@aura-stack/jose 0.1.0 → 0.3.0

package/dist/errors.d.ts

@@ -0,0 +1,34 @@
+/**
+ * @todo: add link attribute to docs when available
+ */
+declare class AuraJoseError extends Error {
+    static code: string;
+    readonly code: string;
+    constructor(message?: string, options?: ErrorOptions);
+}
+declare class JWTEncodingError extends AuraJoseError {
+    static code: string;
+}
+declare class JWTDecodingError extends AuraJoseError {
+    static code: string;
+}
+declare class InvalidPayloadError extends AuraJoseError {
+    static code: string;
+}
+declare class JWSVerificationError extends AuraJoseError {
+    static code: string;
+}
+declare class JWSSigningError extends AuraJoseError {
+    static code: string;
+}
+declare class JWEDecryptionError extends AuraJoseError {
+    static code: string;
+}
+declare class JWEEncryptionError extends AuraJoseError {
+    static code: string;
+}
+declare class InvalidSecretError extends AuraJoseError {
+    static code: string;
+}
+
+export { AuraJoseError, InvalidPayloadError, InvalidSecretError, JWEDecryptionError, JWEEncryptionError, JWSSigningError, JWSVerificationError, JWTDecodingError, JWTEncodingError };

package/dist/errors.js

@@ -0,0 +1,22 @@
+import {
+  AuraJoseError,
+  InvalidPayloadError,
+  InvalidSecretError,
+  JWEDecryptionError,
+  JWEEncryptionError,
+  JWSSigningError,
+  JWSVerificationError,
+  JWTDecodingError,
+  JWTEncodingError
+} from "./chunk-BMXFAB6Q.js";
+export {
+  AuraJoseError,
+  InvalidPayloadError,
+  InvalidSecretError,
+  JWEDecryptionError,
+  JWEEncryptionError,
+  JWSSigningError,
+  JWSVerificationError,
+  JWTDecodingError,
+  JWTEncodingError
+};

package/dist/index.cjs

@@ -30,87 +30,205 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  MIN_SECRET_ENTROPY_BITS: () => MIN_SECRET_ENTROPY_BITS,
   createDeriveKey: () => createDeriveKey,
   createJWE: () => createJWE,
   createJWS: () => createJWS,
   createJWT: () => createJWT,
+  createSecret: () => createSecret,
   decodeJWT: () => decodeJWT,
   decryptJWE: () => decryptJWE,
   deriveKey: () => deriveKey,
   encodeJWT: () => encodeJWT,
   encryptJWE: () => encryptJWE,
+  getEntropy: () => getEntropy,
+  getSecrets: () => getSecrets,
   signJWS: () => signJWS,
   verifyJWS: () => verifyJWS
 });
 module.exports = __toCommonJS(index_exports);
 
-// src/encrypt.ts
-var import_node_crypto = __toESM(require("crypto"), 1);
+// src/sign.ts
+var import_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
+// src/errors.ts
+var AuraJoseError = class extends Error {
+  static code = "ERR_AURA_JOSE_ERROR";
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = new.target.name;
+    this.code = new.target.code;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var JWTEncodingError = class extends AuraJoseError {
+  static code = "ERR_JWT_ENCODING";
+};
+var JWTDecodingError = class extends AuraJoseError {
+  static code = "ERR_JWT_DECODING";
+};
+var InvalidPayloadError = class extends AuraJoseError {
+  static code = "ERR_INVALID_PAYLOAD";
+};
+var JWSVerificationError = class extends AuraJoseError {
+  static code = "ERR_JWS_VERIFICATION";
+};
+var JWSSigningError = class extends AuraJoseError {
+  static code = "ERR_JWS_SIGNING";
+};
+var JWEDecryptionError = class extends AuraJoseError {
+  static code = "ERR_JWE_DECRYPTION";
+};
+var JWEEncryptionError = class extends AuraJoseError {
+  static code = "ERR_JWE_ENCRYPTION";
+};
+var InvalidSecretError = class extends AuraJoseError {
+  static code = "ERR_INVALID_SECRET";
+};
+
+// src/assert.ts
+var isAuraJoseError = (error) => {
+  return error instanceof AuraJoseError;
+};
+var isFalsy = (value) => {
+  return value === null || value === void 0 || value === false || value === 0 || value === "" || Number.isNaN(value);
+};
+var isObject = (value) => {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+var isInvalidPayload = (payload) => {
+  return isFalsy(payload) || !isObject(payload) || typeof payload === "object" && payload !== null && !Array.isArray(payload) && Object.keys(payload).length === 0;
+};
+
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new Error("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new Error("Secret string must be at least 32 characters long");
+    const byteLength = new TextEncoder().encode(secret).byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
     return new Uint8Array(Buffer.from(secret, "utf-8"));
   }
   return secret;
 };
+var getSecrets = (secret) => {
+  const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;
+  const jweSecret = isObject(secret) && "jwe" in secret ? secret.jwe : secret;
+  return {
+    jwsSecret,
+    jweSecret
+  };
+};
 
