@aura-stack/jose 0.1.0-rc.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Auth Stack Js
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,43 @@
+<div align="center">
+
+<h1><b>@aura-stack/jose</b></h1>
+
+**Type-safe JOSE utilities for JWT signing, verification, and encryption**
+
+[![npm version](https://img.shields.io/npm/v/@aura-stack/jose.svg)](https://www.npmjs.com/package/@aura-stack/jose)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+
+[Official Docs](https://aura-stack-auth.vercel.app/docs) · [JOSE Package Docs](https://aura-stack-auth.vercel.app/docs/packages/jose)
+
+</div>
+
+---
+
+## Overview
+
+`@aura-stack/jose` is a lightweight, type-safe wrapper around the [`jose`](https://github.com/panva/jose) library.  
+It provides utilities for working with **JWS (signing)**, **JWE (encryption)**, and **JWTs**, offering a simplified, consistent API built for modern TypeScript environments.
+
+This package is used internally by [`@aura-stack/auth`](https://www.npmjs.com/package/@aura-stack/auth) but can also be installed and used as a standalone module.
+
+## Features
+
+- **JWT management** — Sign, verify, encrypt, and decrypt JWTs with ease.
+- **Type-safe** — Built with modern TypeScript for full type inference.
+- **Composable utilities** — Use `createJWS`, `createJWE`, and `createJWT` to simplify configuration.
+- **Lightweight integration** — Minimal wrapper around `jose` for better DX without overhead.
+- **Flexible algorithms** — Compatible with HMAC, RSA, and EC key types.
+
+## Documentation
+
+Visit the [**official documentation website**](https://aura-stack-auth.vercel.app).
+
+## License
+
+Licensed under the [MIT License](LICENSE). © [Aura Stack](https://github.com/aura-stack-ts)
+
+---
+
+<p align="center">
+  Made with ❤️ by <a href="https://github.com/aura-stack-ts">Aura Stack team</a>
+</p>

package/dist/chunk-KSVD3YEC.js

@@ -0,0 +1,33 @@
+import {
+  createSecret
+} from "./chunk-M4WAOCIJ.js";
+
+// src/sign.ts
+import crypto from "crypto";
+import { jwtVerify, SignJWT } from "jose";
+var signJWS = async (payload, secret) => {
+  const secretKey = createSecret(secret);
+  const jti = crypto.randomBytes(32).toString("base64");
+  return new SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).sign(secretKey);
+};
+var verifyJWS = async (token, secret) => {
+  try {
+    const secretKey = createSecret(secret);
+    const { payload } = await jwtVerify(token, secretKey);
+    return payload;
+  } catch (error) {
+    throw new Error("Invalid JWS", { cause: error });
+  }
+};
+var createJWS = (secret) => {
+  return {
+    signJWS: (payload) => signJWS(payload, secret),
+    verifyJWS: (payload) => verifyJWS(payload, secret)
+  };
+};
+
+export {
+  signJWS,
+  verifyJWS,
+  createJWS
+};

package/dist/chunk-M4WAOCIJ.js

@@ -0,0 +1,15 @@
+// src/secret.ts
+var createSecret = (secret) => {
+  if (secret === void 0) throw new Error("Secret is required");
+  if (typeof secret === "string") {
+    if (new TextEncoder().encode(secret).byteLength < 32) {
+      throw new Error("Secret string must be at least 32 characters long");
+    }
+    return new Uint8Array(Buffer.from(secret, "utf-8"));
+  }
+  return secret;
+};
+
+export {
+  createSecret
+};

package/dist/chunk-ODRHALUH.js

@@ -0,0 +1,27 @@
+import {
+  createSecret
+} from "./chunk-M4WAOCIJ.js";
+
+// src/deriveKey.ts
+import { hkdfSync } from "crypto";
+var deriveKey = (secret, salt, info, length = 32) => {
+  try {
+    const key = hkdfSync("SHA256", secret, salt, info, length);
+    const derivedKey = Buffer.from(key);
+    return {
+      key,
+      derivedKey
+    };
+  } catch (error) {
+    throw new Error("Failed to create a derived key (HKDF)", { cause: error });
+  }
+};
+var createDeriveKey = (secret, salt, info, length = 32) => {
+  const secretKey = createSecret(secret);
+  return deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+};
+
+export {
+  deriveKey,
+  createDeriveKey
+};

