chore(deps): bump jsonwebtoken from 8.5.1 to 9.0.0

Bumps [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) from 8.5.1 to 9.0.0.
- [Release notes](https://github.com/auth0/node-jsonwebtoken/releases)
- [Changelog](https://github.com/auth0/node-jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](https://github.com/auth0/node-jsonwebtoken/compare/v8.5.1...v9.0.0)

app.js

@@ -15,6 +15,7 @@ let issuer = process.env.ISSUER || 'localhost:3333'
 let jwksOrigin = `https://${issuer}/`
 const audience = process.env.AUDIENCE || 'https://generic-audience'
 const adminCustomClaim = process.env.ADMIN_CUSTOM_CLAIM || 'https://unbound.se/admin'
+const emailCustomClaim = process.env.EMAIL_CUSTOM_CLAIM || 'https://unbound.se/email'
 
 const debug = Debug('app')
 
@@ -27,10 +28,29 @@ const corsOpts = (req, cb) => {
   cb(null, { origin: req.headers.origin })
 }
 
+const addCustomClaims = (email, customClaims, token) => {
+  const emailClaim = {}
+  emailClaim[emailCustomClaim] = email
+  return [...customClaims, emailClaim].reduce((acc, claim) => {
+    return {
+      ...acc,
+      ...claim
+    }
+  }, token)
+
+}
+
+const signToken = (token) => {
+  return jwt.sign(Buffer.from(JSON.stringify(token)), privateKey, {
+    algorithm: 'RS256',
+    keyid: thumbprint
+  })
+}
+
 // Configure our small auth0-mock-server
 app.options('*', cors(corsOpts))
   .use(cors())
-  .use(bodyParser.json())
+  .use(bodyParser.json({ strict: false }))
   .use(bodyParser.urlencoded({ extended: true }))
   .use(cookieParser())
   .use(express.static(`${__dirname}/public`))
@@ -38,53 +58,73 @@ app.options('*', cors(corsOpts))
 
 // This route can be used to generate a valid jwt-token.
 app.post('/oauth/token', (req, res) => {
-  const code = req.body.code
-  const session = sessions[code]
-
   let date = Math.floor(Date.now() / 1000)
-  let accessToken = jwt.sign(Buffer.from(JSON.stringify({
-    iss: jwksOrigin,
-    aud: [audience],
-    sub: 'auth0|' + session.email,
-    iat: date,
-    exp: date + 7200,
-    azp: session.clientId
-  })), privateKey, {
-    algorithm: 'RS256',
-    keyid: thumbprint
-  })
+  if (req.body.grant_type === 'client_credentials' && req.body.client_id) {
+    let accessToken = signToken({
+      iss: jwksOrigin,
+      aud: [audience],
+      sub: 'auth0|management',
+      iat: date,
+      exp: date + 7200,
+      azp: req.body.client_id
+    })
 
-  const token = session.customClaims.reduce((acc, claim) => {
-    return {
-      ...acc,
-      ...claim
-    }
-  }, {
-    iss: jwksOrigin,
-    aud: session.clientId,
-    nonce: session.nonce,
-    sub: 'auth0|' + session.email,
-    iat: date,
-    exp: date + 7200,
-    azp: session.clientId,
-    name: 'Example Person',
-    picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
-  })
-  let idToken = jwt.sign(Buffer.from(JSON.stringify(token)), privateKey, {
-    algorithm: 'RS256',
-    keyid: thumbprint
-  })
+    let idToken = signToken({
+      iss: jwksOrigin,
+      aud: req.body.client_id,
+      sub: 'auth0|management',
+      iat: date,
+      exp: date + 7200,
+      azp: req.body.client_id,
+      name: 'Management API'
+    })
 
-  debug('Signed token for ' + session.email)
-  // res.json({ token });
+    debug('Signed token for management API')
 
