@authticon/client 0.0.0-beta1

package/dist/TokenManager.test.js

@@ -0,0 +1,118 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { TokenManager } from "./TokenManager.js";
+vi.mock("./TokenVerifier.js", () => ({
+    TokenVerifier: class {
+        verifyToken = vi.fn().mockResolvedValue({ sub: "user-1", exp: 9999999999 });
+        clearKeyCache = vi.fn();
+    },
+}));
+vi.mock("./generated/index.js", () => ({
+    postApiV1AuthTokenRefresh: vi.fn(),
+}));
+const createMockClient = () => ({});
+const createMockAdapter = () => ({
+    get: vi.fn().mockReturnValue(null),
+    set: vi.fn(),
+    remove: vi.fn(),
+});
+describe("TokenManager", () => {
+    describe("without storage (no CookieAdapter)", () => {
+        let manager;
+        beforeEach(() => {
+            manager = new TokenManager(createMockClient(), {
+                jwksUrl: "https://example.com/.well-known/jwks.json",
+            });
+        });
+        it("should verify a token", async () => {
+            const payload = await manager.verifyToken("some-jwt");
+            expect(payload).toEqual({ sub: "user-1", exp: 9999999999 });
+        });
+        it("should clear key cache", () => {
+            expect(() => manager.clearKeyCache()).not.toThrow();
+        });
+        it("should report hasStorage as false", () => {
+            expect(manager.hasStorage()).toBe(false);
+        });
+        it("should throw on save without adapter", () => {
+            expect(() => manager.save({ accessToken: "a", refreshToken: "r", deviceId: "d" }))
+                .toThrow("TokenStorage is not configured");
+        });
+        it("should throw on getAccessToken without adapter", () => {
+            expect(() => manager.getAccessToken())
+                .toThrow("TokenStorage is not configured");
+        });
+        it("should throw on getRefreshToken without adapter", () => {
+            expect(() => manager.getRefreshToken())
+                .toThrow("TokenStorage is not configured");
+        });
+        it("should throw on getAll without adapter", () => {
+            expect(() => manager.getAll())
+                .toThrow("TokenStorage is not configured");
+        });
+        it("should throw on clear without adapter", () => {
+            expect(() => manager.clear())
+                .toThrow("TokenStorage is not configured");
+        });
+        it("should throw on verifyStoredAccessToken without adapter", async () => {
+            await expect(manager.verifyStoredAccessToken())
+                .rejects.toThrow("TokenStorage is not configured");
+        });
+    });
+    describe("with storage (CookieAdapter provided)", () => {
+        let manager;
+        let adapter;
+        beforeEach(() => {
+            adapter = createMockAdapter();
+            manager = new TokenManager(createMockClient(), {
+                jwksUrl: "https://example.com/.well-known/jwks.json",
+                cookies: adapter,
+            });
+        });
+        it("should report hasStorage as true", () => {
+            expect(manager.hasStorage()).toBe(true);
+        });
+        it("should save tokens via adapter", () => {
+            manager.save({ accessToken: "abc", refreshToken: "xyz", deviceId: "dev-1" });
+            expect(adapter.set).toHaveBeenCalledTimes(3);
+            expect(adapter.set).toHaveBeenCalledWith("access_token", "abc", expect.any(Object));
+            expect(adapter.set).toHaveBeenCalledWith("refresh_token", "xyz", expect.any(Object));
+        });
+        it("should get access token via adapter", () => {
+            vi.mocked(adapter.get).mockReturnValue("stored-access");
+            expect(manager.getAccessToken()).toBe("stored-access");
+            expect(adapter.get).toHaveBeenCalledWith("access_token");
+        });
+        it("should get refresh token via adapter", () => {
+            vi.mocked(adapter.get).mockReturnValue("stored-refresh");
+            expect(manager.getRefreshToken()).toBe("stored-refresh");
+        });
+        it("should get all tokens", () => {
+            vi.mocked(adapter.get)
+                .mockReturnValueOnce("access-val")
+                .mockReturnValueOnce("refresh-val")
+                .mockReturnValueOnce("device-val");
+            expect(manager.getAll()).toEqual({
+                accessToken: "access-val",
+                refreshToken: "refresh-val",
+                deviceId: "device-val",
+            });
+        });
+        it("should return null from getAll when tokens are missing", () => {
+            expect(manager.getAll()).toBeNull();
+        });
+        it("should clear tokens via adapter", () => {
+            manager.clear();
+            expect(adapter.remove).toHaveBeenCalledTimes(2);
+        });
+        it("should verify stored access token", async () => {
+            vi.mocked(adapter.get).mockReturnValue("stored-jwt");
+            const payload = await manager.verifyStoredAccessToken();
+            expect(payload).toEqual({ sub: "user-1", exp: 9999999999 });
+        });
+        it("should return null from verifyStoredAccessToken when no token stored", async () => {
+            const payload = await manager.verifyStoredAccessToken();
+            expect(payload).toBeNull();
+        });
+    });
+});
+//# sourceMappingURL=TokenManager.test.js.map

