@aura-stack/jose 0.1.0 → 0.3.0

package/dist/secret.d.ts

@@ -1,14 +1,3 @@
-import * as crypto from 'crypto';
-import { SecretInput } from './index.js';
-import 'node:crypto';
+import 'crypto';
+export { M as MIN_SECRET_ENTROPY_BITS, b as createSecret, g as getEntropy, f as getSecrets } from './sign.js';
 import 'jose';
-
-/**
- * Create a secret in Uint8Array format
- *
- * @param secret - The secret as a string or Uint8Array
- * @returns The secret in Uint8Array format
- */
-declare const createSecret: (secret: SecretInput) => crypto.KeyObject | Uint8Array<ArrayBufferLike>;
-
-export { createSecret };

package/dist/secret.js

@@ -1,6 +1,14 @@
 import {
-  createSecret
-} from "./chunk-M4WAOCIJ.js";
+  MIN_SECRET_ENTROPY_BITS,
+  createSecret,
+  getEntropy,
+  getSecrets
+} from "./chunk-SES6WQL3.js";
+import "./chunk-ZHFHDRQH.js";
+import "./chunk-BMXFAB6Q.js";
 export {
-  createSecret
+  MIN_SECRET_ENTROPY_BITS,
+  createSecret,
+  getEntropy,
+  getSecrets
 };

package/dist/sign.cjs

@@ -35,15 +35,77 @@ __export(sign_exports, {
   verifyJWS: () => verifyJWS
 });
 module.exports = __toCommonJS(sign_exports);
-var import_node_crypto = __toESM(require("crypto"), 1);
+var import_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
+// src/errors.ts
+var AuraJoseError = class extends Error {
+  static code = "ERR_AURA_JOSE_ERROR";
+  code;
+  constructor(message, options) {
+    super(message, options);
+    this.name = new.target.name;
+    this.code = new.target.code;
+    Error.captureStackTrace(this, new.target);
+  }
+};
+var InvalidPayloadError = class extends AuraJoseError {
+  static code = "ERR_INVALID_PAYLOAD";
+};
+var JWSVerificationError = class extends AuraJoseError {
+  static code = "ERR_JWS_VERIFICATION";
+};
+var JWSSigningError = class extends AuraJoseError {
+  static code = "ERR_JWS_SIGNING";
+};
+var InvalidSecretError = class extends AuraJoseError {
+  static code = "ERR_INVALID_SECRET";
+};
+
+// src/assert.ts
+var isAuraJoseError = (error) => {
+  return error instanceof AuraJoseError;
+};
+var isFalsy = (value) => {
+  return value === null || value === void 0 || value === false || value === 0 || value === "" || Number.isNaN(value);
+};
+var isObject = (value) => {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+var isInvalidPayload = (payload) => {
+  return isFalsy(payload) || !isObject(payload) || typeof payload === "object" && payload !== null && !Array.isArray(payload) && Object.keys(payload).length === 0;
+};
+
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new Error("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new Error("Secret string must be at least 32 characters long");
+    const byteLength = new TextEncoder().encode(secret).byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
     return new Uint8Array(Buffer.from(secret, "utf-8"));
   }
@@ -52,23 +114,39 @@ var createSecret = (secret) => {
 
 // src/sign.ts
 var signJWS = async (payload, secret) => {
-  const secretKey = createSecret(secret);
-  const jti = import_node_crypto.default.randomBytes(32).toString("base64");
-  return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).sign(secretKey);
+  try {
+    if (isInvalidPayload(payload)) {
+      throw new InvalidPayloadError("The payload must be a non-empty object");
+    }
+    const secretKey = createSecret(secret);
+    const jti = import_crypto.default.randomBytes(32).toString("base64url");
+    return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
+  } catch (error) {
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWSSigningError("JWS signing failed", { cause: error });
+  }
 };
-var verifyJWS = async (token, secret) => {
+var verifyJWS = async (token, secret, options) => {
   try {
+    if (isFalsy(token)) {
+      throw new InvalidPayloadError("The token must be a non-empty string");
+    }
     const secretKey = createSecret(secret);
-    const { payload } = await (0, import_jose.jwtVerify)(token, secretKey);
+    const { payload } = await (0, import_jose.jwtVerify)(token, secretKey, options);
     return payload;
   } catch (error) {
-    throw new Error("Invalid JWS", { cause: error });
+    if (isAuraJoseError(error)) {
+      throw error;
+    }
+    throw new JWSVerificationError("JWS signature verification failed", { cause: error });
   }
 };
 var createJWS = (secret) => {
   return {
     signJWS: (payload) => signJWS(payload, secret),
-    verifyJWS: (payload) => verifyJWS(payload, secret)
+    verifyJWS: (payload, options) => verifyJWS(payload, secret, options)
   };
 };
 // Annotate the CommonJS export names for ESM import in node:

package/dist/sign.d.ts

@@ -1,3 +1,174 @@
-import 'jose';
-export { createJWS, signJWS, verifyJWS } from './index.js';
-import 'node:crypto';
+import * as crypto from 'crypto';
+import { KeyObject, BinaryLike } from 'crypto';
+import { JWTPayload, JWTVerifyOptions, JWTDecryptOptions } from 'jose';
+export { JWTVerifyOptions } from 'jose';
+
+/**
+ * Sign a standard JWT token with the following claims:
+ *  - alg: algorithm used to sign the JWT
+ *  - typ: type of the token
+ *  - iat: time at which the JWT was issued
+ *  - nbf: not before time of the JWT
+ *  - exp: expiration time of the JWT
+ *  - jti: unique identifier to avoid collisions
+ *
+ * @param payload - Payload data information to sign the JWT
+ * @param secret - Secret key to sign the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Signed JWT string
+ */
+declare const signJWS: (payload: JWTPayload, secret: SecretInput) => Promise<string>;
+/**
+ * Verify the integrity of a JWT token and return the payload if valid, rejecting
+ * tokens that use the "none" algorithm to prevent unsecured tokens.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7519#section-6 Unsecured JWTs
+ * @param token - JWT string to verify
+ * @param secret - CryptoKey or KeyObject used to verify the JWT
+ * @param options - Additional JWT verification options
+ * @returns verify and return the payload of the JWT
+ */
+declare const verifyJWS: (token: string, secret: SecretInput, options?: JWTVerifyOptions) => Promise<JWTPayload>;
+/**
+ * Create a JWS (JSON Web Signature) signer and verifier. It implements the `signJWS`
+ * and `verifyJWS` functions of the module.
+ *
+ * @param secret - Secret key used for signing and verifying the JWS
+ * @returns signJWS and verifyJWS functions
+ */
+declare const createJWS: (secret: SecretInput) => {
+    signJWS: (payload: JWTPayload) => Promise<string>;
+    verifyJWS: (payload: string, options?: JWTVerifyOptions) => Promise<JWTPayload>;
+};
+
+interface EncryptedPayload {
+    payload: string;
+}
+interface EncryptOptions {
+    nbf?: string | number | Date;
+    exp?: string | number | Date;
+}
+/**
+ * Encrypt a standard JWT token with the following claims:
+ *  - alg: algorithm used to encrypt the JWT
+ *  - enc: encryption method used
+ *  - typ: type of the token
+ *  - cty: content type of the token
+ *
+ * @param payload - Payload data information to encrypt the JWT
+ * @param secret - Secret key to encrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Encrypted JWT string
+ */
+declare const encryptJWE: (payload: string, secret: SecretInput, options?: EncryptOptions) => Promise<string>;
+/**
+ * Decrypt a JWE token and return the payload if valid.
+ *
+ * @param token - Encrypted JWT string to decrypt
+ * @param secret - Secret key to decrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Decrypted JWT payload string
+ */
+declare const decryptJWE: (token: string, secret: SecretInput, options?: JWTDecryptOptions) => Promise<string>;
+/**
+ * Creates a `JWE (JSON Web Encryption)` encrypter and decrypter. It implements the `encryptJWE`
+ * and `decryptJWE` functions of the module.
+ *
+ * @param secret - Secret key used for encrypting and decrypting the JWE
+ * @returns encryptJWE and decryptJWE functions
+ */
+declare const createJWE: (secret: SecretInput) => {
+    encryptJWE: (payload: string, options?: EncryptOptions) => Promise<string>;
+    decryptJWE: (payload: string, options?: JWTDecryptOptions) => Promise<string>;
+};
+
+declare const MIN_SECRET_ENTROPY_BITS = 4.5;
+declare const getEntropy: (secret: string) => number;
+/**
+ * Create a secret in Uint8Array format
+ *
+ * @param secret - The secret as a string or Uint8Array
+ * @returns The secret in Uint8Array format
+ */
+declare const createSecret: (secret: SecretInput, length?: number) => crypto.KeyObject | Uint8Array<ArrayBufferLike>;