-  res.json({
-    access_token: accessToken,
-    id_token: idToken,
-    scope: 'openid%20profile%20email',
-    expires_in: 7200,
-    token_type: 'Bearer'
-  })
+    res.json({
+      access_token: accessToken,
+      id_token: idToken,
+      scope: 'openid%20profile%20email',
+      expires_in: 7200,
+      token_type: 'Bearer'
+    })
+  } else if (req.body.code) {
+    const code = req.body.code
+    const session = sessions[code]
+    let accessToken = signToken(addCustomClaims(session.email, session.customClaims, {
+      iss: jwksOrigin,
+      aud: [audience],
+      sub: 'auth0|' + session.email,
+      iat: date,
+      exp: date + 7200,
+      azp: session.clientId
+    }))
+
+    let idToken = signToken(addCustomClaims(session.email, session.customClaims, {
+      iss: jwksOrigin,
+      aud: session.clientId,
+      nonce: session.nonce,
+      sub: 'auth0|' + session.email,
+      iat: date,
+      exp: date + 7200,
+      azp: session.clientId,
+      name: 'Example Person',
+      picture: 'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
+    }))
+
+    debug('Signed token for ' + session.email)
+
+    res.json({
+      access_token: accessToken,
+      id_token: idToken,
+      scope: 'openid%20profile%20email',
+      expires_in: 7200,
+      token_type: 'Bearer'
+    })
+  } else {
+    res.status(401)
+    res.send('Missing client_id or client_secret')
+  }
 })
 
 // This route can be used to generate a valid jwt-token.
@@ -257,7 +297,7 @@ app.post('/issuer', (req, res) => {
   }
   issuer = req.body.issuer
   jwksOrigin = `https://${issuer}/`
-  const { privateKey: key, certDer: der, thumbPrint: thumb, exponent: exp, modulus: mod } = cert(jwksOrigin)
+  const { privateKey: key, certDer: der, thumbprint: thumb, exponent: exp, modulus: mod } = cert(jwksOrigin)
   privateKey = key
   certDer = der
   thumbprint = thumb
@@ -267,6 +307,28 @@ app.post('/issuer', (req, res) => {
   res.send('ok')
 })
 
+app.get('/api/v2/users-by-email', (req, res) => {
+  res.json([])
+})
+
+app.post('/api/v2/users', (req, res) => {
+  const email = req.body.email
+  res.json({
+    user_id: `auth0|${email}`
+  })
+})
+
+app.post('/api/v2/tickets/password-change', (req, res) => {
+  res.json({
+    ticket: `https://some-url`
+  })
+})
+
+app.use(function(req, res, next) {
+  console.log('404', req.path)
+  res.status(404).send('error: 404 Not Found ' + req.path)
+})
+
 app.listen(3333, () => {
   debug('Auth0-Mock-Server listening on port 3333!')
 })

cert.js

@@ -1,132 +1,132 @@
-const base64url = require('base64-url');
-const createHash = require('crypto').createHash;
-const forge = require('node-forge');
-const NodeRSA = require('node-rsa');
+const base64url = require('base64-url')
+const createHash = require('crypto').createHash
+const forge = require('node-forge')
+const NodeRSA = require('node-rsa')
 