package/dist/TokenManager.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenManager.test.js","sourceRoot":"","sources":["../src/TokenManager.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAIjD,EAAE,CAAC,IAAI,CAAC,oBAAoB,EAAE,GAAG,EAAE,CAAC,CAAC;IACnC,aAAa,EAAE;QACb,WAAW,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5E,aAAa,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;KACzB;CACF,CAAC,CAAC,CAAC;AAEJ,EAAE,CAAC,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE,CAAC,CAAC;IACrC,yBAAyB,EAAE,EAAE,CAAC,EAAE,EAAE;CACnC,CAAC,CAAC,CAAC;AAEJ,MAAM,gBAAgB,GAAG,GAAG,EAAE,CAAC,CAAC,EAAE,CAAW,CAAC;AAE9C,MAAM,iBAAiB,GAAG,GAAkB,EAAE,CAAC,CAAC;IAC9C,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC;IAClC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE;IACZ,MAAM,EAAE,EAAE,CAAC,EAAE,EAAE;CAChB,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,QAAQ,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAClD,IAAI,OAAqB,CAAC;QAE1B,UAAU,CAAC,GAAG,EAAE;YACd,OAAO,GAAG,IAAI,YAAY,CAAC,gBAAgB,EAAE,EAAE;gBAC7C,OAAO,EAAE,2CAA2C;aACrD,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;YACrC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;YAEtD,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wBAAwB,EAAE,GAAG,EAAE;YAChC,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QACtD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,YAAY,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;iBAC/E,OAAO,CAAC,gCAAgC,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC;iBACnC,OAAO,CAAC,gCAAgC,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;iBACpC,OAAO,CAAC,gCAAgC,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,GAAG,EAAE;YAChD,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;iBAC3B,OAAO,CAAC,gCAAgC,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;iBAC1B,OAAO,CAAC,gCAAgC,CAAC,CAAC;QAC/C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;YACvE,MAAM,MAAM,CAAC,OAAO,CAAC,uBAAuB,EAAE,CAAC;iBAC5C,OAAO,CAAC,OAAO,CAAC,gCAAgC,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uCAAuC,EAAE,GAAG,EAAE;QACrD,IAAI,OAAqB,CAAC;QAC1B,IAAI,OAAsB,CAAC;QAE3B,UAAU,CAAC,GAAG,EAAE;YACd,OAAO,GAAG,iBAAiB,EAAE,CAAC;YAC9B,OAAO,GAAG,IAAI,YAAY,CAAC,gBAAgB,EAAE,EAAE;gBAC7C,OAAO,EAAE,2CAA2C;gBACpD,OAAO,EAAE,OAAO;aACjB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,OAAO,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;YAE7E,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;YAC7C,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CACtC,cAAc,EACd,KAAK,EACL,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;YACF,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CACtC,eAAe,EACf,KAAK,EACL,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,eAAe,CAAC,eAAe,CAAC,CAAC;YAExD,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACvD,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,eAAe,CAAC,gBAAgB,CAAC,CAAC;YAEzD,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uBAAuB,EAAE,GAAG,EAAE;YAC/B,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;iBACnB,mBAAmB,CAAC,YAAY,CAAC;iBACjC,mBAAmB,CAAC,aAAa,CAAC;iBAClC,mBAAmB,CAAC,YAAY,CAAC,CAAC;YAErC,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC;gBAC/B,WAAW,EAAE,YAAY;gBACzB,YAAY,EAAE,aAAa;gBAC3B,QAAQ,EAAE,YAAY;aACvB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;YAChE,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iCAAiC,EAAE,GAAG,EAAE;YACzC,OAAO,CAAC,KAAK,EAAE,CAAC;YAEhB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,KAAK,IAAI,EAAE;YACjD,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;YAErD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,uBAAuB,EAAE,CAAC;YAExD,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sEAAsE,EAAE,KAAK,IAAI,EAAE;YACpF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,uBAAuB,EAAE,CAAC;YAExD,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC7B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/TokenStorage.d.ts

@@ -0,0 +1,17 @@
+import type { CookieAdapter, TokenPair, TokenStorageOptions } from "./types.js";
+export declare class TokenStorage {
+    private readonly cookies;
+    private readonly accessName;
+    private readonly refreshName;
+    private readonly deviceIdName;
+    private readonly setOptions;
+    private readonly removeOptions;
+    constructor(cookies: CookieAdapter, options?: TokenStorageOptions);
+    readonly save: (tokens: TokenPair) => void;
+    readonly getAccessToken: () => string | null;
+    readonly getRefreshToken: () => string | null;
+    readonly getDeviceId: () => string | null;
+    readonly getAll: () => TokenPair | null;
+    readonly clear: () => void;
+}
+//# sourceMappingURL=TokenStorage.d.ts.map

package/dist/TokenStorage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenStorage.d.ts","sourceRoot":"","sources":["../src/TokenStorage.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,aAAa,EAGb,SAAS,EACT,mBAAmB,EACpB,MAAM,YAAY,CAAC;AAQpB,qBAAa,YAAY;IAYrB,OAAO,CAAC,QAAQ,CAAC,OAAO;IAX1B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAIzB;IACF,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAsB;gBAGjC,OAAO,EAAE,aAAa,EACvC,OAAO,GAAE,mBAAwB;IAsCnC,QAAQ,CAAC,IAAI,GAAI,QAAQ,SAAS,KAAG,IAAI,CAIvC;IAEF,QAAQ,CAAC,cAAc,QAAO,MAAM,GAAG,IAAI,CACP;IAEpC,QAAQ,CAAC,eAAe,QAAO,MAAM,GAAG,IAAI,CACP;IAErC,QAAQ,CAAC,WAAW,QAAO,MAAM,GAAG,IAAI,CACF;IAEtC,QAAQ,CAAC,MAAM,QAAO,SAAS,GAAG,IAAI,CAMpC;IAEF,QAAQ,CAAC,KAAK,QAAO,IAAI,CAGvB;CACH"}

