@authup/server-kit 1.0.0-beta.23 → 1.0.0-beta.25

package/dist/index.mjs

@@ -1,18 +1,19 @@
 import { compare as compare$1, hash as hash$1 } from '@node-rs/bcrypt';
-import { createPrivateKey, generateKeyPair, createPublicKey } from 'node:crypto';
-import { isObject, TokenError, JWTAlgorithm, JWKType, buildEventFullName } from '@authup/kit';
-import path from 'node:path';
-import fs from 'node:fs';
+import { subtle } from 'uncrypto';
+import { arrayBufferToBase64, base64ToArrayBuffer, isObject as isObject$1 } from '@authup/kit';
+import { JWTError, JWTAlgorithm, JWKType, OAuth2Error } from '@authup/specs';
 import { Algorithm, sign, verify } from '@node-rs/jsonwebtoken';
-import { isObject as isObject$1 } from 'smob';
+import { isObject } from 'smob';
 import { JsonAdapter, buildKeyPath } from 'redis-extension';
 export { Client as RedisClient, ClientOptions as RedisClientOptions, JsonAdapter as RedisJsonAdapter, Watcher as RedisWatcher, buildKeyPath as buildRedisKeyPath, createClient as createRedisClient, escapeKey as escapeRedisKey, parseKeyPath as parseRedisKeyPath } from 'redis-extension';
 import { singa } from 'singa';
 import TTLCache from '@isaacs/ttlcache';
-import * as process$1 from 'node:process';
+import path from 'node:path';
+import process from 'node:process';
 import { transports, createLogger as createLogger$1, format } from 'winston';
 export { Logger } from 'winston';
 export { VaultClient, createClient as createVaultClient } from '@hapic/vault';
+import { buildEventFullName } from '@authup/core-realtime-kit';
 import { Emitter } from '@socket.io/redis-emitter';
 
 async function compare(value, hashedValue) {
@@ -28,103 +29,124 @@ async function hash(str, rounds = 10) {
  * Author Peter Placzek (tada5hi)
  * For the full copyright and license information,
  * view the LICENSE file that was distributed with this source code.
- */ var KeyPairKind = /*#__PURE__*/ function(KeyPairKind) {
-    KeyPairKind["PRIVATE"] = "private";
-    KeyPairKind["PUBLIC"] = "public";
-    return KeyPairKind;
+ */ var CryptoAsymmetricAlgorithm = /*#__PURE__*/ function(CryptoAsymmetricAlgorithm) {
+    CryptoAsymmetricAlgorithm["RSA_PSS"] = "RSA-PSS";
+    CryptoAsymmetricAlgorithm["RSASSA_PKCS1_V1_5"] = "RSASSA-PKCS1-v1_5";
+    CryptoAsymmetricAlgorithm["RSA_OAEP"] = "RSA-OAEP";
+    CryptoAsymmetricAlgorithm["ECDSA"] = "ECDSA";
+    CryptoAsymmetricAlgorithm["ECDH"] = "ECDH";
+    return CryptoAsymmetricAlgorithm;
 }({});
 
-function isKeyPair(data) {
-    return isObject(data) && typeof data.privateKey !== 'undefined' && typeof data.publicKey !== 'undefined';
-}
-function isKeyPairWithPublicKey(data) {
-    return isObject(data) && typeof data.publicKey !== 'undefined';
+function isAsymmetricAlgorithm(input) {
+    return Object.values(CryptoAsymmetricAlgorithm).indexOf(input) !== -1;
 }
 
