[IMP] remove dependency on jwt library

Instead, it is now a local implementation of JWT, this makes
the server less dependent on external libraries for its security
and removes a potential source of dependency injection.

This commit also removes unnecessary async/await
(the old jsonwebtoken was also used synchronously).

Author: ThanhDodeurOdoo

package-lock.json

@@ -23,7 +23,6 @@
     "#tests/*": "./tests/*"
   },
   "dependencies": {
-    "jsonwebtoken": "^9.0.2",
     "mediasoup": "~3.15.6",
     "ws": "^8.18.1"
   },

package.json

@@ -1,16 +1,22 @@
-import jwt from "jsonwebtoken";
+import crypto from "node:crypto";
 
 import * as config from "#src/config.js";
 import { Logger } from "#src/utils/utils.js";
 import { AuthenticationError } from "#src/utils/errors.js";
 
 let jwtKey;
 const logger = new Logger("AUTH");
+const ALGORITHM = {
+    HS256: "HS256",
+};
+const ALGORITHM_FUNCTIONS = {
+    [ALGORITHM.HS256]: (data, key) => crypto.createHmac("sha256", key).update(data).digest(),
+};
 
 /**
  * @param {WithImplicitCoercion<string>} [key] buffer/b64 str
  */
-export async function start(key) {
+export function start(key) {
     const keyB64str = key || config.AUTH_KEY;
     jwtKey = Buffer.from(keyB64str, "base64");
     logger.info(`auth key set`);
@@ -20,18 +26,119 @@ export function close() {
     jwtKey = undefined;
 }
 
+/**
+ * @param {Buffer|string} data - The data to encode
+ * @returns {string} - base64 encoded string
+ */
+function base64Encode(data) {
+    if (typeof data === "string") {
+        data = Buffer.from(data);
+    }
+    return data.toString("base64");
+}
+
+/**
+ * @param {string} str base64 encoded string
+ * @returns {Buffer}
+ */
+function base64Decode(str) {
+    let output = str;
+    const paddingLength = 4 - (output.length % 4);
+    if (paddingLength < 4) {
+        output += "=".repeat(paddingLength);
+    }
+    return Buffer.from(output, "base64");
+}
+
+/**
+ * Signs and creates a JWT token
+ *
+ * @param {Object} payload - The payload to include in the token
+ * @param {WithImplicitCoercion<string>} [key] - Optional key, defaults to the configured jwtKey
+ * @param {Object} [options]
+ * @param {string} [options.algorithm] - The algorithm to use, defaults to HS256
+ * @returns {string} - The signed JWT token
+ * @throws {AuthenticationError}
+ */
+export function sign(payload, key = jwtKey, { algorithm = ALGORITHM.HS256 } = {}) {
+    if (!key) {
+        throw new AuthenticationError("JWT signing key is not set");
+    }
+    const keyBuffer = Buffer.isBuffer(key) ? key : Buffer.from(key, "base64");
+    const headerB64 = base64Encode(JSON.stringify({ alg: algorithm, typ: "JWT" }));
+    const payloadB64 = base64Encode(JSON.stringify(payload));
+    const signedData = `${headerB64}.${payloadB64}`;
+    const signature = ALGORITHM_FUNCTIONS[algorithm]?.(signedData, keyBuffer);
+    if (!signature) {
+        throw new AuthenticationError("Unsupported algorithm");
+    }
+    const signatureB64 = base64Encode(signature);
+    return `${headerB64}.${payloadB64}.${signatureB64}`;
+}
+
+/**
+ * Parses a JWT token into its components
+ *
+ * @param {string} token
+ * @returns {{header: object, payload: object, signature: Buffer, signedData: string}}
+ */
+function parseJwt(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+        throw new AuthenticationError("Invalid JWT format");
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const header = JSON.parse(base64Decode(headerB64).toString());
+    const payload = JSON.parse(base64Decode(payloadB64).toString());
+    const signature = base64Decode(signatureB64);
+    const signedData = `${headerB64}.${payloadB64}`;
+
+    return { header, payload, signature, signedData };
+}
+
+function safeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    try {
+        return crypto.timingSafeEqual(a, b);
+    } catch {
+        return false;
+    }
+}
+
 /**
  * @param {string} jsonWebToken
  * @param {WithImplicitCoercion<string>} [key] buffer/b64 str
- * @returns {Promise<any>} json serialized data
+ * @returns {any} json serialized data
  * @throws {AuthenticationError}
  */
-export async function verify(jsonWebToken, key = jwtKey) {
+export function verify(jsonWebToken, key = jwtKey) {
+    const keyBuffer = Buffer.isBuffer(key) ? key : Buffer.from(key, "base64");
+    let parsedJWT;
     try {
-        return jwt.verify(jsonWebToken, key, {
-            algorithms: ["HS256"],
-        });
+        parsedJWT = parseJwt(jsonWebToken);
     } catch {
-        throw new AuthenticationError("JsonWebToken verification error");
+        throw new AuthenticationError("Invalid JWT format");
+    }
+    const { header, payload, signature, signedData } = parsedJWT;
+    const expectedSignature = ALGORITHM_FUNCTIONS[header.alg]?.(signedData, keyBuffer);
+    if (!expectedSignature) {
+        throw new AuthenticationError("Unsupported algorithm");
+    }
+    if (!safeEqual(signature, expectedSignature)) {
+        throw new AuthenticationError("Invalid signature");
+    }
+    // `exp`, `iat` and `nbf` are in seconds (`NumericDate` per RFC7519)
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp && payload.exp < now) {
+        throw new AuthenticationError("Token expired");
+    }
+    if (payload.nbf && payload.nbf > now) {
+        throw new AuthenticationError("Token not valid yet");
+    }
+    if (payload.iat && payload.iat > now + 60) {
+        throw new AuthenticationError("Token issued in the future");
     }
+    return payload;
 }

