fix: stable public and private key generation

server/api/private/hooks.ts

@@ -1,26 +1,16 @@
-import assert from 'assert';
 import type { UserEntity } from 'common/types/user';
 import { userQuery } from 'domain/user/repository/userQuery';
-import type { JWT_PROP_NAME } from 'service/constants';
 import { prismaClient } from 'service/prismaClient';
 import type { IdTokenJwt } from 'service/types';
 import { defineHooks } from './$relay';
 
-export type AdditionalRequest = {
-  [Key in typeof JWT_PROP_NAME]: IdTokenJwt;
-} & { user: UserEntity };
+export type AdditionalRequest = { user: UserEntity };
 
 export default defineHooks(() => ({
   onRequest: async (req, res) => {
-    try {
-      await req.jwtVerify({ onlyCookie: true });
-    } catch (e) {
-      res.status(401).send((e as Error).message);
-      return;
-    }
-
-    assert(req.idToken);
-
-    req.user = await userQuery.findById(prismaClient, req.idToken.sub);
+    req.user = await req
+      .jwtVerify<IdTokenJwt>({ onlyCookie: true })
+      .then((idToken) => userQuery.findById(prismaClient, idToken.sub))
+      .catch((e) => res.status(401).send((e as Error).message));
   },
 }));

server/domain/userPool/useCase/userPoolUseCase.ts

@@ -7,14 +7,18 @@ import { userPoolQuery } from '../repository/userPoolQuery';
 
 export const userPoolUseCase = {
   initDefaults: async (): Promise<void> => {
-    const pool = userPoolMethod.create({ id: DEFAULT_USER_POOL_ID });
-    const poolClient = userPoolMethod.createClient({
-      id: DEFAULT_USER_POOL_CLIENT_ID,
-      userPoolId: DEFAULT_USER_POOL_ID,
-    });
+    await userPoolQuery
+      .findById(prismaClient, DEFAULT_USER_POOL_ID)
+      .catch(() => userPoolCommand.save(userPoolMethod.create({ id: DEFAULT_USER_POOL_ID })));
 
-    await userPoolCommand.save(pool);
-    await userPoolCommand.saveClient(poolClient);
+    await userPoolQuery.findClientById(prismaClient, DEFAULT_USER_POOL_CLIENT_ID).catch(() =>
+      userPoolCommand.saveClient(
+        userPoolMethod.createClient({
+          id: DEFAULT_USER_POOL_CLIENT_ID,
+          userPoolId: DEFAULT_USER_POOL_ID,
+        }),
+      ),
+    );
   },
   listUserPools: async (
     req: ListUserPoolsTarget['reqBody'],

server/service/app.ts

@@ -10,7 +10,7 @@ import Fastify from 'fastify';
 import buildGetJwks from 'get-jwks';
 import { join } from 'path';
 import server from '../$server';
-import { COOKIE_NAME, JWT_PROP_NAME } from './constants';
+import { COOKIE_NAME } from './constants';
 
 export const init = (): FastifyInstance => {
   const fastify = Fastify();
@@ -27,7 +27,6 @@ export const init = (): FastifyInstance => {
     },
   );
   fastify.register(fastifyJwt, {
-    decoratorName: JWT_PROP_NAME,
     cookie: { cookieName: COOKIE_NAME, signed: false },
     decode: { complete: true },
     secret: (_: FastifyRequest, token: TokenOrHeader) => {

server/service/constants.ts

@@ -1,5 +1,3 @@
 export const COOKIE_NAME = 'session';
 
-export const JWT_PROP_NAME = 'idToken';
-
 export const EXPIRES_SEC = 3600;

server/service/privateKey.ts

@@ -1,5 +1,5 @@
 import type { Jwks } from 'common/types/userPool';
-import { createPublicKey, generateKeyPairSync } from 'crypto';
+import { createHash, createPublicKey, generateKeyPairSync } from 'crypto';
 import { JWK } from 'node-jose';
 
 export const genPrivatekey = (): string => {
@@ -15,10 +15,10 @@ export const genPrivatekey = (): string => {
 export const genJwks = async (privateKey: string): Promise<Jwks> => {
   const keystore = JWK.createKeyStore();
   const publicKey = createPublicKey(privateKey);
-  await keystore.add(publicKey.export({ type: 'spki', format: 'pem' }), 'pem', {
-    alg: 'RS256',
-    use: 'sig',
-  });
+  const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
+  const kid = createHash('sha256').update(publicKeyPem).digest('base64url');
+
+  await keystore.add(publicKeyPem, 'pem', { alg: 'RS256', use: 'sig', kid });
 
-  return keystore.toJSON(true) as Jwks;
+  return keystore.toJSON() as Jwks;
 };