@aura-stack/jose 0.2.0 → 0.3.0

package/dist/{chunk-K5BQTFSO.js → chunk-CXN54JNY.js}

@@ -1,6 +1,6 @@
 import {
   createSecret
-} from "./chunk-GXM4P5MQ.js";
+} from "./chunk-SES6WQL3.js";
 
 // src/deriveKey.ts
 import { hkdfSync } from "crypto";

package/dist/{chunk-ZHDED44B.js → chunk-EX3NULRX.js}

@@ -1,6 +1,6 @@
 import {
   createSecret
-} from "./chunk-GXM4P5MQ.js";
+} from "./chunk-SES6WQL3.js";
 import {
   isAuraJoseError,
   isFalsy,

package/dist/chunk-SES6WQL3.js

@@ -0,0 +1,57 @@
+import {
+  isObject
+} from "./chunk-ZHFHDRQH.js";
+import {
+  InvalidSecretError
+} from "./chunk-BMXFAB6Q.js";
+
+// src/secret.ts
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
+  if (typeof secret === "string") {
+    const byteLength = new TextEncoder().encode(secret).byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
+    }
+    return new Uint8Array(Buffer.from(secret, "utf-8"));
+  }
+  return secret;
+};
+var getSecrets = (secret) => {
+  const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;
+  const jweSecret = isObject(secret) && "jwe" in secret ? secret.jwe : secret;
+  return {
+    jwsSecret,
+    jweSecret
+  };
+};
+
+export {
+  MIN_SECRET_ENTROPY_BITS,
+  getEntropy,
+  createSecret,
+  getSecrets
+};

package/dist/{chunk-VPFE27PW.js → chunk-URDLFFH3.js}

@@ -1,6 +1,6 @@
 import {
   createSecret
-} from "./chunk-GXM4P5MQ.js";
+} from "./chunk-SES6WQL3.js";
 import {
   isAuraJoseError,
   isFalsy

package/dist/deriveKey.cjs

@@ -24,7 +24,7 @@ __export(deriveKey_exports, {
   deriveKey: () => deriveKey
 });
 module.exports = __toCommonJS(deriveKey_exports);
-var import_node_crypto = require("crypto");
+var import_crypto = require("crypto");
 
 // src/errors.ts
 var AuraJoseError = class extends Error {
@@ -42,11 +42,35 @@ var InvalidSecretError = class extends AuraJoseError {
 };
 
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const byteLength = new TextEncoder().encode(secret).byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
     return new Uint8Array(Buffer.from(secret, "utf-8"));
   }
@@ -56,7 +80,7 @@ var createSecret = (secret) => {
 // src/deriveKey.ts
 var deriveKey = (secret, salt, info, length = 32) => {
   try {
-    const key = (0, import_node_crypto.hkdfSync)("SHA256", secret, salt, info, length);
+    const key = (0, import_crypto.hkdfSync)("SHA256", secret, salt, info, length);
     const derivedKey = Buffer.from(key);
     return {
       key,

package/dist/deriveKey.d.ts

@@ -1,3 +1,3 @@
-import 'node:crypto';
-export { createDeriveKey, deriveKey } from './index.js';
+import 'crypto';
+export { m as createDeriveKey, l as deriveKey } from './sign.js';
 import 'jose';

package/dist/deriveKey.js

@@ -1,8 +1,8 @@
 import {
   createDeriveKey,
   deriveKey
-} from "./chunk-K5BQTFSO.js";
-import "./chunk-GXM4P5MQ.js";
+} from "./chunk-CXN54JNY.js";
+import "./chunk-SES6WQL3.js";
 import "./chunk-ZHFHDRQH.js";
 import "./chunk-BMXFAB6Q.js";
 export {

package/dist/encrypt.cjs

@@ -35,7 +35,7 @@ __export(encrypt_exports, {
   encryptJWE: () => encryptJWE
 });
 module.exports = __toCommonJS(encrypt_exports);
-var import_node_crypto = __toESM(require("crypto"), 1);
+var import_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
 // src/errors.ts
@@ -71,11 +71,35 @@ var isFalsy = (value) => {
 };
 