 const PRIVATE_KEY_PEM =
-    '-----BEGIN RSA PRIVATE KEY-----\n' +
-    'MIIEpAIBAAKCAQEApoocpO3bbUF6o8eyJlQCfwLahEsunWdVF++yOEyKu4Lp1j0m\n' +
-    '2j/P7iHOtxBAkjdM2X2oW3qO1mR0sIFefqnm93g0q2nRuYEoS+W3o6X50wjOVm8f\n' +
-    'r/tLqELzy5BoET0AQl7Axp1DNsb0HNOBcoIBt+xVY4I+k6uXJJJMzbgvahAgSLZ9\n' +
-    'RW0Z0WT+dCHZpZUj0nLxNXIPdci65Bw6IognqXHP6AwKZXpT6jCzjzq9uyHxVcud\n' +
-    'qw6j0kQw48/A5A6AN5fIVy1cKnd0sKdqRX1NUqVoiOrO4jaDB1IdLD+YmRE/JjOH\n' +
-    'sWIMElYCPxKqnsNo6VCslGX/ziinArHhqRBrHwIDAQABAoIBAHAdmpsN5iLvafjI\n' +
-    'f45+EBAhg6p8Uq102zx6CakNHniN8Y5hLL7RJtJRwDBNqKrGv93LUoQDRhXfGw+Y\n' +
-    'iF0NVIhVTF/5pU8VPGOcCr0JB96ilwZpWRPIQW7NZAMu/GBeiMYls/IB/TXrSnv9\n' +
-    'h6/nBfEkEXgkPqx7YA0m0L3NuV3U1lCY/LhBJY4Xvi0uRdqu3tTHXftehuPwC4UB\n' +
-    '42eJTWv/qLeOlkCdUUV4f7+dNaES88Vdhj6lu/BusnNhvnwHQik4dNwzPCGeP8NV\n' +
-    '5gaesWiNWFZuTURGKk1B65p5LzNPjsVT50RDuW8FnSZwIvNcohrX9ILPsmg/t0Kr\n' +
-    'ozcOksECgYEA4XWOK4twx5RG162zveRHqU7H9RBWSz7/PzM9Eob9vx/tC/b1YqBR\n' +
-    'VShk23vje19eNiYWAkxcpobIP4ek/0ZT8nHkJg8wl+J/hnXADcvwv2dKnoFnm5pn\n' +
-    'rTBUKc8R3wrSlAV8XQAtdnxsfFa5AOQJ6WFVI9AdfH3Iw8XZk4gIIPMCgYEAvRlY\n' +
-    'y80HnR3kwMOqY488V1qk41dmfNqa+YDL+zkPF1HhHI9VnK5BQuI7lyKJl984KwHu\n' +
-    '0gbwx3Wp4XkD5JUboEpl5LnaLsjEWemjTaQWdvJHPd5wkJ0m/jRQ2YeT4g2gFu4y\n' +
-    'Pi/pWkrzhnzQQVAmOdAm5Kj27LtDzp0lspw3uCUCgYEAw2YdvFGSgfZZW4147QeO\n' +
-    'sAbON+9bysUjdMPUl10VR/LEgA0d6MdnFfX3S13Y7tDdlvJ1OrKxzcWcgaru7ism\n' +
-    'kEXy5KVfiRNNUNx2gb6RvWEpA6zFfc9ZMXlkSAPlyjfX/1+tw/Bmdn0pjK2gk0wP\n' +
-    '5wtrPameFInzWPD9O+a2nM8CgYBZ6UhgNs+M9B7FTQOiLQPa4R2PfwobCXIwef4D\n' +
-    'KIE1bFgl1T02r2AWZi1BUkmr7ZXuVQ/xyx0HKbopm/mu4PruvxEtrPTB0/IQcleU\n' +
-    'XhXUXqRjFXXePOrCaaubkqxNCn95B67aBLvmk8awxn3a4DocuQ0VIgWuT+gQwIWh\n' +
-    'JEgWBQKBgQDKD+2Yh1/rUzu15lbPH0JSpozUinuFjePieR/4n+5CtEUxWJ2f0WeK\n' +
-    's4XWWf2qgUccjpiGju2UR840mgWROoZ8BfSTd5tg1F7bo0HMgu2hu0RIRpZcRhsA\n' +
-    'Cd0GrJvf1t0QIdDCXAy+RpgU1SLSq4Q6Lomc0WA5C5nBw9RKEUOV9A==\n' +
-    '-----END RSA PRIVATE KEY-----\n';
+  '-----BEGIN RSA PRIVATE KEY-----\n' +
+  'MIIEpAIBAAKCAQEApoocpO3bbUF6o8eyJlQCfwLahEsunWdVF++yOEyKu4Lp1j0m\n' +
+  '2j/P7iHOtxBAkjdM2X2oW3qO1mR0sIFefqnm93g0q2nRuYEoS+W3o6X50wjOVm8f\n' +
+  'r/tLqELzy5BoET0AQl7Axp1DNsb0HNOBcoIBt+xVY4I+k6uXJJJMzbgvahAgSLZ9\n' +
+  'RW0Z0WT+dCHZpZUj0nLxNXIPdci65Bw6IognqXHP6AwKZXpT6jCzjzq9uyHxVcud\n' +
+  'qw6j0kQw48/A5A6AN5fIVy1cKnd0sKdqRX1NUqVoiOrO4jaDB1IdLD+YmRE/JjOH\n' +
+  'sWIMElYCPxKqnsNo6VCslGX/ziinArHhqRBrHwIDAQABAoIBAHAdmpsN5iLvafjI\n' +
+  'f45+EBAhg6p8Uq102zx6CakNHniN8Y5hLL7RJtJRwDBNqKrGv93LUoQDRhXfGw+Y\n' +
+  'iF0NVIhVTF/5pU8VPGOcCr0JB96ilwZpWRPIQW7NZAMu/GBeiMYls/IB/TXrSnv9\n' +
+  'h6/nBfEkEXgkPqx7YA0m0L3NuV3U1lCY/LhBJY4Xvi0uRdqu3tTHXftehuPwC4UB\n' +
+  '42eJTWv/qLeOlkCdUUV4f7+dNaES88Vdhj6lu/BusnNhvnwHQik4dNwzPCGeP8NV\n' +
+  '5gaesWiNWFZuTURGKk1B65p5LzNPjsVT50RDuW8FnSZwIvNcohrX9ILPsmg/t0Kr\n' +
+  'ozcOksECgYEA4XWOK4twx5RG162zveRHqU7H9RBWSz7/PzM9Eob9vx/tC/b1YqBR\n' +
+  'VShk23vje19eNiYWAkxcpobIP4ek/0ZT8nHkJg8wl+J/hnXADcvwv2dKnoFnm5pn\n' +
+  'rTBUKc8R3wrSlAV8XQAtdnxsfFa5AOQJ6WFVI9AdfH3Iw8XZk4gIIPMCgYEAvRlY\n' +
+  'y80HnR3kwMOqY488V1qk41dmfNqa+YDL+zkPF1HhHI9VnK5BQuI7lyKJl984KwHu\n' +
+  '0gbwx3Wp4XkD5JUboEpl5LnaLsjEWemjTaQWdvJHPd5wkJ0m/jRQ2YeT4g2gFu4y\n' +
+  'Pi/pWkrzhnzQQVAmOdAm5Kj27LtDzp0lspw3uCUCgYEAw2YdvFGSgfZZW4147QeO\n' +
+  'sAbON+9bysUjdMPUl10VR/LEgA0d6MdnFfX3S13Y7tDdlvJ1OrKxzcWcgaru7ism\n' +
+  'kEXy5KVfiRNNUNx2gb6RvWEpA6zFfc9ZMXlkSAPlyjfX/1+tw/Bmdn0pjK2gk0wP\n' +
+  '5wtrPameFInzWPD9O+a2nM8CgYBZ6UhgNs+M9B7FTQOiLQPa4R2PfwobCXIwef4D\n' +
+  'KIE1bFgl1T02r2AWZi1BUkmr7ZXuVQ/xyx0HKbopm/mu4PruvxEtrPTB0/IQcleU\n' +
+  'XhXUXqRjFXXePOrCaaubkqxNCn95B67aBLvmk8awxn3a4DocuQ0VIgWuT+gQwIWh\n' +
+  'JEgWBQKBgQDKD+2Yh1/rUzu15lbPH0JSpozUinuFjePieR/4n+5CtEUxWJ2f0WeK\n' +
+  's4XWWf2qgUccjpiGju2UR840mgWROoZ8BfSTd5tg1F7bo0HMgu2hu0RIRpZcRhsA\n' +
+  'Cd0GrJvf1t0QIdDCXAy+RpgU1SLSq4Q6Lomc0WA5C5nBw9RKEUOV9A==\n' +
+  '-----END RSA PRIVATE KEY-----\n'
 
