Switch to using JWTKit v5

vapor · Nov 6, 2023 · 980ebc0 · 980ebc0
1 parent 326c0a2
commit 980ebc0
Show file tree

Hide file tree

Showing 10 changed files with 137 additions and 369 deletions.
diff --git a/Package.swift b/Package.swift
@@ -1,19 +1,19 @@
-// swift-tools-version:5.4
+// swift-tools-version:5.9
 import PackageDescription
 
 let package = Package(
     name: "jwt",
     platforms: [
-        .macOS(.v10_15),
-        .iOS(.v13),
-        .tvOS(.v13),
-        .watchOS(.v6)
+        .macOS(.v13),
+        .iOS(.v16),
+        .tvOS(.v16),
+        .watchOS(.v9),
     ],
     products: [
         .library(name: "JWT", targets: ["JWT"]),
     ],
     dependencies: [
-        .package(url: "https://github.com/vapor/jwt-kit.git", from: "4.0.0"),
+        .package(url: "https://github.com/vapor/jwt-kit.git", branch: "jwtkit-5"),
         .package(url: "https://github.com/vapor/vapor.git", from: "4.50.0"),
     ],
     targets: [

diff --git a/Sources/JWT/Application+JWT.swift b/Sources/JWT/Application+JWT.swift
@@ -1,16 +1,16 @@
-import Vapor
 import JWTKit
+import Vapor
 
-extension Application {
-    public var jwt: JWT {
+public extension Application {
+    var jwt: JWT {
         .init(_application: self)
     }
 
-    public struct JWT {
+    struct JWT {
         private final class Storage {
-            var signers: JWTSigners
+            var keys: JWTKeyCollection
             init() {
-                self.signers = .init()
+                self.keys = .init()
             }
         }
 
@@ -20,9 +20,9 @@ extension Application {
 
         public let _application: Application
 
-        public var signers: JWTSigners {
-            get { self.storage.signers }
-            set { self.storage.signers = newValue }
+        public var keys: JWTKeyCollection {
+            get { self.storage.keys }
+            set { self.storage.keys = newValue }
         }
 
         private var storage: Storage {

diff --git a/Sources/JWT/AsyncJWTAuthenticator.swift b/Sources/JWT/AsyncJWTAuthenticator.swift
diff --git a/Sources/JWT/JWT+Apple.swift b/Sources/JWT/JWT+Apple.swift
@@ -8,30 +8,25 @@ extension Request.JWT {
     public struct Apple {
         public let _jwt: Request.JWT
 
-        public func verify(applicationIdentifier: String? = nil) -> EventLoopFuture<AppleIdentityToken> {
+        public func verify(applicationIdentifier: String? = nil) async throws -> AppleIdentityToken {
             guard let token = self._jwt._request.headers.bearerAuthorization?.token else {
                 self._jwt._request.logger.error("Request is missing JWT bearer header.")
-                return self._jwt._request.eventLoop.makeFailedFuture(Abort(.unauthorized))
+                throw Abort(.unauthorized)
             }
-            return self.verify(token, applicationIdentifier: applicationIdentifier)
+            return try await self.verify(token, applicationIdentifier: applicationIdentifier)
         }
 
-        public func verify(_ message: String, applicationIdentifier: String? = nil) -> EventLoopFuture<AppleIdentityToken> {
-            self.verify([UInt8](message.utf8), applicationIdentifier: applicationIdentifier)
+        public func verify(_ message: String, applicationIdentifier: String? = nil) async throws -> AppleIdentityToken {
+            try await self.verify([UInt8](message.utf8), applicationIdentifier: applicationIdentifier)
         }
 
-        public func verify<Message>(_ message: Message, applicationIdentifier: String? = nil) -> EventLoopFuture<AppleIdentityToken>
-            where Message: DataProtocol
-        {
-            self._jwt._request.application.jwt.apple.signers(
-                on: self._jwt._request
-            ).flatMapThrowing { signers in
-                let token = try signers.verify(message, as: AppleIdentityToken.self)
-                if let applicationIdentifier = applicationIdentifier ?? self._jwt._request.application.jwt.apple.applicationIdentifier {
-                    try token.audience.verifyIntendedAudience(includes: applicationIdentifier)
-                }
-                return token
+        public func verify(_ message: some DataProtocol, applicationIdentifier: String? = nil) async throws -> AppleIdentityToken {
+            let keys = try await self._jwt._request.application.jwt.apple.keys(on: self._jwt._request)
+            let token = try await keys.verify(message, as: AppleIdentityToken.self)
+            if let applicationIdentifier = applicationIdentifier ?? self._jwt._request.application.jwt.apple.applicationIdentifier {
+                try token.audience.verifyIntendedAudience(includes: applicationIdentifier)
             }
+            return token
         }
     }
 }
@@ -44,12 +39,8 @@ extension Application.JWT {
     public struct Apple {
         public let _jwt: Application.JWT
 
