feat: initial version

Author: gr2m

src/@types/@sagi.io/cfw-jwt/index.d.ts

@@ -0,0 +1,28 @@
+declare module "@sagi.io/cfw-jwt" {
+  type PrivateKey = string;
+  type AppId = number;
+  type Expiration = number;
+  type Token = string;
+
+  type Result = {
+    appId: AppId;
+    expiration: Expiration;
+    token: Token;
+  };
+
+  type Payload = {
+    iat: number;
+    exp: number;
+    iss: number;
+  };
+
+  type GetTokenOptions = {
+    privateKeyPEM: PrivateKey;
+    payload: Payload;
+    alg: "RS256";
+    cryptoImpl: Crypto;
+    headerAdditions: {};
+  };
+
+  export function getToken(options: GetTokenOptions): Token;
+}

src/get-token-browser.ts

@@ -0,0 +1,47 @@
+import { GetTokenOptions, Token } from "./types";
+import {
+  getEncodedMessage,
+  getDERfromPEM,
+  string2ArrayBuffer,
+  base64encode
+} from "./utils";
+
+export const getToken = async ({
+  privateKey,
+  payload
+}: GetTokenOptions): Promise<Token> => {
+  // WebCrypto only supports PKCS#8, unfortunately
+  if (/BEGIN RSA PRIVATE KEY/.test(privateKey)) {
+    throw new Error(
+      "[universal-github-app-jwt] Private Key is in PKCS#1 format, but only PKCS#8 is supported. See https://github.com/gr2m/universal-github-app-jwt#readme"
+    );
+  }
+
+  const algorithm = {
+    name: "RSASSA-PKCS1-v1_5",
+    hash: { name: "SHA-256" }
+  };
+  const header = { alg: "RS256", typ: "JWT" };
+
+  const privateKeyDER = getDERfromPEM(privateKey);
+  const importedKey = await crypto.subtle.importKey(
+    "pkcs8",
+    privateKeyDER,
+    algorithm,
+    false,
+    ["sign"]
+  );
+
+  const encodedMessage = getEncodedMessage(header, payload);
+  const encodedMessageArrBuf = string2ArrayBuffer(encodedMessage);
+
+  const signatureArrBuf = await crypto.subtle.sign(
+    algorithm.name,
+    importedKey,
+    encodedMessageArrBuf
+  );
+
+  const encodedSignature = base64encode(signatureArrBuf);
+
+  return `${encodedMessage}.${encodedSignature}`;
+};

src/get-token.ts

@@ -0,0 +1,12 @@
+import jsonwebtoken from "jsonwebtoken";
+
+import { GetTokenOptions, Token } from "./types";
+
+export async function getToken({
+  privateKey,
+  payload
+}: GetTokenOptions): Promise<Token> {
+  return jsonwebtoken.sign(payload, privateKey, {
+    algorithm: "RS256"
+  });
+}

src/index.ts

@@ -0,0 +1,32 @@
+import { getToken } from "./get-token";
+
+import { Options, Result } from "./types";
+
+export async function githubAppJwt({
+  id,
+  privateKey
+}: Options): Promise<Result> {
+  // When creating a JSON Web Token, it sets the "issued at time" (iat) to 30s
+  // in the past as we have seen people running situations where the GitHub API
+  // claimed the iat would be in future. It turned out the clocks on the
+  // different machine were not in sync.
+  const now = Math.floor(Date.now() / 1000) - 30;
+  const expiration = now + 60 * 10; // JWT expiration time (10 minute maximum)
+
+  const payload = {
+    iat: now, // Issued at time
+    exp: expiration,
+    iss: id
+  };
+
+  const token = await getToken({
+    privateKey,
+    payload
+  });
+
+  return {
+    appId: id,
+    expiration,
+    token
+  };
+}

src/types.ts

@@ -0,0 +1,27 @@
+export type PrivateKey = string;
+export type AppId = number;
+export type Expiration = number;
+export type Token = string;
+
+export type Options = {
+  id: AppId;
+  privateKey: PrivateKey;
+  crypto?: Crypto;
+};
+
+export type Result = {
+  appId: AppId;
+  expiration: Expiration;
+  token: Token;
+};
+
+export type Payload = {
+  iat: number;
+  exp: number;
+  iss: number;
+};
+
+export type GetTokenOptions = {
+  privateKey: PrivateKey;
+  payload: Payload;
+};

src/utils.ts

@@ -0,0 +1,45 @@
+export function string2ArrayBuffer(str: string) {
+  const buf = new ArrayBuffer(str.length);
+  const bufView = new Uint8Array(buf);
+  for (let i = 0, strLen = str.length; i < strLen; i++) {
+    bufView[i] = str.charCodeAt(i);
+  }
+  return buf;
+}
+
+export function getDERfromPEM(pem: string): ArrayBuffer {
+  const pemB64 = pem
+    .trim()
+    .split("\n")
+    .slice(1, -1) // Remove the --- BEGIN / END PRIVATE KEY ---
+    .join("");
+
+  const decoded = atob(pemB64);
+  return string2ArrayBuffer(decoded);
+}
+
+export function getEncodedMessage(header: object, payload: object): string {
+  return `${base64encodeJSON(header)}.${base64encodeJSON(payload)}`;
+}
+
+export function base64encode(buffer: ArrayBuffer): string {
+  var binary = "";
+  var bytes = new Uint8Array(buffer);
+  var len = bytes.byteLength;
+  for (var i = 0; i < len; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+
+  return fromBase64(btoa(binary));
+}
+
+function fromBase64(base64: string): string {
+  return base64
+    .replace(/=/g, "")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_");
+}
+
+function base64encodeJSON(obj: object) {
+  return fromBase64(btoa(JSON.stringify(obj)));
+}