feat: bring jwt (#123)

* wip

* wip

* wip

* wip

* wip

* wip

.github/workflows/canary.yaml

@@ -175,6 +175,27 @@ jobs:
       - name: Test
         run: wing test
         working-directory: github
+  canary-jwt:
+    name: Test jwt
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          sparse-checkout: jwt
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 20.x
+          registry-url: https://registry.npmjs.org
+      - name: Install winglang
+        run: npm i -g winglang
+      - name: Install dependencies
+        run: npm install --include=dev
+        working-directory: jwt
+      - name: Test
+        run: wing test
+        working-directory: jwt
   canary-lock:
     name: Test lock
     runs-on: ubuntu-latest

.github/workflows/jwt-pull.yaml

@@ -0,0 +1,29 @@
+name: jwt-pull
+on:
+  pull_request:
+    paths:
+      - jwt/**
+jobs:
+  build-jwt:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          sparse-checkout: jwt
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 20.x
+          registry-url: https://registry.npmjs.org
+      - name: Install winglang
+        run: npm i -g winglang
+      - name: Install dependencies
+        run: npm install --include=dev
+        working-directory: jwt
+      - name: Test
+        run: wing test
+        working-directory: jwt
+      - name: Pack
+        run: wing pack
+        working-directory: jwt

.github/workflows/jwt-release.yaml

@@ -0,0 +1,54 @@
+name: jwt-release
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - jwt/**
+      - "!jwt/package-lock.json"
+jobs:
+  build-jwt:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          sparse-checkout: jwt
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 20.x
+          registry-url: https://registry.npmjs.org
+      - name: Install winglang
+        run: npm i -g winglang
+      - name: Install dependencies
+        run: npm install --include=dev
+        working-directory: jwt
+      - name: Test
+        run: wing test
+        working-directory: jwt
+      - name: Pack
+        run: wing pack
+        working-directory: jwt
+      - name: Get package version
+        run: echo WINGLIB_VERSION=$(node -p "require('./package.json').version") >>
+          "$GITHUB_ENV"
+        working-directory: jwt
+      - name: Publish
+        run: npm publish --access=public --registry https://registry.npmjs.org --tag
+          latest *.tgz
+        working-directory: jwt
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - name: Tag commit
+        uses: tvdias/[email protected]
+        with:
+          repo-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          tag: jwt-v${{ env.WINGLIB_VERSION }}
+      - name: GitHub release
+        uses: softprops/action-gh-release@v1
+        with:
+          name: jwt v${{ env.WINGLIB_VERSION }}
+          tag_name: jwt-v${{ env.WINGLIB_VERSION }}
+          files: "*.tgz"
+          token: ${{ secrets.PROJEN_GITHUB_TOKEN }}

.mergify.yml

@@ -59,6 +59,9 @@ pull_request_rules:
       - -check-failure=build-github
       - -check-pending=build-github
       - -check-stale=build-github
+      - -check-failure=build-jwt
+      - -check-pending=build-jwt
+      - -check-stale=build-jwt
       - -check-failure=build-lock
       - -check-pending=build-lock
       - -check-stale=build-lock
@@ -131,6 +134,9 @@ pull_request_rules:
       - -check-failure=build-github
       - -check-pending=build-github
       - -check-stale=build-github
+      - -check-failure=build-jwt
+      - -check-pending=build-jwt
+      - -check-stale=build-jwt
       - -check-failure=build-lock
       - -check-pending=build-lock
       - -check-stale=build-lock

README.md

@@ -23,6 +23,7 @@ publishing them for you.
 | [eventbridge](./eventbridge) | [@winglibs/eventbridge](https://www.npmjs.com/package/@winglibs/eventbridge) | awscdk, sim, tf-aws |
 | [fifoqueue](./fifoqueue) | [@winglibs/fifoqueue](https://www.npmjs.com/package/@winglibs/fifoqueue) | sim, tf-aws |
 | [github](./github) | [@winglibs/github](https://www.npmjs.com/package/@winglibs/github) | * |
+| [jwt](./jwt) | [@winglibs/jwt](https://www.npmjs.com/package/@winglibs/jwt) | * |
 | [lock](./lock) | [@winglibs/lock](https://www.npmjs.com/package/@winglibs/lock) | * |
 | [messagefanout](./messagefanout) | [@winglibs/messagefanout](https://www.npmjs.com/package/@winglibs/messagefanout) |  |
 | [ngrok](./ngrok) | [@winglibs/ngrok](https://www.npmjs.com/package/@winglibs/ngrok) | * |

jwt/.gitignore

@@ -0,0 +1,2 @@
+target/
+node_modules/

jwt/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Wing
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

jwt/README.md

@@ -0,0 +1,30 @@
+# jwt
+
+A Wing library for working with JWT authentication.
+
+## Prerequisites
+
+* [winglang](https://winglang.io).
+
+## Installation
+
+```sh
+npm i @winglibs/jwt
+```
+
+## Usage
+
+```js
+bring util;
+bring jwt;
+
+test "will sign and verify" {
+  let id = util.nanoid();
+  let token = jwt.sign({ foo: id }, "shhhhh");
+  let decoded1 = jwt.verify(token, secret: "shhhhh");
+}
+```
+
+## License
+
+This library is licensed under the [MIT License](./LICENSE).

