@authup/server-kit 1.0.0-beta.23 → 1.0.0-beta.24

package/dist/index.cjs

@@ -1,39 +1,20 @@
 'use strict';
 
 var bcrypt = require('@node-rs/bcrypt');
-var node_crypto = require('node:crypto');
 var kit = require('@authup/kit');
-var path = require('node:path');
-var fs = require('node:fs');
+var specs = require('@authup/specs');
 var jsonwebtoken = require('@node-rs/jsonwebtoken');
 var smob = require('smob');
 var redisExtension = require('redis-extension');
 var singa = require('singa');
 var TTLCache = require('@isaacs/ttlcache');
-var process$1 = require('node:process');
+var path = require('node:path');
+var process = require('node:process');
 var winston = require('winston');
 var vault = require('@hapic/vault');
+var coreRealtimeKit = require('@authup/core-realtime-kit');
 var redisEmitter = require('@socket.io/redis-emitter');
 
-function _interopNamespaceDefault(e) {
-    var n = Object.create(null);
-    if (e) {
-        Object.keys(e).forEach(function (k) {
-            if (k !== 'default') {
-                var d = Object.getOwnPropertyDescriptor(e, k);
-                Object.defineProperty(n, k, d.get ? d : {
-                    enumerable: true,
-                    get: function () { return e[k]; }
-                });
-            }
-        });
-    }
-    n.default = e;
-    return Object.freeze(n);
-}
-
-var process__namespace = /*#__PURE__*/_interopNamespaceDefault(process$1);
-
 async function compare(value, hashedValue) {
     return bcrypt.compare(value, hashedValue);
 }
@@ -47,103 +28,124 @@ async function hash(str, rounds = 10) {
  * Author Peter Placzek (tada5hi)
  * For the full copyright and license information,
  * view the LICENSE file that was distributed with this source code.
- */ var KeyPairKind = /*#__PURE__*/ function(KeyPairKind) {
-    KeyPairKind["PRIVATE"] = "private";
-    KeyPairKind["PUBLIC"] = "public";
-    return KeyPairKind;
+ */ var CryptoAsymmetricAlgorithm = /*#__PURE__*/ function(CryptoAsymmetricAlgorithm) {
+    CryptoAsymmetricAlgorithm["RSA_PSS"] = "RSA-PSS";
+    CryptoAsymmetricAlgorithm["RSASSA_PKCS1_V1_5"] = "RSASSA-PKCS1-v1_5";
+    CryptoAsymmetricAlgorithm["RSA_OAEP"] = "RSA-OAEP";
+    CryptoAsymmetricAlgorithm["ECDSA"] = "ECDSA";
+    CryptoAsymmetricAlgorithm["ECDH"] = "ECDH";
+    return CryptoAsymmetricAlgorithm;
 }({});
 
-function isKeyPair(data) {
-    return kit.isObject(data) && typeof data.privateKey !== 'undefined' && typeof data.publicKey !== 'undefined';
-}
-function isKeyPairWithPublicKey(data) {
-    return kit.isObject(data) && typeof data.publicKey !== 'undefined';
+function isAsymmetricAlgorithm(input) {
+    return Object.values(CryptoAsymmetricAlgorithm).indexOf(input) !== -1;
 }
 
-function extendKeyPairOptions(options) {
-    var _options;
-    options = options ?? {};
-    options.directory = options.directory || process.cwd();
-    options.directory = path.isAbsolute(options.directory) ? options.directory : path.resolve(process.cwd(), options.directory);
-    (_options = options).type ?? (_options.type = 'rsa');
-    if (options.type === 'rsa' || options.type === 'rsa-pss' || options.type === 'dsa') {
-        options.modulusLength = 2048;
-    }
-    if (!options.privateKeyEncoding) {
-        options.privateKeyEncoding = {
-            type: 'pkcs8',
-            format: 'pem'
-        };
+/**
+ * @see https://nodejs.org/api/webcrypto.html#cryptokeyusages
+ */ function getKeyUsagesForAsymmetricAlgorithm(name, format) {
+    if (name === CryptoAsymmetricAlgorithm.RSA_PSS || name === CryptoAsymmetricAlgorithm.ECDSA || name === CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5) {
+        if (format === 'spki') {
+            return [
+                'verify'
+            ];
+        }
+        if (format === 'pkcs8') {
+            return [
+                'sign'
+            ];
+        }
+        return [
+            'sign',
+            'verify'
+        ];
     }
-    if (!options.publicKeyEncoding) {
-        options.publicKeyEncoding = {
-            type: 'spki',
-            format: 'pem'
-        };
+    if (name === CryptoAsymmetricAlgorithm.ECDH) {
+        if (format === 'spki') {
+            return [];
+        }
+        return [
+            'deriveKey',
+            'deriveBits'
+        ];
     }
-    if (options.privateKeyEncoding.passphrase && !options.privateKeyEncoding.cipher) {
-        options.privateKeyEncoding.cipher = 'aes-256-cbc';
+    if (name === CryptoAsymmetricAlgorithm.RSA_OAEP) {
+        if (format === 'spki') {
+            return [
+                'encrypt'
+            ];
+        }
+        if (format === 'pkcs8') {
+            return [
+                'decrypt'
+            ];
+        }
+        return [
+            'encrypt',
+            'decrypt'
+        ];
     }
-    return options;
+    throw new SyntaxError(`Key usages can not be determined for asymmetric algorithm: ${name}`);
 }
 
