0http-bun 1.2.0 → 1.2.2

package/README.md

@@ -206,11 +206,14 @@ Bun.serve({
 
 0http-bun includes a comprehensive middleware system with built-in middlewares for common use cases:
 
+> 📦 **Note**: Starting with v1.2.2, some middleware dependencies are optional. Install only what you need: `jose` (JWT), `pino` (Logger), `prom-client` (Prometheus).
+
 - **[Body Parser](./lib/middleware/README.md#body-parser)** - Automatic request body parsing (JSON, form data, text)
 - **[CORS](./lib/middleware/README.md#cors)** - Cross-Origin Resource Sharing with flexible configuration
 - **[JWT Authentication](./lib/middleware/README.md#jwt-authentication)** - JSON Web Token authentication and authorization
 - **[Logger](./lib/middleware/README.md#logger)** - Request logging with multiple output formats
 - **[Rate Limiting](./lib/middleware/README.md#rate-limiting)** - Flexible rate limiting with sliding window support
+- **[Prometheus Metrics](./lib/middleware/README.md#prometheus-metrics)** - Export metrics for monitoring and alerting
 
 ### Quick Example
 

package/lib/middleware/README.md

@@ -2,6 +2,30 @@
 
 0http-bun provides a comprehensive middleware system with built-in middlewares for common use cases. All middleware functions are TypeScript-ready and follow the standard middleware pattern.
 
+## Dependency Installation
+
+⚠️ **Important**: Starting with v1.2.2, middleware dependencies are now **optional** and must be installed separately when needed. This reduces the framework's footprint and improves startup performance through lazy loading.
+
+Install only the dependencies you need:
+
+```bash
+# For JWT Authentication middleware
+bun install jose
+
+# For Logger middleware
+bun install pino
+
+# For Prometheus Metrics middleware
+bun install prom-client
+```
+
+**Benefits of Lazy Loading:**
+
+- 📦 **Smaller Bundle**: Only install what you use
+- ⚡ **Faster Startup**: Dependencies loaded only when middleware is used
+- 💾 **Lower Memory**: Reduced initial memory footprint
+- 🔧 **Better Control**: Explicit dependency management
+
 ## Table of Contents
 
 - [Middleware Pattern](#middleware-pattern)
@@ -10,6 +34,7 @@
   - [CORS](#cors)
   - [JWT Authentication](#jwt-authentication)
   - [Logger](#logger)
+  - [Prometheus Metrics](#prometheus-metrics)
   - [Rate Limiting](#rate-limiting)
 - [Creating Custom Middleware](#creating-custom-middleware)
 
@@ -50,6 +75,7 @@ import {
   createLogger,
   createJWTAuth,
   createRateLimit,
+  createPrometheusIntegration,
 } from '0http-bun/lib/middleware'
 ```
 
@@ -65,6 +91,9 @@ const {
   createJWTAuth,
   createLogger,
   createRateLimit,
+  createPrometheusMiddleware,
+  createMetricsHandler,
+  createPrometheusIntegration,
 } = require('0http-bun/lib/middleware')
 ```
 
@@ -78,6 +107,9 @@ import {
   createJWTAuth,
   createLogger,
   createRateLimit,
+  createPrometheusMiddleware,
+  createMetricsHandler,
+  createPrometheusIntegration,
 } from '0http-bun/lib/middleware'
 
 // Import types
@@ -94,6 +126,8 @@ import type {
 
 Automatically parses request bodies based on Content-Type header.
 
+> ✅ **No additional dependencies required** - Uses Bun's built-in parsing capabilities.
+
 ```javascript
 const {createBodyParser} = require('0http-bun/lib/middleware')
 
@@ -142,6 +176,8 @@ router.use(createBodyParser(bodyParserOptions))
 
 Cross-Origin Resource Sharing middleware with flexible configuration.
 
+> ✅ **No additional dependencies required** - Built-in CORS implementation.
+
 ```javascript
 const {createCORS} = require('0http-bun/lib/middleware')
 
@@ -173,7 +209,7 @@ router.use(
     },
   }),
 )
-````
+```
 
 **TypeScript Usage:**
 
@@ -194,6 +230,8 @@ router.use(createCORS(corsOptions))
 
 JSON Web Token authentication and authorization middleware with support for static secrets, JWKS endpoints, and API key authentication.
 
