@atproto/jwk 0.6.0 → 0.7.0
- package/CHANGELOG.md +12 -0
- package/LICENSE.txt +1 -1
- package/dist/alg.js +8 -11
- package/dist/alg.js.map +1 -1
- package/dist/errors.js +15 -36
- package/dist/errors.js.map +1 -1
- package/dist/index.js +10 -28
- package/dist/index.js.map +1 -1
- package/dist/jwk.js +77 -89
- package/dist/jwk.js.map +1 -1
- package/dist/jwks.js +8 -11
- package/dist/jwks.js.map +1 -1
- package/dist/jwt-decode.js +8 -11
- package/dist/jwt-decode.js.map +1 -1
- package/dist/jwt-verify.js +1 -2
- package/dist/jwt.js +97 -102
- package/dist/jwt.js.map +1 -1
- package/dist/key.js +142 -152
- package/dist/key.js.map +1 -1
- package/dist/keyset.js +153 -169
- package/dist/keyset.js.map +1 -1
- package/dist/util.d.ts.map +1 -1
- package/dist/util.js +19 -28
- package/dist/util.js.map +1 -1
- package/package.json +7 -6
- package/src/jwk.ts +1 -1
- package/src/util.ts +2 -1
- package/tsconfig.build.tsbuildinfo +1 -1
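--- a/package/dist/jwks.js
+++ b/package/dist/jwks.js
@@ -1,20 +1,17 @@
-
-
-exports.jwksPubSchema = exports.jwksSchema = void 0;
-const zod_1 = require("zod");
-const jwk_js_1 = require("./jwk.js");
+import { z } from 'zod';
+import { jwkPubSchema, jwkSchema } from './jwk.js';
 /**
 * JSON Web Key Set schema. The keys set, in this context, represents a
 * collection of JSON Web Keys (JWKs), that can be both public and private.
 */
-
-keys:
+export const jwksSchema = z.object({
+keys: z.array(z.unknown()).transform((input) => {
 // > Implementations SHOULD ignore JWKs within a JWK Set that use "kty"
 // > (key type) values that are not understood by them, that are missing
 // > required members, or for which values are out of the supported
 // > ranges.
 return input
-.map((item) =>
+.map((item) => jwkSchema.safeParse(item))
 .filter((res) => res.success)
 .map((res) => res.data);
 }),
@@ -22,14 +19,14 @@ exports.jwksSchema = zod_1.z.object({
 /**
 * Public JSON Web Key Set schema.
 */
-
-keys:
+export const jwksPubSchema = z.object({
+keys: z.array(z.unknown()).transform((input) => {
 // > Implementations SHOULD ignore JWKs within a JWK Set that use "kty"
 // > (key type) values that are not understood by them, that are missing
 // > required members, or for which values are out of the supported
 // > ranges.
 return input
-.map((item) =>
+.map((item) => jwkPubSchema.safeParse(item))
 .filter((res) => res.success)
 .map((res) => res.data);
 }),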
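Review bot: The `keys` transform in `jwksSchema` and `jwksPubSchema` (new lines 8-16 and 23-31) discards every entry whose `safeParse` fails without keeping the error, so a key set made up only of malformed or unsupported keys still parses successfully as `keys: []`. That follows the RFC guidance quoted in the comment, but neither doc comment says so, and a caller that reads a successful parse as "a usable key is present" will only fail later at key lookup. I would extend both JSDoc blocks with a sentence such as `Keys that fail validation are dropped silently; the resulting array may be empty, so callers must check that the key they need is present.` The comment on `jwksSchema` already notes that it accepts private keys, and it would help to add there that key sets received from another party should be parsed with `jwksPubSchema`. Both object literals continue past the end of their hunks.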
package/dist/jwks.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jwks.js","sourceRoot":"","sources":["../src/jwks.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"jwks.js","sourceRoot":"","sources":["../src/jwks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAElD;;;GAGG;AACH,MAAM,CAAC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE;QAC7C,uEAAuE;QACvE,wEAAwE;QACxE,mEAAmE;QACnE,YAAY;QACZ,OAAO,KAAK;aACT,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;aACxC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC;aAC5B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC3B,CAAC,CAAC;CACH,CAAC,CAAA;AAIF;;GAEG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,KAAK,EAAE,EAAE;QAC7C,uEAAuE;QACvE,wEAAwE;QACxE,mEAAmE;QACnE,YAAY;QACZ,OAAO,KAAK;aACT,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;aAC3C,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC;aAC5B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAC3B,CAAC,CAAC;CACH,CAAC,CAAA","sourcesContent":["import { z } from 'zod'\nimport { jwkPubSchema, jwkSchema } from './jwk.js'\n\n/**\n * JSON Web Key Set schema. 
The keys set, in this context, represents a\n * collection of JSON Web Keys (JWKs), that can be both public and private.\n */\nexport const jwksSchema = z.object({\n keys: z.array(z.unknown()).transform((input) => {\n // > Implementations SHOULD ignore JWKs within a JWK Set that use \"kty\"\n // > (key type) values that are not understood by them, that are missing\n // > required members, or for which values are out of the supported\n // > ranges.\n return input\n .map((item) => jwkSchema.safeParse(item))\n .filter((res) => res.success)\n .map((res) => res.data)\n }),\n})\n\nexport type Jwks = z.output<typeof jwksSchema>\n\n/**\n * Public JSON Web Key Set schema.\n */\nexport const jwksPubSchema = z.object({\n keys: z.array(z.unknown()).transform((input) => {\n // > Implementations SHOULD ignore JWKs within a JWK Set that use \"kty\"\n // > (key type) values that are not understood by them, that are missing\n // > required members, or for which values are out of the supported\n // > ranges.\n return input\n .map((item) => jwkPubSchema.safeParse(item))\n .filter((res) => res.success)\n .map((res) => res.data)\n }),\n})\n\nexport type JwksPub = z.output<typeof jwksPubSchema>\n"]}
|
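--- a/package/dist/jwt-decode.js
+++ b/package/dist/jwt-decode.js
@@ -1,19 +1,16 @@
-
-
-
-
-const jwt_js_1 = require("./jwt.js");
-const util_js_1 = require("./util.js");
-function unsafeDecodeJwt(jwt) {
+import { ERR_JWT_INVALID, JwtVerifyError } from './errors.js';
+import { jwtHeaderSchema, jwtPayloadSchema, } from './jwt.js';
+import { parseB64uJson } from './util.js';
+export function unsafeDecodeJwt(jwt) {
 const { 0: headerEnc, 1: payloadEnc, length } = jwt.split('.');
 if (length > 3 || length < 2) {
-throw new
+throw new JwtVerifyError(undefined, ERR_JWT_INVALID);
 }
-const header =
+const header = jwtHeaderSchema.parse(parseB64uJson(headerEnc));
 if (length === 2 && header?.alg !== 'none') {
-throw new
+throw new JwtVerifyError(undefined, ERR_JWT_INVALID);
 }
-const payload =
+const payload = jwtPayloadSchema.parse(parseB64uJson(payloadEnc));
 return { header, payload };
 }
 //# sourceMappingURL=jwt-decode.js.map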
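Review bot: `unsafeDecodeJwt` reports a bad segment count with `JwtVerifyError(undefined, ERR_JWT_INVALID)`, but the two `.parse(parseB64uJson(...))` calls on new lines 9 and 13 let a zod validation error (and presumably whatever `parseB64uJson` throws on bad base64url or JSON) escape unchanged, so a caller that handles only `JwtVerifyError` sees a different error type for a malformed header or payload. Wrapping both parse steps so they raise the same `ERR_JWT_INVALID` error keeps rejection of untrusted tokens on one path; the sketch below does that, and the original error should be attached as a cause if `JwtVerifyError` supports one. The function also has no doc comment: it should say that no signature is checked, that a two-segment token is accepted when its header declares `alg` "none", and that the result must not drive authentication or authorization decisions on its own. The `?.` in `header?.alg` is unnecessary, since `jwtHeaderSchema.parse` either throws or returns an object. This is compiled output, so the change belongs in `src/jwt-decode.ts`.

```javascript
export function unsafeDecodeJwt(jwt) {
    // … unchanged: split on '.' and segment-count check …
    let header;
    try {
        header = jwtHeaderSchema.parse(parseB64uJson(headerEnc));
    }
    catch {
        throw new JwtVerifyError(undefined, ERR_JWT_INVALID);
    }
    // … unchanged: a two-segment token must declare alg "none" …
    let payload;
    try {
        payload = jwtPayloadSchema.parse(parseB64uJson(payloadEnc));
    }
    catch {
        throw new JwtVerifyError(undefined, ERR_JWT_INVALID);
    }
    return { header, payload };
}
```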
package/dist/jwt-decode.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jwt-decode.js","sourceRoot":"","sources":["../src/jwt-decode.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"jwt-decode.js","sourceRoot":"","sources":["../src/jwt-decode.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAA;AAC7D,OAAO,EAGL,eAAe,EACf,gBAAgB,GACjB,MAAM,UAAU,CAAA;AACjB,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAA;AAEzC,MAAM,UAAU,eAAe,CAAC,GAAW;IAIzC,MAAM,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC9D,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACtD,CAAC;IAED,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,aAAa,CAAC,SAAU,CAAC,CAAC,CAAA;IAC/D,IAAI,MAAM,KAAK,CAAC,IAAI,MAAM,EAAE,GAAG,KAAK,MAAM,EAAE,CAAC;QAC3C,MAAM,IAAI,cAAc,CAAC,SAAS,EAAE,eAAe,CAAC,CAAA;IACtD,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,aAAa,CAAC,UAAW,CAAC,CAAC,CAAA;IAElE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAA;AAC5B,CAAC","sourcesContent":["import { ERR_JWT_INVALID, JwtVerifyError } from './errors.js'\nimport {\n JwtHeader,\n JwtPayload,\n jwtHeaderSchema,\n jwtPayloadSchema,\n} from './jwt.js'\nimport { parseB64uJson } from './util.js'\n\nexport function unsafeDecodeJwt(jwt: string): {\n header: JwtHeader\n payload: JwtPayload\n} {\n const { 0: headerEnc, 1: payloadEnc, length } = jwt.split('.')\n if (length > 3 || length < 2) {\n throw new JwtVerifyError(undefined, ERR_JWT_INVALID)\n }\n\n const header = jwtHeaderSchema.parse(parseB64uJson(headerEnc!))\n if (length === 2 && header?.alg !== 'none') {\n throw new JwtVerifyError(undefined, ERR_JWT_INVALID)\n }\n\n const payload = jwtPayloadSchema.parse(parseB64uJson(payloadEnc!))\n\n return { header, payload }\n}\n"]}
|
package/dist/jwt-verify.js
CHANGED
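--- a/package/dist/jwt.js
+++ b/package/dist/jwt.js
@@ -1,191 +1,186 @@
-
-
-
-const
-const jwk_js_1 = require("./jwk.js");
-const util_js_1 = require("./util.js");
-exports.signedJwtSchema = zod_1.z
+import { z } from 'zod';
+import { jwkPubSchema } from './jwk.js';
+import { jwtCharsRefinement, segmentedStringRefinementFactory } from './util.js';
+export const signedJwtSchema = z
 .string()
-.superRefine(
-.superRefine(
-const isSignedJwt = (data) =>
-
-exports.unsignedJwtSchema = zod_1.z
+.superRefine(jwtCharsRefinement)
+.superRefine(segmentedStringRefinementFactory(3));
+export const isSignedJwt = (data) => signedJwtSchema.safeParse(data).success;
+export const unsignedJwtSchema = z
 .string()
-.superRefine(
-.superRefine(
-const isUnsignedJwt = (data) =>
-exports.isUnsignedJwt = isUnsignedJwt;
+.superRefine(jwtCharsRefinement)
+.superRefine(segmentedStringRefinementFactory(2));
+export const isUnsignedJwt = (data) => unsignedJwtSchema.safeParse(data).success;
 /**
 * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4}
 */
-
+export const jwtHeaderSchema = z
 .object({
 /** "alg" (Algorithm) Header Parameter */
-alg:
+alg: z.string(),
 /** "jku" (JWK Set URL) Header Parameter */
-jku:
+jku: z.string().url().optional(),
 /** "jwk" (JSON Web Key) Header Parameter */
-jwk:
+jwk: z
 .object({
-kty:
-crv:
-x:
-y:
-e:
-n:
+kty: z.string(),
+crv: z.string().optional(),
+x: z.string().optional(),
+y: z.string().optional(),
+e: z.string().optional(),
+n: z.string().optional(),
 })
 .optional(),
 /** "kid" (Key ID) Header Parameter */
-kid:
+kid: z.string().optional(),
 /** "x5u" (X.509 URL) Header Parameter */
-x5u:
+x5u: z.string().optional(),
 /** "x5c" (X.509 Certificate Chain) Header Parameter */
-x5c:
+x5c: z.array(z.string()).optional(),
 /** "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */
-x5t:
+x5t: z.string().optional(),
 /** "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */
-'x5t#S256':
+'x5t#S256': z.string().optional(),
 /** "typ" (Type) Header Parameter */
-typ:
+typ: z.string().optional(),
 /** "cty" (Content Type) Header Parameter */
-cty:
+cty: z.string().optional(),
 /** "crit" (Critical) Header Parameter */
-crit:
+crit: z.array(z.string()).optional(),
 })
 .passthrough();
 /**
 * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}
 * @see {@link https://www.rfc-editor.org/rfc/rfc9110#section-7.1}
 */
-
+export const htuSchema = z.string().superRefine((value, ctx) => {
 try {
 const url = new URL(value);
 if (url.protocol !== 'http:' && url.protocol !== 'https:') {
 ctx.addIssue({
-code:
+code: z.ZodIssueCode.custom,
 message: 'Only http: and https: protocols are allowed',
 });
 }
 if (url.username || url.password) {
 ctx.addIssue({
-code:
+code: z.ZodIssueCode.custom,
 message: 'Credentials not allowed',
 });
 }
 if (url.search) {
 ctx.addIssue({
-code:
+code: z.ZodIssueCode.custom,
 message: 'Query string not allowed',
 });
 }
 if (url.hash) {
 ctx.addIssue({
-code:
+code: z.ZodIssueCode.custom,
 message: 'Fragment not allowed',
 });
 }
 }
 catch (err) {
 ctx.addIssue({
-code:
+code: z.ZodIssueCode.invalid_string,
 validation: 'url',
 });
 }
 return value;
 });
 // https://www.iana.org/assignments/jwt/jwt.xhtml
-
+export const jwtPayloadSchema = z
 .object({
-iss:
-aud:
-sub:
-exp:
-nbf:
-iat:
-jti:
-htm:
-htu:
-ath:
-acr:
-azp:
-amr:
+iss: z.string().optional(),
+aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),
+sub: z.string().optional(),
+exp: z.number().int().optional(),
+nbf: z.number().int().optional(),
+iat: z.number().int().optional(),
+jti: z.string().optional(),
+htm: z.string().optional(),
+htu: htuSchema.optional(),
+ath: z.string().optional(),
+acr: z.string().optional(),
+azp: z.string().optional(),
+amr: z.array(z.string()).optional(),
 // https://datatracker.ietf.org/doc/html/rfc7800
-cnf:
+cnf: z
 .object({
-kid:
-jwk:
-jwe:
-jku:
+kid: z.string().optional(), // Key ID
+jwk: jwkPubSchema.optional(), // JWK
+jwe: z.string().optional(), // Encrypted key
+jku: z.string().url().optional(), // JWK Set URI ("kid" should also be provided)
 // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1
-jkt:
+jkt: z.string().optional(),
 // https://datatracker.ietf.org/doc/html/rfc8705
-'x5t#S256':
+'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint
 // https://datatracker.ietf.org/doc/html/rfc9203
-osc:
+osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation
 })
 .optional(),
-client_id:
-scope:
-nonce:
-at_hash:
-c_hash:
-s_hash:
-auth_time:
+client_id: z.string().optional(),
+scope: z.string().optional(),
+nonce: z.string().optional(),
+at_hash: z.string().optional(),
+c_hash: z.string().optional(),
+s_hash: z.string().optional(),
+auth_time: z.number().int().optional(),
 // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
 // OpenID: "profile" scope
-name:
-family_name:
-given_name:
-middle_name:
-nickname:
-preferred_username:
-gender:
-picture:
-profile:
-website:
-birthdate:
+name: z.string().optional(),
+family_name: z.string().optional(),
+given_name: z.string().optional(),
+middle_name: z.string().optional(),
+nickname: z.string().optional(),
+preferred_username: z.string().optional(),
+gender: z.string().optional(), // OpenID only defines "male" and "female" without forbidding other values
+picture: z.string().url().optional(),
+profile: z.string().url().optional(),
+website: z.string().url().optional(),
+birthdate: z
 .string()
 .regex(/\d{4}-\d{2}-\d{2}/) // YYYY-MM-DD
 .optional(),
-zoneinfo:
+zoneinfo: z
 .string()
 .regex(/^[A-Za-z0-9_/]+$/)
 .optional(),
-locale:
+locale: z
 .string()
 .regex(/^[a-z]{2,3}(-[A-Z]{2})?$/)
 .optional(),
-updated_at:
+updated_at: z.number().int().optional(),
 // OpenID: "email" scope
-email:
-email_verified:
+email: z.string().optional(),
+email_verified: z.boolean().optional(),
 // OpenID: "phone" scope
-phone_number:
-phone_number_verified:
+phone_number: z.string().optional(),
+phone_number_verified: z.boolean().optional(),
 // OpenID: "address" scope
 // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
-address:
+address: z
 .object({
-formatted:
-street_address:
-locality:
-region:
-postal_code:
-country:
+formatted: z.string().optional(),
+street_address: z.string().optional(),
+locality: z.string().optional(),
+region: z.string().optional(),
+postal_code: z.string().optional(),
+country: z.string().optional(),
 })
 .optional(),
 // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2
-authorization_details:
-.array(
+authorization_details: z
+.array(z
 .object({
-type:
+type: z.string(),
 // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2
-locations:
-actions:
-datatypes:
-identifier:
-privileges:
+locations: z.array(z.string()).optional(),
+actions: z.array(z.string()).optional(),
+datatypes: z.array(z.string()).optional(),
+identifier: z.string().optional(),
+privileges: z.array(z.string()).optional(),
 })
 .passthrough())
 .optional(),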
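Review bot: The `birthdate` pattern on new line 144, `.regex(/\d{4}-\d{2}-\d{2}/)`, is unanchored, so any string that merely contains a date-shaped run passes validation, whereas the neighbouring `zoneinfo` and `locale` patterns are anchored with `^…$`. Anchor it the same way: `.regex(/^\d{4}-\d{2}-\d{2}$/) // YYYY-MM-DD`. In `jwtHeaderSchema`, `jku` is validated with `.url()` while `x5u`, which its own comment describes as a URL, is only `z.string()`; if that difference is intentional, a short comment saying why would help the next reader. `jwtPayloadSchema` continues past the end of the hunk.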
package/dist/jwt.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":";;;AAAA,6BAAuB;AACvB,qCAAuC;AACvC,uCAAgF;AAEnE,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,EAAE;KACR,WAAW,CAAC,4BAAkB,CAAC;KAC/B,WAAW,CAAC,IAAA,0CAAgC,EAAC,CAAC,CAAC,CAAC,CAAA;AAG5C,MAAM,WAAW,GAAG,CAAC,IAAa,EAAqB,EAAE,CAC9D,uBAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAD5B,QAAA,WAAW,eACiB;AAE5B,QAAA,iBAAiB,GAAG,OAAC;KAC/B,MAAM,EAAE;KACR,WAAW,CAAC,4BAAkB,CAAC;KAC/B,WAAW,CAAC,IAAA,0CAAgC,EAAC,CAAC,CAAC,CAAC,CAAA;AAG5C,MAAM,aAAa,GAAG,CAAC,IAAa,EAAuB,EAAE,CAClE,yBAAiB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAD9B,QAAA,aAAa,iBACiB;AAE3C;;GAEG;AACU,QAAA,eAAe,GAAG,OAAC;KAC7B,MAAM,CAAC;IACN,yCAAyC;IACzC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;IACf,2CAA2C;IAC3C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,4CAA4C;IAC5C,GAAG,EAAE,OAAC;SACH,MAAM,CAAC;QACN,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACzB,CAAC;SACD,QAAQ,EAAE;IACb,sCAAsC;IACtC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yCAAyC;IACzC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,uDAAuD;IACvD,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnC,kEAAkE;IAClE,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yEAAyE;IACzE,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,oCAAoC;IACpC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,4CAA4C;IAC5C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yCAAyC;IACzC,IAAI,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrC,CAAC;KACD,WAAW,EAAE,CAAA;AAIhB;;;GAGG;AACU,QAAA,SAAS,GAAG,OAAC,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,CAAA;QAC1B,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1D,GA
AG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,6CAA6C;aACvD,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YACjC,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,0BAA0B;aACpC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,sBAAsB;aAChC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,OAAC,CAAC,YAAY,CAAC,cAAc;YACnC,UAAU,EAAE,KAAK;SAClB,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC,CAAC,CAAA;AAEF,iDAAiD;AACpC,QAAA,gBAAgB,GAAG,OAAC;KAC9B,MAAM,CAAC;IACN,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,CAAC,OAAC,CAAC,MAAM,EAAE,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;IACrE,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,iBAAS,CAAC,QAAQ,EAAE;IACzB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnC,gDAAgD;IAChD,GAAG,EAAE,OAAC;SACH,MAAM,CAAC;QACN,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,SAAS;QACrC,GAAG,EAAE,qBAAY,CAAC,QAAQ,EAAE,EAAE,MAAM;QACpC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,gBAAgB;QAC5C,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8CAA8C;QAEhF,4DAA4D;QAC5D,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,
EAAE;QAE1B,gDAAgD;QAChD,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uCAAuC;QAE1E,gDAAgD;QAChD,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,qHAAqH;KAClJ,CAAC;SACD,QAAQ,EAAE;IAEb,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEhC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE5B,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC9B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEtC,uEAAuE;IAEvE,0BAA0B;IAC1B,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,kBAAkB,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,0EAA0E;IACzG,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,SAAS,EAAE,OAAC;SACT,MAAM,EAAE;SACR,KAAK,CAAC,mBAAmB,CAAC,CAAC,aAAa;SACxC,QAAQ,EAAE;IACb,QAAQ,EAAE,OAAC;SACR,MAAM,EAAE;SACR,KAAK,CAAC,kBAAkB,CAAC;SACzB,QAAQ,EAAE;IACb,MAAM,EAAE,OAAC;SACN,MAAM,EAAE;SACR,KAAK,CAAC,0BAA0B,CAAC;SACjC,QAAQ,EAAE;IACb,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEvC,wBAAwB;IACxB,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,cAAc,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAEtC,wBAAwB;IACxB,YAAY,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,qBAAqB,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAE7C,0BAA0B;IAC1B,qEAAqE;IACrE,OAAO,EAAE,OAAC;SACP,MAAM,CAAC;QACN,SAAS,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,cAAc,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACrC,QAAQ,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC/B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC7B,WAAW,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAA
Q,EAAE;QAClC,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC/B,CAAC;SACD,QAAQ,EAAE;IAEb,6DAA6D;IAC7D,qBAAqB,EAAE,OAAC;SACrB,KAAK,CACJ,OAAC;SACE,MAAM,CAAC;QACN,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE;QAChB,4DAA4D;QAC5D,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACzC,OAAO,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACvC,SAAS,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACzC,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,UAAU,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC3C,CAAC;SACD,WAAW,EAAE,CACjB;SACA,QAAQ,EAAE;CACd,CAAC;KACD,WAAW,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { jwkPubSchema } from './jwk.js'\nimport { jwtCharsRefinement, segmentedStringRefinementFactory } from './util.js'\n\nexport const signedJwtSchema = z\n .string()\n .superRefine(jwtCharsRefinement)\n .superRefine(segmentedStringRefinementFactory(3))\n\nexport type SignedJwt = z.infer<typeof signedJwtSchema>\nexport const isSignedJwt = (data: unknown): data is SignedJwt =>\n signedJwtSchema.safeParse(data).success\n\nexport const unsignedJwtSchema = z\n .string()\n .superRefine(jwtCharsRefinement)\n .superRefine(segmentedStringRefinementFactory(2))\n\nexport type UnsignedJwt = z.infer<typeof unsignedJwtSchema>\nexport const isUnsignedJwt = (data: unknown): data is UnsignedJwt =>\n unsignedJwtSchema.safeParse(data).success\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4}\n */\nexport const jwtHeaderSchema = z\n .object({\n /** \"alg\" (Algorithm) Header Parameter */\n alg: z.string(),\n /** \"jku\" (JWK Set URL) Header Parameter */\n jku: z.string().url().optional(),\n /** \"jwk\" (JSON Web Key) Header Parameter */\n jwk: z\n .object({\n kty: z.string(),\n crv: z.string().optional(),\n x: z.string().optional(),\n y: z.string().optional(),\n e: z.string().optional(),\n n: z.string().optional(),\n })\n .optional(),\n /** \"kid\" (Key ID) Header Parameter */\n kid: 
z.string().optional(),\n /** \"x5u\" (X.509 URL) Header Parameter */\n x5u: z.string().optional(),\n /** \"x5c\" (X.509 Certificate Chain) Header Parameter */\n x5c: z.array(z.string()).optional(),\n /** \"x5t\" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */\n x5t: z.string().optional(),\n /** \"x5t#S256\" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */\n 'x5t#S256': z.string().optional(),\n /** \"typ\" (Type) Header Parameter */\n typ: z.string().optional(),\n /** \"cty\" (Content Type) Header Parameter */\n cty: z.string().optional(),\n /** \"crit\" (Critical) Header Parameter */\n crit: z.array(z.string()).optional(),\n })\n .passthrough()\n\nexport type JwtHeader = z.infer<typeof jwtHeaderSchema>\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}\n * @see {@link https://www.rfc-editor.org/rfc/rfc9110#section-7.1}\n */\nexport const htuSchema = z.string().superRefine((value, ctx) => {\n try {\n const url = new URL(value)\n if (url.protocol !== 'http:' && url.protocol !== 'https:') {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Only http: and https: protocols are allowed',\n })\n }\n\n if (url.username || url.password) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Credentials not allowed',\n })\n }\n\n if (url.search) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Query string not allowed',\n })\n }\n\n if (url.hash) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Fragment not allowed',\n })\n }\n } catch (err) {\n ctx.addIssue({\n code: z.ZodIssueCode.invalid_string,\n validation: 'url',\n })\n }\n\n return value\n})\n\n// https://www.iana.org/assignments/jwt/jwt.xhtml\nexport const jwtPayloadSchema = z\n .object({\n iss: z.string().optional(),\n aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),\n sub: z.string().optional(),\n exp: z.number().int().optional(),\n nbf: z.number().int().optional(),\n iat: 
z.number().int().optional(),\n jti: z.string().optional(),\n htm: z.string().optional(),\n htu: htuSchema.optional(),\n ath: z.string().optional(),\n acr: z.string().optional(),\n azp: z.string().optional(),\n amr: z.array(z.string()).optional(),\n // https://datatracker.ietf.org/doc/html/rfc7800\n cnf: z\n .object({\n kid: z.string().optional(), // Key ID\n jwk: jwkPubSchema.optional(), // JWK\n jwe: z.string().optional(), // Encrypted key\n jku: z.string().url().optional(), // JWK Set URI (\"kid\" should also be provided)\n\n // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1\n jkt: z.string().optional(),\n\n // https://datatracker.ietf.org/doc/html/rfc8705\n 'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint\n\n // https://datatracker.ietf.org/doc/html/rfc9203\n osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation\n })\n .optional(),\n\n client_id: z.string().optional(),\n\n scope: z.string().optional(),\n nonce: z.string().optional(),\n\n at_hash: z.string().optional(),\n c_hash: z.string().optional(),\n s_hash: z.string().optional(),\n auth_time: z.number().int().optional(),\n\n // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\n\n // OpenID: \"profile\" scope\n name: z.string().optional(),\n family_name: z.string().optional(),\n given_name: z.string().optional(),\n middle_name: z.string().optional(),\n nickname: z.string().optional(),\n preferred_username: z.string().optional(),\n gender: z.string().optional(), // OpenID only defines \"male\" and \"female\" without forbidding other values\n picture: z.string().url().optional(),\n profile: z.string().url().optional(),\n website: z.string().url().optional(),\n birthdate: z\n .string()\n .regex(/\\d{4}-\\d{2}-\\d{2}/) // YYYY-MM-DD\n .optional(),\n zoneinfo: z\n .string()\n .regex(/^[A-Za-z0-9_/]+$/)\n .optional(),\n locale: z\n .string()\n 
.regex(/^[a-z]{2,3}(-[A-Z]{2})?$/)\n .optional(),\n updated_at: z.number().int().optional(),\n\n // OpenID: \"email\" scope\n email: z.string().optional(),\n email_verified: z.boolean().optional(),\n\n // OpenID: \"phone\" scope\n phone_number: z.string().optional(),\n phone_number_verified: z.boolean().optional(),\n\n // OpenID: \"address\" scope\n // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim\n address: z\n .object({\n formatted: z.string().optional(),\n street_address: z.string().optional(),\n locality: z.string().optional(),\n region: z.string().optional(),\n postal_code: z.string().optional(),\n country: z.string().optional(),\n })\n .optional(),\n\n // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2\n authorization_details: z\n .array(\n z\n .object({\n type: z.string(),\n // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2\n locations: z.array(z.string()).optional(),\n actions: z.array(z.string()).optional(),\n datatypes: z.array(z.string()).optional(),\n identifier: z.string().optional(),\n privileges: z.array(z.string()).optional(),\n })\n .passthrough(),\n )\n .optional(),\n })\n .passthrough()\n\nexport type JwtPayload = z.infer<typeof jwtPayloadSchema>\n"]}
|
|
1
|
+
{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAA;AACvC,OAAO,EAAE,kBAAkB,EAAE,gCAAgC,EAAE,MAAM,WAAW,CAAA;AAEhF,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC;KAC7B,MAAM,EAAE;KACR,WAAW,CAAC,kBAAkB,CAAC;KAC/B,WAAW,CAAC,gCAAgC,CAAC,CAAC,CAAC,CAAC,CAAA;AAGnD,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,IAAa,EAAqB,EAAE,CAC9D,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAEzC,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC;KAC/B,MAAM,EAAE;KACR,WAAW,CAAC,kBAAkB,CAAC;KAC/B,WAAW,CAAC,gCAAgC,CAAC,CAAC,CAAC,CAAC,CAAA;AAGnD,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAa,EAAuB,EAAE,CAClE,iBAAiB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,OAAO,CAAA;AAE3C;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC;KAC7B,MAAM,CAAC;IACN,yCAAyC;IACzC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,2CAA2C;IAC3C,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,4CAA4C;IAC5C,GAAG,EAAE,CAAC;SACH,MAAM,CAAC;QACN,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;QACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC1B,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACzB,CAAC;SACD,QAAQ,EAAE;IACb,sCAAsC;IACtC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yCAAyC;IACzC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,uDAAuD;IACvD,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnC,kEAAkE;IAClE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yEAAyE;IACzE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,oCAAoC;IACpC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,4CAA4C;IAC5C,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,yCAAyC;IACzC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;CACrC,CAAC;KACD,WAAW,EAAE,CAAA;AAIhB;;;GAGG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,WAAW,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;IAC7D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,
KAAK,CAAC,CAAA;QAC1B,IAAI,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1D,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,6CAA6C;aACvD,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YACjC,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,yBAAyB;aACnC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;YACf,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,0BAA0B;aACpC,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;YACb,GAAG,CAAC,QAAQ,CAAC;gBACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,MAAM;gBAC3B,OAAO,EAAE,sBAAsB;aAChC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,GAAG,CAAC,QAAQ,CAAC;YACX,IAAI,EAAE,CAAC,CAAC,YAAY,CAAC,cAAc;YACnC,UAAU,EAAE,KAAK;SAClB,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC,CAAC,CAAA;AAEF,iDAAiD;AACjD,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC;KAC9B,MAAM,CAAC;IACN,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;IACrE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAChC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,SAAS,CAAC,QAAQ,EAAE;IACzB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC1B,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;IACnC,gDAAgD;IAChD,GAAG,EAAE,CAAC;SACH,MAAM,CAAC;QACN,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,SAAS;QACrC,GAAG,EAAE,YAAY,CAAC,QAAQ,EAAE,EAAE,MAAM;QACpC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,gBAAgB;QAC5C,GAAG,EAAE,CAAC,CAAC,MAAM
,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8CAA8C;QAEhF,4DAA4D;QAC5D,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAE1B,gDAAgD;QAChD,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,uCAAuC;QAE1E,gDAAgD;QAChD,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,qHAAqH;KAClJ,CAAC;SACD,QAAQ,EAAE;IAEb,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAEhC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAE5B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC9B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEtC,uEAAuE;IAEvE,0BAA0B;IAC1B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC/B,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACzC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,EAAE,0EAA0E;IACzG,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACpC,SAAS,EAAE,CAAC;SACT,MAAM,EAAE;SACR,KAAK,CAAC,mBAAmB,CAAC,CAAC,aAAa;SACxC,QAAQ,EAAE;IACb,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,KAAK,CAAC,kBAAkB,CAAC;SACzB,QAAQ,EAAE;IACb,MAAM,EAAE,CAAC;SACN,MAAM,EAAE;SACR,KAAK,CAAC,0BAA0B,CAAC;SACjC,QAAQ,EAAE;IACb,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IAEvC,wBAAwB;IACxB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAEtC,wBAAwB;IACxB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACnC,qBAAqB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAE7C,0BAA0B;IAC1B,qEAAqE;IACrE,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAChC,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACrC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAA
C,QAAQ,EAAE;QAC/B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC7B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAClC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC/B,CAAC;SACD,QAAQ,EAAE;IAEb,6DAA6D;IAC7D,qBAAqB,EAAE,CAAC;SACrB,KAAK,CACJ,CAAC;SACE,MAAM,CAAC;QACN,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,4DAA4D;QAC5D,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACzC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACvC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;QACzC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACjC,UAAU,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC3C,CAAC;SACD,WAAW,EAAE,CACjB;SACA,QAAQ,EAAE;CACd,CAAC;KACD,WAAW,EAAE,CAAA","sourcesContent":["import { z } from 'zod'\nimport { jwkPubSchema } from './jwk.js'\nimport { jwtCharsRefinement, segmentedStringRefinementFactory } from './util.js'\n\nexport const signedJwtSchema = z\n .string()\n .superRefine(jwtCharsRefinement)\n .superRefine(segmentedStringRefinementFactory(3))\n\nexport type SignedJwt = z.infer<typeof signedJwtSchema>\nexport const isSignedJwt = (data: unknown): data is SignedJwt =>\n signedJwtSchema.safeParse(data).success\n\nexport const unsignedJwtSchema = z\n .string()\n .superRefine(jwtCharsRefinement)\n .superRefine(segmentedStringRefinementFactory(2))\n\nexport type UnsignedJwt = z.infer<typeof unsignedJwtSchema>\nexport const isUnsignedJwt = (data: unknown): data is UnsignedJwt =>\n unsignedJwtSchema.safeParse(data).success\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4}\n */\nexport const jwtHeaderSchema = z\n .object({\n /** \"alg\" (Algorithm) Header Parameter */\n alg: z.string(),\n /** \"jku\" (JWK Set URL) Header Parameter */\n jku: z.string().url().optional(),\n /** \"jwk\" (JSON Web Key) Header Parameter */\n jwk: z\n .object({\n kty: z.string(),\n crv: z.string().optional(),\n x: z.string().optional(),\n y: z.string().optional(),\n e: 
z.string().optional(),\n n: z.string().optional(),\n })\n .optional(),\n /** \"kid\" (Key ID) Header Parameter */\n kid: z.string().optional(),\n /** \"x5u\" (X.509 URL) Header Parameter */\n x5u: z.string().optional(),\n /** \"x5c\" (X.509 Certificate Chain) Header Parameter */\n x5c: z.array(z.string()).optional(),\n /** \"x5t\" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */\n x5t: z.string().optional(),\n /** \"x5t#S256\" (X.509 Certificate SHA-256 Thumbprint) Header Parameter */\n 'x5t#S256': z.string().optional(),\n /** \"typ\" (Type) Header Parameter */\n typ: z.string().optional(),\n /** \"cty\" (Content Type) Header Parameter */\n cty: z.string().optional(),\n /** \"crit\" (Critical) Header Parameter */\n crit: z.array(z.string()).optional(),\n })\n .passthrough()\n\nexport type JwtHeader = z.infer<typeof jwtHeaderSchema>\n\n/**\n * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}\n * @see {@link https://www.rfc-editor.org/rfc/rfc9110#section-7.1}\n */\nexport const htuSchema = z.string().superRefine((value, ctx) => {\n try {\n const url = new URL(value)\n if (url.protocol !== 'http:' && url.protocol !== 'https:') {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Only http: and https: protocols are allowed',\n })\n }\n\n if (url.username || url.password) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Credentials not allowed',\n })\n }\n\n if (url.search) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Query string not allowed',\n })\n }\n\n if (url.hash) {\n ctx.addIssue({\n code: z.ZodIssueCode.custom,\n message: 'Fragment not allowed',\n })\n }\n } catch (err) {\n ctx.addIssue({\n code: z.ZodIssueCode.invalid_string,\n validation: 'url',\n })\n }\n\n return value\n})\n\n// https://www.iana.org/assignments/jwt/jwt.xhtml\nexport const jwtPayloadSchema = z\n .object({\n iss: z.string().optional(),\n aud: z.union([z.string(), z.array(z.string()).nonempty()]).optional(),\n sub: 
z.string().optional(),\n exp: z.number().int().optional(),\n nbf: z.number().int().optional(),\n iat: z.number().int().optional(),\n jti: z.string().optional(),\n htm: z.string().optional(),\n htu: htuSchema.optional(),\n ath: z.string().optional(),\n acr: z.string().optional(),\n azp: z.string().optional(),\n amr: z.array(z.string()).optional(),\n // https://datatracker.ietf.org/doc/html/rfc7800\n cnf: z\n .object({\n kid: z.string().optional(), // Key ID\n jwk: jwkPubSchema.optional(), // JWK\n jwe: z.string().optional(), // Encrypted key\n jku: z.string().url().optional(), // JWK Set URI (\"kid\" should also be provided)\n\n // https://datatracker.ietf.org/doc/html/rfc9449#section-6.1\n jkt: z.string().optional(),\n\n // https://datatracker.ietf.org/doc/html/rfc8705\n 'x5t#S256': z.string().optional(), // X.509 Certificate SHA-256 Thumbprint\n\n // https://datatracker.ietf.org/doc/html/rfc9203\n osc: z.string().optional(), // OSCORE_Input_Material carrying the parameters for using OSCORE per-message security with implicit key confirmation\n })\n .optional(),\n\n client_id: z.string().optional(),\n\n scope: z.string().optional(),\n nonce: z.string().optional(),\n\n at_hash: z.string().optional(),\n c_hash: z.string().optional(),\n s_hash: z.string().optional(),\n auth_time: z.number().int().optional(),\n\n // https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\n\n // OpenID: \"profile\" scope\n name: z.string().optional(),\n family_name: z.string().optional(),\n given_name: z.string().optional(),\n middle_name: z.string().optional(),\n nickname: z.string().optional(),\n preferred_username: z.string().optional(),\n gender: z.string().optional(), // OpenID only defines \"male\" and \"female\" without forbidding other values\n picture: z.string().url().optional(),\n profile: z.string().url().optional(),\n website: z.string().url().optional(),\n birthdate: z\n .string()\n .regex(/\\d{4}-\\d{2}-\\d{2}/) // YYYY-MM-DD\n .optional(),\n zoneinfo: z\n 
.string()\n .regex(/^[A-Za-z0-9_/]+$/)\n .optional(),\n locale: z\n .string()\n .regex(/^[a-z]{2,3}(-[A-Z]{2})?$/)\n .optional(),\n updated_at: z.number().int().optional(),\n\n // OpenID: \"email\" scope\n email: z.string().optional(),\n email_verified: z.boolean().optional(),\n\n // OpenID: \"phone\" scope\n phone_number: z.string().optional(),\n phone_number_verified: z.boolean().optional(),\n\n // OpenID: \"address\" scope\n // https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim\n address: z\n .object({\n formatted: z.string().optional(),\n street_address: z.string().optional(),\n locality: z.string().optional(),\n region: z.string().optional(),\n postal_code: z.string().optional(),\n country: z.string().optional(),\n })\n .optional(),\n\n // https://datatracker.ietf.org/doc/html/rfc9396#section-14.2\n authorization_details: z\n .array(\n z\n .object({\n type: z.string(),\n // https://datatracker.ietf.org/doc/html/rfc9396#section-2.2\n locations: z.array(z.string()).optional(),\n actions: z.array(z.string()).optional(),\n datatypes: z.array(z.string()).optional(),\n identifier: z.string().optional(),\n privileges: z.array(z.string()).optional(),\n })\n .passthrough(),\n )\n .optional(),\n })\n .passthrough()\n\nexport type JwtPayload = z.infer<typeof jwtPayloadSchema>\n"]}
|