switch out jsonwebtoken for jose

package.json

@@ -68,7 +68,7 @@
     "fs-extra": "10.1.0",
     "fx-runner": "1.2.0",
     "import-fresh": "3.3.0",
-    "jsonwebtoken": "8.5.1",
+    "jose": "4.8.3",
     "mkdirp": "1.0.4",
     "multimatch": "6.0.0",
     "mz": "2.7.0",

src/util/submit-addon.js

@@ -5,7 +5,7 @@ import { promisify } from 'util';
 
 // eslint-disable-next-line no-shadow
 import fetch, { FormData, fileFromSync, Response } from 'node-fetch';
-import jwt from 'jsonwebtoken';
+import { SignJWT } from 'jose';
 
 import {createLogger} from './../util/logger.js';
 
@@ -202,15 +202,20 @@ export default class Client {
     return data;
   }
 
-  fetch(
+  async signJWT(): Promise<string> {
+    return new SignJWT({ iss: this.apiKey })
+      .setProtectedHeader({ alg: 'HS256' })
+      .setIssuedAt()
+      .setExpirationTime(`${this.apiJwtExpiresIn}seconds`)
+      .sign(Uint8Array.from(Buffer.from(this.apiSecret, 'utf8')));
+  }
+
+  async fetch(
     url: string,
     method: string = 'GET',
     body?: typeof FormData | string,
   ): Promise<typeof Response> {
-    const authToken = jwt.sign({ iss: this.apiKey }, this.apiSecret, {
-      algorithm: 'HS256',
-      expiresIn: this.apiJwtExpiresIn,
-    });
+    const authToken = await this.signJWT();
 
     log.info(`Fetching URL: ${url}`);
     let headers = {

tests/unit/test-util/test.submit-addon.js

@@ -8,7 +8,6 @@ import { afterEach, before, beforeEach, describe, it } from 'mocha';
 import * as sinon from 'sinon';
 import nock from 'nock';
 import { File, FormData } from 'node-fetch';
-import jwt from 'jsonwebtoken';
 
 import Client, { signAddon } from '../../../src/util/submit-addon.js';
 import { makeSureItFails } from '../helpers.js';
@@ -36,7 +35,7 @@ describe('util.submit-addon', () => {
 
     const signAddonDefaults = {
       apiKey: 'some-key',
-      apiSecret: 'some-secret',
+      apiSecret: 'ffff',
       apiHost: 'https://some.url',
       timeout: 1,
       downloadDir: '/some-dir/',
@@ -46,7 +45,7 @@ describe('util.submit-addon', () => {
 
     it.skip('creates Client with parameters', async () => {
       const apiKey = 'fooKey';
-      const apiSecret = 'fooSecret';
+      const apiSecret = '4321';
       const apiHost = 'fooPrefix';
       const downloadDir = '/foo';
       const clientSpy = sinon.spy(Client);
@@ -126,7 +125,7 @@ describe('util.submit-addon', () => {
 
     const clientDefaults = {
       apiKey: 'fake-api-key',
-      apiSecret: 'fake-api-secret',
+      apiSecret: '1234abcd',
       apiHost,
       approvalCheckInterval: 0,
       validationCheckInterval: 0,
@@ -501,13 +500,13 @@ describe('util.submit-addon', () => {
       const client = new Client(clientDefaults);
       let jwtSignSpy;
       const reqheaders = {
-        Authorization: (headerValue) =>
-          headerValue === `JWT ${jwtSignSpy.firstCall.returnValue}`,
+        Authorization: async (headerValue) =>
+          headerValue === `JWT ${await jwtSignSpy.firstCall.returnValue}`,
         Accept: 'application/json',
       };
 
       beforeEach(() => {
-        jwtSignSpy = sinon.spy(jwt, 'sign');
+        jwtSignSpy = sinon.spy(client, 'signJWT');
       });
 
       afterEach(() => {