feature request: support `AbortSignal` in custom JWT claims code

Open jonsamwell opened this issue 1 year ago • 3 comments

Describe the bug

When trying to use AbortSignal in custom JWT claims, a ReferenceError is thrown (when using the test functionality) stating that AbortSignal is not defined.

Expected behavior

AbortSignal can be used.

How to reproduce?

Given this code, where AbortSignal is used to enforce a timeout when using fetch, a ReferenceError should not be thrown.

/**
 * This function is called during the access token generation process to get custom claims for the JWT token.
 * Limit custom claims to under 50KB.
 *
 * @param {Object} payload - The input payload of the function.
 * @param {AccessTokenPayload} payload.token - The JWT token.
 * @param {Context} payload.context - Logto internal data that can be used to pass additional information
 * @param {EnvironmentVariables} [payload.environmentVariables] - The environment variables.
 *
 * @returns The custom claims.
 */
const getCustomJwtClaims = async ({ token, context, environmentVariables }) => {
  const apiUrl = environmentVariables?.apiUrl ?? '';
  const apiKey = environmentVariables?.apiKey ?? '';
  let data = {};

  try {
    const response = await fetch(`${apiUrl}/members/${token.accountId}/jwt/enrich`, {
      headers: {
        Authorization: apiKey,
      },
      // AbortSignal.timeout() is the call that throws the ReferenceError in the custom JWT runtime.
      signal: AbortSignal.timeout(5000),
    });

    data = await response.json();
  } catch (e) {
    data = {
      error: e.toString(),
    };
  }

  return {
    someProperty: "abc123",
    ...data,
  };
};

The resulting JWT Custom Data is:

Extra JWT claims:
{
  "someProperty": "abc123",
  "error": "ReferenceError: AbortSignal is not defined"
}

Context

  • [x] Logto Cloud
  • [ ] Self-hosted, Logto version =
    • [ ] Container (Docker image)
    • [ ] Raw Node.js

Screenshots

jonsamwell avatar Jul 30 '24 10:07 jonsamwell

We currently do not support many APIs in custom JWT for security concerns, so the behavior is expected. After discussing with our team, we can add support for the AbortSignal API in the following weeks.

darcyYe avatar Jul 31 '24 09:07 darcyYe

Thanks @darcyYe, it is not a big problem; it is only to ensure the call does not take too long.

jonsamwell avatar Jul 31 '24 10:07 jonsamwell

Although we have set a timeout for the execution of getCustomJwtClaims() in the custom JWT, since we provide the fetch() method, it is reasonable for developers to customize an additional, stricter timeout setting.

darcyYe avatar Jul 31 '24 10:07 darcyYe
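The issue's code assumes `AbortSignal.timeout()` exists, which is exactly what the restricted custom JWT runtime does not provide, while the last comment notes that a developer-set timeout on top of the platform's own execution timeout is reasonable. The following is an added example, not code from the issue or from Logto: it enforces a per-call timeout on `fetch()` by feature-detecting which abort primitive the runtime actually exposes (`AbortSignal.timeout`, then `AbortController`, then a plain `Promise.race` fallback) instead of assuming one, and it reworks the issue's claims function around that helper. It assumes that `Promise`, `setTimeout` and `clearTimeout` are available in the runtime, which the thread does not state; the `fetchImpl` and `g` parameters are test hooks that are not part of any Logto API.

```javascript
// Added example, not code from the Logto issue above or from Logto itself.
// Enforces a per-call timeout on fetch() inside a restricted runtime that may not expose
// AbortSignal.timeout (the ReferenceError in the issue) or even AbortController.
// Assumed, not stated in the thread: Promise, setTimeout and clearTimeout exist there.

// Raised by the fallback path when the runtime has no abort primitive at all.
class TimeoutError extends Error {
  constructor(ms) {
    super(`request did not complete within ${ms} ms`);
    this.name = 'TimeoutError';
  }
}

// Decide how the timeout will be enforced from the globals the runtime actually exposes.
// `g` is the global object to inspect; it is injectable so every path can be exercised on a
// runtime (such as current Node.js) that has all three primitives.
function pickTimeoutStrategy(g = globalThis) {
  if (typeof g.AbortSignal === 'function' && typeof g.AbortSignal.timeout === 'function') {
    return 'abortsignal-timeout'; // cancels the request; fetch rejects with a TimeoutError DOMException
  }
  if (typeof g.AbortController === 'function') {
    return 'abortcontroller'; // cancels the request; fetch rejects with an AbortError
  }
  return 'race'; // releases the caller only; the request itself keeps running
}

async function fetchWithTimeout(url, init = {}, ms = 5000, { fetchImpl = globalThis.fetch, g = globalThis } = {}) {
  const strategy = pickTimeoutStrategy(g);

  if (strategy === 'abortsignal-timeout') {
    return fetchImpl(url, { ...init, signal: g.AbortSignal.timeout(ms) });
  }

  if (strategy === 'abortcontroller') {
    const controller = new g.AbortController();
    const timer = setTimeout(() => controller.abort(), ms);
    try {
      return await fetchImpl(url, { ...init, signal: controller.signal });
    } finally {
      clearTimeout(timer);
    }
  }

  // Fallback: race the request against a timer. Nothing cancels the underlying request, so the
  // upstream service still receives and processes it; only this caller stops waiting for it.
  let timer;
  const deadline = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new TimeoutError(ms)), ms);
  });
  try {
    return await Promise.race([fetchImpl(url, init), deadline]);
  } finally {
    clearTimeout(timer);
  }
}

// The issue's claims function rebuilt around fetchWithTimeout. apiUrl, apiKey and the
// /members/<id>/jwt/enrich path come from the issue; fetchImpl, g and timeoutMs are hooks
// added here for testing, not Logto parameters.
async function getCustomJwtClaims({ token, environmentVariables }, { fetchImpl, g, timeoutMs = 5000 } = {}) {
  const apiUrl = environmentVariables?.apiUrl ?? '';
  const apiKey = environmentVariables?.apiKey ?? '';
  let data = {};

  try {
    const response = await fetchWithTimeout(
      `${apiUrl}/members/${encodeURIComponent(token.accountId)}/jwt/enrich`,
      { headers: { Authorization: apiKey } },
      timeoutMs,
      { fetchImpl, g },
    );
    if (!response.ok) throw new Error(`enrich endpoint returned HTTP ${response.status}`);
    data = await response.json();
  } catch (e) {
    // Do not copy the error text into the token: every holder of the JWT can read it.
    data = { enrichmentFailed: true };
  }

  return { someProperty: 'abc123', ...data };
}
```

Two design points. First, only the two abort-based paths actually cancel the upstream call; the `Promise.race` fallback just stops waiting, so if the runtime offers no abort primitive the enrichment endpoint can still be tied up by a slow request even though the token is issued promptly. Second, the issue's version writes `e.toString()` into the token; the rewrite emits a single `enrichmentFailed` flag instead, because anything placed in the claims is readable by whoever holds the JWT, and an exception message can reveal internal hostnames or paths.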