Allowing JWE aswell as JWT tokens

[uplift]

In my quest to bring our custom version of this project inline with the official release, I have one more task to make them the same.

Our payload cookie is currently encoded using JWE tokens instead of basic JWT. Would it be possible to add a config in the Admin Setting page that allows the switch to JWE encryption?

[julianlam]

Would that require a new dependency? It doesn't look like jsonwebtoken supports JWE. If so, do you have a recommended module?

[uplift]

Yes it would. We currently use https://github.com/cisco/node-jose

[julianlam]

@uplift If I am reading this correctly, we would be removing our dependency on node-jsonwebtoken and instead use node-jose, is that right?

Seems like a fairly major operation, and wouldn't be backwards compatible with pre-existing installs, unless node-jose can produce a JWS (which is what node-jsonwebtoken currently outputs)

[sl354207]

Hi @julianlam. I am curious if it's possible to add this feature as well.

This library https://github.com/panva/jose seems potentially more widely used than the one mentioned above and can produce a JWS for backwards compatibility.

It would also allow for different signing algorithms as requested in issue #31.

I'm not an expert on JWT's or nodebb but I'd be willing to help if you're interested.