fix: use dart_jsonwebtoken for verifying jwt

Author: grdsdev

packages/gotrue/lib/src/gotrue_client.dart

@@ -1,9 +1,9 @@
 import 'dart:async';
 import 'dart:convert';
 import 'dart:math';
-import 'dart:typed_data';
 
 import 'package:collection/collection.dart';
+import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
 import 'package:gotrue/gotrue.dart';
 import 'package:gotrue/src/constants.dart';
 import 'package:gotrue/src/fetch.dart';
@@ -14,7 +14,6 @@ import 'package:http/http.dart';
 import 'package:jwt_decode/jwt_decode.dart';
 import 'package:logging/logging.dart';
 import 'package:meta/meta.dart';
-import 'package:pointycastle/export.dart';
 import 'package:retry/retry.dart';
 import 'package:rxdart/subjects.dart';
 
@@ -1342,17 +1341,19 @@ class GoTrueClient {
     return exception;
   }
 
-  Future<JWK?> _fetchJwk(String kid, JWKSet suppliedJwks) async {
+  Future<JWTKey?> _fetchJwk(String kid, JWKSet suppliedJwks) async {
     // try fetching from the supplied jwks
-    final jwk = suppliedJwks.keys.firstWhereOrNull((jwk) => jwk.kid == kid);
+    final jwk = suppliedJwks.keys
+        .firstWhereOrNull((jwk) => jwk.toJWK(keyID: kid)['kid'] == kid);
     if (jwk != null) {
       return jwk;
     }
 
     final now = DateTime.now();
 
     // try fetching from cache
-    final cachedJwk = _jwks?.keys.firstWhereOrNull((jwk) => jwk.kid == kid);
+    final cachedJwk = _jwks?.keys
+        .firstWhereOrNull((jwk) => jwk.toJWK(keyID: kid)['kid'] == kid);
 
     // jwks exists and it isn't stale
     if (cachedJwk != null &&
@@ -1378,7 +1379,8 @@ class GoTrueClient {
     _jwksCachedAt = now;
 
     // find the signing key
-    return jwks.keys.firstWhereOrNull((jwk) => jwk.kid == kid);
+    return jwks.keys
+        .firstWhereOrNull((jwk) => jwk.toJWK(keyID: kid)['kid'] == kid);
   }
 
   /// Extracts the JWT claims present in the access token by first verifying the
@@ -1431,26 +1433,14 @@ class GoTrueClient {
           signature: decoded.signature);
     }
 
-    final publicKey = RSAPublicKey(signingKey['n'], signingKey['e']);
-    final signer = RSASigner(SHA256Digest(), '0609608648016503040201'); // PKCS1
-
-    // initialize with false, which means verify
-    signer.init(false, PublicKeyParameter<RSAPublicKey>(publicKey));
-
-    final signature = RSASignature(Uint8List.fromList(decoded.signature));
-    final isValidSignature = signer.verifySignature(
-      Uint8List.fromList(
-          utf8.encode('${decoded.raw.header}.${decoded.raw.payload}')),
-      signature,
-    );
-
-    if (!isValidSignature) {
-      throw AuthInvalidJwtException('Invalid JWT signature');
+    try {
+      JWT.verify(token, signingKey);
+      return GetClaimsResponse(
+          claims: decoded.payload,
+          header: decoded.header,
+          signature: decoded.signature);
+    } catch (e) {
+      throw AuthInvalidJwtException('Invalid JWT signature: $e');
     }
-
-    return GetClaimsResponse(
-        claims: decoded.payload,
-        header: decoded.header,
-        signature: decoded.signature);
   }
 }

packages/gotrue/lib/src/types/jwt.dart

@@ -1,3 +1,5 @@
+import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
+
 /// JWT Header structure
 class JwtHeader {
   /// Algorithm used to sign the JWT (e.g., 'RS256', 'ES256', 'HS256')
@@ -157,109 +159,21 @@ class GetClaimsOptions {
 }
 
 class JWKSet {
-  final List<JWK> keys;
+  final List<JWTKey> keys;
 
   JWKSet({required this.keys});
 
   factory JWKSet.fromJson(Map<String, dynamic> json) {
     final keys = (json['keys'] as List<dynamic>?)
-            ?.map((e) => JWK.fromJson(e as Map<String, dynamic>))
+            ?.map((e) => JWTKey.fromJWK(e as Map<String, dynamic>))
             .toList() ??
         [];
     return JWKSet(keys: keys);
   }
 