package/dist/chunk-T7MMDRY3.js

@@ -0,0 +1,33 @@
+import {
+  createSecret
+} from "./chunk-M4WAOCIJ.js";
+
+// src/encrypt.ts
+import crypto from "crypto";
+import { EncryptJWT, jwtDecrypt } from "jose";
+var encryptJWE = async (payload, secret) => {
+  const secretKey = createSecret(secret);
+  const jti = crypto.randomBytes(32).toString("base64");
+  return new EncryptJWT({ token: payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).encrypt(secretKey);
+};
+var decryptJWE = async (token, secret) => {
+  try {
+    const secretKey = createSecret(secret);
+    const { payload } = await jwtDecrypt(token, secretKey);
+    return payload.token;
+  } catch (error) {
+    throw new Error("Invalid JWE", { cause: error });
+  }
+};
+var createJWE = (secret) => {
+  return {
+    encryptJWE: (payload) => encryptJWE(payload, secret),
+    decryptJWE: (payload) => decryptJWE(payload, secret)
+  };
+};
+
+export {
+  encryptJWE,
+  decryptJWE,
+  createJWE
+};

package/dist/deriveKey.cjs

@@ -0,0 +1,62 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/deriveKey.ts
+var deriveKey_exports = {};
+__export(deriveKey_exports, {
+  createDeriveKey: () => createDeriveKey,
+  deriveKey: () => deriveKey
+});
+module.exports = __toCommonJS(deriveKey_exports);
+var import_node_crypto = require("crypto");
+
+// src/secret.ts
+var createSecret = (secret) => {
+  if (secret === void 0) throw new Error("Secret is required");
+  if (typeof secret === "string") {
+    if (new TextEncoder().encode(secret).byteLength < 32) {
+      throw new Error("Secret string must be at least 32 characters long");
+    }
+    return new Uint8Array(Buffer.from(secret, "utf-8"));
+  }
+  return secret;
+};
+
+// src/deriveKey.ts
+var deriveKey = (secret, salt, info, length = 32) => {
+  try {
+    const key = (0, import_node_crypto.hkdfSync)("SHA256", secret, salt, info, length);
+    const derivedKey = Buffer.from(key);
+    return {
+      key,
+      derivedKey
+    };
+  } catch (error) {
+    throw new Error("Failed to create a derived key (HKDF)", { cause: error });
+  }
+};
+var createDeriveKey = (secret, salt, info, length = 32) => {
+  const secretKey = createSecret(secret);
+  return deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createDeriveKey,
+  deriveKey
+});

package/dist/deriveKey.d.ts

@@ -0,0 +1,3 @@
+import 'node:crypto';
+export { createDeriveKey, deriveKey } from './index.js';
+import 'jose';

package/dist/deriveKey.js

@@ -0,0 +1,9 @@
+import {
+  createDeriveKey,
+  deriveKey
+} from "./chunk-ODRHALUH.js";
+import "./chunk-M4WAOCIJ.js";
+export {
+  createDeriveKey,
+  deriveKey
+};

