@atproto/jwk 0.6.0 → 0.7.0-next.0

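--- a/package/dist/jwks.js
+++ b/package/dist/jwks.js
@@ -1,20 +1,17 @@
- "use strict";
- Object.defineProperty(exports, "__esModule", { value: true });
- exports.jwksPubSchema = exports.jwksSchema = void 0;
- const zod_1 = require("zod");
- const jwk_js_1 = require("./jwk.js");
+ import { z } from 'zod';
+ import { jwkPubSchema, jwkSchema } from './jwk.js';
  /**
  * JSON Web Key Set schema. The keys set, in this context, represents a
  * collection of JSON Web Keys (JWKs), that can be both public and private.
  */
- exports.jwksSchema = zod_1.z.object({
- keys: zod_1.z.array(zod_1.z.unknown()).transform((input) => {
+ export const jwksSchema = z.object({
+ keys: z.array(z.unknown()).transform((input) => {
  // > Implementations SHOULD ignore JWKs within a JWK Set that use "kty"
  // > (key type) values that are not understood by them, that are missing
  // > required members, or for which values are out of the supported
  // > ranges.
  return input
- .map((item) => jwk_js_1.jwkSchema.safeParse(item))
+ .map((item) => jwkSchema.safeParse(item))
  .filter((res) => res.success)
  .map((res) => res.data);
  }),
@@ -22,14 +19,14 @@ exports.jwksSchema = zod_1.z.object({
  /**
  * Public JSON Web Key Set schema.
  */
- exports.jwksPubSchema = zod_1.z.object({
- keys: zod_1.z.array(zod_1.z.unknown()).transform((input) => {
+ export const jwksPubSchema = z.object({
+ keys: z.array(z.unknown()).transform((input) => {
  // > Implementations SHOULD ignore JWKs within a JWK Set that use "kty"
  // > (key type) values that are not understood by them, that are missing
  // > required members, or for which values are out of the supported
  // > ranges.
  return input
- .map((item) => jwk_js_1.jwkPubSchema.safeParse(item))
+ .map((item) => jwkPubSchema.safeParse(item))
  .filter((res) => res.success)
  .map((res) => res.data);
  }),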
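Review bot: The `keys` transform in both `jwksSchema` and `jwksPubSchema` drops every entry whose `safeParse` fails, so a set in which no key validates still parses successfully with an empty `keys` array, and neither doc comment says so. The quoted text appears to come from RFC 7517 section 5; I would cite it and add to each schema's comment something like `// Invalid or unsupported keys are dropped silently; the result may be empty, so callers must check before selecting a key.` For `jwksSchema`, which per its own comment can hold private keys, a silently dropped entry could hide a misconfigured signing key, so the caller is where that has to be detected. The two transforms differ only in the item schema and could share one helper in the TypeScript source.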
package/dist/jwks.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"jwks.js","sourceRoot":"","sources":["../src/jwks.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,qCAAkD;AAElD;;;GAGG;AACU,QAAA,UAAU,GAAG,OAAC,CAAC,MAAM,CAAC;IACjC,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE;QAC7C,uEAAuE;QACvE,wEAAwE;QACxE,mEAAmE;QACnE,YAAY;QACZ,OAAO,KAAK;aACT,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,kBAAS,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;aACxC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC;aAC5B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC3B,CAAC,CAAC;CACH,CAAC,CAAA;AAIF;;GAEG;AACU,QAAA,aAAa,GAAG,OAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE;QAC7C,uEAAuE;QACvE,wEAAwE;QACxE,mEAAmE;QACnE,YAAY;QACZ,OAAO,KAAK;aACT,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,qBAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;aAC3C,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC;aAC5B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC3B,CAAC,CAAC;CACH,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { jwkPubSchema, jwkSchema } from './jwk.js'\n\n/**\n * JSON Web Key Set schema. 
The keys set, in this context, represents a\n * collection of JSON Web Keys (JWKs), that can be both public and private.\n */\nexport const jwksSchema = z.object({\n keys: z.array(z.unknown()).transform((input) => {\n // > Implementations SHOULD ignore JWKs within a JWK Set that use \"kty\"\n // > (key type) values that are not understood by them, that are missing\n // > required members, or for which values are out of the supported\n // > ranges.\n return input\n .map((item) => jwkSchema.safeParse(item))\n .filter((res) => res.success)\n .map((res) => res.data)\n }),\n})\n\nexport type Jwks = z.output<typeof jwksSchema>\n\n/**\n * Public JSON Web Key Set schema.\n */\nexport const jwksPubSchema = z.object({\n keys: z.array(z.unknown()).transform((input) => {\n // > Implementations SHOULD ignore JWKs within a JWK Set that use \"kty\"\n // > (key type) values that are not understood by them, that are missing\n // > required members, or for which values are out of the supported\n // > ranges.\n return input\n .map((item) => jwkPubSchema.safeParse(item))\n .filter((res) => res.success)\n .map((res) => res.data)\n }),\n})\n\nexport type JwksPub = z.output<typeof jwksPubSchema>\n"]}
1
+ {"version":3,"file":"jwks.js","sourceRoot":"","sources":["../src/jwks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAElD;;;GAGG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE;QAC7C,uEAAuE;QACvE,wEAAwE;QACxE,mEAAmE;QACnE,YAAY;QACZ,OAAO,KAAK;aACT,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;aACxC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC;aAC5B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC3B,CAAC,CAAC;CACH,CAAC,CAAA;AAIF;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE;QAC7C,uEAAuE;QACvE,wEAAwE;QACxE,mEAAmE;QACnE,YAAY;QACZ,OAAO,KAAK;aACT,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;aAC3C,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC;aAC5B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC3B,CAAC,CAAC;CACH,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { jwkPubSchema, jwkSchema } from './jwk.js'\n\n/**\n * JSON Web Key Set schema. 
The keys set, in this context, represents a\n * collection of JSON Web Keys (JWKs), that can be both public and private.\n */\nexport const jwksSchema = z.object({\n keys: z.array(z.unknown()).transform((input) => {\n // > Implementations SHOULD ignore JWKs within a JWK Set that use \"kty\"\n // > (key type) values that are not understood by them, that are missing\n // > required members, or for which values are out of the supported\n // > ranges.\n return input\n .map((item) => jwkSchema.safeParse(item))\n .filter((res) => res.success)\n .map((res) => res.data)\n }),\n})\n\nexport type Jwks = z.output<typeof jwksSchema>\n\n/**\n * Public JSON Web Key Set schema.\n */\nexport const jwksPubSchema = z.object({\n keys: z.array(z.unknown()).transform((input) => {\n // > Implementations SHOULD ignore JWKs within a JWK Set that use \"kty\"\n // > (key type) values that are not understood by them, that are missing\n // > required members, or for which values are out of the supported\n // > ranges.\n return input\n .map((item) => jwkPubSchema.safeParse(item))\n .filter((res) => res.success)\n .map((res) => res.data)\n }),\n})\n\nexport type JwksPub = z.output<typeof jwksPubSchema>\n"]}
@@ -1,19 +1,16 @@
1
- "use strict";
2
- Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.unsafeDecodeJwt = unsafeDecodeJwt;
4
- const errors_js_1 = require("./errors.js");
5
- const jwt_js_1 = require("./jwt.js");
6
- const util_js_1 = require("./util.js");
7
- function unsafeDecodeJwt(jwt) {
1
+ import { ERR_JWT_INVALID, JwtVerifyError } from './errors.js';
2
+ import { jwtHeaderSchema, jwtPayloadSchema, } from './jwt.js';
3
+ import { parseB64uJson } from './util.js';
4
+ export function unsafeDecodeJwt(jwt) {
8
5
  const { 0: headerEnc, 1: payloadEnc, length } = jwt.split('.');
9
6
  if (length > 3 || length < 2) {
10
- throw new errors_js_1.JwtVerifyError(undefined, errors_js_1.ERR_JWT_INVALID);
7
+ throw new JwtVerifyError(undefined, ERR_JWT_INVALID);
11
8
  }
12
- const header = jwt_js_1.jwtHeaderSchema.parse((0, util_js_1.parseB64uJson)(headerEnc));
9
+ const header = jwtHeaderSchema.parse(parseB64uJson(headerEnc));
13
10
  if (length === 2 && header?.alg !== 'none') {
14
- throw new errors_js_1.JwtVerifyError(undefined, errors_js_1.ERR_JWT_INVALID);
11
+ throw new JwtVerifyError(undefined, ERR_JWT_INVALID);
15
12
  }
16
- const payload = jwt_js_1.jwtPayloadSchema.parse((0, util_js_1.parseB64uJson)(payloadEnc));
13
+ const payload = jwtPayloadSchema.parse(parseB64uJson(payloadEnc));
17
14
  return { header, payload };
18
15
  }
19
16
  //# sourceMappingURL=jwt-decode.js.map
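Review bot: `unsafeDecodeJwt` has no doc comment saying that it performs no signature verification and accepts two-segment tokens whose header declares `alg: 'none'`, which is the one thing a caller has to know. I would add above the function `/** Decodes header and payload WITHOUT verifying the signature; the result is untrusted input and must not drive authentication or authorization decisions. */`. The two `.parse(...)` calls also throw zod's own error on a schema mismatch, while the segment-count checks throw `JwtVerifyError` with `ERR_JWT_INVALID`, so a caller that catches only `JwtVerifyError` would presumably miss malformed headers and payloads; what `parseB64uJson` throws is not visible here. The page shows this hunk without its file header, so the file name is taken from the `sourceMappingURL` comment.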
@@ -1 +1 @@
1
- {"version":3,"file":"jwt-decode.js","sourceRoot":"","sources":["../src/jwt-decode.ts"],"names":[],"mappings":";;AASA,0CAiBC;AA1BD,2CAA6D;AAC7D,qCAKiB;AACjB,uCAAyC;AAEzC,SAAgB,eAAe,CAAC,GAAW;IAIzC,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9D,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,0BAAc,CAAC,SAAS,EAAE,2BAAe,CAAC,CAAA;IACtD,CAAC;IAED,MAAM,MAAM,GAAG,wBAAe,CAAC,KAAK,CAAC,IAAA,uBAAa,EAAC,SAAU,CAAC,CAAC,CAAA;IAC/D,IAAI,MAAM,KAAK,CAAC,IAAI,MAAM,EAAE,GAAG,KAAK,MAAM,EAAE,CAAC;QAC3C,MAAM,IAAI,0BAAc,CAAC,SAAS,EAAE,2BAAe,CAAC,CAAA;IACtD,CAAC;IAED,MAAM,OAAO,GAAG,yBAAgB,CAAC,KAAK,CAAC,IAAA,uBAAa,EAAC,UAAW,CAAC,CAAC,CAAA;IAElE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAA;AAC5B,CAAC","sourcesContent":["import { ERR_JWT_INVALID, JwtVerifyError } from './errors.js'\nimport {\n JwtHeader,\n JwtPayload,\n jwtHeaderSchema,\n jwtPayloadSchema,\n} from './jwt.js'\nimport { parseB64uJson } from './util.js'\n\nexport function unsafeDecodeJwt(jwt: string): {\n header: JwtHeader\n payload: JwtPayload\n} {\n const { 0: headerEnc, 1: payloadEnc, length } = jwt.split('.')\n if (length > 3 || length < 2) {\n throw new JwtVerifyError(undefined, ERR_JWT_INVALID)\n }\n\n const header = jwtHeaderSchema.parse(parseB64uJson(headerEnc!))\n if (length === 2 && header?.alg !== 'none') {\n throw new JwtVerifyError(undefined, ERR_JWT_INVALID)\n }\n\n const payload = jwtPayloadSchema.parse(parseB64uJson(payloadEnc!))\n\n return { header, payload }\n}\n"]}
1
+ {"version":3,"file":"jwt-decode.js","sourceRoot":"","sources":["../src/jwt-decode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AAC7D,OAAO,EAGL,eAAe,EACf,gBAAgB,GACjB,MAAM,UAAU,CAAA;AACjB,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAA;AAEzC,MAAM,UAAU,eAAe,CAAC,GAAW;IAIzC,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9D,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACtD,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,aAAa,CAAC,SAAU,CAAC,CAAC,CAAA;IAC/D,IAAI,MAAM,KAAK,CAAC,IAAI,MAAM,EAAE,GAAG,KAAK,MAAM,EAAE,CAAC;QAC3C,MAAM,IAAI,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACtD,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,aAAa,CAAC,UAAW,CAAC,CAAC,CAAA;IAElE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAA;AAC5B,CAAC","sourcesContent":["import { ERR_JWT_INVALID, JwtVerifyError } from './errors.js'\nimport {\n JwtHeader,\n JwtPayload,\n jwtHeaderSchema,\n jwtPayloadSchema,\n} from './jwt.js'\nimport { parseB64uJson } from './util.js'\n\nexport function unsafeDecodeJwt(jwt: string): {\n header: JwtHeader\n payload: JwtPayload\n} {\n const { 0: headerEnc, 1: payloadEnc, length } = jwt.split('.')\n if (length > 3 || length < 2) {\n throw new JwtVerifyError(undefined, ERR_JWT_INVALID)\n }\n\n const header = jwtHeaderSchema.parse(parseB64uJson(headerEnc!))\n if (length === 2 && header?.alg !== 'none') {\n throw new JwtVerifyError(undefined, ERR_JWT_INVALID)\n }\n\n const payload = jwtPayloadSchema.parse(parseB64uJson(payloadEnc!))\n\n return { header, payload }\n}\n"]}
@@ -1,3 +1,2 @@
1
- "use strict";
2
- Object.defineProperty(exports, "__esModule", { value: true });
1
+ export {};
3
2
  //# sourceMappingURL=jwt-verify.js.map
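--- a/package/dist/jwt.js
+++ b/package/dist/jwt.js
@@ -1,191 +1,186 @@
- "use strict";
- Object.defineProperty(exports, "__esModule", { value: true });
- exports.jwtPayloadSchema = exports.htuSchema = exports.jwtHeaderSchema = exports.isUnsignedJwt = exports.unsignedJwtSchema = exports.isSignedJwt = exports.signedJwtSchema = void 0;
- const zod_1 = require("zod");
- const jwk_js_1 = require("./jwk.js");
- const util_js_1 = require("./util.js");
- exports.signedJwtSchema = zod_1.z
+ import { z } from 'zod';
+ import { jwkPubSchema } from './jwk.js';
+ import { jwtCharsRefinement, segmentedStringRefinementFactory } from './util.js';
+ export const signedJwtSchema = z
  .string()
- .superRefine(util_js_1.jwtCharsRefinement)
- .superRefine((0, util_js_1.segmentedStringRefinementFactory)(3));
- const isSignedJwt = (data) => exports.signedJwtSchema.safeParse(data).success;
- exports.isSignedJwt = isSignedJwt;
- exports.unsignedJwtSchema = zod_1.z
+ .superRefine(jwtCharsRefinement)
+ .superRefine(segmentedStringRefinementFactory(3));
+ export const isSignedJwt = (data) => signedJwtSchema.safeParse(data).success;
+ export const unsignedJwtSchema = z
  .string()
- .superRefine(util_js_1.jwtCharsRefinement)
- .superRefine((0, util_js_1.segmentedStringRefinementFactory)(2));
- const isUnsignedJwt = (data) => exports.unsignedJwtSchema.safeParse(data).success;
- exports.isUnsignedJwt = isUnsignedJwt;
+ .superRefine(jwtCharsRefinement)
+ .superRefine(segmentedStringRefinementFactory(2));
+ export const isUnsignedJwt = (data) => unsignedJwtSchema.safeParse(data).success;
  /**
  * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4}
  */
- exports.jwtHeaderSchema = zod_1.z
+ export const jwtHeaderSchema = z
  .object({
  /** "alg" (Algorithm) Header Parameter */
- alg: zod_1.z.string(),
+ alg: z.string(),
  /** "jku" (JWK Set URL) Header Parameter */
- jku: zod_1.z.string().url().optional(),
+ jku: z.string().url().optional(),
  /** "jwk" (JSON Web Key) Header Parameter */
- jwk: zod_1.z
+ jwk: z
  .object({
- kty: zod_1.z.string(),
- crv: zod_1.z.string().optional(),
- x: zod_1.z.string().optional(),
- y: zod_1.z.string().optional(),
- e: zod_1.z.string().optional(),
- n: zod_1.z.string().optional(),
+ kty: z.string(),
+ crv: z.string().optional(),
+ x: z.string().optional(),
+ y: z.string().optional(),
+ e: z.string().optional(),
+ n: z.string().optional(),
  })
  .optional(),
  /** "kid" (Key ID) Header Parameter */
- kid: zod_1.z.string().optional(),
+ kid: z.string().optional(),
  /** "x5u" (X.509 URL) Header Parameter */
- x5u: zod_1.z.string().optional(),
+ x5u: z.string().optional(),
  /** "x5c" (X.509 Certificate Chain) Header Parameter */
- x5c: zod_1.z.array(zod_1.z.string()).optional(),
+ x5c: z.array(z.string()).optional(),
  /** "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */
- x5t: zod_1.z.string().optional(),
+ x5t: z.string().optional(),
  /** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */
- 'x5t#S256': zod_1.z.string().optional(),
+ 'x5t#S256': z.string().optional(),
  /** "typ" (Type) Header Parameter */
- typ: zod_1.z.string().optional(),
+ typ: z.string().optional(),
  /** "cty" (Content Type) Header Parameter */
- cty: zod_1.z.string().optional(),
+ cty: z.string().optional(),
  /** "crit" (Critical) Header Parameter */
- crit: zod_1.z.array(zod_1.z.string()).optional(),
+ crit: z.array(z.string()).optional(),
  })
  .passthrough();
  /**
  * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}
  * @see {@link https://www.rfc-editor.org/rfc/rfc9110#section-7.1}
  */
- exports.htuSchema = zod_1.z.string().superRefine((value, ctx) => {
+ export const htuSchema = z.string().superRefine((value, ctx) => {
  try {
  const url = new URL(value);
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
  ctx.addIssue({
- code: zod_1.z.ZodIssueCode.custom,
+ code: z.ZodIssueCode.custom,
  message: 'Only http: and https: protocols are allowed',
  });
  }
  if (url.username || url.password) {
  ctx.addIssue({
- code: zod_1.z.ZodIssueCode.custom,
+ code: z.ZodIssueCode.custom,
  message: 'Credentials not allowed',
  });
  }
  if (url.search) {
  ctx.addIssue({
- code: zod_1.z.ZodIssueCode.custom,
+ code: z.ZodIssueCode.custom,
  message: 'Query string not allowed',
  });
  }
  if (url.hash) {
  ctx.addIssue({
- code: zod_1.z.ZodIssueCode.custom,
+ code: z.ZodIssueCode.custom,
  message: 'Fragment not allowed',
  });
  }
  }
  catch (err) {
  ctx.addIssue({
- code: zod_1.z.ZodIssueCode.invalid_string,
+ code: z.ZodIssueCode.invalid_string,
  validation: 'url',
  });
  }
  return value;
  });
  // https://www.iana.org/assignments/jwt/jwt.xhtml
- exports.jwtPayloadSchema = zod_1.z
+ export const jwtPayloadSchema = z
  .object({
- iss: zod_1.z.string().optional(),
- aud: zod_1.z.union([zod_1.z.string(), zod_1.z.array(zod_1.z.string()).nonempty()]).optional(),
- sub: zod_1.z.string().optional(),
- exp: zod_1.z.number().int().optional(),
- nbf: zod_1.z.number().int().optional(),
- iat: zod_1.z.number().int().optional(),
- jti: zod_1.z.string().optional(),
- htm: zod_1.z.string().optional(),
- htu: exports.htuSchema.optional(),
- ath: zod_1.z.string().optional(),
- acr: zod_1.z.string().optional(),
- azp: zod_1.z.string().optional(),
- amr: zod_1.z.array(zod_1.z.string()).optional(),
+ iss: z.string().optional(),
+ aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),
+ sub: z.string().optional(),
+ exp: z.number().int().optional(),
+ nbf: z.number().int().optional(),
+ iat: z.number().int().optional(),
+ jti: z.string().optional(),
+ htm: z.string().optional(),
+ htu: htuSchema.optional(),
+ ath: z.string().optional(),
+ acr: z.string().optional(),
+ azp: z.string().optional(),
+ amr: z.array(z.string()).optional(),
  // https://datatracker.ietf.org/doc/html/rfc7800
- cnf: zod_1.z
+ cnf: z
  .object({
- kid: zod_1.z.string().optional(), // Key ID
- jwk: jwk_js_1.jwkPubSchema.optional(), // JWK
- jwe: zod_1.z.string().optional(), // Encrypted key
- jku: zod_1.z.string().url().optional(), // JWK Set URI ("kid" should also be provided)
+ kid: z.string().optional(), // Key ID
+ jwk: jwkPubSchema.optional(), // JWK
+ jwe: z.string().optional(), // Encrypted key
+ jku: z.string().url().optional(), // JWK Set URI ("kid" should also be provided)
  // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1
- jkt: zod_1.z.string().optional(),
+ jkt: z.string().optional(),
  // https://datatracker.ietf.org/doc/html/rfc8705
- 'x5t#S256': zod_1.z.string().optional(), // X.509 Certificate SHA-256 Thumbprint
+ 'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint
  // https://datatracker.ietf.org/doc/html/rfc9203
- osc: zod_1.z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation
+ osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation
  })
  .optional(),
- client_id: zod_1.z.string().optional(),
- scope: zod_1.z.string().optional(),
- nonce: zod_1.z.string().optional(),
- at_hash: zod_1.z.string().optional(),
- c_hash: zod_1.z.string().optional(),
- s_hash: zod_1.z.string().optional(),
- auth_time: zod_1.z.number().int().optional(),
+ client_id: z.string().optional(),
+ scope: z.string().optional(),
+ nonce: z.string().optional(),
+ at_hash: z.string().optional(),
+ c_hash: z.string().optional(),
+ s_hash: z.string().optional(),
+ auth_time: z.number().int().optional(),
  // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
  // OpenID: "profile" scope
- name: zod_1.z.string().optional(),
- family_name: zod_1.z.string().optional(),
- given_name: zod_1.z.string().optional(),
- middle_name: zod_1.z.string().optional(),
- nickname: zod_1.z.string().optional(),
- preferred_username: zod_1.z.string().optional(),
- gender: zod_1.z.string().optional(), // OpenID only defines "male" and "female" without forbidding other values
- picture: zod_1.z.string().url().optional(),
- profile: zod_1.z.string().url().optional(),
- website: zod_1.z.string().url().optional(),
- birthdate: zod_1.z
+ name: z.string().optional(),
+ family_name: z.string().optional(),
+ given_name: z.string().optional(),
+ middle_name: z.string().optional(),
+ nickname: z.string().optional(),
+ preferred_username: z.string().optional(),
+ gender: z.string().optional(), // OpenID only defines "male" and "female" without forbidding other values
+ picture: z.string().url().optional(),
+ profile: z.string().url().optional(),
+ website: z.string().url().optional(),
+ birthdate: z
  .string()
  .regex(/\d{4}-\d{2}-\d{2}/) // YYYY-MM-DD
  .optional(),
- zoneinfo: zod_1.z
+ zoneinfo: z
  .string()
  .regex(/^[A-Za-z0-9_/]+$/)
  .optional(),
- locale: zod_1.z
+ locale: z
  .string()
  .regex(/^[a-z]{2,3}(-[A-Z]{2})?$/)
  .optional(),
- updated_at: zod_1.z.number().int().optional(),
+ updated_at: z.number().int().optional(),
  // OpenID: "email" scope
- email: zod_1.z.string().optional(),
- email_verified: zod_1.z.boolean().optional(),
+ email: z.string().optional(),
+ email_verified: z.boolean().optional(),
  // OpenID: "phone" scope
- phone_number: zod_1.z.string().optional(),
- phone_number_verified: zod_1.z.boolean().optional(),
+ phone_number: z.string().optional(),
+ phone_number_verified: z.boolean().optional(),
  // OpenID: "address" scope
  // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
- address: zod_1.z
+ address: z
  .object({
- formatted: zod_1.z.string().optional(),
- street_address: zod_1.z.string().optional(),
- locality: zod_1.z.string().optional(),
- region: zod_1.z.string().optional(),
- postal_code: zod_1.z.string().optional(),
- country: zod_1.z.string().optional(),
+ formatted: z.string().optional(),
+ street_address: z.string().optional(),
+ locality: z.string().optional(),
+ region: z.string().optional(),
+ postal_code: z.string().optional(),
+ country: z.string().optional(),
  })
  .optional(),
  // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2
- authorization_details: zod_1.z
- .array(zod_1.z
+ authorization_details: z
+ .array(z
  .object({
- type: zod_1.z.string(),
+ type: z.string(),
  // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2
- locations: zod_1.z.array(zod_1.z.string()).optional(),
- actions: zod_1.z.array(zod_1.z.string()).optional(),
- datatypes: zod_1.z.array(zod_1.z.string()).optional(),
- identifier: zod_1.z.string().optional(),
- privileges: zod_1.z.array(zod_1.z.string()).optional(),
+ locations: z.array(z.string()).optional(),
+ actions: z.array(z.string()).optional(),
+ datatypes: z.array(z.string()).optional(),
+ identifier: z.string().optional(),
+ privileges: z.array(z.string()).optional(),
  })
  .passthrough())
  .optional(),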
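Review bot: The `birthdate` pattern `/\d{4}-\d{2}-\d{2}/` is unanchored, so any string that merely contains a date-like run passes, unlike the `zoneinfo` and `locale` patterns next to it, which use `^…$`. I would change the line to `.regex(/^\d{4}-\d{2}-\d{2}$/) // YYYY-MM-DD`. The line is context in this hunk, so the CommonJS-to-ESM conversion carries the behaviour over unchanged from 0.6.0. Separately, `jku` in `jwtHeaderSchema` and in `cnf` is `z.string().url()` with no visible scheme restriction, while `htuSchema` allows only `http:` and `https:`; if any consumer dereferences `jku`, the same restriction plus a host allow-list belongs there, because header values are attacker-supplied until the signature has been checked. The `jwtPayloadSchema` object continues past the end of the hunk.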
package/dist/jwt.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,qCAAuC;AACvC,uCAAgF;AAEnE,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,EAAE;KACR,WAAW,CAAC,4BAAkB,CAAC;KAC/B,WAAW,CAAC,IAAA,0CAAgC,EAAC,CAAC,CAAC,CAAC,CAAA;AAG5C,MAAM,WAAW,GAAG,CAAC,IAAa,EAAqB,EAAE,CAC9D,uBAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAD5B,QAAA,WAAW,eACiB;AAE5B,QAAA,iBAAiB,GAAG,OAAC;KAC/B,MAAM,EAAE;KACR,WAAW,CAAC,4BAAkB,CAAC;KAC/B,WAAW,CAAC,IAAA,0CAAgC,EAAC,CAAC,CAAC,CAAC,CAAA;AAG5C,MAAM,aAAa,GAAG,CAAC,IAAa,EAAuB,EAAE,CAClE,yBAAiB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAD9B,QAAA,aAAa,iBACiB;AAE3C;;GAEG;AACU,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,CAAC;IACN,yCAAyC;IACzC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,2CAA2C;IAC3C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,4CAA4C;IAC5C,GAAG,EAAE,OAAC;SACH,MAAM,CAAC;QACN,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACzB,CAAC;SACD,QAAQ,EAAE;IACb,sCAAsC;IACtC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yCAAyC;IACzC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,uDAAuD;IACvD,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnC,kEAAkE;IAClE,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yEAAyE;IACzE,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,oCAAoC;IACpC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,4CAA4C;IAC5C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yCAAyC;IACzC,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrC,CAAC;KACD,WAAW,EAAE,CAAA;AAIhB;;;GAGG;AACU,QAAA,SAAS,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;QAC1B,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1D,
GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,6CAA6C;aACvD,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YACjC,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,0BAA0B;aACpC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,sBAAsB;aAChC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,cAAc;YACnC,UAAU,EAAE,KAAK;SAClB,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC,CAAC,CAAA;AAEF,iDAAiD;AACpC,QAAA,gBAAgB,GAAG,OAAC;KAC9B,MAAM,CAAC;IACN,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;IACrE,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,iBAAS,CAAC,QAAQ,EAAE;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnC,gDAAgD;IAChD,GAAG,EAAE,OAAC;SACH,MAAM,CAAC;QACN,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,SAAS;QACrC,GAAG,EAAE,qBAAY,CAAC,QAAQ,EAAE,EAAE,MAAM;QACpC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,gBAAgB;QAC5C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8CAA8C;QAEhF,4DAA4D;QAC5D,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAA
Q,EAAE;QAE1B,gDAAgD;QAChD,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uCAAuC;QAE1E,gDAAgD;QAChD,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,qHAAqH;KAClJ,CAAC;SACD,QAAQ,EAAE;IAEb,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEhC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE5B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC9B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEtC,uEAAuE;IAEvE,0BAA0B;IAC1B,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,0EAA0E;IACzG,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,SAAS,EAAE,OAAC;SACT,MAAM,EAAE;SACR,KAAK,CAAC,mBAAmB,CAAC,CAAC,aAAa;SACxC,QAAQ,EAAE;IACb,QAAQ,EAAE,OAAC;SACR,MAAM,EAAE;SACR,KAAK,CAAC,kBAAkB,CAAC;SACzB,QAAQ,EAAE;IACb,MAAM,EAAE,OAAC;SACN,MAAM,EAAE;SACR,KAAK,CAAC,0BAA0B,CAAC;SACjC,QAAQ,EAAE;IACb,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEvC,wBAAwB;IACxB,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAEtC,wBAAwB;IACxB,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAE7C,0BAA0B;IAC1B,qEAAqE;IACrE,OAAO,EAAE,OAAC;SACP,MAAM,CAAC;QACN,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC7B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,Q
AAQ,EAAE;QAClC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC/B,CAAC;SACD,QAAQ,EAAE;IAEb,6DAA6D;IAC7D,qBAAqB,EAAE,OAAC;SACrB,KAAK,CACJ,OAAC;SACE,MAAM,CAAC;QACN,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;QAChB,4DAA4D;QAC5D,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACzC,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACvC,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACzC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC3C,CAAC;SACD,WAAW,EAAE,CACjB;SACA,QAAQ,EAAE;CACd,CAAC;KACD,WAAW,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { jwkPubSchema } from './jwk.js'\nimport { jwtCharsRefinement, segmentedStringRefinementFactory } from './util.js'\n\nexport const signedJwtSchema = z\n .string()\n .superRefine(jwtCharsRefinement)\n .superRefine(segmentedStringRefinementFactory(3))\n\nexport type SignedJwt = z.infer<typeof signedJwtSchema>\nexport const isSignedJwt = (data: unknown): data is SignedJwt =>\n signedJwtSchema.safeParse(data).success\n\nexport const unsignedJwtSchema = z\n .string()\n .superRefine(jwtCharsRefinement)\n .superRefine(segmentedStringRefinementFactory(2))\n\nexport type UnsignedJwt = z.infer<typeof unsignedJwtSchema>\nexport const isUnsignedJwt = (data: unknown): data is UnsignedJwt =>\n unsignedJwtSchema.safeParse(data).success\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4}\n */\nexport const jwtHeaderSchema = z\n .object({\n /** \"alg\" (Algorithm) Header Parameter */\n alg: z.string(),\n /** \"jku\" (JWK Set URL) Header Parameter */\n jku: z.string().url().optional(),\n /** \"jwk\" (JSON Web Key) Header Parameter */\n jwk: z\n .object({\n kty: z.string(),\n crv: z.string().optional(),\n x: z.string().optional(),\n y: z.string().optional(),\n e: z.string().optional(),\n n: z.string().optional(),\n })\n .optional(),\n /** \"kid\" (Key ID) Header Parameter */\n kid: 
z.string().optional(),\n /** \"x5u\" (X.509 URL) Header Parameter */\n x5u: z.string().optional(),\n /** \"x5c\" (X.509 Certificate Chain) Header Parameter */\n x5c: z.array(z.string()).optional(),\n /** \"x5t\" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */\n x5t: z.string().optional(),\n /** \"x5t#S256\" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */\n 'x5t#S256': z.string().optional(),\n /** \"typ\" (Type) Header Parameter */\n typ: z.string().optional(),\n /** \"cty\" (Content Type) Header Parameter */\n cty: z.string().optional(),\n /** \"crit\" (Critical) Header Parameter */\n crit: z.array(z.string()).optional(),\n })\n .passthrough()\n\nexport type JwtHeader = z.infer<typeof jwtHeaderSchema>\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}\n * @see {@link https://www.rfc-editor.org/rfc/rfc9110#section-7.1}\n */\nexport const htuSchema = z.string().superRefine((value, ctx) => {\n try {\n const url = new URL(value)\n if (url.protocol !== 'http:' && url.protocol !== 'https:') {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Only http: and https: protocols are allowed',\n })\n }\n\n if (url.username || url.password) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Credentials not allowed',\n })\n }\n\n if (url.search) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Query string not allowed',\n })\n }\n\n if (url.hash) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Fragment not allowed',\n })\n }\n } catch (err) {\n ctx.addIssue({\n code: z.ZodIssueCode.invalid_string,\n validation: 'url',\n })\n }\n\n return value\n})\n\n// https://www.iana.org/assignments/jwt/jwt.xhtml\nexport const jwtPayloadSchema = z\n .object({\n iss: z.string().optional(),\n aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),\n sub: z.string().optional(),\n exp: z.number().int().optional(),\n nbf: z.number().int().optional(),\n iat: 
z.number().int().optional(),\n jti: z.string().optional(),\n htm: z.string().optional(),\n htu: htuSchema.optional(),\n ath: z.string().optional(),\n acr: z.string().optional(),\n azp: z.string().optional(),\n amr: z.array(z.string()).optional(),\n // https://datatracker.ietf.org/doc/html/rfc7800\n cnf: z\n .object({\n kid: z.string().optional(), // Key ID\n jwk: jwkPubSchema.optional(), // JWK\n jwe: z.string().optional(), // Encrypted key\n jku: z.string().url().optional(), // JWK Set URI (\"kid\" should also be provided)\n\n // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1\n jkt: z.string().optional(),\n\n // https://datatracker.ietf.org/doc/html/rfc8705\n 'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint\n\n // https://datatracker.ietf.org/doc/html/rfc9203\n osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation\n })\n .optional(),\n\n client_id: z.string().optional(),\n\n scope: z.string().optional(),\n nonce: z.string().optional(),\n\n at_hash: z.string().optional(),\n c_hash: z.string().optional(),\n s_hash: z.string().optional(),\n auth_time: z.number().int().optional(),\n\n // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\n\n // OpenID: \"profile\" scope\n name: z.string().optional(),\n family_name: z.string().optional(),\n given_name: z.string().optional(),\n middle_name: z.string().optional(),\n nickname: z.string().optional(),\n preferred_username: z.string().optional(),\n gender: z.string().optional(), // OpenID only defines \"male\" and \"female\" without forbidding other values\n picture: z.string().url().optional(),\n profile: z.string().url().optional(),\n website: z.string().url().optional(),\n birthdate: z\n .string()\n .regex(/\\d{4}-\\d{2}-\\d{2}/) // YYYY-MM-DD\n .optional(),\n zoneinfo: z\n .string()\n .regex(/^[A-Za-z0-9_/]+$/)\n .optional(),\n locale: z\n .string()\n 
.regex(/^[a-z]{2,3}(-[A-Z]{2})?$/)\n .optional(),\n updated_at: z.number().int().optional(),\n\n // OpenID: \"email\" scope\n email: z.string().optional(),\n email_verified: z.boolean().optional(),\n\n // OpenID: \"phone\" scope\n phone_number: z.string().optional(),\n phone_number_verified: z.boolean().optional(),\n\n // OpenID: \"address\" scope\n // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim\n address: z\n .object({\n formatted: z.string().optional(),\n street_address: z.string().optional(),\n locality: z.string().optional(),\n region: z.string().optional(),\n postal_code: z.string().optional(),\n country: z.string().optional(),\n })\n .optional(),\n\n // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2\n authorization_details: z\n .array(\n z\n .object({\n type: z.string(),\n // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2\n locations: z.array(z.string()).optional(),\n actions: z.array(z.string()).optional(),\n datatypes: z.array(z.string()).optional(),\n identifier: z.string().optional(),\n privileges: z.array(z.string()).optional(),\n })\n .passthrough(),\n )\n .optional(),\n })\n .passthrough()\n\nexport type JwtPayload = z.infer<typeof jwtPayloadSchema>\n"]}
1
+ {"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAA;AACvC,OAAO,EAAE,kBAAkB,EAAE,gCAAgC,EAAE,MAAM,WAAW,CAAA;AAEhF,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,WAAW,CAAC,kBAAkB,CAAC;KAC/B,WAAW,CAAC,gCAAgC,CAAC,CAAC,CAAC,CAAC,CAAA;AAGnD,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,IAAa,EAAqB,EAAE,CAC9D,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAEzC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,MAAM,EAAE;KACR,WAAW,CAAC,kBAAkB,CAAC;KAC/B,WAAW,CAAC,gCAAgC,CAAC,CAAC,CAAC,CAAC,CAAA;AAGnD,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAa,EAAuB,EAAE,CAClE,iBAAiB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAE3C;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC;KAC7B,MAAM,CAAC;IACN,yCAAyC;IACzC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,2CAA2C;IAC3C,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,4CAA4C;IAC5C,GAAG,EAAE,CAAC;SACH,MAAM,CAAC;QACN,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACzB,CAAC;SACD,QAAQ,EAAE;IACb,sCAAsC;IACtC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yCAAyC;IACzC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,uDAAuD;IACvD,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnC,kEAAkE;IAClE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yEAAyE;IACzE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,oCAAoC;IACpC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,4CAA4C;IAC5C,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yCAAyC;IACzC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrC,CAAC;KACD,WAAW,EAAE,CAAA;AAIhB;;;GAGG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAA
C,KAAK,CAAC,CAAA;QAC1B,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1D,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,6CAA6C;aACvD,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YACjC,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,0BAA0B;aACpC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,sBAAsB;aAChC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,cAAc;YACnC,UAAU,EAAE,KAAK;SAClB,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC,CAAC,CAAA;AAEF,iDAAiD;AACjD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC;KAC9B,MAAM,CAAC;IACN,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;IACrE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,SAAS,CAAC,QAAQ,EAAE;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnC,gDAAgD;IAChD,GAAG,EAAE,CAAC;SACH,MAAM,CAAC;QACN,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,SAAS;QACrC,GAAG,EAAE,YAAY,CAAC,QAAQ,EAAE,EAAE,MAAM;QACpC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,gBAAgB;QAC5C,GAAG,EAAE,CAAC,CAAC,MA
AM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8CAA8C;QAEhF,4DAA4D;QAC5D,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAE1B,gDAAgD;QAChD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uCAAuC;QAE1E,gDAAgD;QAChD,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,qHAAqH;KAClJ,CAAC;SACD,QAAQ,EAAE;IAEb,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEhC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE5B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC9B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEtC,uEAAuE;IAEvE,0BAA0B;IAC1B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,0EAA0E;IACzG,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,SAAS,EAAE,CAAC;SACT,MAAM,EAAE;SACR,KAAK,CAAC,mBAAmB,CAAC,CAAC,aAAa;SACxC,QAAQ,EAAE;IACb,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,KAAK,CAAC,kBAAkB,CAAC;SACzB,QAAQ,EAAE;IACb,MAAM,EAAE,CAAC;SACN,MAAM,EAAE;SACR,KAAK,CAAC,0BAA0B,CAAC;SACjC,QAAQ,EAAE;IACb,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEvC,wBAAwB;IACxB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAEtC,wBAAwB;IACxB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,qBAAqB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAE7C,0BAA0B;IAC1B,qEAAqE;IACrE,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACrC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,C
AAC,QAAQ,EAAE;QAC/B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC7B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC/B,CAAC;SACD,QAAQ,EAAE;IAEb,6DAA6D;IAC7D,qBAAqB,EAAE,CAAC;SACrB,KAAK,CACJ,CAAC;SACE,MAAM,CAAC;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,4DAA4D;QAC5D,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACzC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACvC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACzC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC3C,CAAC;SACD,WAAW,EAAE,CACjB;SACA,QAAQ,EAAE;CACd,CAAC;KACD,WAAW,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { jwkPubSchema } from './jwk.js'\nimport { jwtCharsRefinement, segmentedStringRefinementFactory } from './util.js'\n\nexport const signedJwtSchema = z\n .string()\n .superRefine(jwtCharsRefinement)\n .superRefine(segmentedStringRefinementFactory(3))\n\nexport type SignedJwt = z.infer<typeof signedJwtSchema>\nexport const isSignedJwt = (data: unknown): data is SignedJwt =>\n signedJwtSchema.safeParse(data).success\n\nexport const unsignedJwtSchema = z\n .string()\n .superRefine(jwtCharsRefinement)\n .superRefine(segmentedStringRefinementFactory(2))\n\nexport type UnsignedJwt = z.infer<typeof unsignedJwtSchema>\nexport const isUnsignedJwt = (data: unknown): data is UnsignedJwt =>\n unsignedJwtSchema.safeParse(data).success\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4}\n */\nexport const jwtHeaderSchema = z\n .object({\n /** \"alg\" (Algorithm) Header Parameter */\n alg: z.string(),\n /** \"jku\" (JWK Set URL) Header Parameter */\n jku: z.string().url().optional(),\n /** \"jwk\" (JSON Web Key) Header Parameter */\n jwk: z\n .object({\n kty: z.string(),\n crv: z.string().optional(),\n x: z.string().optional(),\n y: z.string().optional(),\n e: 
z.string().optional(),\n n: z.string().optional(),\n })\n .optional(),\n /** \"kid\" (Key ID) Header Parameter */\n kid: z.string().optional(),\n /** \"x5u\" (X.509 URL) Header Parameter */\n x5u: z.string().optional(),\n /** \"x5c\" (X.509 Certificate Chain) Header Parameter */\n x5c: z.array(z.string()).optional(),\n /** \"x5t\" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */\n x5t: z.string().optional(),\n /** \"x5t#S256\" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */\n 'x5t#S256': z.string().optional(),\n /** \"typ\" (Type) Header Parameter */\n typ: z.string().optional(),\n /** \"cty\" (Content Type) Header Parameter */\n cty: z.string().optional(),\n /** \"crit\" (Critical) Header Parameter */\n crit: z.array(z.string()).optional(),\n })\n .passthrough()\n\nexport type JwtHeader = z.infer<typeof jwtHeaderSchema>\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}\n * @see {@link https://www.rfc-editor.org/rfc/rfc9110#section-7.1}\n */\nexport const htuSchema = z.string().superRefine((value, ctx) => {\n try {\n const url = new URL(value)\n if (url.protocol !== 'http:' && url.protocol !== 'https:') {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Only http: and https: protocols are allowed',\n })\n }\n\n if (url.username || url.password) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Credentials not allowed',\n })\n }\n\n if (url.search) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Query string not allowed',\n })\n }\n\n if (url.hash) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Fragment not allowed',\n })\n }\n } catch (err) {\n ctx.addIssue({\n code: z.ZodIssueCode.invalid_string,\n validation: 'url',\n })\n }\n\n return value\n})\n\n// https://www.iana.org/assignments/jwt/jwt.xhtml\nexport const jwtPayloadSchema = z\n .object({\n iss: z.string().optional(),\n aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),\n sub: 
z.string().optional(),\n exp: z.number().int().optional(),\n nbf: z.number().int().optional(),\n iat: z.number().int().optional(),\n jti: z.string().optional(),\n htm: z.string().optional(),\n htu: htuSchema.optional(),\n ath: z.string().optional(),\n acr: z.string().optional(),\n azp: z.string().optional(),\n amr: z.array(z.string()).optional(),\n // https://datatracker.ietf.org/doc/html/rfc7800\n cnf: z\n .object({\n kid: z.string().optional(), // Key ID\n jwk: jwkPubSchema.optional(), // JWK\n jwe: z.string().optional(), // Encrypted key\n jku: z.string().url().optional(), // JWK Set URI (\"kid\" should also be provided)\n\n // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1\n jkt: z.string().optional(),\n\n // https://datatracker.ietf.org/doc/html/rfc8705\n 'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint\n\n // https://datatracker.ietf.org/doc/html/rfc9203\n osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation\n })\n .optional(),\n\n client_id: z.string().optional(),\n\n scope: z.string().optional(),\n nonce: z.string().optional(),\n\n at_hash: z.string().optional(),\n c_hash: z.string().optional(),\n s_hash: z.string().optional(),\n auth_time: z.number().int().optional(),\n\n // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\n\n // OpenID: \"profile\" scope\n name: z.string().optional(),\n family_name: z.string().optional(),\n given_name: z.string().optional(),\n middle_name: z.string().optional(),\n nickname: z.string().optional(),\n preferred_username: z.string().optional(),\n gender: z.string().optional(), // OpenID only defines \"male\" and \"female\" without forbidding other values\n picture: z.string().url().optional(),\n profile: z.string().url().optional(),\n website: z.string().url().optional(),\n birthdate: z\n .string()\n .regex(/\\d{4}-\\d{2}-\\d{2}/) // YYYY-MM-DD\n .optional(),\n zoneinfo: z\n 
.string()\n .regex(/^[A-Za-z0-9_/]+$/)\n .optional(),\n locale: z\n .string()\n .regex(/^[a-z]{2,3}(-[A-Z]{2})?$/)\n .optional(),\n updated_at: z.number().int().optional(),\n\n // OpenID: \"email\" scope\n email: z.string().optional(),\n email_verified: z.boolean().optional(),\n\n // OpenID: \"phone\" scope\n phone_number: z.string().optional(),\n phone_number_verified: z.boolean().optional(),\n\n // OpenID: \"address\" scope\n // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim\n address: z\n .object({\n formatted: z.string().optional(),\n street_address: z.string().optional(),\n locality: z.string().optional(),\n region: z.string().optional(),\n postal_code: z.string().optional(),\n country: z.string().optional(),\n })\n .optional(),\n\n // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2\n authorization_details: z\n .array(\n z\n .object({\n type: z.string(),\n // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2\n locations: z.array(z.string()).optional(),\n actions: z.array(z.string()).optional(),\n datatypes: z.array(z.string()).optional(),\n identifier: z.string().optional(),\n privileges: z.array(z.string()).optional(),\n })\n .passthrough(),\n )\n .optional(),\n })\n .passthrough()\n\nexport type JwtPayload = z.infer<typeof jwtPayloadSchema>\n"]}