denoland / deno

A modern runtime for JavaScript and TypeScript.
https://deno.com
MIT License
97.08k stars 5.36k forks source link

`jsonwebtoken` cannot sign with `RS256` #20938

Closed mmastrac closed 7 months ago

mmastrac commented 1 year ago

Required for octokit to write to github using an RSA public/private key JWT.

May be related to #18972

Repro:

In Deno

Uncaught Error: secretOrPrivateKey must be an asymmetric key when using RS256
    at Object.module.exports [as sign] (file:///private/tmp/x/node_modules/.deno/jsonwebtoken@9.0.2/node_modules/jsonwebtoken/sign.js:130:22)
    at <anonymous>:2:13

In node:

(prints a token)

Repro code:

let token = `-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVoKHiWLQKlnCG
oR4d8g+OSGXoJ3yY+BFubB+1TSaCvWGLkqHjYAA0UCgOoaazE2YnXhVlO4tLDLn/
5R6PJrsxksnup+AWnEbur+CuaeQqizGTQXA0nUrsza/QJxb05GSMW9kupzI5BXBi
1R8Tmo5I0CpmXDi1yF+nL2NeDXHB999tXcRSrN/Ai11G1HFoYVs36+cm/Jw71BB1
KsokwFuzvxTFL9bOXDy8/8MlF8QSBFaWBN1tNZ40+oLf/rYeNXpZAFywvC9rc/Ud
B7J9InYHJQaq+vzuWNq7l0LnkJK+/Mq3AYl5yStjBie6tXC3LCmQ5MmLdzHE+SBQ
7tUIL6fvAgMBAAECggEAMSMJRp2+smNpHK04iLj/ZshbvvuIrWt5vfuABjgJ15F9
wSosQ9E4//T60qM/bTuHppH9ELuXKNRLGMATYwtjGgqMifVTX9l+adAURvK7XUVM
yIEK6hxliJKblA3iOhXu9zEKh4mcsqEYoTw/8l4lL8A8zFSowvnEf9DOHwrnOr09
bV6+6BZbLgugLqtOB7i5agnviiCV4Z4llWdhP3zW3c8/PUQyTsqebTkY0DB4FnI0
vC0kQU/v/7MCueH0FA4fMEY9CWuzL3809I9rvUPIBgqSkpXEoWxoGUJxIHGYK6fG
+HHjZQp87Sfz5G4g/Qrq2Gqc2Mb7I0QS2zgBu1tx0QKBgQDH3EyxQ6W9r2S1WqEm
w2B32AuemWwIdxaeLf4est0rO0G0ihAsx4vNZElKO7weYDypp8AjeYfjuriweyQA
R8KDWonn9jA2QQfNNkXDIq+d5+zFbfdOFGqQEThLtpi5pPh0+NeUGQQZIb07jqLF
giuZgOmPVFwru8jYLO04GTZoEwKBgQC/qCP74LHI3/35Ftx5l9CnM5Zr84ByoI5B
3xt2Sd9OsxULxY/omvcB2EdBZSTVKunGmF2a7MDpOn0r/7FdSuuuqzrMwRqbzRFA
GSO06vnoA/k6llcfXKqLZqjHuHEAUNpEeAuzNUKP2DgvnHRtXSkBpFb+IUTMlL9y
O55+g570NQKBgBZiSgSgevOfrTvShrH8t9U0UTjWHg9kpxfYNtnhVnv9CwLZY65g
Ovwp+zthLVSJmsG1lANlHR8YTo8Ve5a8csCbZ06feA7bgbAuH+oW/GxHCXGjO0t3
Zef0xcVVEg3YuCsBo8NmedsGuFbvRrOwPInYsk/nNtt/EKOFhJv/1uQZAoGAdaYb
YLTPrcWCO/PCp4l/9gN+5Ql24eaZLOpuCzDRuZfI5Y8DBgCKfEFtjEEwWQKcuuIx
I7cNvJ3A1M+C6wfgoTpPP/2R/e3mFvjXqGlNuxUlWseK95+EuUntdZxNEaqQMdOX
Kw0YrQBHjUJ3XeMAFxfwptN5TjRJSTA73OGjI7kCgYBtw1LmjFd6wJFyqLEsBnqO
gnVnpxf1DMeMUFpNr+M14P3ETa5UaqiMvCD6VGOzCYv1F7JhnS9TFsYY+FV+L3Nh
1+bZIPY4D4seyPgH0cCycBSVfqdAHJlfxf/Pm7lHCNxTGEfBWri4Ga1bW+zQpWY7
SogaIHQjE81ZkmNtU5gM5Q==
-----END PRIVATE KEY-----`