 const PUBLIC_KEY_PEM =
-    '-----BEGIN PUBLIC KEY-----\n' +
-    'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApoocpO3bbUF6o8eyJlQC\n' +
-    'fwLahEsunWdVF++yOEyKu4Lp1j0m2j/P7iHOtxBAkjdM2X2oW3qO1mR0sIFefqnm\n' +
-    '93g0q2nRuYEoS+W3o6X50wjOVm8fr/tLqELzy5BoET0AQl7Axp1DNsb0HNOBcoIB\n' +
-    't+xVY4I+k6uXJJJMzbgvahAgSLZ9RW0Z0WT+dCHZpZUj0nLxNXIPdci65Bw6Iogn\n' +
-    'qXHP6AwKZXpT6jCzjzq9uyHxVcudqw6j0kQw48/A5A6AN5fIVy1cKnd0sKdqRX1N\n' +
-    'UqVoiOrO4jaDB1IdLD+YmRE/JjOHsWIMElYCPxKqnsNo6VCslGX/ziinArHhqRBr\n' +
-    'HwIDAQAB\n' +
-    '-----END PUBLIC KEY-----\n';
+  '-----BEGIN PUBLIC KEY-----\n' +
+  'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApoocpO3bbUF6o8eyJlQC\n' +
+  'fwLahEsunWdVF++yOEyKu4Lp1j0m2j/P7iHOtxBAkjdM2X2oW3qO1mR0sIFefqnm\n' +
+  '93g0q2nRuYEoS+W3o6X50wjOVm8fr/tLqELzy5BoET0AQl7Axp1DNsb0HNOBcoIB\n' +
+  't+xVY4I+k6uXJJJMzbgvahAgSLZ9RW0Z0WT+dCHZpZUj0nLxNXIPdci65Bw6Iogn\n' +
+  'qXHP6AwKZXpT6jCzjzq9uyHxVcudqw6j0kQw48/A5A6AN5fIVy1cKnd0sKdqRX1N\n' +
+  'UqVoiOrO4jaDB1IdLD+YmRE/JjOHsWIMElYCPxKqnsNo6VCslGX/ziinArHhqRBr\n' +
+  'HwIDAQAB\n' +
+  '-----END PUBLIC KEY-----\n'
 
