@astronautlabs/jwt 0.0.12

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Astronaut Labs, LLC.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,107 @@
+# @/jwt
+
+> This library is **Alpha quality** in the `0.0.x` series (no automatic updates 
+> by semver). Please take caution if you choose to use it, and do not use it 
+> in production. We welcome PRs for fixes, features and general improvements.
+
+A simple isomorphic JWT library (works in browser and Node.js) with support for 
+signing and verifying JWTs using a number of common algorithms.
+
+# Installation
+
+```bash
+npm install @astronautlabs/jwt
+```
+
+# Usage
+
+## Common Options
+
+- `now` -- Specify the UNIX wall clock time to use when enforcing `exp` claims. When not specified, `Date.now()` is used.
+- `algorithm` -- The signature algorithm to use. See [Supported Algorithms](#supported-algorithms) for the options.
+- `secretOrKey` -- The key to use for the operation. When using asymmetric
+  algorithms (like `RS256`, `ES256`, etc) you should pass public keys for 
+  `validate()` and private keys for `encode()`
+
+## Signing
+
+```typescript
+    async encode(claims: any, options: EncodeOptions): Promise<Token>
+```
+
+### Remarks
+
+Returns a `Token` object with the given claims, and signed by the credentials
+specified in `options` (see `algorithm` and `secretOrKey`).
+
+### Example
+
+```typescript
+import { JWT } from '@astronautlabs/jwt';
+
+try {
+    let token = await JWT.encode({ sub: 123 }, { algorithm: 'HS256', secretOrKey: 'stuff' });
+    console.dir(token); // => { string: 'eY...', claims: { sub: ..., ... } }
+} catch (e) {
+    console.error('Failed to validate token: ');
+    console.error(e);
+}
+```
+
+
+## Validation
+
+```typescript
+JWT.validate(string : string, options: DecodeOptions): Promise<Token>
+```
+
+Returns a `Token` object if the given string is a valid (and trusted) JWT.
+If validation fails, throws an `Error`.
+
+Types of errors `JWT.validate()` can throw:
+- Algorithm mismatch: If the token header's `alg` claim does not match the 
+  configured algorithm (`options.algorithm`)
+- Signature mismatch: If the signature does not match
+- Expiration: If the token's `exp` claim is not acceptable according to policy
+
+```typescript
+import { JWT } from '@astronautlabs/jwt';
+
+try {
+    let token = await JWT.validate(`eY...`, { algorithm: 'HS256', secretOrKey: 'stuff' });
+    console.dir(token); // => { string: 'eY...', claims: { sub: ..., ... } }
+} catch (e) {
+    console.error('Failed to validate token: ');
+    console.error(e);
+}
+```
+
+### Expiration
+
+You can configure a policy for built-in validation of the `exp` claim when validating tokens.
+To do so, specify `{ validate: { exp: "(policyName)" }}` within the `options` passed to `JWT.validate()`.
+
+The available policies are:
+- `when-present` (default) -- When a token has an `exp` claim, fail validation if the token is expired
+- `force` -- Require tokens to have a valid (fresh) `exp` claim
+- `ignore` -- Ignore `exp` even when it is present (it will still be available on `token.claims`).  
+
+You can override the current time by providing `options.now`. Consider using this instead 
+of `options.validate.exp = 'ignore'`.
+
+### Options
+
+- `validate`
+  * `exp` -- Expiration policy. For more see [Expiration](#expiration)
+
+# Supported Platforms
+- **Browser/Web** using WebCrypto
+- **Node.js**
+
+# Supported Algorithms
+- `HS256`
+- `HS384`
+- `HS512`
+- `RS256`
+- `RS512`
+- `ES256`