package/dist/TokenStorage.js

@@ -0,0 +1,68 @@
+const DEFAULT_ACCESS_TOKEN_NAME = "access_token";
+const DEFAULT_REFRESH_TOKEN_NAME = "refresh_token";
+const DEFAULT_DEVICE_ID_NAME = "device_id";
+const DEFAULT_ACCESS_TOKEN_MAX_AGE = 900;
+const DEFAULT_REFRESH_TOKEN_MAX_AGE = 2_592_000;
+export class TokenStorage {
+    cookies;
+    accessName;
+    refreshName;
+    deviceIdName;
+    setOptions;
+    removeOptions;
+    constructor(cookies, options = {}) {
+        this.cookies = cookies;
+        this.accessName = options.accessTokenName ?? DEFAULT_ACCESS_TOKEN_NAME;
+        this.refreshName = options.refreshTokenName ?? DEFAULT_REFRESH_TOKEN_NAME;
+        this.deviceIdName = options.deviceIdName ?? DEFAULT_DEVICE_ID_NAME;
+        const path = options.path ?? "/";
+        const domain = options.domain;
+        const secure = options.secure ?? true;
+        const sameSite = options.sameSite ?? "Lax";
+        this.setOptions = {
+            access: {
+                path,
+                domain,
+                secure,
+                sameSite,
+                maxAge: options.accessTokenMaxAge ?? DEFAULT_ACCESS_TOKEN_MAX_AGE,
+            },
+            refresh: {
+                path,
+                domain,
+                secure,
+                sameSite,
+                maxAge: options.refreshTokenMaxAge ?? DEFAULT_REFRESH_TOKEN_MAX_AGE,
+            },
+            deviceId: {
+                path,
+                domain,
+                secure,
+                sameSite,
+                maxAge: options.refreshTokenMaxAge ?? DEFAULT_REFRESH_TOKEN_MAX_AGE,
+            },
+        };
+        this.removeOptions = { path, domain };
+    }
+    save = (tokens) => {
+        this.cookies.set(this.accessName, tokens.accessToken, this.setOptions.access);
+        this.cookies.set(this.refreshName, tokens.refreshToken, this.setOptions.refresh);
+        this.cookies.set(this.deviceIdName, tokens.deviceId, this.setOptions.deviceId);
+    };
+    getAccessToken = () => this.cookies.get(this.accessName);
+    getRefreshToken = () => this.cookies.get(this.refreshName);
+    getDeviceId = () => this.cookies.get(this.deviceIdName);
+    getAll = () => {
+        const accessToken = this.getAccessToken();
+        const refreshToken = this.getRefreshToken();
+        const deviceId = this.getDeviceId();
+        if (accessToken === null || refreshToken === null || deviceId === null)
+            return null;
+        return { accessToken, refreshToken, deviceId };
+    };
+    clear = () => {
+        this.cookies.remove(this.accessName, this.removeOptions);
+        this.cookies.remove(this.refreshName, this.removeOptions);
+    };
+}
+//# sourceMappingURL=TokenStorage.js.map

package/dist/TokenStorage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenStorage.js","sourceRoot":"","sources":["../src/TokenStorage.ts"],"names":[],"mappings":"AAQA,MAAM,yBAAyB,GAAG,cAAc,CAAC;AACjD,MAAM,0BAA0B,GAAG,eAAe,CAAC;AACnD,MAAM,sBAAsB,GAAG,WAAW,CAAC;AAC3C,MAAM,4BAA4B,GAAG,GAAG,CAAC;AACzC,MAAM,6BAA6B,GAAG,SAAS,CAAC;AAEhD,MAAM,OAAO,YAAY;IAYJ;IAXF,UAAU,CAAS;IACnB,WAAW,CAAS;IACpB,YAAY,CAAS;IACrB,UAAU,CAIzB;IACe,aAAa,CAAsB;IAEpD,YACmB,OAAsB,EACvC,UAA+B,EAAE;QADhB,YAAO,GAAP,OAAO,CAAe;QAGvC,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,eAAe,IAAI,yBAAyB,CAAC;QACvE,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,gBAAgB,IAAI,0BAA0B,CAAC;QAC1E,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,sBAAsB,CAAC;QAEnE,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,GAAG,CAAC;QACjC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;QAC9B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC;QACtC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,KAAK,CAAC;QAE3C,IAAI,CAAC,UAAU,GAAG;YAChB,MAAM,EAAE;gBACN,IAAI;gBACJ,MAAM;gBACN,MAAM;gBACN,QAAQ;gBACR,MAAM,EAAE,OAAO,CAAC,iBAAiB,IAAI,4BAA4B;aAClE;YACD,OAAO,EAAE;gBACP,IAAI;gBACJ,MAAM;gBACN,MAAM;gBACN,QAAQ;gBACR,MAAM,EAAE,OAAO,CAAC,kBAAkB,IAAI,6BAA6B;aACpE;YACD,QAAQ,EAAE;gBACR,IAAI;gBACJ,MAAM;gBACN,MAAM;gBACN,QAAQ;gBACR,MAAM,EAAE,OAAO,CAAC,kBAAkB,IAAI,6BAA6B;aACpE;SACF,CAAC;QAEF,IAAI,CAAC,aAAa,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IACxC,CAAC;IAEQ,IAAI,GAAG,CAAC,MAAiB,EAAQ,EAAE;QAC1C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC9E,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACjF,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,EAAE,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IACjF,CAAC,CAAC;IAEO,cAAc,GAAG,GAAkB,EAAE,CAC5C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAE3B,eAAe,GAAG,GAAkB,EAAE,CAC7C,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAE5B,WAAW,GAAG,GAAkB,EAAE,CACzC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAE7B,MAAM,GAAG,GAAqB,EAAE;QACvC,MAAM,WAAW,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QAC1C,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;QAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACpC,IAAI,WAAW,KAAK,IAAI,IAAI,YAAY,KAAK,IAAI,IAAI,QAAQ,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QACpF,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,CAAC;IACjD,CAAC,CAAC;IAEO,KAAK,GAAG,GAAS,EAAE;QAC1B,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;QACzD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;IAC5D,CAAC,CAAC;CACH"}