+> 📦 **Required dependency**: `bun install jose`
+
 #### Basic JWT with Static Secret
 
 ```javascript
@@ -445,6 +483,9 @@ router.get('/api/profile', (req) => {
 
 Request logging middleware with customizable output formats.
 
+> 📦 **Required dependency for structured logging**: `bun install pino`  
+> ✅ **Simple logger** (`simpleLogger`) has no dependencies - uses `console.log`
+
 ```javascript
 const {createLogger, simpleLogger} = require('0http-bun/lib/middleware')
 
@@ -503,10 +544,228 @@ router.use(createLogger(loggerOptions))
 - `tiny` - Minimal output
 - `dev` - Development-friendly colored output
 
+### Prometheus Metrics
+
+Comprehensive Prometheus metrics integration for monitoring and observability with built-in security and performance optimizations.
+
+> 📦 **Required dependency**: `bun install prom-client`
+
+```javascript
+const {
+  createPrometheusMiddleware,
+  createMetricsHandler,
+  createPrometheusIntegration,
+} = require('0http-bun/lib/middleware')
+
+// Simple setup with default metrics
+const prometheus = createPrometheusIntegration()
+
+router.use(prometheus.middleware)
+router.get('/metrics', prometheus.metricsHandler)
+```
+
+#### Default Metrics Collected
+
+The Prometheus middleware automatically collects:
+
+- **HTTP Request Duration** - Histogram of request durations in seconds (buckets: 0.001, 0.005, 0.015, 0.05, 0.1, 0.2, 0.3, 0.4, 0.5, 1, 2, 5, 10)
+- **HTTP Request Count** - Counter of total requests by method, route, and status
+- **HTTP Request Size** - Histogram of request body sizes (buckets: 1B, 10B, 100B, 1KB, 10KB, 100KB, 1MB, 10MB)
+- **HTTP Response Size** - Histogram of response body sizes (buckets: 1B, 10B, 100B, 1KB, 10KB, 100KB, 1MB, 10MB)
+- **Active Connections** - Gauge of currently active HTTP connections
+- **Node.js Metrics** - Memory usage, CPU, garbage collection (custom buckets), event loop lag (5ms precision)
+
+#### Advanced Configuration
+
+```javascript
+const {
+  createPrometheusMiddleware,
+  createMetricsHandler,
+  createPrometheusIntegration,
+} = require('0http-bun/lib/middleware')
+
+const prometheus = createPrometheusIntegration({
+  // Control default Node.js metrics collection
+  collectDefaultMetrics: true,
+
+  // Exclude paths from metrics collection (optimized for performance)
+  excludePaths: ['/health', '/ping', '/favicon.ico'],
+
+  // Skip certain HTTP methods
+  skipMethods: ['OPTIONS'],
+
+  // Custom route normalization with security controls
+  normalizeRoute: (req) => {
+    const url = new URL(req.url, 'http://localhost')
+    return url.pathname
+      .replace(/\/users\/\d+/, '/users/:id')
+      .replace(/\/api\/v\d+/, '/api/:version')
+  },
+
+  // Add custom labels with automatic sanitization
+  extractLabels: (req, response) => {
+    return {
+      user_type: req.headers.get('x-user-type') || 'anonymous',
+      api_version: req.headers.get('x-api-version') || 'v1',
+    }
+  },
+
+  // Use custom metrics object instead of default metrics
+  metrics: customMetricsObject,
+})
+```
+
+#### Custom Business Metrics
+
+```javascript
+const {
+  createPrometheusIntegration,
+} = require('0http-bun/lib/middleware')
+
+// Get the prometheus client from the integration
+const prometheus = createPrometheusIntegration()
+const {promClient} = prometheus
+
+// Create custom metrics
+const orderCounter = new promClient.Counter({
+  name: 'orders_total',
+  help: 'Total number of orders processed',
+  labelNames: ['status', 'payment_method'],
+})
+
+const orderValue = new promClient.Histogram({
+  name: 'order_value_dollars',
+  help: 'Value of orders in dollars',
+  labelNames: ['payment_method'],
+  buckets: [10, 50, 100, 500, 1000, 5000],
+})
+
+// Use in your routes
+router.post('/orders', async (req) => {
+  const order = await processOrder(req.body)
+
+  // Record custom metrics
+  orderCounter.inc({
+    status: order.status,
+    payment_method: order.payment_method,
+  })
+
+  if (order.status === 'completed') {
+    orderValue.observe(
+      {
+        payment_method: order.payment_method,
+      },
+      order.amount,
+    )
+  }
+
+  return Response.json(order)
+})
+```
+
+#### Metrics Endpoint Options
+
+```javascript