package/demo.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAnzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA+kzeVOVpVWw
+kWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr/Mr
+m/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEi
+NQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e+lf4s4OxQawWD79J9/5d3Ry0vbV
+3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa+GSYOD2
+QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9MwIDAQABAoIBACiARq2wkltjtcjs
+kFvZ7w1JAORHbEufEO1Eu27zOIlqbgyAcAl7q+/1bip4Z/x1IVES84/yTaM8p0go
+amMhvgry/mS8vNi1BN2SAZEnb/7xSxbflb70bX9RHLJqKnp5GZe2jexw+wyXlwaM
++bclUCrh9e1ltH7IvUrRrQnFJfh+is1fRon9Co9Li0GwoN0x0byrrngU8Ak3Y6D9
+D8GjQA4Elm94ST3izJv8iCOLSDBmzsPsXfcCUZfmTfZ5DbUDMbMxRnSo3nQeoKGC
+0Lj9FkWcfmLcpGlSXTO+Ww1L7EGq+PT3NtRae1FZPwjddQ1/4V905kyQFLamAA5Y
+lSpE2wkCgYEAy1OPLQcZt4NQnQzPz2SBJqQN2P5u3vXl+zNVKP8w4eBv0vWuJJF+
+hkGNnSxXQrTkvDOIUddSKOzHHgSg4nY6K02ecyT0PPm/UZvtRpWrnBjcEVtHEJNp
+bU9pLD5iZ0J9sbzPU/LxPmuAP2Bs8JmTn6aFRspFrP7W0s1Nmk2jsm0CgYEAyH0X
++jpoqxj4efZfkUrg5GbSEhf+dZglf0tTOA5bVg8IYwtmNk/pniLG/zI7c+GlTc9B
+BwfMr59EzBq/eFMI7+LgXaVUsM/sS4Ry+yeK6SJx/otIMWtDfqxsLD8CPMCRvecC
+2Pip4uSgrl0MOebl9XKp57GoaUWRWRHqwV4Y6h8CgYAZhI4mh4qZtnhKjY4TKDjx
+QYufXSdLAi9v3FxmvchDwOgn4L+PRVdMwDNms2bsL0m5uPn104EzM6w1vzz1zwKz
+5pTpPI0OjgWN13Tq8+PKvm/4Ga2MjgOgPWQkslulO/oMcXbPwWC3hcRdr9tcQtn9
+Imf9n2spL/6EDFId+Hp/7QKBgAqlWdiXsWckdE1Fn91/NGHsc8syKvjjk1onDcw0
+NvVi5vcba9oGdElJX3e9mxqUKMrw7msJJv1MX8LWyMQC5L6YNYHDfbPF1q5L4i8j
+8mRex97UVokJQRRA452V2vCO6S5ETgpnad36de3MUxHgCOX3qL382Qx9/THVmbma
+3YfRAoGAUxL/Eu5yvMK8SAt/dJK6FedngcM3JEFNplmtLYVLWhkIlNRGDwkg3I5K
+y18Ae9n7dHVueyslrb6weq7dTkYDi3iOYRW8HRkIQh06wEdbxt0shTzAJvvCQfrB
+jg/3747WSsf/zBTcHihTRBdAv6OmdhV4/dD5YBfLAkLrd+mX7iE=
+-----END RSA PRIVATE KEY-----