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const byteLength = new TextEncoder().encode(secret).byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
     return new Uint8Array(Buffer.from(secret, "utf-8"));
   }
@@ -89,7 +113,7 @@ var encryptJWE = async (payload, secret, options) => {
       throw new InvalidPayloadError("The payload must be a non-empty string");
     }
     const secretKey = createSecret(secret);
-    const jti = import_node_crypto.default.randomBytes(32).toString("base64url");
+    const jti = import_crypto.default.randomBytes(32).toString("base64url");
     return new import_jose.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {

package/dist/encrypt.d.ts

@@ -1,3 +1,3 @@
 export { JWTDecryptOptions } from 'jose';
-export { EncryptOptions, EncryptedPayload, createJWE, decryptJWE, encryptJWE } from './index.js';
-import 'node:crypto';
+export { a as EncryptOptions, E as EncryptedPayload, c as createJWE, d as decryptJWE, e as encryptJWE } from './sign.js';
+import 'crypto';

package/dist/encrypt.js

@@ -2,8 +2,8 @@ import {
   createJWE,
   decryptJWE,
   encryptJWE
-} from "./chunk-VPFE27PW.js";
-import "./chunk-GXM4P5MQ.js";
+} from "./chunk-URDLFFH3.js";
+import "./chunk-SES6WQL3.js";
 import "./chunk-ZHFHDRQH.js";
 import "./chunk-BMXFAB6Q.js";
 export {

package/dist/index.cjs

@@ -30,22 +30,26 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  MIN_SECRET_ENTROPY_BITS: () => MIN_SECRET_ENTROPY_BITS,
   createDeriveKey: () => createDeriveKey,
   createJWE: () => createJWE,
   createJWS: () => createJWS,
   createJWT: () => createJWT,
+  createSecret: () => createSecret,
   decodeJWT: () => decodeJWT,
   decryptJWE: () => decryptJWE,
   deriveKey: () => deriveKey,
   encodeJWT: () => encodeJWT,
   encryptJWE: () => encryptJWE,
+  getEntropy: () => getEntropy,
+  getSecrets: () => getSecrets,
   signJWS: () => signJWS,
   verifyJWS: () => verifyJWS
 });
 module.exports = __toCommonJS(index_exports);
 
 // src/sign.ts
-var import_node_crypto = __toESM(require("crypto"), 1);
+var import_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
 // src/errors.ts
@@ -99,11 +103,35 @@ var isInvalidPayload = (payload) => {
 };
 
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const byteLength = new TextEncoder().encode(secret).byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
     return new Uint8Array(Buffer.from(secret, "utf-8"));
   }
@@ -125,7 +153,7 @@ var signJWS = async (payload, secret) => {
       throw new InvalidPayloadError("The payload must be a non-empty object");
     }
     const secretKey = createSecret(secret);
-    const jti = import_node_crypto.default.randomBytes(32).toString("base64url");
+    const jti = import_crypto.default.randomBytes(32).toString("base64url");
     return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
@@ -157,7 +185,7 @@ var createJWS = (secret) => {
 };
 
 // src/encrypt.ts
-var import_node_crypto2 = __toESM(require("crypto"), 1);
+var import_crypto2 = __toESM(require("crypto"), 1);
 var import_jose2 = require("jose");
 var encryptJWE = async (payload, secret, options) => {
   try {
@@ -165,7 +193,7 @@ var encryptJWE = async (payload, secret, options) => {
       throw new InvalidPayloadError("The payload must be a non-empty string");
     }
     const secretKey = createSecret(secret);
-    const jti = import_node_crypto2.default.randomBytes(32).toString("base64url");
+    const jti = import_crypto2.default.randomBytes(32).toString("base64url");
     return new import_jose2.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
@@ -197,10 +225,10 @@ var createJWE = (secret) => {
 };
 