jwt/lib.test.w

@@ -0,0 +1,38 @@
+bring expect;
+bring util;
+bring "./lib.w" as jwt;
+
+test "sign and verify" {
+  let id = util.nanoid();
+  let token = jwt.sign({ foo: id }, "shhhhh");
+  let decoded1 = jwt.verify(token, secret: "shhhhh");
+  expect.equal(decoded1.get("foo").asStr(), id);
+
+  let token2 = jwt.sign({ foo: id }, "shhhhh", algorithm: "HS256");
+  let decoded2 = jwt.verify(token2, secret: "shhhhh", options: { algorithms: ["HS256"] });
+  expect.equal(decoded2.get("foo").asStr(), id);
+}
+
+test "sign with notBefore" {
+  try {
+    let id = util.nanoid();
+    let token = jwt.sign({ foo: id }, "shhhhh", { notBefore: 50m });
+    let decoded1 = jwt.verify(token, secret: "shhhhh");
+    expect.equal("not-id", id);
+    log(Json.stringify(decoded1));
+  } catch e {
+    expect.equal(e, "jwt not active");
+  }
+}
+
+test "sign with expiresIn" {
+  try {
+    let id = util.nanoid();
+    let token = jwt.sign({ foo: id }, "shhhhh", { expiresIn: 0s });
+    let decoded1 = jwt.verify(token, secret: "shhhhh");
+    expect.equal("not-id", id);
+    log(Json.stringify(decoded1));
+  } catch e {
+    expect.equal(e, "jwt expired");
+  }
+}

jwt/lib.w

@@ -0,0 +1,103 @@
+pub struct VerifyJwtOptions {
+  algorithms: Array<str>?;
+  audience: str?;
+  issuer: str?;
+  ignoreExpiration: bool?;
+  ignoreNotBefore: bool?;
+  jwtid: str?;
+  nonce: str?;
+  subject: str?;
+  maxAge: str?;
+}
+
+pub struct VerifyOptions  {
+  secret: str?;
+  jwksUri: str?;
+  options: VerifyJwtOptions?;
+}
+
+pub struct SignOptions {
+  algorithm: str?;
+  keyid: str?;
+  expiresIn: duration?;
+  notBefore: duration?;
+  audience: Array<str>?;
+  subject: str?;
+  issuer: str?;
+  jwtid: str?;
+  encoding: str?;
+}
+
+struct JwtHeader {
+  alg: str?;
+  typ: str?;
+  cty: str?;
+  crit: Array<str>?;
+  kid: str?;
+  jku: str?;
+  x5u: str?;
+  x5t: str?;
+  x5c: str?;
+}
+
+struct IJwksClientOptions {
+  jwksUri: str;
+}
+
+interface IJwksSigningKey {
+  inflight getPublicKey(): str;
+}
+
+interface IJwksClient {
+  inflight getSigningKey(kid: str?): IJwksSigningKey;
+}
+
+interface IJwt {
+  inflight jwksClient(options: IJwksClientOptions): IJwksClient;
+  inflight sign(data: Json, secret: str, options: Json?): str;
+  inflight verify(token: str, secret: inflight (JwtHeader, inflight (str, str): void): void, options: VerifyJwtOptions?): Json;
+}
+
+class JwtUtil {
+  extern "./utils.mts" pub static inflight _jwt(): IJwt;
+}
+
+pub class Util {
+  pub inflight static sign(data: Json, secret: str, options: SignOptions?): str {
+    let var opts: MutJson? = nil;
+    if let options = options {
+      opts = MutJson Json.parse(Json.stringify(options));
+      if let expiresIn = options.expiresIn {
+        opts?.set("expiresIn", expiresIn.seconds);
+      }
+      if let notBefore = options.notBefore {
+        opts?.set("notBefore", notBefore.seconds);
+      }
+    }
+    return JwtUtil._jwt().sign(data, secret, opts);
+  }
+
+  pub inflight static verify(token: str, options: VerifyOptions): Json {
+    if let secret = options.secret {
+      let getKey = inflight (header: JwtHeader, callback: inflight (str, str): void) => {
+        callback(unsafeCast(nil), secret);
+      };
+      let decoded = JwtUtil._jwt().verify(token, getKey, options.options);
+      return decoded;
+    } elif let jwksUri = options.jwksUri {
+      let client = JwtUtil._jwt().jwksClient(jwksUri: jwksUri);
+      let getKey = inflight (header: JwtHeader, callback: inflight (str, str): void) => {
+        try {
+          let secret = client.getSigningKey(header.kid).getPublicKey();
+          callback(unsafeCast(nil), secret);
+        } catch error {
+          callback(error, unsafeCast(nil));
+        }
+      };
+      let decoded = JwtUtil._jwt().verify(token, getKey, options.options);
+      return decoded;
+    } else {
+      throw "Either secret or jwksUri must be provided";
+    }
+  }
+}