   Map<String, dynamic> toJson() {
     return {
-      'keys': keys.map((e) => e.toJson()).toList(),
-    };
-  }
-}
-
-/// {@template jwk}
-/// JSON Web Key (JWK) representation.
-/// {@endtemplate}
-class JWK {
-  /// The "kty" (key type) parameter identifies the cryptographic algorithm
-  /// family used with the key, such as "RSA" or "EC".
-  final String kty;
-
-  /// The "key_ops" (key operations) parameter identifies the cryptographic
-  /// operations for which the key is intended to be used.
-  final List<String> keyOps;
-
-  /// The "alg" (algorithm) parameter identifies the algorithm intended for
-  /// use with the key.
-  final String? alg;
-
-  /// The "kid" (key ID) parameter is used to match a specific key.
-  final String? kid;
-
-  /// Additional arbitrary properties of the JWK.
-  final Map<String, dynamic> _additionalProperties;
-
-  /// {@macro jwk}
-  JWK({
-    required this.kty,
-    required this.keyOps,
-    this.alg,
-    this.kid,
-    Map<String, dynamic>? additionalProperties,
-  }) : _additionalProperties = additionalProperties ?? {};
-
-  /// Creates a [JWK] from a JSON map.
-  factory JWK.fromJson(Map<String, dynamic> json) {
-    final kty = json['kty'] as String;
-    final keyOps =
-        (json['key_ops'] as List<dynamic>?)?.map((e) => e as String).toList() ??
-            [];
-    final alg = json['alg'] as String?;
-    final kid = json['kid'] as String?;
-
-    final Map<String, dynamic> additionalProperties = Map.from(json);
-    additionalProperties.remove('kty');
-    additionalProperties.remove('key_ops');
-    additionalProperties.remove('alg');
-    additionalProperties.remove('kid');
-
-    return JWK(
-      kty: kty,
-      keyOps: keyOps,
-      alg: alg,
-      kid: kid,
-      additionalProperties: additionalProperties,
-    );
-  }
-
-  /// Allows accessing additional properties using operator[].
-  dynamic operator [](String key) {
-    switch (key) {
-      case 'kty':
-        return kty;
-      case 'key_ops':
-        return keyOps;
-      case 'alg':
-        return alg;
-      case 'kid':
-        return kid;
-      default:
-        return _additionalProperties[key];
-    }
-  }
-
-  /// Converts this [JWK] to a JSON map.
-  Map<String, dynamic> toJson() {
-    final Map<String, dynamic> json = {
-      'kty': kty,
-      'key_ops': keyOps,
-      ..._additionalProperties,
+      'keys': keys.map((e) => e.toJWK()).toList(),
     };
-    if (alg != null) {
-      json['alg'] = alg;
-    }
-    if (kid != null) {
-      json['kid'] = kid;
-    }
-    return json;
   }
 }

packages/gotrue/pubspec.yaml

@@ -1,27 +1,26 @@
 name: gotrue
 description: A dart client library for the GoTrue API.
 version: 2.15.0
-homepage: 'https://supabase.com'
-repository: 'https://github.com/supabase/supabase-flutter/tree/main/packages/gotrue'
-documentation: 'https://supabase.com/docs/reference/dart/auth-signup'
+homepage: "https://supabase.com"
+repository: "https://github.com/supabase/supabase-flutter/tree/main/packages/gotrue"
+documentation: "https://supabase.com/docs/reference/dart/auth-signup"
 
 environment:
-  sdk: '>=3.3.0 <4.0.0'
+  sdk: ">=3.3.0 <4.0.0"
 
 dependencies:
   collection: ^1.15.0
   crypto: ^3.0.2
-  http: '>=0.13.0 <2.0.0'
+  http: ">=0.13.0 <2.0.0"
   jwt_decode: ^0.3.1
   retry: ^3.1.0
-  rxdart: '>=0.27.7 <0.29.0'
+  rxdart: ">=0.27.7 <0.29.0"
   meta: ^1.7.0
   logging: ^1.2.0
-  web: '>=0.5.0 <2.0.0'
-  pointycastle: ^4.0.0
+  web: ">=0.5.0 <2.0.0"
+  dart_jsonwebtoken: ^3.3.0
 
 dev_dependencies:
-  dart_jsonwebtoken: ^3.3.0
   dotenv: ^4.1.0
   lints: ^3.0.0
   test: ^1.16.4