cobalt/api/src/security/jwt.js

import { nanoid } from "nanoid";
import { createHmac } from "crypto";

import { env } from "../config.js";

const toBase64URL = (b) => Buffer.from(b).toString("base64url");
const fromBase64URL = (b) => Buffer.from(b, "base64url").toString();

const makeHmac = (header, payload) =>
    createHmac("sha256", env.jwtSecret)
        .update(`${header}.${payload}`)
        .digest("base64url");

export const generate = () => {
    const exp = Math.floor(new Date().getTime() / 1000) + env.jwtLifetime;

    const header = toBase64URL(JSON.stringify({
        alg: "HS256",
        typ: "JWT"
    }));

    const payload = toBase64URL(JSON.stringify({
        jti: nanoid(8),
        exp,
    }));

    const signature = makeHmac(header, payload);

    return {
        token: `${header}.${payload}.${signature}`,
        exp: env.jwtLifetime - 2,
    };
}

export const verify = (jwt) => {
    const [header, payload, signature] = jwt.split(".", 3);
    const timestamp = Math.floor(new Date().getTime() / 1000);

    if ([header, payload, signature].join('.') !== jwt) {
        return false;
    }

    const verifySignature = makeHmac(header, payload);

    if (verifySignature !== signature) {
        return false;
    }

    if (timestamp >= JSON.parse(fromBase64URL(payload)).exp) {
        return false;
    }

    return true;
}

export default {
    generate,
    verify,
}