// `jwtVerify` performs the signature and claim checks; `createRemoteJWKSet` fetches
// (and caches) the issuer's public keys from a JWKS URL.
import { jwtVerify, createRemoteJWKSet, type JWTPayload as JoseJWTPayload } from 'jose';
// Project-local claim shape returned to callers; declared in ../types (not visible here).
import type { JWTPayload } from '../types';

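/**
 * One remote JWKS client per issuer, created lazily.
 *
 * jose's JWKS client caches the fetched key set and rate-limits refetches for
 * unknown `kid`s; building a new client on every call discards that state and
 * turns each verification into a fresh `/cdn-cgi/access/certs` request.
 */
const jwksByIssuer = new Map<string, ReturnType<typeof createRemoteJWKSet>>();

/**
 * Normalize a team domain to the issuer form used in the `iss` check:
 * `https://` prefix added when absent, surrounding whitespace and any trailing
 * slash removed (a trailing slash would otherwise break both the `iss`
 * comparison and the JWKS URL built from it).
 *
 * @param teamDomain - Team domain with or without the `https://` prefix
 * @returns The normalized issuer string
 */
function accessIssuer(teamDomain: string): string {
  const bare = teamDomain.trim().replace(/\/+$/, '');
  return bare.startsWith('https://') ? bare : `https://${bare}`;
}

/**
 * Return the cached JWKS client for an issuer, creating it on first use.
 *
 * @param issuer - Normalized issuer (see accessIssuer)
 * @returns The jose remote JWKS resolver for `${issuer}/cdn-cgi/access/certs`
 */
function jwksFor(issuer: string): ReturnType<typeof createRemoteJWKSet> {
  let jwks = jwksByIssuer.get(issuer);
  if (jwks === undefined) {
    jwks = createRemoteJWKSet(new URL(`${issuer}/cdn-cgi/access/certs`));
    jwksByIssuer.set(issuer, jwks);
  }
  return jwks;
}

/**
 * Verify a Cloudflare Access JWT token using the jose library.
 *
 * This follows Cloudflare's recommended approach:
 * https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/#cloudflare-workers-example
 *
 * `jwtVerify` checks the signature against the issuer's published keys and
 * enforces the `iss` and `aud` claims given here; jose also rejects tokens
 * outside their `exp`/`nbf` window. Any other claim on the returned payload is
 * passed through unvalidated.
 *
 * @param token - The JWT token string
 * @param teamDomain - The Cloudflare Access team domain (e.g., 'myteam.cloudflareaccess.com'), with or without the `https://` prefix
 * @param expectedAud - The expected audience (Application AUD tag)
 * @returns The decoded JWT payload if valid
 * @throws Error if the token is invalid, expired, or doesn't match expected values
 */
export async function verifyAccessJWT(
  token: string,
  teamDomain: string,
  expectedAud: string
): Promise<JWTPayload> {
  const issuer = accessIssuer(teamDomain);

  // jose limits accepted algorithms to those the fetched JWKs advertise; pass
  // `algorithms` here as well if the key set is known to use a single alg.
  const { payload } = await jwtVerify(token, jwksFor(issuer), {
    issuer,
    audience: expectedAud,
  });

  // jose returns its generic claim set; the project's JWTPayload is assumed to
  // be a compatible superset — nothing beyond iss/aud/exp/nbf is checked here,
  // so callers must treat extra claims as possibly absent.
  return payload as unknown as JWTPayload;
}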