chore: added expiry to jwt

aryanjassal · aryanjassal · commit bb15a92d9934 · 2025-06-23T15:54:53.000+10:00
diff --git a/src/client/callers/authIdentityToken.ts b/src/client/callers/authIdentityToken.ts
@@ -0,0 +1,12 @@
+import type { HandlerTypes } from '@matrixai/rpc';
+import type AuthIdentityToken from '../handlers/AuthIdentityToken.js';
+import { UnaryCaller } from '@matrixai/rpc';
+
+type CallerTypes = HandlerTypes<AuthIdentityToken>;
+
+const authIdentityToken = new UnaryCaller<
+  CallerTypes['input'],
+  CallerTypes['output']
+>();
+
+export default authIdentityToken;
diff --git a/src/client/callers/authSignToken.ts b/src/client/callers/authSignToken.ts
diff --git a/src/client/callers/index.ts b/src/client/callers/index.ts
@@ -4,7 +4,7 @@ import agentStop from './agentStop.js';
 import agentUnlock from './agentUnlock.js';
 import auditEventsGet from './auditEventsGet.js';
 import auditMetricGet from './auditMetricGet.js';
-import authSignToken from './authSignToken.js';
+import authIdentityToken from './authIdentityToken.js';
 import gestaltsActionsGetByIdentity from './gestaltsActionsGetByIdentity.js';
 import gestaltsActionsGetByNode from './gestaltsActionsGetByNode.js';
 import gestaltsActionsSetByIdentity from './gestaltsActionsSetByIdentity.js';
@@ -86,7 +86,7 @@ const clientManifest = {
   agentUnlock,
   auditEventsGet,
   auditMetricGet,
-  authSignToken,
+  authIdentityToken,
   gestaltsActionsGetByIdentity,
   gestaltsActionsGetByNode,
   gestaltsActionsSetByIdentity,
@@ -167,7 +167,7 @@ export {
   agentStop,
   agentUnlock,
   auditEventsGet,
-  authSignToken,
+  authIdentityToken,
   gestaltsActionsGetByIdentity,
   gestaltsActionsGetByNode,
   gestaltsActionsSetByIdentity,
diff --git a/src/client/errors.ts b/src/client/errors.ts
@@ -28,6 +28,11 @@ class ErrorClientProtocolError<T> extends ErrorClient<T> {
   exitCode = sysexits.USAGE;
 }
 
+class ErrorClientAuthenticationInvalidJTI<T> extends ErrorClient<T> {
+  static description = 'Failed to generate JTI';
+  exitCode = sysexits.PROTOCOL;
+}
+
 class ErrorClientService<T> extends ErrorClient<T> {}
 
 class ErrorClientServiceRunning<T> extends ErrorClientService<T> {
@@ -50,22 +55,17 @@ class ErrorClientVerificationFailed<T> extends ErrorClientService<T> {
   exitCode = sysexits.USAGE;
 }
 
