deno.land / x / jose@v5.2.4 / jwt / decrypt.ts

import { compactDecrypt } from '../jwe/compact/decrypt.ts'import type { JWTPayload, KeyLike, DecryptOptions, JWTClaimVerificationOptions, GetKeyFunction, CompactJWEHeaderParameters, FlattenedJWE, JWTDecryptResult, ResolvedKey,} from '../types.d.ts'import jwtPayload from '../lib/jwt_claims_set.ts'import { JWTClaimValidationFailed } from '../util/errors.ts'
/**
 * Combination of JWE Decryption options and JWT Claims Set verification options.
 *
 * Declares no members of its own: every option comes from the two extended interfaces,
 * which are imported from `../types.d.ts`.
 *
 * NOTE(review): which algorithm restrictions and expected-claim checks are available, and
 * which apply only when explicitly set, is defined in `../types.d.ts` and not visible here.
 * Confirm there before relying on defaults.
 */
export interface JWTDecryptOptions extends DecryptOptions, JWTClaimVerificationOptions {}
/**
 * Interface for JWT Decryption dynamic key resolution. No token components have been verified at
 * the time of this function call.
 *
 * Since nothing has been decrypted or authenticated when the resolver runs, anything it reads
 * from the token is untrusted input. Use such values only to select among keys the application
 * already trusts; do not treat them as proof of who produced the token.
 *
 * NOTE(review): judging by the type arguments, the resolver presumably receives the compact
 * JWE protected header and the flattened JWE. Confirm against `GetKeyFunction` in
 * `../types.d.ts`.
 */
export interface JWTDecryptGetKey extends GetKeyFunction<CompactJWEHeaderParameters, FlattenedJWE> {}
/**
 * Verifies the JWT format (to be a JWE Compact format), decrypts the ciphertext, validates the JWT
 * Claims Set.
 *
 * After decryption, any `iss`, `sub` or `aud` value replicated in the protected header must
 * equal the corresponding claim in the decrypted payload, otherwise
 * {@link JWTClaimValidationFailed} is thrown.
 *
 * @param jwt JSON Web Token value (encoded as JWE).
 * @param key Private Key or Secret to decrypt and verify the JWT with. See
 *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
 * @param options JWT Decryption and JWT Claims Set validation options.
 */
export async function jwtDecrypt<PayloadType = JWTPayload>(
  jwt: string | Uint8Array,
  key: KeyLike | Uint8Array,
  options?: JWTDecryptOptions,
): Promise<JWTDecryptResult<PayloadType>>
/**
 * @param jwt JSON Web Token value (encoded as JWE).
 * @param getKey Function resolving Private Key or Secret to decrypt and verify the JWT with. See
 *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
 * @param options JWT Decryption and JWT Claims Set validation options.
 */
export async function jwtDecrypt<PayloadType = JWTPayload, KeyLikeType extends KeyLike = KeyLike>(
  jwt: string | Uint8Array,
  getKey: JWTDecryptGetKey,
  options?: JWTDecryptOptions,
): Promise<JWTDecryptResult<PayloadType> & ResolvedKey<KeyLikeType>>
export async function jwtDecrypt(
  jwt: string | Uint8Array,
  key: KeyLike | Uint8Array | JWTDecryptGetKey,
  options?: JWTDecryptOptions,
) {
  // The implementation signature is wider than either overload, so the key argument is
  // asserted to the parameter type compactDecrypt expects.
  const jwe = await compactDecrypt(jwt, key as Parameters<typeof compactDecrypt>[1], options)

  // Claims Set validation happens here, driven by `options`.
  // NOTE(review): which claims are enforced is decided in ../lib/jwt_claims_set.ts (not shown).
  const payload = jwtPayload(jwe.protectedHeader, jwe.plaintext, options)
  const protectedHeader = jwe.protectedHeader

  // Replicated claims (RFC 7519, section 5.3): the header is readable without the key, so a
  // copy of iss/sub/aud placed there must agree with the decrypted claim. The checks run in
  // the order iss, sub, aud and the first mismatch throws.
  const issReplicated = protectedHeader.iss !== undefined
  if (issReplicated && protectedHeader.iss !== payload.iss) {
    throw new JWTClaimValidationFailed(
      'replicated "iss" claim header parameter mismatch',
      'iss',
      'mismatch',
    )
  }

  const subReplicated = protectedHeader.sub !== undefined
  if (subReplicated && protectedHeader.sub !== payload.sub) {
    throw new JWTClaimValidationFailed(
      'replicated "sub" claim header parameter mismatch',
      'sub',
      'mismatch',
    )
  }

  if (protectedHeader.aud !== undefined) {
    // "aud" may be a string or an array, so both sides are compared in serialized form.
    // This is shape- and order-sensitive: "a" vs ["a"], or the same entries in a different
    // order, count as a mismatch.
    const headerAud = JSON.stringify(protectedHeader.aud)
    const payloadAud = JSON.stringify(payload.aud)
    if (headerAud !== payloadAud) {
      throw new JWTClaimValidationFailed(
        'replicated "aud" claim header parameter mismatch',
        'aud',
        'mismatch',
      )
    }
  }

  const result = { payload, protectedHeader }

  if (typeof key !== 'function') {
    return result
  }

  // A resolver function was supplied: also return the key that compactDecrypt reports.
  return { ...result, key: jwe.key }
}