src/services/auth.js

@@ -53,7 +53,7 @@ export async function start({ httpInterface = config.HTTP_INTERFACE, port = conf
             try {
                 const jsonWebToken = req.headers.authorization?.split(" ")[1];
                 /** @type {{ iss: string, key: string || undefined }} */
-                const claims = await auth.verify(jsonWebToken);
+                const claims = auth.verify(jsonWebToken);
                 if (!claims.iss) {
                     logger.warn(`${remoteAddress}: missing issuer claim when creating channel`);
                     res.statusCode = 403; // forbidden
@@ -82,7 +82,7 @@ export async function start({ httpInterface = config.HTTP_INTERFACE, port = conf
             try {
                 const jsonWebToken = await parseBody(req);
                 /** @type {{ sessionIdsByChannel: Object<string, number[]> }} */
-                const claims = await auth.verify(jsonWebToken);
+                const claims = auth.verify(jsonWebToken);
                 for (const [channelUuid, sessionIds] of Object.entries(
                     claims.sessionIdsByChannel
                 )) {

src/services/http.js

@@ -48,11 +48,11 @@ export async function start(options) {
             logger.warn(`${remoteAddress} WS timed out, closing it`);
             unauthenticatedWebSockets.delete(currentPendingId);
         }, config.timeouts.authentication);
-        webSocket.once("message", async (message) => {
+        webSocket.once("message", (message) => {
             try {
                 /** @type {Credentials | String} can be a string (the jwt) for backwards compatibility with version 1.1 and earlier */
                 const credentials = JSON.parse(message);
-                const session = await connect(webSocket, {
+                const session = connect(webSocket, {
                     channelUUID: credentials?.channelUUID,
                     jwt: credentials.jwt || credentials,
                 });
@@ -102,10 +102,10 @@ export function close() {
  * @param {import("ws").WebSocket} webSocket
  * @param {Credentials}
  */
-async function connect(webSocket, { channelUUID, jwt }) {
+function connect(webSocket, { channelUUID, jwt }) {
     let channel = Channel.records.get(channelUUID);
     /** @type {{sfu_channel_uuid: string, session_id: number, ice_servers: Object[] }} */
-    const authResult = await verify(jwt, channel?.key);
+    const authResult = verify(jwt, channel?.key);
     const { sfu_channel_uuid, session_id, ice_servers } = authResult;
     if (!channelUUID && sfu_channel_uuid) {
         // Cases where the channelUUID is not provided in the credentials for backwards compatibility with version 1.1 and earlier.