package/demo8.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCfPKKzVmN80HRs
+GAoUxK++RO3CW8GxomrtLnAD6TN5U5WlVbCRZ1WFrizfxcz+lr/Kvjtq/v7PdVOa
+8NHIAdxpP3bCFEQWku/1yPmVN4lKJvKv8yub9i2MJlVaBo5giHCtfAouo+v/XWKd
+awCR8jK28dZPFlgRxcuABcW5S5pLe4X2ASI1DDMZNTW/QWqSpMGvgHydbccI3jtd
+S7S3xjR76V/izg7FBrBYPv0n3/l3dHLS9tXcCbUW0YmIm87BGwh9UKEOlhK1NwdM
+Iyq29ZtXovXUFaSnMZdJbge/jepr4ZJg4PZBTrwxvn2hKTY4H4G04ukmh+ZsYQaC
++bDIIj0zAgMBAAECggEAKIBGrbCSW2O1yOyQW9nvDUkA5EdsS58Q7US7bvM4iWpu
+DIBwCXur7/VuKnhn/HUhURLzj/JNozynSChqYyG+CvL+ZLy82LUE3ZIBkSdv/vFL
+Ft+VvvRtf1EcsmoqenkZl7aN7HD7DJeXBoz5tyVQKuH17WW0fsi9StGtCcUl+H6K
+zV9Gif0Kj0uLQbCg3THRvKuueBTwCTdjoP0PwaNADgSWb3hJPeLMm/yII4tIMGbO
+w+xd9wJRl+ZN9nkNtQMxszFGdKjedB6goYLQuP0WRZx+YtykaVJdM75bDUvsQar4
+9Pc21Fp7UVk/CN11DX/hX3TmTJAUtqYADliVKkTbCQKBgQDLU48tBxm3g1CdDM/P
+ZIEmpA3Y/m7e9eX7M1Uo/zDh4G/S9a4kkX6GQY2dLFdCtOS8M4hR11Io7MceBKDi
+djorTZ5zJPQ8+b9Rm+1GlaucGNwRW0cQk2ltT2ksPmJnQn2xvM9T8vE+a4A/YGzw
+mZOfpoVGykWs/tbSzU2aTaOybQKBgQDIfRf6OmirGPh59l+RSuDkZtISF/51mCV/
+S1M4DltWDwhjC2Y2T+meIsb/Mjtz4aVNz0EHB8yvn0TMGr94Uwjv4uBdpVSwz+xL
+hHL7J4rpInH+i0gxa0N+rGwsPwI8wJG95wLY+Kni5KCuXQw55uX1cqnnsahpRZFZ
+EerBXhjqHwKBgBmEjiaHipm2eEqNjhMoOPFBi59dJ0sCL2/cXGa9yEPA6Cfgv49F
+V0zAM2azZuwvSbm4+fXTgTMzrDW/PPXPArPmlOk8jQ6OBY3XdOrz48q+b/gZrYyO
+A6A9ZCSyW6U7+gxxds/BYLeFxF2v21xC2f0iZ/2faykv/oQMUh34en/tAoGACqVZ
+2JexZyR0TUWf3X80YexzyzIq+OOTWicNzDQ29WLm9xtr2gZ0SUlfd72bGpQoyvDu
+awkm/UxfwtbIxALkvpg1gcN9s8XWrkviLyPyZF7H3tRWiQlBFEDjnZXa8I7pLkRO
+Cmdp3fp17cxTEeAI5feovfzZDH39MdWZuZrdh9ECgYBTEv8S7nK8wrxIC390kroV
+52eBwzckQU2mWa0thUtaGQiU1EYPCSDcjkrLXwB72ft0dW57KyWtvrB6rt1ORgOL
+eI5hFbwdGQhCHTrAR1vG3SyFPMAm+8JB+sGOD/fvjtZKx//MFNweKFNEF0C/o6Z2
+FXj90PlgF8sCQut36ZfuIQ==
+-----END PRIVATE KEY-----

package/dist/browser/base64url.d.ts

@@ -0,0 +1,4 @@
+export declare class Base64URL {
+    static stringify(a: any): string;
+    static parse(s: any): Uint8Array;
+}

package/dist/browser/base64url.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Base64URL = void 0;
+var Base64URL = /** @class */ (function () {
+    function Base64URL() {
+    }
+    Base64URL.stringify = function (a) {
+        var base64string = btoa(String.fromCharCode.apply(0, a));
+        return base64string.replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
+    };
+    Base64URL.parse = function (s) {
+        s = s.replace(/-/g, '+').replace(/_/g, '/').replace(/\s/g, '');
+        return new Uint8Array(Array.prototype.map.call(atob(s), function (c) { return c.charCodeAt(0); }));
+    };
+    return Base64URL;
+}());
+exports.Base64URL = Base64URL;
+//# sourceMappingURL=base64url.js.map

package/dist/browser/base64url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64url.js","sourceRoot":"","sources":["../../src/browser/base64url.ts"],"names":[],"mappings":";;;AACA;IAAA;IAUA,CAAC;IATiB,mBAAS,GAAvB,UAAwB,CAAC;QACrB,IAAI,YAAY,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACzD,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAClF,CAAC;IAEa,eAAK,GAAnB,UAAoB,CAAC;QACjB,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC/D,OAAO,IAAI,UAAU,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAf,CAAe,CAAC,CAAC,CAAC;IACnF,CAAC;IACL,gBAAC;AAAD,CAAC,AAVD,IAUC;AAVY,8BAAS"}

package/dist/browser/index.d.ts

@@ -0,0 +1,5 @@
+import { JWTEngine } from '../common';
+export * from '../common';
+export * from './webcrypto-jwt';
+export declare function createJWTEngine(): JWTEngine;
+export declare const JWT: JWTEngine;

package/dist/browser/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !exports.hasOwnProperty(p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWT = exports.createJWTEngine = void 0;
+var webcrypto_jwt_1 = require("./webcrypto-jwt");
+__exportStar(require("../common"), exports);
+__exportStar(require("./webcrypto-jwt"), exports);
+function createJWTEngine() { return new webcrypto_jwt_1.WebCryptoJWT(); }
+exports.createJWTEngine = createJWTEngine;
+;
+exports.JWT = createJWTEngine();
+//# sourceMappingURL=index.js.map

