fix: correctly handle expired JWE's in cookies

src/server/auth-client.test.ts

@@ -514,10 +514,10 @@ ca/T0LLtgmbMmxSv/MmzIg==
         // assert session has been updated
         const updatedSessionCookie = response.cookies.get("__session");
         expect(updatedSessionCookie).toBeDefined();
-        const { payload: updatedSessionCookieValue } = await decrypt(
+        const { payload: updatedSessionCookieValue } = (await decrypt(
           updatedSessionCookie!.value,
           secret
-        );
+        )) as jose.JWTDecryptResult;
         expect(updatedSessionCookieValue).toEqual(
           expect.objectContaining({
             user: {
@@ -954,7 +954,14 @@ ca/T0LLtgmbMmxSv/MmzIg==
         `__txn_${authorizationUrl.searchParams.get("state")}`
       );
       expect(transactionCookie).toBeDefined();
-      expect((await decrypt(transactionCookie!.value, secret)).payload).toEqual(
+      expect(
+        (
+          (await decrypt(
+            transactionCookie!.value,
+            secret
+          )) as jose.JWTDecryptResult
+        ).payload
+      ).toEqual(
         expect.objectContaining({
           nonce: authorizationUrl.searchParams.get("nonce"),
           codeVerifier: expect.any(String),
@@ -1158,7 +1165,12 @@ ca/T0LLtgmbMmxSv/MmzIg==
         );
         expect(transactionCookie).toBeDefined();
         expect(
-          (await decrypt(transactionCookie!.value, secret)).payload
+          (
+            (await decrypt(
+              transactionCookie!.value,
+              secret
+            )) as jose.JWTDecryptResult
+          ).payload
         ).toEqual(
           expect.objectContaining({
             nonce: authorizationUrl.searchParams.get("nonce"),
@@ -1493,7 +1505,14 @@ ca/T0LLtgmbMmxSv/MmzIg==
         `__txn_${authorizationUrl.searchParams.get("state")}`
       );
       expect(transactionCookie).toBeDefined();
-      expect((await decrypt(transactionCookie!.value, secret)).payload).toEqual(
+      expect(
+        (
+          (await decrypt(
+            transactionCookie!.value,
+            secret
+          )) as jose.JWTDecryptResult
+        ).payload
+      ).toEqual(
         expect.objectContaining({
           nonce: authorizationUrl.searchParams.get("nonce"),
           maxAge: 3600,
@@ -1540,7 +1559,14 @@ ca/T0LLtgmbMmxSv/MmzIg==
         `__txn_${authorizationUrl.searchParams.get("state")}`
       );
       expect(transactionCookie).toBeDefined();
-      expect((await decrypt(transactionCookie!.value, secret)).payload).toEqual(
+      expect(
+        (
+          (await decrypt(
+            transactionCookie!.value,
+            secret
+          )) as jose.JWTDecryptResult
+        ).payload
+      ).toEqual(
         expect.objectContaining({
           nonce: authorizationUrl.searchParams.get("nonce"),
           codeVerifier: expect.any(String),
@@ -1586,7 +1612,14 @@ ca/T0LLtgmbMmxSv/MmzIg==
         `__txn_${authorizationUrl.searchParams.get("state")}`
       );
       expect(transactionCookie).toBeDefined();
-      expect((await decrypt(transactionCookie!.value, secret)).payload).toEqual(
+      expect(
+        (
+          (await decrypt(
+            transactionCookie!.value,
+            secret
+          )) as jose.JWTDecryptResult
+        ).payload
+      ).toEqual(
         expect.objectContaining({
           nonce: authorizationUrl.searchParams.get("nonce"),
           codeVerifier: expect.any(String),
@@ -1720,7 +1753,12 @@ ca/T0LLtgmbMmxSv/MmzIg==
         const state = transactionCookie.name.replace("__txn_", "");
         expect(transactionCookie).toBeDefined();
         expect(
-          (await decrypt(transactionCookie!.value, secret)).payload
+          (
+            (await decrypt(
+              transactionCookie.value,
+              secret
+            )) as jose.JWTDecryptResult
+          ).payload
         ).toEqual(
           expect.objectContaining({
             nonce: expect.any(String),
@@ -1874,7 +1912,12 @@ ca/T0LLtgmbMmxSv/MmzIg==
           const state = transactionCookie.name.replace("__txn_", "");
           expect(transactionCookie).toBeDefined();
           expect(
-            (await decrypt(transactionCookie!.value, secret)).payload
+            (
+              (await decrypt(
+                transactionCookie.value,
+                secret
+              )) as jose.JWTDecryptResult
+            ).payload
           ).toEqual(
             expect.objectContaining({
               nonce: expect.any(String),
@@ -1956,7 +1999,7 @@ ca/T0LLtgmbMmxSv/MmzIg==
           const state = transactionCookie.name.replace("__txn_", "");
           expect(transactionCookie).toBeDefined();
           expect(
-            (await decrypt(transactionCookie!.value, secret)).payload
+            (await decrypt(transactionCookie!.value, secret))!.payload
           ).toEqual(
             expect.objectContaining({
               nonce: expect.any(String),
@@ -2512,7 +2555,10 @@ ca/T0LLtgmbMmxSv/MmzIg==
       // validate the session cookie
       const sessionCookie = response.cookies.get("__session");
       expect(sessionCookie).toBeDefined();
-      const { payload: session } = await decrypt(sessionCookie!.value, secret);
+      const { payload: session } = (await decrypt(
+        sessionCookie!.value,
+        secret
+      )) as jose.JWTDecryptResult;
       expect(session).toEqual(
         expect.objectContaining({
           user: {
@@ -2695,7 +2741,10 @@ ca/T0LLtgmbMmxSv/MmzIg==
       // validate the session cookie
       const sessionCookie = response.cookies.get("__session");
       expect(sessionCookie).toBeDefined();
-      const { payload: session } = await decrypt(sessionCookie!.value, secret);
+      const { payload: session } = (await decrypt(
+        sessionCookie!.value,
+        secret
+      )) as jose.JWTDecryptResult;
       expect(session).toEqual(
         expect.objectContaining({
           user: {
@@ -3081,10 +3130,10 @@ ca/T0LLtgmbMmxSv/MmzIg==
         // validate the session cookie
         const sessionCookie = response.cookies.get("__session");
         expect(sessionCookie).toBeDefined();
-        const { payload: session } = await decrypt(
+        const { payload: session } = (await decrypt(
           sessionCookie!.value,
           secret
-        );
+        )) as jose.JWTDecryptResult;
         expect(session).toEqual(expect.objectContaining(expectedSession));
       });
 
