verifyJwtToken accept configuration as parameter

packages/backend-for-frontend/src/services/authorizationService.ts

@@ -16,21 +16,21 @@ import {
   USER_ROLES,
   WithLogger,
   decodeJwtToken,
+  getJwksClients,
   userRoles,
   verifyJwtToken,
-  getJwksClient,
 } from "pagopa-interop-commons";
 import { TenantId, genericError, unsafeBrandId } from "pagopa-interop-models";
+import { PagoPAInteropBeClients } from "../clients/clientsProvider.js";
 import { config } from "../config/config.js";
 import {
   missingClaim,
   missingSelfcareId,
   tenantLoginNotAllowed,
   tokenVerificationFailed,
 } from "../model/errors.js";
-import { PagoPAInteropBeClients } from "../clients/clientsProvider.js";
-import { validateSamlResponse } from "../utilities/samlValidator.js";
 import { BffAppContext } from "../utilities/context.js";
+import { validateSamlResponse } from "../utilities/samlValidator.js";
 
 const SUPPORT_USER_ID = "5119b1fa-825a-4297-8c9c-152e055cabca";
 
@@ -54,7 +54,7 @@ export function authorizationServiceBuilder(
   allowList: string[],
   rateLimiter: RateLimiter
 ) {
-  const jwksClients = getJwksClient(config);
+  const jwksClients = getJwksClients(config);
 
   const readJwt = async (
     identityToken: string,
@@ -64,7 +64,7 @@ export function authorizationServiceBuilder(
     sessionClaims: SessionClaims;
     selfcareId: string;
   }> => {
-    const verified = await verifyJwtToken(identityToken, jwksClients, logger);
+    const verified = await verifyJwtToken(identityToken, jwksClients, config, logger);
     if (!verified) {
       throw tokenVerificationFailed();
     }

packages/commons/src/auth/authenticationMiddleware.ts

@@ -6,8 +6,8 @@ import {
   missingHeader,
   unauthorizedError,
 } from "pagopa-interop-models";
-import { P, match } from "ts-pattern";
-import { ExpressContext, getJwksClient, JWTConfig } from "../index.js";
+import { match, P } from "ts-pattern";
+import { ExpressContext, getJwksClients, JWTConfig } from "../index.js";
 import { Logger, logger } from "../logging/index.js";
 import { AuthData } from "./authData.js";
 import { Headers } from "./headers.js";
@@ -20,7 +20,7 @@ export const authenticationMiddleware: (
 ) => ZodiosRouterContextRequestHandler<ExpressContext> =
   (config: JWTConfig) =>
   async (req, res, next): Promise<unknown> => {
-    const jwksClients = getJwksClient(config);
+    const jwksClients = getJwksClients(config);
 
     const addCtxAuthData = async (
       authHeader: string,
@@ -38,7 +38,7 @@ export const authenticationMiddleware: (
       }
 
       const jwtToken = authorizationHeader[1];
-      const valid = await verifyJwtToken(jwtToken, jwksClients, logger);
+      const valid = await verifyJwtToken(jwtToken, jwksClients, config, logger);
       if (!valid) {
         throw unauthorizedError("Invalid token");
       }

packages/commons/src/auth/jwk.ts

@@ -1,11 +1,11 @@
 import crypto, { JsonWebKey, KeyObject } from "crypto";
+import jwksClient, { JwksClient } from "jwks-rsa";
 import {
   invalidKey,
   jwkDecodingError,
   notAllowedCertificateException,
   notAllowedPrivateKeyException,
 } from "pagopa-interop-models";
-import jwksClient, { JwksClient } from "jwks-rsa";
 import { JWTConfig } from "../config/index.js";
 
 export const decodeBase64ToPem = (base64String: string): string => {
@@ -67,7 +67,7 @@ export function sortJWK(jwk: JsonWebKey): JsonWebKey {
     );
 }
 
-export function getJwksClient(config: JWTConfig): JwksClient[] {
+export function getJwksClients(config: JWTConfig): JwksClient[] {
   return config.wellKnownUrls.map((url) =>
     jwksClient({
       cache: true,

packages/commons/src/auth/jwt.ts

@@ -62,10 +62,11 @@ const getKey = async (
 export const verifyJwtToken = async (
   jwtToken: string,
   jwksClients: jwksClient.JwksClient[],
+  config: JWTConfig,
   logger: Logger
 ): Promise<boolean> => {
   try {
-    const { acceptedAudiences } = JWTConfig.parse(process.env);
+    const { acceptedAudiences } = config;
 
     const jwtHeader = decodeJwtTokenHeaders(jwtToken, logger);
     if (!jwtHeader?.kid) {