WIP bump Azure auth dependencies and migrate token verification to jose

Upgrade @azure/msal-node to 5.1.5 and replace azure-ad-verify-token-commonjs with a shared jose-based verifier so Azure token validation no longer depends on the vulnerable jsonwebtoken 8.x chain.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: kecso

package-lock.json

@@ -44,14 +44,13 @@
   },
   "homepage": "https://github.com/webgme/webgme-engine#README.md",
   "dependencies": {
-    "@azure/msal-node": "^2.9.2",
+    "@azure/msal-node": "^5.1.5",
     "@redocly/cli": "^2.30.3",
     "@socket.io/redis-adapter": "^8.3.0",
     "adm-zip": "^0.5.10",
     "agentkeepalive": "^4.5.0",
     "archiver": "^7",
     "aws-sdk": "^2.1443.0",
-    "azure-ad-verify-token-commonjs": "^2.0.2",
     "bcryptjs": "^3",
     "body-parser": "^2",
     "browserify": "^17.0.0",
@@ -66,6 +65,7 @@
     "ejs": "^5",
     "express": "^4.18.2",
     "import-fresh": "^3.3.0",
+    "jose": "^6.2.3",
     "jsdoc": "^4.0.2",
     "jsonwebtoken": "^9.0.2",
     "method-override": "^3.0.0",

package.json

@@ -5,7 +5,7 @@ const msal = require('@azure/msal-node');
 const jwt = require('jsonwebtoken');
 const GUID = requireJS('common/util/guid');
 const Q = require('q');
-const aadVerify = require('azure-ad-verify-token-commonjs').verify;
+const aadVerify = require('./verifyAADToken').verify;
 
 class WebGMEAADClient {
     constructor(gmeConfig, gmeAuth, logger) {

src/server/middleware/auth/WebgmeAADClient.js

@@ -0,0 +1,42 @@
+/*eslint-env node*/
+'use strict';
+
+const {URL} = require('url');
+
+let joseModulePromise = null;
+const jwksByUri = new Map();
+
+function getJoseModule() {
+    if (!joseModulePromise) {
+        joseModulePromise = import('jose');
+    }
+
+    return joseModulePromise;
+}
+
+async function getJwks(jwksUri) {
+    const key = String(jwksUri);
+
+    if (!jwksByUri.has(key)) {
+        const jose = await getJoseModule();
+        jwksByUri.set(key, jose.createRemoteJWKSet(new URL(key)));
+    }
+
+    return jwksByUri.get(key);
+}
+
+async function verify(token, options) {
+    const jose = await getJoseModule();
+    const jwks = await getJwks(options.jwksUri);
+    const result = await jose.jwtVerify(token, jwks, {
+        issuer: options.issuer,
+        audience: options.audience,
+        algorithms: ['RS256'],
+    });
+
+    return result.payload;
+}
+
+module.exports = {
+    verify,
+};

src/server/middleware/auth/verifyAADToken.js

@@ -39,6 +39,7 @@ const getClientConfig = require('../../config/getclientconfig');
 const GmeAuth = require('./middleware/auth/gmeauth');
 const Logger = require('./logger');
 const AADClient = require('./middleware/auth/WebgmeAADClient');
+const aadVerify = require('./middleware/auth/verifyAADToken');
 
 const AddOnEventPropagator = require('../addon/addoneventpropagator');
 const webgmeUtils = require('../utils');
@@ -690,7 +691,6 @@ class StandAloneServer {
                 //device access to use webgme related services - only available when access Scope is used
                 if (__gmeConfig.authentication.azureActiveDirectory.accessScope) {
 
-                    const aadVerify = require('azure-ad-verify-token-commonjs');
                     const verify = aadVerify.verify;
                     const voptions = {
                         jwksUri: __gmeConfig.authentication.azureActiveDirectory.jwksUri,