feat: signJWT, verifyJWT and decodeJWT utils #23

Closed
johannschopplich wants to merge 11 commits into unjs:main from johannschopplich:feat/jwt-utils
@johannschopplich johannschopplich commented Aug 13, 2023

🔗 Linked issue

#17

❓ Type of change

  • 📖 Documentation (updates to the documentation, readme, or JSdoc annotations)
  • 🐞 Bug fix (a non-breaking change that fixes an issue)
  • 👌 Enhancement (improving an existing functionality like performance)
  • ✨ New feature (a non-breaking change that adds functionality)
  • 🧹 Chore (updates to the build process or auxiliary tools and libraries)
  • ⚠️ Breaking change (fix or feature that would cause existing functionality to change)

📚 Description

Resolves #17.

The following JWT utilities will be available with this PR (migrated from unjwt):

  • signJWT
  • verifyJWT
  • decodeJWT

I have kept the code as simple as possible to cover the basic needs for JWT signing, verification and decoding. Method parameters have a balance between sensible defaults and customization.

Example usage:

import { decodeJWT, signJWT, verifyJWT } from 'uncrypto/jwt'

interface JWTUserClaims {
  email: string
}

const secret = 'secret'
const issuer = 'https://domain.com'

// Sign a JWT
const accessToken = await signJWT<JWTUserClaims>({
  payload: {
    email: 'user@domain.com'
  },
  secret,
  issuer,
  audience: issuer,
})

// Verify a JWT
try {
  const verifiedAccessToken = await verifyJWT({
    token: accessToken,
    secret,
    issuer,
    audience: issuer
  })
}
catch (error) {
  // Handle error
  console.error(error)
}

// Decode a JWT – does not verify the signature
const decodedAccessToken = await decodeJWT<JWTUserClaims>(accessToken)
console.log(decodedAccessToken.email)

Please verify if the general direction of this PR makes sense to you. If so, I'm willing to add tests as best as I can.

Notes

  • I had to rename crypto.web and crypto.node to crypto-web, respectively crypto-node, because unbuild v2 complained about the file extensions.
  • No tests added yet. I have used these utils for a while now in some Nuxt projects and published them as the unjwt package – explicitly without uncrypto, since I rely on unenv to resolve the usage of the Web Crypto API.
  • In one project which used jose, I successfully migrated to these new utilities. No user got logged out. 😋

Questions

  • atob and btoa are available in latest Node and worker versions, so I haven't added any usage of buffer. Is that OK for you?

📝 Checklist

  • I have linked an issue or discussion.
  • I have updated the documentation accordingly.

johannschopplich and others added 2 commits August 13, 2023 21:33
@johannschopplich
Author

@pi0 Suggestions implemented. Thanks for the guidance!

@johannschopplich johannschopplich closed this by deleting the head repository Feb 20, 2024
@pi0
Member

pi0 commented Feb 20, 2024

@johannschopplich I think it is still a good idea, sorry, I didn't have time to check on it yet. Any reason you preferred to close?

@johannschopplich
Author

Hi there, @pi0! I didn't mean to close this PR... I deleted some forked repos from my GitHub account and wasn't aware that this PR would be closed as a result.

No problem. I know you're working on a lot of projects and I don't have any expectations when contributing to OSS. 🙂

Having said that, I'm now using oslo/jwt for JWT handling. It's runtime-agnostic and feels a bit like an UnJS project.

Should I open this PR again?

@pi0
Member

pi0 commented Feb 20, 2024

Surely, if you'd like to reopen, I can handle the updates to merge as soon as I can 👍🏼 I'm aware of oslo but kinda have some plans here that are unique ;) (Also we have OTP coming: #37)

Development

Successfully merging this pull request may close these issues.

easy creation and validation of JWTs