 const createCertificate = ({
-                               publicKey,
-                               privateKey,
-                               jwksOrigin,
+                             publicKey,
+                             privateKey,
+                             jwksOrigin
                            }) => {
-    const cert = forge.pki.createCertificate();
-    cert.publicKey = publicKey;
-    cert.serialNumber = '123';
-    const attrs = [
-        {
-            name: 'commonName',
-            value: `${jwksOrigin}`,
-        },
-    ];
-    cert.validity.notBefore = new Date();
-    cert.validity.notAfter = new Date();
-    cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
-    cert.setSubject(attrs);
-    cert.setIssuer(attrs);
-    cert.sign(privateKey);
-    return forge.pki.certificateToPem(cert)
-};
+  const cert = forge.pki.createCertificate()
+  cert.publicKey = publicKey
+  cert.serialNumber = '123'
+  const attrs = [
+    {
+      name: 'commonName',
+      value: `${jwksOrigin}`
+    }
+  ]
+  cert.validity.notBefore = new Date()
+  cert.validity.notAfter = new Date()
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1)
+  cert.setSubject(attrs)
+  cert.setIssuer(attrs)
+  cert.sign(privateKey)
+  return forge.pki.certificateToPem(cert)
+}
 
 const getCertThumbprint = (certificate) => {
-    const shasum = createHash('sha1');
-    const der = Buffer.from(certificate).toString('binary');
-    shasum.update(der);
-    return shasum.digest('base64')
-};
+  const shasum = createHash('sha1')
+  const der = Buffer.from(certificate).toString('binary')
+  shasum.update(der)
+  return shasum.digest('base64')
+}
 
