@aura-stack/jose 0.2.0 → 0.4.0

package/dist/sign.cjs

@@ -1,9 +1,7 @@
 "use strict";
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __export = (target, all) => {
   for (var name in all)
@@ -17,14 +15,6 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
-  // If the importer is in node compatibility mode or this is not an ESM
-  // file that has been converted to a CommonJS file using a Babel-
-  // compatible transform (i.e. "__esModule" has not been set), then set
-  // "default" to the CommonJS "module.exports" for node compatibility.
-  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
-  mod
-));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
 // src/sign.ts
@@ -35,7 +25,6 @@ __export(sign_exports, {
   verifyJWS: () => verifyJWS
 });
 module.exports = __toCommonJS(sign_exports);
-var import_node_crypto = __toESM(require("crypto"), 1);
 var import_jose = require("jose");
 
 // src/errors.ts
@@ -76,16 +65,54 @@ var isInvalidPayload = (payload) => {
   return isFalsy(payload) || !isObject(payload) || typeof payload === "object" && payload !== null && !Array.isArray(payload) && Object.keys(payload).length === 0;
 };
 
+// src/crypto.ts
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+var getRandomBytes = (size) => {
+  return globalThis.crypto.getRandomValues(new Uint8Array(size));
+};
+
 // src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
+var MIN_SECRET_ENTROPY_BITS = 4.5;
+var getEntropy = (secret) => {
+  const charFreq = /* @__PURE__ */ new Map();
+  for (const char of secret) {
+    if (!charFreq.has(char)) {
+      charFreq.set(char, 0);
+    }
+    charFreq.set(char, charFreq.get(char) + 1);
+  }
+  let entropy = 0;
+  const length = secret.length;
+  for (const freq of charFreq.values()) {
+    const p = freq / length;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+};
+var createSecret = (secret, length = 32) => {
+  if (!Boolean(secret)) throw new InvalidSecretError("Secret is required");
   if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
+    const encoded = encoder.encode(secret);
+    const byteLength = encoded.byteLength;
+    if (byteLength < length) {
+      throw new InvalidSecretError(`Secret string must be at least ${length} bytes long`);
+    }
+    const entropy = getEntropy(secret);
+    if (entropy < MIN_SECRET_ENTROPY_BITS) {
+      throw new InvalidSecretError(
+        `Secret string must have an entropy of at least ${MIN_SECRET_ENTROPY_BITS} bits per character`
+      );
+    }
+    return encoded;
+  }
+  if (secret instanceof CryptoKey || secret instanceof Uint8Array) {
+    if (secret instanceof Uint8Array && secret.byteLength < length) {
+      throw new InvalidSecretError(`Secret must be at least ${length} bytes long`);
     }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
+    return secret;
   }
-  return secret;
+  throw new InvalidSecretError("Secret must be a string, Uint8Array, or CryptoKey");
 };
 
 // src/sign.ts
@@ -95,8 +122,8 @@ var signJWS = async (payload, secret) => {
       throw new InvalidPayloadError("The payload must be a non-empty object");
     }
     const secretKey = createSecret(secret);
-    const jti = import_node_crypto.default.randomBytes(32).toString("base64url");
-    return new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
+    const jti = import_jose.base64url.encode(getRandomBytes(32));
+    return await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256", typ: "JWT" }).setIssuedAt().setNotBefore(payload.nbf ?? "0s").setExpirationTime(payload.exp ?? "15d").setJti(jti).sign(secretKey);
   } catch (error) {
     if (isAuraJoseError(error)) {
       throw error;