-function extendKeyPairOptions(options) {
-    var _options;
-    options = options ?? {};
-    options.directory = options.directory || process.cwd();
-    options.directory = path.isAbsolute(options.directory) ? options.directory : path.resolve(process.cwd(), options.directory);
-    (_options = options).type ?? (_options.type = 'rsa');
-    if (options.type === 'rsa' || options.type === 'rsa-pss' || options.type === 'dsa') {
-        options.modulusLength = 2048;
-    }
-    if (!options.privateKeyEncoding) {
-        options.privateKeyEncoding = {
-            type: 'pkcs8',
-            format: 'pem'
-        };
+/**
+ * @see https://nodejs.org/api/webcrypto.html#cryptokeyusages
+ */ function getKeyUsagesForAsymmetricAlgorithm(name, format) {
+    if (name === CryptoAsymmetricAlgorithm.RSA_PSS || name === CryptoAsymmetricAlgorithm.ECDSA || name === CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5) {
+        if (format === 'spki') {
+            return [
+                'verify'
+            ];
+        }
+        if (format === 'pkcs8') {
+            return [
+                'sign'
+            ];
+        }
+        return [
+            'sign',
+            'verify'
+        ];
     }
-    if (!options.publicKeyEncoding) {
-        options.publicKeyEncoding = {
-            type: 'spki',
-            format: 'pem'
-        };
+    if (name === CryptoAsymmetricAlgorithm.ECDH) {
+        if (format === 'spki') {
+            return [];
+        }
+        return [
+            'deriveKey',
+            'deriveBits'
+        ];
     }
-    if (options.privateKeyEncoding.passphrase && !options.privateKeyEncoding.cipher) {
-        options.privateKeyEncoding.cipher = 'aes-256-cbc';
+    if (name === CryptoAsymmetricAlgorithm.RSA_OAEP) {
+        if (format === 'spki') {
+            return [
+                'encrypt'
+            ];
+        }
+        if (format === 'pkcs8') {
+            return [
+                'decrypt'
+            ];
+        }
+        return [
+            'encrypt',
+            'decrypt'
+        ];
     }
-    return options;
+    throw new SyntaxError(`Key usages can not be determined for asymmetric algorithm: ${name}`);
 }
 
-function buildKeyFileName(type, context) {
-    const options = extendKeyPairOptions(context);
-    const parts = [];
-    switch(type){
-        case KeyPairKind.PRIVATE:
+function normalizeAsymmetricKeyPairCreateOptions(options) {
+    let optionsNormalized;
+    switch(options.name){
+        case CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5:
+        case CryptoAsymmetricAlgorithm.RSA_PSS:
+        case CryptoAsymmetricAlgorithm.RSA_OAEP:
             {
-                if (options.privateName) {
-                    parts.push(options.privateName);
-                } else {
-                    parts.push(type);
-                }
-                if (options.privateExtension) {
-                    if (options.privateExtension.startsWith('.')) {
-                        options.privateExtension = options.privateExtension.slice(1);
-                    }
-                    parts.push(options.privateExtension);
-                } else {
-                    parts.push('pem');
-                }
+                optionsNormalized = {
+                    modulusLength: 2048,
+                    publicExponent: new Uint8Array([
+                        0x01,
+                        0x00,
+                        0x01
+                    ]),
+                    hash: 'SHA-256',
+                    ...options
+                };
                 break;
             }
-        case KeyPairKind.PUBLIC:
+        case CryptoAsymmetricAlgorithm.ECDSA:
+        case CryptoAsymmetricAlgorithm.ECDH:
             {
-                if (options.publicName) {
-                    parts.push(options.publicName);
-                } else {
-                    parts.push(type);
-                }
-                if (options.publicExtension) {
-                    if (options.publicExtension.startsWith('.')) {
-                        options.publicExtension = options.publicExtension.slice(1);
-                    }
-                    parts.push(options.publicExtension);
-                } else {
-                    parts.push('pem');
-                }
+                optionsNormalized = {
+                    namedCurve: 'P-256',
+                    ...options
+                };
+            }
+    }
+    return optionsNormalized;
+}
+function normalizeAsymmetricKeyImportOptions(options) {
+    let optionsNormalized;
+    switch(options.name){
+        case CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5:
+        case CryptoAsymmetricAlgorithm.RSA_PSS:
+        case CryptoAsymmetricAlgorithm.RSA_OAEP:
+            {
+                optionsNormalized = {
+                    hash: 'SHA-256',
+                    ...options
+                };
                 break;
             }
+        case CryptoAsymmetricAlgorithm.ECDSA:
+        case CryptoAsymmetricAlgorithm.ECDH:
+            {
+                optionsNormalized = {
+                    namedCurve: 'P-256',
+                    ...options
+                };
+            }
     }
-    return parts.join('.');
+    return optionsNormalized;
 }
 
-function decryptRSAPrivateKey(context, key) {
-    const privateKey = createPrivateKey({
-        type: context.privateKeyEncoding.type,
-        format: context.privateKeyEncoding.format,
-        key,
-        passphrase: context.privateKeyEncoding.passphrase || context.passphrase
-    });
-    let content = privateKey.export({
-        type: context.privateKeyEncoding.type,
-        format: context.privateKeyEncoding.format
-    });
-    if (typeof content !== 'string') {
-        content = Buffer.from(content).toString('utf-8');
-    }
-    return content;
+async function createAsymmetricKeyPair(options) {
+    const optionsNormalized = normalizeAsymmetricKeyPairCreateOptions(options);
+    return subtle.generateKey(optionsNormalized, true, getKeyUsagesForAsymmetricAlgorithm(optionsNormalized.name));
 }
 