package/dist/browser/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/browser/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;AACA,iDAA+C;AAC/C,4CAA0B;AAC1B,kDAAgC;AAChC,SAAgB,eAAe,KAAiB,OAAO,IAAI,4BAAY,EAAE,CAAC,CAAC,CAAC;AAA5E,0CAA4E;AAAA,CAAC;AAChE,QAAA,GAAG,GAAG,eAAe,EAAE,CAAC"}

package/dist/browser/utils.d.ts

@@ -0,0 +1,6 @@
+export declare class Utils {
+    static isString(s: any): boolean;
+    static utf8ToUint8Array(str: any): Uint8Array;
+    static isFunction(fn: any): boolean;
+    static isObject(arg: any): boolean;
+}

package/dist/browser/utils.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Utils = void 0;
+var base64url_1 = require("./base64url");
+var Utils = /** @class */ (function () {
+    function Utils() {
+    }
+    Utils.isString = function (s) {
+        return typeof s === 'string';
+    };
+    Utils.utf8ToUint8Array = function (str) {
+        str = btoa(unescape(encodeURIComponent(str)));
+        return base64url_1.Base64URL.parse(str);
+    };
+    Utils.isFunction = function (fn) {
+        return typeof fn === 'function';
+    };
+    Utils.isObject = function (arg) {
+        return arg !== null && typeof arg === 'object';
+    };
+    return Utils;
+}());
+exports.Utils = Utils;
+//# sourceMappingURL=utils.js.map

package/dist/browser/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../../src/browser/utils.ts"],"names":[],"mappings":";;;AAAA,yCAAwC;AAExC;IAAA;IAiBA,CAAC;IAhBiB,cAAQ,GAAtB,UAAuB,CAAC;QACpB,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC;IACjC,CAAC;IAEa,sBAAgB,GAA9B,UAA+B,GAAG;QAC9B,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC9C,OAAO,qBAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAEa,gBAAU,GAAxB,UAAyB,EAAE;QACvB,OAAO,OAAO,EAAE,KAAK,UAAU,CAAC;IACpC,CAAC;IAEa,cAAQ,GAAtB,UAAuB,GAAG;QACtB,OAAO,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,CAAC;IACnD,CAAC;IACL,YAAC;AAAD,CAAC,AAjBD,IAiBC;AAjBY,sBAAK"}

package/dist/browser/webcrypto-jwt.d.ts

@@ -0,0 +1,22 @@
+import { JWTEngine, EncodeOptions, Token, DecodeOptions } from "../common/interface";
+export declare class WebCryptoJWT implements JWTEngine {
+    private subtleCrypto?;
+    constructor(subtleCrypto?: SubtleCrypto);
+    decodeUntrusted(token: string): Promise<Token>;
+    private findSubtleCrypto;
+    encode(payload: Record<string, any>, options: EncodeOptions): Promise<Token>;
+    validate(string: string, options: DecodeOptions): Promise<Token>;
+    private algorithmOf;
+    private str2ab;
+    /**
+     * Adapted from https://chromium.googlesource.com/chromium/blink/+/master/LayoutTests/crypto/subtle/hmac/sign-verify.html
+     *
+     * @param token
+     * @param secret
+     * @param alg
+     */
+    private _verify;
+    private _sign;
+    private _decode;
+    private _decodeBase64URL;
+}