package/dist/sign.d.ts

@@ -1,3 +1,186 @@
+import { JWTPayload, JWTVerifyOptions, JWTDecryptOptions } from 'jose';
 export { JWTVerifyOptions } from 'jose';
-export { createJWS, signJWS, verifyJWS } from './index.js';
-import 'node:crypto';
+import './crypto.js';
+
+/**
+ * Sign a standard JWT token with the following claims:
+ *  - alg: algorithm used to sign the JWT
+ *  - typ: type of the token
+ *  - iat: time at which the JWT was issued
+ *  - nbf: not before time of the JWT
+ *  - exp: expiration time of the JWT
+ *  - jti: unique identifier to avoid collisions
+ *
+ * @param payload - Payload data information to sign the JWT
+ * @param secret - Secret key to sign the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Signed JWT string
+ */
+declare const signJWS: <Payload extends JWTPayload>(payload: TypedJWTPayload<Partial<Payload>>, secret: SecretInput) => Promise<string>;
+/**
+ * Verify the integrity of a JWT token and return the payload if valid, rejecting
+ * tokens that use the "none" algorithm to prevent unsecured tokens.
+ *
+ * @see https://datatracker.ietf.org/doc/html/rfc7519#section-6 Unsecured JWTs
+ * @param token - JWT string to verify
+ * @param secret - CryptoKey or KeyObject used to verify the JWT
+ * @param options - Additional JWT verification options
+ * @returns verify and return the payload of the JWT
+ */
+declare const verifyJWS: <Payload extends JWTPayload>(token: string, secret: SecretInput, options?: JWTVerifyOptions) => Promise<TypedJWTPayload<Payload>>;
+/**
+ * Create a JWS (JSON Web Signature) signer and verifier. It implements the `signJWS`
+ * and `verifyJWS` functions of the module.
+ *
+ * @param secret - Secret key used for signing and verifying the JWS
+ * @returns signJWS and verifyJWS functions
+ */
+declare const createJWS: <Payload extends JWTPayload>(secret: SecretInput) => {
+    signJWS: <SignPayload extends JWTPayload = Payload>(payload: TypedJWTPayload<Partial<SignPayload>>) => Promise<string>;
+    verifyJWS: <VerifyPayload extends JWTPayload = Payload>(payload: string, options?: JWTVerifyOptions) => Promise<TypedJWTPayload<VerifyPayload>>;
+};
+
+interface EncryptedPayload {
+    payload: string;
+}
+interface EncryptOptions {
+    nbf?: string | number | Date;
+    exp?: string | number | Date;
+}
+/**
+ * Encrypt a standard JWT token with the following claims:
+ *  - alg: algorithm used to encrypt the JWT
+ *  - enc: encryption method used
+ *  - typ: type of the token
+ *  - cty: content type of the token
+ *
+ * @param payload - Payload data information to encrypt the JWT
+ * @param secret - Secret key to encrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Encrypted JWT string
+ */
+declare const encryptJWE: (payload: string, secret: SecretInput, options?: EncryptOptions) => Promise<string>;
+/**
+ * Decrypt a JWE token and return the payload if valid.
+ *
+ * @param token - Encrypted JWT string to decrypt
+ * @param secret - Secret key to decrypt the JWT (CryptoKey, KeyObject, string or Uint8Array)
+ * @returns Decrypted JWT payload string
+ */
+declare const decryptJWE: (token: string, secret: SecretInput, options?: JWTDecryptOptions) => Promise<string>;
+/**
+ * Creates a `JWE (JSON Web Encryption)` encrypter and decrypter. It implements the `encryptJWE`
+ * and `decryptJWE` functions of the module.
+ *
+ * @param secret - Secret key used for encrypting and decrypting the JWE
+ * @returns encryptJWE and decryptJWE functions
+ */
+declare const createJWE: (secret: SecretInput) => {
+    encryptJWE: (payload: string, options?: EncryptOptions) => Promise<string>;
+    decryptJWE: (payload: string, options?: JWTDecryptOptions) => Promise<string>;
+};
+
+declare const MIN_SECRET_ENTROPY_BITS = 4.5;
+declare const getEntropy: (secret: string) => number;
+/**
+ * Create a secret in Uint8Array format
+ * Uses the standard TextEncoder API for cross-runtime compatibility
+ *
+ * @param secret - The secret as a string or Uint8Array
+ * @returns The secret in Uint8Array format
+ */
+declare const createSecret: (secret: SecretInput, length?: number) => Uint8Array<ArrayBufferLike> | CryptoKey;
+declare const getSecrets: (secret: SecretInput | DerivedKeyInput) => {
+    jwsSecret: SecretInput;
+    jweSecret: SecretInput;
+};
+
+/**
+ * @module @aura-stack/jose
+ */
+
+/**
+ * Secret input can be:
+ * - CryptoKey: W3C standard key object (works across all runtimes)
+ * - Uint8Array: Raw bytes
+ * - string: String that will be encoded to UTF-8
+ */
+type SecretInput = Uint8Array | string | CryptoKey;
+type DerivedKeyInput = {
+    jws: SecretInput;
