@supabase/auth-js 2.68.0 → 2.69.0-rc.2

package/src/GoTrueClient.ts

@@ -20,6 +20,7 @@ import {
   isAuthRetryableFetchError,
   isAuthSessionMissingError,
   isAuthImplicitGrantRedirectError,
+  AuthInvalidJwtError,
 } from './lib/errors'
 import {
   Fetch,
@@ -30,7 +31,6 @@ import {
   _ssoResponse,
 } from './lib/fetch'
 import {
-  decodeJWTPayload,
   Deferred,
   getItemAsync,
   isBrowser,
@@ -43,6 +43,9 @@ import {
   supportsLocalStorage,
   parseParametersFromURL,
   getCodeChallengeAndMethod,
+  getAlgorithm,
+  validateExp,
+  decodeJWT,
 } from './lib/helpers'
 import { localStorageAdapter, memoryLocalStorageAdapter } from './lib/local-storage'
 import { polyfillGlobalThis } from './lib/polyfills'
@@ -86,7 +89,6 @@ import type {
   MFAVerifyParams,
   AuthMFAVerifyResponse,
   AuthMFAListFactorsResponse,
-  AMREntry,
   AuthMFAGetAuthenticatorAssuranceLevelResponse,
   AuthenticatorAssuranceLevels,
   Factor,
@@ -100,7 +102,11 @@ import type {
   MFAEnrollPhoneParams,
   AuthMFAEnrollTOTPResponse,
   AuthMFAEnrollPhoneResponse,
+  JWK,
+  JwtPayload,
+  JwtHeader,
 } from './lib/types'
+import { stringToUint8Array } from './lib/base64url'
 
 polyfillGlobalThis() // Make "globalThis" available
 
@@ -140,7 +146,10 @@ export default class GoTrueClient {
   protected storageKey: string
 
   protected flowType: AuthFlowType
-
+  /**
+   * The JWKS used for verifying asymmetric JWTs
+   */
+  protected jwks: { keys: JWK[] }
   protected autoRefreshToken: boolean
   protected persistSession: boolean
   protected storage: SupportedStorage
@@ -220,7 +229,7 @@ export default class GoTrueClient {
     } else {
       this.lock = lockNoOp
     }
-
+    this.jwks = { keys: [] }
     this.mfa = {
       verify: this._verify.bind(this),
       enroll: this._enroll.bind(this),
@@ -1288,17 +1297,6 @@ export default class GoTrueClient {
     }
   }
 
-  /**
-   * Decodes a JWT (without performing any validation).
-   */
-  private _decodeJWT(jwt: string): {
-    exp?: number
-    aal?: AuthenticatorAssuranceLevels | null
-    amr?: AMREntry[] | null
-  } {
-    return decodeJWTPayload(jwt)
-  }
-
   /**
    * Sets the session data from the current session. If the current session is expired, setSession will take care of refreshing it to obtain a new session.
    * If the refresh token or access token in the current session is invalid, an error will be thrown.
@@ -1328,7 +1326,7 @@ export default class GoTrueClient {
       let expiresAt = timeNow
       let hasExpired = true
       let session: Session | null = null
-      const payload = decodeJWTPayload(currentSession.access_token)
+      const { payload } = decodeJWT(currentSession.access_token)
       if (payload.exp) {
         expiresAt = payload.exp
         hasExpired = expiresAt <= timeNow
@@ -2576,7 +2574,7 @@ export default class GoTrueClient {
           }
         }
 
