@arcblock/jwt 1.27.16 → 1.28.1

package/esm/index.d.ts

@@ -1,25 +1,27 @@
-import { BytesType } from '@ocap/util';
-export type JwtBody = {
-    iss: string;
-    iat: string;
-    nbf: string;
-    exp: string;
-    version: string;
-    [key: string]: any;
+import { BytesType } from "@ocap/util";
+
+//#region src/index.d.ts
+type JwtBody = {
+  iss: string;
+  iat: string;
+  nbf: string;
+  exp: string;
+  version: string;
+  [key: string]: any;
 };
-export type JwtHeader = {
-    alg: string;
-    type: 'JWT';
+type JwtHeader = {
+  alg: string;
+  type: 'JWT';
 };
-export type JwtToken = {
-    header: JwtHeader;
-    body: JwtBody;
-    signature: string;
+type JwtToken = {
+  header: JwtHeader;
+  body: JwtBody;
+  signature: string;
 };
-export type JwtVerifyOptions = Partial<{
-    tolerance: number;
-    enforceTimestamp: boolean;
-    signerKey: string;
+type JwtVerifyOptions = Partial<{
+  tolerance: number;
+  enforceTimestamp: boolean;
+  signerKey: string;
 }>;
 /**
  *
@@ -31,10 +33,10 @@ export type JwtVerifyOptions = Partial<{
  * @param {string} [version='1.0.0']
  * @return {*}  {string} - hex encoded signature
  */
-export declare function sign(signer: string, sk?: BytesType, payload?: {}, doSign?: boolean, version?: string): Promise<string>;
-export declare function signV2(signer: string, sk?: BytesType, payload?: any): Promise<string>;
-export declare function decode(token: string, bodyOnly?: true): JwtBody;
-export declare function decode(token: string, bodyOnly?: false): JwtToken;
+declare function sign(signer: string, sk?: BytesType, payload?: {}, doSign?: boolean, version?: string): Promise<string>;
+declare function signV2(signer: string, sk?: BytesType, payload?: any): Promise<string>;
+declare function decode(token: string, bodyOnly?: true): JwtBody;
+declare function decode(token: string, bodyOnly?: false): JwtToken;
 /**
  * Verify a jwt token
  *
@@ -55,4 +57,6 @@ export declare function decode(token: string, bodyOnly?: false): JwtToken;
  *     }]
  * @return {*}  {boolean}
  */
-export declare function verify(token: string, signerPk: BytesType, options?: JwtVerifyOptions): Promise<boolean>;
+declare function verify(token: string, signerPk: BytesType, options?: JwtVerifyOptions): Promise<boolean>;
+//#endregion
+export { JwtBody, JwtHeader, JwtToken, JwtVerifyOptions, decode, sign, signV2, verify };

package/esm/index.js

@@ -1,187 +1,177 @@
-/* eslint-disable @typescript-eslint/ban-ts-comment */
-import stringify from 'json-stable-stringify';
-import semver from 'semver';
-import { toHex, toBase64, fromBase64 } from '@ocap/util';
-import { toDid, toStrictHex, toTypeInfo, isValid, isFromPublicKey } from '@arcblock/did';
-import { types, getSigner, Hasher } from '@ocap/mcrypto';
-import Debug from 'debug';
-const debug = Debug('@arcblock/jwt');
-// we start hashing before signing after 1.1
-const JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN = '1.1.0';
-// since ios requires a fixed length of input to sign, we use sha3 here before sign
+import stringify from "json-stable-stringify";
+import semver from "semver";
+import { fromBase64, toBase64, toHex } from "@ocap/util";
+import { isFromPublicKey, isValid, toDid, toStrictHex, toTypeInfo } from "@arcblock/did";
+import { Hasher, getSigner, types } from "@ocap/mcrypto";
+import Debug from "debug";
+
+//#region src/index.ts
+const debug = Debug("@arcblock/jwt");
+const JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN = "1.1.0";
 const hasher = Hasher.SHA3.hash256;
 /**
- *
- *
- * @param {string} signer - address string
- * @param {string} sk - hex encoded secret key
- * @param {*} [payload={}] - data to be included before signing
- * @param {boolean} [doSign=true] - do we need to sign the payload or just return the content to be signed
- * @param {string} [version='1.0.0']
- * @return {*}  {string} - hex encoded signature
- */
-// eslint-disable-next-line require-await
-export async function sign(signer, sk, payload = {}, doSign = true, version = '1.0.0') {
-    if (isValid(signer) === false) {
-        throw new Error('Cannot do sign with invalid signer');
-    }
-    const type = toTypeInfo(signer);
-    const headers = {
-        [types.KeyType.SECP256K1]: {
-            alg: 'ES256K',
-            type: 'JWT',
-        },
-        [types.KeyType.ED25519]: {
-            alg: 'Ed25519',
-            type: 'JWT',
-        },
