Assist_Design/apps/bff/src/modules/auth/infra/token/jose-jwt.service.ts

import { Injectable } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { SignJWT, decodeJwt, jwtVerify, errors, type JWTPayload } from "jose";
import { parseJwtExpiry } from "../../utils/jwt-expiry.util.js";

@Injectable()
export class JoseJwtService {
  private readonly signingKey: Uint8Array;
  private readonly verificationKeys: Uint8Array[];
  private readonly issuer?: string;
  private readonly audience?: string | string[];

  constructor(private readonly configService: ConfigService) {
    const secret = configService.get<string>("JWT_SECRET");
    if (!secret) {
      throw new Error("JWT_SECRET is required in environment variables");
    }
    this.signingKey = new TextEncoder().encode(secret);

    const previousRaw = configService.get<string | undefined>("JWT_SECRET_PREVIOUS");
    const previousSecrets = this.parsePreviousSecrets(previousRaw).filter(s => s !== secret);
    this.verificationKeys = [
      this.signingKey,
      ...previousSecrets.map(s => new TextEncoder().encode(s)),
    ];

    const issuer = configService.get<string | undefined>("JWT_ISSUER");
    this.issuer = issuer && issuer.trim().length > 0 ? issuer.trim() : undefined;

    const audienceRaw = configService.get<string | undefined>("JWT_AUDIENCE");
    const parsedAudience = this.parseAudience(audienceRaw);
    this.audience = parsedAudience;
  }

  private parsePreviousSecrets(raw: string | undefined): string[] {
    if (!raw) return [];
    const trimmed = raw.trim();
    if (!trimmed) return [];
    return trimmed
      .split(",")
      .map(s => s.trim())
      .filter(Boolean);
  }

  private parseAudience(raw: string | undefined): string | string[] | undefined {
    if (!raw) return undefined;
    const trimmed = raw.trim();
    if (!trimmed) return undefined;
    const parts = trimmed
      .split(",")
      .map(p => p.trim())
      .filter(Boolean);
    if (parts.length === 0) return undefined;
    return parts.length === 1 ? parts[0] : parts;
  }

  async sign(payload: JWTPayload, expiresIn: string | number): Promise<string> {
    const expiresInSeconds = typeof expiresIn === "number" ? expiresIn : parseJwtExpiry(expiresIn);
    const nowSeconds = Math.floor(Date.now() / 1000);

    const tokenId = (payload as { tokenId?: unknown }).tokenId;

    let builder = new SignJWT(payload)
      .setProtectedHeader({ alg: "HS256" })
      .setIssuedAt(nowSeconds)
      .setExpirationTime(nowSeconds + expiresInSeconds);

    if (this.issuer) {
      builder = builder.setIssuer(this.issuer);
    }

    if (this.audience) {
      builder = builder.setAudience(this.audience);
    }

    // Optional: set standard JWT ID when a tokenId is present in the payload
    if (typeof tokenId === "string" && tokenId.length > 0) {
      builder = builder.setJti(tokenId);
    }

    return builder.sign(this.signingKey);
  }

  async verify<T extends JWTPayload>(token: string): Promise<T> {
    const options = {
      algorithms: ["HS256"],
      issuer: this.issuer,
      audience: this.audience,
    };

    let lastError: unknown;

    for (let i = 0; i < this.verificationKeys.length; i++) {
      const key = this.verificationKeys[i];
      try {
        const { payload } = await jwtVerify(token, key, options);
        return payload as T;
      } catch (err) {
        lastError = err;
        const isLast = i === this.verificationKeys.length - 1;
        if (isLast) {
          break;
        }

