I'm writing a reverse proxy in node.js/express to make API calls safer. Here's the code for decoding a JWE sent by google according to this documentation:
app.get('/checkGoogleToken', async (req, res) => {
const tokens = fs.readdirSync('./tokens/')
console.log('Checking Google Token')
const token = fs.readFileSync('./tokens/' + tokens[0], 'utf-8')
console.log(token)
const { plaintext, protectedHeader } = await jose.compactDecrypt(
token,
Buffer.from(process.env.DECRYPTION_KEY, "base64"
)); /* integrity_token is the token got from Integrity API response in the app.
DECRYPTION_KEY is found from Google Play Console */
console.log(protectedHeader);
console.log(new TextDecoder().decode(plaintext));
const { payload, Header = protectedHeader } = await jose.compactVerify(
plaintext,
crypto.createPublicKey("-----BEGIN PUBLIC KEY-----\n" +
process.env.VERIFICATION_KEY +
"\n-----END PUBLIC KEY-----")
)
I found the code here: Decrypt and verify locally Play Integrity API Token using NodeJS
However, even though the DECRYPTION_KEY is the one provided by Google, the decryption fails. The files in /tokens/ are plain text files containing the JWE token which my test phone saved after receiving them. There is one little detail, though. I am so far executing the app from expo via metro, i.e. not through a proper installation through the play store (in order to speed up testing)... could this lead to a different key being used to encrypt to JWE? Many thanks!
