@arcblock/jwt 1.18.166 → 1.19.0

package/esm/index.d.ts

@@ -0,0 +1,58 @@
+import { BytesType } from '@ocap/util';
+export type JwtBody = {
+    iss: string;
+    iat: string;
+    nbf: string;
+    exp: string;
+    version: string;
+    [key: string]: any;
+};
+export type JwtHeader = {
+    alg: string;
+    type: 'JWT';
+};
+export type JwtToken = {
+    header: JwtHeader;
+    body: JwtBody;
+    signature: string;
+};
+export type JwtVerifyOptions = Partial<{
+    tolerance: number;
+    enforceTimestamp: boolean;
+    signerKey: string;
+}>;
+/**
+ *
+ *
+ * @param {string} signer - address string
+ * @param {string} sk - hex encoded secret key
+ * @param {*} [payload={}] - data to be included before signing
+ * @param {boolean} [doSign=true] - do we need to sign the payload or just return the content to be signed
+ * @param {string} [version='1.0.0']
+ * @return {*}  {string} - hex encoded signature
+ */
+export declare function sign(signer: string, sk?: BytesType, payload?: {}, doSign?: boolean, version?: string): string;
+export declare function signV2(signer: string, sk?: BytesType, payload?: any): string;
+export declare function decode(token: string, bodyOnly?: true): JwtBody;
+export declare function decode(token: string, bodyOnly?: false): JwtToken;
+/**
+ * Verify a jwt token
+ *
+ * @param {string} token  - the jwt token
+ * @param {string} signerPk - signer public key
+ * @param {{
+ *     tolerance: number; - number of seconds to tolerant expire
+ *     enforceTimestamp: boolean; - whether should be verify timestamps?
+ *     signerKey: string; - which field should be used to pick the signer
+ *   }} [{
+ *     tolerance,
+ *     enforceTimestamp,
+ *     signerKey,
+ *   }={
+ *       tolerance: 5,
+ *       enforceTimestamp: true,
+ *       signerKey: 'iss',
+ *     }]
+ * @return {*}  {boolean}
+ */
+export declare function verify(token: string, signerPk: BytesType, options?: JwtVerifyOptions): Promise<boolean>;