-class ErrorClientAuthenticationInvalidToken<T> extends ErrorClient<T> {
-  static description = 'Token is invalid';
-  exitCode = sysexits.PROTOCOL;
-}
-
 export {
   ErrorClient,
   ErrorClientAuthMissing,
   ErrorClientAuthFormat,
   ErrorClientAuthDenied,
   ErrorClientInvalidHeader,
   ErrorClientProtocolError,
+  ErrorClientAuthenticationInvalidJTI,
   ErrorClientService,
   ErrorClientServiceRunning,
   ErrorClientServiceNotRunning,
   ErrorClientServiceDestroyed,
   ErrorClientVerificationFailed,
-  ErrorClientAuthenticationInvalidToken,
 };
diff --git a/src/client/handlers/AuthIdentityToken.ts b/src/client/handlers/AuthIdentityToken.ts
@@ -0,0 +1,37 @@
+import type {
+  ClientRPCRequestParams,
+  ClientRPCResponseResult,
+} from '../types.js';
+import type { SignedTokenEncoded, TokenPayload } from '../../tokens/types.js';
+import type KeyRing from '../../keys/KeyRing.js';
+import { IdSortable } from '@matrixai/id';
+import { UnaryHandler } from '@matrixai/rpc';
+import Token from '../../tokens/Token.js';
+import * as nodesUtils from '../../nodes/utils.js';
+import * as clientErrors from '../errors.js';
+
+class AuthIdentityToken extends UnaryHandler<
+  {
+    keyRing: KeyRing;
+  },
+  ClientRPCRequestParams,
+  ClientRPCResponseResult<SignedTokenEncoded>
+> {
+  public handle = async (): Promise<SignedTokenEncoded> => {
+    const { keyRing }: { keyRing: KeyRing } = this.container;
+    const idGen = new IdSortable();
+    const jti = idGen.next().value;
+    if (jti == null) {
+      throw new clientErrors.ErrorClientAuthenticationInvalidJTI();
+    }
+    const outgoingToken = Token.fromPayload<TokenPayload>({
+      jti: jti.toMultibase('base64'),
+      exp: Math.floor(Date.now() / 1000) + 60, // 60 seconds after issuing
+      iss: nodesUtils.encodeNodeId(keyRing.getNodeId()),
+    });
+    outgoingToken.signWithPrivateKey(keyRing.keyPair);
+    return outgoingToken.toEncoded();
+  };
+}
+
+export default AuthIdentityToken;
diff --git a/src/client/handlers/AuthSignToken.ts b/src/client/handlers/AuthSignToken.ts
diff --git a/src/client/handlers/index.ts b/src/client/handlers/index.ts
@@ -22,7 +22,7 @@ import AgentStop from './AgentStop.js';
 import AgentUnlock from './AgentUnlock.js';
 import AuditEventsGet from './AuditEventsGet.js';
 import AuditMetricGet from './AuditMetricGet.js';
-import AuthSignToken from './AuthSignToken.js';
+import AuthIdentityToken from './AuthIdentityToken.js';
 import GestaltsActionsGetByIdentity from './GestaltsActionsGetByIdentity.js';
 import GestaltsActionsGetByNode from './GestaltsActionsGetByNode.js';
 import GestaltsActionsSetByIdentity from './GestaltsActionsSetByIdentity.js';
@@ -123,7 +123,7 @@ const serverManifest = (container: {
     agentUnlock: new AgentUnlock(container),
     auditEventsGet: new AuditEventsGet(container),
     auditMetricGet: new AuditMetricGet(container),
-    authSignToken: new AuthSignToken(container),
+    authSignToken: new AuthIdentityToken(container),
     gestaltsActionsGetByIdentity: new GestaltsActionsGetByIdentity(container),
     gestaltsActionsGetByNode: new GestaltsActionsGetByNode(container),
     gestaltsActionsSetByIdentity: new GestaltsActionsSetByIdentity(container),
@@ -210,7 +210,7 @@ export {
   AgentUnlock,
   AuditEventsGet,
   AuditMetricGet,
-  AuthSignToken,
+  AuthIdentityToken,
   GestaltsActionsGetByIdentity,
   GestaltsActionsGetByNode,
   GestaltsActionsSetByIdentity,
diff --git a/src/client/types.ts b/src/client/types.ts
@@ -21,7 +21,6 @@ import type {
 } from '../keys/types.js';
 import type { Notification } from '../notifications/types.js';
 import type { ProviderToken } from '../identities/types.js';
-import type { TokenPayload, SignedTokenEncoded } from '../tokens/types.js';
 import type { AuditMetricGetTypeOverride } from './callers/auditMetricGet.js';
 import type {
   NodeContact,
@@ -108,12 +107,6 @@ type TokenMessage = {
   token: ProviderToken;
 };
 
