🐛 Fixed signing key identificaiton in JWKs

refs https://github.com/TryGhost/Team/issues/1640 - The signing key returned by `GET /ghost/.well-known/jwks.json` was missing an OPTIONAL `use: "sig"` attribute needed to identify it as a signing key in client libraries. E.g. pyton lib: "pyjwt" or node lib: "jwks-client" - More about the "use" attribute at RFC7515 - https://www.rfc-editor.org/rfc/rfc7515#section-4.1.4
2025-01-20 22:42:53 -05:00 · 2022-05-24 19:20:30 +08:00 · 2022-05-24 19:20:30 +08:00 · 6cc0c2b76b
commit 6cc0c2b76b
parent ffb8b36fc8
2 changed files with 16 additions and 2 deletions
--- a/core/server/web/well-known.js
+++ b/core/server/web/well-known.js
@ -16,7 +16,20 @@ module.exports = function setupWellKnownApp() {

    wellKnownApp.get('/jwks.json', async (req, res) => {
        const jwks = await getSafePublicJWKS();
-        res.json(jwks);
+
+        // there's only one key in the store atm
+        // based on this setting all of the keys to have
+        // "use": "sig" property
+        const keys = jwks.keys
+            .map(key => ({
+                e: key.e,
+                kid: key.kid,
+                kty: key.kty,
+                n: key.n,
+                use: 'sig'
+            }));
+
+        res.json({keys});
    });

    return wellKnownApp;
--- a/test/e2e-server/snapshots/well-known.test.js.snap
+++ b/test/e2e-server/snapshots/well-known.test.js.snap
@ -8,6 +8,7 @@ Object {
      "kid": Any<String>,
      "kty": "RSA",
      "n": Any<String>,
+      "use": "sig",
    },
  ],
 }
@ -15,7 +16,7 @@ Object {

 exports[`.well-known GET /jwks.json should return a JWKS 2: [headers] 1`] = `
 Object {
-  "content-length": "265",
+  "content-length": "277",
  "content-type": "application/json; charset=utf-8",
  "etag": StringMatching /\\(\\?:W\\\\/\\)\\?"\\(\\?:\\[ !#-\\\\x7E\\\\x80-\\\\xFF\\]\\*\\|\\\\r\\\\n\\[\\\\t \\]\\|\\\\\\\\\\.\\)\\*"/,
  "vary": "Accept-Encoding",