+    jwe: SecretInput;
+};
+type DecodedJWTPayloadOptions = {
+    jws: JWTVerifyOptions;
+    jwt: JWTDecryptOptions;
+};
+type Prettify<T> = {
+    [K in keyof T]: T[K];
+} & {};
+type TypedJWTPayload<Payload extends JWTPayload> = JWTPayload & Payload;
+/**
+ * Encode a JWT signed and encrypted token. The token first signed using JWS
+ * and then encrypted using JWE to ensure both integrity and confidentiality.
+ * It implements the `signJWS` and `encryptJWE` functions of the module.
+ *
+ * Based on the RFC 7519 standard
+ * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
+ * - Nested JWTs should be signed and then encrypted: https://datatracker.ietf.org/doc/html/rfc7519#section-5.2
+ * - Ensuring the integrity and confidentiality of the claims: https://datatracker.ietf.org/doc/html/rfc7519#section-11.2
+ *
+ * @param token - Payload data to encode in the JWT
+ * @param secret - Secret key used for both signing and encrypting the JWT
+ * @returns Promise resolving to the signed and encrypted JWT string
+ */
+declare const encodeJWT: <Payload extends JWTPayload>(token: TypedJWTPayload<Partial<Payload>>, secret: SecretInput | DerivedKeyInput) => Promise<string>;
+/**
+ * Decode a JWT signed and encrypted token. The token is first decrypted using JWE
+ * and then verified using JWS to ensure both confidentiality and integrity. It
+ * implements the `decryptJWE` and `verifyJWS` functions of the module.
+ *
+ * Based on the RFC 7519 standard
+ * - Official RFC: https://datatracker.ietf.org/doc/html/rfc7519
+ * - Validating a JWT: https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
+ * @param token
+ * @param secret
+ * @returns
+ */
+declare const decodeJWT: <Payload extends JWTPayload>(token: string, secret: SecretInput | DerivedKeyInput, options?: DecodedJWTPayloadOptions) => Promise<TypedJWTPayload<Payload>>;
+/**
+ * Create a JWT handler with encode and decode methods to `signJWS/encryptJWE` and `verifyJWS/decryptJWE`
+ * JWT tokens. The JWTs are signed and verified using JWS and encrypted and decrypted using JWE. It
+ * implements the `signJWS`, `verifyJWS`, `encryptJWE` and `decryptJWE` functions of the module.
+ *
+ * @param secret - Secret key used for signing, verifying, encrypting and decrypting the JWT
+ * @returns JWT handler object with `signJWS/encryptJWE` and `verifyJWS/decryptJWE` methods
+ */
+declare const createJWT: <Payload extends JWTPayload>(secret: SecretInput | DerivedKeyInput) => {
+    encodeJWT: <EncodePayload extends JWTPayload = Payload>(payload: TypedJWTPayload<Partial<EncodePayload>>) => Promise<string>;
+    decodeJWT: <DecodePayload extends JWTPayload = Payload>(token: string, options?: DecodedJWTPayloadOptions) => Promise<TypedJWTPayload<DecodePayload>>;
+};
+
+/**
+ * Generate a derived key using HKDF (HMAC-based Extract-and-Expand Key Derivation Function)
+ * Uses the Web Crypto API for cross-runtime compatibility (Node.js, Deno, Bun, Browsers)
+ *
+ * @param secret Value used as the input keying material
+ * @param salt Cryptographic salt
+ * @param info Context and application specific information
+ * @param length Size of the derived key in bytes (default is 32 bytes)
+ * @returns Derived key as Uint8Array
+ */
+declare const deriveKey: (secret: Uint8Array, salt: string | Uint8Array, info: string | Uint8Array, length?: number) => Promise<Uint8Array>;
+/**
+ * Create a derived key from a given secret.
+ * This is an async function that works across all modern JavaScript runtimes.
+ *
+ * > [!NOTE]
+ * > If the secret is a CryptoKey, this function cannot derive keys from it.
+ *
+ * @param secret - The secret as a string or Uint8Array
+ * @param salt - Optional cryptographic salt (defaults to "Aura Jose secret salt")
+ * @param info - Optional context information (defaults to "Aura Jose secret derivation")
+ * @param length - Size of the derived key in bytes (default is 32 bytes)
+ * @returns Promise resolving to the derived key as a Uint8Array
+ */
+declare const createDeriveKey: (secret: SecretInput, salt?: string | Uint8Array, info?: string | Uint8Array, length?: number) => Promise<Uint8Array<ArrayBufferLike>>;
+
+export { type DecodedJWTPayloadOptions as D, type EncryptOptions as E, MIN_SECRET_ENTROPY_BITS as M, type Prettify as P, type SecretInput as S, type TypedJWTPayload as T, type EncryptedPayload as a, createSecret as b, createJWE as c, createJWS, decryptJWE as d, encryptJWE as e, getSecrets as f, getEntropy as g, type DerivedKeyInput as h, createDeriveKey as i, createJWT as j, decodeJWT as k, deriveKey as l, encodeJWT as m, signJWS, verifyJWS };

