@aura-stack/jose 0.2.0 → 0.4.0

package/dist/index.cjs

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,35 +15,34 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  MIN_SECRET_ENTROPY_BITS: () => MIN_SECRET_ENTROPY_BITS,
   createDeriveKey: () => createDeriveKey,
   createJWE: () => createJWE,
   createJWS: () => createJWS,
   createJWT: () => createJWT,
+  createSecret: () => createSecret,
   decodeJWT: () => decodeJWT,
+  decoder: () => decoder,
   decryptJWE: () => decryptJWE,
   deriveKey: () => deriveKey,
   encodeJWT: () => encodeJWT,
+  encoder: () => encoder,
   encryptJWE: () => encryptJWE,
+  getEntropy: () => getEntropy,
+  getRandomBytes: () => getRandomBytes,
+  getSecrets: () => getSecrets,
+  getSubtleCrypto: () => getSubtleCrypto,
   signJWS: () => signJWS,
   verifyJWS: () => verifyJWS
 });
 module.exports = __toCommonJS(index_exports);
 
 // src/sign.ts
-var import_node_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
 // src/errors.ts
@@ -83,6 +80,9 @@ var JWEEncryptionError = class extends AuraJoseError {
 var InvalidSecretError = class extends AuraJoseError {
   static code = "ERR_INVALID_SECRET";
 };
+var KeyDerivationError = class extends AuraJoseError {
+  static code = "ERR_KEY_DERIVATION";
+};
 
 // src/assert.ts
 var isAuraJoseError = (error) => {
@@ -98,16 +98,60 @@ var isInvalidPayload = (payload) => {
   return isFalsy(payload) || !isObject(payload) || typeof payload === "object" && payload !== null && !Array.isArray(payload) && Object.keys(payload).length === 0;
 };
 
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+var getSubtleCrypto = () => {
+  if (globalThis.crypto?.subtle) {
+    return globalThis.crypto.subtle;
+  }
+  throw new Error("SubtleCrypto is not available in this runtime");
+};
+
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return encoded;
   }
-  return secret;
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
+    }
+    return secret;
+  }
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 var getSecrets = (secret) => {
   const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;
@@ -125,8 +169,8 @@ var signJWS = async (payload, secret) => {
       throw new InvalidPayloadError("The payload must be a non-empty object");
     }
     const secretKey = createSecret(secret);
-    const jti = import_node_crypto.default.randomBytes(32).toString("base64url");
-    return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
+    const jti = import_jose.base64url.encode(getRandomBytes(32));
+    return await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;
@@ -157,7 +201,6 @@ var createJWS = (secret) => {
 };
 
 // src/encrypt.ts
-var import_node_crypto2 = __toESM(require("crypto"), 1);
 var import_jose2 = require("jose");
 var encryptJWE = async (payload, secret, options) => {
   try {
@@ -165,8 +208,8 @@ var encryptJWE = async (payload, secret, options) => {
       throw new InvalidPayloadError("The payload must be a non-empty string");
     }
     const secretKey = createSecret(secret);
-    const jti = import_node_crypto2.default.randomBytes(32).toString("base64url");
-    return new import_jose2.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
+    const jti = import_jose2.base64url.encode(getRandomBytes(32));
+    return await new import_jose2.EncryptJWT({ payload }).setProtectedHeader({ alg: "dir", enc: "A256GCM", typ: "JWT", cty: "JWT" }).setIssuedAt().setNotBefore(options?.nbf ?? "0s").setExpirationTime(options?.exp ?? "15d").setJti(jti).encrypt(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;
@@ -197,22 +240,35 @@ var createJWE = (secret) => {
 };
 
