@arcblock/jwt 1.29.13 → 1.29.15

package/esm/index.d.mts

@@ -58,5 +58,44 @@ declare function decode(token: string, bodyOnly?: false): JwtToken;
  * @return {*}  {boolean}
  */
 declare function verify(token: string, signerPk: BytesType, options?: JwtVerifyOptions): Promise<boolean>;
+type DelegationTokenHeader = {
+  alg: string;
+  typ: 'DelegationToken';
+};
+type DelegationTokenBody = {
+  iss: string;
+  sub: string;
+  iat: string;
+  nbf: string;
+  exp: string;
+  version: string;
+  ops: string[];
+  deny?: string[];
+  pk: string;
+  delegation?: string;
+};
+type DelegationToken = {
+  header: DelegationTokenHeader;
+  body: DelegationTokenBody;
+  signature: string;
+};
+declare function signDelegationToken(signer: string, sk: BytesType, payload: {
+  sub: string;
+  ops: string[];
+  deny?: string[];
+  delegation?: string;
+  iat?: string;
+  nbf?: string;
+  exp?: string;
+}): Promise<string>;
+declare function decodeDelegationToken(token: string): DelegationToken;
+declare function verifyDelegationToken(token: string): Promise<boolean>;
+declare function checkDelegationTokenScope(scope: string, {
+  ops,
+  deny
+}: {
+  ops: string[];
+  deny?: string[];
+}): boolean;
 //#endregion
-export { JwtBody, JwtHeader, JwtToken, JwtVerifyOptions, decode, sign, signV2, verify };
+export { DelegationToken, DelegationTokenBody, DelegationTokenHeader, JwtBody, JwtHeader, JwtToken, JwtVerifyOptions, checkDelegationTokenScope, decode, decodeDelegationToken, sign, signDelegationToken, signV2, verify, verifyDelegationToken };