-function buildKeyFileName(type, context) {
-    const options = extendKeyPairOptions(context);
-    const parts = [];
-    switch(type){
-        case KeyPairKind.PRIVATE:
+function normalizeAsymmetricKeyPairCreateOptions(options) {
+    let optionsNormalized;
+    switch(options.name){
+        case CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5:
+        case CryptoAsymmetricAlgorithm.RSA_PSS:
+        case CryptoAsymmetricAlgorithm.RSA_OAEP:
             {
-                if (options.privateName) {
-                    parts.push(options.privateName);
-                } else {
-                    parts.push(type);
-                }
-                if (options.privateExtension) {
-                    if (options.privateExtension.startsWith('.')) {
-                        options.privateExtension = options.privateExtension.slice(1);
-                    }
-                    parts.push(options.privateExtension);
-                } else {
-                    parts.push('pem');
-                }
+                optionsNormalized = {
+                    modulusLength: 2048,
+                    publicExponent: new Uint8Array([
+                        0x01,
+                        0x00,
+                        0x01
+                    ]),
+                    hash: 'SHA-256',
+                    ...options
+                };
                 break;
             }
-        case KeyPairKind.PUBLIC:
+        case CryptoAsymmetricAlgorithm.ECDSA:
+        case CryptoAsymmetricAlgorithm.ECDH:
             {
-                if (options.publicName) {
-                    parts.push(options.publicName);
-                } else {
-                    parts.push(type);
-                }
-                if (options.publicExtension) {
-                    if (options.publicExtension.startsWith('.')) {
-                        options.publicExtension = options.publicExtension.slice(1);
-                    }
-                    parts.push(options.publicExtension);
-                } else {
-                    parts.push('pem');
-                }
+                optionsNormalized = {
+                    namedCurve: 'P-256',
+                    ...options
+                };
+            }
+    }
+    return optionsNormalized;
+}
+function normalizeAsymmetricKeyImportOptions(options) {
+    let optionsNormalized;
+    switch(options.name){
+        case CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5:
+        case CryptoAsymmetricAlgorithm.RSA_PSS:
+        case CryptoAsymmetricAlgorithm.RSA_OAEP:
+            {
+                optionsNormalized = {
+                    hash: 'SHA-256',
+                    ...options
+                };
                 break;
             }
+        case CryptoAsymmetricAlgorithm.ECDSA:
+        case CryptoAsymmetricAlgorithm.ECDH:
+            {
+                optionsNormalized = {
+                    namedCurve: 'P-256',
+                    ...options
+                };
+            }
     }
-    return parts.join('.');
+    return optionsNormalized;
 }
 
-function decryptRSAPrivateKey(context, key) {
-    const privateKey = node_crypto.createPrivateKey({
-        type: context.privateKeyEncoding.type,
-        format: context.privateKeyEncoding.format,
-        key,
-        passphrase: context.privateKeyEncoding.passphrase || context.passphrase
-    });
-    let content = privateKey.export({
-        type: context.privateKeyEncoding.type,
-        format: context.privateKeyEncoding.format
-    });
-    if (typeof content !== 'string') {
-        content = Buffer.from(content).toString('utf-8');
-    }
-    return content;
+async function createAsymmetricKeyPair(options) {
+    const optionsNormalized = normalizeAsymmetricKeyPairCreateOptions(options);
+    return crypto.subtle.generateKey(optionsNormalized, true, getKeyUsagesForAsymmetricAlgorithm(optionsNormalized.name));
 }
 