-        const payload = this._decodeJWT(session.access_token)
+        const { payload } = decodeJWT(session.access_token)
 
         let currentLevel: AuthenticatorAssuranceLevels | null = null
 
@@ -2599,4 +2597,128 @@ export default class GoTrueClient {
       })
     })
   }
+
+  private async fetchJwk(kid: string, jwks: { keys: JWK[] } = { keys: [] }): Promise<JWK> {
+    // try fetching from the supplied jwks
+    let jwk = jwks.keys.find((key) => key.kid === kid)
+    if (jwk) {
+      return jwk
+    }
+
+    // try fetching from cache
+    jwk = this.jwks.keys.find((key) => key.kid === kid)
+    if (jwk) {
+      return jwk
+    }
+    // jwk isn't cached in memory so we need to fetch it from the well-known endpoint
+    const { data, error } = await _request(this.fetch, 'GET', `${this.url}/.well-known/jwks.json`, {
+      headers: this.headers,
+    })
+    if (error) {
+      throw error
+    }
+    if (!data.keys || data.keys.length === 0) {
+      throw new AuthInvalidJwtError('JWKS is empty')
+    }
+    this.jwks = data
+    // Find the signing key
+    jwk = data.keys.find((key: any) => key.kid === kid)
+    if (!jwk) {
+      throw new AuthInvalidJwtError('No matching signing key found in JWKS')
+    }
+    return jwk
+  }
+
+  /**
+   * @experimental This method may change in future versions.
+   * @description Gets the claims from a JWT. If the JWT is symmetric JWTs, it will call getUser() to verify against the server. If the JWT is asymmetric, it will be verified against the JWKS using the WebCrypto API.
+   */
+  async getClaims(
+    jwt?: string,
+    jwks: { keys: JWK[] } = { keys: [] }
+  ): Promise<
+    | {
+        data: { claims: JwtPayload; header: JwtHeader; signature: Uint8Array }
+        error: null
+      }
+    | { data: null; error: AuthError }
+    | { data: null; error: null }
+  > {
+    try {
+      let token = jwt
+      if (!token) {
+        const { data, error } = await this.getSession()
+        if (error || !data.session) {
+          return { data: null, error }
+        }
+        token = data.session.access_token
+      }
+
+      const {
+        header,
+        payload,
+        signature,
+        raw: { header: rawHeader, payload: rawPayload },
+      } = decodeJWT(token)
+
+      // Reject expired JWTs
+      validateExp(payload.exp)
+
+      // If symmetric algorithm or WebCrypto API is unavailable, fallback to getUser()
+      if (
+        !header.kid ||
+        header.alg === 'HS256' ||
+        !('crypto' in globalThis && 'subtle' in globalThis.crypto)
+      ) {
+        const { error } = await this.getUser(token)
+        if (error) {
+          throw error
+        }
+        // getUser succeeds so the claims in the JWT can be trusted
+        return {
+          data: {
+            claims: payload,
+            header,
+            signature,
+          },
+          error: null,
+        }
+      }
+
+      const algorithm = getAlgorithm(header.alg)
+      const signingKey = await this.fetchJwk(header.kid, jwks)
+
+      // Convert JWK to CryptoKey
+      const publicKey = await crypto.subtle.importKey('jwk', signingKey, algorithm, true, [
+        'verify',
+      ])
+
+      // Verify the signature
+      const isValid = await crypto.subtle.verify(
+        algorithm,
+        publicKey,
+        signature,
+        stringToUint8Array(`${rawHeader}.${rawPayload}`)
+      )
+
+      if (!isValid) {
+        throw new AuthInvalidJwtError('Invalid JWT signature')
+      }
+
+      // If verification succeeds, decode and return claims
+      return {
+        data: {
+          claims: payload,
+          header,
+          signature,
+        },
+        error: null,
+      }
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+      throw error
+    }
+  }
 }