let jwt = require('jsonwebtoken');
let t = jwt.sign({}, token, { algorithm: 'RS256' });
adamtaylor13 commented 11 months ago

Which deno version is this? Oddly enough, if I run this exact same code (with a slight modification because evidently I can't use require?) I actually get valid output:

// main.ts
const token = `-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCVoKHiWLQKlnCG
oR4d8g+OSGXoJ3yY+BFubB+1TSaCvWGLkqHjYAA0UCgOoaazE2YnXhVlO4tLDLn/
5R6PJrsxksnup+AWnEbur+CuaeQqizGTQXA0nUrsza/QJxb05GSMW9kupzI5BXBi
1R8Tmo5I0CpmXDi1yF+nL2NeDXHB999tXcRSrN/Ai11G1HFoYVs36+cm/Jw71BB1
KsokwFuzvxTFL9bOXDy8/8MlF8QSBFaWBN1tNZ40+oLf/rYeNXpZAFywvC9rc/Ud
B7J9InYHJQaq+vzuWNq7l0LnkJK+/Mq3AYl5yStjBie6tXC3LCmQ5MmLdzHE+SBQ
7tUIL6fvAgMBAAECggEAMSMJRp2+smNpHK04iLj/ZshbvvuIrWt5vfuABjgJ15F9
wSosQ9E4//T60qM/bTuHppH9ELuXKNRLGMATYwtjGgqMifVTX9l+adAURvK7XUVM
yIEK6hxliJKblA3iOhXu9zEKh4mcsqEYoTw/8l4lL8A8zFSowvnEf9DOHwrnOr09
bV6+6BZbLgugLqtOB7i5agnviiCV4Z4llWdhP3zW3c8/PUQyTsqebTkY0DB4FnI0
vC0kQU/v/7MCueH0FA4fMEY9CWuzL3809I9rvUPIBgqSkpXEoWxoGUJxIHGYK6fG
+HHjZQp87Sfz5G4g/Qrq2Gqc2Mb7I0QS2zgBu1tx0QKBgQDH3EyxQ6W9r2S1WqEm
w2B32AuemWwIdxaeLf4est0rO0G0ihAsx4vNZElKO7weYDypp8AjeYfjuriweyQA
R8KDWonn9jA2QQfNNkXDIq+d5+zFbfdOFGqQEThLtpi5pPh0+NeUGQQZIb07jqLF
giuZgOmPVFwru8jYLO04GTZoEwKBgQC/qCP74LHI3/35Ftx5l9CnM5Zr84ByoI5B
3xt2Sd9OsxULxY/omvcB2EdBZSTVKunGmF2a7MDpOn0r/7FdSuuuqzrMwRqbzRFA
GSO06vnoA/k6llcfXKqLZqjHuHEAUNpEeAuzNUKP2DgvnHRtXSkBpFb+IUTMlL9y
O55+g570NQKBgBZiSgSgevOfrTvShrH8t9U0UTjWHg9kpxfYNtnhVnv9CwLZY65g
Ovwp+zthLVSJmsG1lANlHR8YTo8Ve5a8csCbZ06feA7bgbAuH+oW/GxHCXGjO0t3
Zef0xcVVEg3YuCsBo8NmedsGuFbvRrOwPInYsk/nNtt/EKOFhJv/1uQZAoGAdaYb
YLTPrcWCO/PCp4l/9gN+5Ql24eaZLOpuCzDRuZfI5Y8DBgCKfEFtjEEwWQKcuuIx
I7cNvJ3A1M+C6wfgoTpPP/2R/e3mFvjXqGlNuxUlWseK95+EuUntdZxNEaqQMdOX
Kw0YrQBHjUJ3XeMAFxfwptN5TjRJSTA73OGjI7kCgYBtw1LmjFd6wJFyqLEsBnqO
gnVnpxf1DMeMUFpNr+M14P3ETa5UaqiMvCD6VGOzCYv1F7JhnS9TFsYY+FV+L3Nh
1+bZIPY4D4seyPgH0cCycBSVfqdAHJlfxf/Pm7lHCNxTGEfBWri4Ga1bW+zQpWY7
SogaIHQjE81ZkmNtU5gM5Q==
-----END PRIVATE KEY-----`