package/esm/index.js

@@ -0,0 +1,185 @@
+/* eslint-disable @typescript-eslint/ban-ts-comment */
+import stringify from 'json-stable-stringify';
+import semver from 'semver';
+import { toHex, toBase64, fromBase64 } from '@ocap/util';
+import { toDid, toStrictHex, toTypeInfo, isValid, isFromPublicKey } from '@arcblock/did';
+import { types, getSigner, Hasher } from '@ocap/mcrypto';
+import Debug from 'debug';
+const debug = Debug('@arcblock/jwt');
+// we start hashing before signing after 1.1
+const JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN = '1.1.0';
+// since ios requires a fixed length of input to sign, we use sha3 here before sign
+const hasher = Hasher.SHA3.hash256;
+/**
+ *
+ *
+ * @param {string} signer - address string
+ * @param {string} sk - hex encoded secret key
+ * @param {*} [payload={}] - data to be included before signing
+ * @param {boolean} [doSign=true] - do we need to sign the payload or just return the content to be signed
+ * @param {string} [version='1.0.0']
+ * @return {*}  {string} - hex encoded signature
+ */
+export function sign(signer, sk, payload = {}, doSign = true, version = '1.0.0') {
+    if (isValid(signer) === false) {
+        throw new Error('Cannot do sign with invalid signer');
+    }
+    const type = toTypeInfo(signer);
+    const headers = {
+        [types.KeyType.SECP256K1]: {
+            alg: 'ES256K',
+            type: 'JWT',
+        },
+        [types.KeyType.ED25519]: {
+            alg: 'Ed25519',
+            type: 'JWT',
+        },
+        [types.KeyType.ETHEREUM]: {
+            alg: 'Ethereum',
+            type: 'JWT',
+        },
+        [types.KeyType.PASSKEY]: {
+            alg: 'Passkey',
+            type: 'JWT',
+        },
+    };
+    // make header
+    const header = headers[type.pk];
+    const headerB64 = toBase64(stringify(header));
+    // make body
+    const now = Math.floor(Date.now() / 1000);
+    const body = {
+        iss: toDid(signer),
+        iat: String(now),
+        nbf: String(now),
+        exp: String(now + 5 * 60),
+        version,
+        ...(payload || {}),
+    };
+    // remove empty keys
+    Object.keys(body).forEach((x) => {
+        if (typeof body[x] === 'undefined' || body[x] == null || body[x] === '') {
+            delete body[x];
+        }
+    });
+    const bodyB64 = toBase64(stringify(body));
+    debug('sign.body', body);
+    // @ts-ignore make signature
+    const msgHex = toHex(`${headerB64}.${bodyB64}`);
+    const msgHash = semver.gte(semver.coerce(version).version, JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN)
+        ? hasher(msgHex)
+        : msgHex;
+    // istanbul ignore if
+    if (!doSign) {
+        return `${headerB64}.${bodyB64}`;
+    }
+    const sigHex = getSigner(type.pk).sign(msgHash, sk);
+    const sigB64 = toBase64(sigHex);
+    return [headerB64, bodyB64, sigB64].join('.');
+}
+export function signV2(signer, sk, payload = {}) {
+    return sign(signer, sk, payload, !!sk, '1.1.0');
+}
+export function decode(token, bodyOnly = true) {
+    const [headerB64, bodyB64, sigB64] = token.split('.');
+    const header = JSON.parse(fromBase64(headerB64).toString());
+    const body = JSON.parse(fromBase64(bodyB64).toString());
+    const sig = Buffer.from(fromBase64(sigB64)).toString('hex');
+    if (bodyOnly) {
+        return body;
+    }
+    return { header, body, signature: `0x${toStrictHex(sig)}` };
+}
+/**
+ * Verify a jwt token
+ *
+ * @param {string} token  - the jwt token
+ * @param {string} signerPk - signer public key
+ * @param {{
+ *     tolerance: number; - number of seconds to tolerant expire
+ *     enforceTimestamp: boolean; - whether should be verify timestamps?
+ *     signerKey: string; - which field should be used to pick the signer
+ *   }} [{
+ *     tolerance,
+ *     enforceTimestamp,
+ *     signerKey,
+ *   }={
+ *       tolerance: 5,
+ *       enforceTimestamp: true,
+ *       signerKey: 'iss',
+ *     }]
+ * @return {*}  {boolean}
+ */
+// eslint-disable-next-line require-await
+export async function verify(token, signerPk, options) {
+    const { tolerance, enforceTimestamp, signerKey } = Object.assign({
+        tolerance: 5,
+        enforceTimestamp: true,
+        signerKey: 'iss',
+    }, options);
+    try {
+        const [headerB64, bodyB64] = token.split('.');
+        const { header, body, signature } = decode(token, false);
+        if (!signature) {
+            debug('verify.error.emptySig');
+            return false;
+        }
+        if (!header.alg) {
+            debug('verify.error.emptyAlg');
+            return false;
+        }
+        const signerDid = body[signerKey];
+        if (!signerDid) {
+            debug('verify.error.emptySignerDid');
+            return false;
+        }
+        if (isFromPublicKey(signerDid, signerPk) === false) {
+            debug('verify.error.signerDidAndPkNotMatch');
+            return false;
+        }
+        if (enforceTimestamp) {
+            const now = Math.ceil(Date.now() / 1000);
+            const exp = Number(body.exp) || 0;
+            const iat = Number(body.iat) || 0;
+            const nbf = Number(body.nbf) || 0;
+            debug('verify.enforceTimestamp', { now, exp, iat, nbf });
+            if (exp && exp + tolerance < now) {
+                debug('verify.error.expired');
+                return false;
+            }
+            if (iat && iat > now && iat - now > tolerance) {
+                debug('verify.error.issuedAt');
+                return false;
+            }
+            if (nbf && nbf > now && nbf - now > tolerance) {
+                debug('verify.error.notBefore');
+                return false;
+            }
+        }
+        const signers = {
+            secp256k1: getSigner(types.KeyType.SECP256K1),
+            es256k: getSigner(types.KeyType.SECP256K1),
+            ed25519: getSigner(types.KeyType.ED25519),
+            ethereum: getSigner(types.KeyType.ETHEREUM),
+            passkey: getSigner(types.KeyType.PASSKEY),
+        };
+        const alg = header.alg.toLowerCase();
+        if (signers[alg]) {
+            // @ts-ignore
+            const msgHex = toHex(`${headerB64}.${bodyB64}`);
+            // If we are using v1.1 protocol, the message should be hashed before verify
+            const version = body.version && semver.coerce(body.version) ? semver.coerce(body.version).version : '';
+            if (version && version === JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN) {
+                return signers[alg].verify(hasher(msgHex), signature, signerPk);
+            }
+            return signers[alg].verify(msgHex, signature, signerPk);
+        }
+        debug('verify.error.crypto');
+        return false;
+    }
+    catch (err) {
+        debug('verify.error.exception');
+        debug(err);
+        return false;
+    }
+}