-// src/encrypt.ts
-var encryptJWE = async (payload, secret) => {
-  const secretKey = createSecret(secret);
-  const jti = import_node_crypto.default.randomBytes(32).toString("base64");
-  return new import_jose.EncryptJWT({ token: payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).encrypt(secretKey);
+// src/sign.ts
+var signJWS = async (payload, secret) => {
+  try {
+    if (isInvalidPayload(payload)) {
+      throw new InvalidPayloadError("The payload must be a non-empty object");
+    }
+    const secretKey = createSecret(secret);
+    const jti = import_crypto.default.randomBytes(32).toString("base64url");
+    return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
+  } catch (error) {
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWSSigningError("JWS signing failed", { cause: error });
+  }
 };
-var decryptJWE = async (token, secret) => {
+var verifyJWS = async (token, secret, options) => {
   try {
+    if (isFalsy(token)) {
+      throw new InvalidPayloadError("The token must be a non-empty string");
+    }
     const secretKey = createSecret(secret);
-    const { payload } = await (0, import_jose.jwtDecrypt)(token, secretKey);
-    return payload.token;
+    const { payload } = await (0, import_jose.jwtVerify)(token, secretKey, options);
+    return payload;
   } catch (error) {
-    throw new Error("Invalid JWE", { cause: error });
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWSVerificationError("JWS signature verification failed", { cause: error });
   }
 };
-var createJWE = (secret) => {
+var createJWS = (secret) => {
   return {
-    encryptJWE: (payload) => encryptJWE(payload, secret),
-    decryptJWE: (payload) => decryptJWE(payload, secret)
+    signJWS: (payload) => signJWS(payload, secret),
+    verifyJWS: (payload, options) => verifyJWS(payload, secret, options)
   };
 };
 
-// src/sign.ts
-var import_node_crypto2 = __toESM(require("crypto"), 1);
+// src/encrypt.ts
+var import_crypto2 = __toESM(require("crypto"), 1);
 var import_jose2 = require("jose");
-var signJWS = async (payload, secret) => {
-  const secretKey = createSecret(secret);
-  const jti = import_node_crypto2.default.randomBytes(32).toString("base64");
-  return new import_jose2.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).sign(secretKey);
+var encryptJWE = async (payload, secret, options) => {
+  try {
+    if (isFalsy(payload)) {
+      throw new InvalidPayloadError("The payload must be a non-empty string");
+    }
+    const secretKey = createSecret(secret);
+    const jti = import_crypto2.default.randomBytes(32).toString("base64url");
+    return new import_jose2.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
+  } catch (error) {
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWEEncryptionError("JWE encryption failed", { cause: error });
+  }
 };
-var verifyJWS = async (token, secret) => {
+var decryptJWE = async (token, secret, options) => {
   try {
+    if (isFalsy(token)) {
+      throw new InvalidPayloadError("The token must be a non-empty string");
+    }
     const secretKey = createSecret(secret);
-    const { payload } = await (0, import_jose2.jwtVerify)(token, secretKey);
-    return payload;
+    const { payload } = await (0, import_jose2.jwtDecrypt)(token, secretKey, options);
+    return payload.payload;
   } catch (error) {
-    throw new Error("Invalid JWS", { cause: error });
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWEDecryptionError("JWE decryption verification failed", { cause: error });
   }
 };
-var createJWS = (secret) => {
+var createJWE = (secret) => {
   return {
-    signJWS: (payload) => signJWS(payload, secret),
-    verifyJWS: (payload) => verifyJWS(payload, secret)
+    encryptJWE: (payload, options) => encryptJWE(payload, secret, options),
+    decryptJWE: (payload, options) => decryptJWE(payload, secret, options)
   };
 };
 
