feat(iam-token-service): replace jsonwebtoken with jose

package.json

@@ -25,7 +25,7 @@
     "@grpc/grpc-js": "^1.6.12",
     "abort-controller-x": "^0.4.1",
     "axios": "^0.28.0",
-    "jsonwebtoken": "^9.0.0",
+    "jose": "^6.0.8",
     "lodash": "^4.17.21",
     "log4js": "^6.4.0",
     "long": "^5.2.0",
@@ -41,7 +41,6 @@
     "@commitlint/config-conventional": "^15.0.0",
     "@semantic-release/git": "^10.0.1",
     "@types/jest": "^27.0.3",
-    "@types/jsonwebtoken": "^8.5.6",
     "@types/lodash": "^4.14.178",
     "@types/luxon": "^2.0.8",
     "@types/node": "^16.11.3",

src/token-service/iam-token-service.ts

@@ -1,7 +1,7 @@
 import { credentials } from '@grpc/grpc-js';
-import * as jwt from 'jsonwebtoken';
 import { DateTime } from 'luxon';
 import { createChannel } from 'nice-grpc';
+import { importPKCS8, SignJWT } from 'jose';
 import { cloudApi, serviceClients } from '..';
 import { getServiceClientEndpoint } from '../service-endpoints';
 import { IIAmCredentials, ISslCredentials, TokenService } from '../types';
@@ -48,21 +48,27 @@ export class IamTokenService implements TokenService {
         return clientFactory.create(IamTokenServiceClient.service, channel);
     }
 
-    private getJwtRequest() {
+    private cleanPrivateKey(key: Buffer | string): string {
+        const stringKey = Buffer.isBuffer(key) ? key.toString() : key;
+
+        return stringKey.slice(stringKey.indexOf('-----BEGIN PRIVATE KEY-----'));
+    }
+
+    private async getJwtRequest() {
         const now = DateTime.utc();
         const expires = now.plus({ milliseconds: this.jwtExpirationTimeout });
-        const payload = {
-            iss: this.iamCredentials.serviceAccountId,
-            aud: 'https://iam.api.cloud.yandex.net/iam/v1/tokens',
-            iat: Math.round(now.toSeconds()),
-            exp: Math.round(expires.toSeconds()),
-        };
-        const options: jwt.SignOptions = {
-            algorithm: 'PS256',
-            keyid: this.iamCredentials.accessKeyId,
-        };
-
-        return jwt.sign(payload, this.iamCredentials.privateKey, options);
+        const alg = 'PS256';
+        const privateKey = await importPKCS8(this.cleanPrivateKey(this.iamCredentials.privateKey), alg);
+
+        const jwt = await new SignJWT()
+            .setProtectedHeader({ alg, kid: this.iamCredentials.accessKeyId, typ: 'JWT' })
+            .setIssuer(this.iamCredentials.serviceAccountId)
+            .setAudience('https://iam.api.cloud.yandex.net/iam/v1/tokens')
+            .setIssuedAt(Math.round(now.toSeconds()))
+            .setExpirationTime(Math.round(expires.toSeconds()))
+            .sign(privateKey);
+
+        return jwt;
     }
 
     private async initialize() {
@@ -81,7 +87,7 @@ export class IamTokenService implements TokenService {
 
         return this.client().create(
             cloudApi.iam.iam_token_service.CreateIamTokenRequest.fromPartial({
-                jwt: this.getJwtRequest(),
+                jwt: await this.getJwtRequest(),
             }),
             { deadline },
         );