        // Only try the next key on signature-related failures.
        if (err instanceof errors.JWSSignatureVerificationFailed) {
          continue;
        }
        throw err;
      }
    }

    if (lastError instanceof Error) {
      throw lastError;
    }
    throw new Error("JWT verification failed");
  }

  async verifyAllowExpired<T extends JWTPayload>(token: string): Promise<T | null> {
    try {
      return await this.verify<T>(token);
    } catch (err) {
      if (err instanceof errors.JWTExpired) {
        return this.decode<T>(token);
      }
      throw err;
    }
  }

  decode<T extends JWTPayload>(token: string): T | null {
    try {
      return decodeJwt(token) as T;
    } catch {
      return null;
    }
  }
}
Update package dependencies and refactor authentication module - Added sharp dependency for image processing in package.json. - Updated argon2 dependency version to 0.44.0 for enhanced security. - Removed unused @nestjs/jwt dependency and refactored authentication module to utilize JoseJwtService for JWT handling. - Adjusted type definitions for @types/node and @types/pg to ensure compatibility across applications. - Cleaned up package.json files in BFF and Portal applications for consistency and improved dependency management. 2025-12-11 12:03:31 +09:00			`import { Injectable } from "@nestjs/common";`
			`import { ConfigService } from "@nestjs/config";`
			`import { SignJWT, decodeJwt, jwtVerify, errors, type JWTPayload } from "jose";`
			`import { parseJwtExpiry } from "../../utils/jwt-expiry.util.js";`

			`@Injectable()`
			`export class JoseJwtService {`
Enhance JWT handling and authentication flow - Introduced support for previous JWT secrets in the environment configuration to facilitate key rotation. - Refactored the JoseJwtService to manage multiple signing and verification keys, improving security during token validation. - Updated the AuthTokenService to include family identifiers for refresh tokens, enhancing session management and security. - Modified the PasswordWorkflowService and SignupWorkflowService to return session metadata instead of token strings, aligning with security best practices. - Improved error handling and token revocation logic in the TokenBlacklistService and AuthTokenService to prevent replay attacks. - Updated documentation to reflect changes in the authentication architecture and security model. 2025-12-12 15:29:58 +09:00			`private readonly signingKey: Uint8Array;`
			`private readonly verificationKeys: Uint8Array[];`
Enhance authentication and CSRF protection mechanisms - Introduced optional JWT issuer and audience configurations in the JoseJwtService for improved token validation. - Updated CSRF middleware to streamline token validation and enhance security measures. - Added new environment variables for JWT issuer and audience, allowing for more flexible authentication setups. - Refactored CSRF controller and middleware to improve token handling and security checks. - Cleaned up and standardized cookie paths for access and refresh tokens in the AuthController. - Enhanced error handling in the TokenBlacklistService to manage Redis availability more effectively. 2025-12-12 15:00:11 +09:00			`private readonly issuer?: string;`
			`private readonly audience?: string \| string[];`
Update package dependencies and refactor authentication module - Added sharp dependency for image processing in package.json. - Updated argon2 dependency version to 0.44.0 for enhanced security. - Removed unused @nestjs/jwt dependency and refactored authentication module to utilize JoseJwtService for JWT handling. - Adjusted type definitions for @types/node and @types/pg to ensure compatibility across applications. - Cleaned up package.json files in BFF and Portal applications for consistency and improved dependency management. 2025-12-11 12:03:31 +09:00
			`constructor(private readonly configService: ConfigService) {`
			`const secret = configService.get<string>("JWT_SECRET");`
			`if (!secret) {`
			`throw new Error("JWT_SECRET is required in environment variables");`
			`}`
Enhance JWT handling and authentication flow - Introduced support for previous JWT secrets in the environment configuration to facilitate key rotation. - Refactored the JoseJwtService to manage multiple signing and verification keys, improving security during token validation. - Updated the AuthTokenService to include family identifiers for refresh tokens, enhancing session management and security. - Modified the PasswordWorkflowService and SignupWorkflowService to return session metadata instead of token strings, aligning with security best practices. - Improved error handling and token revocation logic in the TokenBlacklistService and AuthTokenService to prevent replay attacks. - Updated documentation to reflect changes in the authentication architecture and security model. 2025-12-12 15:29:58 +09:00			`this.signingKey = new TextEncoder().encode(secret);`

