From c56ac433a269a3667fedd91848f03ceeb8ff2107 Mon Sep 17 00:00:00 2001
From: Yann Amsellem
Date: Tue, 4 Nov 2025 15:47:26 +0100
Subject: [PATCH] fix: use jose to decode jwt from parent app
---
 package-lock.json | 10 ++++++++++
 package.json | 1 +
 src/lib/auth/embedded-handler.ts | 9 ++++-----
 3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 6a2ff80..2871ff6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -26,6 +26,7 @@
 "d3": "^7.9.0",
 "dayjs": "^1.11.18",
 "highlight.js": "^11.11.1",
+ "jose": "^6.1.0",
 "lodash": "^4.17.21",
 "marked": "^16.4.1",
 "marked-highlight": "^2.2.2",
@@ -2349,6 +2350,15 @@
 "integrity": "sha512-tFLRAygk9NqrRPhJSnNGh7g7oaVWDwR0wKh/GM2LgmPa50Eg4UfyaCO4I8k6EqJHl1/uh2RAD6g06n5ygEnrjQ==",
 "license": "ISC"
 },
+ "node_modules/jose": {
+ "version": "6.1.0",
+ "resolved": "https://registry.npmjs.org/jose/-/jose-6.1.0.tgz",
+ "integrity": "sha512-TTQJyoEoKcC1lscpVDCSsVgYzUDg/0Bt3WE//WiTPK6uOCQC2KZS4MpugbMWt/zyjkopgZoXhZuCi00gLudfUA==",
+ "license": "MIT",
+ "funding": {
+ "url": "https://github.com/sponsors/panva"
+ }
+ },
 "node_modules/kleur": {
 "version": "4.1.5",
 "resolved": "https://registry.npmjs.org/kleur/-/kleur-4.1.5.tgz",
diff --git a/package.json b/package.json
index 5537d58..2dac529 100644
--- a/package.json
+++ b/package.json
@@ -32,6 +32,7 @@
 "d3": "^7.9.0",
 "dayjs": "^1.11.18",
 "highlight.js": "^11.11.1",
+ "jose": "^6.1.0",
 "lodash": "^4.17.21",
 "marked": "^16.4.1",
 "marked-highlight": "^2.2.2",
diff --git a/src/lib/auth/embedded-handler.ts b/src/lib/auth/embedded-handler.ts
index 7f144f7..81016cd 100644
--- a/src/lib/auth/embedded-handler.ts
+++ b/src/lib/auth/embedded-handler.ts
@@ -1,4 +1,5 @@
-import type { AuthService, AuthSession } from './service';
+import { decodeJwt } from 'jose/jwt/decode';
+import type { AuthService } from './service';
 export class EmbeddedAuthHandler {
 constructor(private service: AuthService) {
@@ -9,10 +10,8 @@ export class EmbeddedAuthHandler {
 const url = new URL(window.location.href);
 const token = url.searchParams.get('token');
 if (token) {
- const decoded = JSON.parse(atob(token.split('.')[1]));
- const expiresAt = +(decoded.exp ?? Date.now() + 3600 * 1000);
- const session: AuthSession = { idToken: token, expiresAt };
- await this.service.setSession(session);
+ const claims = decodeJwt(token);
+ if (claims.exp) await this.service.setSession({ idToken: token, expiresAt: claims.exp });
 }
 }
 }
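Review bot: `decodeJwt(token)` only decodes the payload of a value read straight from the `token` query parameter; it checks no signature and validates no claims, so `exp` and every other field in `claims` is set by whoever built the URL. The session stored here should be treated as unauthenticated until the backend has verified `idToken`, and a comment above the call should say so: `// decodeJwt does not verify the signature; idToken must be verified server-side`. `decodeJwt` also throws on a malformed token and nothing in the hunk catches it, so a bad link rejects the method's promise; the fence below shows a guarded decode. Separately, `exp` is in seconds while the removed fallback (`Date.now() + 3600 * 1000`) was in milliseconds, so confirm which unit `expiresAt` expects. The method's signature is outside the hunk.

```typescript
if (token) {
  let claims: ReturnType<typeof decodeJwt> | undefined;
  try {
    claims = decodeJwt(token);
  } catch {
    // malformed token in the URL: start no session
    claims = undefined;
  }
  if (claims?.exp) await this.service.setSession({ idToken: token, expiresAt: claims.exp });
}
```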