How can I set the `sub` claim of a JWT in FeathersJS?

Question

The sub claim for JWTs is optional, but the feathersjs-authentication won't let me set it to a blank string or remove it.

I was able to add a new value to the payload in the authentication before hook but changing sub or trying to remove it doesn't work.

app.service('/api/auth').hooks({
  before: {
    create: [
      // You can chain multiple strategies
      auth.hooks.authenticate(['jwt', 'local']),

      hook => {
        // I can add a new `SUB` value but this method doesn't work for `sub`
        Object.assign(hook.params.payload, {SUB: hook.params.payload.userId})
      }
    ],
...

I tried adding the same change to the after hook, but that didn't work either. Having the sub value as anonymous doesn't seem right to me. Their docs even say:

subject: 'anonymous', // Typically the entity id associated with the JWT

Yet there does not seem to be a straight-forward way to make the sub JWT claim a dynamic value.

Answer 1

The subject or sub is set in the authentication options and - like any other JWT specific option - can not be set through the payload.

Looking at the code you can see that valid JWT option keys can be set through params (which other than params.query is outside of a malicious client reach so it can't be easily tampered with):

app.service('/api/auth').hooks({
  before: {
    create: [
      // You can chain multiple strategies
      auth.hooks.authenticate(['jwt', 'local']),

      hook => {
        hook.params.jwt.subject = hook.params.payload.userId;
      }
    ],

Answer 2

You can define your own authenticationStrategy by extending authenticationService and using getTokenOptions() to overwrite the payload sub for that you need to work on also how will you verify it.

Scenario : I wanted to encrypt my sub for that I created a new AuthClass extending AuthService and overriding

async getTokenOptions(
    authResult: AuthenticationResult,
    params: Params
  ): Promise<any> {
    const secret = this.app.get('authentication').secret;
    const { user } = authResult;
    const { id } = user;
    const payload = await super.getTokenOptions(authResult, params);
    if (user && user.id) {
      payload.subject = encrypt(id, secret);
    }
    return payload;
  }

and also I need to decrypt at the time of adding it params.user, so I created another jwtDecryptStrategy extending given JWTStrategy and override its getEntityId() to return the decrypted id

Like this:

export class JwtDecryptStrategy extends JWTStrategy {
  async getEntityId(
    authResult: AuthenticationResult,
    _params: Params
  ): Promise<any> {
    return decrypt(
      authResult.authentication.payload.sub,
      this.app?.get('authentication').secret
    );
  }
}