/**
* postgres-mcp - Token Validator
*
* JWT token validation with JWKS support.
*/
import * as jose from 'jose';
import type { TokenValidatorConfig, TokenValidationResult, TokenClaims } from './types.js';
import { JwksFetchError } from './errors.js';
import { parseScopes } from './scopes.js';
import { logger } from '../utils/logger.js';
/**
* JWT Token Validator with JWKS support
*/
export class TokenValidator {
private readonly config: TokenValidatorConfig;
private jwksCache: jose.JWTVerifyGetKey | null = null;
private jwksCacheTime = 0;
constructor(config: TokenValidatorConfig) {
this.config = {
...config,
clockTolerance: config.clockTolerance ?? 60,
jwksCacheTtl: config.jwksCacheTtl ?? 3600,
algorithms: config.algorithms ?? ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512']
};
}
/**
* Validate a JWT token
*/
async validate(token: string): Promise<TokenValidationResult> {
try {
// Get or refresh JWKS
const jwks = this.getJWKS();
// Build verification options
const verifyOptions: jose.JWTVerifyOptions = {
issuer: this.config.issuer,
audience: this.config.audience
};
if (this.config.clockTolerance !== undefined) {
verifyOptions.clockTolerance = this.config.clockTolerance;
}
// Verify the token
const { payload } = await jose.jwtVerify(token, jwks, verifyOptions);
// Extract claims
const claims: TokenClaims = {
sub: payload.sub ?? '',
scopes: parseScopes(payload['scope'] as string | undefined),
exp: payload.exp ?? 0,
iat: payload.iat ?? 0,
iss: payload.iss,
aud: payload.aud,
nbf: payload.nbf,
jti: payload.jti,
client_id: payload['client_id'] as string | undefined
};
logger.debug('Token validated successfully', { sub: claims.sub });
return { valid: true, claims };
} catch (error) {
return this.handleValidationError(error);
}
}
/**
* Get or refresh JWKS cache
*/
private getJWKS(): jose.JWTVerifyGetKey {
const now = Date.now();
const cacheTtlMs = (this.config.jwksCacheTtl ?? 3600) * 1000;
// Check if cache is still valid
if (this.jwksCache && (now - this.jwksCacheTime) < cacheTtlMs) {
return this.jwksCache;
}
try {
// Create new JWKS remote key set
this.jwksCache = jose.createRemoteJWKSet(new URL(this.config.jwksUri));
this.jwksCacheTime = now;
logger.debug('JWKS cache refreshed', { uri: this.config.jwksUri });
return this.jwksCache;
} catch (error) {
logger.error('Failed to fetch JWKS', { uri: this.config.jwksUri, error: String(error) });
throw new JwksFetchError(`Failed to fetch JWKS from ${this.config.jwksUri}`);
}
}
/**
* Handle validation errors
*/
private handleValidationError(error: unknown): TokenValidationResult {
if (error instanceof jose.errors.JWTExpired) {
return {
valid: false,
error: 'Token has expired',
errorCode: 'TOKEN_EXPIRED'
};
}
if (error instanceof jose.errors.JWSSignatureVerificationFailed) {
return {
valid: false,
error: 'Invalid token signature',
errorCode: 'INVALID_SIGNATURE'
};
}
if (error instanceof jose.errors.JWTClaimValidationFailed) {
return {
valid: false,
error: `Claim validation failed: ${error.message}`,
errorCode: 'INVALID_CLAIMS'
};
}
// Generic error
return {
valid: false,
error: error instanceof Error ? error.message : 'Token validation failed',
errorCode: 'INVALID_TOKEN'
};
}
/**
* Invalidate JWKS cache (for testing or forced refresh)
*/
invalidateCache(): void {
this.jwksCache = null;
this.jwksCacheTime = 0;
}
}
/**
* Create a token validator instance
*/
export function createTokenValidator(config: TokenValidatorConfig): TokenValidator {
return new TokenValidator(config);
}