-        [types.KeyType.ETHEREUM]: {
-            alg: 'Ethereum',
-            type: 'JWT',
-        },
-        [types.KeyType.PASSKEY]: {
-            alg: 'Passkey',
-            type: 'JWT',
-        },
-    };
-    // make header
-    const header = headers[type.pk];
-    const headerB64 = toBase64(stringify(header));
-    // make body
-    const now = Math.floor(Date.now() / 1000);
-    const body = {
-        iss: toDid(signer),
-        iat: String(now),
-        nbf: String(now),
-        exp: String(now + 5 * 60),
-        version,
-        ...(payload || {}),
-    };
-    // remove empty keys
-    Object.keys(body).forEach((x) => {
-        if (typeof body[x] === 'undefined' || body[x] == null || body[x] === '') {
-            delete body[x];
-        }
-    });
-    const bodyB64 = toBase64(stringify(body));
-    debug('sign.body', body);
-    // @ts-ignore make signature
-    const msgHex = toHex(`${headerB64}.${bodyB64}`);
-    const msgHash = semver.gte(semver.coerce(version).version, JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN)
-        ? hasher(msgHex)
-        : msgHex;
-    // istanbul ignore if
-    if (!doSign) {
-        return `${headerB64}.${bodyB64}`;
-    }
-    const sigHex = getSigner(type.pk).sign(msgHash, sk);
-    const sigB64 = toBase64(sigHex);
-    return [headerB64, bodyB64, sigB64].join('.');
+*
+*
+* @param {string} signer - address string
+* @param {string} sk - hex encoded secret key
+* @param {*} [payload={}] - data to be included before signing
+* @param {boolean} [doSign=true] - do we need to sign the payload or just return the content to be signed
+* @param {string} [version='1.0.0']
+* @return {*}  {string} - hex encoded signature
+*/
+async function sign(signer, sk, payload = {}, doSign = true, version = "1.0.0") {
+	if (isValid(signer) === false) throw new Error("Cannot do sign with invalid signer");
+	const type = toTypeInfo(signer);
+	const header = {
+		[types.KeyType.SECP256K1]: {
+			alg: "ES256K",
+			type: "JWT"
+		},
+		[types.KeyType.ED25519]: {
+			alg: "Ed25519",
+			type: "JWT"
+		},
+		[types.KeyType.ETHEREUM]: {
+			alg: "Ethereum",
+			type: "JWT"
+		},
+		[types.KeyType.PASSKEY]: {
+			alg: "Passkey",
+			type: "JWT"
+		}
+	}[type.pk];
+	const headerB64 = toBase64(stringify(header));
+	const now = Math.floor(Date.now() / 1e3);
+	const body = {
+		iss: toDid(signer),
+		iat: String(now),
+		nbf: String(now),
+		exp: String(now + 300),
+		version,
+		...payload || {}
+	};
+	Object.keys(body).forEach((x) => {
+		if (typeof body[x] === "undefined" || body[x] == null || body[x] === "") delete body[x];
+	});
+	const bodyB64 = toBase64(stringify(body));
+	debug("sign.body", body);
+	const msgHex = toHex(`${headerB64}.${bodyB64}`);
+	const msgHash = semver.gte(semver.coerce(version).version, JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN) ? hasher(msgHex) : msgHex;
+	// istanbul ignore if
+	if (!doSign) return `${headerB64}.${bodyB64}`;
+	return [
+		headerB64,
+		bodyB64,
+		toBase64(getSigner(type.pk).sign(msgHash, sk))
+	].join(".");
 }
-// eslint-disable-next-line require-await
-export async function signV2(signer, sk, payload = {}) {
-    return sign(signer, sk, payload, !!sk, '1.1.0');
+async function signV2(signer, sk, payload = {}) {
+	return sign(signer, sk, payload, !!sk, "1.1.0");
 }
-export function decode(token, bodyOnly = true) {
-    const [headerB64, bodyB64, sigB64] = token.split('.');
-    const header = JSON.parse(fromBase64(headerB64).toString());
-    const body = JSON.parse(fromBase64(bodyB64).toString());
-    const sig = Buffer.from(fromBase64(sigB64)).toString('hex');
-    if (bodyOnly) {
-        return body;
-    }
-    return { header, body, signature: `0x${toStrictHex(sig)}` };
+function decode(token, bodyOnly = true) {
+	const [headerB64, bodyB64, sigB64] = token.split(".");
+	const header = JSON.parse(fromBase64(headerB64).toString());
+	const body = JSON.parse(fromBase64(bodyB64).toString());
+	const sig = Buffer.from(fromBase64(sigB64)).toString("hex");
+	if (bodyOnly) return body;
+	return {
+		header,
+		body,
+		signature: `0x${toStrictHex(sig)}`
+	};
 }
 /**
- * Verify a jwt token
- *
- * @param {string} token  - the jwt token
- * @param {string} signerPk - signer public key
- * @param {{
- *     tolerance: number; - number of seconds to tolerant expire
- *     enforceTimestamp: boolean; - whether should be verify timestamps?
