fix(auth): wire dual-key JWT verification into TokenService for WebSocket auth

Extract shared `verifyWithRotation` helper and `makeSecretOrKeyProvider` into `jwt-rotation.ts` so both REST (passport-jwt strategy) and WebSocket (TokenService.verifyAccessToken) paths honour JWT_SECRET_PREVIOUS during secret rotation. Add env-validation for optional previous secrets and document the rotation policy for WebSocket sessions. Resolves GOO-237 Co-Authored-By: Claude Opus 4 <noreply@anthropic.com>
2026-04-24 14:44:23 +07:00
parent 455c959f44
commit 3705193f97
8 changed files with 345 additions and 252 deletions
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -87,6 +87,9 @@ importers:
      '@aws-sdk/s3-request-presigner':
        specifier: ^3.1026.0
        version: 3.1026.0
+      '@goodgo/contracts-events':
+        specifier: workspace:*
+        version: link:../../libs/contracts/events
      '@goodgo/mcp-servers':
        specifier: workspace:*
        version: link:../../libs/mcp-servers
@@ -186,6 +189,9 @@ importers:
      ioredis:
        specifier: ^5.4.0
        version: 5.10.1
+      jsonwebtoken:
+        specifier: ^9.0.3
+        version: 9.0.3
      nodemailer:
        specifier: ^8.0.5
        version: 8.0.5
@@ -259,6 +265,9 @@ importers:
      '@types/express':
        specifier: ^5.0.0
        version: 5.0.6
+      '@types/jsonwebtoken':
+        specifier: ^9.0.10
+        version: 9.0.10
      '@types/node':
        specifier: ^25.5.2
        version: 25.5.2
@@ -420,6 +429,12 @@ importers:
        specifier: ^4.1.3
        version: 4.1.3(@opentelemetry/api@1.9.1)(@types/node@25.5.2)(jsdom@29.0.2(@noble/hashes@2.0.1))(msw@2.13.2(@types/node@25.5.2)(typescript@6.0.2))(vite@7.3.2(@types/node@25.5.2)(jiti@1.21.7)(terser@5.46.1)(tsx@4.21.0)(yaml@2.8.3))

+  libs/contracts/events:
+    devDependencies:
+      typescript:
+        specifier: ^5.5.0
+        version: 5.9.3
+
  libs/mcp-servers:
    dependencies:
      '@modelcontextprotocol/sdk':