package/dist/browser/webcrypto-jwt.js

@@ -0,0 +1,378 @@
+"use strict";
+// Originally from https://github.com/pose/webcrypto-jwt
+// (C) Copyright (c) 2015 Alberto Pose albertopose@gmail.com
+// Used under the terms of the MIT License (https://github.com/pose/webcrypto-jwt/blob/master/LICENSE.md)
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (_) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebCryptoJWT = void 0;
+var base64url_1 = require("./base64url");
+var utils_1 = require("./utils");
+var common_1 = require("../common");
+var ALGORITHMS = {
+    none: {},
+    HS256: {
+        importKey: {
+            name: 'HMAC',
+            hash: 'SHA-256'
+        },
+        operation: {
+            name: 'HMAC',
+            hash: 'SHA-256'
+        }
+    },
+    HS384: {
+        importKey: {
+            name: 'HMAC',
+            hash: 'SHA-384'
+        },
+        operation: {
+            name: 'HMAC',
+            hash: 'SHA-384'
+        }
+    },
+    HS512: {
+        importKey: {
+            name: 'HMAC',
+            hash: 'SHA-512'
+        },
+        operation: {
+            name: 'HMAC',
+            hash: 'SHA-512'
+        }
+    },
+    RS256: {
+        importKey: {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: 'SHA-256'
+        },
+        operation: {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: 'SHA-256'
+        }
+    },
+    RS512: {
+        importKey: {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: 'SHA-512'
+        },
+        operation: {
+            name: 'RSASSA-PKCS1-v1_5',
+            hash: 'SHA-512'
+        }
+    },
+    ES256: {
+        importKey: {
+            name: 'ECDSA',
+            namedCurve: 'P-256'
+        },
+        operation: {
+            name: 'ECDSA',
+            namedCurve: 'P-256',
+            hash: 'SHA-256'
+        }
+    }
+};
+var WebCryptoJWT = /** @class */ (function () {
+    function WebCryptoJWT(subtleCrypto) {
+        this.subtleCrypto = subtleCrypto;
+        if (!subtleCrypto)
+            this.findSubtleCrypto();
+    }
+    WebCryptoJWT.prototype.decodeUntrusted = function (token) {
+        return __awaiter(this, void 0, void 0, function () {
+            var decodedToken;
+            return __generator(this, function (_a) {
+                decodedToken = this._decode(token);
+                return [2 /*return*/, { claims: decodedToken.payload, string: token }];
+            });
+        });
+    };
+    WebCryptoJWT.prototype.findSubtleCrypto = function () {
+        if ('crypto' in window)
+            this.subtleCrypto = crypto.subtle || crypto['webkitSubtle'];
+        if (!this.subtleCrypto && 'msCrypto' in window)
+            this.subtleCrypto = window['msCrypto'].Subtle;
+    };
+    WebCryptoJWT.prototype.encode = function (payload, options) {
+        return __awaiter(this, void 0, void 0, function () {
+            var _a;
+            return __generator(this, function (_b) {
+                switch (_b.label) {
+                    case 0:
+                        _a = {};
+                        return [4 /*yield*/, this._sign(payload, options.secretOrKey, this.algorithmOf(options))];
+                    case 1: return [2 /*return*/, (_a.string = _b.sent(),
+                            _a.claims = payload,
+                            _a)];
+                }
+            });
+        });
+    };
+    WebCryptoJWT.prototype.validate = function (string, options) {
+        var _a;
+        return __awaiter(this, void 0, void 0, function () {
+            var decodedToken, algorithm, secretOrKey, claims, _b;
+            return __generator(this, function (_c) {
+                switch (_c.label) {
+                    case 0:
+                        decodedToken = this._decode(string);
+                        algorithm = this.algorithmOf(options);
+                        secretOrKey = options.secretOrKey;
+                        claims = decodedToken.payload;
+                        // Signature must match
+                        if (decodedToken.header.alg !== algorithm)
+                            throw new Error("Cannot validate JWT '" + string + "': Token has incorrect algorithm");
+                        _b = algorithm !== 'none';
+                        if (!_b) return [3 /*break*/, 2];
+                        return [4 /*yield*/, this._verify(decodedToken, secretOrKey, algorithm)];
+                    case 1:
+                        _b = !(_c.sent());
+                        _c.label = 2;
+                    case 2:
+                        if (_b)
+                            throw new Error("Cannot validate JWT '" + string + "': Invalid signature");
+                        // Algorithm must match
+                        // Expiration
+                        try {
+                            common_1.validateExpiry(claims.exp, options.now, (_a = options.validate) === null || _a === void 0 ? void 0 : _a.exp);
+                        }
+                        catch (e) {
+                            throw new Error("Cannot validate JWT '" + string + "': " + e.message);
+                        }
+                        return [2 /*return*/, {
+                                string: string,
