Fixed AWS and NodeJS support

2025-09-13 10:23:25 +00:00 · 2024-01-04 19:54:14 +01:00
parent 15b438be48
commit 8c503269d1
3 changed files with 26 additions and 23 deletions
--- a/package.json
+++ b/package.json
@@ -15,8 +15,8 @@
    "preinstall": "npx only-allow pnpm"
  },
  "dependencies": {
    "@tsndr/cloudflare-worker-jwt": "^2.3.2",
    "h3": "^1.8.1",
    "jose": "^5.2.0",
    "nitropack": "latest"
  },
  "devDependencies": {
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -5,12 +5,12 @@ settings:
  excludeLinksFromLockfile: false
 dependencies:
  '@tsndr/cloudflare-worker-jwt':
    specifier: ^2.3.2
    version: 2.3.2
  h3:
    specifier: ^1.8.1
    version: 1.8.1
  jose:
    specifier: ^5.2.0
    version: 5.2.0
  nitropack:
    specifier: latest
    version: 2.6.3
@@ -704,10 +704,6 @@ packages:
      rollup: 3.29.1
    dev: false
  /@tsndr/cloudflare-worker-jwt@2.3.2:
    resolution: {integrity: sha512-g1jSm5olPqKh15kadnj0666YPudibHYGyFyM0URLXSeY5MzNIGkfhFedLgKHq8NCDBMzLUMX7Oz8d+jmQXqBuw==}
    dev: false
  /@types/estree@1.0.1:
    resolution: {integrity: sha512-LG4opVs2ANWZ1TJoKc937iMmNstM/d0ae1vNbnBvBhqCSezgVUOzcLCqbI5elV8Vy6WKwKjaqR+zO9VKirBBCA==}
    dev: false
@@ -2537,6 +2533,10 @@ packages:
    hasBin: true
    dev: false
  /jose@5.2.0:
    resolution: {integrity: sha512-oW3PCnvyrcm1HMvGTzqjxxfnEs9EoFOFWi2HsEGhlFVOXxTE3K9GKWVMFoFw06yPUqwpvEWic1BmtUZBI/tIjw==}
    dev: false
  /js-yaml@4.1.0:
    resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==}
    hasBin: true
--- a/src/utils/turnstile.ts
+++ b/src/utils/turnstile.ts
@@ -1,5 +1,5 @@
 import { H3Event, EventHandlerRequest } from 'h3';
-import jsonwebtoken from '@tsndr/cloudflare-worker-jwt';
+import { SignJWT, jwtVerify } from 'jose';
 import { getIp } from '@/utils/ip';
 const turnstileSecret = process.env.TURNSTILE_SECRET ?? null;
@@ -15,13 +15,10 @@ export function isTurnstileEnabled() {
 export async function makeToken(ip: string) {
  if (!jwtSecret) throw new Error('Cannot make token without a secret');
-  return await jsonwebtoken.sign(
+  return await new SignJWT({ ip })
-    {
+    .setProtectedHeader({ alg: 'HS256' })
-      ip,
+    .setExpirationTime('10m')
-      exp: Math.floor(Date.now() / 1000) + 60 * 10, // 10 Minutes
+    .sign(new TextEncoder().encode(jwtSecret));
    },
    jwtSecret,
  );
 }
 export function setTokenHeader(
@@ -54,13 +51,19 @@ export async function isAllowedToMakeRequest(
  if (token.startsWith(jwtPrefix)) {
    const jwtToken = token.slice(jwtPrefix.length);
-    const isValid = await jsonwebtoken.verify(jwtToken, jwtSecret, {
+    let jwtPayload: { ip: string } | null = null;
-      algorithm: 'HS256',
+    try {
-    });
+      const jwtResult = await jwtVerify<{ ip: string }>(
-    if (!isValid) return false;
+        jwtToken,
-    const jwtBody = jsonwebtoken.decode<{ ip: string }>(jwtToken);
+        new TextEncoder().encode(jwtSecret),
-    if (!jwtBody.payload) return false;
+        {
-    if (getIp(event) !== jwtBody.payload.ip) return false;
+          algorithms: ['HS256'],
        },
      );
      jwtPayload = jwtResult.payload;
    } catch {}
    if (!jwtPayload) return false;
    if (getIp(event) !== jwtPayload.ip) return false;
    return true;
  }