package/dist/TokenStorage.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=TokenStorage.test.d.ts.map

package/dist/TokenStorage.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenStorage.test.d.ts","sourceRoot":"","sources":["../src/TokenStorage.test.ts"],"names":[],"mappings":""}

package/dist/TokenStorage.test.js

@@ -0,0 +1,179 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { TokenStorage } from "./TokenStorage.js";
+const createMockAdapter = () => ({
+    get: vi.fn().mockReturnValue(null),
+    set: vi.fn(),
+    remove: vi.fn(),
+});
+describe("TokenStorage", () => {
+    let adapter;
+    beforeEach(() => {
+        adapter = createMockAdapter();
+    });
+    describe("save", () => {
+        it("should set both tokens via adapter with correct options", () => {
+            const storage = new TokenStorage(adapter);
+            storage.save({ accessToken: "abc", refreshToken: "xyz", deviceId: "dev-1" });
+            expect(adapter.set).toHaveBeenCalledWith("access_token", "abc", {
+                path: "/",
+                domain: undefined,
+                secure: true,
+                sameSite: "Lax",
+                maxAge: 900,
+            });
+            expect(adapter.set).toHaveBeenCalledWith("refresh_token", "xyz", {
+                path: "/",
+                domain: undefined,
+                secure: true,
+                sameSite: "Lax",
+                maxAge: 2_592_000,
+            });
+            expect(adapter.set).toHaveBeenCalledWith("device_id", "dev-1", {
+                path: "/",
+                domain: undefined,
+                secure: true,
+                sameSite: "Lax",
+                maxAge: 2_592_000,
+            });
+        });
+        it("should use custom cookie names", () => {
+            const storage = new TokenStorage(adapter, {
+                accessTokenName: "at",
+                refreshTokenName: "rt",
+            });
+            storage.save({ accessToken: "a1", refreshToken: "r1", deviceId: "dev-1" });
+            expect(adapter.set).toHaveBeenCalledWith("at", "a1", expect.any(Object));
+            expect(adapter.set).toHaveBeenCalledWith("rt", "r1", expect.any(Object));
+        });
+        it("should pass custom cookie options", () => {
+            const storage = new TokenStorage(adapter, {
+                path: "/app",
+                domain: ".example.com",
+                secure: false,
+                sameSite: "Strict",
+                accessTokenMaxAge: 60,
+                refreshTokenMaxAge: 120,
+            });
+            storage.save({ accessToken: "a", refreshToken: "r", deviceId: "dev-1" });
+            expect(adapter.set).toHaveBeenCalledWith("access_token", "a", {
+                path: "/app",
+                domain: ".example.com",
+                secure: false,
+                sameSite: "Strict",
+                maxAge: 60,
+            });
+            expect(adapter.set).toHaveBeenCalledWith("refresh_token", "r", {
+                path: "/app",
+                domain: ".example.com",
+                secure: false,
+                sameSite: "Strict",
+                maxAge: 120,
+            });
+            expect(adapter.set).toHaveBeenCalledWith("device_id", "dev-1", {
+                path: "/app",
+                domain: ".example.com",
+                secure: false,
+                sameSite: "Strict",
+                maxAge: 120,
+            });
+        });
+    });
+    describe("getAccessToken", () => {
+        it("should delegate to adapter.get with access token name", () => {
+            vi.mocked(adapter.get).mockReturnValue("token123");
+            const storage = new TokenStorage(adapter);
+            expect(storage.getAccessToken()).toBe("token123");
+            expect(adapter.get).toHaveBeenCalledWith("access_token");
+        });
+        it("should return null when adapter returns null", () => {
+            const storage = new TokenStorage(adapter);
+            expect(storage.getAccessToken()).toBeNull();
+        });
+        it("should use custom access token name", () => {
+            const storage = new TokenStorage(adapter, {
+                accessTokenName: "my_at",
+            });
+            storage.getAccessToken();
+            expect(adapter.get).toHaveBeenCalledWith("my_at");
+        });
+    });
+    describe("getRefreshToken", () => {
+        it("should delegate to adapter.get with refresh token name", () => {
+            vi.mocked(adapter.get).mockReturnValue("refresh123");
+            const storage = new TokenStorage(adapter);
+            expect(storage.getRefreshToken()).toBe("refresh123");
+            expect(adapter.get).toHaveBeenCalledWith("refresh_token");
+        });
+        it("should return null when adapter returns null", () => {
+            const storage = new TokenStorage(adapter);
+            expect(storage.getRefreshToken()).toBeNull();
+        });
+    });
+    describe("getAll", () => {
+        it("should return all tokens when present", () => {
+            vi.mocked(adapter.get)
+                .mockReturnValueOnce("access-val")
+                .mockReturnValueOnce("refresh-val")
+                .mockReturnValueOnce("device-val");
+            const storage = new TokenStorage(adapter);
+            expect(storage.getAll()).toEqual({
+                accessToken: "access-val",
+                refreshToken: "refresh-val",
+                deviceId: "device-val",
+            });
+        });
+        it("should return null when access token is missing", () => {
+            vi.mocked(adapter.get)
+                .mockReturnValueOnce(null)
+                .mockReturnValueOnce("refresh-val")
+                .mockReturnValueOnce("device-val");
+            const storage = new TokenStorage(adapter);
+            expect(storage.getAll()).toBeNull();
+        });
+        it("should return null when refresh token is missing", () => {
+            vi.mocked(adapter.get)
+                .mockReturnValueOnce("access-val")
+                .mockReturnValueOnce(null)
+                .mockReturnValueOnce("device-val");
+            const storage = new TokenStorage(adapter);
+            expect(storage.getAll()).toBeNull();
+        });
+        it("should return null when device id is missing", () => {
+            vi.mocked(adapter.get)
+                .mockReturnValueOnce("access-val")
+                .mockReturnValueOnce("refresh-val")
+                .mockReturnValueOnce(null);
+            const storage = new TokenStorage(adapter);
+            expect(storage.getAll()).toBeNull();
+        });
+        it("should return null when all tokens are missing", () => {
+            const storage = new TokenStorage(adapter);
+            expect(storage.getAll()).toBeNull();
+        });
+    });
+    describe("clear", () => {
+        it("should remove both tokens via adapter", () => {
+            const storage = new TokenStorage(adapter);
+            storage.clear();
+            expect(adapter.remove).toHaveBeenCalledWith("access_token", {
+                path: "/",
+                domain: undefined,
+            });
+            expect(adapter.remove).toHaveBeenCalledWith("refresh_token", {
+                path: "/",
+                domain: undefined,
+            });
+        });
+        it("should pass domain to remove options", () => {
+            const storage = new TokenStorage(adapter, {
+                domain: ".example.com",
+            });
+            storage.clear();
+            expect(adapter.remove).toHaveBeenCalledWith("access_token", {
+                path: "/",
+                domain: ".example.com",
+            });
+        });
+    });
+});
+//# sourceMappingURL=TokenStorage.test.js.map

