithm: 'RS512',`
			`audience: this._issuer,`
			`expiresIn: '10m',`
			`issuer: this._issuer`
Refactored Token Service to use async/await refs https://github.com/TryGhost/Team/issues/657 - Removes the use of "plans" from token service - method wasn't used - Updates to use async/await so the code is clearer - Install types for the node-jose module - Install types for the jsonwebtoken module 2021-05-20 17:17:12 +03:00			`});`
Refactor members-api (#231) no-issue This refactors the members-api module so that it is easier to test going forward, as well as easier to understand & navigate. The Stripe API no longer contains storage code, this is all handled via the member repository. And we have dedicated services for webhooks, and stripe plans initialisation. 2021-01-18 16:55:40 +03:00			`}`

Refactored Token Service to use async/await refs https://github.com/TryGhost/Team/issues/657 - Removes the use of "plans" from token service - method wasn't used - Updates to use async/await so the code is clearer - Install types for the node-jose module - Install types for the jsonwebtoken module 2021-05-20 17:17:12 +03:00			`/**`
			`* @param {string} token`
Added ability to fetch member by identity token (#329) refs https://github.com/TryGhost/Team/issues/1057 This method will validate a token, and then return the member associated with it. Rather than exposing token validation and coupling consumers to the structure of the token response data. 2021-09-17 12:25:57 +03:00			`* @returns {Promise<jwt.JwtPayload>}`
Refactored Token Service to use async/await refs https://github.com/TryGhost/Team/issues/657 - Removes the use of "plans" from token service - method wasn't used - Updates to use async/await so the code is clearer - Install types for the node-jose module - Install types for the jsonwebtoken module 2021-05-20 17:17:12 +03:00			`*/`
			`async decodeToken(token) {`
			`await this._keyStoreReady;`

Added ability to fetch member by identity token (#329) refs https://github.com/TryGhost/Team/issues/1057 This method will validate a token, and then return the member associated with it. Rather than exposing token validation and coupling consumers to the structure of the token response data. 2021-09-17 12:25:57 +03:00			`const result = jwt.verify(token, this._publicKey, {`
Refactored Token Service to use async/await refs https://github.com/TryGhost/Team/issues/657 - Removes the use of "plans" from token service - method wasn't used - Updates to use async/await so the code is clearer - Install types for the node-jose module - Install types for the jsonwebtoken module 2021-05-20 17:17:12 +03:00			`algorithms: ['RS512'],`
Refactor members-api (#231) no-issue This refactors the members-api module so that it is easier to test going forward, as well as easier to understand & navigate. The Stripe API no longer contains storage code, this is all handled via the member repository. And we have dedicated services for webhooks, and stripe plans initialisation. 2021-01-18 16:55:40 +03:00			`issuer: this._issuer`
Refactored Token Service to use async/await refs https://github.com/TryGhost/Team/issues/657 - Removes the use of "plans" from token service - method wasn't used - Updates to use async/await so the code is clearer - Install types for the node-jose module - Install types for the jsonwebtoken module 2021-05-20 17:17:12 +03:00			`});`
Added ability to fetch member by identity token (#329) refs https://github.com/TryGhost/Team/issues/1057 This method will validate a token, and then return the member associated with it. Rather than exposing token validation and coupling consumers to the structure of the token response data. 2021-09-17 12:25:57 +03:00
			`if (typeof result === 'string') {`
			`return {sub: result};`
			`}`

			`return result;`
Refactor members-api (#231) no-issue This refactors the members-api module so that it is easier to test going forward, as well as easier to understand & navigate. The Stripe API no longer contains storage code, this is all handled via the member repository. And we have dedicated services for webhooks, and stripe plans initialisation. 2021-01-18 16:55:40 +03:00			`}`

Refactored Token Service to use async/await refs https://github.com/TryGhost/Team/issues/657 - Removes the use of "plans" from token service - method wasn't used - Updates to use async/await so the code is clearer - Install types for the node-jose module - Install types for the jsonwebtoken module 2021-05-20 17:17:12 +03:00			`async getPublicKeys() {`
			`await this._keyStoreReady;`
			`return this._keyStore.toJSON();`
Refactor members-api (#231) no-issue This refactors the members-api module so that it is easier to test going forward, as well as easier to understand & navigate. The Stripe API no longer contains storage code, this is all handled via the member repository. And we have dedicated services for webhooks, and stripe plans initialisation. 2021-01-18 16:55:40 +03:00			`}`
Refactored Token Service to use async/await refs https://github.com/TryGhost/Team/issues/657 - Removes the use of "plans" from token service - method wasn't used - Updates to use async/await so the code is clearer - Install types for the node-jose module - Install types for the jsonwebtoken module 2021-05-20 17:17:12 +03:00			`};`