- *     signerKey: string; - which field should be used to pick the signer
- *   }} [{
- *     tolerance,
- *     enforceTimestamp,
- *     signerKey,
- *   }={
- *       tolerance: 5,
- *       enforceTimestamp: true,
- *       signerKey: 'iss',
- *     }]
- * @return {*}  {boolean}
- */
-// eslint-disable-next-line require-await
-export async function verify(token, signerPk, options) {
-    const { tolerance, enforceTimestamp, signerKey } = Object.assign({
-        tolerance: 5,
-        enforceTimestamp: true,
-        signerKey: 'iss',
-    }, options);
-    try {
-        const [headerB64, bodyB64] = token.split('.');
-        const { header, body, signature } = decode(token, false);
-        if (!signature) {
-            debug('verify.error.emptySig');
-            return false;
-        }
-        if (!header.alg) {
-            debug('verify.error.emptyAlg');
-            return false;
-        }
-        const signerDid = body[signerKey];
-        if (!signerDid) {
-            debug('verify.error.emptySignerDid');
-            return false;
-        }
-        if (isFromPublicKey(signerDid, signerPk) === false) {
-            debug('verify.error.signerDidAndPkNotMatch');
-            return false;
-        }
-        if (enforceTimestamp) {
-            const now = Math.ceil(Date.now() / 1000);
-            const exp = Number(body.exp) || 0;
-            const iat = Number(body.iat) || 0;
-            const nbf = Number(body.nbf) || 0;
-            debug('verify.enforceTimestamp', { now, exp, iat, nbf });
-            if (exp && exp + tolerance < now) {
-                debug('verify.error.expired');
-                return false;
-            }
-            if (iat && iat > now && iat - now > tolerance) {
-                debug('verify.error.issuedAt');
-                return false;
-            }
-            if (nbf && nbf > now && nbf - now > tolerance) {
-                debug('verify.error.notBefore');
-                return false;
-            }
-        }
-        const signers = {
-            secp256k1: getSigner(types.KeyType.SECP256K1),
-            es256k: getSigner(types.KeyType.SECP256K1),
-            ed25519: getSigner(types.KeyType.ED25519),
-            ethereum: getSigner(types.KeyType.ETHEREUM),
-            passkey: getSigner(types.KeyType.PASSKEY),
-        };
-        const alg = header.alg.toLowerCase();
-        if (signers[alg]) {
-            // @ts-ignore
-            const msgHex = toHex(`${headerB64}.${bodyB64}`);
-            // If we are using v1.1 protocol, the message should be hashed before verify
-            const version = body.version && semver.coerce(body.version) ? semver.coerce(body.version).version : '';
-            if (version && version === JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN) {
-                return signers[alg].verify(hasher(msgHex), signature, signerPk);
-            }
-            return signers[alg].verify(msgHex, signature, signerPk);
-        }
-        debug('verify.error.crypto');
-        return false;
-    }
-    catch (err) {
-        debug('verify.error.exception');
-        debug(err);
-        return false;
-    }
+* Verify a jwt token
+*
+* @param {string} token  - the jwt token
+* @param {string} signerPk - signer public key
+* @param {{
+*     tolerance: number; - number of seconds to tolerant expire
+*     enforceTimestamp: boolean; - whether should be verify timestamps?