package/src/lib/base64url.ts

@@ -0,0 +1,290 @@
+/**
+ * Avoid modifying this file. It's part of
+ * https://github.com/supabase-community/base64url-js.  Submit all fixes on
+ * that repo!
+ */
+
+/**
+ * An array of characters that encode 6 bits into a Base64-URL alphabet
+ * character.
+ */
+const TO_BASE64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'.split('')
+
+/**
+ * An array of characters that can appear in a Base64-URL encoded string but
+ * should be ignored.
+ */
+const IGNORE_BASE64URL = ' \t\n\r='.split('')
+
+/**
+ * An array of 128 numbers that map a Base64-URL character to 6 bits, or if -2
+ * used to skip the character, or if -1 used to error out.
+ */
+const FROM_BASE64URL = (() => {
+  const charMap: number[] = new Array(128)
+
+  for (let i = 0; i < charMap.length; i += 1) {
+    charMap[i] = -1
+  }
+
+  for (let i = 0; i < IGNORE_BASE64URL.length; i += 1) {
+    charMap[IGNORE_BASE64URL[i].charCodeAt(0)] = -2
+  }
+
+  for (let i = 0; i < TO_BASE64URL.length; i += 1) {
+    charMap[TO_BASE64URL[i].charCodeAt(0)] = i
+  }
+
+  return charMap
+})()
+
+/**
+ * Converts a byte to a Base64-URL string.
+ *
+ * @param byte The byte to convert, or null to flush at the end of the byte sequence.
+ * @param state The Base64 conversion state. Pass an initial value of `{ queue: 0, queuedBits: 0 }`.
+ * @param emit A function called with the next Base64 character when ready.
+ */
+export function byteToBase64URL(
+  byte: number | null,
+  state: { queue: number; queuedBits: number },
+  emit: (char: string) => void
+) {
+  if (byte !== null) {
+    state.queue = (state.queue << 8) | byte
+    state.queuedBits += 8
+
+    while (state.queuedBits >= 6) {
+      const pos = (state.queue >> (state.queuedBits - 6)) & 63
+      emit(TO_BASE64URL[pos])
+      state.queuedBits -= 6
+    }
+  } else if (state.queuedBits > 0) {
+    state.queue = state.queue << (6 - state.queuedBits)
+    state.queuedBits = 6
+
+    while (state.queuedBits >= 6) {
+      const pos = (state.queue >> (state.queuedBits - 6)) & 63
+      emit(TO_BASE64URL[pos])
+      state.queuedBits -= 6
+    }
+  }
+}
+
+/**
+ * Converts a String char code (extracted using `string.charCodeAt(position)`) to a sequence of Base64-URL characters.
+ *
+ * @param charCode The char code of the JavaScript string.
+ * @param state The Base64 state. Pass an initial value of `{ queue: 0, queuedBits: 0 }`.
+ * @param emit A function called with the next byte.
+ */
+export function byteFromBase64URL(
+  charCode: number,
+  state: { queue: number; queuedBits: number },
+  emit: (byte: number) => void
+) {
+  const bits = FROM_BASE64URL[charCode]
+
+  if (bits > -1) {
+    // valid Base64-URL character
+    state.queue = (state.queue << 6) | bits
+    state.queuedBits += 6
+
+    while (state.queuedBits >= 8) {
+      emit((state.queue >> (state.queuedBits - 8)) & 0xff)
+      state.queuedBits -= 8
+    }
+  } else if (bits === -2) {
+    // ignore spaces, tabs, newlines, =
+    return
+  } else {
+    throw new Error(`Invalid Base64-URL character "${String.fromCharCode(charCode)}"`)
+  }
+}
+
+/**
+ * Converts a JavaScript string (which may include any valid character) into a
+ * Base64-URL encoded string. The string is first encoded in UTF-8 which is
+ * then encoded as Base64-URL.
+ *
+ * @param str The string to convert.
+ */
+export function stringToBase64URL(str: string) {
+  const base64: string[] = []
+
+  const emitter = (char: string) => {
+    base64.push(char)
+  }
+
+  const state = { queue: 0, queuedBits: 0 }
+
+  stringToUTF8(str, (byte: number) => {
+    byteToBase64URL(byte, state, emitter)
+  })
+
+  byteToBase64URL(null, state, emitter)
+
+  return base64.join('')
+}
+
+/**
+ * Converts a Base64-URL encoded string into a JavaScript string. It is assumed
+ * that the underlying string has been encoded as UTF-8.
+ *
+ * @param str The Base64-URL encoded string.
+ */
+export function stringFromBase64URL(str: string) {
+  const conv: string[] = []
+
+  const utf8Emit = (codepoint: number) => {
+    conv.push(String.fromCodePoint(codepoint))
+  }
+
+  const utf8State = {
+    utf8seq: 0,
+    codepoint: 0,
+  }
+
