Showing posts from June, 2020

Building a verify JWT function in TypeScript

# Verifying an RS232 signed JWT JSON Web Tokens (JWT) are used as a way to verify the identity of the caller of an API. **The best way to verify a JWT is to use a verification library.** I wanted to have a look at some of what those libraries are doing under the hood by putting together a function that will return if a given token is valid. In this blog I'll go through what I have done to get a validation function working. To simplify things assume: - That the signing algorithm is RS232 all others are considered invalid. - That the public keys are available on a JWKS url provided to the function eg []( - I only want to know if the token was signed by a key available at the above url. I wont be checking if the token has expired, if the scopes or other claims are valid. # Break up the token A JWT is made up to 3 parts. The first thing to do in validating the token is to brea

Solving buffer.readUIntBE is not a function reading a JWKS key with NodeRSA

Recently while trying to read a public key in from a JWKS endpoint I was stumped by an error when importing the public key using [NodeRSA]( My code looked like this: ```Typescript return rsa.importKey( { n: Buffer.from(jwksKey.n), e: jwksKey.e, }, "components-public" ); ``` The error was: ```bash TypeError: buffer.readUIntBE is not a function at Object.module.exports.get32IntFromBuffer (C:\dev\jwttest\node_modules\node-rsa\src\utils.js:43:27) at RSAKey.module.exports.Key.RSAKey.setPublic (C:\dev\jwttest\node_modules\node-rsa\src\libs\rsa.js:172:48) at Object.publicImport (C:\dev\jwttest\node_modules\node-rsa\src\formats\components.js:44:17) at Object.detectAndImport (C:\dev\jwttest\node_modules\node-rsa\src\formats\formats.js:65:48) at NodeRSA.module.exports.NodeRSA.importKey (C:\dev\jwttest\node_modules\node-rsa\src\NodeRSA.js:183:22) at C:\dev\jwttest\dist\jwks.js:53:20 at Gener