 // src/deriveKey.ts
-var import_node_crypto3 = require("crypto");
-var deriveKey = (secret, salt, info, length = 32) => {
+var deriveKey = async (secret, salt, info, length = 32) => {
   try {
-    const key = (0, import_node_crypto3.hkdfSync)("SHA256", secret, salt, info, length);
-    const derivedKey = Buffer.from(key);
-    return {
-      key,
-      derivedKey
-    };
+    const subtle = getSubtleCrypto();
+    const secretBuffer = secret.buffer.slice(secret.byteOffset, secret.byteOffset + secret.byteLength);
+    const baseKey = await subtle.importKey("raw", secretBuffer, "HKDF", false, ["deriveBits"]);
+    const saltBuffer = typeof salt === "string" ? encoder.encode(salt) : salt;
+    const infoBuffer = typeof info === "string" ? encoder.encode(info) : info;
+    const derivedBits = await subtle.deriveBits(
+      {
+        name: "HKDF",
+        hash: "SHA-256",
+        salt: saltBuffer,
+        info: infoBuffer
+      },
+      baseKey,
+      length << 3
+    );
+    return new Uint8Array(derivedBits);
   } catch (error) {
-    throw new Error("Failed to create a derived key (HKDF)", { cause: error });
+    throw new KeyDerivationError("Failed to create a derived key (HKDF)", { cause: error });
   }
 };
-var createDeriveKey = (secret, salt, info, length = 32) => {
+var createDeriveKey = async (secret, salt, info, length = 32) => {
   const secretKey = createSecret(secret);
-  return deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  if (secretKey instanceof CryptoKey) {
+    throw new KeyDerivationError("Cannot derive key from CryptoKey. Use Uint8Array or string secret instead.");
+  }
+  const key = await deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
+  return key;
 };
 
 // src/index.ts
@@ -230,13 +286,13 @@ var encodeJWT = async (token, secret) => {
     throw new JWTEncodingError("JWT encoding failed", { cause: error });
   }
 };
-var decodeJWT = async (token, secret) => {
+var decodeJWT = async (token, secret, options) => {
   try {
     const { jweSecret, jwsSecret } = getSecrets(secret);
     const { verifyJWS: verifyJWS2 } = createJWS(jwsSecret);
     const { decryptJWE: decryptJWE2 } = createJWE(jweSecret);
-    const decrypted = await decryptJWE2(token);
-    return await verifyJWS2(decrypted);
+    const decrypted = await decryptJWE2(token, options?.jwt);
+    return await verifyJWS2(decrypted, options?.jws);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;
@@ -246,21 +302,29 @@ var decodeJWT = async (token, secret) => {
 };
 var createJWT = (secret) => {
   return {
-    encodeJWT: async (payload) => encodeJWT(payload, secret),
-    decodeJWT: async (token) => decodeJWT(token, secret)
+    encodeJWT: async (payload) => await encodeJWT(payload, secret),
+    decodeJWT: async (token, options) => await decodeJWT(token, secret, options)
   };
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  MIN_SECRET_ENTROPY_BITS,
   createDeriveKey,
   createJWE,
   createJWS,
   createJWT,
+  createSecret,
   decodeJWT,
+  decoder,
   decryptJWE,
   deriveKey,
   encodeJWT,
+  encoder,
   encryptJWE,
+  getEntropy,
+  getRandomBytes,
+  getSecrets,
+  getSubtleCrypto,
   signJWS,
   verifyJWS
 });

