Add RequestContext primitive (todo §0); harden static serving (HEAD, control-char, stream-error logging)

2026-06-14 19:33:17 +02:00
parent b4c149db27
commit c544387d3a
12 changed files with 158 additions and 34 deletions
--- a/src/jwt.test.ts
+++ b/src/jwt.test.ts
@@ -71,6 +71,11 @@ test("rejects when the JWK pins a different alg", () => {
  assert.throws(() => verifyJws(token, { ...rsaJwk, alg: "RS512" }), /alg mismatch/);
 });

+test("rejects a symmetric JWK (kty:oct) for an asymmetric alg — second defense after the allowlist", () => {
+  const token = makeJws("RS256", rsa.privateKey, { sub: "u" });
+  assert.throws(() => verifyJws(token, { k: b64url("secret"), kty: "oct" }), /invalid JWK/);
+});
+
 test("rejects a token without three segments", () => {
  assert.throws(() => verifyJws("only.two", rsaJwk), /expected 3 segments/);
 });