package/dist/encrypt.cjs

@@ -0,0 +1,79 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/encrypt.ts
+var encrypt_exports = {};
+__export(encrypt_exports, {
+  createJWE: () => createJWE,
+  decryptJWE: () => decryptJWE,
+  encryptJWE: () => encryptJWE
+});
+module.exports = __toCommonJS(encrypt_exports);
+var import_node_crypto = __toESM(require("crypto"), 1);
+var import_jose = require("jose");
+
+// src/secret.ts
+var createSecret = (secret) => {
+  if (secret === void 0) throw new Error("Secret is required");
+  if (typeof secret === "string") {
+    if (new TextEncoder().encode(secret).byteLength < 32) {
+      throw new Error("Secret string must be at least 32 characters long");
+    }
+    return new Uint8Array(Buffer.from(secret, "utf-8"));
+  }
+  return secret;
+};
+
+// src/encrypt.ts
+var encryptJWE = async (payload, secret) => {
+  const secretKey = createSecret(secret);
+  const jti = import_node_crypto.default.randomBytes(32).toString("base64");
+  return new import_jose.EncryptJWT({ token: payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).encrypt(secretKey);
+};
+var decryptJWE = async (token, secret) => {
+  try {
+    const secretKey = createSecret(secret);
+    const { payload } = await (0, import_jose.jwtDecrypt)(token, secretKey);
+    return payload.token;
+  } catch (error) {
+    throw new Error("Invalid JWE", { cause: error });
+  }
+};
+var createJWE = (secret) => {
+  return {
+    encryptJWE: (payload) => encryptJWE(payload, secret),
+    decryptJWE: (payload) => decryptJWE(payload, secret)
+  };
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createJWE,
+  decryptJWE,
+  encryptJWE
+});

package/dist/encrypt.d.ts

@@ -0,0 +1,3 @@
+export { EncryptedPayload, createJWE, decryptJWE, encryptJWE } from './index.js';
+import 'node:crypto';
+import 'jose';

package/dist/encrypt.js

@@ -0,0 +1,11 @@
+import {
+  createJWE,
+  decryptJWE,
+  encryptJWE
+} from "./chunk-T7MMDRY3.js";
+import "./chunk-M4WAOCIJ.js";
+export {
+  createJWE,
+  decryptJWE,
+  encryptJWE
+};

package/dist/index.cjs

@@ -0,0 +1,168 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  createDeriveKey: () => createDeriveKey,
+  createJWE: () => createJWE,
+  createJWS: () => createJWS,
+  createJWT: () => createJWT,
+  decodeJWT: () => decodeJWT,
+  decryptJWE: () => decryptJWE,
+  deriveKey: () => deriveKey,
+  encodeJWT: () => encodeJWT,
+  encryptJWE: () => encryptJWE,
+  signJWS: () => signJWS,
+  verifyJWS: () => verifyJWS
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/encrypt.ts
+var import_node_crypto = __toESM(require("crypto"), 1);
+var import_jose = require("jose");
+
+// src/secret.ts
+var createSecret = (secret) => {
+  if (secret === void 0) throw new Error("Secret is required");
+  if (typeof secret === "string") {
+    if (new TextEncoder().encode(secret).byteLength < 32) {
+      throw new Error("Secret string must be at least 32 characters long");
+    }
+    return new Uint8Array(Buffer.from(secret, "utf-8"));
+  }
+  return secret;
+};
+
+// src/encrypt.ts
+var encryptJWE = async (payload, secret) => {
+  const secretKey = createSecret(secret);
