From 6550ea42116bbf628fdea692860fe4820377ac03 Mon Sep 17 00:00:00 2001
From: Martin Crawford
Date: Fri, 22 Dec 2017 12:37:00 -0500
Subject: [PATCH 1/2] Add option to pass a fully parsed JWT object to the key resolver.
---
 README.md | 2 +-
 index.js | 9 ++++++++-
 test/key-resolver.js | 19 +++++++++++++++++--
 3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 0676407..b7c4cf4 100644
--- a/README.md
+++ b/README.md
@@ -255,7 +255,7 @@ verifier.verify(tokenB, function(err, verifiedJwt) {
 });
 ```
-
+By default the key resolver function is passed provided `kid` property of the JWT header, however, by setting the property `setResolveByJwt(true);` on the verifier the key resolver may be passed a fully parsed JWT object instead.
 #### Expiration Claim
diff --git a/index.js b/index.js
index c44df8c..dbeb335 100644
--- a/index.js
+++ b/index.js
@@ -321,6 +321,7 @@ function Verifier(){
 }
 this.setSigningAlgorithm('HS256');
 this.setKeyResolver(defaultKeyResolver.bind(this));
+ this.keyResolveByJwt = false;
 return this;
 }
 Verifier.prototype.setSigningAlgorithm = function setSigningAlgorithm(alg) {
@@ -337,6 +338,10 @@ Verifier.prototype.setSigningKey = function setSigningKey(keyStr) {
 Verifier.prototype.setKeyResolver = function setKeyResolver(keyResolver) {
 this.keyResolver = keyResolver.bind(this);
 };
+Verifier.prototype.setKeyResolveByJwt = function setResolveByJwt(keyResolveByJwt) {
+ this.keyResolveByJwt = keyResolveByJwt;
+ return this;
+};
 Verifier.prototype.isSupportedAlg = isSupportedAlg;
 Verifier.prototype.verify = function verify(jwtString,cb){
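Review bot: In the index.js hunk at `@@ -337,6 +338,10 @@` the setter is installed as `setKeyResolveByJwt` but its function expression is named `setResolveByJwt`, and the README line added in this same patch tells users to call `setResolveByJwt(true);`, a property this hunk never defines on the verifier. Use one name throughout, e.g. `Verifier.prototype.setKeyResolveByJwt = function setKeyResolveByJwt(keyResolveByJwt) {`, and correct the README to match. Since the flag controls how much unverified token data reaches the resolver, I would also store it strictly, `this.keyResolveByJwt = keyResolveByJwt === true;`, so a truthy string such as 'false' cannot switch the mode on.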
@@ -372,7 +377,9 @@ Verifier.prototype.verify = function verify(jwtString,cb){
 var digstInput = jwt.verificationInput;
 var verified, digest;
- return this.keyResolver(header.kid, function(err, signingKey) {
+ var resolvable = this.keyResolveByJwt ? jwt : header.kid;
+
+ return this.keyResolver(resolvable, function(err, signingKey) {
 if (err) {
 return done(new JwtParseError(util.format(properties.errors.KEY_RESOLVER_ERROR, header.kid),jwtString,header,body, err));
diff --git a/test/key-resolver.js b/test/key-resolver.js
index a9faf38..57ea1cb 100644
--- a/test/key-resolver.js
+++ b/test/key-resolver.js
@@ -75,18 +75,21 @@ describe('Verifier', function() {
 describe('passing the error from the keyResolver', function() {
 var keyResolver;
+ var resolvableReceived;
 var error;
+ var jwt;
 var jwtToken;
 var jwtVerifier;
 beforeEach(function() {
 error = new Error('key resolver error');
- keyResolver = function(kid, cb) {
+ keyResolver = function(resolvable, cb) {
+ resolvableReceived = resolvable;
 cb(error);
 };
 jwtVerifier = nJwt.createVerifier().withKeyResolver(keyResolver);
- var jwt = new nJwt.create({},'foo');
+ jwt = new nJwt.create({},'foo');
 jwt.header.kid = 'foo'
 jwtToken = jwt.compact();
 });
@@ -111,6 +114,18 @@ describe('Verifier', function() {
 });
 });
 });
+
+ describe('key resolve by passing the parsed jwt as the resolvable', function() {
+ it('should throw the error', function() {
+ jwtVerifier.setKeyResolveByJwt(true);
+ var verify = function() {
+ jwtVerifier.verify(jwtToken);
+ };
+ assert.throws(verify, util.format(properties.errors.KEY_RESOLVER_ERROR, 'foo'));
+ assert.equal(resolvableReceived.body.jit, jwt.body.jit,);
+ });
+ });
+
 });
 });
 });
From 8992a8c32472c282fb1f81af591c82b6e3e3f47a Mon Sep 17 00:00:00 2001
From: Martin Crawford
Date: Mon, 14 May 2018 11:05:09 -0400
Subject: [PATCH 2/2] Fix: convert new Buffer() to Buffer.from() for security reasons.
---
 index.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
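Review bot: In the `verify` hunk at `@@ -372,7 +377,9 @@`, `jwt` is handed to the key resolver before the signing key exists and therefore before the signature has been checked, so every header and body field the resolver reads is still attacker-controlled, and neither the code nor the new README sentence says so. Add a comment above the new line such as `// jwt is parsed but NOT yet verified: resolvers must treat header/body as untrusted and only choose among keys they already trust`, and state the same in the README. The error path on the following lines still formats `header.kid`, which may be undefined for tokens resolved by their claims, so the KEY_RESOLVER_ERROR message loses its identifier in this mode. The rest of `verify` is outside the hunk; if the same `jwt` object is what the caller later receives, a resolver that mutates it would alter the verified result, so passing a copy may be safer.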
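Review bot: In the test/key-resolver.js hunk at `@@ -111,6 +114,18 @@`, `assert.equal(resolvableReceived.body.jit, jwt.body.jit,);` reads a claim named `jit`, which looks like a typo for `jti`; if neither body has a `jit` property both sides are `undefined`, so the check only shows that the resolver received something with a `body`, not that the claims match. The trailing comma inside the call is also a parse error on Node releases that predate trailing commas in argument lists. Comparing values the fixture actually sets, `assert.equal(resolvableReceived.header.kid, 'foo');` together with `assert.equal(resolvableReceived.body.jti, jwt.body.jti);`, would pin the behaviour. The `beforeEach` that builds `jwt` and sets `kid` is in the preceding hunk.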
diff --git a/index.js b/index.js
index dbeb335..8d67c3d 100644
--- a/index.js
+++ b/index.js
@@ -40,7 +40,7 @@ function nowEpochSeconds(){
 }
 function base64urlEncode(str) {
- return new Buffer(str)
+ return Buffer.from(str)
 .toString('base64')
 .replace(/\+/g, '-')
 .replace(/\//g, '_')
@@ -277,7 +277,7 @@ Parser.prototype.isSupportedAlg = isSupportedAlg;
 Parser.prototype.safeJsonParse = function(input) {
 var result;
 try{
- result = JSON.parse(new Buffer(base64urlUnescape(input),'base64'));
+ result = JSON.parse(Buffer.from(base64urlUnescape(input),'base64'));
 }catch(e){
 return e;
 }
@@ -297,7 +297,7 @@ Parser.prototype.parse = function parse(jwtString,cb){
 var body = this.safeJsonParse(segments[1]);
 if(segments[2]){
- signature = new Buffer(base64urlUnescape(segments[2]),'base64')
+ signature = Buffer.from(base64urlUnescape(segments[2]),'base64')
 .toString('base64');
 }
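Review bot: `Buffer.from(str)` in `base64urlEncode` (hunk `@@ -40,7 +40,7 @@`, and likewise in the `safeJsonParse` and `parse` hunks below) needs a runtime where the string form of `Buffer.from` exists, which was added in Node 5.10 and backported to 4.5; on older releases the name resolves to the inherited typed-array method and does not behave this way. This patch does not touch package.json, so if the `engines` range still admits older runtimes (not visible here) it should be raised in the same change. A short comment on the helper would also record the reason for the change, e.g. `// Buffer.from rejects a numeric argument instead of allocating uninitialised memory as new Buffer(n) did`, since a caller passing a number now gets a TypeError. `base64urlEncode` continues past the end of its hunk.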
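Review bot: In the `safeJsonParse` hunk at `@@ -277,7 +277,7 @@`, `JSON.parse` is given the Buffer itself and depends on implicit string conversion, which hides the character encoding applied to an untrusted token segment. Making it explicit, `result = JSON.parse(Buffer.from(base64urlUnescape(input),'base64').toString('utf8'));`, keeps the behaviour and documents it. A one-line comment noting that the function returns the caught error object rather than throwing (`return e;` in the catch) would remind callers to type-check the result before using it as a header or body.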