+*     signerKey: string; - which field should be used to pick the signer
+*   }} [{
+*     tolerance,
+*     enforceTimestamp,
+*     signerKey,
+*   }={
+*       tolerance: 5,
+*       enforceTimestamp: true,
+*       signerKey: 'iss',
+*     }]
+* @return {*}  {boolean}
+*/
+async function verify(token, signerPk, options) {
+	const { tolerance, enforceTimestamp, signerKey } = Object.assign({
+		tolerance: 5,
+		enforceTimestamp: true,
+		signerKey: "iss"
+	}, options);
+	try {
+		const [headerB64, bodyB64] = token.split(".");
+		const { header, body, signature } = decode(token, false);
+		if (!signature) {
+			debug("verify.error.emptySig");
+			return false;
+		}
+		if (!header.alg) {
+			debug("verify.error.emptyAlg");
+			return false;
+		}
+		const signerDid = body[signerKey];
+		if (!signerDid) {
+			debug("verify.error.emptySignerDid");
+			return false;
+		}
+		if (isFromPublicKey(signerDid, signerPk) === false) {
+			debug("verify.error.signerDidAndPkNotMatch");
+			return false;
+		}
+		if (enforceTimestamp) {
+			const now = Math.ceil(Date.now() / 1e3);
+			const exp = Number(body.exp) || 0;
+			const iat = Number(body.iat) || 0;
+			const nbf = Number(body.nbf) || 0;
+			debug("verify.enforceTimestamp", {
+				now,
+				exp,
+				iat,
+				nbf
+			});
+			if (exp && exp + tolerance < now) {
+				debug("verify.error.expired");
+				return false;
+			}
+			if (iat && iat > now && iat - now > tolerance) {
+				debug("verify.error.issuedAt");
+				return false;
+			}
+			if (nbf && nbf > now && nbf - now > tolerance) {
+				debug("verify.error.notBefore");
+				return false;
+			}
+		}
+		const signers = {
+			secp256k1: getSigner(types.KeyType.SECP256K1),
+			es256k: getSigner(types.KeyType.SECP256K1),
+			ed25519: getSigner(types.KeyType.ED25519),
+			ethereum: getSigner(types.KeyType.ETHEREUM),
+			passkey: getSigner(types.KeyType.PASSKEY)
+		};
+		const alg = header.alg.toLowerCase();
+		if (signers[alg]) {
+			const msgHex = toHex(`${headerB64}.${bodyB64}`);
+			const version = body.version && semver.coerce(body.version) ? semver.coerce(body.version).version : "";
+			if (version && version === JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN) return signers[alg].verify(hasher(msgHex), signature, signerPk);
+			return signers[alg].verify(msgHex, signature, signerPk);
+		}
+		debug("verify.error.crypto");
+		return false;
+	} catch (err) {
+		debug("verify.error.exception");
+		debug(err);
+		return false;
+	}
 }
+
+//#endregion
+export { decode, sign, signV2, verify };

package/lib/_virtual/rolldown_runtime.js

@@ -0,0 +1,29 @@
+//#region rolldown:runtime
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+	if (from && typeof from === "object" || typeof from === "function") {
+		for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
+			key = keys[i];
+			if (!__hasOwnProp.call(to, key) && key !== except) {
+				__defProp(to, key, {
+					get: ((k) => from[k]).bind(null, key),
+					enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+				});
+			}
+		}
+	}
+	return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+	value: mod,
+	enumerable: true
+}) : target, mod));
+
+//#endregion
+
+exports.__toESM = __toESM;

package/lib/index.d.ts

@@ -1,25 +1,27 @@
-import { BytesType } from '@ocap/util';
-export type JwtBody = {
-    iss: string;
-    iat: string;
-    nbf: string;
-    exp: string;
-    version: string;
-    [key: string]: any;
+import { BytesType } from "@ocap/util";
+
+//#region src/index.d.ts
+type JwtBody = {
+  iss: string;
+  iat: string;
+  nbf: string;
+  exp: string;
+  version: string;
+  [key: string]: any;
 };
-export type JwtHeader = {
-    alg: string;
-    type: 'JWT';
+type JwtHeader = {
+  alg: string;
+  type: 'JWT';
 };
-export type JwtToken = {
-    header: JwtHeader;
-    body: JwtBody;
-    signature: string;
+type JwtToken = {
+  header: JwtHeader;
+  body: JwtBody;
+  signature: string;
 };
-export type JwtVerifyOptions = Partial<{
-    tolerance: number;
-    enforceTimestamp: boolean;
-    signerKey: string;
+type JwtVerifyOptions = Partial<{
+  tolerance: number;
+  enforceTimestamp: boolean;
+  signerKey: string;
 }>;
 /**
  *
@@ -31,10 +33,10 @@ export type JwtVerifyOptions = Partial<{
  * @param {string} [version='1.0.0']
  * @return {*}  {string} - hex encoded signature