 /*
@@ -151,172 +153,169 @@ function decryptRSAPrivateKey(context, key) {
  * Author Peter Placzek (tada5hi)
  * For the full copyright and license information,
  * view the LICENSE file that was distributed with this source code.
- */ function wrapPem(type, input) {
-    if (typeof input !== 'string') {
-        input = Buffer.from(input).toString('base64');
-    }
+ */ function enc(type, input) {
     return `-----BEGIN ${type}-----\n${input}\n-----END ${type}-----`;
 }
-function wrapPrivateKeyPem(input) {
-    return wrapPem('PRIVATE KEY', input);
+function encodePKCS8ToPEM(base64) {
+    return enc('PRIVATE KEY', base64);
 }
-function wrapPublicKeyPem(input) {
-    return wrapPem('PUBLIC KEY', input);
+function encodeSPKIToPem(input) {
+    return enc('PUBLIC KEY', input);
 }
 // ------------------------------------------------------------
-function unwrapPem(type, input) {
-    if (typeof input !== 'string') {
-        input = Buffer.from(input).toString('base64');
-    }
+function dec(type, input) {
     input = input.replace(`-----BEGIN ${type}-----\n`, '');
     input = input.replace(`\n-----END ${type}-----\n`, '');
     input = input.replace(`-----END ${type}-----\n`, '');
     input = input.replace(`\n-----END ${type}-----`, '');
     return input;
 }
-function unwrapPrivateKeyPem(input) {
-    return unwrapPem('PRIVATE KEY', input);
+function decodePemToPKCS8(input) {
+    return dec('PRIVATE KEY', input);
 }
-function unwrapPublicKeyPem(input) {
-    return unwrapPem('PUBLIC KEY', input);
+function decodePemToSpki(input) {
+    return dec('PUBLIC KEY', input);
 }
 
-async function saveKeyPair(keyPair, context) {
-    context = extendKeyPairOptions(context);
-    await fs.promises.mkdir(context.directory, {
-        recursive: true
-    });
-    await Promise.all([
-        {
-            path: path.resolve(context.directory, buildKeyFileName(KeyPairKind.PRIVATE, context)),
-            content: keyPair.privateKey
-        },
-        {
-            path: path.resolve(context.directory, buildKeyFileName(KeyPairKind.PUBLIC, context)),
-            content: keyPair.publicKey
-        }
-    ].map((file)=>fs.promises.writeFile(file.path, file.content)));
-    return keyPair;
-}
-
-async function createKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const keyPair = await new Promise((resolve, reject)=>{
-        const callback = (err, publicKey, privateKey)=>{
-            if (err) reject(err);
-            resolve({
-                privateKey,
-                publicKey
-            });
+/*
+ * Copyright (c) 2024.
+ * Author Peter Placzek (tada5hi)
+ * For the full copyright and license information,
+ * view the LICENSE file that was distributed with this source code.
+ */ var SymmetricAlgorithm = /*#__PURE__*/ function(SymmetricAlgorithm) {
+    SymmetricAlgorithm["HMAC"] = "HMAC";
+    SymmetricAlgorithm["AES_CTR"] = "AES-CTR";
+    SymmetricAlgorithm["AES_CBC"] = "AES-CBC";
+    SymmetricAlgorithm["AES_GCM"] = "AES-GCM";
+    return SymmetricAlgorithm;
+}({});
+
+function normalizeSymmetricKeyCreateOptions(input) {
+    if (input.name === SymmetricAlgorithm.HMAC) {
+        return {
+            hash: 'SHA-256',
+            ...input
         };
-        switch(options.type){
-            case 'dsa':
-                node_crypto.generateKeyPair(options.type, options, callback);
-                break;
-            case 'ec':
-                node_crypto.generateKeyPair(options.type, options, callback);
-                break;
-            case 'rsa':
-                node_crypto.generateKeyPair(options.type, options, callback);
-                break;
-            case 'rsa-pss':
-                node_crypto.generateKeyPair(options.type, options, callback);
-                break;
-        }
-    });
-    if (options.save) {
-        await saveKeyPair(keyPair, options);
     }
-    if (options.passphrase || options.privateKeyEncoding.passphrase) {
-        keyPair.privateKey = decryptRSAPrivateKey(options, keyPair.privateKey);
+    return {
+        length: 256,
+        name: input.name
+    };
+}
+function normalizeSymmetricKeyImportOptions(input) {
+    if (input.name === SymmetricAlgorithm.HMAC) {
+        return {
+            hash: 'SHA-256',
+            ...input
+        };
     }
-    return keyPair;
+    return input;
 }
 