+  const jti = import_node_crypto.default.randomBytes(32).toString("base64");
+  return new import_jose.EncryptJWT({ token: payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).encrypt(secretKey);
+};
+var decryptJWE = async (token, secret) => {
+  try {
+    const secretKey = createSecret(secret);
+    const { payload } = await (0, import_jose.jwtDecrypt)(token, secretKey);
+    return payload.token;
+  } catch (error) {
+    throw new Error("Invalid JWE", { cause: error });
+  }
+};
+var createJWE = (secret) => {
+  return {
+    encryptJWE: (payload) => encryptJWE(payload, secret),
+    decryptJWE: (payload) => decryptJWE(payload, secret)
+  };
+};
+
+// src/sign.ts
+var import_node_crypto2 = __toESM(require("crypto"), 1);
+var import_jose2 = require("jose");
+var signJWS = async (payload, secret) => {
+  const secretKey = createSecret(secret);
+  const jti = import_node_crypto2.default.randomBytes(32).toString("base64");
+  return new import_jose2.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).sign(secretKey);
+};
+var verifyJWS = async (token, secret) => {
+  try {
+    const secretKey = createSecret(secret);
+    const { payload } = await (0, import_jose2.jwtVerify)(token, secretKey);
+    return payload;
+  } catch (error) {
+    throw new Error("Invalid JWS", { cause: error });
+  }
+};
+var createJWS = (secret) => {
+  return {
+    signJWS: (payload) => signJWS(payload, secret),
+    verifyJWS: (payload) => verifyJWS(payload, secret)
+  };
+};
+
+// src/deriveKey.ts
+var import_node_crypto3 = require("crypto");
+var deriveKey = (secret, salt, info, length = 32) => {
+  try {
+    const key = (0, import_node_crypto3.hkdfSync)("SHA256", secret, salt, info, length);
+    const derivedKey = Buffer.from(key);
+    return {
+      key,
+      derivedKey
+    };
+  } catch (error) {
+    throw new Error("Failed to create a derived key (HKDF)", { cause: error });
+  }
+};
+var createDeriveKey = (secret, salt, info, length = 32) => {
+  const secretKey = createSecret(secret);
+  return deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+};
+
+// src/index.ts
+var encodeJWT = async (token, secret) => {
+  try {
+    const { signJWS: signJWS2 } = createJWS(secret);
+    const { encryptJWE: encryptJWE2 } = createJWE(secret);
+    const signed = await signJWS2(token);
+    return await encryptJWE2(signed);
+  } catch (error) {
+    throw new Error("Failed to encode JWT", { cause: error });
+  }
+};
+var decodeJWT = async (token, secret) => {
+  try {
+    const { verifyJWS: verifyJWS2 } = createJWS(secret);
+    const { decryptJWE: decryptJWE2 } = createJWE(secret);
+    const decrypted = await decryptJWE2(token);
+    return await verifyJWS2(decrypted);
+  } catch (error) {
+    throw new Error("Failed to decode JWT", { cause: error });
+  }
+};
+var createJWT = (secret) => {
+  return {
+    encodeJWT: async (payload) => encodeJWT(payload, secret),
+    decodeJWT: async (token) => decodeJWT(token, secret)
+  };
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createDeriveKey,
+  createJWE,
+  createJWS,
+  createJWT,
+  decodeJWT,
+  decryptJWE,
+  deriveKey,
+  encodeJWT,
+  encryptJWE,
+  signJWS,
+  verifyJWS
+});