  */
-export declare function sign(signer: string, sk?: BytesType, payload?: {}, doSign?: boolean, version?: string): Promise<string>;
-export declare function signV2(signer: string, sk?: BytesType, payload?: any): Promise<string>;
-export declare function decode(token: string, bodyOnly?: true): JwtBody;
-export declare function decode(token: string, bodyOnly?: false): JwtToken;
+declare function sign(signer: string, sk?: BytesType, payload?: {}, doSign?: boolean, version?: string): Promise<string>;
+declare function signV2(signer: string, sk?: BytesType, payload?: any): Promise<string>;
+declare function decode(token: string, bodyOnly?: true): JwtBody;
+declare function decode(token: string, bodyOnly?: false): JwtToken;
 /**
  * Verify a jwt token
  *
@@ -55,4 +57,6 @@ export declare function decode(token: string, bodyOnly?: false): JwtToken;
  *     }]
  * @return {*}  {boolean}
  */
-export declare function verify(token: string, signerPk: BytesType, options?: JwtVerifyOptions): Promise<boolean>;
+declare function verify(token: string, signerPk: BytesType, options?: JwtVerifyOptions): Promise<boolean>;
+//#endregion
+export { JwtBody, JwtHeader, JwtToken, JwtVerifyOptions, decode, sign, signV2, verify };

package/lib/index.js

@@ -1,196 +1,184 @@
-"use strict";
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sign = sign;
-exports.signV2 = signV2;
-exports.decode = decode;
-exports.verify = verify;
-/* eslint-disable @typescript-eslint/ban-ts-comment */
-const json_stable_stringify_1 = __importDefault(require("json-stable-stringify"));
-const semver_1 = __importDefault(require("semver"));
-const util_1 = require("@ocap/util");
-const did_1 = require("@arcblock/did");
-const mcrypto_1 = require("@ocap/mcrypto");
-const debug_1 = __importDefault(require("debug"));
-const debug = (0, debug_1.default)('@arcblock/jwt');
-// we start hashing before signing after 1.1
-const JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN = '1.1.0';
-// since ios requires a fixed length of input to sign, we use sha3 here before sign
-const hasher = mcrypto_1.Hasher.SHA3.hash256;
+const require_rolldown_runtime = require('./_virtual/rolldown_runtime.js');
+let json_stable_stringify = require("json-stable-stringify");
+json_stable_stringify = require_rolldown_runtime.__toESM(json_stable_stringify);
+let semver = require("semver");
+semver = require_rolldown_runtime.__toESM(semver);
+let _ocap_util = require("@ocap/util");
+let _arcblock_did = require("@arcblock/did");
+let _ocap_mcrypto = require("@ocap/mcrypto");
+let debug = require("debug");
+debug = require_rolldown_runtime.__toESM(debug);
+
+//#region src/index.ts
+const debug$1 = (0, debug.default)("@arcblock/jwt");
+const JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN = "1.1.0";
+const hasher = _ocap_mcrypto.Hasher.SHA3.hash256;
 /**
- *
- *
- * @param {string} signer - address string
- * @param {string} sk - hex encoded secret key
- * @param {*} [payload={}] - data to be included before signing
- * @param {boolean} [doSign=true] - do we need to sign the payload or just return the content to be signed
- * @param {string} [version='1.0.0']
- * @return {*}  {string} - hex encoded signature
- */
-// eslint-disable-next-line require-await
-async function sign(signer, sk, payload = {}, doSign = true, version = '1.0.0') {
-    if ((0, did_1.isValid)(signer) === false) {
-        throw new Error('Cannot do sign with invalid signer');
-    }
-    const type = (0, did_1.toTypeInfo)(signer);
-    const headers = {
-        [mcrypto_1.types.KeyType.SECP256K1]: {
-            alg: 'ES256K',
-            type: 'JWT',
-        },
-        [mcrypto_1.types.KeyType.ED25519]: {
-            alg: 'Ed25519',
-            type: 'JWT',
-        },
-        [mcrypto_1.types.KeyType.ETHEREUM]: {
-            alg: 'Ethereum',
-            type: 'JWT',
-        },
-        [mcrypto_1.types.KeyType.PASSKEY]: {
-            alg: 'Passkey',
-            type: 'JWT',
-        },
-    };
-    // make header
-    const header = headers[type.pk];
-    const headerB64 = (0, util_1.toBase64)((0, json_stable_stringify_1.default)(header));
-    // make body
-    const now = Math.floor(Date.now() / 1000);
-    const body = {
-        iss: (0, did_1.toDid)(signer),
-        iat: String(now),