-async function deleteKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const privateKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PRIVATE, options));
-    const publicKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PUBLIC, options));
-    try {
-        await Promise.all([
-            privateKeyPath,
-            publicKeyPath
-        ].map((filePath)=>fs.promises.stat(filePath)));
-    } catch (e) {
-        return;
+function isSymmetricAlgorithm(input) {
+    return Object.values(SymmetricAlgorithm).indexOf(input) !== -1;
+}
+
+function getKeyUsagesForSymmetricAlgorithm(name) {
+    /**
+     * @see https://nodejs.org/api/webcrypto.html#cryptokeyusages
+     */ if (name === SymmetricAlgorithm.HMAC) {
+        return [
+            'sign',
+            'verify'
+        ];
+    }
+    if (name === SymmetricAlgorithm.AES_CBC || name === SymmetricAlgorithm.AES_GCM || name === SymmetricAlgorithm.AES_CTR) {
+        return [
+            'encrypt',
+            'decrypt'
+        ];
     }
-    await Promise.all([
-        privateKeyPath,
-        publicKeyPath
-    ].map((filePath)=>fs.promises.rm(filePath)));
+    throw new SyntaxError(`Key usages can not be determined for symmetric algorithm: ${name}`);
 }
 
-async function loadKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const privateKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PRIVATE, options));
-    try {
-        await fs.promises.stat(privateKeyPath);
-    } catch (e) {
-        return undefined;
+async function createSymmetricKey(input) {
+    const optionsNormalized = normalizeSymmetricKeyCreateOptions(input);
+    return crypto.subtle.generateKey(optionsNormalized, true, getKeyUsagesForSymmetricAlgorithm(optionsNormalized.name));
+}
+
+function getKeyUsagesForAlgorithm(name, format) {
+    if (isAsymmetricAlgorithm(name)) {
+        return getKeyUsagesForAsymmetricAlgorithm(name, format);
     }
-    const privateKeyBuffer = await fs.promises.readFile(privateKeyPath);
-    let privateKey = privateKeyBuffer.toString();
-    if (options.passphrase || options.privateKeyEncoding.passphrase) {
-        privateKey = decryptRSAPrivateKey(options, privateKey);
+    if (isSymmetricAlgorithm(name)) {
+        return getKeyUsagesForSymmetricAlgorithm(name);
     }
-    const publicKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PUBLIC, options));
-    let publicKey;
-    try {
-        await fs.promises.stat(publicKeyPath);
-        const publicKeyBuffer = await fs.promises.readFile(publicKeyPath);
-        publicKey = publicKeyBuffer.toString();
-    } catch (e) {
-        const publicKeyObject = node_crypto.createPublicKey({
-            key: privateKey,
-            format: options.privateKeyEncoding.format,
-            type: options.publicKeyEncoding.type
-        });
-        const stringOrBuffer = publicKeyObject.export({
-            format: options.publicKeyEncoding.format,
-            type: options.publicKeyEncoding.type
-        });
-        if (typeof stringOrBuffer !== 'string') {
-            publicKey = stringOrBuffer.toString();
-        } else {
-            publicKey = stringOrBuffer;
+    throw new SyntaxError(`Key usages can not be determined for algorithm: ${name}`);
+}
+
+class CryptoKeyContainer {
+    // ----------------------------------------------
+    async toArrayBuffer() {
+        if (this.key.type === 'private') {
+            return crypto.subtle.exportKey('pkcs8', this.key);
         }
-        if (options.save) {
-            await saveKeyPair({
-                privateKey,
-                publicKey
-            }, options);
+        if (this.key.type === 'public') {
+            return crypto.subtle.exportKey('spki', this.key);
         }
+        return crypto.subtle.exportKey('raw', this.key);
     }
-    return {
-        privateKey,
-        publicKey
-    };
-}
-
-const keyPairCache = {};
-async function useKeyPair(value) {
-    let options;