 // src/deriveKey.ts
-var import_node_crypto3 = require("crypto");
+var import_crypto3 = require("crypto");
 var deriveKey = (secret, salt, info, length = 32) => {
   try {
-    const key = (0, import_node_crypto3.hkdfSync)("SHA256", secret, salt, info, length);
+    const key = (0, import_crypto3.hkdfSync)("SHA256", secret, salt, info, length);
     const derivedKey = Buffer.from(key);
     return {
       key,
@@ -230,13 +258,13 @@ var encodeJWT = async (token, secret) => {
     throw new JWTEncodingError("JWT encoding failed", { cause: error });
   }
 };
-var decodeJWT = async (token, secret) => {
+var decodeJWT = async (token, secret, options) => {
   try {
     const { jweSecret, jwsSecret } = getSecrets(secret);
     const { verifyJWS: verifyJWS2 } = createJWS(jwsSecret);
     const { decryptJWE: decryptJWE2 } = createJWE(jweSecret);
-    const decrypted = await decryptJWE2(token);
-    return await verifyJWS2(decrypted);
+    const decrypted = await decryptJWE2(token, options?.jwt);
+    return await verifyJWS2(decrypted, options?.jws);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;
@@ -252,15 +280,19 @@ var createJWT = (secret) => {
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  MIN_SECRET_ENTROPY_BITS,
   createDeriveKey,
   createJWE,
   createJWS,
   createJWT,
+  createSecret,
   decodeJWT,
   decryptJWE,
   deriveKey,
   encodeJWT,
   encryptJWE,
+  getEntropy,
+  getSecrets,
   signJWS,
   verifyJWS
 });