 // src/deriveKey.ts
-var import_node_crypto3 = require("crypto");
+var import_crypto3 = require("crypto");
 var deriveKey = (secret, salt, info, length = 32) => {
   try {
-    const key = (0, import_node_crypto3.hkdfSync)("SHA256", secret, salt, info, length);
+    const key = (0, import_crypto3.hkdfSync)("SHA256", secret, salt, info, length);
     const derivedKey = Buffer.from(key);
     return {
       key,
@@ -128,22 +246,30 @@ var createDeriveKey = (secret, salt, info, length = 32) => {
 // src/index.ts
 var encodeJWT = async (token, secret) => {
   try {
-    const { signJWS: signJWS2 } = createJWS(secret);
-    const { encryptJWE: encryptJWE2 } = createJWE(secret);
+    const { jweSecret, jwsSecret } = getSecrets(secret);
+    const { signJWS: signJWS2 } = createJWS(jwsSecret);
+    const { encryptJWE: encryptJWE2 } = createJWE(jweSecret);
     const signed = await signJWS2(token);
     return await encryptJWE2(signed);
   } catch (error) {
-    throw new Error("Failed to encode JWT", { cause: error });
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWTEncodingError("JWT encoding failed", { cause: error });
   }
 };
-var decodeJWT = async (token, secret) => {
+var decodeJWT = async (token, secret, options) => {
   try {
-    const { verifyJWS: verifyJWS2 } = createJWS(secret);
-    const { decryptJWE: decryptJWE2 } = createJWE(secret);
-    const decrypted = await decryptJWE2(token);
-    return await verifyJWS2(decrypted);
+    const { jweSecret, jwsSecret } = getSecrets(secret);
+    const { verifyJWS: verifyJWS2 } = createJWS(jwsSecret);
+    const { decryptJWE: decryptJWE2 } = createJWE(jweSecret);
+    const decrypted = await decryptJWE2(token, options?.jwt);
+    return await verifyJWS2(decrypted, options?.jws);
   } catch (error) {
-    throw new Error("Failed to decode JWT", { cause: error });
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWTDecodingError("JWT decoding failed", { cause: error });
   }
 };
 var createJWT = (secret) => {
@@ -154,15 +280,19 @@ var createJWT = (secret) => {
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  MIN_SECRET_ENTROPY_BITS,
   createDeriveKey,
   createJWE,
   createJWS,
   createJWT,
+  createSecret,
   decodeJWT,
   decryptJWE,
   deriveKey,
   encodeJWT,
   encryptJWE,
+  getEntropy,
+  getSecrets,
   signJWS,
   verifyJWS
 });