+const {createMetricsHandler} = require('0http-bun/lib/middleware')
+
+// Custom metrics endpoint
+const metricsHandler = createMetricsHandler({
+  endpoint: '/custom-metrics', // Default: '/metrics'
+  registry: customRegistry, // Default: promClient.register
+})
+
+router.get('/custom-metrics', metricsHandler)
+```
+
+#### Route Normalization & Security
+
+The middleware automatically normalizes routes and implements security measures to prevent high cardinality and potential attacks:
+
+```javascript
+// URLs like these:
+// /users/123, /users/456, /users/789
+// Are normalized to: /users/:id
+
+// /products/abc-123, /products/def-456
+// Are normalized to: /products/:slug
+
+// /api/v1/data, /api/v2/data
+// Are normalized to: /api/:version/data
+
+// Route sanitization examples:
+// /users/:id → _users__id (special characters replaced with underscores)
+// /api/v1/orders → _api_v1_orders
+// Very long tokens → _api__token (pattern-based normalization)
+```
+
+**Route Sanitization:**
+
+- Special characters (`/`, `:`, etc.) are replaced with underscores (`_`) for Prometheus compatibility
+- UUIDs are automatically normalized to `:id` patterns
+- Long tokens (>20 characters) are normalized to `:token` patterns
+- Numeric IDs are normalized to `:id` patterns
+- Route complexity is limited to 10 segments maximum
+
+**Security Features:**
+
+- **Label Sanitization**: Removes potentially dangerous characters from metric labels and truncates values to 100 characters
+- **Cardinality Limits**: Prevents memory exhaustion from too many unique metric combinations
+- **Route Complexity Limits**: Caps the number of route segments to 10 to prevent DoS attacks
+- **Size Limits**: Limits request/response body size processing (up to 100MB) to prevent memory issues
+- **Header Processing Limits**: Caps the number of headers processed per request (50 for requests, 20 for responses)
+- **URL Processing**: Handles both full URLs and pathname-only URLs with proper fallback handling
+
+#### Performance Optimizations
+
+- **Fast Path for Excluded Routes**: Bypasses all metric collection for excluded paths with smart URL parsing
+- **Lazy Evaluation**: Only processes metrics when actually needed
+- **Efficient Size Calculation**: Optimized request/response size measurement with capping at 1MB estimation
+- **Error Handling**: Graceful handling of malformed URLs and invalid data with fallback mechanisms
+- **Header Count Limits**: Prevents excessive header processing overhead (50 request headers, 20 response headers)
+- **Smart URL Parsing**: Handles both full URLs and pathname-only URLs efficiently
+
+#### Production Considerations
+
+- **Performance**: Adds <1ms overhead per request with optimized fast paths
+- **Memory**: Metrics stored in memory with cardinality controls; use recording rules for high cardinality
+- **Security**: Built-in protections against label injection and cardinality bombs
+- **Cardinality**: Automatic limits prevent high cardinality issues
+- **Monitoring**: Consider protecting `/metrics` endpoint in production
+
+#### Integration with Monitoring
+
+```yaml
+# prometheus.yml
+scrape_configs:
+  - job_name: '0http-bun-app'
+    static_configs:
+      - targets: ['localhost:3000']
+    scrape_interval: 15s
+    metrics_path: /metrics
+```
+
+#### Troubleshooting
+
+**Common Issues:**
+
+- **High Memory Usage**: Check for high cardinality metrics. Route patterns should be normalized (e.g., `/users/:id` not `/users/12345`)
+- **Missing Metrics**: Ensure paths aren't in `excludePaths` and HTTP methods aren't in `skipMethods`
+- **Route Sanitization**: Routes are automatically sanitized (special characters become underscores: `/users/:id` → `_users__id`)
+- **URL Parsing Errors**: The middleware handles both full URLs and pathname-only URLs with graceful fallback
+
+**Performance Tips:**
+
+- Use `excludePaths` for health checks and static assets
+- Consider using `skipMethods` for OPTIONS requests
+- Monitor memory usage in production for metric cardinality
+- Use Prometheus recording rules for high-cardinality aggregations
+
 ### Rate Limiting
 
 Configurable rate limiting middleware with multiple store options.
 
