refactor(cloudflare-access): decode token types (#1717)

Author: BarryThePenguin

packages/auth-js/eslint-suppressions.json

@@ -17,6 +17,9 @@
     "@typescript-eslint/await-thenable": {
       "count": 1
     },
+    "@typescript-eslint/no-unnecessary-type-conversion": {
+      "count": 1
+    },
     "@typescript-eslint/no-unsafe-assignment": {
       "count": 6
     }

packages/cloudflare-access/eslint-suppressions.json

@@ -1,24 +1 @@
-{
-  "src/index.test.ts": {
-    "@typescript-eslint/no-base-to-string": {
-      "count": 1
-    },
-    "@typescript-eslint/no-unsafe-assignment": {
-      "count": 2
-    },
-    "@typescript-eslint/require-await": {
-      "count": 3
-    }
-  },
-  "src/index.ts": {
-    "@typescript-eslint/no-unsafe-argument": {
-      "count": 1
-    },
-    "@typescript-eslint/no-unsafe-assignment": {
-      "count": 4
-    },
-    "@typescript-eslint/no-unsafe-member-access": {
-      "count": 3
-    }
-  }
-}
+{}

packages/cloudflare-access/src/index.test.ts

@@ -80,7 +80,7 @@ function base64URLEncode(str: string): string {
 
 function generateJWT(
   privateKey: string,
-  payload: Record<string, any>,
+  payload: Record<string, unknown>,
   expiresIn: number = 3600
 ): string {
   // Create header
@@ -120,7 +120,7 @@ describe('Cloudflare Access middleware', async () => {
 
   beforeEach(() => {
     vi.clearAllMocks()
-    vi.stubGlobal('fetch', async () => {
+    vi.stubGlobal('fetch', () => {
       return Response.json({
         keys: [publicKeyToJWK(keyPair1.publicKey), publicKeyToJWK(keyPair2.publicKey)],
       })
@@ -277,13 +277,13 @@ describe('Cloudflare Access middleware', async () => {
     expect(await res.json()).toEqual({
       sub: '1234567890',
       iss: 'https://my-cool-team-name.cloudflareaccess.com',
-      iat: expect.any(Number),
-      exp: expect.any(Number),
+      iat: expect.any(Number) as number,
+      exp: expect.any(Number) as number,
     })
   })
 
   it('Should throw an error, if the access organization does not exist', async () => {
-    vi.stubGlobal('fetch', async () => {
+    vi.stubGlobal('fetch', () => {
       return Response.json({ success: false }, { status: 404 })
     })
 
@@ -300,7 +300,7 @@ describe('Cloudflare Access middleware', async () => {
   })
 
   it('Should throw an error, if the access certs url is unavailable', async () => {
-    vi.stubGlobal('fetch', async () => {
+    vi.stubGlobal('fetch', () => {
       return Response.json({ success: false }, { status: 500 })
     })
 

packages/cloudflare-access/src/index.ts

@@ -55,7 +55,7 @@ export const cloudflareAccess = (accessTeamName: string): MiddlewareHandler => {
     let token
     try {
       token = decodeJwt(encodedToken)
-    } catch (err) {
+    } catch {
       return c.text('Authentication error: Unable to decode Bearer token', 401)
     }
 
@@ -108,7 +108,7 @@ async function getPublicKeys(accessTeamName: string) {
     })
   }
 
-  const data: any = await result.json()
+  const data = await result.json<{ keys: JsonWebKeyWithKid[] }>()
 
   // Because we keep CryptoKey's in memory between requests, we need to make sure they are refreshed once in a while
   const cacheExpiration = Math.floor(Date.now() / 1000) + 3600 // 1h
@@ -142,20 +142,16 @@ function getJwt(c: Context) {
 }
 
 function decodeJwt(token: string): DecodedToken {
-  const parts = token.split('.')
-  if (parts.length !== 3) {
+  const [header, payload, signature] = token.split('.')
+  if (!header || !payload || !signature) {
     throw new Error('Invalid token')
   }
 
-  const header = JSON.parse(atob(parts[0] as string))
-  const payload = JSON.parse(atob(parts[1] as string))
-  const signature = atob((parts[2] as string).replace(/_/g, '/').replace(/-/g, '+'))
-
   return {
-    header: header,
-    payload: payload,
-    signature: signature,
-    raw: { header: parts[0], payload: parts[1], signature: parts[2] },
+    header: JSON.parse(atob(header)) as object,
+    payload: JSON.parse(atob(payload)) as CloudflareAccessPayload,
+    signature: atob(signature.replace(/_/g, '/').replace(/-/g, '+')),
+    raw: { header, payload, signature },
   }
 }
 
@@ -178,8 +174,8 @@ async function isValidJwtSignature(token: DecodedToken, keys: Record<string, Cry
 
 async function validateSingleKey(
   key: CryptoKey,
-  signature: Uint8Array,
-  data: Uint8Array
+  signature: BufferSource,
+  data: BufferSource
 ): Promise<boolean> {
   return crypto.subtle.verify('RSASSA-PKCS1-v1_5', key, signature, data)
 }

packages/eslint-config/package.json

@@ -29,6 +29,6 @@
     "eslint-import-resolver-typescript": "^4.2.2",
     "eslint-plugin-import-x": "^4.1.1",
     "eslint-plugin-n": "^17.10.2",
-    "typescript-eslint": "^8.27.0"
+    "typescript-eslint": "^8.53.1"
   }
 }

packages/mcp/eslint-suppressions.json

@@ -76,9 +76,6 @@
     }
   },
   "src/auth/middleware/client-auth.ts": {
-    "@typescript-eslint/no-base-to-string": {
-      "count": 1
-    },
     "@typescript-eslint/no-unsafe-assignment": {
       "count": 1
     }

packages/swagger-ui/eslint-suppressions.json

@@ -1,5 +1,8 @@
 {
   "src/index.test.ts": {
+    "@typescript-eslint/no-unnecessary-type-conversion": {
+      "count": 4
+    },
     "@typescript-eslint/restrict-template-expressions": {
       "count": 2
     }

packages/ua-blocker/eslint-suppressions.json

@@ -4,6 +4,11 @@
       "count": 1
     }
   },
+  "src/ai-bots.test.ts": {
+    "@typescript-eslint/await-thenable": {
+      "count": 1
+    }
+  },
   "src/ai-bots.ts": {
     "@typescript-eslint/require-await": {
       "count": 1