-type IdentityResponseData = TokenPayload & {
-  nodeId: NodeIdEncoded;
-};
-
-type TokenIdentityResponse = SignedTokenEncoded;
-
 // Nodes messages
 
 type NodeIdMessage = {
@@ -412,8 +405,6 @@ export type {
   ClaimIdMessage,
   ClaimNodeMessage,
   TokenMessage,
-  IdentityResponseData,
-  TokenIdentityResponse,
   NodeIdMessage,
   AddressMessage,
   NodeAddressMessage,
diff --git a/tests/client/handlers/auth.test.ts b/tests/client/handlers/auth.test.ts
@@ -1,4 +1,3 @@
-import type { IdentityResponseData } from '#src/client/types.js';
 import type { TLSConfig } from '#network/types.js';
 import fs from 'node:fs';
 import path from 'node:path';
@@ -7,17 +6,17 @@ import Logger, { formatting, LogLevel, StreamHandler } from '@matrixai/logger';
 import { RPCClient } from '@matrixai/rpc';
 import { WebSocketClient } from '@matrixai/ws';
 import * as testsUtils from '../../utils/index.js';
-import { AuthSignToken } from '#client/handlers/index.js';
-import { authSignToken } from '#client/callers/index.js';
+import { AuthIdentityToken } from '#client/handlers/index.js';
+import { authIdentityToken } from '#client/callers/index.js';
 import KeyRing from '#keys/KeyRing.js';
 import Token from '#tokens/Token.js';
 import ClientService from '#client/ClientService.js';
 import * as keysUtils from '#keys/utils/index.js';
 import * as networkUtils from '#network/utils.js';
 import * as nodesUtils from '#nodes/utils.js';
 
-describe('authSignToken', () => {
-  const logger = new Logger('authSignToken test', LogLevel.WARN, [
+describe('authIdentityToken', () => {
+  const logger = new Logger('authIdentityToken test', LogLevel.WARN, [
     new StreamHandler(
       formatting.format`${formatting.level}:${formatting.keys}:${formatting.msg}`,
     ),
@@ -30,7 +29,7 @@ describe('authSignToken', () => {
   let clientService: ClientService;
   let webSocketClient: WebSocketClient;
   let rpcClient: RPCClient<{
-    authSignToken: typeof authSignToken;
+    authIdentityToken: typeof authIdentityToken;
   }>;
 
   beforeEach(async () => {
@@ -53,7 +52,7 @@ describe('authSignToken', () => {
     });
     await clientService.start({
       manifest: {
-        authSignToken: new AuthSignToken({
+        authIdentityToken: new AuthIdentityToken({
           keyRing,
         }),
       },
@@ -69,7 +68,7 @@ describe('authSignToken', () => {
     });
     rpcClient = new RPCClient({
       manifest: {
-        authSignToken,
+        authIdentityToken,
       },
       streamFactory: () => webSocketClient.connection.newStream(),
       toError: networkUtils.toError,
@@ -89,11 +88,13 @@ describe('authSignToken', () => {
   });
 
   test('should return a signed token', async () => {
-    const identityToken = await rpcClient.methods.authSignToken({});
-    const decodedToken = Token.fromEncoded<IdentityResponseData>(identityToken);
+    const identityToken = await rpcClient.methods.authIdentityToken({});
+    const decodedToken = Token.fromEncoded(identityToken);
     const decodedPublicKey = keysUtils.publicKeyFromNodeId(keyRing.getNodeId());
     expect(decodedToken.verifyWithPublicKey(decodedPublicKey)).toBeTrue();
     const encodedNodeId = nodesUtils.encodeNodeId(keyRing.getNodeId());
-    expect(decodedToken.payload.nodeId).toBe(encodedNodeId);
+    expect(decodedToken.payload.iss).toBe(encodedNodeId);
+    expect(decodedToken.payload.exp).toBeDefined();
+    expect(decodedToken.payload.jti).toBeDefined();
   });
 });