+> ✅ **No additional dependencies required** - Uses built-in memory store.
+
 ```javascript
 const {createRateLimit, MemoryStore} = require('0http-bun/lib/middleware')
 
@@ -590,15 +849,127 @@ class CustomStore implements RateLimitStore {
 }
 ```
 
-````
+#### Sliding Window Rate Limiter
+
+For more precise rate limiting, use the sliding window implementation that **prevents burst traffic** at any point in time:
+
+```javascript
+const {createSlidingWindowRateLimit} = require('0http-bun/lib/middleware')
+
+// Basic sliding window rate limiter
+router.use(
+  createSlidingWindowRateLimit({
+    windowMs: 60 * 1000, // 1 minute sliding window
+    max: 10, // Max 10 requests per minute
+    keyGenerator: (req) => req.headers.get('x-forwarded-for') || 'default',
+  }),
+)
+```
+
+**TypeScript Usage:**
+
+```typescript
+import {createSlidingWindowRateLimit} from '0http-bun/lib/middleware'
+import type {RateLimitOptions} from '0http-bun/lib/middleware'
+
+const slidingOptions: RateLimitOptions = {
+  windowMs: 60 * 1000, // 1 minute
+  max: 10, // 10 requests max
+  keyGenerator: (req) => req.user?.id || req.headers.get('x-forwarded-for'),
+  handler: (req, hits, max, resetTime) => {
+    return Response.json(
+      {
+        error: 'Rate limit exceeded',
+        retryAfter: Math.ceil((resetTime.getTime() - Date.now()) / 1000),
+        limit: max,
+        used: hits,
+      },
+      {status: 429},
+    )
+  },
+}
+
+router.use(createSlidingWindowRateLimit(slidingOptions))
+```
+
+**How Sliding Window Differs from Fixed Window:**
+
+The sliding window approach provides **more accurate and fair rate limiting** by tracking individual request timestamps:
+
+- **Fixed Window**: Divides time into discrete chunks (e.g., 09:00:00-09:00:59, 09:01:00-09:01:59)
+  - ⚠️ **Problem**: Allows burst traffic at window boundaries (20 requests in 2 seconds)
+- **Sliding Window**: Uses a continuous, moving time window from current moment
+  - ✅ **Advantage**: Prevents bursts at any point in time (true rate limiting)
+
+**Use Cases for Sliding Window:**
+
+```javascript
+// Financial API - Zero tolerance for payment bursts
+router.use(
+  '/api/payments/*',
+  createSlidingWindowRateLimit({
+    windowMs: 60 * 1000, // 1 minute
+    max: 3, // Only 3 payment attempts per minute
+    keyGenerator: (req) => req.user.accountId,
+  }),
+)
+
+// User Registration - Prevent automated signups
+router.use(
+  '/api/register',
+  createSlidingWindowRateLimit({
+    windowMs: 3600 * 1000, // 1 hour
+    max: 3, // 3 accounts per IP per hour
+    keyGenerator: (req) => req.headers.get('x-forwarded-for'),
+  }),
+)
+
+// File Upload - Prevent abuse
+router.use(
+  '/api/upload',
+  createSlidingWindowRateLimit({
+    windowMs: 300 * 1000, // 5 minutes
+    max: 10, // 10 uploads per 5 minutes
+    keyGenerator: (req) => req.user.id,
+  }),
+)
+```
+
+**Performance Considerations:**
+
+- **Memory Usage**: Higher than fixed window (stores timestamp arrays)
+- **Time Complexity**: O(n) per request where n = requests in window
+- **Best For**: Critical APIs, financial transactions, user-facing features
+- **Use Fixed Window For**: High-volume APIs where approximate limiting is acceptable
+
+**Advanced Configuration:**
+
+```typescript
+// Tiered rate limiting based on user level
+const createTieredRateLimit = (req) => {
+  const userTier = req.user?.tier || 'free'
+  const configs = {
+    free: {windowMs: 60 * 1000, max: 10},
+    premium: {windowMs: 60 * 1000, max: 100},
+    enterprise: {windowMs: 60 * 1000, max: 1000},
+  }
+  return createSlidingWindowRateLimit(configs[userTier])
+}
+```
 
 **Rate Limit Headers:**
 
+Both rate limiters send the following headers when `standardHeaders: true`:
+
 - `X-RateLimit-Limit` - Request limit
 - `X-RateLimit-Remaining` - Remaining requests
 - `X-RateLimit-Reset` - Reset time (Unix timestamp)
 - `X-RateLimit-Used` - Used requests
 