-        public func signers(on request: Request) -> EventLoopFuture<JWTSigners> {
-            self.jwks.get(on: request).flatMapThrowing {
-                let signers = JWTSigners()
-                try signers.use(jwks: $0)
-                return signers
-            }
+        public func keys(on request: Request) async throws -> JWTKeyCollection {
+            try await JWTKeyCollection().add(jwks: jwks.get(on: request).get())
         }
 
         public var jwks: EndpointCache<JWKS> {

diff --git a/Sources/JWT/JWT+Concurrency.swift b/Sources/JWT/JWT+Concurrency.swift
diff --git a/Sources/JWT/JWT+Google.swift b/Sources/JWT/JWT+Google.swift
@@ -11,57 +11,42 @@ extension Request.JWT {
         public func verify(
             applicationIdentifier: String? = nil,
             gSuiteDomainName: String? = nil
-        ) -> EventLoopFuture<GoogleIdentityToken> {
+        ) async throws -> GoogleIdentityToken {
             guard let token = self._jwt._request.headers.bearerAuthorization?.token else {
                 self._jwt._request.logger.error("Request is missing JWT bearer header.")
-                return self._jwt._request.eventLoop.makeFailedFuture(Abort(.unauthorized))
+                throw Abort(.unauthorized)
             }
-            return self.verify(
-                token,
-                applicationIdentifier: applicationIdentifier,
-                gSuiteDomainName: gSuiteDomainName
-            )
+            return try await self.verify(token, applicationIdentifier: applicationIdentifier, gSuiteDomainName: gSuiteDomainName)
         }
 
         public func verify(
             _ message: String,
             applicationIdentifier: String? = nil,
             gSuiteDomainName: String? = nil
-        ) -> EventLoopFuture<GoogleIdentityToken> {
-            self.verify(
-                [UInt8](message.utf8),
-                applicationIdentifier: applicationIdentifier,
-                gSuiteDomainName: gSuiteDomainName
-            )
+        ) async throws -> GoogleIdentityToken {
+            try await self.verify([UInt8](message.utf8), applicationIdentifier: applicationIdentifier, gSuiteDomainName: gSuiteDomainName)
         }
 
-        public func verify<Message>(
-            _ message: Message,
+        public func verify(
+            _ message: some DataProtocol,
             applicationIdentifier: String? = nil,
             gSuiteDomainName: String? = nil
-        ) -> EventLoopFuture<GoogleIdentityToken>
-            where Message: DataProtocol
-        {
-            self._jwt._request.application.jwt.google.signers(
-                on: self._jwt._request
-            ).flatMapThrowing { signers in
-                let token = try signers.verify(message, as: GoogleIdentityToken.self)
-                if let applicationIdentifier = applicationIdentifier ?? self._jwt._request.application.jwt.google.applicationIdentifier {
-                    try token.audience.verifyIntendedAudience(includes: applicationIdentifier)
-                }
-
-                if let gSuiteDomainName = gSuiteDomainName ?? self._jwt._request.application.jwt.google.gSuiteDomainName {
-                    guard let hd = token.hostedDomain, hd.value == gSuiteDomainName else {
-                        throw JWTError.claimVerificationFailure(
-                            name: "hostedDomain",
-                            reason: "Hosted domain claim does not match gSuite domain name"
-                        )
-                    }
+        ) async throws -> GoogleIdentityToken {
+            let keys = try await self._jwt._request.application.jwt.google.keys(on: self._jwt._request)
+            let token = try await keys.verify(message, as: GoogleIdentityToken.self)
+            if let applicationIdentifier = applicationIdentifier ?? self._jwt._request.application.jwt.google.applicationIdentifier {
+                try token.audience.verifyIntendedAudience(includes: applicationIdentifier)
+            }
+            if let gSuiteDomainName = gSuiteDomainName ?? self._jwt._request.application.jwt.google.gSuiteDomainName {
+                guard let hd = token.hostedDomain, hd.value == gSuiteDomainName else {
+                    throw JWTError.claimVerificationFailure(
+                        name: "hostedDomain",
+                        reason: "Hosted domain claim does not match gSuite domain name"
+                    )
                 }
-                return token
             }
+            return token
         }
-
     }
 }
 
@@ -73,12 +58,8 @@ extension Application.JWT {
     public struct Google {
         public let _jwt: Application.JWT
 
-        public func signers(on request: Request) -> EventLoopFuture<JWTSigners> {
-            self.jwks.get(on: request).flatMapThrowing {
-                let signers = JWTSigners()
-                try signers.use(jwks: $0)
-                return signers
-            }
+        public func keys(on request: Request) async throws -> JWTKeyCollection {
+            try await JWTKeyCollection().add(jwks: jwks.get(on: request).get())
         }
 
         public var jwks: EndpointCache<JWKS> {