-    if (typeof value === 'string') {
-        options = extendKeyPairOptions({
-            privateName: value
+    async toUint8Array() {
+        const arrayBuffer = await this.toArrayBuffer();
+        return new Uint8Array(arrayBuffer);
+    }
+    async toBase64() {
+        const arrayBuffer = await this.toArrayBuffer();
+        return kit.arrayBufferToBase64(arrayBuffer);
+    }
+    async toPem() {
+        const base64 = await this.toBase64();
+        if (this.key.type === 'public') {
+            return encodeSPKIToPem(base64);
+        }
+        if (this.key.type === 'private') {
+            return encodePKCS8ToPEM(base64);
+        }
+        throw new Error('A symmetric key can not be encoded as PEM');
+    }
+    async toJWK() {
+        return crypto.subtle.exportKey('jwk', this.key);
+    }
+    // ----------------------------------------------
+    static async fromPem(ctx) {
+        if (ctx.format === 'pkcs8') {
+            return CryptoKeyContainer.fromBase64({
+                ...ctx,
+                key: decodePemToPKCS8(ctx.key)
+            });
+        }
+        return CryptoKeyContainer.fromBase64({
+            ...ctx,
+            key: decodePemToSpki(ctx.key)
         });
-    } else {
-        options = extendKeyPairOptions(value || {});
     }
-    if (Object.prototype.hasOwnProperty.call(keyPairCache, options.privateName)) {
-        return keyPairCache[options.privateName];
+    static async fromBase64(ctx) {
+        const arrayBuffer = kit.base64ToArrayBuffer(ctx.key);
+        return CryptoKeyContainer.fromArrayBuffer({
+            ...ctx,
+            key: arrayBuffer
+        });
     }
-    let keyPair = await loadKeyPair(options);
-    if (typeof keyPair === 'undefined') {
-        keyPair = await createKeyPair(options);
+    static async fromArrayBuffer(ctx) {
+        let normalizedOptions;
+        if (ctx.format === 'spki' || ctx.format === 'pkcs8') {
+            normalizedOptions = normalizeAsymmetricKeyImportOptions(ctx.options);
+        } else if (ctx.format === 'raw') {
+            normalizedOptions = normalizeSymmetricKeyImportOptions(ctx.options);
+        } else {
+            throw new SyntaxError(`Format ${ctx.format} is not supported.`);
+        }
+        const cryptoKey = await crypto.subtle.importKey(ctx.format, ctx.key, normalizedOptions, true, getKeyUsagesForAlgorithm(normalizedOptions.name, ctx.format));
+        return new CryptoKeyContainer(cryptoKey);
+    }
+    constructor(cryptoKey){
+        this.key = cryptoKey;
     }
-    keyPairCache[options.privateName] = keyPair;
-    return keyPair;
 }
 
 /**
@@ -328,7 +327,7 @@ async function useKeyPair(value) {
  */ function extractTokenHeader(token) {
     const parts = token.split('.');
     if (parts.length !== 3) {
-        throw kit.TokenError.payloadInvalid('The token format is not valid.');
+        throw specs.TokenError.payloadInvalid('The token format is not valid.');
     }
     const [headerBase64] = parts;
     try {
@@ -347,20 +346,20 @@ async function useKeyPair(value) {
             'x5t#S256': header.x5TS256CertThumbprint,
         };
          */ } catch (e) {
-        throw kit.TokenError.headerInvalid('The token header could not be extracted.');
+        throw specs.TokenError.headerInvalid('The token header could not be extracted.');
     }
 }
 function extractTokenPayload(token) {
     const parts = token.split('.');
     if (parts.length !== 3) {
-        throw kit.TokenError.payloadInvalid('The token format is not valid.');
+        throw specs.TokenError.payloadInvalid('The token format is not valid.');
     }
     const [, payloadBase64] = parts;
     try {
         const payload = atob(payloadBase64);
         return JSON.parse(payload);
     } catch (e) {
-        throw kit.TokenError.payloadInvalid('The token payload could not be extracted.');
+        throw specs.TokenError.payloadInvalid('The token payload could not be extracted.');
     }
 }
 