package/dist/sign.js

@@ -2,10 +2,11 @@ import {
   createJWS,
   signJWS,
   verifyJWS
-} from "./chunk-ZHDED44B.js";
-import "./chunk-GXM4P5MQ.js";
-import "./chunk-ZHFHDRQH.js";
-import "./chunk-BMXFAB6Q.js";
+} from "./chunk-WXGX6PJ5.js";
+import "./chunk-FCUM7BTG.js";
+import "./chunk-MWFJ4CA5.js";
+import "./chunk-RQFUZSWH.js";
+import "./chunk-NGBYHSRN.js";
 export {
   createJWS,
   signJWS,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aura-stack/jose",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "private": false,
   "type": "module",
   "description": "JOSE utilities for @aura-stack/auth",
@@ -40,6 +40,11 @@
       "types": "./dist/deriveKey.d.ts",
       "require": "./dist/deriveKey.cjs",
       "import": "./dist/deriveKey.js"
+    },
+    "./crypto": {
+      "types": "./dist/crypto.d.ts",
+      "require": "./dist/crypto.cjs",
+      "import": "./dist/crypto.js"
     }
   },
   "keywords": [
@@ -57,6 +62,7 @@
     "jose": "^6.1.2"
   },
   "devDependencies": {
+    "typescript": "^5.9.2",
     "@aura-stack/tsconfig": "0.0.0",
     "@aura-stack/tsup-config": "0.0.0"
   },

package/dist/chunk-GXM4P5MQ.js

@@ -1,31 +0,0 @@
-import {
-  isObject
-} from "./chunk-ZHFHDRQH.js";
-import {
-  InvalidSecretError
-} from "./chunk-BMXFAB6Q.js";
-
-// src/secret.ts
-var createSecret = (secret) => {
-  if (secret === void 0) throw new InvalidSecretError("Secret is required");
-  if (typeof secret === "string") {
-    if (new TextEncoder().encode(secret).byteLength < 32) {
-      throw new InvalidSecretError("Secret string must be at least 32 characters long");
-    }
-    return new Uint8Array(Buffer.from(secret, "utf-8"));
-  }
-  return secret;
-};
-var getSecrets = (secret) => {
-  const jwsSecret = isObject(secret) && "jws" in secret ? secret.jws : secret;
-  const jweSecret = isObject(secret) && "jwe" in secret ? secret.jwe : secret;
-  return {
-    jwsSecret,
-    jweSecret
-  };
-};
-
-export {
-  createSecret,
-  getSecrets
-};

package/dist/chunk-K5BQTFSO.js

@@ -1,27 +0,0 @@
-import {
-  createSecret
-} from "./chunk-GXM4P5MQ.js";
-
-// src/deriveKey.ts
-import { hkdfSync } from "crypto";
-var deriveKey = (secret, salt, info, length = 32) => {
-  try {
-    const key = hkdfSync("SHA256", secret, salt, info, length);
-    const derivedKey = Buffer.from(key);
-    return {
-      key,
-      derivedKey
-    };
-  } catch (error) {
-    throw new Error("Failed to create a derived key (HKDF)", { cause: error });
-  }
-};
-var createDeriveKey = (secret, salt, info, length = 32) => {
-  const secretKey = createSecret(secret);
-  return deriveKey(secretKey, salt ?? "Aura Jose secret salt", info ?? "Aura Jose secret derivation", length);
-};
-
-export {
-  deriveKey,
-  createDeriveKey
-};