+**Error Handling:**
+
+Rate limiting middleware allows errors to bubble up as proper HTTP 500 responses. If your `keyGenerator` function or custom `store.increment()` method throws an error, it will not be caught and masked - the error will propagate up the middleware chain for proper error handling.
+
 ## Creating Custom Middleware
 
 ### Basic Middleware
@@ -619,7 +990,7 @@ const customMiddleware = (req: ZeroRequest, next: StepFunction) => {
 }
 
 router.use(customMiddleware)
-````
+```
 
 ### Async Middleware
 
@@ -682,8 +1053,8 @@ Apply middleware only to specific paths:
 
 ```typescript
 // API-only middleware
-router.use('/api/*', jwtAuth({secret: 'api-secret'}))
-router.use('/api/*', rateLimit({max: 1000}))
+router.use('/api/*', createJWTAuth({secret: 'api-secret'}))
+router.use('/api/*', createRateLimit({max: 1000}))
 
 // Admin-only middleware
 router.use('/admin/*', adminAuthMiddleware)
@@ -755,4 +1126,24 @@ router.get('/api/public/status', () => Response.json({status: 'ok'}))
 router.get('/api/protected/data', (req) => Response.json({user: req.user}))
 ```
 
+## Dependency Summary
+
+For your convenience, here's a quick reference of which dependencies you need to install for each middleware:
+
+| Middleware              | Dependencies Required | Install Command           |
+| ----------------------- | --------------------- | ------------------------- |
+| **Body Parser**         | ✅ None               | Built-in                  |
+| **CORS**                | ✅ None               | Built-in                  |
+| **Rate Limiting**       | ✅ None               | Built-in                  |
+| **Logger** (simple)     | ✅ None               | Built-in                  |
+| **Logger** (structured) | 📦 `pino`             | `bun install pino`        |
+| **JWT Authentication**  | 📦 `jose`             | `bun install jose`        |
+| **Prometheus Metrics**  | 📦 `prom-client`      | `bun install prom-client` |
+
+**Install all optional dependencies at once:**
+
+```bash
+bun install pino jose prom-client
+```
+
 This middleware stack provides a solid foundation for most web applications with security, logging, and performance features built-in.

package/lib/middleware/index.d.ts

@@ -1,5 +1,4 @@
-import {RequestHandler, ZeroRequest, StepFunction} from '../../common'
-import {Logger} from 'pino'
+import {RequestHandler, ZeroRequest} from '../../common'
 
 // Logger middleware types
 export interface LoggerOptions {
@@ -234,3 +233,68 @@ export function createMultipartParser(
 export function createBodyParser(options?: BodyParserOptions): RequestHandler
 export function hasBody(req: ZeroRequest): boolean
 export function shouldParse(req: ZeroRequest, type: string): boolean
+
+// Prometheus metrics middleware types
+export interface PrometheusMetrics {
+  httpRequestDuration: any // prom-client Histogram
+  httpRequestTotal: any // prom-client Counter
+  httpRequestSize: any // prom-client Histogram
+  httpResponseSize: any // prom-client Histogram
+  httpActiveConnections: any // prom-client Gauge
+}
+
+export interface PrometheusMiddlewareOptions {
+  /** Custom metrics object to use instead of default metrics */
+  metrics?: PrometheusMetrics
+  /** Paths to exclude from metrics collection (default: ['/health', '/ping', '/favicon.ico', '/metrics']) */
+  excludePaths?: string[]
+  /** Whether to collect default Node.js metrics (default: true) */
+  collectDefaultMetrics?: boolean
+  /** Custom route normalization function */
+  normalizeRoute?: (req: ZeroRequest) => string
+  /** Custom label extraction function */
+  extractLabels?: (
+    req: ZeroRequest,
+    response: Response,
+  ) => Record<string, string>
+  /** HTTP methods to skip from metrics collection */
+  skipMethods?: string[]
+}
+
+export interface MetricsHandlerOptions {
+  /** The endpoint path for metrics (default: '/metrics') */
+  endpoint?: string
+  /** Custom Prometheus registry to use */
+  registry?: any // prom-client Registry
+}
+
+export interface PrometheusIntegration {
+  /** The middleware function */
+  middleware: RequestHandler
+  /** The metrics handler function */
+  metricsHandler: RequestHandler
+  /** The Prometheus registry */
+  registry: any // prom-client Registry
+  /** The prom-client module */
+  promClient: any
+}
+
+export function createPrometheusMiddleware(
+  options?: PrometheusMiddlewareOptions,
+): RequestHandler
+export function createMetricsHandler(
+  options?: MetricsHandlerOptions,
+): RequestHandler
+export function createPrometheusIntegration(
+  options?: PrometheusMiddlewareOptions & MetricsHandlerOptions,
+): PrometheusIntegration
+export function createDefaultMetrics(): PrometheusMetrics
+export function extractRoutePattern(req: ZeroRequest): string
+
+// Simple interface exports for common use cases
+export const logger: typeof createLogger
+export const jwtAuth: typeof createJWTAuth
+export const rateLimit: typeof createRateLimit
+export const cors: typeof createCORS
+export const bodyParser: typeof createBodyParser
+export const prometheus: typeof createPrometheusIntegration