@@ -370,19 +369,19 @@ function createErrorForJWTError(e) {
             switch(e.name){
                 case 'TokenExpiredError':
                     {
-                        return kit.TokenError.expired();
+                        return specs.TokenError.expired();
                     }
                 case 'NotBeforeError':
                     {
                         if (typeof e.date === 'string' || e.date instanceof Date) {
-                            return kit.TokenError.notActiveBefore(e.date);
+                            return specs.TokenError.notActiveBefore(e.date);
                         }
                         break;
                     }
                 case 'JsonWebTokenError':
                     {
                         if (typeof e.message === 'string') {
-                            return kit.TokenError.payloadInvalid(e.message);
+                            return specs.TokenError.payloadInvalid(e.message);
                         }
                         break;
                     }
@@ -392,20 +391,20 @@ function createErrorForJWTError(e) {
         switch(e.message){
             case 'ExpiredSignature':
                 {
-                    return kit.TokenError.expired();
+                    return specs.TokenError.expired();
                 }
             case 'ImmatureSignature':
                 {
-                    return kit.TokenError.notActiveBefore();
+                    return specs.TokenError.notActiveBefore();
                 }
             case 'InvalidToken':
             case 'InvalidSignature':
                 {
-                    return kit.TokenError.payloadInvalid();
+                    return specs.TokenError.payloadInvalid();
                 }
         }
     }
-    return new kit.TokenError({
+    return new specs.TokenError({
         cause: e,
         logMessage: true,
         message: 'The JWT error could not be determined.'
@@ -413,47 +412,47 @@ function createErrorForJWTError(e) {
 }
 function transformJWTAlgorithmToInternal(algorithm) {
     switch(algorithm){
-        case kit.JWTAlgorithm.HS256:
+        case specs.JWTAlgorithm.HS256:
             {
                 return jsonwebtoken.Algorithm.HS256;
             }
-        case kit.JWTAlgorithm.HS384:
+        case specs.JWTAlgorithm.HS384:
             {
                 return jsonwebtoken.Algorithm.HS384;
             }
-        case kit.JWTAlgorithm.HS512:
+        case specs.JWTAlgorithm.HS512:
             {
                 return jsonwebtoken.Algorithm.HS512;
             }
-        case kit.JWTAlgorithm.RS256:
+        case specs.JWTAlgorithm.RS256:
             {
                 return jsonwebtoken.Algorithm.RS256;
             }
-        case kit.JWTAlgorithm.RS384:
+        case specs.JWTAlgorithm.RS384:
             {
                 return jsonwebtoken.Algorithm.RS384;
             }
-        case kit.JWTAlgorithm.RS512:
+        case specs.JWTAlgorithm.RS512:
             {
                 return jsonwebtoken.Algorithm.RS512;
             }
-        case kit.JWTAlgorithm.ES256:
+        case specs.JWTAlgorithm.ES256:
             {
                 return jsonwebtoken.Algorithm.ES256;
             }
-        case kit.JWTAlgorithm.ES384:
+        case specs.JWTAlgorithm.ES384:
             {
                 return jsonwebtoken.Algorithm.ES384;
             }
-        case kit.JWTAlgorithm.PS256:
+        case specs.JWTAlgorithm.PS256:
             {
                 return jsonwebtoken.Algorithm.PS256;
             }
-        case kit.JWTAlgorithm.PS384:
+        case specs.JWTAlgorithm.PS384:
             {
                 return jsonwebtoken.Algorithm.PS384;
             }
-        case kit.JWTAlgorithm.PS512:
+        case specs.JWTAlgorithm.PS512:
             {
                 return jsonwebtoken.Algorithm.PS512;
             }
@@ -470,31 +469,44 @@ async function signToken(claims, context) {
         claims.iat = getUtcTimestamp();
     }
     switch(context.type){
-        case kit.JWKType.RSA:
-        case kit.JWKType.EC:
+        case specs.JWKType.RSA:
+        case specs.JWKType.EC:
             {
-                const { privateKey } = isKeyPair(context.keyPair) ? context.keyPair : await useKeyPair(context.keyPair);
                 let algorithm;
-                if (context.type === kit.JWKType.RSA) {
+                let key;
+                if (typeof context.key === 'string') {
+                    key = encodePKCS8ToPEM(context.key);
+                } else {
+                    const keyContainer = new CryptoKeyContainer(context.key);
+                    key = await keyContainer.toPem();
+                }
+                if (context.type === specs.JWKType.RSA) {
                     algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : jsonwebtoken.Algorithm.RS256;
                 } else {
                     algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : jsonwebtoken.Algorithm.ES256;
                 }
-                return jsonwebtoken.sign(claims, privateKey, {
+                return jsonwebtoken.sign(claims, key, {
                     algorithm,
                     keyId: context.keyId
                 });
             }
-        case kit.JWKType.OCT:
+        case specs.JWKType.OCT:
             {
                 const algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : jsonwebtoken.Algorithm.HS256;
-                return jsonwebtoken.sign(claims, context.key, {
+                let key;
+                if (typeof context.key === 'string') {
+                    key = context.key;
+                } else {
+                    const keyContainer = new CryptoKeyContainer(context.key);
+                    key = await keyContainer.toUint8Array();
+                }
+                return jsonwebtoken.sign(claims, key, {
                     algorithm,
                     keyId: context.keyId
                 });
             }
     }
-    throw new kit.TokenError();
+    throw new specs.TokenError();
 }
 
