fix: drop dependency on jwk-to-pem by using native crypto

[dgl]

This replaces jwk-to-pem with simply using crypto.createPublicKey. This further drops elliptic from the dependency tree, which has known security issues (note this is mostly for hygiene as jwk-to-pem doesn't use the vulnerable code paths, per
Brightspace/node-jwk-to-pem#187).

[netlify]

✅ Deploy Preview for endearing-brigadeiros-63f9d0 canceled.

Name	Link
🔨 Latest commit	6e45775
🔍 Latest deploy log	https://app.netlify.com/projects/endearing-brigadeiros-63f9d0/deploys/69245104a73b5f00081f67e1

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: dgl / name: David Leadbeater (1ee2b91)
• ✅ login: jescalada / name: Juan Escalada (2c80fbf, 6e45775)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.35%. Comparing base (85e418f) to head (6e45775).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1283   +/-   ##
=======================================
  Coverage   83.35%   83.35%           
=======================================
  Files          70       70           
  Lines        3004     3004           
  Branches      499      499           
=======================================
  Hits         2504     2504           
  Misses        397      397           
  Partials      103      103           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jescalada]

Looks good to me! I added a test that uses crypto.createPublicKey, but it still injects the getJwks stub function for validateJwt. Do you think this is sufficient? @dgl

it('should validate a JWT generated with crypto.createPublicKey', async () => {
  const { privateKey, publicKey } = generateRsaKeyPair();
  const jwk = publicKeyToJwk(publicKey, 'my-kid');

  const tokenPayload = jwt.sign(
    {
      sub: 'user123',
      azp: 'client-id',
      admin: 'admin',
    },
    privateKey,
    {
      algorithm: 'RS256',
      issuer: 'https://issuer.com',
      audience: 'client-id',
      keyid: 'my-kid',
    }
  );

  const getJwksStub = sinon.stub().resolves([jwk]);

  const { verifiedPayload, error } = await validateJwt(
    tokenPayload,
    'https://issuer.com',
    'client-id',
    'client-id',
    getJwksStub
  );

  expect(error).to.be.null;
  expect(verifiedPayload.sub).to.equal('user123');
  expect(verifiedPayload.admin).to.equal('admin');
});