+  const b64State = { queue: 0, queuedBits: 0 }
+
+  const byteEmit = (byte: number) => {
+    stringFromUTF8(byte, utf8State, utf8Emit)
+  }
+
+  for (let i = 0; i < str.length; i += 1) {
+    byteFromBase64URL(str.charCodeAt(i), b64State, byteEmit)
+  }
+
+  return conv.join('')
+}
+
+/**
+ * Converts a Unicode codepoint to a multi-byte UTF-8 sequence.
+ *
+ * @param codepoint The Unicode codepoint.
+ * @param emit      Function which will be called for each UTF-8 byte that represents the codepoint.
+ */
+export function codepointToUTF8(codepoint: number, emit: (byte: number) => void) {
+  if (codepoint <= 0x7f) {
+    emit(codepoint)
+    return
+  } else if (codepoint <= 0x7ff) {
+    emit(0xc0 | (codepoint >> 6))
+    emit(0x80 | (codepoint & 0x3f))
+    return
+  } else if (codepoint <= 0xffff) {
+    emit(0xe0 | (codepoint >> 12))
+    emit(0x80 | ((codepoint >> 6) & 0x3f))
+    emit(0x80 | (codepoint & 0x3f))
+    return
+  } else if (codepoint <= 0x10ffff) {
+    emit(0xf0 | (codepoint >> 18))
+    emit(0x80 | ((codepoint >> 12) & 0x3f))
+    emit(0x80 | ((codepoint >> 6) & 0x3f))
+    emit(0x80 | (codepoint & 0x3f))
+    return
+  }
+
+  throw new Error(`Unrecognized Unicode codepoint: ${codepoint.toString(16)}`)
+}
+
+/**
+ * Converts a JavaScript string to a sequence of UTF-8 bytes.
+ *
+ * @param str  The string to convert to UTF-8.
+ * @param emit Function which will be called for each UTF-8 byte of the string.
+ */
+export function stringToUTF8(str: string, emit: (byte: number) => void) {
+  for (let i = 0; i < str.length; i += 1) {
+    let codepoint = str.charCodeAt(i)
+
+    if (codepoint > 0xd7ff && codepoint <= 0xdbff) {
+      // most UTF-16 codepoints are Unicode codepoints, except values in this
+      // range where the next UTF-16 codepoint needs to be combined with the
+      // current one to get the Unicode codepoint
+      const highSurrogate = ((codepoint - 0xd800) * 0x400) & 0xffff
+      const lowSurrogate = (str.charCodeAt(i + 1) - 0xdc00) & 0xffff
+      codepoint = (lowSurrogate | highSurrogate) + 0x10000
+      i += 1
+    }
+
+    codepointToUTF8(codepoint, emit)
+  }
+}
+
+/**
+ * Converts a UTF-8 byte to a Unicode codepoint.
+ *
+ * @param byte  The UTF-8 byte next in the sequence.
+ * @param state The shared state between consecutive UTF-8 bytes in the
+ *              sequence, an object with the shape `{ utf8seq: 0, codepoint: 0 }`.
+ * @param emit  Function which will be called for each codepoint.
+ */
+export function stringFromUTF8(
+  byte: number,
+  state: { utf8seq: number; codepoint: number },
+  emit: (codepoint: number) => void
+) {
+  if (state.utf8seq === 0) {
+    if (byte <= 0x7f) {
+      emit(byte)
+      return
+    }
+
+    // count the number of 1 leading bits until you reach 0
+    for (let leadingBit = 1; leadingBit < 6; leadingBit += 1) {
+      if (((byte >> (7 - leadingBit)) & 1) === 0) {
+        state.utf8seq = leadingBit
+        break
+      }
+    }
+
+    if (state.utf8seq === 2) {
+      state.codepoint = byte & 31
+    } else if (state.utf8seq === 3) {
+      state.codepoint = byte & 15
+    } else if (state.utf8seq === 4) {
+      state.codepoint = byte & 7
+    } else {
+      throw new Error('Invalid UTF-8 sequence')
+    }
+
+    state.utf8seq -= 1
+  } else if (state.utf8seq > 0) {
+    if (byte <= 0x7f) {
+      throw new Error('Invalid UTF-8 sequence')
+    }
+
+    state.codepoint = (state.codepoint << 6) | (byte & 63)
+    state.utf8seq -= 1
+
+    if (state.utf8seq === 0) {
+      emit(state.codepoint)
+    }
+  }
+}
+
+/**
+ * Helper functions to convert different types of strings to Uint8Array
+ */
+
+export function base64UrlToUint8Array(str: string): Uint8Array {
+  const result: number[] = []
+  const state = { queue: 0, queuedBits: 0 }
+
+  const onByte = (byte: number) => {
+    result.push(byte)
+  }
+
+  for (let i = 0; i < str.length; i += 1) {
+    byteFromBase64URL(str.charCodeAt(i), state, onByte)
+  }
+
+  return new Uint8Array(result)
+}
+
+export function stringToUint8Array(str: string): Uint8Array {
+  const result: number[] = []
+  stringToUTF8(str, (byte: number) => result.push(byte))
+  return new Uint8Array(result)
+}

