.github/ISSUE_TEMPLATE/bug-report.md

@@ -1,7 +1,7 @@
 ---
 name: 🐞Bug report
 about: There's a bug I want to report
-labels: bug, triage
+labels: triage
 ---
 
 **Describe the bug**

.github/workflows/label-sponsors.yml

@@ -0,0 +1,14 @@
+name: Label sponsors
+on:
+  pull_request:
+    types: [opened]
+  issues:
+    types: [opened]
+jobs:
+  build:
+    name: is-sponsor-label
+    runs-on: ubuntu-latest
+    steps:
+      - uses: JasonEtco/is-sponsor-label-action@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -35,6 +35,8 @@ jobs:
           - 12
           - 13.0.0
           - 13
+          - 14.0.0
+          - 14
         os:
           - ubuntu-latest
           - windows-latest

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.26.1](https://github.com/panva/jose/compare/v1.26.0...v1.26.1) (2020-04-27)
+
+
+### Bug Fixes
+
+* **typescript:** types of key generate functions without overloads ([7e60722](https://github.com/panva/jose/commit/7e60722ae7054f8acf833e015c22679d56fbc0ca)), closes [#80](https://github.com/panva/jose/issues/80)
+* "typ" content-type validation, case insensitive and handled prefix ([0691586](https://github.com/panva/jose/commit/06915861b32c0ae252dcc84791050bc3716ce102))
+
+
+
 # [1.26.0](https://github.com/panva/jose/compare/v1.25.2...v1.26.0) (2020-04-16)
 
 

README.md

@@ -141,8 +141,6 @@ jose.JWT.verify(
 <details>
   <summary><em><strong>Verifying OIDC ID Tokens</strong></em> (Click to expand)</summary><br>
 
-#### ID Token Verifying
-
 ID Token is a JWT, but profiled, there are additional requirements to a JWT to be accepted as an
 ID Token and it is pretty easy to omit some, use the `profile` option of `JWT.verify` or the
 `JWT.IdToken.verify` shorthand to make sure what you're accepting is really an ID Token meant to
@@ -171,7 +169,9 @@ to validate those hashes after getting the ID Token payload and signature valida
 <details>
   <summary><em><strong>Verifying OAuth 2.0 JWT Access Tokens</strong></em> (Click to expand)</summary><br>
 
-#### JWT Access Token Verifying
+Draft specification profiles are updated as minor versions of the library, therefore,
+since they may have breaking changes use the `~` semver operator when using these and pay close
+attention to changelog and the drafts themselves.
 
 When accepting a JWT-formatted OAuth 2.0 Access Token there are additional requirements for the JWT
 to be accepted as an Access Token according to the [specification][draft-ietf-oauth-access-token-jwt]
@@ -197,7 +197,9 @@ jose.JWT.AccessToken.verify(
 <details>
   <summary><em><strong>Verifying OIDC Logout Token</strong></em> (Click to expand)</summary><br>
 
-#### Logout Token Verifying
+Draft specification profiles are updated as minor versions of the library, therefore,
+since they may have breaking changes use the `~` semver operator when using these and pay close
+attention to changelog and the drafts themselves.
 
 Logout Token is a JWT, but profiled, there are additional requirements to a JWT to be accepted as an
 Logout Token and it is pretty easy to omit some, use the `profile` option of `JWT.verify` or the
@@ -301,18 +303,16 @@ jose.JWE.decrypt(
 | RSAES-PKCS1-v1_5 | ✓ | RSA1_5 |
 | PBES2 | ✓ | PBES2-HS256+A128KW<sup>[1]</sup>, PBES2-HS384+A192KW<sup>[1]</sup>, PBES2-HS512+A256KW<sup>[1]</sup> |
 | ECDH-ES | ✓<sup>[4]</sup> | ECDH-ES, ECDH-ES+A128KW<sup>[1]</sup>, ECDH-ES+A192KW<sup>[1]</sup>, ECDH-ES+A256KW<sup>[1]</sup> |
-| (X)ChaCha | ✓ <sup>via [plugin][plugin-chacha]</sup> | C20PKW, XC20PKW, ECDH-ES+C20PKW, ECDH-ES+XC20PKW |
 