 /**
@@ -509,12 +521,11 @@ async function signToken(claims, context) {
     let output;
     try {
         switch(context.type){
-            case kit.JWKType.RSA:
-            case kit.JWKType.EC:
+            case specs.JWKType.RSA:
+            case specs.JWKType.EC:
                 {
-                    const { publicKey } = isKeyPairWithPublicKey(context.keyPair) ? context.keyPair : await useKeyPair(context.keyPair);
                     let algorithms;
-                    if (context.type === kit.JWKType.RSA) {
+                    if (context.type === specs.JWKType.RSA) {
                         algorithms = context.algorithms ? context.algorithms.map((algorithm)=>transformJWTAlgorithmToInternal(algorithm)) : [
                             jsonwebtoken.Algorithm.RS256,
                             jsonwebtoken.Algorithm.RS384,
@@ -529,20 +540,34 @@ async function signToken(claims, context) {
                             jsonwebtoken.Algorithm.ES384
                         ];
                     }
-                    promise = jsonwebtoken.verify(token, publicKey, {
+                    let key;
+                    if (typeof context.key === 'string') {
+                        key = encodeSPKIToPem(context.key);
+                    } else {
+                        const keyContainer = new CryptoKeyContainer(context.key);
+                        key = await keyContainer.toPem();
+                    }
+                    promise = jsonwebtoken.verify(token, key, {
                         algorithms,
                         validateNbf: true
                     });
                     break;
                 }
-            case kit.JWKType.OCT:
+            case specs.JWKType.OCT:
                 {
                     const algorithms = context.algorithms ? context.algorithms.map((algorithm)=>transformJWTAlgorithmToInternal(algorithm)) : [
                         jsonwebtoken.Algorithm.HS256,
                         jsonwebtoken.Algorithm.HS384,
                         jsonwebtoken.Algorithm.HS512
                     ];
-                    promise = jsonwebtoken.verify(token, context.key, {
+                    let key;
+                    if (typeof context.key === 'string') {
+                        key = context.key;
+                    } else {
+                        const keyContainer = new CryptoKeyContainer(context.key);
+                        key = await keyContainer.toUint8Array();
+                    }
+                    promise = jsonwebtoken.verify(token, key, {
                         algorithms,
                         validateNbf: true
                     });
@@ -553,7 +578,7 @@ async function signToken(claims, context) {
         throw createErrorForJWTError(e);
     }
     if (typeof output === 'undefined') {
-        throw new kit.TokenError({
+        throw new specs.TokenError({
             message: 'Invalid type.'
         });
     }
@@ -708,14 +733,14 @@ function useCache() {
 