+declare const getSecrets: (secret: SecretInput | DerivedKeyInput) => {
+    jwsSecret: SecretInput;
+    jweSecret: SecretInput;
+};
+
+/**
+ * @module @aura-stack/jose
+ */
+
+type SecretInput = KeyObject | Uint8Array | string;
+type DerivedKeyInput = {
+    jws: SecretInput;
+    jwe: SecretInput;
+};
+type DecodedJWTPayloadOptions = {
+    jws: JWTVerifyOptions;
+    jwt: JWTDecryptOptions;
+};
+/**
+ * Encode a JWT signed and encrypted token. The token first signed using JWS
+ * and then encrypted using JWE to ensure both integrity and confidentiality.
+ * It implements the `signJWS` and `encryptJWE` functions of the module.
+ *
+ * Based on the RFC 7519 standard
+ * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
+ * - Nested JWTs should be signed and then encrypted: https://datatracker.ietf.org/doc/html/rfc7519#section-5.2
+ * - Ensuring the integrity and confidentiality of the claims: https://datatracker.ietf.org/doc/html/rfc7519#section-11.2
+ *
+ * @param token - Payload data to encode in the JWT
+ * @param secret - Secret key used for both signing and encrypting the JWT
+ * @returns Promise resolving to the signed and encrypted JWT string
+ */
+declare const encodeJWT: (token: JWTPayload, secret: SecretInput | DerivedKeyInput) => Promise<string>;
+/**
+ * Decode a JWT signed and encrypted token. The token is first decrypted using JWE
+ * and then verified using JWS to ensure both confidentiality and integrity. It
+ * implements the `decryptJWE` and `verifyJWS` functions of the module.
+ *
+ * Based on the RFC 7519 standard
+ * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
+ * - Validating a JWT: https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
+ * @param token
+ * @param secret
+ * @returns
+ */
+declare const decodeJWT: (token: string, secret: SecretInput | DerivedKeyInput, options?: DecodedJWTPayloadOptions) => Promise<JWTPayload>;
+/**
+ * Create a JWT handler with encode and decode methods to `signJWS/encryptJWE` and `verifyJWS/decryptJWE`
+ * JWT tokens. The JWTs are signed and verified using JWS and encrypted and decrypted using JWE. It
+ * implements the `signJWS`, `verifyJWS`, `encryptJWE` and `decryptJWE` functions of the module.
+ *
+ * @param secret - Secret key used for signing, verifying, encrypting and decrypting the JWT
+ * @returns JWT handler object with `signJWS/encryptJWE` and `verifyJWS/decryptJWE` methods
+ */
+declare const createJWT: (secret: SecretInput | DerivedKeyInput) => {
+    encodeJWT: (payload: JWTPayload) => Promise<string>;
+    decodeJWT: (token: string) => Promise<JWTPayload>;
+};
+
+/**
+ * Generate a derived key using HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
+ *
+ * @param secret Value used as the input keying material
+ * @param salt Cryptographic salt
+ * @param info Context and application specific information
+ * @param length Size of the derived key in bytes (default is 32 bytes)
+ * @returns Derived key as Uint8Array and base64 encoded string
+ */
+declare const deriveKey: (secret: SecretInput, salt: BinaryLike, info: string, length?: number) => {
+    key: ArrayBuffer;
+    derivedKey: Buffer<ArrayBuffer>;
+};
+/**
+ * Create a derived key from a given secret.
+ *
+ * @param secret - The secret as a string or Uint8Array
+ * @returns The secret in Uint8Array format
+ */
+declare const createDeriveKey: (secret: SecretInput, salt?: BinaryLike, info?: string, length?: number) => {
+    key: ArrayBuffer;
+    derivedKey: Buffer<ArrayBuffer>;
+};
+
+export { type DerivedKeyInput as D, type EncryptedPayload as E, MIN_SECRET_ENTROPY_BITS as M, type SecretInput as S, type EncryptOptions as a, createSecret as b, createJWE as c, createJWS, decryptJWE as d, encryptJWE as e, getSecrets as f, getEntropy as g, type DecodedJWTPayloadOptions as h, encodeJWT as i, decodeJWT as j, createJWT as k, deriveKey as l, createDeriveKey as m, signJWS, verifyJWS };