package/lib/index.d.ts

@@ -1,5 +1,5 @@
 import { BytesType } from '@ocap/util';
-export declare type JwtBody = {
+export type JwtBody = {
     iss: string;
     iat: string;
     nbf: string;
@@ -7,16 +7,16 @@ export declare type JwtBody = {
     version: string;
     [key: string]: any;
 };
-export declare type JwtHeader = {
+export type JwtHeader = {
     alg: string;
     type: 'JWT';
 };
-export declare type JwtToken = {
+export type JwtToken = {
     header: JwtHeader;
     body: JwtBody;
     signature: string;
 };
-export declare type JwtVerifyOptions = Partial<{
+export type JwtVerifyOptions = Partial<{
     tolerance: number;
     enforceTimestamp: boolean;
     signerKey: string;
@@ -55,4 +55,4 @@ export declare function decode(token: string, bodyOnly?: false): JwtToken;
  *     }]
  * @return {*}  {boolean}
  */
-export declare function verify(token: string, signerPk: BytesType, options?: JwtVerifyOptions): boolean;
+export declare function verify(token: string, signerPk: BytesType, options?: JwtVerifyOptions): Promise<boolean>;

package/lib/index.js

@@ -3,7 +3,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.verify = exports.decode = exports.signV2 = exports.sign = void 0;
+exports.sign = sign;
+exports.signV2 = signV2;
+exports.decode = decode;
+exports.verify = verify;
 /* eslint-disable @typescript-eslint/ban-ts-comment */
 const json_stable_stringify_1 = __importDefault(require("json-stable-stringify"));
 const semver_1 = __importDefault(require("semver"));
@@ -44,6 +47,10 @@ function sign(signer, sk, payload = {}, doSign = true, version = '1.0.0') {
             alg: 'Ethereum',
             type: 'JWT',
         },
+        [mcrypto_1.types.KeyType.PASSKEY]: {
+            alg: 'Passkey',
+            type: 'JWT',
+        },
     };
     // make header
     const header = headers[type.pk];
@@ -66,24 +73,22 @@ function sign(signer, sk, payload = {}, doSign = true, version = '1.0.0') {
     });
     const bodyB64 = (0, util_1.toBase64)((0, json_stable_stringify_1.default)(body));
     debug('sign.body', body);
-    // istanbul ignore if
-    if (!doSign) {
-        return `${headerB64}.${bodyB64}`;
-    }
     // @ts-ignore make signature
     const msgHex = (0, util_1.toHex)(`${headerB64}.${bodyB64}`);
     const msgHash = semver_1.default.gte(semver_1.default.coerce(version).version, JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN)
         ? hasher(msgHex)
         : msgHex;
+    // istanbul ignore if
+    if (!doSign) {
+        return `${headerB64}.${bodyB64}`;
+    }
     const sigHex = (0, mcrypto_1.getSigner)(type.pk).sign(msgHash, sk);
     const sigB64 = (0, util_1.toBase64)(sigHex);
     return [headerB64, bodyB64, sigB64].join('.');
 }
-exports.sign = sign;
 function signV2(signer, sk, payload = {}) {
     return sign(signer, sk, payload, !!sk, '1.1.0');
 }
-exports.signV2 = signV2;
 function decode(token, bodyOnly = true) {
     const [headerB64, bodyB64, sigB64] = token.split('.');
     const header = JSON.parse((0, util_1.fromBase64)(headerB64).toString());
@@ -94,7 +99,6 @@ function decode(token, bodyOnly = true) {
     }
     return { header, body, signature: `0x${(0, did_1.toStrictHex)(sig)}` };
 }
-exports.decode = decode;
 /**
  * Verify a jwt token
  *