package/dist/index.d.ts

@@ -1,145 +1,3 @@
-import { KeyObject, BinaryLike } from 'node:crypto';
-import { JWTPayload } from 'jose';
-
-/**
- * Sign a standard JWT token with the following claims:
- *  - alg: algorithm used to sign the JWT
- *  - typ: type of the token
- *  - iat: time at which the JWT was issued
- *  - nbf: not before time of the JWT
- *  - exp: expiration time of the JWT
- *  - jti: unique identifier to avoid collisions
- *
- * @param payload - Payload data information to sign the JWT
- * @param secret - Secret key to sign the JWT (CryptoKey, KeyObject, string or Uint8Array)
- * @returns Signed JWT string
- */
-declare const signJWS: (payload: JWTPayload, secret: SecretInput) => Promise<string>;
-/**
- * Verify the integrity of a JWT token and return the payload if valid, rejecting
- * tokens that use the "none" algorithm to prevent unsecured tokens.
- *
- * @see https://datatracker.ietf.org/doc/html/rfc7519#section-6 Unsecured JWTs
- * @param token - JWT string to verify
- * @param secret - CryptoKey or KeyObject used to verify the JWT
- * @returns verify and return the payload of the JWT
- */
-declare const verifyJWS: (token: string, secret: SecretInput) => Promise<JWTPayload>;
-/**
- * Create a JWS (JSON Web Signature) signer and verifier. It implements the `signJWS`
- * and `verifyJWS` functions of the module.
- *
- * @param secret - Secret key used for signing and verifying the JWS
- * @returns signJWS and verifyJWS functions
- */
-declare const createJWS: (secret: SecretInput) => {
-    signJWS: (payload: JWTPayload) => Promise<string>;
-    verifyJWS: (payload: string) => Promise<JWTPayload>;
-};
-
-interface EncryptedPayload {
-    token: string;
-}
-/**
- * Encrypt a standard JWT token with the following claims:
- *  - alg: algorithm used to encrypt the JWT
- *  - enc: encryption method used
- *  - typ: type of the token
- *  - cty: content type of the token
- *
- * @param payload - Payload data information to encrypt the JWT
- * @param secret - Secret key to encrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
- * @returns Encrypted JWT string
- */
-declare const encryptJWE: (payload: string, secret: SecretInput) => Promise<string>;
-/**
- * Decrypt a JWE token and return the payload if valid.
- *
- * @param token - Encrypted JWT string to decrypt
- * @param secret - Secret key to decrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
- * @returns Decrypted JWT payload string
- */
-declare const decryptJWE: (token: string, secret: SecretInput) => Promise<string>;
-/**
- * Creates a `JWE (JSON Web Encryption)` encrypter and decrypter. It implements the `encryptJWE`
- * and `decryptJWE` functions of the module.
- *
- * @param secret - Secret key used for encrypting and decrypting the JWE
- * @returns encryptJWE and decryptJWE functions
- */
-declare const createJWE: (secret: SecretInput) => {
-    encryptJWE: (payload: string) => Promise<string>;
-    decryptJWE: (payload: string) => Promise<string>;
-};
-
-/**
- * @module @aura-stack/jose
- */
-
-type SecretInput = KeyObject | Uint8Array | string;
-/**
- * Encode a JWT signed and encrypted token. The token first signed using JWS
- * and then encrypted using JWE to ensure both integrity and confidentiality.
- * It implements the `signJWS` and `encryptJWE` functions of the module.
- *
- * Based on the RFC 7519 standard
- * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
- * - Nested JWTs should be signed and then encrypted: https://datatracker.ietf.org/doc/html/rfc7519#section-5.2
- * - Ensuring the integrity and confidentiality of the claims: https://datatracker.ietf.org/doc/html/rfc7519#section-11.2
- *
- * @param token - Payload data to encode in the JWT
- * @param secret - Secret key used for both signing and encrypting the JWT
- * @returns Promise resolving to the signed and encrypted JWT string
- */
-declare const encodeJWT: (token: JWTPayload, secret: SecretInput) => Promise<string>;
-/**
- * Decode a JWT signed and encrypted token. The token is first decrypted using JWE
- * and then verified using JWS to ensure both confidentiality and integrity. It
- * implements the `decryptJWE` and `verifyJWS` functions of the module.
- *
- * Based on the RFC 7519 standard
- * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
- * - Validating a JWT: https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
- * @param token
- * @param secret
- * @returns
- */
-declare const decodeJWT: (token: string, secret: SecretInput) => Promise<JWTPayload>;
-/**
- * Create a JWT handler with encode and decode methods to `signJWS/encryptJWE` and `verifyJWS/decryptJWE`
- * JWT tokens. The JWTs are signed and verified using JWS and encrypted and decrypted using JWE. It
- * implements the `signJWS`, `verifyJWS`, `encryptJWE` and `decryptJWE` functions of the module.
- *
- * @param secret - Secret key used for signing, verifying, encrypting and decrypting the JWT
- * @returns JWT handler object with `signJWS/encryptJWE` and `verifyJWS/decryptJWE` methods
- */
-declare const createJWT: (secret: SecretInput) => {
-    encodeJWT: (payload: JWTPayload) => Promise<string>;
-    decodeJWT: (token: string) => Promise<JWTPayload>;
-};
-
-/**
- * Generate a derived key using HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
- *
- * @param secret Value used as the input keying material
- * @param salt Cryptographic salt
- * @param info Context and application specific information
- * @param length Size of the derived key in bytes (default is 32 bytes)
- * @returns Derived key as Uint8Array and base64 encoded string
- */
-declare const deriveKey: (secret: SecretInput, salt: BinaryLike, info: string, length?: number) => {
-    key: ArrayBuffer;
-    derivedKey: Buffer<ArrayBuffer>;
-};
-/**
- * Create a derived key from a given secret.
- *
- * @param secret - The secret as a string or Uint8Array
- * @returns The secret in Uint8Array format
- */
-declare const createDeriveKey: (secret: SecretInput, salt?: BinaryLike, info?: string, length?: number) => {
-    key: ArrayBuffer;
-    derivedKey: Buffer<ArrayBuffer>;
-};
-
-export { type EncryptedPayload, type SecretInput, createDeriveKey, createJWE, createJWS, createJWT, decodeJWT, decryptJWE, deriveKey, encodeJWT, encryptJWE, signJWS, verifyJWS };
+export { JWTDecryptOptions, JWTVerifyOptions } from 'jose';
+import 'crypto';
+export { h as DecodedJWTPayloadOptions, D as DerivedKeyInput, a as EncryptOptions, E as EncryptedPayload, M as MIN_SECRET_ENTROPY_BITS, S as SecretInput, m as createDeriveKey, c as createJWE, createJWS, k as createJWT, b as createSecret, j as decodeJWT, d as decryptJWE, l as deriveKey, i as encodeJWT, e as encryptJWE, g as getEntropy, f as getSecrets, signJWS, verifyJWS } from './sign.js';

