Zaubrik / djwt

Create and verify JSON Web Tokens (JWT) with Deno or the browser.
MIT License
228 stars 23 forks

How to save the CryptoKey for djwt #80

Open MielkeDaniel opened 1 year ago

MielkeDaniel commented 1 year ago

I'm currently implementing a login system in Deno using the djwt library (https://deno.land/x/djwt@v2.8). It wants me to generate a CryptoKey like so:

const key = await crypto.subtle.generateKey(
  { name: "HMAC", hash: "SHA-512" },
  true,
  ["sign", "verify"],
);

Problem is, I can't save that key in my env variables. If I log out the value of the key it looks like this:

CryptoKey {
  type: "secret",
  extractable: true,
  algorithm: { name: "HMAC", hash: { name: "SHA-512" }, length: 1024 },
  usages: [ "sign", "verify" ]
}

When generating the JWT, the create function wants to have such a CryptoKey object instead of a string, like back in the days ( const jwt = await create({ alg: "HS512", typ: "JWT" }, payload, key); ). How can I consistently save that CryptoKey, so it doesn't change on each restart of my Deno app? Because obviously if I want to verify the old sessions I also need the old key again...

Glad for any help I can get!

jpsSO commented 1 year ago

You can use const exportedKey = await crypto.subtle.exportKey("raw", key); to export the key (base64 encode it to store it) and later use importKey to get it back.

instead of a string, like back in the days

Or even just import a plain string as shown in the link. You can see an example of the import at https://stackoverflow.com/questions/64494966/jwt-authentication-with-deno
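The export/import round trip described in the answer above, as an added example that is not part of the original thread or of djwt's code base. It uses only the Web Crypto API, so it runs under Deno and under Node.js (19+ directly, 18 through node:crypto); the HS512 token is built by hand here rather than with djwt's create/verify so that the example runs offline; the claims and the 7-byte "hunter2" secret are constructed sample input. The 64-byte minimum comes from RFC 7518 section 3.2, which requires an HMAC key at least as long as the hash output.

```javascript
// Added example, not djwt's code: keep one HMAC key across restarts by
// exporting its raw bytes once, storing them base64-encoded (an env variable
// is fine), and importing them again at startup. Only Web Crypto is used, so
// it runs under Deno and under Node.js (>= 19 directly, 18 via node:crypto).

const HMAC_ALG = { name: "HMAC", hash: "SHA-512" };
const enc = new TextEncoder();

async function getSubtle() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  // Older Node.js has no global crypto object; the same API lives in node:crypto.
  const { webcrypto } = await import("node:crypto");
  return webcrypto.subtle;
}

function bytesToBase64(bytes) {
  return btoa(String.fromCharCode(...bytes));
}

function base64ToBytes(b64) {
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// JWT uses unpadded base64url (RFC 7515 section 2).
function base64url(bytes) {
  return bytesToBase64(bytes).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return base64ToBytes(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// One-time step: generate the key and return the string to put in the env file.
// generateKey defaults to the hash block size, 1024 bits (128 bytes) for SHA-512.
async function generateStorableKey() {
  const subtle = await getSubtle();
  const key = await subtle.generateKey(HMAC_ALG, true, ["sign", "verify"]);
  const raw = new Uint8Array(await subtle.exportKey("raw", key));
  return { key, stored: bytesToBase64(raw) };
}

// Startup step: rebuild a CryptoKey from raw bytes. The algorithm parameters
// must match the ones the key was generated with; the imported key is made
// non-extractable because nothing at runtime needs to read it back out.
// RFC 7518 section 3.2 requires an HS512 key of at least 512 bits.
async function importRawKey(raw) {
  if (raw.length < 64) throw new Error("HS512 needs a key of at least 64 bytes");
  return (await getSubtle()).importKey("raw", raw, HMAC_ALG, false, ["sign", "verify"]);
}

const importStoredKey = (stored) => importRawKey(base64ToBytes(stored));
// The "plain string" route from the answer: the string's UTF-8 bytes are the key.
const importSecretString = (secret) => importRawKey(enc.encode(secret));

// Minimal HS512 JWT, built by hand so this runs without djwt.
async function createHs512(key, payload) {
  const header = base64url(enc.encode(JSON.stringify({ alg: "HS512", typ: "JWT" })));
  const body = base64url(enc.encode(JSON.stringify(payload)));
  const signingInput = `${header}.${body}`;
  const sig = await (await getSubtle()).sign("HMAC", key, enc.encode(signingInput));
  return `${signingInput}.${base64url(new Uint8Array(sig))}`;
}

// True only for a well-formed token whose header says HS512 and whose signature
// checks out under `key`; subtle.verify does the constant-time comparison.
async function verifyHs512(key, token) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  try {
    const header = JSON.parse(new TextDecoder().decode(base64urlToBytes(parts[0])));
    if (header.alg !== "HS512") return false; // refuse alg confusion, e.g. "none"
    const sig = base64urlToBytes(parts[2]);
    return await (await getSubtle()).verify("HMAC", key, sig, enc.encode(`${parts[0]}.${parts[1]}`));
  } catch {
    return false;
  }
}

// The scenario from the issue: a token issued before a "restart" is still valid
// under the re-imported key, and invalid under a freshly generated one.
async function demo() {
  const { key: originalKey, stored } = await generateStorableKey();
  const payload = { sub: "user-123", exp: 1900000000 }; // constructed sample claims
  const token = await createHs512(originalKey, payload);

  // After the restart only `stored` (the env variable) survives.
  const restoredKey = await importStoredKey(stored);
  const { key: freshKey } = await generateStorableKey(); // what no persistence gets you

  let shortSecretRejected = false;
  try {
    await importSecretString("hunter2"); // hypothetical weak secret, 7 bytes
  } catch {
    shortSecretRejected = true;
  }

  return {
    storedLength: stored.length,
    verifiedAfterRestart: await verifyHs512(restoredKey, token),
    sameTokenFromRestoredKey: (await createHs512(restoredKey, payload)) === token,
    verifiedByFreshKey: await verifyHs512(freshKey, token),
    shortSecretRejected,
  };
}
```

Run generateStorableKey() once, put the stored string in the environment, and call importStoredKey at startup; importing with a different hash or usages list silently yields a key that will not verify the old tokens, so keep HMAC_ALG in one place. The length check also catches the temptation to paste a short human-chosen password as the HS512 secret.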