-        nbf: String(now),
-        exp: String(now + 5 * 60),
-        version,
-        ...(payload || {}),
-    };
-    // remove empty keys
-    Object.keys(body).forEach((x) => {
-        if (typeof body[x] === 'undefined' || body[x] == null || body[x] === '') {
-            delete body[x];
-        }
-    });
-    const bodyB64 = (0, util_1.toBase64)((0, json_stable_stringify_1.default)(body));
-    debug('sign.body', body);
-    // @ts-ignore make signature
-    const msgHex = (0, util_1.toHex)(`${headerB64}.${bodyB64}`);
-    const msgHash = semver_1.default.gte(semver_1.default.coerce(version).version, JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN)
-        ? hasher(msgHex)
-        : msgHex;
-    // istanbul ignore if
-    if (!doSign) {
-        return `${headerB64}.${bodyB64}`;
-    }
-    const sigHex = (0, mcrypto_1.getSigner)(type.pk).sign(msgHash, sk);
-    const sigB64 = (0, util_1.toBase64)(sigHex);
-    return [headerB64, bodyB64, sigB64].join('.');
+*
+*
+* @param {string} signer - address string
+* @param {string} sk - hex encoded secret key
+* @param {*} [payload={}] - data to be included before signing
+* @param {boolean} [doSign=true] - do we need to sign the payload or just return the content to be signed
+* @param {string} [version='1.0.0']
+* @return {*}  {string} - hex encoded signature
+*/
+async function sign(signer, sk, payload = {}, doSign = true, version = "1.0.0") {
+	if ((0, _arcblock_did.isValid)(signer) === false) throw new Error("Cannot do sign with invalid signer");
+	const type = (0, _arcblock_did.toTypeInfo)(signer);
+	const header = {
+		[_ocap_mcrypto.types.KeyType.SECP256K1]: {
+			alg: "ES256K",
+			type: "JWT"
+		},
+		[_ocap_mcrypto.types.KeyType.ED25519]: {
+			alg: "Ed25519",
+			type: "JWT"
+		},
+		[_ocap_mcrypto.types.KeyType.ETHEREUM]: {
+			alg: "Ethereum",
+			type: "JWT"
+		},
+		[_ocap_mcrypto.types.KeyType.PASSKEY]: {
+			alg: "Passkey",
+			type: "JWT"
+		}
+	}[type.pk];
+	const headerB64 = (0, _ocap_util.toBase64)((0, json_stable_stringify.default)(header));
+	const now = Math.floor(Date.now() / 1e3);
+	const body = {
+		iss: (0, _arcblock_did.toDid)(signer),
+		iat: String(now),
+		nbf: String(now),
+		exp: String(now + 300),
+		version,
+		...payload || {}
+	};
+	Object.keys(body).forEach((x) => {
+		if (typeof body[x] === "undefined" || body[x] == null || body[x] === "") delete body[x];
+	});
+	const bodyB64 = (0, _ocap_util.toBase64)((0, json_stable_stringify.default)(body));
+	debug$1("sign.body", body);
+	const msgHex = (0, _ocap_util.toHex)(`${headerB64}.${bodyB64}`);
+	const msgHash = semver.default.gte(semver.default.coerce(version).version, JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN) ? hasher(msgHex) : msgHex;
+	// istanbul ignore if
+	if (!doSign) return `${headerB64}.${bodyB64}`;
+	return [
+		headerB64,
+		bodyB64,
+		(0, _ocap_util.toBase64)((0, _ocap_mcrypto.getSigner)(type.pk).sign(msgHash, sk))
+	].join(".");
 }
-// eslint-disable-next-line require-await
 async function signV2(signer, sk, payload = {}) {
-    return sign(signer, sk, payload, !!sk, '1.1.0');
+	return sign(signer, sk, payload, !!sk, "1.1.0");
 }
 function decode(token, bodyOnly = true) {
-    const [headerB64, bodyB64, sigB64] = token.split('.');
-    const header = JSON.parse((0, util_1.fromBase64)(headerB64).toString());
-    const body = JSON.parse((0, util_1.fromBase64)(bodyB64).toString());
-    const sig = Buffer.from((0, util_1.fromBase64)(sigB64)).toString('hex');
-    if (bodyOnly) {
-        return body;
-    }
-    return { header, body, signature: `0x${(0, did_1.toStrictHex)(sig)}` };
+	const [headerB64, bodyB64, sigB64] = token.split(".");
+	const header = JSON.parse((0, _ocap_util.fromBase64)(headerB64).toString());
+	const body = JSON.parse((0, _ocap_util.fromBase64)(bodyB64).toString());
+	const sig = Buffer.from((0, _ocap_util.fromBase64)(sigB64)).toString("hex");
+	if (bodyOnly) return body;
+	return {
+		header,
+		body,
+		signature: `0x${(0, _arcblock_did.toStrictHex)(sig)}`
+	};
 }
 /**
- * Verify a jwt token
- *
- * @param {string} token  - the jwt token
- * @param {string} signerPk - signer public key
- * @param {{
- *     tolerance: number; - number of seconds to tolerant expire
- *     enforceTimestamp: boolean; - whether should be verify timestamps?
