(
protectedHeader: types.JWEHeaderParameters | types.JWSHeaderParameters,
encodedPayload: Uint8Array,
options: types.JWTClaimVerificationOptions = {},
)
| 102 | } |
| 103 | |
| 104 | export function validateClaimsSet( |
| 105 | protectedHeader: types.JWEHeaderParameters | types.JWSHeaderParameters, |
| 106 | encodedPayload: Uint8Array, |
| 107 | options: types.JWTClaimVerificationOptions = {}, |
| 108 | ) { |
| 109 | let payload!: { [propName: string]: unknown } |
| 110 | try { |
| 111 | payload = JSON.parse(decoder.decode(encodedPayload)) |
| 112 | } catch { |
| 113 | // |
| 114 | } |
| 115 | |
| 116 | if (!isObject(payload)) { |
| 117 | throw new JWTInvalid('JWT Claims Set must be a top-level JSON object') |
| 118 | } |
| 119 | |
| 120 | const { typ } = options |
| 121 | if ( |
| 122 | typ && |
| 123 | (typeof protectedHeader!.typ !== 'string' || |
| 124 | normalizeTyp(protectedHeader!.typ) !== normalizeTyp(typ)) |
| 125 | ) { |
| 126 | throw new JWTClaimValidationFailed( |
| 127 | 'unexpected "typ" JWT header value', |
| 128 | payload, |
| 129 | 'typ', |
| 130 | 'check_failed', |
| 131 | ) |
| 132 | } |
| 133 | |
| 134 | const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options |
| 135 | |
| 136 | const presenceCheck = [...requiredClaims] |
| 137 | |
| 138 | if (maxTokenAge !== undefined) presenceCheck.push('iat') |
| 139 | if (audience !== undefined) presenceCheck.push('aud') |
| 140 | if (subject !== undefined) presenceCheck.push('sub') |
| 141 | if (issuer !== undefined) presenceCheck.push('iss') |
| 142 | |
| 143 | for (const claim of new Set(presenceCheck.reverse())) { |
| 144 | if (!(claim in payload)) { |
| 145 | throw new JWTClaimValidationFailed( |
| 146 | `missing required "${claim}" claim`, |
| 147 | payload, |
| 148 | claim, |
| 149 | 'missing', |
| 150 | ) |
| 151 | } |
| 152 | } |
| 153 | |
| 154 | if ( |
| 155 | issuer && |
| 156 | !((Array.isArray(issuer) ? issuer : [issuer]) as unknown[]).includes(payload.iss!) |
| 157 | ) { |
| 158 | throw new JWTClaimValidationFailed( |
| 159 | 'unexpected "iss" claim value', |
| 160 | payload, |
| 161 | 'iss', |