package/dist/index.d.ts

@@ -1,154 +1,3 @@
-import { KeyObject, BinaryLike } from 'node:crypto';
-import { JWTPayload, JWTVerifyOptions, JWTDecryptOptions } from 'jose';
 export { JWTDecryptOptions, JWTVerifyOptions } from 'jose';
-
-/**
- * Sign a standard JWT token with the following claims:
- *  - alg: algorithm used to sign the JWT
- *  - typ: type of the token
- *  - iat: time at which the JWT was issued
- *  - nbf: not before time of the JWT
- *  - exp: expiration time of the JWT
- *  - jti: unique identifier to avoid collisions
- *
- * @param payload - Payload data information to sign the JWT
- * @param secret - Secret key to sign the JWT (CryptoKey, KeyObject, string or Uint8Array)
- * @returns Signed JWT string
- */
-declare const signJWS: (payload: JWTPayload, secret: SecretInput) => Promise<string>;
-/**
- * Verify the integrity of a JWT token and return the payload if valid, rejecting
- * tokens that use the "none" algorithm to prevent unsecured tokens.
- *
- * @see https://datatracker.ietf.org/doc/html/rfc7519#section-6 Unsecured JWTs
- * @param token - JWT string to verify
- * @param secret - CryptoKey or KeyObject used to verify the JWT
- * @returns verify and return the payload of the JWT
- */
-declare const verifyJWS: (token: string, secret: SecretInput, options?: JWTVerifyOptions) => Promise<JWTPayload>;
-/**
- * Create a JWS (JSON Web Signature) signer and verifier. It implements the `signJWS`
- * and `verifyJWS` functions of the module.
- *
- * @param secret - Secret key used for signing and verifying the JWS
- * @returns signJWS and verifyJWS functions
- */
-declare const createJWS: (secret: SecretInput) => {
-    signJWS: (payload: JWTPayload) => Promise<string>;
-    verifyJWS: (payload: string, options?: JWTVerifyOptions) => Promise<JWTPayload>;
-};
-
-interface EncryptedPayload {
-    payload: string;
-}
-interface EncryptOptions {
-    nbf?: string | number | Date;
-    exp?: string | number | Date;
-}
-/**
- * Encrypt a standard JWT token with the following claims:
- *  - alg: algorithm used to encrypt the JWT
- *  - enc: encryption method used
- *  - typ: type of the token
- *  - cty: content type of the token
- *
- * @param payload - Payload data information to encrypt the JWT
- * @param secret - Secret key to encrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
- * @returns Encrypted JWT string
- */
-declare const encryptJWE: (payload: string, secret: SecretInput, options?: EncryptOptions) => Promise<string>;
-/**
- * Decrypt a JWE token and return the payload if valid.
- *
- * @param token - Encrypted JWT string to decrypt
- * @param secret - Secret key to decrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
- * @returns Decrypted JWT payload string
- */
-declare const decryptJWE: (token: string, secret: SecretInput, options?: JWTDecryptOptions) => Promise<string>;
-/**
- * Creates a `JWE (JSON Web Encryption)` encrypter and decrypter. It implements the `encryptJWE`
- * and `decryptJWE` functions of the module.
- *
- * @param secret - Secret key used for encrypting and decrypting the JWE
- * @returns encryptJWE and decryptJWE functions
- */
-declare const createJWE: (secret: SecretInput) => {
-    encryptJWE: (payload: string, options?: EncryptOptions) => Promise<string>;
-    decryptJWE: (payload: string, options?: JWTDecryptOptions) => Promise<string>;
-};
-
-/**
- * @module @aura-stack/jose
- */
-
-type SecretInput = KeyObject | Uint8Array | string;
-type DerivedKeyInput = {
-    jws: SecretInput;
-    jwe: SecretInput;
-};
-/**
- * Encode a JWT signed and encrypted token. The token first signed using JWS
- * and then encrypted using JWE to ensure both integrity and confidentiality.
- * It implements the `signJWS` and `encryptJWE` functions of the module.
- *
- * Based on the RFC 7519 standard
- * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
- * - Nested JWTs should be signed and then encrypted: https://datatracker.ietf.org/doc/html/rfc7519#section-5.2
- * - Ensuring the integrity and confidentiality of the claims: https://datatracker.ietf.org/doc/html/rfc7519#section-11.2
- *
- * @param token - Payload data to encode in the JWT
- * @param secret - Secret key used for both signing and encrypting the JWT
- * @returns Promise resolving to the signed and encrypted JWT string
- */
-declare const encodeJWT: (token: JWTPayload, secret: SecretInput | DerivedKeyInput) => Promise<string>;
-/**
- * Decode a JWT signed and encrypted token. The token is first decrypted using JWE
- * and then verified using JWS to ensure both confidentiality and integrity. It
- * implements the `decryptJWE` and `verifyJWS` functions of the module.
- *
- * Based on the RFC 7519 standard
- * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
- * - Validating a JWT: https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
- * @param token
- * @param secret
- * @returns
- */
-declare const decodeJWT: (token: string, secret: SecretInput | DerivedKeyInput) => Promise<JWTPayload>;
-/**
- * Create a JWT handler with encode and decode methods to `signJWS/encryptJWE` and `verifyJWS/decryptJWE`
- * JWT tokens. The JWTs are signed and verified using JWS and encrypted and decrypted using JWE. It
- * implements the `signJWS`, `verifyJWS`, `encryptJWE` and `decryptJWE` functions of the module.
- *
- * @param secret - Secret key used for signing, verifying, encrypting and decrypting the JWT
- * @returns JWT handler object with `signJWS/encryptJWE` and `verifyJWS/decryptJWE` methods
- */
-declare const createJWT: (secret: SecretInput | DerivedKeyInput) => {
-    encodeJWT: (payload: JWTPayload) => Promise<string>;
-    decodeJWT: (token: string) => Promise<JWTPayload>;
-};
-
-/**
- * Generate a derived key using HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
- *
- * @param secret Value used as the input keying material
- * @param salt Cryptographic salt
- * @param info Context and application specific information
- * @param length Size of the derived key in bytes (default is 32 bytes)
- * @returns Derived key as Uint8Array and base64 encoded string
- */
-declare const deriveKey: (secret: SecretInput, salt: BinaryLike, info: string, length?: number) => {
-    key: ArrayBuffer;
-    derivedKey: Buffer<ArrayBuffer>;
-};
-/**
- * Create a derived key from a given secret.
- *
- * @param secret - The secret as a string or Uint8Array
- * @returns The secret in Uint8Array format
- */
-declare const createDeriveKey: (secret: SecretInput, salt?: BinaryLike, info?: string, length?: number) => {
-    key: ArrayBuffer;
-    derivedKey: Buffer<ArrayBuffer>;
-};
-
-export { type DerivedKeyInput, type EncryptOptions, type EncryptedPayload, type SecretInput, createDeriveKey, createJWE, createJWS, createJWT, decodeJWT, decryptJWE, deriveKey, encodeJWT, encryptJWE, signJWS, verifyJWS };
+import 'crypto';
+export { h as DecodedJWTPayloadOptions, D as DerivedKeyInput, a as EncryptOptions, E as EncryptedPayload, M as MIN_SECRET_ENTROPY_BITS, S as SecretInput, m as createDeriveKey, c as createJWE, createJWS, k as createJWT, b as createSecret, j as decodeJWT, d as decryptJWE, l as deriveKey, i as encodeJWT, e as encryptJWE, g as getEntropy, f as getSecrets, signJWS, verifyJWS } from './sign.js';