@@ -3545,10 +3594,10 @@ ca/T0LLtgmbMmxSv/MmzIg==
         // validate the session cookie
         const sessionCookie = response.cookies.get("__session");
         expect(sessionCookie).toBeDefined();
-        const { payload: session } = await decrypt(
+        const { payload: session } = (await decrypt(
           sessionCookie!.value,
           secret
-        );
+        )) as jose.JWTDecryptResult;
         expect(session).toEqual(
           expect.objectContaining({
             user: {
@@ -3679,10 +3728,10 @@ ca/T0LLtgmbMmxSv/MmzIg==
         // validate the session cookie
         const sessionCookie = response.cookies.get("__session");
         expect(sessionCookie).toBeDefined();
-        const { payload: session } = await decrypt(
+        const { payload: session } = (await decrypt(
           sessionCookie!.value,
           secret
-        );
+        )) as jose.JWTDecryptResult;
         expect(session).toEqual(
           expect.objectContaining({
             user: {
@@ -3783,10 +3832,10 @@ ca/T0LLtgmbMmxSv/MmzIg==
 
       // validate that the session cookie has been updated
       const updatedSessionCookie = response.cookies.get("__session");
-      const { payload: updatedSession } = await decrypt<SessionData>(
+      const { payload: updatedSession } = (await decrypt<SessionData>(
         updatedSessionCookie!.value,
         secret
-      );
+      )) as jose.JWTDecryptResult<SessionData>;
       expect(updatedSession.tokenSet.accessToken).toEqual(newAccessToken);
     });
 

src/server/cookies.test.ts

@@ -1,4 +1,5 @@
 import { NextResponse } from "next/server";
+import * as jose from "jose";
 import { describe, expect, it } from "vitest";
 
 import { generateSecret } from "../test/utils";
@@ -13,9 +14,9 @@ describe("encrypt/decrypt", async () => {
     const maxAge = 60 * 60; // 1 hour in seconds
     const expiration = Math.floor(Date.now() / 1000 + maxAge);
     const encrypted = await encrypt(payload, secret, expiration);
-    const decrypted = await decrypt(encrypted, secret);
+    const decrypted = await decrypt(encrypted, secret) as jose.JWTDecryptResult;
 
-    expect(decrypted.payload).toEqual(expect.objectContaining(payload));
+    expect(decrypted!.payload).toEqual(expect.objectContaining(payload));
   });
 
   it("should fail to decrypt a payload with the incorrect secret", async () => {
@@ -32,9 +33,8 @@ describe("encrypt/decrypt", async () => {
     const payload = { key: "value" };
     const expiration = Math.floor(Date.now() / 1000 - 60); // 60 seconds in the past
     const encrypted = await encrypt(payload, secret, expiration);
-    await expect(() => decrypt(encrypted, secret)).rejects.toThrowError(
-      `"exp" claim timestamp check failed`
-    );
+    const decrypted = await decrypt(encrypted, secret);
+    expect(decrypted).toBeNull();
   });
 
   it("should fail to encrypt if a secret is not provided", async () => {

src/server/cookies.ts

@@ -44,20 +44,27 @@ export async function decrypt<T>(
   secret: string,
   options?: jose.JWTDecryptOptions
 ) {
-  const encryptionSecret = await hkdf(
-    DIGEST,
-    secret,
-    "",
-    ENCRYPTION_INFO,
-    BYTE_LENGTH
-  );
+  try {
+    const encryptionSecret = await hkdf(
+      DIGEST,
+      secret,
+      "",
+      ENCRYPTION_INFO,
+      BYTE_LENGTH
+    );
 