package/dist/sign.js

@@ -2,8 +2,10 @@ import {
   createJWS,
   signJWS,
   verifyJWS
-} from "./chunk-KSVD3YEC.js";
-import "./chunk-M4WAOCIJ.js";
+} from "./chunk-EX3NULRX.js";
+import "./chunk-SES6WQL3.js";
+import "./chunk-ZHFHDRQH.js";
+import "./chunk-BMXFAB6Q.js";
 export {
   createJWS,
   signJWS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aura-stack/jose",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "private": false,
   "type": "module",
   "description": "JOSE utilities for @aura-stack/auth",
@@ -57,6 +57,8 @@
     "jose": "^6.1.2"
   },
   "devDependencies": {
+    "@types/node": "^24.9.2",
+    "typescript": "^5.9.2",
     "@aura-stack/tsconfig": "0.0.0",
     "@aura-stack/tsup-config": "0.0.0"
   },

package/dist/chunk-KSVD3YEC.js

@@ -1,33 +0,0 @@
-import {
-  createSecret
-} from "./chunk-M4WAOCIJ.js";
-
-// src/sign.ts
-import crypto from "crypto";
-import { jwtVerify, SignJWT } from "jose";
-var signJWS = async (payload, secret) => {
-  const secretKey = createSecret(secret);
-  const jti = crypto.randomBytes(32).toString("base64");
-  return new SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).sign(secretKey);
-};
-var verifyJWS = async (token, secret) => {
-  try {
-    const secretKey = createSecret(secret);
-    const { payload } = await jwtVerify(token, secretKey);
-    return payload;
-  } catch (error) {
-    throw new Error("Invalid JWS", { cause: error });
-  }
-};
-var createJWS = (secret) => {
-  return {
-    signJWS: (payload) => signJWS(payload, secret),
-    verifyJWS: (payload) => verifyJWS(payload, secret)
-  };
-};
-
-export {
-  signJWS,
-  verifyJWS,
-  createJWS
-};

package/dist/chunk-M4WAOCIJ.js

@@ -1,15 +0,0 @@
-// src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new Error("Secret is required");
-  if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new Error("Secret string must be at least 32 characters long");
-    }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
-  }
-  return secret;
-};
-
-export {
-  createSecret
-};

package/dist/chunk-T7MMDRY3.js

@@ -1,33 +0,0 @@
-import {
-  createSecret
-} from "./chunk-M4WAOCIJ.js";
-
-// src/encrypt.ts
-import crypto from "crypto";
-import { EncryptJWT, jwtDecrypt } from "jose";
-var encryptJWE = async (payload, secret) => {
-  const secretKey = createSecret(secret);
-  const jti = crypto.randomBytes(32).toString("base64");
-  return new EncryptJWT({ token: payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore("0s").setExpirationTime("15d").setJti(jti).encrypt(secretKey);
-};
-var decryptJWE = async (token, secret) => {
-  try {
-    const secretKey = createSecret(secret);
-    const { payload } = await jwtDecrypt(token, secretKey);
-    return payload.token;
-  } catch (error) {
-    throw new Error("Invalid JWE", { cause: error });
-  }
-};
-var createJWE = (secret) => {
-  return {
-    encryptJWE: (payload) => encryptJWE(payload, secret),
-    decryptJWE: (payload) => decryptJWE(payload, secret)
-  };
-};
-
-export {
-  encryptJWE,
-  decryptJWE,
-  createJWE
-};