package/esm/index.mjs

@@ -1,6 +1,6 @@
 import { isFromPublicKey, isValid, toDid, toStrictHex, toTypeInfo } from "@arcblock/did";
 import { Hasher, getSigner, types } from "@ocap/mcrypto";
-import { fromBase64, toBase64, toHex } from "@ocap/util";
+import { fromBase64, scopeMatchAny, toBase64, toHex } from "@ocap/util";
 import Debug from "debug";
 import stringify from "json-stable-stringify";
 import semver from "semver";
@@ -176,6 +176,115 @@ async function verify(token, signerPk, options) {
 		return false;
 	}
 }
+const DELEGATION_TOKEN_VERSION = "1.1.0";
+const delegationTokenHeaders = {
+	[types.KeyType.ED25519]: {
+		alg: "Ed25519",
+		typ: "DelegationToken"
+	},
+	[types.KeyType.SECP256K1]: {
+		alg: "ES256K",
+		typ: "DelegationToken"
+	},
+	[types.KeyType.ETHEREUM]: {
+		alg: "Ethereum",
+		typ: "DelegationToken"
+	}
+};
+async function signDelegationToken(signer, sk, payload) {
+	if (isValid(signer) === false) throw new Error("Cannot sign DelegationToken with invalid signer");
+	const type = toTypeInfo(signer);
+	if (type.pk === void 0) throw new Error("Cannot determine key type from signer");
+	const header = delegationTokenHeaders[type.pk];
+	const headerB64 = toBase64(stringify(header));
+	const now = Math.floor(Date.now() / 1e3);
+	const body = {
+		iss: toDid(signer),
+		sub: payload.sub,
+		iat: payload.iat || String(now),
+		nbf: payload.nbf || String(now),
+		exp: payload.exp || String(now + 300),
+		version: DELEGATION_TOKEN_VERSION,
+		ops: payload.ops,
+		pk: getSigner(type.pk).getPublicKey(sk, "hex")
+	};
+	if (payload.deny && payload.deny.length > 0) {
+		for (const d of payload.deny) if (!d.startsWith("fg:")) throw new Error(`Invalid deny pattern "${d}": must start with "fg:"`);
+		body.deny = payload.deny;
+	}
+	if (payload.delegation) body.delegation = payload.delegation;
+	const bodyB64 = toBase64(stringify(body));
+	const msgHash = hasher(toHex(`${headerB64}.${bodyB64}`));
+	return [
+		headerB64,
+		bodyB64,
+		toBase64(getSigner(type.pk).sign(msgHash, sk))
+	].join(".");
+}
+function decodeDelegationToken(token) {
+	const parts = token.split(".");
+	if (parts.length !== 3) throw new Error("Invalid delegation token format: expected 3 parts");
+	const [headerB64, bodyB64, sigB64] = parts;
+	return {
+		header: JSON.parse(fromBase64(headerB64).toString()),
+		body: JSON.parse(fromBase64(bodyB64).toString()),
+		signature: `0x${toStrictHex(Buffer.from(Uint8Array.from(fromBase64(sigB64))).toString("hex"))}`
+	};
+}
+async function verifyDelegationToken(token) {
+	try {
+		const [headerB64, bodyB64] = token.split(".");
+		const { header, body, signature } = decodeDelegationToken(token);
+		if (header.typ !== "DelegationToken") {
+			debug("delegationToken.verify.error.wrongTyp");
+			return false;
+		}
+		if (!signature || !header.alg) {
+			debug("delegationToken.verify.error.missingSigOrAlg");
+			return false;
+		}
+		if (isFromPublicKey(body.iss, body.pk) === false) {
+			debug("delegationToken.verify.error.pkIssMismatch");
+			return false;
+		}
+		const now = Math.floor(Date.now() / 1e3);
+		const exp = Number(body.exp) || 0;
+		const nbf = Number(body.nbf) || 0;
+		const iat = Number(body.iat) || 0;
+		if (exp && exp < now) {
+			debug("delegationToken.verify.error.expired");
+			return false;
+		}
+		if (nbf && nbf > now) {
+			debug("delegationToken.verify.error.notYetValid");
+			return false;
+		}
+		if (iat && iat > now) {
+			debug("delegationToken.verify.error.futureIat");
+			return false;
+		}
+		const signers = {
+			ed25519: getSigner(types.KeyType.ED25519),
+			es256k: getSigner(types.KeyType.SECP256K1),
+			secp256k1: getSigner(types.KeyType.SECP256K1),
+			ethereum: getSigner(types.KeyType.ETHEREUM)
+		};
+		const alg = header.alg.toLowerCase();
+		if (!signers[alg]) {
+			debug("delegationToken.verify.error.unknownAlg");
+			return false;
+		}
+		const msgHash = hasher(toHex(`${headerB64}.${bodyB64}`));
+		return signers[alg].verify(msgHash, signature, body.pk);
+	} catch (err) {
+		debug("delegationToken.verify.error.exception", err);
+		return false;
+	}
+}
+function checkDelegationTokenScope(scope, { ops, deny }) {
+	if (deny && deny.length > 0 && scopeMatchAny(scope, deny)) return false;
+	return scopeMatchAny(scope, ops);
+}
 
 //#endregion
-export { decode, sign, signV2, verify };
+export { checkDelegationTokenScope, decode, decodeDelegationToken, sign, signDelegationToken, signV2, verify, verifyDelegationToken };