package/dist/index.js

@@ -1,20 +1,23 @@
 import {
   createDeriveKey,
   deriveKey
-} from "./chunk-K5BQTFSO.js";
+} from "./chunk-CXN54JNY.js";
 import {
   createJWE,
   decryptJWE,
   encryptJWE
-} from "./chunk-VPFE27PW.js";
+} from "./chunk-URDLFFH3.js";
 import {
   createJWS,
   signJWS,
   verifyJWS
-} from "./chunk-ZHDED44B.js";
+} from "./chunk-EX3NULRX.js";
 import {
+  MIN_SECRET_ENTROPY_BITS,
+  createSecret,
+  getEntropy,
   getSecrets
-} from "./chunk-GXM4P5MQ.js";
+} from "./chunk-SES6WQL3.js";
 import {
   isAuraJoseError
 } from "./chunk-ZHFHDRQH.js";
@@ -38,13 +41,13 @@ var encodeJWT = async (token, secret) => {
     throw new JWTEncodingError("JWT encoding failed", { cause: error });
   }
 };
-var decodeJWT = async (token, secret) => {
+var decodeJWT = async (token, secret, options) => {
   try {
     const { jweSecret, jwsSecret } = getSecrets(secret);
     const { verifyJWS: verifyJWS2 } = createJWS(jwsSecret);
     const { decryptJWE: decryptJWE2 } = createJWE(jweSecret);
-    const decrypted = await decryptJWE2(token);
-    return await verifyJWS2(decrypted);
+    const decrypted = await decryptJWE2(token, options?.jwt);
+    return await verifyJWS2(decrypted, options?.jws);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;
@@ -59,15 +62,19 @@ var createJWT = (secret) => {
   };
 };
 export {
+  MIN_SECRET_ENTROPY_BITS,
   createDeriveKey,
   createJWE,
   createJWS,
   createJWT,
+  createSecret,
   decodeJWT,
   decryptJWE,
   deriveKey,
   encodeJWT,
   encryptJWE,
+  getEntropy,
+  getSecrets,
   signJWS,
   verifyJWS
 };

package/dist/secret.cjs

@@ -20,7 +20,9 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/secret.ts
 var secret_exports = {};
 __export(secret_exports, {
+  MIN_SECRET_ENTROPY_BITS: () => MIN_SECRET_ENTROPY_BITS,
   createSecret: () => createSecret,
+  getEntropy: () => getEntropy,
   getSecrets: () => getSecrets
 });
 module.exports = __toCommonJS(secret_exports);
@@ -46,11 +48,35 @@ var isObject = (value) => {
 };
 