package/dist/index.d.ts

@@ -0,0 +1,145 @@
+import { KeyObject, BinaryLike } from 'node:crypto';
+import { JWTPayload } from 'jose';
+
+/**
+ * Sign a standard JWT token with the following claims:
+ *  - alg: algorithm used to sign the JWT
+ *  - typ: type of the token
+ *  - iat: time at which the JWT was issued
+ *  - nbf: not before time of the JWT
+ *  - exp: expiration time of the JWT
+ *  - jti: unique identifier to avoid collisions
+ *
+ * @param payload - Payload data information to sign the JWT
+ * @param secret - Secret key to sign the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Signed JWT string
+ */
+declare const signJWS: (payload: JWTPayload, secret: SecretInput) => Promise<string>;
+/**
+ * Verify the integrity of a JWT token and return the payload if valid, rejecting
+ * tokens that use the "none" algorithm to prevent unsecured tokens.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7519#section-6 Unsecured JWTs
+ * @param token - JWT string to verify
+ * @param secret - CryptoKey or KeyObject used to verify the JWT
+ * @returns verify and return the payload of the JWT
+ */
+declare const verifyJWS: (token: string, secret: SecretInput) => Promise<JWTPayload>;
+/**
+ * Create a JWS (JSON Web Signature) signer and verifier. It implements the `signJWS`
+ * and `verifyJWS` functions of the module.
+ *
+ * @param secret - Secret key used for signing and verifying the JWS
+ * @returns signJWS and verifyJWS functions
+ */
+declare const createJWS: (secret: SecretInput) => {
+    signJWS: (payload: JWTPayload) => Promise<string>;
+    verifyJWS: (payload: string) => Promise<JWTPayload>;
+};
+
+interface EncryptedPayload {
+    token: string;
+}
+/**
+ * Encrypt a standard JWT token with the following claims:
+ *  - alg: algorithm used to encrypt the JWT
+ *  - enc: encryption method used
+ *  - typ: type of the token
+ *  - cty: content type of the token
+ *
+ * @param payload - Payload data information to encrypt the JWT
+ * @param secret - Secret key to encrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Encrypted JWT string
+ */
+declare const encryptJWE: (payload: string, secret: SecretInput) => Promise<string>;
+/**
+ * Decrypt a JWE token and return the payload if valid.
+ *
+ * @param token - Encrypted JWT string to decrypt
+ * @param secret - Secret key to decrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Decrypted JWT payload string
+ */
+declare const decryptJWE: (token: string, secret: SecretInput) => Promise<string>;
+/**
+ * Creates a `JWE (JSON Web Encryption)` encrypter and decrypter. It implements the `encryptJWE`
+ * and `decryptJWE` functions of the module.
+ *
+ * @param secret - Secret key used for encrypting and decrypting the JWE
+ * @returns encryptJWE and decryptJWE functions
+ */
+declare const createJWE: (secret: SecretInput) => {
+    encryptJWE: (payload: string) => Promise<string>;
+    decryptJWE: (payload: string) => Promise<string>;
+};
+
+/**
+ * @module @aura-stack/jose
+ */
+
+type SecretInput = KeyObject | Uint8Array | string;
+/**
+ * Encode a JWT signed and encrypted token. The token first signed using JWS
+ * and then encrypted using JWE to ensure both integrity and confidentiality.
+ * It implements the `signJWS` and `encryptJWE` functions of the module.
+ *
+ * Based on the RFC 7519 standard
+ * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
+ * - Nested JWTs should be signed and then encrypted: https://datatracker.ietf.org/doc/html/rfc7519#section-5.2
+ * - Ensuring the integrity and confidentiality of the claims: https://datatracker.ietf.org/doc/html/rfc7519#section-11.2
+ *
+ * @param token - Payload data to encode in the JWT
+ * @param secret - Secret key used for both signing and encrypting the JWT
+ * @returns Promise resolving to the signed and encrypted JWT string
+ */
+declare const encodeJWT: (token: JWTPayload, secret: SecretInput) => Promise<string>;
+/**
+ * Decode a JWT signed and encrypted token. The token is first decrypted using JWE
+ * and then verified using JWS to ensure both confidentiality and integrity. It
+ * implements the `decryptJWE` and `verifyJWS` functions of the module.
+ *
+ * Based on the RFC 7519 standard
+ * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
+ * - Validating a JWT: https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
+ * @param token
+ * @param secret
+ * @returns
+ */
+declare const decodeJWT: (token: string, secret: SecretInput) => Promise<JWTPayload>;
+/**
+ * Create a JWT handler with encode and decode methods to `signJWS/encryptJWE` and `verifyJWS/decryptJWE`
+ * JWT tokens. The JWTs are signed and verified using JWS and encrypted and decrypted using JWE. It
+ * implements the `signJWS`, `verifyJWS`, `encryptJWE` and `decryptJWE` functions of the module.
+ *
+ * @param secret - Secret key used for signing, verifying, encrypting and decrypting the JWT
+ * @returns JWT handler object with `signJWS/encryptJWE` and `verifyJWS/decryptJWE` methods
+ */
+declare const createJWT: (secret: SecretInput) => {
+    encodeJWT: (payload: JWTPayload) => Promise<string>;
+    decodeJWT: (token: string) => Promise<JWTPayload>;
+};
+
+/**
+ * Generate a derived key using HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
+ *
+ * @param secret Value used as the input keying material
+ * @param salt Cryptographic salt
+ * @param info Context and application specific information
+ * @param length Size of the derived key in bytes (default is 32 bytes)
+ * @returns Derived key as Uint8Array and base64 encoded string
+ */
+declare const deriveKey: (secret: SecretInput, salt: BinaryLike, info: string, length?: number) => {
+    key: ArrayBuffer;
+    derivedKey: Buffer<ArrayBuffer>;
+};
+/**
+ * Create a derived key from a given secret.
+ *
+ * @param secret - The secret as a string or Uint8Array
+ * @returns The secret in Uint8Array format
+ */
+declare const createDeriveKey: (secret: SecretInput, salt?: BinaryLike, info?: string, length?: number) => {
+    key: ArrayBuffer;
+    derivedKey: Buffer<ArrayBuffer>;
+};
+
+export { type EncryptedPayload, type SecretInput, createDeriveKey, createJWE, createJWS, createJWT, decodeJWT, decryptJWE, deriveKey, encodeJWT, encryptJWE, signJWS, verifyJWS };