 function createLogger(context) {
     let items;
-    const cwd = context.directory || process__namespace.cwd();
+    const cwd = context.directory || process.cwd();
     if (context.env === 'production') {
         items = [
             new winston.transports.Console({
                 level: 'info'
             }),
             new winston.transports.File({
-                filename: path.join(cwd, 'access.log'),
+                filename: path.join(cwd, 'http.log'),
                 level: 'http',
                 maxsize: 10 * 1024 * 1024,
                 maxFiles: 5
@@ -734,6 +759,7 @@ function createLogger(context) {
             })
         ];
     }
+    // @see https://github.com/winstonjs/triple-beam/blob/master/config/npm.js
     return winston.createLogger({
         format: winston.format.combine(winston.format.errors({
             stack: true
@@ -822,7 +848,7 @@ class DomainEventSocketPublisher {
                 emitter = this.driver;
             }
             let roomName = buildDomainEventChannelName(ctx.destinations[i].channel);
-            const fullEventName = kit.buildEventFullName(ctx.content.type, ctx.content.event);
+            const fullEventName = coreRealtimeKit.buildEventFullName(ctx.content.type, ctx.content.event);
             emitter.in(roomName).emit(fullEventName, {
                 ...ctx.content,
                 meta: {
@@ -921,46 +947,47 @@ Object.defineProperty(exports, "createVaultClient", {
     get: function () { return vault.createClient; }
 });
 exports.Cache = Cache;
+exports.CryptoAsymmetricAlgorithm = CryptoAsymmetricAlgorithm;
+exports.CryptoKeyContainer = CryptoKeyContainer;
 exports.DomainEventPublisher = DomainEventPublisher;
 exports.DomainEventRedisPublisher = DomainEventRedisPublisher;
 exports.DomainEventSocketPublisher = DomainEventSocketPublisher;
-exports.KeyPairKind = KeyPairKind;
 exports.MemoryCacheAdapter = MemoryCacheAdapter;
 exports.RedisCacheAdapter = RedisCacheAdapter;
+exports.SymmetricAlgorithm = SymmetricAlgorithm;
 exports.buildCacheKey = buildCacheKey;
-exports.buildKeyFileName = buildKeyFileName;
 exports.compare = compare;
+exports.createAsymmetricKeyPair = createAsymmetricKeyPair;
 exports.createCacheAdapter = createCacheAdapter;
-exports.createKeyPair = createKeyPair;
 exports.createLogger = createLogger;
-exports.decryptRSAPrivateKey = decryptRSAPrivateKey;
-exports.deleteKeyPair = deleteKeyPair;
-exports.extendKeyPairOptions = extendKeyPairOptions;
+exports.createSymmetricKey = createSymmetricKey;
+exports.decodePemToPKCS8 = decodePemToPKCS8;
+exports.decodePemToSpki = decodePemToSpki;
+exports.encodePKCS8ToPEM = encodePKCS8ToPEM;
+exports.encodeSPKIToPem = encodeSPKIToPem;
 exports.extractTokenHeader = extractTokenHeader;
 exports.extractTokenPayload = extractTokenPayload;
+exports.getKeyUsagesForAlgorithm = getKeyUsagesForAlgorithm;
+exports.getKeyUsagesForAsymmetricAlgorithm = getKeyUsagesForAsymmetricAlgorithm;
+exports.getKeyUsagesForSymmetricAlgorithm = getKeyUsagesForSymmetricAlgorithm;
 exports.hasOwnProperty = hasOwnProperty;
 exports.hash = hash;
-exports.isKeyPair = isKeyPair;
-exports.isKeyPairWithPublicKey = isKeyPairWithPublicKey;
+exports.isAsymmetricAlgorithm = isAsymmetricAlgorithm;
 exports.isLoggerUsable = isLoggerUsable;
 exports.isRedisClientUsable = isRedisClientUsable;
+exports.isSymmetricAlgorithm = isSymmetricAlgorithm;
 exports.isVaultClientUsable = isVaultClientUsable;
-exports.loadKeyPair = loadKeyPair;
-exports.saveKeyPair = saveKeyPair;
+exports.normalizeAsymmetricKeyImportOptions = normalizeAsymmetricKeyImportOptions;
+exports.normalizeAsymmetricKeyPairCreateOptions = normalizeAsymmetricKeyPairCreateOptions;
 exports.setLogger = setLogger;
 exports.setLoggerFactory = setLoggerFactory;
 exports.setRedisClient = setRedisClient;
 exports.setRedisFactory = setRedisFactory;
 exports.setVaultFactory = setVaultFactory;
 exports.signToken = signToken;
-exports.unwrapPrivateKeyPem = unwrapPrivateKeyPem;
-exports.unwrapPublicKeyPem = unwrapPublicKeyPem;
 exports.useCache = useCache;
-exports.useKeyPair = useKeyPair;
 exports.useLogger = useLogger;
 exports.useRedisClient = useRedisClient;
 exports.useVaultClient = useVaultClient;
 exports.verifyToken = verifyToken;
-exports.wrapPrivateKeyPem = wrapPrivateKeyPem;
-exports.wrapPublicKeyPem = wrapPublicKeyPem;
 //# sourceMappingURL=index.cjs.map