			`const previousRaw = configService.get<string \| undefined>("JWT_SECRET_PREVIOUS");`
			`const previousSecrets = this.parsePreviousSecrets(previousRaw).filter(s => s !== secret);`
			`this.verificationKeys = [`
			`this.signingKey,`
			`...previousSecrets.map(s => new TextEncoder().encode(s)),`
			`];`
Enhance authentication and CSRF protection mechanisms - Introduced optional JWT issuer and audience configurations in the JoseJwtService for improved token validation. - Updated CSRF middleware to streamline token validation and enhance security measures. - Added new environment variables for JWT issuer and audience, allowing for more flexible authentication setups. - Refactored CSRF controller and middleware to improve token handling and security checks. - Cleaned up and standardized cookie paths for access and refresh tokens in the AuthController. - Enhanced error handling in the TokenBlacklistService to manage Redis availability more effectively. 2025-12-12 15:00:11 +09:00
			`const issuer = configService.get<string \| undefined>("JWT_ISSUER");`
			`this.issuer = issuer && issuer.trim().length > 0 ? issuer.trim() : undefined;`

			`const audienceRaw = configService.get<string \| undefined>("JWT_AUDIENCE");`
			`const parsedAudience = this.parseAudience(audienceRaw);`
			`this.audience = parsedAudience;`
			`}`

Enhance JWT handling and authentication flow - Introduced support for previous JWT secrets in the environment configuration to facilitate key rotation. - Refactored the JoseJwtService to manage multiple signing and verification keys, improving security during token validation. - Updated the AuthTokenService to include family identifiers for refresh tokens, enhancing session management and security. - Modified the PasswordWorkflowService and SignupWorkflowService to return session metadata instead of token strings, aligning with security best practices. - Improved error handling and token revocation logic in the TokenBlacklistService and AuthTokenService to prevent replay attacks. - Updated documentation to reflect changes in the authentication architecture and security model. 2025-12-12 15:29:58 +09:00			`private parsePreviousSecrets(raw: string \| undefined): string[] {`
			`if (!raw) return [];`
			`const trimmed = raw.trim();`
			`if (!trimmed) return [];`
			`return trimmed`
			`.split(",")`
			`.map(s => s.trim())`
			`.filter(Boolean);`
			`}`

Enhance authentication and CSRF protection mechanisms - Introduced optional JWT issuer and audience configurations in the JoseJwtService for improved token validation. - Updated CSRF middleware to streamline token validation and enhance security measures. - Added new environment variables for JWT issuer and audience, allowing for more flexible authentication setups. - Refactored CSRF controller and middleware to improve token handling and security checks. - Cleaned up and standardized cookie paths for access and refresh tokens in the AuthController. - Enhanced error handling in the TokenBlacklistService to manage Redis availability more effectively. 2025-12-12 15:00:11 +09:00			`private parseAudience(raw: string \| undefined): string \| string[] \| undefined {`
			`if (!raw) return undefined;`
			`const trimmed = raw.trim();`
			`if (!trimmed) return undefined;`
			`const parts = trimmed`
			`.split(",")`
			`.map(p => p.trim())`
			`.filter(Boolean);`
			`if (parts.length === 0) return undefined;`
			`return parts.length === 1 ? parts[0] : parts;`
Update package dependencies and refactor authentication module - Added sharp dependency for image processing in package.json. - Updated argon2 dependency version to 0.44.0 for enhanced security. - Removed unused @nestjs/jwt dependency and refactored authentication module to utilize JoseJwtService for JWT handling. - Adjusted type definitions for @types/node and @types/pg to ensure compatibility across applications. - Cleaned up package.json files in BFF and Portal applications for consistency and improved dependency management. 2025-12-11 12:03:31 +09:00			`}`