package/dist/index.js

@@ -0,0 +1,56 @@
+import {
+  createDeriveKey,
+  deriveKey
+} from "./chunk-ODRHALUH.js";
+import {
+  createJWE,
+  decryptJWE,
+  encryptJWE
+} from "./chunk-T7MMDRY3.js";
+import {
+  createJWS,
+  signJWS,
+  verifyJWS
+} from "./chunk-KSVD3YEC.js";
+import "./chunk-M4WAOCIJ.js";
+
+// src/index.ts
+var encodeJWT = async (token, secret) => {
+  try {
+    const { signJWS: signJWS2 } = createJWS(secret);
+    const { encryptJWE: encryptJWE2 } = createJWE(secret);
+    const signed = await signJWS2(token);
+    return await encryptJWE2(signed);
+  } catch (error) {
+    throw new Error("Failed to encode JWT", { cause: error });
+  }
+};
+var decodeJWT = async (token, secret) => {
+  try {
+    const { verifyJWS: verifyJWS2 } = createJWS(secret);
+    const { decryptJWE: decryptJWE2 } = createJWE(secret);
+    const decrypted = await decryptJWE2(token);
+    return await verifyJWS2(decrypted);
+  } catch (error) {
+    throw new Error("Failed to decode JWT", { cause: error });
+  }
+};
+var createJWT = (secret) => {
+  return {
+    encodeJWT: async (payload) => encodeJWT(payload, secret),
+    decodeJWT: async (token) => decodeJWT(token, secret)
+  };
+};
+export {
+  createDeriveKey,
+  createJWE,
+  createJWS,
+  createJWT,
+  decodeJWT,
+  decryptJWE,
+  deriveKey,
+  encodeJWT,
+  encryptJWE,
+  signJWS,
+  verifyJWS
+};

package/dist/jose.cjs

@@ -0,0 +1,24 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/jose.ts
+var jose_exports = {};
+module.exports = __toCommonJS(jose_exports);
+__reExport(jose_exports, require("jose"), module.exports);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ...require("jose")
+});

package/dist/jose.d.ts

@@ -0,0 +1 @@
+export * from 'jose';

package/dist/jose.js

@@ -0,0 +1,2 @@
+// src/jose.ts
+export * from "jose";

package/dist/secret.cjs

@@ -0,0 +1,39 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/secret.ts
+var secret_exports = {};
+__export(secret_exports, {
+  createSecret: () => createSecret
+});
+module.exports = __toCommonJS(secret_exports);
+var createSecret = (secret) => {
+  if (secret === void 0) throw new Error("Secret is required");
+  if (typeof secret === "string") {
+    if (new TextEncoder().encode(secret).byteLength < 32) {
+      throw new Error("Secret string must be at least 32 characters long");
+    }
+    return new Uint8Array(Buffer.from(secret, "utf-8"));
+  }
+  return secret;
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createSecret
+});

package/dist/secret.d.ts

@@ -0,0 +1,14 @@
+import * as crypto from 'crypto';
+import { SecretInput } from './index.js';
+import 'node:crypto';
+import 'jose';
+
+/**
+ * Create a secret in Uint8Array format
+ *
+ * @param secret - The secret as a string or Uint8Array
+ * @returns The secret in Uint8Array format
+ */
+declare const createSecret: (secret: SecretInput) => crypto.KeyObject | Uint8Array<ArrayBufferLike>;
+
+export { createSecret };

package/dist/secret.js

@@ -0,0 +1,6 @@
+import {
+  createSecret
+} from "./chunk-M4WAOCIJ.js";
+export {
+  createSecret
+};