 /*
@@ -132,172 +154,169 @@ function decryptRSAPrivateKey(context, key) {
  * Author Peter Placzek (tada5hi)
  * For the full copyright and license information,
  * view the LICENSE file that was distributed with this source code.
- */ function wrapPem(type, input) {
-    if (typeof input !== 'string') {
-        input = Buffer.from(input).toString('base64');
-    }
+ */ function enc(type, input) {
     return `-----BEGIN ${type}-----\n${input}\n-----END ${type}-----`;
 }
-function wrapPrivateKeyPem(input) {
-    return wrapPem('PRIVATE KEY', input);
+function encodePKCS8ToPEM(base64) {
+    return enc('PRIVATE KEY', base64);
 }
-function wrapPublicKeyPem(input) {
-    return wrapPem('PUBLIC KEY', input);
+function encodeSPKIToPem(input) {
+    return enc('PUBLIC KEY', input);
 }
 // ------------------------------------------------------------
-function unwrapPem(type, input) {
-    if (typeof input !== 'string') {
-        input = Buffer.from(input).toString('base64');
-    }
+function dec(type, input) {
     input = input.replace(`-----BEGIN ${type}-----\n`, '');
     input = input.replace(`\n-----END ${type}-----\n`, '');
     input = input.replace(`-----END ${type}-----\n`, '');
     input = input.replace(`\n-----END ${type}-----`, '');
     return input;
 }
-function unwrapPrivateKeyPem(input) {
-    return unwrapPem('PRIVATE KEY', input);
+function decodePemToPKCS8(input) {
+    return dec('PRIVATE KEY', input);
 }
-function unwrapPublicKeyPem(input) {
-    return unwrapPem('PUBLIC KEY', input);
+function decodePemToSpki(input) {
+    return dec('PUBLIC KEY', input);
 }
 
-async function saveKeyPair(keyPair, context) {
-    context = extendKeyPairOptions(context);
-    await fs.promises.mkdir(context.directory, {
-        recursive: true
-    });
-    await Promise.all([
-        {
-            path: path.resolve(context.directory, buildKeyFileName(KeyPairKind.PRIVATE, context)),
-            content: keyPair.privateKey
-        },
-        {
-            path: path.resolve(context.directory, buildKeyFileName(KeyPairKind.PUBLIC, context)),
-            content: keyPair.publicKey
-        }
-    ].map((file)=>fs.promises.writeFile(file.path, file.content)));
-    return keyPair;
-}
-
-async function createKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const keyPair = await new Promise((resolve, reject)=>{
-        const callback = (err, publicKey, privateKey)=>{
-            if (err) reject(err);
-            resolve({
-                privateKey,
-                publicKey
-            });
+/*
+ * Copyright (c) 2024.
+ * Author Peter Placzek (tada5hi)
+ * For the full copyright and license information,
+ * view the LICENSE file that was distributed with this source code.
+ */ var SymmetricAlgorithm = /*#__PURE__*/ function(SymmetricAlgorithm) {
+    SymmetricAlgorithm["HMAC"] = "HMAC";
+    SymmetricAlgorithm["AES_CTR"] = "AES-CTR";
+    SymmetricAlgorithm["AES_CBC"] = "AES-CBC";
+    SymmetricAlgorithm["AES_GCM"] = "AES-GCM";
+    return SymmetricAlgorithm;
+}({});
+
+function normalizeSymmetricKeyCreateOptions(input) {
+    if (input.name === SymmetricAlgorithm.HMAC) {
+        return {
+            hash: 'SHA-256',
+            ...input
         };
-        switch(options.type){
-            case 'dsa':
-                generateKeyPair(options.type, options, callback);
-                break;
-            case 'ec':
-                generateKeyPair(options.type, options, callback);
-                break;
-            case 'rsa':
-                generateKeyPair(options.type, options, callback);
-                break;
-            case 'rsa-pss':
-                generateKeyPair(options.type, options, callback);
-                break;
-        }
-    });
-    if (options.save) {
-        await saveKeyPair(keyPair, options);
     }
-    if (options.passphrase || options.privateKeyEncoding.passphrase) {
-        keyPair.privateKey = decryptRSAPrivateKey(options, keyPair.privateKey);
+    return {
+        length: 256,
+        name: input.name
+    };
+}
+function normalizeSymmetricKeyImportOptions(input) {
+    if (input.name === SymmetricAlgorithm.HMAC) {
+        return {
+            hash: 'SHA-256',
+            ...input
+        };
+    }
+    return input;
+}
+
+function isSymmetricAlgorithm(input) {
+    return Object.values(SymmetricAlgorithm).indexOf(input) !== -1;
+}
+
+function getKeyUsagesForSymmetricAlgorithm(name) {
+    /**
+     * @see https://nodejs.org/api/webcrypto.html#cryptokeyusages
+     */ if (name === SymmetricAlgorithm.HMAC) {
+        return [
+            'sign',
+            'verify'
+        ];
+    }
+    if (name === SymmetricAlgorithm.AES_CBC || name === SymmetricAlgorithm.AES_GCM || name === SymmetricAlgorithm.AES_CTR) {
+        return [
+            'encrypt',
+            'decrypt'
+        ];
     }
-    return keyPair;
+    throw new SyntaxError(`Key usages can not be determined for symmetric algorithm: ${name}`);
 }
 