 const createKeyPair = () => {
-    const privateKey = forge.pki.privateKeyFromPem(PRIVATE_KEY_PEM);
-    const publicKey = forge.pki.publicKeyFromPem(PUBLIC_KEY_PEM);
-    return {
-        privateKey,
-        publicKey,
-    }
-};
+  const privateKey = forge.pki.privateKeyFromPem(PRIVATE_KEY_PEM)
+  const publicKey = forge.pki.publicKeyFromPem(PUBLIC_KEY_PEM)
+  return {
+    privateKey,
+    publicKey
+  }
+}
 
 const bnToB64 = (bn) => {
-    let hex = BigInt(bn).toString(16);
-    if (hex.length % 2) {
-        hex = '0' + hex;
-    }
+  let hex = BigInt(bn).toString(16)
+  if (hex.length % 2) {
+    hex = '0' + hex
+  }
 
-    const bin = [];
-    let i = 0;
-    let d;
-    let b;
-    while (i < hex.length) {
-        d = parseInt(hex.slice(i, i + 2), 16);
-        b = String.fromCharCode(d);
-        bin.push(b);
-        i += 2;
-    }
+  const bin = []
+  let i = 0
+  let d
+  let b
+  while (i < hex.length) {
+    d = parseInt(hex.slice(i, i + 2), 16)
+    b = String.fromCharCode(d)
+    bin.push(b)
+    i += 2
+  }
 
-    return Buffer.from(bin.join(''), 'binary').toString('base64');
-};
+  return Buffer.from(bin.join(''), 'binary').toString('base64')
+}
 
 const setup = (jwksOrigin) => {
-    const {privateKey, publicKey} = createKeyPair();
-    const certPem = createCertificate({
-        jwksOrigin,
-        privateKey,
-        publicKey,
-    });
-    const certDer = forge.util.encode64(
-        forge.asn1
-            .toDer(forge.pki.certificateToAsn1(forge.pki.certificateFromPem(certPem)))
-            .getBytes()
-    );
-    const thumbprint = base64url.encode(getCertThumbprint(certDer));
+  const { privateKey, publicKey } = createKeyPair()
+  const certPem = createCertificate({
+    jwksOrigin,
+    privateKey,
+    publicKey
+  })
+  const certDer = forge.util.encode64(
+    forge.asn1
+      .toDer(forge.pki.certificateToAsn1(forge.pki.certificateFromPem(certPem)))
+      .getBytes()
+  )
+  const thumbprint = base64url.encode(getCertThumbprint(certDer))
 
-    const helperKey = new NodeRSA();
-    helperKey.importKey(forge.pki.privateKeyToPem(privateKey));
-    const {n: modulus, e: exponent} = helperKey.exportKey('components');
+  const helperKey = new NodeRSA()
+  helperKey.importKey(forge.pki.privateKeyToPem(privateKey))
+  const { n: modulus, e: exponent } = helperKey.exportKey('components')
 
-    return {
-        privateKey: forge.pki.privateKeyToPem(privateKey),
-        certDer: certDer,
-        thumbPrint: thumbprint,
-        exponent: bnToB64(exponent),
-        modulus: modulus.toString('base64')
-    }
-};
+  return {
+    privateKey: forge.pki.privateKeyToPem(privateKey),
+    certDer,
+    thumbprint: thumbprint.toString(),
+    exponent: bnToB64(exponent),
+    modulus: modulus.toString('base64')
+  }
+}
 
-module.exports = setup;
+module.exports = setup

package.json

@@ -12,17 +12,17 @@
   "license": "MIT",
   "dependencies": {
     "base64-url": "^2.3.3",
-    "body-parser": "^1.20.0",
+    "body-parser": "^1.20.1",
     "buffer": "^6.0.3",
     "cookie-parser": "^1.4.6",
     "cors": "^2.8.3",
     "debug": "^4.3.4",
-    "express": "^4.17.3",
+    "express": "^4.18.2",
     "https-localhost": "^4.7.1",
-    "jsonwebtoken": "^8.5.1",
+    "jsonwebtoken": "^9.0.0",
     "node-forge": "^1.3.1",
     "node-rsa": "^1.1.1",
-    "nodemon": "^2.0.15",
+    "nodemon": "^2.0.20",
     "serve-favicon": "^2.4.2"
   }
 }