package/lib/index.cjs

@@ -180,9 +180,122 @@ async function verify(token, signerPk, options) {
 		return false;
 	}
 }
+const DELEGATION_TOKEN_VERSION = "1.1.0";
+const delegationTokenHeaders = {
+	[_ocap_mcrypto.types.KeyType.ED25519]: {
+		alg: "Ed25519",
+		typ: "DelegationToken"
+	},
+	[_ocap_mcrypto.types.KeyType.SECP256K1]: {
+		alg: "ES256K",
+		typ: "DelegationToken"
+	},
+	[_ocap_mcrypto.types.KeyType.ETHEREUM]: {
+		alg: "Ethereum",
+		typ: "DelegationToken"
+	}
+};
+async function signDelegationToken(signer, sk, payload) {
+	if ((0, _arcblock_did.isValid)(signer) === false) throw new Error("Cannot sign DelegationToken with invalid signer");
+	const type = (0, _arcblock_did.toTypeInfo)(signer);
+	if (type.pk === void 0) throw new Error("Cannot determine key type from signer");
+	const header = delegationTokenHeaders[type.pk];
+	const headerB64 = (0, _ocap_util.toBase64)((0, json_stable_stringify.default)(header));
+	const now = Math.floor(Date.now() / 1e3);
+	const body = {
+		iss: (0, _arcblock_did.toDid)(signer),
+		sub: payload.sub,
+		iat: payload.iat || String(now),
+		nbf: payload.nbf || String(now),
+		exp: payload.exp || String(now + 300),
+		version: DELEGATION_TOKEN_VERSION,
+		ops: payload.ops,
+		pk: (0, _ocap_mcrypto.getSigner)(type.pk).getPublicKey(sk, "hex")
+	};
+	if (payload.deny && payload.deny.length > 0) {
+		for (const d of payload.deny) if (!d.startsWith("fg:")) throw new Error(`Invalid deny pattern "${d}": must start with "fg:"`);
+		body.deny = payload.deny;
+	}
+	if (payload.delegation) body.delegation = payload.delegation;
+	const bodyB64 = (0, _ocap_util.toBase64)((0, json_stable_stringify.default)(body));
+	const msgHash = hasher((0, _ocap_util.toHex)(`${headerB64}.${bodyB64}`));
+	return [
+		headerB64,
+		bodyB64,
+		(0, _ocap_util.toBase64)((0, _ocap_mcrypto.getSigner)(type.pk).sign(msgHash, sk))
+	].join(".");
+}
+function decodeDelegationToken(token) {
+	const parts = token.split(".");
+	if (parts.length !== 3) throw new Error("Invalid delegation token format: expected 3 parts");
+	const [headerB64, bodyB64, sigB64] = parts;
+	return {
+		header: JSON.parse((0, _ocap_util.fromBase64)(headerB64).toString()),
+		body: JSON.parse((0, _ocap_util.fromBase64)(bodyB64).toString()),
+		signature: `0x${(0, _arcblock_did.toStrictHex)(Buffer.from(Uint8Array.from((0, _ocap_util.fromBase64)(sigB64))).toString("hex"))}`
+	};
+}
+async function verifyDelegationToken(token) {
+	try {
+		const [headerB64, bodyB64] = token.split(".");
+		const { header, body, signature } = decodeDelegationToken(token);
+		if (header.typ !== "DelegationToken") {
+			debug$1("delegationToken.verify.error.wrongTyp");
+			return false;
+		}
+		if (!signature || !header.alg) {
+			debug$1("delegationToken.verify.error.missingSigOrAlg");
+			return false;
+		}
+		if ((0, _arcblock_did.isFromPublicKey)(body.iss, body.pk) === false) {
+			debug$1("delegationToken.verify.error.pkIssMismatch");
+			return false;
+		}
+		const now = Math.floor(Date.now() / 1e3);
+		const exp = Number(body.exp) || 0;
+		const nbf = Number(body.nbf) || 0;
+		const iat = Number(body.iat) || 0;
+		if (exp && exp < now) {
+			debug$1("delegationToken.verify.error.expired");
+			return false;
+		}
+		if (nbf && nbf > now) {
+			debug$1("delegationToken.verify.error.notYetValid");
+			return false;
+		}
+		if (iat && iat > now) {
+			debug$1("delegationToken.verify.error.futureIat");
+			return false;
+		}
+		const signers = {
+			ed25519: (0, _ocap_mcrypto.getSigner)(_ocap_mcrypto.types.KeyType.ED25519),
+			es256k: (0, _ocap_mcrypto.getSigner)(_ocap_mcrypto.types.KeyType.SECP256K1),
+			secp256k1: (0, _ocap_mcrypto.getSigner)(_ocap_mcrypto.types.KeyType.SECP256K1),
+			ethereum: (0, _ocap_mcrypto.getSigner)(_ocap_mcrypto.types.KeyType.ETHEREUM)
+		};
+		const alg = header.alg.toLowerCase();
+		if (!signers[alg]) {
+			debug$1("delegationToken.verify.error.unknownAlg");
+			return false;
+		}
+		const msgHash = hasher((0, _ocap_util.toHex)(`${headerB64}.${bodyB64}`));
+		return signers[alg].verify(msgHash, signature, body.pk);
+	} catch (err) {
+		debug$1("delegationToken.verify.error.exception", err);
+		return false;
+	}
+}
+function checkDelegationTokenScope(scope, { ops, deny }) {
+	if (deny && deny.length > 0 && (0, _ocap_util.scopeMatchAny)(scope, deny)) return false;
+	return (0, _ocap_util.scopeMatchAny)(scope, ops);
+}
 