package/dist/TokenStorage.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenStorage.test.js","sourceRoot":"","sources":["../src/TokenStorage.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAC9D,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAGjD,MAAM,iBAAiB,GAAG,GAAkB,EAAE,CAAC,CAAC;IAC9C,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC;IAClC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE;IACZ,MAAM,EAAE,EAAE,CAAC,EAAE,EAAE;CAChB,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,IAAI,OAAsB,CAAC;IAE3B,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,GAAG,iBAAiB,EAAE,CAAC;IAChC,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,MAAM,EAAE,GAAG,EAAE;QACpB,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;YACjE,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,OAAO,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;YAE7E,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,cAAc,EAAE,KAAK,EAAE;gBAC9D,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,GAAG;aACZ,CAAC,CAAC;YACH,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,eAAe,EAAE,KAAK,EAAE;gBAC/D,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,SAAS;aAClB,CAAC,CAAC;YACH,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,WAAW,EAAE,OAAO,EAAE;gBAC7D,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,KAAK;gBACf,MAAM,EAAE,SAAS;aAClB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;YACxC,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,EAAE;gBACxC,eAAe,EAAE,IAAI;gBACrB,gBAAgB,EAAE,IAAI;aACvB,CAAC,CAAC;YAEH,OAAO,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;YAE3E,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CACtC,IAAI,EACJ,IAAI,EACJ,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;YACF,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CACtC,IAAI,EACJ,IAAI,EACJ,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CACnB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,EAAE;gBACxC,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,cAAc;gBACtB,MAAM,EAAE,KAAK;gBACb,QAAQ,EAAE,QAAQ;gBAClB,iBAAiB,EAAE,EAAE;gBACrB,kBAAkB,EAAE,GAAG;aACxB,CAAC,CAAC;YAEH,OAAO,CAAC,IAAI,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,YAAY,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;YAEzE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,cAAc,EAAE,GAAG,EAAE;gBAC5D,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,cAAc;gBACtB,MAAM,EAAE,KAAK;gBACb,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,EAAE;aACX,CAAC,CAAC;YACH,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,eAAe,EAAE,GAAG,EAAE;gBAC7D,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,cAAc;gBACtB,MAAM,EAAE,KAAK;gBACb,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,GAAG;aACZ,CAAC,CAAC;YACH,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,WAAW,EAAE,OAAO,EAAE;gBAC7D,IAAI,EAAE,MAAM;gBACZ,MAAM,EAAE,cAAc;gBACtB,MAAM,EAAE,KAAK;gBACb,QAAQ,EAAE,QAAQ;gBAClB,MAAM,EAAE,GAAG;aACZ,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;QAC9B,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;YAC/D,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAClD,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,cAAc,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE;YAC7C,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,EAAE;gBACxC,eAAe,EAAE,OAAO;aACzB,CAAC,CAAC;YAEH,OAAO,CAAC,cAAc,EAAE,CAAC;YAEzB,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;YAChE,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;YACrD,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YACrD,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,eAAe,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,QAAQ,EAAE,GAAG,EAAE;QACtB,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;iBACnB,mBAAmB,CAAC,YAAY,CAAC;iBACjC,mBAAmB,CAAC,aAAa,CAAC;iBAClC,mBAAmB,CAAC,YAAY,CAAC,CAAC;YAErC,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC;gBAC/B,WAAW,EAAE,YAAY;gBACzB,YAAY,EAAE,aAAa;gBAC3B,QAAQ,EAAE,YAAY;aACvB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;iBACnB,mBAAmB,CAAC,IAAI,CAAC;iBACzB,mBAAmB,CAAC,aAAa,CAAC;iBAClC,mBAAmB,CAAC,YAAY,CAAC,CAAC;YAErC,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;YAC1D,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;iBACnB,mBAAmB,CAAC,YAAY,CAAC;iBACjC,mBAAmB,CAAC,IAAI,CAAC;iBACzB,mBAAmB,CAAC,YAAY,CAAC,CAAC;YAErC,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;YACtD,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC;iBACnB,mBAAmB,CAAC,YAAY,CAAC;iBACjC,mBAAmB,CAAC,aAAa,CAAC;iBAClC,mBAAmB,CAAC,IAAI,CAAC,CAAC;YAE7B,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;YACxD,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,OAAO,EAAE,GAAG,EAAE;QACrB,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YAE1C,OAAO,CAAC,KAAK,EAAE,CAAC;YAEhB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,cAAc,EAAE;gBAC1D,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,SAAS;aAClB,CAAC,CAAC;YACH,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,eAAe,EAAE;gBAC3D,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,SAAS;aAClB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,OAAO,EAAE;gBACxC,MAAM,EAAE,cAAc;aACvB,CAAC,CAAC;YAEH,OAAO,CAAC,KAAK,EAAE,CAAC;YAEhB,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,oBAAoB,CAAC,cAAc,EAAE;gBAC1D,IAAI,EAAE,GAAG;gBACT,MAAM,EAAE,cAAc;aACvB,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/TokenVerifier.d.ts