 | JWE Content Encryption Algorithms | Supported ||
 | -- | -- | -- |
 | AES GCM | ✓ | A128GCM, A192GCM, A256GCM |
 | AES_CBC_HMAC_SHA2 | ✓ |  A128CBC-HS256, A192CBC-HS384, A256CBC-HS512 |
-| (X)ChaCha | ✓ <sup>via [plugin][plugin-chacha]</sup> | C20P, XC20P |
 
 | JWT profile validation | Supported | Stable profile | profile option value |
 | -- | -- | -- | -- |
 | ID Token - [OpenID Connect Core 1.0][spec-oidc-id_token] | ✓ | ✓ | `id_token` |
-| JWT Access Tokens [JWT Profile for OAuth 2.0 Access Tokens][draft-ietf-oauth-access-token-jwt] | ✓ | ✕<sup>5</sup> | `at+JWT` |
+| JWT Access Tokens - [JWT Profile for OAuth 2.0 Access Tokens][draft-ietf-oauth-access-token-jwt] | ✓ | ✕<sup>5</sup> | `at+JWT` |
 | Logout Token - [OpenID Connect Back-Channel Logout 1.0][spec-oidc-logout_token] | ✓ | ✕<sup>5</sup> | `logout_token` |
 | JARM - [JWT Secured Authorization Response Mode for OAuth 2.0][draft-jarm] | ◯ |||
 | [JWT Response for OAuth Token Introspection][draft-jwtintrospection] | ◯ |||
@@ -341,6 +341,10 @@ attention to changelog and the drafts themselves.
 [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html). The rest is to be considered
 private API and is subject to change between any versions.
 
+**Although.** Draft specification profiles are updated as minor versions of the library, therefore,
+since they may have breaking changes use the `~` semver operator when using these and pay close
+attention to changelog and the drafts themselves.
+
 #### How do I use it outside of Node.js
 
 It is **only built for >=10.13.0 Node.js** environment - including `jose` in transpiled
@@ -406,4 +410,3 @@ in terms of performance and API (not having well defined errors).
 [oidc-token-hash]: https://www.npmjs.com/package/oidc-token-hash
 [support-sponsor]: https://github.com/sponsors/panva
 [sponsor-auth0]: https://auth0.com/overview?utm_source=GHsponsor&utm_medium=GHsponsor&utm_campaign=panva-jose&utm_content=auth
-[plugin-chacha]: https://github.com/panva/jose-chacha

lib/jwt/verify.js

@@ -36,6 +36,7 @@ const isStringOrArrayOfStrings = (value, label, required = false) => {
 }
 
 const isNotArrayOfStrings = val => !Array.isArray(val) || val.length === 0 || val.some(isNotString)
+const normalizeTyp = (value) => value.toLowerCase().replace(/^application\//, '')
 
 const validateOptions = ({
   algorithms, audience, clockTolerance, complete = false, crit, ignoreExp = false,
@@ -254,7 +255,7 @@ module.exports = (token, key, options = {}) => {
     throw new JWTClaimInvalid('unexpected "aud" claim value', 'aud', 'check_failed')
   }
 
-  if (typ && decoded.header.typ !== typ) {
+  if (typ && normalizeTyp(decoded.header.typ) !== normalizeTyp(typ)) {
     throw new JWTClaimInvalid('unexpected "typ" JWT header value', 'typ', 'check_failed')
   }
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "jose",
-  "version": "1.26.0",
+  "version": "1.26.1",
   "description": "JSON Web Almost Everything - JWA, JWS, JWE, JWK, JWT, JWKS for Node.js with minimal dependencies",
   "keywords": [
     "access token",

test/jwt/verify.test.js

@@ -199,8 +199,26 @@ test('option.typ validation fails', t => {
 })
 