+                                claims: decodedToken.payload
+                            }];
+                }
+            });
+        });
+    };
+    WebCryptoJWT.prototype.algorithmOf = function (options) {
+        return options.algorithm || 'HS256';
+    };
+    WebCryptoJWT.prototype.str2ab = function (str) {
+        var buf = new ArrayBuffer(str.length);
+        var bufView = new Uint8Array(buf);
+        for (var i = 0, strLen = str.length; i < strLen; i++) {
+            bufView[i] = str.charCodeAt(i);
+        }
+        return buf;
+    };
+    /**
+     * Adapted from https://chromium.googlesource.com/chromium/blink/+/master/LayoutTests/crypto/subtle/hmac/sign-verify.html
+     *
+     * @param token
+     * @param secret
+     * @param alg
+     */
+    WebCryptoJWT.prototype._verify = function (token, secret, alg) {
+        return __awaiter(this, void 0, void 0, function () {
+            var importAlgorithm, keyFormat, secretBuf, encoder, key, e_1, identifier, partialToken, signaturePart, messageAsUint8Array, signatureAsUint8Array, e_2;
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        if (alg === 'none')
+                            return [2 /*return*/, true];
+                        importAlgorithm = ALGORITHMS[alg];
+                        if (!importAlgorithm)
+                            throw new Error("Algorithm " + alg + " is not supported");
+                        encoder = new TextEncoder();
+                        // TODO Test utf8ToUint8Array function
+                        if (secret.includes('-----BEGIN PUBLIC KEY-----')) {
+                            secretBuf = this.str2ab(atob(secret
+                                .replace(/^-----BEGIN PUBLIC KEY-----\n/, '')
+                                .replace(/\n-----END PUBLIC KEY-----/, '')
+                                .replace(/\n/g, '')));
+                            keyFormat = 'spki';
+                        }
+                        else if (secret.includes('-----BEGIN RSA PUBLIC KEY-----')) {
+                            throw new Error("PKCS#1 keys are not supported. "
+                                + "Please convert the key to PKCS#8 instead: "
+                                + "openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in pkcs1.key -out pkcs8.key");
+                        }
+                        else {
+                            secretBuf = encoder.encode(secret);
+                            keyFormat = 'raw';
+                        }
+                        if (!this.subtleCrypto)
+                            throw new Error("Not supported: No Subtle Crypto support");
+                        _a.label = 1;
+                    case 1:
+                        _a.trys.push([1, 3, , 4]);
+                        return [4 /*yield*/, this.subtleCrypto.importKey(keyFormat, secretBuf, importAlgorithm.importKey, false, ['verify'])];
+                    case 2:
+                        key = _a.sent();
+                        return [3 /*break*/, 4];
+                    case 3:
+                        e_1 = _a.sent();
+                        identifier = "jwtUncaughtError" + Math.floor(10000 + Math.random() * 10000);
+                        console.error("JWT.verify(): Caught error while importing " + alg + " key: format=" + keyFormat + ", importAlgorithm: " + JSON.stringify(importAlgorithm.importKey) + ".");
+                        console.error(e_1);
+                        if (typeof window !== 'undefined') {
+                            window[identifier] = e_1;
+                            console.error("To aid in debugging, this error was saved to " + identifier);
+                        }
+                        throw e_1;
+                    case 4:
+                        partialToken = token.encodedHeader + "." + token.encodedPayload;
+                        signaturePart = token.signature;
+                        messageAsUint8Array = encoder.encode(partialToken);
+                        signatureAsUint8Array = base64url_1.Base64URL.parse(signaturePart);
+                        if (!this.subtleCrypto)
+                            throw new Error("Not supported: No Subtle Crypto support");
+                        _a.label = 5;
+                    case 5:
+                        _a.trys.push([5, 7, , 8]);
+                        return [4 /*yield*/, this.subtleCrypto.verify(importAlgorithm.operation, key, signatureAsUint8Array, messageAsUint8Array)];
+                    case 6: return [2 /*return*/, _a.sent()];
+                    case 7:
+                        e_2 = _a.sent();
+                        console.error("JWT.verify(): Caught error while verifying token:");
+                        console.error(e_2);
+                        throw e_2;
+                    case 8: return [2 /*return*/];
+                }
+            });
+        });
+    };
+    ;
+    WebCryptoJWT.prototype._sign = function (payload, secret, alg) {
+        return __awaiter(this, void 0, void 0, function () {
+            var importAlgorithm, payloadAsJSON, header, headerAsJSON, partialToken, keyFormat, encoder, secretBuf, key, e_3, messageAsUint8Array, signature, e_4, signatureAsBase64, token;