Enhance JWT handling and authentication flow - Introduced support for previous JWT secrets in the environment configuration to facilitate key rotation. - Refactored the JoseJwtService to manage multiple signing and verification keys, improving security during token validation. - Updated the AuthTokenService to include family identifiers for refresh tokens, enhancing session management and security. - Modified the PasswordWorkflowService and SignupWorkflowService to return session metadata instead of token strings, aligning with security best practices. - Improved error handling and token revocation logic in the TokenBlacklistService and AuthTokenService to prevent replay attacks. - Updated documentation to reflect changes in the authentication architecture and security model. 2025-12-12 15:29:58 +09:00			`async sign(payload: JWTPayload, expiresIn: string \| number): Promise<string> {`
			`const expiresInSeconds = typeof expiresIn === "number" ? expiresIn : parseJwtExpiry(expiresIn);`
Update package dependencies and refactor authentication module - Added sharp dependency for image processing in package.json. - Updated argon2 dependency version to 0.44.0 for enhanced security. - Removed unused @nestjs/jwt dependency and refactored authentication module to utilize JoseJwtService for JWT handling. - Adjusted type definitions for @types/node and @types/pg to ensure compatibility across applications. - Cleaned up package.json files in BFF and Portal applications for consistency and improved dependency management. 2025-12-11 12:03:31 +09:00			`const nowSeconds = Math.floor(Date.now() / 1000);`

Enhance authentication and CSRF protection mechanisms - Introduced optional JWT issuer and audience configurations in the JoseJwtService for improved token validation. - Updated CSRF middleware to streamline token validation and enhance security measures. - Added new environment variables for JWT issuer and audience, allowing for more flexible authentication setups. - Refactored CSRF controller and middleware to improve token handling and security checks. - Cleaned up and standardized cookie paths for access and refresh tokens in the AuthController. - Enhanced error handling in the TokenBlacklistService to manage Redis availability more effectively. 2025-12-12 15:00:11 +09:00			`const tokenId = (payload as { tokenId?: unknown }).tokenId;`

			`let builder = new SignJWT(payload)`
Update package dependencies and refactor authentication module - Added sharp dependency for image processing in package.json. - Updated argon2 dependency version to 0.44.0 for enhanced security. - Removed unused @nestjs/jwt dependency and refactored authentication module to utilize JoseJwtService for JWT handling. - Adjusted type definitions for @types/node and @types/pg to ensure compatibility across applications. - Cleaned up package.json files in BFF and Portal applications for consistency and improved dependency management. 2025-12-11 12:03:31 +09:00			`.setProtectedHeader({ alg: "HS256" })`
			`.setIssuedAt(nowSeconds)`
Enhance authentication and CSRF protection mechanisms - Introduced optional JWT issuer and audience configurations in the JoseJwtService for improved token validation. - Updated CSRF middleware to streamline token validation and enhance security measures. - Added new environment variables for JWT issuer and audience, allowing for more flexible authentication setups. - Refactored CSRF controller and middleware to improve token handling and security checks. - Cleaned up and standardized cookie paths for access and refresh tokens in the AuthController. - Enhanced error handling in the TokenBlacklistService to manage Redis availability more effectively. 2025-12-12 15:00:11 +09:00			`.setExpirationTime(nowSeconds + expiresInSeconds);`

			`if (this.issuer) {`
			`builder = builder.setIssuer(this.issuer);`
			`}`

			`if (this.audience) {`
			`builder = builder.setAudience(this.audience);`
			`}`

			`// Optional: set standard JWT ID when a tokenId is present in the payload`
			`if (typeof tokenId === "string" && tokenId.length > 0) {`
			`builder = builder.setJti(tokenId);`
			`}`

Enhance JWT handling and authentication flow - Introduced support for previous JWT secrets in the environment configuration to facilitate key rotation. - Refactored the JoseJwtService to manage multiple signing and verification keys, improving security during token validation. - Updated the AuthTokenService to include family identifiers for refresh tokens, enhancing session management and security. - Modified the PasswordWorkflowService and SignupWorkflowService to return session metadata instead of token strings, aligning with security best practices. - Improved error handling and token revocation logic in the TokenBlacklistService and AuthTokenService to prevent replay attacks. - Updated documentation to reflect changes in the authentication architecture and security model. 2025-12-12 15:29:58 +09:00			`return builder.sign(this.signingKey);`
Update package dependencies and refactor authentication module - Added sharp dependency for image processing in package.json. - Updated argon2 dependency version to 0.44.0 for enhanced security. - Removed unused @nestjs/jwt dependency and refactored authentication module to utilize JoseJwtService for JWT handling. - Adjusted type definitions for @types/node and @types/pg to ensure compatibility across applications. - Cleaned up package.json files in BFF and Portal applications for consistency and improved dependency management. 2025-12-11 12:03:31 +09:00			`}`