package/lib/middleware/index.js

@@ -4,6 +4,7 @@ const jwtAuthModule = require('./jwt-auth')
 const rateLimitModule = require('./rate-limit')
 const corsModule = require('./cors')
 const bodyParserModule = require('./body-parser')
+const prometheusModule = require('./prometheus')
 
 module.exports = {
   // Simple interface for common use cases (matches test expectations)
@@ -12,6 +13,7 @@ module.exports = {
   rateLimit: rateLimitModule.createRateLimit,
   cors: corsModule.createCORS,
   bodyParser: bodyParserModule.createBodyParser,
+  prometheus: prometheusModule.createPrometheusIntegration,
 
   // Complete factory functions for advanced usage
   createLogger: loggerModule.createLogger,
@@ -42,4 +44,11 @@ module.exports = {
   createBodyParser: bodyParserModule.createBodyParser,
   hasBody: bodyParserModule.hasBody,
   shouldParse: bodyParserModule.shouldParse,
+
+  // Prometheus metrics middleware
+  createPrometheusMiddleware: prometheusModule.createPrometheusMiddleware,
+  createMetricsHandler: prometheusModule.createMetricsHandler,
+  createPrometheusIntegration: prometheusModule.createPrometheusIntegration,
+  createDefaultMetrics: prometheusModule.createDefaultMetrics,
+  extractRoutePattern: prometheusModule.extractRoutePattern,
 }

package/lib/middleware/jwt-auth.js

@@ -1,4 +1,17 @@
-const {jwtVerify, createRemoteJWKSet, errors} = require('jose')
+// Lazy load jose to improve startup performance
+let joseLib = null
+function loadJose() {
+  if (!joseLib) {
+    try {
+      joseLib = require('jose')
+    } catch (error) {
+      throw new Error(
+        'jose is required for JWT middleware. Install it with: bun install jose',
+      )
+    }
+  }
+  return joseLib
+}
 
 /**
  * Creates JWT authentication middleware
@@ -60,6 +73,7 @@ function createJWTAuth(options = {}) {
       keyLike = jwks
     }
   } else if (jwksUri) {
+    const {createRemoteJWKSet} = loadJose()
     keyLike = createRemoteJWKSet(new URL(jwksUri))
   } else if (typeof secret === 'function') {
     keyLike = secret
@@ -143,6 +157,7 @@ function createJWTAuth(options = {}) {
       }
 
       // Verify JWT token
+      const {jwtVerify} = loadJose()
       const {payload, protectedHeader} = await jwtVerify(
         token,
         keyLike,
@@ -302,16 +317,19 @@ function handleAuthError(error, handlers = {}, req) {
     message = 'Invalid API key'
   } else if (error.message === 'JWT verification not configured') {
     message = 'JWT verification not configured'
-  } else if (error instanceof errors.JWTExpired) {
-    message = 'Token expired'
-  } else if (error instanceof errors.JWTInvalid) {
-    message = 'Invalid token format'
-  } else if (error instanceof errors.JWKSNoMatchingKey) {
-    message = 'Token signature verification failed'
-  } else if (error.message.includes('audience')) {
-    message = 'Invalid token audience'
-  } else if (error.message.includes('issuer')) {
-    message = 'Invalid token issuer'
+  } else {
+    const {errors} = loadJose()
+    if (error instanceof errors.JWTExpired) {
+      message = 'Token expired'
+    } else if (error instanceof errors.JWTInvalid) {
+      message = 'Invalid token format'
+    } else if (error instanceof errors.JWKSNoMatchingKey) {
+      message = 'Token signature verification failed'
+    } else if (error.message.includes('audience')) {
+      message = 'Invalid token audience'
+    } else if (error.message.includes('issuer')) {
+      message = 'Invalid token issuer'
+    }
   }
 
   return new Response(JSON.stringify({error: message}), {