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const byteLength = new TextEncoder().encode(secret).byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
     return new Uint8Array(Buffer.from(secret, "utf-8"));
   }
@@ -66,6 +92,8 @@ var getSecrets = (secret) => {
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  MIN_SECRET_ENTROPY_BITS,
   createSecret,
+  getEntropy,
   getSecrets
 });

package/dist/secret.d.ts

@@ -1,18 +1,3 @@
-import * as crypto from 'crypto';
-import { SecretInput, DerivedKeyInput } from './index.js';
-import 'node:crypto';
+import 'crypto';
+export { M as MIN_SECRET_ENTROPY_BITS, b as createSecret, g as getEntropy, f as getSecrets } from './sign.js';
 import 'jose';
-
-/**
- * Create a secret in Uint8Array format
- *
- * @param secret - The secret as a string or Uint8Array
- * @returns The secret in Uint8Array format
- */
-declare const createSecret: (secret: SecretInput) => crypto.KeyObject | Uint8Array<ArrayBufferLike>;
-declare const getSecrets: (secret: SecretInput | DerivedKeyInput) => {
-    jwsSecret: SecretInput;
-    jweSecret: SecretInput;
-};
-
-export { createSecret, getSecrets };

package/dist/secret.js

@@ -1,10 +1,14 @@
 import {
+  MIN_SECRET_ENTROPY_BITS,
   createSecret,
+  getEntropy,
   getSecrets
-} from "./chunk-GXM4P5MQ.js";
+} from "./chunk-SES6WQL3.js";
 import "./chunk-ZHFHDRQH.js";
 import "./chunk-BMXFAB6Q.js";
 export {
+  MIN_SECRET_ENTROPY_BITS,
   createSecret,
+  getEntropy,
   getSecrets
 };

package/dist/sign.cjs

@@ -35,7 +35,7 @@ __export(sign_exports, {
   verifyJWS: () => verifyJWS
 });
 module.exports = __toCommonJS(sign_exports);
-var import_node_crypto = __toESM(require("crypto"), 1);
+var import_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
 // src/errors.ts
@@ -77,11 +77,35 @@ var isInvalidPayload = (payload) => {
 };
 
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const byteLength = new TextEncoder().encode(secret).byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
     return new Uint8Array(Buffer.from(secret, "utf-8"));
   }
@@ -95,7 +119,7 @@ var signJWS = async (payload, secret) => {
       throw new InvalidPayloadError("The payload must be a non-empty object");
     }
     const secretKey = createSecret(secret);
-    const jti = import_node_crypto.default.randomBytes(32).toString("base64url");
+    const jti = import_crypto.default.randomBytes(32).toString("base64url");
     return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {

