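// Signs a short-lived JWT with an RSA private key, then verifies it with the
// matching public key and checks the issuer and audience claims.
const jose = require('jose');
const fs = require('fs');
const path = require('path');

// Expected layout (key files sit one level above this script):
//
// project
// ├── src
// │   └── app.js
// ├── package.json
// ├── privatekey.pem
// └── publickey.cer
//
// The private key is read from disk as-is; keep it out of version control and
// readable only by the account that runs this script.
const privateKey = jose.JWK.asKey(
  fs.readFileSync(path.resolve(__dirname, '../privatekey.pem')),
);
const publicKey = jose.JWK.asKey(
  fs.readFileSync(path.resolve(__dirname, '../publickey.cer')),
);

// Values shared by the signer and the verifier, so the two cannot drift apart.
const SIGNING_ALGORITHM = 'RS512';
const ISSUER = 'https://op.example.com';
const AUDIENCE = 'urn:example:client_id';

// Sign
const jwt = jose.JWT.sign(
  { 'urn:example:claim': 'foo' },
  privateKey,
  {
    algorithm: SIGNING_ALGORITHM,
    expiresIn: '1 min',
    header: { typ: 'JWT' },
    audience: AUDIENCE,
    issuer: ISSUER,
  },
);

try {
  // Verify the signature and the payload claims. `algorithms` pins the
  // verifier to the algorithm used for signing; without it, every algorithm
  // the key supports would be accepted from the token header.
  const payload = jose.JWT.verify(
    jwt,
    publicKey,
    {
      algorithms: [SIGNING_ALGORITHM],
      issuer: ISSUER,
      audience: AUDIENCE,
    },
  );
  console.log(payload);
} catch (err) {
  // Dumping the whole error is acceptable in a demo; a service should log it
  // internally and return only a generic failure to the caller.
  console.log(err);

  // Only errors raised by jose carry a code this script interprets. Any other
  // failure (for example a bad signature or a disallowed algorithm) ends up in
  // the default branch.
  const code = err instanceof jose.errors.JOSEError ? err.code : undefined;
  switch (code) {
    case 'ERR_JWT_EXPIRED':
      console.log('Expired token');
      break;
    case 'ERR_JWT_MALFORMED':
      console.log('Invalid token');
      break;
    case 'ERR_JWT_CLAIM_INVALID':
      console.log('Claim invalid');
      break;
    default:
      console.log('Unexpected error');
  }
}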