v4.0.7 - opt verify-jwt

Author: steve-lemon

README.md

@@ -69,6 +69,7 @@ See [CODE_OF_CONDUCT](CODE_OF_CONDUCT.md)
 
 | Version   | Description
 |--         |--
+| 4.0.7     | optimized `verifyJWT()` w/ more detail error.
 | 4.0.6     | optimized `loadProfile()` as sync call.
 | 4.0.5     | improve `$protocol` w/ `lambda` invoke.
 | 4.0.0     | optimized with `nodejs22`.

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "lemon-core",
-  "version": "4.0.6",
+  "version": "4.0.7",
   "description": "Lemon Serverless Micro-Service Platform",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package.json

@@ -23,6 +23,7 @@ import { GetPublicKeyCommand, EncryptCommand, DecryptCommand, VerifyCommand } fr
 import { EncryptCommandInput, DecryptCommandInput, GetPublicKeyCommandInput, SignCommandInput, VerifyCommandInput } from '@aws-sdk/client-kms';
 import { CoreKmsService } from '../core-services';
 import { awsConfig } from '../../tools';
+import { GETERR } from '../../common/test-helper';
 const NS = $U.NS('KMSS', 'blue'); // NAMESPACE TO BE PRINTED.
 
 type MySigningAlgorithm = SigningAlgorithmSpec;
@@ -169,9 +170,11 @@ export class AWSKMSService implements CoreKmsService {
      * @param {*} message any string
      * @param {*} signature signature of Buffer or string(in base64)
      */
-    public verify = async (message: string, signature: Buffer | string): Promise<boolean> => {
-        if (!message || typeof message !== 'string') throw new Error(`@message[${message}] is invalid - kms.verify()`);
-        if (!signature) throw new Error(`@signature (string|Buffer) is required - kms.verify()`);
+    public verify = async (message: string, signature: string, options?: { throwable?: boolean }): Promise<boolean> => {
+        const errScope = `kms.verify()`;
+        const throwable = options?.throwable ?? false;
+        if (!message || typeof message !== 'string') throw new Error(`@message[${message}] is invalid - ${errScope}`);
+        if (!signature) throw new Error(`@signature (string|Buffer) is required - ${errScope}`);
         const KeyId = this.keyId();
         _inf(NS, `verify(${KeyId}, ${message.substring(0, 10)}...)..`);
         const params: VerifyCommandInput = {
@@ -184,7 +187,8 @@ export class AWSKMSService implements CoreKmsService {
         const result = await this.instance()
             .send(new VerifyCommand(params))
             .catch(e => {
-                _err(NS, `! err=`, e);
+                if (throwable) throw e;
+                _err(NS, `! err =`, GETERR(e), e);
                 return null as any;
             });
         return result?.SignatureValid;

src/cores/aws/aws-kms-service.ts

@@ -161,9 +161,11 @@ describe('LambdaWEBHandler', () => {
                 iat: 1652149353,
                 ...identity,
             });
-            expect2(await $t.parseIdentityJWT(null).catch(GETERR)).toEqual('@token (string) is required - but object');
+            expect2(await $t.parseIdentityJWT(null).catch(GETERR)).toEqual(
+                '@token (string) is required (but object) - verifyJWT(http)',
+            );
             expect2(await $t.parseIdentityJWT(`${expectedHead}.`).catch(GETERR)).toEqual(
-                '@iss[null] is invalid - unsupportable issuer!',
+                '@iss[null] is invalid (unsupportable issuer) - verifyJWT(http)',
             );
         }
 

src/cores/lambda/lambda-web-handler.spec.ts

@@ -670,23 +670,25 @@ export class MyHttpHeaderTool implements HttpHeaderTool<APIGatewayEventRequestCo
         },
     ): Promise<T> {
         const isVerify = params?.verify ?? true;
+        const errScope = `verifyJWT(http)`;
 
         //* it must be JWT Token. verify signature, and load.
-        if (typeof token !== 'string' || !token) throw new Error(`@token (string) is required - but ${typeof token}`);
+        if (typeof token !== 'string' || !token)
+            throw new Error(`@token (string) is required (but ${typeof token}) - ${errScope}`);
         // STEP.1 decode jwt, and extract { iss, iat, exp }
         const current = params?.current ?? $U.current_time_ms();
         const sections = token.split('.');
-        if (sections.length !== 3) throw new Error(`@token[${token}] is invalid format!`);
+        if (sections.length !== 3) throw new Error(`@token[${token}] is invalid (format) - ${errScope}`);
         const [header, payload, signature] = sections;
         const $jwt = $U.jwt();
         const data = $jwt.decode(token, { complete: false, json: true });
-        if (!data) throw new Error(`@token[${token}] is invalid - failed to decode!`);
+        if (!data) throw new Error(`@token[${token}] is invalid (failed to decode) - ${errScope}`);
         const { iss, iat, exp } = data;
 
         // STEP.1-1 validate parameters.
-        if (typeof iss !== 'string' && iss !== null) throw new Error(`.iss (string) is required!`);
-        if (typeof iat !== 'number' && iat !== null) throw new Error(`.iat (number) is required!`);
-        if (typeof exp !== 'number' && exp !== null) throw new Error(`.exp (number) is required!`);
+        if (typeof iss !== 'string' && iss !== null) throw new Error(`.iss (string) is required - ${errScope}`);
+        if (typeof iat !== 'number' && iat !== null) throw new Error(`.iat (number) is required - ${errScope}`);
+        if (typeof exp !== 'number' && exp !== null) throw new Error(`.exp (number) is required - ${errScope}`);
 
         // STEP.2 validate signature by KMS(iss).verify()
         //TODO - iss 에 인증제공자의 api 넣기 (ex: api/lemon-backend-dev?)
@@ -697,13 +699,19 @@ export class MyHttpHeaderTool implements HttpHeaderTool<APIGatewayEventRequestCo
         } else if (typeof iss === 'string' && iss.startsWith('kms/')) {
             const alias = _alias(iss);
             const $kms = alias ? this.findKMSService(`alias/${alias}`) : null;
-            const verified = $kms ? await $kms.verify([header, payload].join('.'), signature) : false;
-            if (!verified) throw new Error(`@signature[] is invalid - not be verified by iss:${iss}!`);
-            if (!exp || exp * 1000 < current) throw new Error(`.exp[${$U.ts(exp * 1000)}] is invalid - expired!`);
+            const message = [header, payload].join('.');
+            const verified = $kms
+                ? await $kms.verify(message, signature, { throwable: true }).catch(e => {
+                      throw new Error(`@signature[] is invalid (kms: ${GETERR(e)}) - ${errScope}`);
+                  })
+                : false;
+            if (!verified) throw new Error(`@signature[] is invalid (failed to verify by iss:${iss}) - ${errScope}`);
+            if (!exp) throw new Error(`.exp[${exp}] is invalid (empty) - ${errScope}`);
+            if (exp * 1000 < current) throw new Error(`.exp[${$U.ts(exp * 1000)}] is invalid (expired) - ${errScope}`);
             return data as T;
         }
         //* or throw
-        throw new Error(`@iss[${iss}] is invalid - unsupportable issuer!`);
+        throw new Error(`@iss[${iss}] is invalid (unsupportable issuer) - ${errScope}`);
     }
 
     /**