base64url | Fast and url-safe base64 encoder and decoder for R

There are a few issues with your code:

1. The URL you call to obtain public keys returns a list of x509 certificates. These are not public keys used to verify signatures. Are you sure you don't have access directly to the public keys? It seems like it's possible to get the public key information from an x509 certificate (as described here: Extract PEM Public Key from X.509 Certificate), though I'm not sure whether that's possible from a Cloudflare worker.

2. In importPublicKey you're telling the import method, that the key is in raw format and that it is an HMAC key. This means that crypto treats your key as a symmetric HMAC key, not as a public key. According to the docs: https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey#subjectpublickeyinfo you should be using spki format as this is the one to import a public key. You would have to know up front whether the JWT access token is signed using RSA or Elliptic Curve algorithm. (e.g. check the alg header claim)

3. You're using sign method to verify the signature. That's not how it works. You should be using the verify method of crypto.subtle and this method will verify the signature for you.

I think you shouldn't be trying to verify JWTs manually, as you will most probably do it wrong (and create security issues for your app). You should be using libraries that deal with the verification of JWT signatures. It will be much easier for you and more secure for your app. One thing you have to figure out is to where you should take the public key from.

I think this should be like:

This ended up being a misunderstanding of what was being returned by the AWS SDK. According to the docs:

When used with the ECDSA_SHA_256, ECDSA_SHA_384, or ECDSA_SHA_512 signing algorithms, this value is a DER-encoded object as defined by ANS X9.62–2005 and RFC 3279 Section 2.2.3.

What this means is that I needed to perform one final step on the returned signature before adding it to my JWT. Using the ecdsa-sig-formatter package my final code takes the following shape:

This is because the file.dataURL property has not been set when the addedFile event is fired. See this post - DropzoneJS dataURL is undefined.

You're setting the timeout to give DropZone enough time to populate the value. But the disadvantage is that things could take longer than the time you've set.

You could do something like this:

add this to your pom.xml:

use doesn't return a config for you to pass into requests. As long as you are using the same instance, the config would get altered.

Here's the base64url decode code, taken from my jose universal javascript module which I suggest you use for any and all JOSE functionality instead of writing your own.

A new version of @grpc/grpc-js has been released that now fixes this issue with thanks to @murgatroid99. Just install v1.4.6 or later and update any dependencies as instructed in the original issue's thread.

Change this