package/dist/sign.d.ts

@@ -1,3 +1,174 @@
+import * as crypto from 'crypto';
+import { KeyObject, BinaryLike } from 'crypto';
+import { JWTPayload, JWTVerifyOptions, JWTDecryptOptions } from 'jose';
 export { JWTVerifyOptions } from 'jose';
-export { createJWS, signJWS, verifyJWS } from './index.js';
-import 'node:crypto';
+
+/**
+ * Sign a standard JWT token with the following claims:
+ *  - alg: algorithm used to sign the JWT
+ *  - typ: type of the token
+ *  - iat: time at which the JWT was issued
+ *  - nbf: not before time of the JWT
+ *  - exp: expiration time of the JWT
+ *  - jti: unique identifier to avoid collisions
+ *
+ * @param payload - Payload data information to sign the JWT
+ * @param secret - Secret key to sign the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Signed JWT string
+ */
+declare const signJWS: (payload: JWTPayload, secret: SecretInput) => Promise<string>;
+/**
+ * Verify the integrity of a JWT token and return the payload if valid, rejecting
+ * tokens that use the "none" algorithm to prevent unsecured tokens.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7519#section-6 Unsecured JWTs
+ * @param token - JWT string to verify
+ * @param secret - CryptoKey or KeyObject used to verify the JWT
+ * @param options - Additional JWT verification options
+ * @returns verify and return the payload of the JWT
+ */
+declare const verifyJWS: (token: string, secret: SecretInput, options?: JWTVerifyOptions) => Promise<JWTPayload>;
+/**
+ * Create a JWS (JSON Web Signature) signer and verifier. It implements the `signJWS`
+ * and `verifyJWS` functions of the module.
+ *
+ * @param secret - Secret key used for signing and verifying the JWS
+ * @returns signJWS and verifyJWS functions
+ */
+declare const createJWS: (secret: SecretInput) => {
+    signJWS: (payload: JWTPayload) => Promise<string>;
+    verifyJWS: (payload: string, options?: JWTVerifyOptions) => Promise<JWTPayload>;
+};
+
+interface EncryptedPayload {
+    payload: string;
+}
+interface EncryptOptions {
+    nbf?: string | number | Date;
+    exp?: string | number | Date;
+}
+/**
+ * Encrypt a standard JWT token with the following claims:
+ *  - alg: algorithm used to encrypt the JWT
+ *  - enc: encryption method used
+ *  - typ: type of the token
+ *  - cty: content type of the token
+ *
+ * @param payload - Payload data information to encrypt the JWT
+ * @param secret - Secret key to encrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Encrypted JWT string
+ */
+declare const encryptJWE: (payload: string, secret: SecretInput, options?: EncryptOptions) => Promise<string>;
+/**
+ * Decrypt a JWE token and return the payload if valid.
+ *
+ * @param token - Encrypted JWT string to decrypt
+ * @param secret - Secret key to decrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Decrypted JWT payload string
+ */
+declare const decryptJWE: (token: string, secret: SecretInput, options?: JWTDecryptOptions) => Promise<string>;
+/**
+ * Creates a `JWE (JSON Web Encryption)` encrypter and decrypter. It implements the `encryptJWE`
+ * and `decryptJWE` functions of the module.
+ *
+ * @param secret - Secret key used for encrypting and decrypting the JWE
+ * @returns encryptJWE and decryptJWE functions
+ */
+declare const createJWE: (secret: SecretInput) => {
+    encryptJWE: (payload: string, options?: EncryptOptions) => Promise<string>;
+    decryptJWE: (payload: string, options?: JWTDecryptOptions) => Promise<string>;
+};
+
+declare const MIN_SECRET_ENTROPY_BITS = 4.5;
+declare const getEntropy: (secret: string) => number;
+/**
+ * Create a secret in Uint8Array format
+ *
+ * @param secret - The secret as a string or Uint8Array
+ * @returns The secret in Uint8Array format
+ */
+declare const createSecret: (secret: SecretInput, length?: number) => crypto.KeyObject | Uint8Array<ArrayBufferLike>;
+declare const getSecrets: (secret: SecretInput | DerivedKeyInput) => {
+    jwsSecret: SecretInput;
+    jweSecret: SecretInput;
+};
+
+/**
+ * @module @aura-stack/jose
+ */
+
+type SecretInput = KeyObject | Uint8Array | string;
+type DerivedKeyInput = {
+    jws: SecretInput;
+    jwe: SecretInput;
+};
+type DecodedJWTPayloadOptions = {
+    jws: JWTVerifyOptions;
+    jwt: JWTDecryptOptions;
+};
+/**
+ * Encode a JWT signed and encrypted token. The token first signed using JWS
+ * and then encrypted using JWE to ensure both integrity and confidentiality.
+ * It implements the `signJWS` and `encryptJWE` functions of the module.
+ *
+ * Based on the RFC 7519 standard
+ * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
+ * - Nested JWTs should be signed and then encrypted: https://datatracker.ietf.org/doc/html/rfc7519#section-5.2
+ * - Ensuring the integrity and confidentiality of the claims: https://datatracker.ietf.org/doc/html/rfc7519#section-11.2
+ *
+ * @param token - Payload data to encode in the JWT
+ * @param secret - Secret key used for both signing and encrypting the JWT
+ * @returns Promise resolving to the signed and encrypted JWT string
+ */
+declare const encodeJWT: (token: JWTPayload, secret: SecretInput | DerivedKeyInput) => Promise<string>;
+/**
+ * Decode a JWT signed and encrypted token. The token is first decrypted using JWE
+ * and then verified using JWS to ensure both confidentiality and integrity. It
+ * implements the `decryptJWE` and `verifyJWS` functions of the module.
+ *
+ * Based on the RFC 7519 standard
+ * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
+ * - Validating a JWT: https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
+ * @param token
+ * @param secret
+ * @returns
+ */
+declare const decodeJWT: (token: string, secret: SecretInput | DerivedKeyInput, options?: DecodedJWTPayloadOptions) => Promise<JWTPayload>;
+/**
+ * Create a JWT handler with encode and decode methods to `signJWS/encryptJWE` and `verifyJWS/decryptJWE`
+ * JWT tokens. The JWTs are signed and verified using JWS and encrypted and decrypted using JWE. It
+ * implements the `signJWS`, `verifyJWS`, `encryptJWE` and `decryptJWE` functions of the module.
+ *
+ * @param secret - Secret key used for signing, verifying, encrypting and decrypting the JWT
+ * @returns JWT handler object with `signJWS/encryptJWE` and `verifyJWS/decryptJWE` methods
+ */
+declare const createJWT: (secret: SecretInput | DerivedKeyInput) => {
+    encodeJWT: (payload: JWTPayload) => Promise<string>;
+    decodeJWT: (token: string) => Promise<JWTPayload>;
+};
+
+/**
+ * Generate a derived key using HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
+ *
+ * @param secret Value used as the input keying material
+ * @param salt Cryptographic salt
+ * @param info Context and application specific information
+ * @param length Size of the derived key in bytes (default is 32 bytes)
+ * @returns Derived key as Uint8Array and base64 encoded string
+ */
+declare const deriveKey: (secret: SecretInput, salt: BinaryLike, info: string, length?: number) => {
+    key: ArrayBuffer;
+    derivedKey: Buffer<ArrayBuffer>;
+};
+/**
+ * Create a derived key from a given secret.
+ *
+ * @param secret - The secret as a string or Uint8Array
+ * @returns The secret in Uint8Array format
+ */
+declare const createDeriveKey: (secret: SecretInput, salt?: BinaryLike, info?: string, length?: number) => {
+    key: ArrayBuffer;
+    derivedKey: Buffer<ArrayBuffer>;
+};
+
+export { type DerivedKeyInput as D, type EncryptedPayload as E, MIN_SECRET_ENTROPY_BITS as M, type SecretInput as S, type EncryptOptions as a, createSecret as b, createJWE as c, createJWS, decryptJWE as d, encryptJWE as e, getSecrets as f, getEntropy as g, type DecodedJWTPayloadOptions as h, encodeJWT as i, decodeJWT as j, createJWT as k, deriveKey as l, createDeriveKey as m, signJWS, verifyJWS };