package/dist/index.d.ts

@@ -1,154 +1,3 @@
-import { KeyObject, BinaryLike } from 'node:crypto';
-import { JWTPayload, JWTVerifyOptions, JWTDecryptOptions } from 'jose';
 export { JWTDecryptOptions, JWTVerifyOptions } from 'jose';
-
-/**
- * Sign a standard JWT token with the following claims:
- *  - alg: algorithm used to sign the JWT
- *  - typ: type of the token
- *  - iat: time at which the JWT was issued
- *  - nbf: not before time of the JWT
- *  - exp: expiration time of the JWT
- *  - jti: unique identifier to avoid collisions
- *
- * @param payload - Payload data information to sign the JWT
- * @param secret - Secret key to sign the JWT (CryptoKey, KeyObject, string or Uint8Array)
- * @returns Signed JWT string
- */
-declare const signJWS: (payload: JWTPayload, secret: SecretInput) => Promise<string>;
-/**
- * Verify the integrity of a JWT token and return the payload if valid, rejecting
- * tokens that use the "none" algorithm to prevent unsecured tokens.
- *
- * @see https://datatracker.ietf.org/doc/html/rfc7519#section-6 Unsecured JWTs
- * @param token - JWT string to verify
- * @param secret - CryptoKey or KeyObject used to verify the JWT
- * @returns verify and return the payload of the JWT
- */
-declare const verifyJWS: (token: string, secret: SecretInput, options?: JWTVerifyOptions) => Promise<JWTPayload>;
-/**
- * Create a JWS (JSON Web Signature) signer and verifier. It implements the `signJWS`
- * and `verifyJWS` functions of the module.
- *
- * @param secret - Secret key used for signing and verifying the JWS
- * @returns signJWS and verifyJWS functions
- */
-declare const createJWS: (secret: SecretInput) => {
-    signJWS: (payload: JWTPayload) => Promise<string>;
-    verifyJWS: (payload: string, options?: JWTVerifyOptions) => Promise<JWTPayload>;
-};
-
-interface EncryptedPayload {
-    payload: string;
-}
-interface EncryptOptions {
-    nbf?: string | number | Date;
-    exp?: string | number | Date;
-}
-/**
- * Encrypt a standard JWT token with the following claims:
- *  - alg: algorithm used to encrypt the JWT
- *  - enc: encryption method used
- *  - typ: type of the token
- *  - cty: content type of the token
- *
- * @param payload - Payload data information to encrypt the JWT
- * @param secret - Secret key to encrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
- * @returns Encrypted JWT string
- */
-declare const encryptJWE: (payload: string, secret: SecretInput, options?: EncryptOptions) => Promise<string>;
-/**
- * Decrypt a JWE token and return the payload if valid.
- *
- * @param token - Encrypted JWT string to decrypt
- * @param secret - Secret key to decrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
- * @returns Decrypted JWT payload string
- */
-declare const decryptJWE: (token: string, secret: SecretInput, options?: JWTDecryptOptions) => Promise<string>;
-/**
- * Creates a `JWE (JSON Web Encryption)` encrypter and decrypter. It implements the `encryptJWE`
- * and `decryptJWE` functions of the module.
- *
- * @param secret - Secret key used for encrypting and decrypting the JWE
- * @returns encryptJWE and decryptJWE functions
- */
-declare const createJWE: (secret: SecretInput) => {
-    encryptJWE: (payload: string, options?: EncryptOptions) => Promise<string>;
-    decryptJWE: (payload: string, options?: JWTDecryptOptions) => Promise<string>;
-};
-
-/**
- * @module @aura-stack/jose
- */
-
-type SecretInput = KeyObject | Uint8Array | string;
-type DerivedKeyInput = {
-    jws: SecretInput;
-    jwe: SecretInput;
-};
-/**
- * Encode a JWT signed and encrypted token. The token first signed using JWS
- * and then encrypted using JWE to ensure both integrity and confidentiality.
- * It implements the `signJWS` and `encryptJWE` functions of the module.
- *
- * Based on the RFC 7519 standard
- * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
- * - Nested JWTs should be signed and then encrypted: https://datatracker.ietf.org/doc/html/rfc7519#section-5.2
- * - Ensuring the integrity and confidentiality of the claims: https://datatracker.ietf.org/doc/html/rfc7519#section-11.2
- *
- * @param token - Payload data to encode in the JWT
- * @param secret - Secret key used for both signing and encrypting the JWT
- * @returns Promise resolving to the signed and encrypted JWT string
- */
-declare const encodeJWT: (token: JWTPayload, secret: SecretInput | DerivedKeyInput) => Promise<string>;
-/**
- * Decode a JWT signed and encrypted token. The token is first decrypted using JWE
- * and then verified using JWS to ensure both confidentiality and integrity. It
- * implements the `decryptJWE` and `verifyJWS` functions of the module.
- *
- * Based on the RFC 7519 standard
- * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
- * - Validating a JWT: https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
- * @param token
- * @param secret
- * @returns
- */
-declare const decodeJWT: (token: string, secret: SecretInput | DerivedKeyInput) => Promise<JWTPayload>;
-/**
- * Create a JWT handler with encode and decode methods to `signJWS/encryptJWE` and `verifyJWS/decryptJWE`
- * JWT tokens. The JWTs are signed and verified using JWS and encrypted and decrypted using JWE. It
- * implements the `signJWS`, `verifyJWS`, `encryptJWE` and `decryptJWE` functions of the module.
- *
- * @param secret - Secret key used for signing, verifying, encrypting and decrypting the JWT
- * @returns JWT handler object with `signJWS/encryptJWE` and `verifyJWS/decryptJWE` methods
- */
-declare const createJWT: (secret: SecretInput | DerivedKeyInput) => {
-    encodeJWT: (payload: JWTPayload) => Promise<string>;
-    decodeJWT: (token: string) => Promise<JWTPayload>;
-};
-
-/**
- * Generate a derived key using HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
- *
- * @param secret Value used as the input keying material
- * @param salt Cryptographic salt
- * @param info Context and application specific information
- * @param length Size of the derived key in bytes (default is 32 bytes)
- * @returns Derived key as Uint8Array and base64 encoded string
- */
-declare const deriveKey: (secret: SecretInput, salt: BinaryLike, info: string, length?: number) => {
-    key: ArrayBuffer;
-    derivedKey: Buffer<ArrayBuffer>;
-};
-/**
- * Create a derived key from a given secret.
- *
- * @param secret - The secret as a string or Uint8Array
- * @returns The secret in Uint8Array format
- */
-declare const createDeriveKey: (secret: SecretInput, salt?: BinaryLike, info?: string, length?: number) => {
-    key: ArrayBuffer;
-    derivedKey: Buffer<ArrayBuffer>;
-};
-
-export { type DerivedKeyInput, type EncryptOptions, type EncryptedPayload, type SecretInput, createDeriveKey, createJWE, createJWS, createJWT, decodeJWT, decryptJWE, deriveKey, encodeJWT, encryptJWE, signJWS, verifyJWS };
+export { D as DecodedJWTPayloadOptions, h as DerivedKeyInput, E as EncryptOptions, a as EncryptedPayload, M as MIN_SECRET_ENTROPY_BITS, P as Prettify, S as SecretInput, T as TypedJWTPayload, i as createDeriveKey, c as createJWE, createJWS, j as createJWT, b as createSecret, k as decodeJWT, d as decryptJWE, l as deriveKey, m as encodeJWT, e as encryptJWE, g as getEntropy, f as getSecrets, signJWS, verifyJWS } from './sign.js';
+export { decoder, encoder, getRandomBytes, getSubtleCrypto } from './crypto.js';

