Unable to use ES256 as jwt sign/verify algorithm

[AndrewKahr]

I just started using Verdaccio so it is very possible that I have misconfigured something, but when I try to set the jwt algorithm to ES256 as specified as an option in the jsonwebtoken library I get the following error in the log and verdaccio crashes:

verdaccio  | fatal--- uncaught exception, please report this
verdaccio  | Error: secretOrPrivateKey must be an asymmetric key when using ES256
verdaccio  |     at module.exports [as sign] (/usr/local/lib/node_modules/verdaccio/node_modules/jsonwebtoken/sign.js:130:22)
verdaccio  |     at /usr/local/lib/node_modules/verdaccio/node_modules/@verdaccio/signature/build/jwt-token.js:22:27
verdaccio  |     at new Promise (<anonymous>)
verdaccio  |     at signPayload (/usr/local/lib/node_modules/verdaccio/node_modules/@verdaccio/signature/build/jwt-token.js:20:10)
verdaccio  |     at Auth.jwtEncrypt (/usr/local/lib/node_modules/verdaccio/build/lib/auth.js:471:52)
verdaccio  |     at /usr/local/lib/node_modules/verdaccio/build/api/web/api/user.js:28:29
verdaccio  |     at /usr/local/lib/node_modules/verdaccio/build/lib/auth.js:129:18
verdaccio  |     at /usr/local/lib/node_modules/verdaccio/node_modules/verdaccio-htpasswd/build/htpasswd.js:122:14

From what I gather, I need to set up a keypair for it to use to sign with but I can't quite find where I can provide the paths for the public/private keys.

I am running Verdaccio inside docker using the latest v5 image (5.28.0) and have it running behind an nginx proxy. Below is the security section inside my config file:

security:
  api:
    jwt:
      sign:
        expiresIn: 29d
        algorithm: ES256
      verify:
        algorithms: ['ES256']
  web:
    sign:
      expiresIn: 1h # 1 hour by default
      algorithm: ES256
    verify:
      algorithms: ['ES256']

Any guidance on this would be much appreciated!

[juanpicado]

I am not sure to be honest verdaccio only pass down those props to jsomwebtoken library you might need to search over there instead.

[AndrewKahr]

See the thing that confuses me is I don't see how to pass the prop down to the library. The library wants either a symmetric secret or the path to the public/private key. When I dig through verdaccio, I see the secret is set by an undocumented parameter called secret in the config file. However that's only one variable and not two so there's no way to differentiate between public and private keys. It also gets filled with something even though secret is not a field in my config file (would love to know what exactly is being set here).