@@ -0,0 +1,13 @@
+import { type JWTPayload } from "jose";
+export declare class TokenVerifier {
+    private readonly jwksUrl;
+    private readonly cacheTtlMs;
+    private cached;
+    constructor(jwksUrl: string, cacheTtlMs?: number);
+    private readonly fetchJwks;
+    private readonly getCachedOrFetch;
+    private readonly resolveKey;
+    readonly verifyToken: (token: string) => Promise<JWTPayload>;
+    readonly clearKeyCache: () => void;
+}
+//# sourceMappingURL=TokenVerifier.d.ts.map

package/dist/TokenVerifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.d.ts","sourceRoot":"","sources":["../src/TokenVerifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,KAAK,UAAU,EAGhB,MAAM,MAAM,CAAC;AAmCd,qBAAa,aAAa;IAItB,OAAO,CAAC,QAAQ,CAAC,OAAO;IACxB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAJ7B,OAAO,CAAC,MAAM,CAA2B;gBAGtB,OAAO,EAAE,MAAM,EACf,UAAU,GAAE,MAA6B;IAG5D,OAAO,CAAC,QAAQ,CAAC,SAAS,CAOxB;IAEF,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAO/B;IAEF,OAAO,CAAC,QAAQ,CAAC,UAAU,CAczB;IAEF,QAAQ,CAAC,WAAW,GAAU,OAAO,MAAM,KAAG,OAAO,CAAC,UAAU,CAAC,CAS/D;IAEF,QAAQ,CAAC,aAAa,QAAO,IAAI,CAE/B;CACH"}