- *     signerKey: string; - which field should be used to pick the signer
- *   }} [{
- *     tolerance,
- *     enforceTimestamp,
- *     signerKey,
- *   }={
- *       tolerance: 5,
- *       enforceTimestamp: true,
- *       signerKey: 'iss',
- *     }]
- * @return {*}  {boolean}
- */
-// eslint-disable-next-line require-await
+* Verify a jwt token
+*
+* @param {string} token  - the jwt token
+* @param {string} signerPk - signer public key
+* @param {{
+*     tolerance: number; - number of seconds to tolerant expire
+*     enforceTimestamp: boolean; - whether should be verify timestamps?
+*     signerKey: string; - which field should be used to pick the signer
+*   }} [{
+*     tolerance,
+*     enforceTimestamp,
+*     signerKey,
+*   }={
+*       tolerance: 5,
+*       enforceTimestamp: true,
+*       signerKey: 'iss',
+*     }]
+* @return {*}  {boolean}
+*/
 async function verify(token, signerPk, options) {
-    const { tolerance, enforceTimestamp, signerKey } = Object.assign({
-        tolerance: 5,
-        enforceTimestamp: true,
-        signerKey: 'iss',
-    }, options);
-    try {
-        const [headerB64, bodyB64] = token.split('.');
-        const { header, body, signature } = decode(token, false);
-        if (!signature) {
-            debug('verify.error.emptySig');
-            return false;
-        }
-        if (!header.alg) {
-            debug('verify.error.emptyAlg');
-            return false;
-        }
-        const signerDid = body[signerKey];
-        if (!signerDid) {
-            debug('verify.error.emptySignerDid');
-            return false;
-        }
-        if ((0, did_1.isFromPublicKey)(signerDid, signerPk) === false) {
-            debug('verify.error.signerDidAndPkNotMatch');
-            return false;
-        }
-        if (enforceTimestamp) {
-            const now = Math.ceil(Date.now() / 1000);
-            const exp = Number(body.exp) || 0;
-            const iat = Number(body.iat) || 0;
-            const nbf = Number(body.nbf) || 0;
-            debug('verify.enforceTimestamp', { now, exp, iat, nbf });
-            if (exp && exp + tolerance < now) {
-                debug('verify.error.expired');
-                return false;
-            }
-            if (iat && iat > now && iat - now > tolerance) {
-                debug('verify.error.issuedAt');
-                return false;
-            }
-            if (nbf && nbf > now && nbf - now > tolerance) {
-                debug('verify.error.notBefore');
-                return false;
-            }
-        }
-        const signers = {
-            secp256k1: (0, mcrypto_1.getSigner)(mcrypto_1.types.KeyType.SECP256K1),
-            es256k: (0, mcrypto_1.getSigner)(mcrypto_1.types.KeyType.SECP256K1),
-            ed25519: (0, mcrypto_1.getSigner)(mcrypto_1.types.KeyType.ED25519),
-            ethereum: (0, mcrypto_1.getSigner)(mcrypto_1.types.KeyType.ETHEREUM),
-            passkey: (0, mcrypto_1.getSigner)(mcrypto_1.types.KeyType.PASSKEY),
-        };
-        const alg = header.alg.toLowerCase();
-        if (signers[alg]) {
-            // @ts-ignore
-            const msgHex = (0, util_1.toHex)(`${headerB64}.${bodyB64}`);
-            // If we are using v1.1 protocol, the message should be hashed before verify
-            const version = body.version && semver_1.default.coerce(body.version) ? semver_1.default.coerce(body.version).version : '';
-            if (version && version === JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN) {
-                return signers[alg].verify(hasher(msgHex), signature, signerPk);
-            }
-            return signers[alg].verify(msgHex, signature, signerPk);
-        }
-        debug('verify.error.crypto');
-        return false;
-    }
-    catch (err) {
-        debug('verify.error.exception');
-        debug(err);
-        return false;
-    }
+	const { tolerance, enforceTimestamp, signerKey } = Object.assign({
+		tolerance: 5,
+		enforceTimestamp: true,
+		signerKey: "iss"
+	}, options);
+	try {
+		const [headerB64, bodyB64] = token.split(".");