package/src/lib/constants.ts

@@ -28,3 +28,5 @@ export const API_VERSIONS = {
     name: '2024-01-01',
   },
 }
+
+export const BASE64URL_REGEX = /^([a-z0-9_-]{4})*($|[a-z0-9_-]{3}$|[a-z0-9_-]{2}$)$/i

package/src/lib/errors.ts

@@ -157,3 +157,9 @@ export class AuthWeakPasswordError extends CustomAuthError {
 export function isAuthWeakPasswordError(error: unknown): error is AuthWeakPasswordError {
   return isAuthError(error) && error.name === 'AuthWeakPasswordError'
 }
+
+export class AuthInvalidJwtError extends CustomAuthError {
+  constructor(message: string) {
+    super(message, 'AuthInvalidJwtError', 400, 'invalid_jwt')
+  }
+}

package/src/lib/helpers.ts

@@ -1,5 +1,7 @@
-import { API_VERSION_HEADER_NAME } from './constants'
-import { SupportedStorage } from './types'
+import { API_VERSION_HEADER_NAME, BASE64URL_REGEX } from './constants'
+import { AuthInvalidJwtError } from './errors'
+import { base64UrlToUint8Array, stringFromBase64URL, stringToBase64URL } from './base64url'
+import { JwtHeader, JwtPayload, SupportedStorage } from './types'
 
 export function expiresAt(expiresIn: number) {
   const timeNow = Math.round(Date.now() / 1000)
@@ -141,34 +143,6 @@ export const removeItemAsync = async (storage: SupportedStorage, key: string): P
   await storage.removeItem(key)
 }
 
-export function decodeBase64URL(value: string): string {
-  const key = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/='
-  let base64 = ''
-  let chr1, chr2, chr3
-  let enc1, enc2, enc3, enc4
-  let i = 0
-  value = value.replace('-', '+').replace('_', '/')
-
-  while (i < value.length) {
-    enc1 = key.indexOf(value.charAt(i++))
-    enc2 = key.indexOf(value.charAt(i++))
-    enc3 = key.indexOf(value.charAt(i++))
-    enc4 = key.indexOf(value.charAt(i++))
-    chr1 = (enc1 << 2) | (enc2 >> 4)
-    chr2 = ((enc2 & 15) << 4) | (enc3 >> 2)
-    chr3 = ((enc3 & 3) << 6) | enc4
-    base64 = base64 + String.fromCharCode(chr1)
-
-    if (enc3 != 64 && chr2 != 0) {
-      base64 = base64 + String.fromCharCode(chr2)
-    }
-    if (enc4 != 64 && chr3 != 0) {
-      base64 = base64 + String.fromCharCode(chr3)
-    }
-  }
-  return base64
-}
-
 /**
  * A deferred represents some asynchronous work that is not yet finished, which
  * may or may not culminate in a value.
@@ -194,23 +168,38 @@ export class Deferred<T = any> {
   }
 }
 
