feat: Replace jsonwebtoken with jose (box/box-codegen#444) (#85)

Author: box-sdk-build

.codegen.json

@@ -1 +1 @@
-{ "engineHash": "a8b56d7", "specHash": "b2f7568", "version": "0.5.0" }
+{ "engineHash": "c714d1b", "specHash": "b2f7568", "version": "0.5.0" }

package.json

@@ -29,7 +29,7 @@
     "form-data": "^4.0.0",
     "node-fetch": "^2.6.3",
     "buffer": "^6.0.3",
-    "jsonwebtoken": "^9.0.0",
+    "jose": "^5.2.2",
     "tslib": "^2.6.2",
     "uuid": "^9.0.0"
   },
@@ -38,7 +38,6 @@
     "@rollup/plugin-node-resolve": "^15.2.3",
     "@rollup/plugin-typescript": "^11.1.5",
     "@types/jest": "^29.5.1",
-    "@types/jsonwebtoken": "^9.0.1",
     "@types/node": "*",
     "@types/node-fetch": "2.6.3",
     "@types/uuid": "^9.0.1",

src/box/jwtAuth.generated.ts

@@ -159,7 +159,11 @@ export class BoxJwtAuth implements Authentication {
       key: this.config.privateKey,
       passphrase: this.config.privateKeyPassphrase,
     } satisfies JwtKey;
-    const assertion: string = createJwtAssertion(claims, jwtKey, jwtOptions);
+    const assertion: string = await createJwtAssertion(
+      claims,
+      jwtKey,
+      jwtOptions
+    );
     const authManager: AuthorizationManager = !(networkSession == void 0)
       ? new AuthorizationManager({ networkSession: networkSession })
       : new AuthorizationManager({});

src/internal/utils.ts

@@ -1,6 +1,7 @@
 import { Buffer } from 'buffer';
 import type { Readable } from 'stream';
 import { v4 as uuidv4 } from 'uuid';
+import { SignJWT, importPKCS8 } from 'jose';
 
 export function isBrowser() {
   return (
@@ -266,11 +267,6 @@ export type JwtSignOptions = {
   subject?: string | undefined;
   issuer?: string | undefined;
   jwtid?: string | undefined;
-  mutatePayload?: boolean | undefined;
-  noTimestamp?: boolean | undefined;
-  encoding?: string | undefined;
-  allowInsecureKeySizes?: boolean | undefined;
-  allowInvalidAsymmetricKeyTypes?: boolean | undefined;
 };
 
 /**
@@ -281,15 +277,36 @@ export type JwtSignOptions = {
  * @param options
  * @returns
  */
-export function createJwtAssertion(
+export async function createJwtAssertion(
   claims: {
     readonly [key: string]: any;
   },
   key: JwtKey,
   options: JwtSignOptions
-): string {
-  const jwt = eval('require')('jsonwebtoken');
-  return jwt.sign(claims, key, options);
+): Promise<string> {
+  const crypto = eval('require')('crypto');
+  const privateKey = crypto.createPrivateKey({
+    key: key.key,
+    format: 'pem',
+    type: 'pkcs8',
+    passphrase: key.passphrase,
+  });
+  const pem = privateKey.export({ type: 'pkcs8', format: 'pem' }).toString();
+  const pkcs8 = await importPKCS8(pem, options.algorithm || 'RS256');
+  let signer = new SignJWT(claims);
+  signer = options.audience ? signer.setAudience(options.audience) : signer;
+  signer = options.expiresIn
+    ? signer.setExpirationTime(options.expiresIn)
+    : signer;
+  signer = options.issuer ? signer.setIssuer(options.issuer) : signer;
+  signer = options.jwtid ? signer.setJti(options.jwtid) : signer;
+  signer = options.notBefore ? signer.setNotBefore(options.notBefore) : signer;
+  signer = options.subject ? signer.setSubject(options.subject) : signer;
+  signer = options.algorithm
+    ? signer.setProtectedHeader({ alg: options.algorithm })
+    : signer;
+  signer = signer.setIssuedAt();
+  return await signer.sign(pkcs8);
 }
 
 /**