+		const { header, body, signature } = decode(token, false);
+		if (!signature) {
+			debug$1("verify.error.emptySig");
+			return false;
+		}
+		if (!header.alg) {
+			debug$1("verify.error.emptyAlg");
+			return false;
+		}
+		const signerDid = body[signerKey];
+		if (!signerDid) {
+			debug$1("verify.error.emptySignerDid");
+			return false;
+		}
+		if ((0, _arcblock_did.isFromPublicKey)(signerDid, signerPk) === false) {
+			debug$1("verify.error.signerDidAndPkNotMatch");
+			return false;
+		}
+		if (enforceTimestamp) {
+			const now = Math.ceil(Date.now() / 1e3);
+			const exp = Number(body.exp) || 0;
+			const iat = Number(body.iat) || 0;
+			const nbf = Number(body.nbf) || 0;
+			debug$1("verify.enforceTimestamp", {
+				now,
+				exp,
+				iat,
+				nbf
+			});
+			if (exp && exp + tolerance < now) {
+				debug$1("verify.error.expired");
+				return false;
+			}
+			if (iat && iat > now && iat - now > tolerance) {
+				debug$1("verify.error.issuedAt");
+				return false;
+			}
+			if (nbf && nbf > now && nbf - now > tolerance) {
+				debug$1("verify.error.notBefore");
+				return false;
+			}
+		}
+		const signers = {
+			secp256k1: (0, _ocap_mcrypto.getSigner)(_ocap_mcrypto.types.KeyType.SECP256K1),
+			es256k: (0, _ocap_mcrypto.getSigner)(_ocap_mcrypto.types.KeyType.SECP256K1),
+			ed25519: (0, _ocap_mcrypto.getSigner)(_ocap_mcrypto.types.KeyType.ED25519),
+			ethereum: (0, _ocap_mcrypto.getSigner)(_ocap_mcrypto.types.KeyType.ETHEREUM),
+			passkey: (0, _ocap_mcrypto.getSigner)(_ocap_mcrypto.types.KeyType.PASSKEY)
+		};
+		const alg = header.alg.toLowerCase();
+		if (signers[alg]) {
+			const msgHex = (0, _ocap_util.toHex)(`${headerB64}.${bodyB64}`);
+			const version = body.version && semver.default.coerce(body.version) ? semver.default.coerce(body.version).version : "";
+			if (version && version === JWT_VERSION_REQUIRE_HASH_BEFORE_SIGN) return signers[alg].verify(hasher(msgHex), signature, signerPk);
+			return signers[alg].verify(msgHex, signature, signerPk);
+		}
+		debug$1("verify.error.crypto");
+		return false;
+	} catch (err) {
+		debug$1("verify.error.exception");
+		debug$1(err);
+		return false;
+	}
 }
+
+//#endregion
+exports.decode = decode;
+exports.sign = sign;
+exports.signV2 = signV2;
+exports.verify = verify;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@arcblock/jwt",
   "description": "JSON Web Token variant for arcblock DID solutions",
-  "version": "1.27.16",
+  "version": "1.28.1",
   "author": {
     "name": "wangshijun",
     "email": "shijun@arcblock.io",
@@ -21,10 +21,10 @@
     "debug": "^4.3.6",
     "json-stable-stringify": "^1.0.1",
     "semver": "^7.6.3",
-    "@arcblock/did": "1.27.16",
-    "@ocap/mcrypto": "1.27.16",
-    "@ocap/util": "1.27.16",
-    "@ocap/wallet": "1.27.16"
+    "@arcblock/did": "1.28.1",
+    "@ocap/util": "1.28.1",
+    "@ocap/wallet": "1.28.1",
+    "@ocap/mcrypto": "1.28.1"
   },
   "devDependencies": {
     "@arcblock/eslint-config-ts": "0.3.3",
@@ -35,6 +35,7 @@
     "eslint": "^8.57.0",
     "jest": "^29.7.0",
     "ts-jest": "^29.2.5",
+    "tsdown": "^0.18.4",
     "tslib": "^2.4.0",
     "typescript": "^5.6.2"
   },
@@ -46,8 +47,17 @@
     "nodejs"
   ],
   "license": "Apache-2.0",
+  "sideEffects": false,
   "main": "./lib/index.js",
-  "types": "./lib/index.d.ts",
+  "module": "./esm/index.js",
+  "types": "./esm/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./esm/index.d.ts",
+      "import": "./esm/index.js",
+      "default": "./lib/index.js"
+    }
+  },
   "files": [
     "lib",
     "esm"
@@ -62,11 +72,7 @@
     "lint:fix": "eslint src tests --fix",
     "test": "jest --forceExit --detectOpenHandles",
     "coverage": "npm run test -- --coverage",
-    "clean": "rm -fr lib esm",
-    "prebuild": "npm run clean",
-    "build:watch": "npm run build -- -w",
-    "build:cjs": "tsc -p tsconfig.cjs.json",
-    "build:esm": "tsc -p tsconfig.esm.json",
-    "build": "npm run build:cjs && npm run build:esm"
+    "build": "tsdown",
+    "build:watch": "tsdown --watch"
   }
 }