+            return __generator(this, function (_a) {
+                switch (_a.label) {
+                    case 0:
+                        importAlgorithm = ALGORITHMS[alg];
+                        if (!importAlgorithm)
+                            throw new Error("Algorithm '" + alg + "' is not supported");
+                        payloadAsJSON = JSON.stringify(payload);
+                        header = { alg: alg, typ: 'JWT' };
+                        headerAsJSON = JSON.stringify(header);
+                        partialToken = base64url_1.Base64URL.stringify(utils_1.Utils.utf8ToUint8Array(headerAsJSON)) + '.' +
+                            base64url_1.Base64URL.stringify(utils_1.Utils.utf8ToUint8Array(payloadAsJSON));
+                        if (alg === 'none')
+                            return [2 /*return*/, partialToken + "."];
+                        keyFormat = 'raw';
+                        encoder = new TextEncoder();
+                        // TODO Test utf8ToUint8Array function
+                        if (secret.includes('-----BEGIN RSA PRIVATE KEY-----')) {
+                            throw new Error("PKCS#1 keys are not supported. Please convert the key to PKCS#8 instead: openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in pkcs1.key -out pkcs8.key");
+                        }
+                        else if (secret.includes('-----BEGIN PRIVATE KEY-----')) {
+                            secretBuf = this.str2ab(atob(secret
+                                .replace(/^-----BEGIN PRIVATE KEY-----\n/, '')
+                                .replace(/\n-----END PRIVATE KEY-----/, '')
+                                .replace(/\n/g, '')));
+                            keyFormat = 'pkcs8';
+                        }
+                        else {
+                            secretBuf = encoder.encode(secret);
+                        }
+                        if (!this.subtleCrypto)
+                            throw new Error("Not supported: No Subtle Crypto support");
+                        _a.label = 1;
+                    case 1:
+                        _a.trys.push([1, 3, , 4]);
+                        return [4 /*yield*/, this.subtleCrypto.importKey(keyFormat, secretBuf, importAlgorithm.importKey, false, ['sign'])];
+                    case 2:
+                        key = _a.sent();
+                        return [3 /*break*/, 4];
+                    case 3:
+                        e_3 = _a.sent();
+                        console.error("JWT.sign(): Caught error while importing " + alg + " key: format=" + keyFormat + ", importAlgorithm: " + JSON.stringify(importAlgorithm.importKey));
+                        console.error(e_3);
+                        throw e_3;
+                    case 4:
+                        messageAsUint8Array = utils_1.Utils.utf8ToUint8Array(partialToken);
+                        if (!this.subtleCrypto)
+                            throw new Error("Not supported: No Subtle Crypto support");
+                        _a.label = 5;
+                    case 5:
+                        _a.trys.push([5, 7, , 8]);
+                        return [4 /*yield*/, this.subtleCrypto.sign(importAlgorithm.operation, key, messageAsUint8Array)];
+                    case 6:
+                        signature = _a.sent();
+                        return [3 /*break*/, 8];
+                    case 7:
+                        e_4 = _a.sent();
+                        console.error("JWT.sign(): Caught error while signing token:");
+                        console.error(e_4);
+                        throw e_4;
+                    case 8:
+                        signatureAsBase64 = base64url_1.Base64URL.stringify(new Uint8Array(signature));
+                        token = partialToken + "." + signatureAsBase64;
+                        return [2 /*return*/, token];
+                }
+            });
+        });
+    };
+    ;
+    WebCryptoJWT.prototype._decode = function (token) {
+        var parts = token.split('.');
+        if (parts.length !== 3)
+            throw new Error("Invalid token '" + token + "': must have 3 parts separated by '.'");
+        return {
+            encodedHeader: parts[0],
+            encodedPayload: parts[1],
+            signature: parts[2],
+            header: JSON.parse(this._decodeBase64URL(parts[0])),
+            payload: JSON.parse(this._decodeBase64URL(parts[1])),
+        };
+    };
+    ;
+    WebCryptoJWT.prototype._decodeBase64URL = function (string) {
+        string = string.replace(/-/g, '+').replace(/_/g, '/');
+        switch (string.length % 4) {
+            case 0:
+                break;
+            case 2:
+                string += '==';
+                break;
+            case 3:
+                string += '=';
+                break;
+            default:
+                throw new Error("Illegal Base64URL string '" + string + "'");
+        }
+        // TODO Use shim or document incompatible browsers
+        return decodeURIComponent(escape(atob(string)));
+    };
+    return WebCryptoJWT;
+}());
+exports.WebCryptoJWT = WebCryptoJWT;
+//# sourceMappingURL=webcrypto-jwt.js.map