package/dist/index.js

@@ -1,38 +1,58 @@
 import {
   createDeriveKey,
   deriveKey
-} from "./chunk-ODRHALUH.js";
+} from "./chunk-CXN54JNY.js";
 import {
   createJWE,
   decryptJWE,
   encryptJWE
-} from "./chunk-T7MMDRY3.js";
+} from "./chunk-URDLFFH3.js";
 import {
   createJWS,
   signJWS,
   verifyJWS
-} from "./chunk-KSVD3YEC.js";
-import "./chunk-M4WAOCIJ.js";
+} from "./chunk-EX3NULRX.js";
+import {
+  MIN_SECRET_ENTROPY_BITS,
+  createSecret,
+  getEntropy,
+  getSecrets
+} from "./chunk-SES6WQL3.js";
+import {
+  isAuraJoseError
+} from "./chunk-ZHFHDRQH.js";
+import {
+  JWTDecodingError,
+  JWTEncodingError
+} from "./chunk-BMXFAB6Q.js";
 
 // src/index.ts
 var encodeJWT = async (token, secret) => {
   try {
-    const { signJWS: signJWS2 } = createJWS(secret);
-    const { encryptJWE: encryptJWE2 } = createJWE(secret);
+    const { jweSecret, jwsSecret } = getSecrets(secret);
+    const { signJWS: signJWS2 } = createJWS(jwsSecret);
+    const { encryptJWE: encryptJWE2 } = createJWE(jweSecret);
     const signed = await signJWS2(token);
     return await encryptJWE2(signed);
   } catch (error) {
-    throw new Error("Failed to encode JWT", { cause: error });
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWTEncodingError("JWT encoding failed", { cause: error });
   }
 };
-var decodeJWT = async (token, secret) => {
+var decodeJWT = async (token, secret, options) => {
   try {
-    const { verifyJWS: verifyJWS2 } = createJWS(secret);
-    const { decryptJWE: decryptJWE2 } = createJWE(secret);
-    const decrypted = await decryptJWE2(token);
-    return await verifyJWS2(decrypted);
+    const { jweSecret, jwsSecret } = getSecrets(secret);
+    const { verifyJWS: verifyJWS2 } = createJWS(jwsSecret);
+    const { decryptJWE: decryptJWE2 } = createJWE(jweSecret);
+    const decrypted = await decryptJWE2(token, options?.jwt);
+    return await verifyJWS2(decrypted, options?.jws);
   } catch (error) {
-    throw new Error("Failed to decode JWT", { cause: error });
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWTDecodingError("JWT decoding failed", { cause: error });
   }
 };
 var createJWT = (secret) => {
@@ -42,15 +62,19 @@ var createJWT = (secret) => {
   };
 };
 export {
+  MIN_SECRET_ENTROPY_BITS,
   createDeriveKey,
   createJWE,
   createJWS,
   createJWT,
+  createSecret,
   decodeJWT,
   decryptJWE,
   deriveKey,
   encodeJWT,
   encryptJWE,
+  getEntropy,
+  getSecrets,
   signJWS,
   verifyJWS
 };

package/dist/secret.cjs

@@ -20,20 +20,80 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/secret.ts
 var secret_exports = {};
 __export(secret_exports, {
-  createSecret: () => createSecret
+  MIN_SECRET_ENTROPY_BITS: () => MIN_SECRET_ENTROPY_BITS,
+  createSecret: () => createSecret,
+  getEntropy: () => getEntropy,
+  getSecrets: () => getSecrets
 });
 module.exports = __toCommonJS(secret_exports);
-var createSecret = (secret) => {
-  if (secret === void 0) throw new Error("Secret is required");
+
+// src/errors.ts
+var AuraJoseError = class extends Error {
+  static code = "ERR_AURA_JOSE_ERROR";
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = new.target.name;
+    this.code = new.target.code;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var InvalidSecretError = class extends AuraJoseError {
+  static code = "ERR_INVALID_SECRET";
+};
+
+// src/assert.ts
+var isObject = (value) => {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+
+// src/secret.ts
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new Error("Secret string must be at least 32 characters long");
+    const byteLength = new TextEncoder().encode(secret).byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
     return new Uint8Array(Buffer.from(secret, "utf-8"));
   }
   return secret;
 };
+var getSecrets = (secret) => {
+  const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;
+  const jweSecret = isObject(secret) && "jwe" in secret ? secret.jwe : secret;
+  return {
+    jwsSecret,
+    jweSecret
+  };
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  createSecret
+  MIN_SECRET_ENTROPY_BITS,
+  createSecret,
+  getEntropy,
+  getSecrets
 });