package/dist/TokenVerifier.js

@@ -0,0 +1,61 @@
+import { jwtVerify, importJWK, decodeProtectedHeader, } from "jose";
+import axios from "axios";
+const DEFAULT_CACHE_TTL_MS = 3_600_000;
+const importKeysFromJwks = async (jwks) => {
+    const keysWithKid = jwks.filter((jwk) => typeof jwk.kid === "string");
+    const entries = await Promise.all(keysWithKid.map(async (jwk) => {
+        const imported = await importJWK(jwk);
+        if (imported instanceof Uint8Array) {
+            throw new Error(`Symmetric key (kid: ${jwk.kid}) is not supported`);
+        }
+        return [jwk.kid, imported];
+    }));
+    return new Map(entries);
+};
+export class TokenVerifier {
+    jwksUrl;
+    cacheTtlMs;
+    cached = null;
+    constructor(jwksUrl, cacheTtlMs = DEFAULT_CACHE_TTL_MS) {
+        this.jwksUrl = jwksUrl;
+        this.cacheTtlMs = cacheTtlMs;
+    }
+    fetchJwks = async () => {
+        const { data } = await axios.get(this.jwksUrl);
+        const keys = await importKeysFromJwks(data.keys);
+        this.cached = { keys, fetchedAt: Date.now() };
+        return keys;
+    };
+    getCachedOrFetch = async () => {
+        if (this.cached && Date.now() - this.cached.fetchedAt < this.cacheTtlMs) {
+            return this.cached.keys;
+        }
+        return this.fetchJwks();
+    };
+    resolveKey = async (kid) => {
+        const keys = await this.getCachedOrFetch();
+        const key = keys.get(kid);
+        if (key)
+            return key;
+        this.cached = null;
+        const freshKeys = await this.fetchJwks();
+        const freshKey = freshKeys.get(kid);
+        if (!freshKey) {
+            throw new Error(`Key with kid "${kid}" not found in JWKS`);
+        }
+        return freshKey;
+    };
+    verifyToken = async (token) => {
+        const header = decodeProtectedHeader(token);
+        if (!header.kid) {
+            throw new Error("Token header is missing 'kid' claim");
+        }
+        const key = await this.resolveKey(header.kid);
+        const { payload } = await jwtVerify(token, key);
+        return payload;
+    };
+    clearKeyCache = () => {
+        this.cached = null;
+    };
+}
+//# sourceMappingURL=TokenVerifier.js.map

package/dist/TokenVerifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.js","sourceRoot":"","sources":["../src/TokenVerifier.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,SAAS,EACT,qBAAqB,GAItB,MAAM,MAAM,CAAC;AACd,OAAO,KAAK,MAAM,OAAO,CAAC;AAW1B,MAAM,oBAAoB,GAAG,SAAS,CAAC;AAEvC,MAAM,kBAAkB,GAAG,KAAK,EAC9B,IAAoB,EACyB,EAAE;IAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAC7B,CAAC,GAAG,EAAyC,EAAE,CAC7C,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,CAC9B,CAAC;IAEF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,WAAW,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAC5B,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,QAAQ,YAAY,UAAU,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,uBAAuB,GAAG,CAAC,GAAG,oBAAoB,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAU,CAAC;IACtC,CAAC,CAAC,CACH,CAAC;IAEF,OAAO,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;AAC1B,CAAC,CAAC;AAEF,MAAM,OAAO,aAAa;IAIL;IACA;IAJX,MAAM,GAAsB,IAAI,CAAC;IAEzC,YACmB,OAAe,EACf,aAAqB,oBAAoB;QADzC,YAAO,GAAP,OAAO,CAAQ;QACf,eAAU,GAAV,UAAU,CAA+B;IACzD,CAAC;IAEa,SAAS,GAAG,KAAK,IAEhC,EAAE;QACF,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,KAAK,CAAC,GAAG,CAAe,IAAI,CAAC,OAAO,CAAC,CAAC;QAC7D,MAAM,IAAI,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;IAEe,gBAAgB,GAAG,KAAK,IAEvC,EAAE;QACF,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;YACxE,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC;IAC1B,CAAC,CAAC;IAEe,UAAU,GAAG,KAAK,EACjC,GAAW,EACa,EAAE;QAC1B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC1B,IAAI,GAAG;YAAE,OAAO,GAAG,CAAC;QAEpB,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;QACnB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,iBAAiB,GAAG,qBAAqB,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC,CAAC;IAEO,WAAW,GAAG,KAAK,EAAE,KAAa,EAAuB,EAAE;QAClE,MAAM,MAAM,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QAC5C,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;QAChD,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC;IAEO,aAAa,GAAG,GAAS,EAAE;QAClC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC;IACrB,CAAC,CAAC;CACH"}

package/dist/TokenVerifier.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=TokenVerifier.test.d.ts.map

package/dist/TokenVerifier.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TokenVerifier.test.d.ts","sourceRoot":"","sources":["../src/TokenVerifier.test.ts"],"names":[],"mappings":""}

