feat: implement crypto hardening and bump deps#44
Merged
chrislyons-dev merged 6 commits intomainfrom Mar 6, 2026
Merged
Conversation
… hardening TypeScript: - Add ES512SignConfig interface and createES512SignConfig() factory for ECDSA P-521 signing via the explicit API (closes #32) - Add ES256/ES384/ES512 to all asymmetric algorithm whitelists in verify.ts - Add JWT_JWKS_URL_NAME indirection to getJwksUrl() and envMode() (closes #33) - Add --alg flag to keygen CLI (EdDSA|ES256|ES384|ES512) and --dotenv output (closes #35) - Widen JwtHeader.alg from AlgType to string (external tokens have arbitrary alg) - Export createES512SignConfig and ES512SignConfig from index.ts Python: - Raise HS512 minimum secret from 32 to 64 bytes to match TypeScript - Add mode conflict detection in env.mode() — raises RuntimeError when both JWT_SECRET and asymmetric keys are configured - Widen JwtHeader.alg from AlgType to str (parity with TypeScript) - Fix and expand test suite: 5 new tests, all 29 pass Docs: - security-guide.md: add ECDSA cryptographic profile, update algorithm whitelists, document keygen --alg and --dotenv flags with security rationale - core-concepts.md: update algorithm summary, mode detection note, add ES512 and ECDSA verification rows to cross-language parity table - cloudflare-workers.md: add "Internal JWKS via Service Binding" section (closes #38) - README, index.md, explicit-config.md, CLAUDE.md: reflect updated algorithm surface and keygen CLI usage - notes/tone-of-voice.md: update example to include ES512 alongside EdDSA Closes #32, #33, #35, #38 Closes #34 as duplicate of #33 Written-by: Chris Lyons
- Add ES512VerifyConfig + createES512VerifyConfig to explicit API - Add signWithRequestBinding / verifyWithRequestBinding (req claim, SHA-256 bound to method+path+body) - Fill JWT_JWKS_URL_NAME test coverage in config.test.ts - Add ES512 round-trip tests to explicit.test.ts - Delete empty explicit-jwks.test.ts.tmp
Contributor
Dependency ReviewThe following issues were found:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.