-// Taken from: https://stackoverflow.com/questions/38552003/how-to-decode-jwt-token-in-javascript-without-using-a-library
-export function decodeJWTPayload(token: string) {
-  // Regex checks for base64url format
-  const base64UrlRegex = /^([a-z0-9_-]{4})*($|[a-z0-9_-]{3}=?$|[a-z0-9_-]{2}(==)?$)$/i
-
+export function decodeJWT(token: string): {
+  header: JwtHeader
+  payload: JwtPayload
+  signature: Uint8Array
+  raw: {
+    header: string
+    payload: string
+  }
+} {
   const parts = token.split('.')
 
   if (parts.length !== 3) {
-    throw new Error('JWT is not valid: not a JWT structure')
+    throw new AuthInvalidJwtError('Invalid JWT structure')
   }
 
-  if (!base64UrlRegex.test(parts[1])) {
-    throw new Error('JWT is not valid: payload is not in base64url format')
+  // Regex checks for base64url format
+  for (let i = 0; i < parts.length; i++) {
+    if (!BASE64URL_REGEX.test(parts[i] as string)) {
+      throw new AuthInvalidJwtError('JWT not in base64url format')
+    }
   }
-
-  const base64Url = parts[1]
-  return JSON.parse(decodeBase64URL(base64Url))
+  const data = {
+    // using base64url lib
+    header: JSON.parse(stringFromBase64URL(parts[0])),
+    payload: JSON.parse(stringFromBase64URL(parts[1])),
+    signature: base64UrlToUint8Array(parts[2]),
+    raw: {
+      header: parts[0],
+      payload: parts[1],
+    },
+  }
+  return data
 }
 
 /**
@@ -287,10 +276,6 @@ async function sha256(randomString: string) {
     .join('')
 }
 
-function base64urlencode(str: string) {
-  return btoa(str).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
-}
-
 export async function generatePKCEChallenge(verifier: string) {
   const hasCryptoSupport =
     typeof crypto !== 'undefined' &&
@@ -304,7 +289,7 @@ export async function generatePKCEChallenge(verifier: string) {
     return verifier
   }
   const hashed = await sha256(verifier)
-  return base64urlencode(hashed)
+  return stringToBase64URL(hashed)
 }
 
 export async function getCodeChallengeAndMethod(
@@ -344,3 +329,31 @@ export function parseResponseAPIVersion(response: Response) {
     return null
   }
 }
+
+export function validateExp(exp: number) {
+  if (!exp) {
+    throw new Error('Missing exp claim')
+  }
+  const timeNow = Math.floor(Date.now() / 1000)
+  if (exp <= timeNow) {
+    throw new Error('JWT has expired')
+  }
+}
+
+export function getAlgorithm(alg: 'RS256' | 'ES256'): RsaHashedImportParams | EcKeyImportParams {
+  switch (alg) {
+    case 'RS256':
+      return {
+        name: 'RSASSA-PKCS1-v1_5',
+        hash: { name: 'SHA-256' },
+      }
+    case 'ES256':
+      return {
+        name: 'ECDSA',
+        namedCurve: 'P-256',
+        hash: { name: 'SHA-256' },
+      }
+    default:
+      throw new Error('Invalid alg claim')
+  }
+}

package/src/lib/types.ts

@@ -1199,3 +1199,32 @@ export type AuthMFAEnrollPhoneResponse =
       data: null
       error: AuthError
     }
+
+export type JwtHeader = {
+  alg: 'RS256' | 'ES256' | 'HS256'
+  kid: string
+  typ: string
+}
+
+export type RequiredClaims = {
+  iss: string
+  sub: string
+  aud: string | string[]
+  exp: number
+  iat: number
+  role: string
+  aal: AuthenticatorAssuranceLevels
+  session_id: string
+}
+
+export type JwtPayload = RequiredClaims & {
+  [key: string]: any
+}
+
+export interface JWK {
+  kty: 'RSA' | 'EC' | 'oct'
+  key_ops: string[]
+  alg?: string
+  kid?: string
+  [key: string]: any
+}