			`async verify<T extends JWTPayload>(token: string): Promise<T> {`
Enhance JWT handling and authentication flow - Introduced support for previous JWT secrets in the environment configuration to facilitate key rotation. - Refactored the JoseJwtService to manage multiple signing and verification keys, improving security during token validation. - Updated the AuthTokenService to include family identifiers for refresh tokens, enhancing session management and security. - Modified the PasswordWorkflowService and SignupWorkflowService to return session metadata instead of token strings, aligning with security best practices. - Improved error handling and token revocation logic in the TokenBlacklistService and AuthTokenService to prevent replay attacks. - Updated documentation to reflect changes in the authentication architecture and security model. 2025-12-12 15:29:58 +09:00			`const options = {`
Enhance authentication and CSRF protection mechanisms - Introduced optional JWT issuer and audience configurations in the JoseJwtService for improved token validation. - Updated CSRF middleware to streamline token validation and enhance security measures. - Added new environment variables for JWT issuer and audience, allowing for more flexible authentication setups. - Refactored CSRF controller and middleware to improve token handling and security checks. - Cleaned up and standardized cookie paths for access and refresh tokens in the AuthController. - Enhanced error handling in the TokenBlacklistService to manage Redis availability more effectively. 2025-12-12 15:00:11 +09:00			`algorithms: ["HS256"],`
			`issuer: this.issuer,`
			`audience: this.audience,`
Enhance JWT handling and authentication flow - Introduced support for previous JWT secrets in the environment configuration to facilitate key rotation. - Refactored the JoseJwtService to manage multiple signing and verification keys, improving security during token validation. - Updated the AuthTokenService to include family identifiers for refresh tokens, enhancing session management and security. - Modified the PasswordWorkflowService and SignupWorkflowService to return session metadata instead of token strings, aligning with security best practices. - Improved error handling and token revocation logic in the TokenBlacklistService and AuthTokenService to prevent replay attacks. - Updated documentation to reflect changes in the authentication architecture and security model. 2025-12-12 15:29:58 +09:00			`};`

			`let lastError: unknown;`

			`for (let i = 0; i < this.verificationKeys.length; i++) {`
			`const key = this.verificationKeys[i];`
			`try {`
			`const { payload } = await jwtVerify(token, key, options);`
			`return payload as T;`
			`} catch (err) {`
			`lastError = err;`
			`const isLast = i === this.verificationKeys.length - 1;`
			`if (isLast) {`
			`break;`
			`}`

			`// Only try the next key on signature-related failures.`
			`if (err instanceof errors.JWSSignatureVerificationFailed) {`
			`continue;`
			`}`
			`throw err;`
			`}`
			`}`

			`if (lastError instanceof Error) {`
			`throw lastError;`
			`}`
			`throw new Error("JWT verification failed");`
Update package dependencies and refactor authentication module - Added sharp dependency for image processing in package.json. - Updated argon2 dependency version to 0.44.0 for enhanced security. - Removed unused @nestjs/jwt dependency and refactored authentication module to utilize JoseJwtService for JWT handling. - Adjusted type definitions for @types/node and @types/pg to ensure compatibility across applications. - Cleaned up package.json files in BFF and Portal applications for consistency and improved dependency management. 2025-12-11 12:03:31 +09:00			`}`

			`async verifyAllowExpired<T extends JWTPayload>(token: string): Promise<T \| null> {`
			`try {`
			`return await this.verify<T>(token);`
			`} catch (err) {`
			`if (err instanceof errors.JWTExpired) {`
			`return this.decode<T>(token);`
			`}`
			`throw err;`
			`}`
			`}`

			`decode<T extends JWTPayload>(token: string): T \| null {`
			`try {`
			`return decodeJwt(token) as T;`
			`} catch {`
			`return null;`
			`}`
			`}`
			`}`