@@ -115,7 +119,8 @@ exports.decode = decode;
  *     }]
  * @return {*}  {boolean}
  */
-function verify(token, signerPk, options) {
+// eslint-disable-next-line require-await
+async function verify(token, signerPk, options) {
     const { tolerance, enforceTimestamp, signerKey } = Object.assign({
         tolerance: 5,
         enforceTimestamp: true,
@@ -165,6 +170,7 @@ function verify(token, signerPk, options) {
             es256k: (0, mcrypto_1.getSigner)(mcrypto_1.types.KeyType.SECP256K1),
             ed25519: (0, mcrypto_1.getSigner)(mcrypto_1.types.KeyType.ED25519),
             ethereum: (0, mcrypto_1.getSigner)(mcrypto_1.types.KeyType.ETHEREUM),
+            passkey: (0, mcrypto_1.getSigner)(mcrypto_1.types.KeyType.PASSKEY),
         };
         const alg = header.alg.toLowerCase();
         if (signers[alg]) {
@@ -186,4 +192,3 @@ function verify(token, signerPk, options) {
         return false;
     }
 }
-exports.verify = verify;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@arcblock/jwt",
   "description": "JSON Web Token variant for arcblock DID solutions",
-  "version": "1.18.166",
+  "version": "1.19.0",
   "author": {
     "name": "wangshijun",
     "email": "shijun@arcblock.io",
@@ -18,24 +18,24 @@
     "access": "public"
   },
   "dependencies": {
-    "@arcblock/did": "1.18.166",
-    "@ocap/mcrypto": "1.18.166",
-    "@ocap/util": "1.18.166",
+    "@arcblock/did": "1.19.0",
+    "@ocap/mcrypto": "1.19.0",
+    "@ocap/util": "1.19.0",
     "debug": "^4.3.6",
     "json-stable-stringify": "^1.0.1",
     "semver": "^7.6.3"
   },
   "devDependencies": {
-    "@arcblock/eslint-config-ts": "0.2.3",
-    "@types/jest": "^29.5.12",
-    "@types/json-stable-stringify": "^1.0.34",
-    "@types/node": "^17.0.45",
+    "@arcblock/eslint-config-ts": "0.3.3",
+    "@types/jest": "^29.5.13",
+    "@types/json-stable-stringify": "^1.0.36",
+    "@types/node": "^22.7.5",
     "@types/semver": "^7.5.8",
-    "eslint": "^8.25.0",
+    "eslint": "^8.57.0",
     "jest": "^29.7.0",
     "ts-jest": "^29.2.5",
     "tslib": "^2.4.0",
-    "typescript": "^4.8.4"
+    "typescript": "^5.6.2"
   },
   "homepage": "https://github.com/ArcBlock/blockchain/tree/master/did/jwt",
   "keywords": [
@@ -45,10 +45,19 @@
     "nodejs"
   ],
   "license": "Apache-2.0",
-  "main": "lib/index.js",
-  "typings": "lib/index.d.ts",
+  "main": "./lib/index.js",
+  "module": "./lib/index.js",
+  "types": "./esm/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./esm/index.js",
+      "require": "./lib/index.js",
+      "default": "./esm/index.js"
+    }
+  },
   "files": [
-    "lib"
+    "lib",
+    "esm"
   ],
   "repository": {
     "type": "git",
@@ -59,10 +68,12 @@
     "lint:fix": "eslint src tests --fix",
     "test": "jest --forceExit --detectOpenHandles",
     "coverage": "npm run test -- --coverage",
-    "clean": "rm -fr lib",
+    "clean": "rm -fr lib esm",
     "prebuild": "npm run clean",
     "build:watch": "npm run build -- -w",
-    "build": "tsc"
+    "build:cjs": "tsc -p tsconfig.cjs.json",
+    "build:esm": "tsc -p tsconfig.esm.json",
+    "build": "npm run build:cjs && npm run build:esm"
   },
-  "gitHead": "58c8356b3b8c238728560e4c3fef6ed1704d3ac4"
+  "gitHead": "1b6fac03988fb18507c8ef4c21de282762005f87"
 }