function verifySignatureAgainstJwk()

in src/jwt-rsa.ts [169:214]

• 35 lines of code
• 3 McCabe index (conditional complexity)

function verifySignatureAgainstJwk(
  header: JwtHeader,
  headerB64: string,
  payload: JwtPayload,
  payloadB64: string,
  signatureB64: string,
  jwk: Jwk,
  jwkToKeyObjectTransformer: JwkToKeyObjectTransformer = transformJwkToKeyObject
) {
  // Check JWK use
  assertStringEquals("JWK use", jwk.use, "sig", JwkInvalidUseError);

  // Check JWK kty
  assertStringEquals("JWK kty", jwk.kty, "RSA", JwkInvalidKtyError);

  // Check that JWT signature algorithm matches JWK
  if (jwk.alg) {
    assertStringEquals(
      "JWT signature algorithm",
      header.alg,
      jwk.alg,
      JwtInvalidSignatureAlgorithmError
    );
  }

  // Check JWT signature algorithm is one of RS256, RS384, RS512
  assertStringArrayContainsString(
    "JWT signature algorithm",
    header.alg,
    ["RS256", "RS384", "RS512"],
    JwtInvalidSignatureAlgorithmError
  );

  // Convert JWK modulus and exponent into DER public key
  const publicKey = jwkToKeyObjectTransformer(jwk, payload.iss, header.kid);

  // Verify the JWT signature
  const valid = createVerify(
    JwtSignatureAlgorithms[header.alg as keyof typeof JwtSignatureAlgorithms]
  )
    .update(`${headerB64}.${payloadB64}`)
    .verify(publicKey, signatureB64, "base64");
  if (!valid) {
    throw new JwtInvalidSignatureError("Invalid signature");
  }
}