
Create JWT token in PowerShell for Ghost

Update

Managed to work around my problem with this method from GhostSharp:

    public static class ByteConvertor
    {
        public static byte[] StringToByteArray(string hex)
        {
            int NumberChars = hex.Length;
            byte[] bytes = new byte[NumberChars / 2];
            for (int i = 0; i < NumberChars; i += 2)
                bytes[i / 2] = Convert.ToByte(hex.Substring(i, 2), 16);
            return bytes;
        }
    }

Is there a better way to accomplish the same thing in C# or PowerShell? Am I missing some method on Encoding or Convert that would help me solve this?

I'm trying to construct a JWT token to authenticate against my Ghost Blog, but all of their samples are in JavaScript, Ruby and Python. Nothing in C# or PowerShell and I can't seem to make the correct conversion.

This is the code I have right now:

    $parts = $adminToken -split ":"
    $id = $parts[0]
    $secret= $parts[1]

    $secret= [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($secret)) | ConvertFrom-Base64UrlString | ConvertTo-Base64UrlString

    Install-Module -Name JWT

    $jwtToken = New-Jwt -Header (@{
        "alg" = "HS256"
        "kid" = $id
        "typ" = "JWT"
    }| ConvertTo-Json) -PayloadJson (@{
        "exp" = ([DateTimeOffset](Get-date).AddMinutes(5)).ToUnixTimeSeconds()
        "iat" = ([DateTimeOffset](Get-date)).ToUnixTimeSeconds()
        "aud" = "/admin/"
    } | ConvertTo-Json) -Secret $secret

    Invoke-RestMethod -Uri "https://scrumbug.ghost.io/ghost/api/admin/pages/$($trainingPage.id)" -Method PUT -Body ($trainingPage | ConvertTo-Json) -Headers @{Authorization="Ghost $jwtToken "}

But I keep getting complaints from Ghost that my token isn't correct:

  50 |  Invoke-RestMethod -Uri "https://scrumbug.ghost.io/ghost/api/admin/pag …
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | {"errors":[{"message":"Invalid token: invalid
     | signature","context":null,"type":"UnauthorizedError","details":null,"property":null,"help":null,"code":"INVALID_JWT","id":"069932a0-4009-11ed-afce-656a161cb24c","ghostErrorCode":null}]}

There are a number of samples in different languages, but I can't see what I'm missing anymore.

I suspect my error is in this line:

    $key = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($secret)) | ConvertFrom-Base64UrlString | ConvertTo-Base64UrlString

Which should be equivalent to:

    [secret].pack('H*')

Or:

    printf '%s' "${input}" | base64 | tr -d '=' | tr '+' '-' | tr '/' '_'

A sample token provided by Ghost in the admin panel used to construct the JWT token looks like $id:$secret:

THIS TOKEN HAS BEEN REVOKED AND IS NOT VALID.
644599e8733df7003d6fa66e:9aff4fdd6bb58957da5688a9cf0046a76bcc39b6b9ab16261123927f1caf5c94

It's indeed the conversion from the token to a byte[] that does the magic trick.

Thanks to a colleague, the magic line of code I was looking for is:

    [Convert]::FromHexString($secret)

Which does all the magic. Only works on PowerShell Core and .NET 5+.

The full solution to my problem:

    Install-Module -Name JWT

    $token = "id:secret" # Your token here
    $parts = $token -split ":"
    $id = $parts[0]
    $secretKey = $parts[1]
    $secretBytes = [Convert]::FromHexString($secretKey)

    $jwtToken = New-Jwt -Header (@{
        "alg" = "HS256"
        "kid" = $id
        "typ" = "JWT"
    }| ConvertTo-Json) -PayloadJson (@{
        "exp" = ([DateTimeOffset](Get-date).AddMinutes(5)).ToUnixTimeSeconds()
        "iat" = ([DateTimeOffset](Get-date)).ToUnixTimeSeconds()
        "aud" = "/admin/"
    } | ConvertTo-Json) -Secret $secretBytes

    Invoke-RestMethod -Uri "https://scrumbug.ghost.io/ghost/api/admin/pages/$($trainingPage.id)" `
        -Method PUT `
        -Body ($pageJson | ConvertTo-Json) `
        -Headers @{Authorization="Ghost $jwtToken "}

For a more complete walkthrough, see my blog.
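
An added example, not part of the question or answer above and not code from Ghost or GhostSharp: a module-free way to build the same HS256 token that also runs on Windows PowerShell 5.1, where `[Convert]::FromHexString` is unavailable. The function names and the sample key are assumptions constructed for illustration; the point it shows is that the HMAC key must be the hex-decoded bytes of the secret (32 bytes for a 64-character secret), not the ASCII bytes of the hex text.

```powershell
# Added example. Function names are hypothetical; the key below is constructed, not a real credential.
function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string]$Hex)
    # Reject malformed input instead of silently deriving a wrong HMAC key.
    if ($Hex.Length % 2 -ne 0 -or $Hex -notmatch '^[0-9a-fA-F]+\z') {
        throw 'Secret must be an even-length hexadecimal string.'
    }
    $bytes = [byte[]]::new($Hex.Length / 2)
    for ($i = 0; $i -lt $Hex.Length; $i += 2) {
        $bytes[$i / 2] = [Convert]::ToByte($Hex.Substring($i, 2), 16)
    }
    return ,$bytes   # leading comma keeps the byte[] from being unrolled
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # JWT uses unpadded base64url (RFC 7515): strip '=' and swap '+' '/' for '-' '_'.
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-GhostAdminJwt {
    param(
        [Parameter(Mandatory)][string]$AdminApiKey,  # "id:secret" as shown in the admin panel
        [int]$LifetimeMinutes = 5
    )
    $id, $secretHex = $AdminApiKey -split ':', 2
    if (-not $id -or -not $secretHex) { throw 'Expected a key of the form id:secret.' }
    [byte[]]$key = ConvertFrom-HexString $secretHex   # decoded bytes, not the ASCII text of the hex
    $now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $header  = [ordered]@{ alg = 'HS256'; kid = $id; typ = 'JWT' } | ConvertTo-Json -Compress
    $payload = [ordered]@{ iat = $now; exp = $now + 60 * $LifetimeMinutes; aud = '/admin/' } |
        ConvertTo-Json -Compress
    $utf8 = [Text.Encoding]::UTF8
    $signingInput = (ConvertTo-Base64Url ($utf8.GetBytes($header))) + '.' +
        (ConvertTo-Base64Url ($utf8.GetBytes($payload)))
    $hmac = [Security.Cryptography.HMACSHA256]::new($key)
    try {
        $signature = $hmac.ComputeHash($utf8.GetBytes($signingInput))
    } finally {
        $hmac.Dispose()
    }
    $signingInput + '.' + (ConvertTo-Base64Url $signature)
}

# Constructed sample key: 24 hex characters for the id, 64 for the secret.
$sampleKey = '0123456789abcdef01234567:' + ('00112233445566778899aabbccddeeff' * 2)
$jwt = New-GhostAdminJwt -AdminApiKey $sampleKey
$headers = @{ Authorization = "Ghost $jwt" }
```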