package/dist/index.js

@@ -1,27 +1,36 @@
+import {
+  createJWS,
+  signJWS,
+  verifyJWS
+} from "./chunk-WXGX6PJ5.js";
 import {
   createDeriveKey,
   deriveKey
-} from "./chunk-K5BQTFSO.js";
+} from "./chunk-OG4QRUXH.js";
 import {
   createJWE,
   decryptJWE,
   encryptJWE
-} from "./chunk-VPFE27PW.js";
-import {
-  createJWS,
-  signJWS,
-  verifyJWS
-} from "./chunk-ZHDED44B.js";
+} from "./chunk-Q2LAK6W2.js";
 import {
+  MIN_SECRET_ENTROPY_BITS,
+  createSecret,
+  getEntropy,
   getSecrets
-} from "./chunk-GXM4P5MQ.js";
+} from "./chunk-FCUM7BTG.js";
 import {
   isAuraJoseError
-} from "./chunk-ZHFHDRQH.js";
+} from "./chunk-MWFJ4CA5.js";
+import {
+  decoder,
+  encoder,
+  getRandomBytes,
+  getSubtleCrypto
+} from "./chunk-RQFUZSWH.js";
 import {
   JWTDecodingError,
   JWTEncodingError
-} from "./chunk-BMXFAB6Q.js";
+} from "./chunk-NGBYHSRN.js";
 
