TypeError: Right-hand side of 'instanceof' is not an object

[edward653]

Hi - attempting to use Jose to both sign and verify JWT tokens in a Cloudflare Pages application. Server-side is implemented in typescript.

I should prefix this with the obligatory "I'm a typescript noob" etc!

I had this working fine, along the lines of:

const SECRET: string = "a 32 byte string from somewhere";
const payload: string = await new SignJWT({
    'stuff': 0
    })
    .setSubject('some_user')
    .setProtectedHeader({ 'HS256' })
    .sign(Buffer.from(SECRET));

It worked, I got a jwt fine - it checked out in a debugger, my client side was happy etc.

Now, wrangling on some non-auth related development, and now this does not work, I instead get:

TypeError: Right-hand side of 'instanceof' is not an object
    at isCryptoKey (/private/Users/edward/Documents/dev/kiln-pages/node_modules/jose/dist/browser/runtime/webcrypto.js:2:37)
    at is_key_like_default (/private/Users/edward/Documents/dev/kiln-pages/node_modules/jose/dist/browser/runtime/is_key_like.js:3:12)
    at symmetricTypeCheck (/private/Users/edward/Documents/dev/kiln-pages/node_modules/jose/dist/browser/lib/check_key_type.js:6:10)
    at checkKeyType (/private/Users/edward/Documents/dev/kiln-pages/node_modules/jose/dist/browser/lib/check_key_type.js:39:9)
    at FlattenedSign.sign (/private/Users/edward/Documents/dev/kiln-pages/node_modules/jose/dist/browser/jws/flattened/sign.js:52:9)
    at CompactSign.sign (/private/Users/edward/Documents/dev/kiln-pages/node_modules/jose/dist/browser/jws/compact/sign.js:11:43)
    at SignJWT.sign (/private/Users/edward/Documents/dev/kiln-pages/node_modules/jose/dist/browser/jwt/sign.js:19:20)

I found another post, which indicated this was because the arg passed to sign() was not an instance of a CryptoKey. So have tried pulling this together:

const SECRET: Uint8Array =  new TextEncoder().encode("a 32 byte string from somewhere");
const SECRET_KEY: CryptoKey = await crypto.subtle.importKey("raw", 
    SECRET, 
    {
        name: "HMAC",
        hash: "SHA-256"
    },
    false, 
    ["sign", "verify"]);

With no change whatsoever in the result sadly. I'm not convinced this is particularly a Jose issue - I'm beginning to appreciate cloudflare pages is a bit of a work in progress.

Anyone have any advice on resolving this?

[hanneslemberg]

This worked so far on all our machines, and since today the one dev on linux has the same issue! It works fine in cloudflare workers and on the other dev machines. Maybe also different node versions? Works on Mac/Node 16.18, doesn't work on Linux/Node 19.3.

Edit: works on the other devs machine after downgrading node to 18

Related Miniflare Discussion: cloudflare/miniflare#457

[panva]

Resolved upstream cloudflare/miniflare#457