package/dist/TokenVerifier.test.js

@@ -0,0 +1,117 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { TokenVerifier } from "./TokenVerifier.js";
+import { generateKeyPair, exportJWK, SignJWT, } from "jose";
+import axios from "axios";
+vi.mock("axios", async (importOriginal) => {
+    const actual = await importOriginal();
+    return {
+        ...actual,
+        default: {
+            ...actual.default,
+            get: vi.fn(),
+        },
+    };
+});
+const JWKS_URL = "https://authticon.com/.well-known/jwks.json";
+const createTestKeyPair = async (kid) => {
+    const { publicKey, privateKey } = await generateKeyPair("RS256");
+    const jwk = await exportJWK(publicKey);
+    jwk.kid = kid;
+    jwk.use = "sig";
+    jwk.alg = "RS256";
+    return { publicKey, privateKey, jwk };
+};
+const signToken = (privateKey, kid, claims = {}) => new SignJWT(claims)
+    .setProtectedHeader({ alg: "RS256", kid })
+    .setIssuedAt()
+    .setExpirationTime("1h")
+    .sign(privateKey);
+describe("TokenVerifier", () => {
+    beforeEach(() => {
+        vi.clearAllMocks();
+        vi.useRealTimers();
+    });
+    it("should verify a valid token", async () => {
+        const { privateKey, jwk } = await createTestKeyPair("key-1");
+        vi.mocked(axios.get).mockResolvedValue({ data: { keys: [jwk] } });
+        const verifier = new TokenVerifier(JWKS_URL);
+        const token = await signToken(privateKey, "key-1", { sub: "user-123" });
+        const payload = await verifier.verifyToken(token);
+        expect(payload.sub).toBe("user-123");
+        expect(axios.get).toHaveBeenCalledWith(JWKS_URL);
+    });
+    it("should cache JWKS keys across multiple verify calls", async () => {
+        const { privateKey, jwk } = await createTestKeyPair("key-1");
+        vi.mocked(axios.get).mockResolvedValue({ data: { keys: [jwk] } });
+        const verifier = new TokenVerifier(JWKS_URL);
+        const token1 = await signToken(privateKey, "key-1", { sub: "user-1" });
+        const token2 = await signToken(privateKey, "key-1", { sub: "user-2" });
+        await verifier.verifyToken(token1);
+        await verifier.verifyToken(token2);
+        expect(axios.get).toHaveBeenCalledTimes(1);
+    });
+    it("should refetch JWKS when kid is not found (key rotation)", async () => {
+        const key1 = await createTestKeyPair("key-1");
+        const key2 = await createTestKeyPair("key-2");
+        vi.mocked(axios.get)
+            .mockResolvedValueOnce({ data: { keys: [key1.jwk] } })
+            .mockResolvedValueOnce({ data: { keys: [key1.jwk, key2.jwk] } });
+        const verifier = new TokenVerifier(JWKS_URL);
+        const token1 = await signToken(key1.privateKey, "key-1");
+        await verifier.verifyToken(token1);
+        const token2 = await signToken(key2.privateKey, "key-2");
+        await verifier.verifyToken(token2);
+        expect(axios.get).toHaveBeenCalledTimes(2);
+    });
+    it("should throw when kid is missing from token header", async () => {
+        const { privateKey } = await generateKeyPair("RS256");
+        const token = await new SignJWT({ sub: "user-123" })
+            .setProtectedHeader({ alg: "RS256" })
+            .setIssuedAt()
+            .setExpirationTime("1h")
+            .sign(privateKey);
+        const verifier = new TokenVerifier(JWKS_URL);
+        await expect(verifier.verifyToken(token)).rejects.toThrow("kid");
+    });
+    it("should throw when key is not found after refetch", async () => {
+        const { jwk } = await createTestKeyPair("key-1");
+        vi.mocked(axios.get).mockResolvedValue({ data: { keys: [jwk] } });
+        const verifier = new TokenVerifier(JWKS_URL);
+        const { privateKey: otherKey } = await generateKeyPair("RS256");
+        const token = await signToken(otherKey, "unknown-kid");
+        await expect(verifier.verifyToken(token)).rejects.toThrow("not found in JWKS");
+    });
+    it("should clear cache on clearKeyCache()", async () => {
+        const { privateKey, jwk } = await createTestKeyPair("key-1");
+        vi.mocked(axios.get).mockResolvedValue({ data: { keys: [jwk] } });
+        const verifier = new TokenVerifier(JWKS_URL);
+        const token = await signToken(privateKey, "key-1");
+        await verifier.verifyToken(token);
+        verifier.clearKeyCache();
+        await verifier.verifyToken(token);
+        expect(axios.get).toHaveBeenCalledTimes(2);
+    });
+    it("should refetch JWKS when cache TTL expires", async () => {
+        vi.useFakeTimers();
+        const { privateKey, jwk } = await createTestKeyPair("key-1");
+        vi.mocked(axios.get).mockResolvedValue({ data: { keys: [jwk] } });
+        const verifier = new TokenVerifier(JWKS_URL, 1000);
+        const token = await signToken(privateKey, "key-1");
+        await verifier.verifyToken(token);
+        vi.advanceTimersByTime(1001);
+        await verifier.verifyToken(token);
+        expect(axios.get).toHaveBeenCalledTimes(2);
+    });
+    it("should skip JWK entries without kid", async () => {
+        const { privateKey } = await generateKeyPair("RS256");
+        const jwkWithoutKid = await exportJWK((await generateKeyPair("RS256")).publicKey);
+        const { jwk: jwkWithKid } = await createTestKeyPair("key-1");
+        vi.mocked(axios.get).mockResolvedValue({
+            data: { keys: [jwkWithoutKid, jwkWithKid] },
+        });
+        const verifier = new TokenVerifier(JWKS_URL);
+        const token = await signToken(privateKey, "key-no-match");
+        await expect(verifier.verifyToken(token)).rejects.toThrow("not found in JWKS");
+    });
+});
+//# sourceMappingURL=TokenVerifier.test.js.map