 // src/index.ts
 var encodeJWT = async (token, secret) => {
@@ -38,13 +47,13 @@ var encodeJWT = async (token, secret) => {
     throw new JWTEncodingError("JWT encoding failed", { cause: error });
   }
 };
-var decodeJWT = async (token, secret) => {
+var decodeJWT = async (token, secret, options) => {
   try {
     const { jweSecret, jwsSecret } = getSecrets(secret);
     const { verifyJWS: verifyJWS2 } = createJWS(jwsSecret);
     const { decryptJWE: decryptJWE2 } = createJWE(jweSecret);
-    const decrypted = await decryptJWE2(token);
-    return await verifyJWS2(decrypted);
+    const decrypted = await decryptJWE2(token, options?.jwt);
+    return await verifyJWS2(decrypted, options?.jws);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;
@@ -54,20 +63,28 @@ var decodeJWT = async (token, secret) => {
 };
 var createJWT = (secret) => {
   return {
-    encodeJWT: async (payload) => encodeJWT(payload, secret),
-    decodeJWT: async (token) => decodeJWT(token, secret)
+    encodeJWT: async (payload) => await encodeJWT(payload, secret),
+    decodeJWT: async (token, options) => await decodeJWT(token, secret, options)
   };
 };
 export {
+  MIN_SECRET_ENTROPY_BITS,
   createDeriveKey,
   createJWE,
   createJWS,
   createJWT,
+  createSecret,
   decodeJWT,
+  decoder,
   decryptJWE,
   deriveKey,
   encodeJWT,
+  encoder,
   encryptJWE,
+  getEntropy,
+  getRandomBytes,
+  getSecrets,
+  getSubtleCrypto,
   signJWS,
   verifyJWS
 };

package/dist/secret.cjs

@@ -20,7 +20,9 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/secret.ts
 var secret_exports = {};
 __export(secret_exports, {
+  MIN_SECRET_ENTROPY_BITS: () => MIN_SECRET_ENTROPY_BITS,
   createSecret: () => createSecret,
+  getEntropy: () => getEntropy,
   getSecrets: () => getSecrets
 });
 module.exports = __toCommonJS(secret_exports);
@@ -45,16 +47,51 @@ var isObject = (value) => {
   return typeof value === "object" && value !== null && !Array.isArray(value);
 };
 
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
+    }
+    return encoded;
+  }
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return secret;
   }
-  return secret;
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 var getSecrets = (secret) => {
   const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;
@@ -66,6 +103,8 @@ var getSecrets = (secret) => {
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  MIN_SECRET_ENTROPY_BITS,
   createSecret,
+  getEntropy,
   getSecrets
 });

package/dist/secret.d.ts

@@ -1,18 +1,3 @@
-import * as crypto from 'crypto';
-import { SecretInput, DerivedKeyInput } from './index.js';
-import 'node:crypto';
+export { M as MIN_SECRET_ENTROPY_BITS, b as createSecret, g as getEntropy, f as getSecrets } from './sign.js';
 import 'jose';
-
-/**
- * Create a secret in Uint8Array format
- *
- * @param secret - The secret as a string or Uint8Array
- * @returns The secret in Uint8Array format
- */
-declare const createSecret: (secret: SecretInput) => crypto.KeyObject | Uint8Array<ArrayBufferLike>;
-declare const getSecrets: (secret: SecretInput | DerivedKeyInput) => {
-    jwsSecret: SecretInput;
-    jweSecret: SecretInput;
-};
-
-export { createSecret, getSecrets };
+import './crypto.js';

package/dist/secret.js

@@ -1,10 +1,15 @@
 import {
+  MIN_SECRET_ENTROPY_BITS,
   createSecret,
+  getEntropy,
   getSecrets
-} from "./chunk-GXM4P5MQ.js";
-import "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-FCUM7BTG.js";
+import "./chunk-MWFJ4CA5.js";
+import "./chunk-RQFUZSWH.js";
+import "./chunk-NGBYHSRN.js";
 export {
+  MIN_SECRET_ENTROPY_BITS,
   createSecret,
+  getEntropy,
   getSecrets
 };