[BUG] jose `jwtVerify` is no longer working in Cloudflare worker environment

[immunity23tick]

What happened?

I noticed recently calling jwtVerify in my Cloudflare worker is causing following excepion:

TypeError: Key for the ES512 algorithm must be one of type CryptoKey, KeyObject, or JSON Web Key. Received an instance of CryptoKey\n    at asymmetricTypeCheck (bundledWorker-0.7783238848318434.mjs:1411:11)\n    at default (bundledWorker-0.7783238848318434.mjs:1442:5)\n    at flattenedVerify (bundledWorker-0.7783238848318434.mjs:1987:3)\n    at async compactVerify (bundledWorker-0.7783238848318434.mjs:2037:20)\n    at async jwtVerify (bundledWorker-0.7783238848318434.mjs:2275:20)\n    at async bundledWorker-0.7783238848318434.mjs:3009:44\n    at async Object.fetch (bundledWorker-0.7783238848318434.mjs:20:27)

Upon further debugging:

"logs": [
    {
      "message": [
        "=== isJWK ===",
        false
      ],
      "level": "log",
      "timestamp": 1759898167172
    },
    {
      "message": [
        "=== isKeyLike ===",
        false
      ],
      "level": "log",
      "timestamp": 1759898167172
    },
    {
      "message": [
        "=== isCryptoKey ===",
        false
      ],
      "level": "log",
      "timestamp": 1759898167172
    },
    {
      "message": [
        "=== isKeyObject ===",
        false
      ],
      "level": "log",
      "timestamp": 1759898167172
    },
    {
      "message": [
        "=== key?.[Symbol.toStringTag] ===",
        null
      ],
      "level": "log",
      "timestamp": 1759898167172
    }
  ]

It appears isKeyLike check is no longer working due to key?.[Symbol.toStringTag] returning null.

I updated the implementation to following:
https://github.com/immunity23tick/jose/blob/804b80540f28b423fb0bfb3c771a933628848536/src/lib/is_key_like.ts
And it starts working for me again.

Version

https://registry.npmjs.org/jose/-/jose-6.1.0.tgz sha512-TTQJyoEoKcC1lscpVDCSsVgYzUDg/0Bt3WE//WiTPK6uOCQC2KZS4MpugbMWt/zyjkopgZoXhZuCi00gLudfUA==

Runtime

Cloudflare Workers

Runtime Details

Compatibility date Jul 27, 2023

Code to reproduce

import isKeyLike, { isCryptoKey, isKeyObject } from '../node_modules/jose/dist/webapi/lib/is_key_like.js';

console.log('=== isKeyLike ===', isKeyLike(key));
console.log('=== isCryptoKey ===', isCryptoKey(key));
console.log('=== isKeyObject ===', isKeyObject(key));
console.log('=== key?.[Symbol.toStringTag] ===', key?.[Symbol.toStringTag]);

Required

• I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
• I agree to follow this project's Code of Conduct

[panva]

cloudflare/workerd#2769
cloudflare/workerd#2771

All you need is to set a recent compatibility date.

[immunity23tick]

@panva thank you, I can confirm using a more recent compatibility date fixed my problem.
Just curious, it there a reason we don't want to use instanceof CryptoKey in the is_key_like.js checkes?

[panva]

FYI: https://github.com/panva/jose/releases/tag/v6.1.2