import jwt from 'npm:jsonwebtoken';
// EDIT: I also tried this with: `import jwt from 'npm:jsonwebtoken@9.0.2';` and got the same, correct, result.
let t = jwt.sign({}, token, { algorithm: 'RS256' });
console.log("==> t", t);

Output:

╰ $ deno run main.ts
==> t eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2OTk5NzU1OTh9.aZgzSUJAyZX4_5yTmP0Vm8-CRbnfWCWD4AGbhpDtpl8hKXixXTflVbsacHWo1kpd5Jy3_uLpjw5V5yHmDlhD8G57eKKAQkSt4lBdAcZqr9u3o9hOwSWyrfZ3Rw2TYV7lhF1bj5dzHaf7rU1P-57QNgxKy_Qlq2jud-4XfqpGHHBydAyapVUJ1qPguOxFWpnFhPcaDZWAEkfS9l09eYFr7GAt35sazIeE0bIv5wduRrpcCqIkvXVX0Mn6MzqX0maNkWvvuuPvYj3K7zoOegV23zL0vRZ4K4Yv-RDCcEucv9RTOuUDK-AU3a6HUR16X0jcEFUg7fnbBt_WVyTIinRgNw
╰ $ deno --version
deno 1.38.1 (release, aarch64-apple-darwin)
v8 12.0.267.1
typescript 5.2.2

However, I'm very interested in helping solve this because it's blocking me from using firebase auth with Fresh and Deno Deploy.

EDIT: The exact error I'm running into along with stack traces is this: https://github.com/firebase/firebase-admin-node/issues/2051

I'm certain it doesn't have anything to do with my formatting as I've tested various cases and even went so far as to inline my private key with newlines and all—all to no avail.

mmastrac commented 11 months ago

@littledivy I think you might have fixed this with your most recent changes.

adamtaylor13 commented 11 months ago

I thought to myself that it was odd that this was working locally, but not on Deno Deploy... Which brings up another question—how can I specify which version of deno to use on deno deploy? I swear I scoured the web and cannot figure out how to do that.

UPDATE: I just saw the "Playground" option, and tried this out—sure enough it has something to do with the specific runtime used on deno deploy. Surely we can use the bleeding-edge (pun-intended) most up-to-date Deno version on deploy?

CleanShot 2023-11-14 at 10 06 39@2x
bartlomieju commented 11 months ago

Surely we can use the bleeding-edge (pun-intended) most up-to-date Deno version on deploy?

That's not possible, Deploy is trailing by a few days.

adamtaylor13 commented 11 months ago

Ahh, bummer. Is there a way to get notified when a new version of deploy drops? Just curious because I've got a PoC which depends on firebase-admin-sdk and I need this to reach deploy to utilize auth so I can show it off. Not a huge deal, but it would be nice to know the moment I can use it.

mmastrac commented 11 months ago

@adamtaylor13 I think it's going to be on deploy within a week or so.

bartlomieju commented 7 months ago

Related to https://github.com/denoland/deno/issues/18972 (might be a duplicate)