 test('option.typ validation success', t => {
-  const token = JWT.sign({}, key, { header: { typ: 'foo' } })
-  JWT.verify(token, key, { typ: 'foo' })
+  {
+    const token = JWT.sign({}, key, { header: { typ: 'foo' } })
+    JWT.verify(token, key, { typ: 'foo' })
+  }
+  {
+    const token = JWT.sign({}, key, { header: { typ: 'application/foo' } })
+    JWT.verify(token, key, { typ: 'foo' })
+  }
+  {
+    const token = JWT.sign({}, key, { header: { typ: 'foo' } })
+    JWT.verify(token, key, { typ: 'application/foo' })
+  }
+  {
+    const token = JWT.sign({}, key, { header: { typ: 'foO' } })
+    JWT.verify(token, key, { typ: 'application/foo' })
+  }
+  {
+    const token = JWT.sign({}, key, { header: { typ: 'application/foo' } })
+    JWT.verify(token, key, { typ: 'fOo' })
+  }
   t.pass()
 })
 

types/index.d.ts

@@ -18,6 +18,7 @@ export interface KeyParameters extends BasicParameters {
 }
 export type ECCurve = 'P-256' | 'secp256k1' | 'P-384' | 'P-521';
 export type OKPCurve = 'Ed25519' | 'Ed448' | 'X25519' | 'X448';
+export type Curves = OKPCurve | ECCurve;
 export type keyType = 'RSA' | 'EC' | 'OKP' | 'oct';
 export type asymmetricKeyObjectTypes = 'private' | 'public';
 export type keyObjectTypes = asymmetricKeyObjectTypes | 'secret';
@@ -232,11 +233,13 @@ export namespace JWK {
   function importKey(jwk: JWKECKey): ECKey;
   function importKey(jwk: JWKOKPKey): OKPKey;
 
+  function generate(kty: keyType, crvOrSize?: Curves | number, parameters?: BasicParameters, private?: boolean): Promise<JWK.Key>;
   function generate(kty: 'EC', crv?: ECCurve, parameters?: BasicParameters, private?: boolean): Promise<ECKey>;
   function generate(kty: 'OKP', crv?: OKPCurve, parameters?: BasicParameters, private?: boolean): Promise<OKPKey>;
   function generate(kty: 'RSA', bitlength?: number, parameters?: BasicParameters, private?: boolean): Promise<RSAKey>;
   function generate(kty: 'oct', bitlength?: number, parameters?: BasicParameters): Promise<OctKey>;
 
+  function generateSync(kty: keyType, crvOrSize?: Curves | number, parameters?: BasicParameters, private?: boolean): JWK.Key;
   function generateSync(kty: 'EC', crv?: ECCurve, parameters?: BasicParameters, private?: boolean): ECKey;
   function generateSync(kty: 'OKP', crv?: OKPCurve, parameters?: BasicParameters, private?: boolean): OKPKey;
   function generateSync(kty: 'RSA', bitlength?: number, parameters?: BasicParameters, private?: boolean): RSAKey;
@@ -264,11 +267,13 @@ export namespace JWKS {
 
     toJWKS(private?: boolean): JSONWebKeySet;
 
-    generate(kty: 'EC', crv?: ECCurve, parameters?: BasicParameters, private?: boolean): void;
-    generate(kty: 'OKP', crv?: OKPCurve, parameters?: BasicParameters, private?: boolean): void;
-    generate(kty: 'RSA', bitlength?: number, parameters?: BasicParameters, private?: boolean): void;
-    generate(kty: 'oct', bitlength?: number, parameters?: BasicParameters): void;
+    generate(kty: keyType, crvOrSize?: Curves | number, parameters?: BasicParameters, private?: boolean): Promise<void>;
+    generate(kty: 'EC', crv?: ECCurve, parameters?: BasicParameters, private?: boolean): Promise<void>;
+    generate(kty: 'OKP', crv?: OKPCurve, parameters?: BasicParameters, private?: boolean): Promise<void>;
+    generate(kty: 'RSA', bitlength?: number, parameters?: BasicParameters, private?: boolean): Promise<void>;
+    generate(kty: 'oct', bitlength?: number, parameters?: BasicParameters): Promise<void>;
 
+    generateSync(kty: keyType, crvOrSize?: Curves | number, parameters?: BasicParameters, private?: boolean): void;
     generateSync(kty: 'EC', crv?: ECCurve, parameters?: BasicParameters, private?: boolean): void;
     generateSync(kty: 'OKP', crv?: OKPCurve, parameters?: BasicParameters, private?: boolean): void;
     generateSync(kty: 'RSA', bitlength?: number, parameters?: BasicParameters, private?: boolean): void;