-  const cookie = await jose.jwtDecrypt<T>(cookieValue, encryptionSecret, {
-    ...options,
-    ...{ clockTolerance: 15 }
-  });
+    const cookie = await jose.jwtDecrypt<T>(cookieValue, encryptionSecret, {
+      ...options,
+      ...{ clockTolerance: 15 }
+    });
 
-  return cookie;
+    return cookie;
+  } catch (e: any) {
+    if (e.code === "ERR_JWT_EXPIRED") {
+      return null;
+    }
+    throw e;
+  }
 }
 
 /**

src/server/session/stateful-session-store.test.ts

@@ -1,3 +1,4 @@
+import * as jose from "jose";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 
 import { generateSecret } from "../../test/utils";
@@ -332,7 +333,10 @@ describe("Stateful Session Store", async () => {
         await sessionStore.set(requestCookies, responseCookies, session);
 
         const cookie = responseCookies.get("__session");
-        const { payload: cookieValue } = await decrypt(cookie!.value, secret);
+        const { payload: cookieValue } = (await decrypt(
+          cookie!.value,
+          secret
+        )) as jose.JWTDecryptResult;
 
         expect(cookie).toBeDefined();
         expect(cookieValue).toHaveProperty("id");
@@ -386,7 +390,10 @@ describe("Stateful Session Store", async () => {
         await sessionStore.set(requestCookies, responseCookies, session);
 
         const cookie = responseCookies.get("__session");
-        const { payload: cookieValue } = await decrypt(cookie!.value, secret);
+        const { payload: cookieValue } = (await decrypt(
+          cookie!.value,
+          secret
+        )) as jose.JWTDecryptResult;
 
         expect(cookie).toBeDefined();
         expect(cookieValue).toHaveProperty("id");
@@ -434,7 +441,10 @@ describe("Stateful Session Store", async () => {
         await sessionStore.set(requestCookies, responseCookies, session);
 
         const cookie = responseCookies.get("__session");
-        const { payload: cookieValue } = await decrypt(cookie!.value, secret);
+        const { payload: cookieValue } = (await decrypt(
+          cookie!.value,
+          secret
+        )) as jose.JWTDecryptResult;
 
         expect(cookie).toBeDefined();
         expect(cookieValue).toHaveProperty("id");
@@ -493,7 +503,10 @@ describe("Stateful Session Store", async () => {
         await sessionStore.set(requestCookies, responseCookies, session, true);
 
         const cookie = responseCookies.get("__session");
-        const { payload: cookieValue } = await decrypt(cookie!.value, secret);
+        const { payload: cookieValue } = (await decrypt(
+          cookie!.value,
+          secret
+        )) as jose.JWTDecryptResult;
 
         expect(cookie).toBeDefined();
         expect(store.delete).toHaveBeenCalledWith(sessionId); // the old session should be deleted
@@ -542,7 +555,10 @@ describe("Stateful Session Store", async () => {
         await sessionStore.set(requestCookies, responseCookies, session);
 
         const cookie = responseCookies.get("__session");
-        const { payload: cookieValue } = await decrypt(cookie!.value, secret);
+        const { payload: cookieValue } = (await decrypt(
+          cookie!.value,
+          secret
+        )) as jose.JWTDecryptResult;
 
         expect(cookie).toBeDefined();
         expect(cookieValue).toHaveProperty("id");
@@ -592,7 +608,10 @@ describe("Stateful Session Store", async () => {
         await sessionStore.set(requestCookies, responseCookies, session);
 
         const cookie = responseCookies.get("__session");
-        const { payload: cookieValue } = await decrypt(cookie!.value, secret);
+        const { payload: cookieValue } = (await decrypt(
+          cookie!.value,
+          secret
+        )) as jose.JWTDecryptResult;
 
         expect(cookie).toBeDefined();
         expect(cookieValue).toHaveProperty("id");
@@ -686,7 +705,10 @@ describe("Stateful Session Store", async () => {
         await sessionStore.set(requestCookies, responseCookies, session);
 
         const cookie = responseCookies.get("my-session");
-        const { payload: cookieValue } = await decrypt(cookie!.value, secret);
+        const { payload: cookieValue } = (await decrypt(
+          cookie!.value,
+          secret
+        )) as jose.JWTDecryptResult;
 
         expect(cookie).toBeDefined();
         expect(cookieValue).toHaveProperty("id");