From 89cba6a39c94617f00e8dda8ce71274da7dbc27c Mon Sep 17 00:00:00 2001
From: Lucas Coratger <73360179+coratgerl@users.noreply.github.com>
Date: Tue, 17 Feb 2026 18:23:07 +0100
Subject: [PATCH] feat(wabe): use algorithm for sign and verify jwt

---
 packages/wabe/src/authentication/Session.ts | 25 +++++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/packages/wabe/src/authentication/Session.ts b/packages/wabe/src/authentication/Session.ts
index e5b9d546..cc51e221 100644
--- a/packages/wabe/src/authentication/Session.ts
+++ b/packages/wabe/src/authentication/Session.ts
@@ -11,13 +11,18 @@ const getJwtSecret = (context: WabeContext): string => {
 return secret
 }
 
+const JWT_ALGORITHM = 'HS256'
+
 const safeVerify = (
 token: string,
 secret: string,
 options: Pick = {},
 ) => {
 try {
- return !!verify(token, secret, options)
+ return !!verify(token, secret, {
+ ...options,
+ algorithms: [JWT_ALGORITHM],
+ })
 } catch {
 return false
 }
@@ -258,7 +263,10 @@ export class Session {
 
 const secretKey = getJwtSecret(context)
 
- const signOptions: SignOptions = { jwtid: crypto.randomUUID() }
+ const signOptions: SignOptions = {
+ jwtid: crypto.randomUUID(),
+ algorithm: JWT_ALGORITHM,
+ }
 const audience = context.wabe.config.authentication?.session?.jwtAudience
 const issuer = context.wabe.config.authentication?.session?.jwtIssuer
 if (audience) signOptions.audience = audience
@@ -272,7 +280,7 @@ export class Session {
 exp: Math.floor(this.getAccessTokenExpireAt(context.wabe.config).getTime() / 1000),
 },
 secretKey,
- signOptions,
+ { ...signOptions, algorithm: JWT_ALGORITHM },
 )
 
 this.refreshToken = jwt.sign(
@@ -283,7 +291,7 @@ export class Session {
 exp: Math.floor(this.getRefreshTokenExpireAt(context.wabe.config).getTime() / 1000),
 },
 secretKey,
- signOptions,
+ { ...signOptions, algorithm: JWT_ALGORITHM },
 )
 
 const accessTokenEncrypted = encryptDeterministicToken(
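Review bot: The pinned `algorithms: [JWT_ALGORITHM]` in safeVerify is the security-relevant part of this hunk and deserves a comment, because it is deliberately placed after `...options` so that a caller-supplied `algorithms` can never widen the accepted set. A comment such as `// Always restrict verification to the algorithm we sign with; the token header must not be able to select a different one` would record that intent. It also means safeVerify now silently overrides any `algorithms` a caller passes in `options`; if that is intended, say so in the same comment, otherwise narrow the `Pick` so `algorithms` is not part of the accepted options. The closing brace of safeVerify lies outside the hunk.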
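Review bot: `algorithm: JWT_ALGORITHM` is now set twice for every token: once in the `signOptions` object built in this hunk, and again via `{ ...signOptions, algorithm: JWT_ALGORITHM }` at each `jwt.sign` call in the hunks at @@ -272, @@ -283, @@ -444 and @@ -455 (the `signOptions` hunk at @@ -430 repeats the same pattern). Pick one place: since `signOptions` already carries the algorithm, the call sites can pass `signOptions,` as they did before, which keeps a single source of truth and avoids the two drifting apart if the constant is ever changed in one spot. The enclosing method of the Session class starts and ends outside the hunk.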
@@ -430,7 +438,10 @@ export class Session {
 
 const nowSeconds = Math.floor(Date.now() / 1000)
 
- const signOptions: SignOptions = { jwtid: crypto.randomUUID() }
+ const signOptions: SignOptions = {
+ jwtid: crypto.randomUUID(),
+ algorithm: JWT_ALGORITHM,
+ }
 const audience = context.wabe.config.authentication?.session?.jwtAudience
 const issuer = context.wabe.config.authentication?.session?.jwtIssuer
 if (audience) signOptions.audience = audience
@@ -444,7 +455,7 @@ export class Session {
 exp: Math.floor(this.getAccessTokenExpireAt(context.wabe.config).getTime() / 1000),
 },
 secretKey,
- signOptions,
+ { ...signOptions, algorithm: JWT_ALGORITHM },
 )
 
 const newRefreshToken = jwt.sign(
@@ -455,7 +466,7 @@ export class Session {
 exp: Math.floor(this.getRefreshTokenExpireAt(context.wabe.config).getTime() / 1000),
 },
 secretKey,
- signOptions,
+ { ...signOptions, algorithm: JWT_ALGORITHM },
 )
 
 const newAccessTokenEncrypted = encryptDeterministicToken(