package/dist/sign.js

@@ -2,8 +2,8 @@ import {
   createJWS,
   signJWS,
   verifyJWS
-} from "./chunk-ZHDED44B.js";
-import "./chunk-GXM4P5MQ.js";
+} from "./chunk-EX3NULRX.js";
+import "./chunk-SES6WQL3.js";
 import "./chunk-ZHFHDRQH.js";
 import "./chunk-BMXFAB6Q.js";
 export {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aura-stack/jose",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "private": false,
   "type": "module",
   "description": "JOSE utilities for @aura-stack/auth",
@@ -57,6 +57,8 @@
     "jose": "^6.1.2"
   },
   "devDependencies": {
+    "@types/node": "^24.9.2",
+    "typescript": "^5.9.2",
     "@aura-stack/tsconfig": "0.0.0",
     "@aura-stack/tsup-config": "0.0.0"
   },

package/dist/chunk-GXM4P5MQ.js

@@ -1,31 +0,0 @@
-import {
-  isObject
-} from "./chunk-ZHFHDRQH.js";
-import {
-  InvalidSecretError
-} from "./chunk-BMXFAB6Q.js";
-
-// src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
-  if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
-    }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
-  }
-  return secret;
-};
-var getSecrets = (secret) => {
-  const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;
-  const jweSecret = isObject(secret) && "jwe" in secret ? secret.jwe : secret;
-  return {
-    jwsSecret,
-    jweSecret
-  };
-};
-
-export {
-  createSecret,
-  getSecrets
-};