feat: remove jsrsasign dependancy

Fabian Wiles · Fabian Wiles · commit 77cb37abfd08 · 2018-06-16T11:53:53.000+12:00
diff --git a/package.json b/package.json
@@ -16,7 +16,7 @@
     "docs:watch": "npm run docs:build -- -s -w",
     "format": "prettier --single-quote --write projects/**/*.ts",
     "copy:readme": "cpr README.md dist/lib/README.md --overwrite"
-  }, 
+  },
   "private": true,
   "dependencies": {
     "@angular/animations": "6.0.0",
@@ -29,11 +29,13 @@
     "@angular/platform-browser": "6.0.0",
     "@angular/platform-browser-dynamic": "6.0.0",
     "@angular/router": "6.0.0",
+    "@types/jsonwebtoken": "^7.2.7",
     "@webcomponents/custom-elements": "^1.1.0",
     "angular-oauth2-oidc": "^2.1.8",
     "bootstrap": "^3.3.7",
     "core-js": "^2.5.1",
-    "jsrsasign": "^8.0.12",
+    "jsonwebtoken": "^8.3.0",
+    "jwk-to-pem": "^2.0.0",
     "rxjs": "6.1.0",
     "rxjs-compat": "^6.0.0-rc.0",
     "zone.js": "^0.8.26"
diff --git a/projects/lib/ng-package.json b/projects/lib/ng-package.json
@@ -6,7 +6,9 @@
     "entryFile": "src/public_api.ts"
   },
   "whitelistedNonPeerDependencies": [
-      "jsrsasign"
+    "jsonwebtoken",
+    "jwk-to-pem",
+    "@types/jsonwebtoken"
   ]
 
-}
+}
diff --git a/projects/lib/ng-package.prod.json b/projects/lib/ng-package.prod.json
@@ -5,6 +5,8 @@
     "entryFile": "src/public_api.ts"
   },
   "whitelistedNonPeerDependencies": [
-      "jsrsasign"
+    "jsonwebtoken",
+    "jwk-to-pem",
+    "@types/jsonwebtoken"
   ]
-}
+}
diff --git a/projects/lib/package.json b/projects/lib/package.json
@@ -7,7 +7,9 @@
   "version": "4.0.2",
   "repository": "manfredsteyer/angular-oauth2-oidc",
   "dependencies": {
-    "jsrsasign": "^8.0.12"
+    "jsonwebtoken": "^8.3.0",
+    "jwk-to-pem": "^2.0.0",
+    "@types/jsonwebtoken": "^7.2.7"
   },
   "peerDependencies": {
     "@angular/common": "^6.0.0",
diff --git a/projects/lib/src/token-validation/jwks-validation-handler.ts b/projects/lib/src/token-validation/jwks-validation-handler.ts
@@ -2,11 +2,9 @@ import {
   AbstractValidationHandler,
   ValidationParams
 } from './validation-handler';
+import * as jwkToPem from 'jwk-to-pem';
+import * as jwt from 'jsonwebtoken';
 
-// declare var require: any;
-// let rs = require('jsrsasign');
-
-import * as rs from 'jsrsasign';
 
 /**
  * Validates the signature of an id_token against one
@@ -109,22 +107,18 @@ export class JwksValidationHandler extends AbstractValidationHandler {
       return Promise.reject(error);
     }
 
-    let keyObj = rs.KEYUTIL.getKey(key);
-    let validationOptions = {
-      alg: this.allowedAlgorithms,
-      gracePeriod: this.gracePeriodInSec
-    };
-    let isValid = rs.KJUR.jws.JWS.verifyJWT(
-      params.idToken,
-      keyObj,
-      validationOptions
-    );
-
-    if (isValid) {
-      return Promise.resolve();
-    } else {
+    const pem = jwkToPem(key)
+    try{
+      jwt.verify(
+        params.idToken,
+        pem,
+        {algorithms: this.allowedAlgorithms, clockTolerance: this.gracePeriodInSec}
+      )
+    }
+    catch(err) {
       return Promise.reject('Signature not valid');
     }
+    return Promise.resolve();
   }
 
   private alg2kty(alg: string) {
diff --git a/yarn.lock b/yarn.lock