package/dist/sign.cjs

@@ -0,0 +1,79 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/sign.ts
+var sign_exports = {};
+__export(sign_exports, {
+  createJWS: () => createJWS,
+  signJWS: () => signJWS,
+  verifyJWS: () => verifyJWS
+});
+module.exports = __toCommonJS(sign_exports);
+var import_node_crypto = __toESM(require("crypto"), 1);
+var import_jose = require("jose");
+
+// src/secret.ts
+var createSecret = (secret) => {
+  if (secret === void 0) throw new Error("Secret is required");
+  if (typeof secret === "string") {
+    if (new TextEncoder().encode(secret).byteLength < 32) {
+      throw new Error("Secret string must be at least 32 characters long");
+    }
+    return new Uint8Array(Buffer.from(secret, "utf-8"));
+  }
+  return secret;
+};
+
+// src/sign.ts
+var signJWS = async (payload, secret) => {
+  const secretKey = createSecret(secret);
+  const jti = import_node_crypto.default.randomBytes(32).toString("base64");
+  return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).sign(secretKey);
+};
+var verifyJWS = async (token, secret) => {
+  try {
+    const secretKey = createSecret(secret);
+    const { payload } = await (0, import_jose.jwtVerify)(token, secretKey);
+    return payload;
+  } catch (error) {
+    throw new Error("Invalid JWS", { cause: error });
+  }
+};
+var createJWS = (secret) => {
+  return {
+    signJWS: (payload) => signJWS(payload, secret),
+    verifyJWS: (payload) => verifyJWS(payload, secret)
+  };
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createJWS,
+  signJWS,
+  verifyJWS
+});

package/dist/sign.d.ts

@@ -0,0 +1,3 @@
+import 'jose';
+export { createJWS, signJWS, verifyJWS } from './index.js';
+import 'node:crypto';

package/dist/sign.js

@@ -0,0 +1,11 @@
+import {
+  createJWS,
+  signJWS,
+  verifyJWS
+} from "./chunk-KSVD3YEC.js";
+import "./chunk-M4WAOCIJ.js";
+export {
+  createJWS,
+  signJWS,
+  verifyJWS
+};

package/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "@aura-stack/jose",
+  "version": "0.1.0-rc.1",
+  "private": false,
+  "type": "module",
+  "description": "JOSE utilities for @aura-stack/auth",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/aura-stack-ts/auth"
+  },
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "require": "./dist/index.cjs",
+      "import": "./dist/index.js"
+    },
+    "./encrypt": {
+      "types": "./dist/encrypt.d.ts",
+      "require": "./dist/encrypt.cjs",
+      "import": "./dist/encrypt.js"
+    },
+    "./sign": {
+      "types": "./dist/sign.d.ts",
+      "require": "./dist/sign.cjs",
+      "import": "./dist/sign.js"
+    },
+    "./jose": {
+      "types": "./dist/jose.d.ts",
+      "require": "./dist/jose.cjs",
+      "import": "./dist/jose.js"
+    },
+    "./hkdf": {
+      "types": "./dist/deriveKey.d.ts",
+      "require": "./dist/deriveKey.cjs",
+      "import": "./dist/deriveKey.js"
+    }
+  },
+  "keywords": [
+    "auth",
+    "session",
+    "authentication"
+  ],
+  "author": "Aura Stack <aurastackjs@gmail.com> | Hernan Alvarado <halvaradop.dev@gmail.com>",
+  "homepage": "https://aura-stack-auth.vercel.app",
+  "bugs": {
+    "url": "https://github.com/aura-stack-ts/auth/issues"
+  },
+  "license": "MIT",
+  "dependencies": {
+    "jose": "^6.1.2"
+  },
+  "devDependencies": {
+    "@aura-stack/tsconfig": "0.0.0",
+    "@aura-stack/tsup-config": "0.0.0"
+  },
+  "scripts": {
+    "dev": "tsup --watch",
+    "build": "tsup",
+    "test": "vitest --run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest --run --coverage",
+    "format": "prettier --write . --cache --cache-location .cache/.prettiercache",
+    "format:check": "prettier --check . --cache --cache-location .cache/.prettiercache",
+    "type-check": "tsc --noEmit",
+    "clean": "rm -rf dist",
+    "clean:cts": "rm -rf dist/*.cts",
+    "prepublish": "pnpm clean:cts"
+  }
+}