 //#endregion
+exports.checkDelegationTokenScope = checkDelegationTokenScope;
 exports.decode = decode;
+exports.decodeDelegationToken = decodeDelegationToken;
 exports.sign = sign;
+exports.signDelegationToken = signDelegationToken;
 exports.signV2 = signV2;
-exports.verify = verify;
+exports.verify = verify;
+exports.verifyDelegationToken = verifyDelegationToken;

package/lib/index.d.cts

@@ -58,5 +58,44 @@ declare function decode(token: string, bodyOnly?: false): JwtToken;
  * @return {*}  {boolean}
  */
 declare function verify(token: string, signerPk: BytesType, options?: JwtVerifyOptions): Promise<boolean>;
+type DelegationTokenHeader = {
+  alg: string;
+  typ: 'DelegationToken';
+};
+type DelegationTokenBody = {
+  iss: string;
+  sub: string;
+  iat: string;
+  nbf: string;
+  exp: string;
+  version: string;
+  ops: string[];
+  deny?: string[];
+  pk: string;
+  delegation?: string;
+};
+type DelegationToken = {
+  header: DelegationTokenHeader;
+  body: DelegationTokenBody;
+  signature: string;
+};
+declare function signDelegationToken(signer: string, sk: BytesType, payload: {
+  sub: string;
+  ops: string[];
+  deny?: string[];
+  delegation?: string;
+  iat?: string;
+  nbf?: string;
+  exp?: string;
+}): Promise<string>;
+declare function decodeDelegationToken(token: string): DelegationToken;
+declare function verifyDelegationToken(token: string): Promise<boolean>;
+declare function checkDelegationTokenScope(scope: string, {
+  ops,
+  deny
+}: {
+  ops: string[];
+  deny?: string[];
+}): boolean;
 //#endregion
-export { JwtBody, JwtHeader, JwtToken, JwtVerifyOptions, decode, sign, signV2, verify };
+export { DelegationToken, DelegationTokenBody, DelegationTokenHeader, JwtBody, JwtHeader, JwtToken, JwtVerifyOptions, checkDelegationTokenScope, decode, decodeDelegationToken, sign, signDelegationToken, signV2, verify, verifyDelegationToken };

package/package.json

@@ -2,7 +2,7 @@
   "name": "@arcblock/jwt",
   "description": "JSON Web Token variant for arcblock DID solutions",
   "type": "module",
-  "version": "1.29.13",
+  "version": "1.29.15",
   "author": {
     "name": "wangshijun",
     "email": "shijun@arcblock.io",
@@ -19,15 +19,15 @@
     "access": "public"
   },
   "dependencies": {
-    "@arcblock/did": "1.29.13",
-    "@ocap/mcrypto": "1.29.13",
-    "@ocap/util": "1.29.13",
+    "@arcblock/did": "1.29.15",
+    "@ocap/mcrypto": "1.29.15",
+    "@ocap/util": "1.29.15",
     "debug": "^4.4.3",
     "json-stable-stringify": "^1.0.1",
     "semver": "^7.6.3"
   },
   "devDependencies": {
-    "@ocap/wallet": "1.29.13",
+    "@ocap/wallet": "1.29.15",
     "@types/json-stable-stringify": "^1.0.36",
     "@types/node": "^22.7.5",
     "@types/semver": "^7.5.8",