verify-rsa-jwt-cloudflare-worker
Advanced tools
This is a lightweight library that verifies a JWT (JSON Web Token) signed with RS256. This is built for Cloudflare Workers.
Although, the project itself has no dependencies. If the runtime supports Web Standard APIs, it should just work :tm:
This package includes the Hono Middleware :fire:
It uses JWKS to verify a JWT. To fetch JWKS, you need to provide the JWKs endpoint URL to JWKS_URI.
npm install verify-rsa-jwt-cloudflare-worker
import {
getJwks,
useKVStore,
verify,
VerifyRsaJwtEnv,
} from "verify-rsa-jwt-cloudflare-worker";
export default {
async fetch(request: Request, env: VerifyRsaJwtEnv): Promise<Response> {
const token =
request.headers.get("Authorization")?.replace(/Bearer\s+/i, "") || "";
try {
const jwks = await getJwks(env.JWKS_URI, useKVStore(env.VERIFY_RSA_JWT));
const { payload } = await verify(token, jwks);
// Then, you could validate the payload and return a response
return new Response(JSON.stringify({ payload }), {
headers: { "content-type": "application/json" },
});
} catch (error: any) {
return new Response((error as Error).message, { status: 401 });
}
},
};
wrangler.tomlname = "verify-rsa-jwt-cloudflare-worker"
compatibility_date = "2023-05-18"
[vars]
JWKS_URI = "https://<your-authentication-server-host>/.well-known/jwks.json"
VERIFY_RSA_JWT_JWKS_CACHE_KEY = ""
[[kv_namespaces]]
binding = "VERIFY_RSA_JWT"
id = "<ID CREATED BY WRANGLER>"
preview_id = "<ID CREATED BY WRANGLER>"
If you do not want to use a KV store to cache the JWKS returned by getJwks(), you can omit the second parameter.
const jwks = await getJwks("https://<myurl>/.well-known/jwks.json");
[!WARNING] Not caching the JWKS in a KV store will result in longer response times since the JWKS must be refetched on every request. It can also lead to request throttling from the JWKS provider if your Worker receives a lot of traffic.
If you are working on a Cloudflare Workers based project, the following parameters can be set via wrangler.toml.
VerifyRsaJwtEnv| Variable | Description |
|---|---|
| VERIFY_RSA_JWT | KVNamespace. It want to store downloaded JWKS |
| VERIFY_RSA_JWT_JWKS_CACHE_KEY | Optional string to specify what key we want to sue to store JWKS. Default: verify-rsa-jwt-cloudflare-worker-jwks-cache-key |
| JWKS_URI | A URI for downloading JWKS. Typically https://<host>/.well-known/jwks.json |
| JWKS | Optional. Instead of giving the URI, You could provide hardcoded jwks. |
Additionally, or, if you are working on a non-Cloudflare Workers based project, such as Node.js, the following optional config values are available:
VerifyRsaJwtConfig| Variable | Description |
|---|---|
| jwksUri | A URI for downloading JWKS. |
| jwks | Optional. Instead of giving the URI, You could provide hardcoded jwks. |
| kvStore | Any storage manager that has get and put. It's used for storing JWKS. |
| payloadValidator | Every authentication vendor would configure JWT payload differently. Please give a function that validates the payload and throw an error. |
| verbose | A debug flag. |
import { Hono } from "hono";
import {
verifyRsaJwt,
getPayloadFromContext,
} from "verify-rsa-jwt-cloudflare-worker";
const app = new Hono()
app.use(
'/auth/*',
verifyRsaJwt({
jwksUri: "https://<host>/.well-known/jwks.json",
kvStore: // Anything that keeps a value, KVNamespace would work too.
payloadValidator: ({payload, ctx}) => { /* Validate the payload, throw an error if invalid */ },
})
)
app.get('/auth/page', (c) => {
const claims = getPayloadFromContext(c)
return c.text('You are authorized')
})
Some tests use PEM files to create JWT tokens / imitate JWKS. You need the following setup to prepare them.
Create a .env file.
echo PEM_NAME="test-pem" > .env
Run npm run gen-pem-keys to generate PEM files.
Then, as you may be familiar, test with npm test.
For testing through src/worker.ts, you can:
Launch a local server
npm run start src/worker.ts
cURL with your JWT!
url -H "Authorization: Bearer <YOUR-JWT>" http://127.0.0.1:<YOUR-DEV-SERVER-PORT>/
Then, if everything is set correctly, you'd expect to see something like this:
{
"payload": {
"iss": " ... ",
"sub": " ... ",
"aud": " ... ",
"iat": 1690401415,
"exp": 1690487815,
"azp": " ... ",
"gty": " ... "
}
}
Please follow this document. https://developers.cloudflare.com/workers/get-started/guide/.
Auth0 provides amazing documents.
FAQs
Verify RSA JWT on Cloudflare Workers
The npm package verify-rsa-jwt-cloudflare-worker receives a total of 290 weekly downloads. As such, verify-rsa-jwt-cloudflare-worker popularity was classified as not popular.
We found that verify-rsa-jwt-cloudflare-worker demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
A flawed sandbox in @nestjs/devtools-integration lets attackers run code on your machine via CSRF, leading to full Remote Code Execution (RCE).
Product
Customize license detection with Socket’s new license overlays: gain control, reduce noise, and handle edge cases with precision.
Product
Socket now supports Rust and Cargo, offering package search for all users and experimental SBOM generation for enterprise projects.