-async function deleteKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const privateKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PRIVATE, options));
-    const publicKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PUBLIC, options));
-    try {
-        await Promise.all([
-            privateKeyPath,
-            publicKeyPath
-        ].map((filePath)=>fs.promises.stat(filePath)));
-    } catch (e) {
-        return;
+async function createSymmetricKey(input) {
+    const optionsNormalized = normalizeSymmetricKeyCreateOptions(input);
+    return subtle.generateKey(optionsNormalized, true, getKeyUsagesForSymmetricAlgorithm(optionsNormalized.name));
+}
+
+function getKeyUsagesForAlgorithm(name, format) {
+    if (isAsymmetricAlgorithm(name)) {
+        return getKeyUsagesForAsymmetricAlgorithm(name, format);
+    }
+    if (isSymmetricAlgorithm(name)) {
+        return getKeyUsagesForSymmetricAlgorithm(name);
     }
-    await Promise.all([
-        privateKeyPath,
-        publicKeyPath
-    ].map((filePath)=>fs.promises.rm(filePath)));
+    throw new SyntaxError(`Key usages can not be determined for algorithm: ${name}`);
 }
 
-async function loadKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const privateKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PRIVATE, options));
-    try {
-        await fs.promises.stat(privateKeyPath);
-    } catch (e) {
-        return undefined;
+class CryptoKeyContainer {
+    // ----------------------------------------------
+    async toArrayBuffer() {
+        if (this.key.type === 'private') {
+            return subtle.exportKey('pkcs8', this.key);
+        }
+        if (this.key.type === 'public') {
+            return subtle.exportKey('spki', this.key);
+        }
+        return subtle.exportKey('raw', this.key);
     }
-    const privateKeyBuffer = await fs.promises.readFile(privateKeyPath);
-    let privateKey = privateKeyBuffer.toString();
-    if (options.passphrase || options.privateKeyEncoding.passphrase) {
-        privateKey = decryptRSAPrivateKey(options, privateKey);
+    async toUint8Array() {
+        const arrayBuffer = await this.toArrayBuffer();
+        return new Uint8Array(arrayBuffer);
     }
-    const publicKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PUBLIC, options));
-    let publicKey;
-    try {
-        await fs.promises.stat(publicKeyPath);
-        const publicKeyBuffer = await fs.promises.readFile(publicKeyPath);
-        publicKey = publicKeyBuffer.toString();
-    } catch (e) {
-        const publicKeyObject = createPublicKey({
-            key: privateKey,
-            format: options.privateKeyEncoding.format,
-            type: options.publicKeyEncoding.type
-        });
-        const stringOrBuffer = publicKeyObject.export({
-            format: options.publicKeyEncoding.format,
-            type: options.publicKeyEncoding.type
-        });
-        if (typeof stringOrBuffer !== 'string') {
-            publicKey = stringOrBuffer.toString();
-        } else {
-            publicKey = stringOrBuffer;
+    async toBase64() {
+        const arrayBuffer = await this.toArrayBuffer();
+        return arrayBufferToBase64(arrayBuffer);
+    }
+    async toPem() {
+        const base64 = await this.toBase64();
+        if (this.key.type === 'public') {
+            return encodeSPKIToPem(base64);
         }
-        if (options.save) {
-            await saveKeyPair({
-                privateKey,
-                publicKey
-            }, options);
+        if (this.key.type === 'private') {
+            return encodePKCS8ToPEM(base64);
         }
+        throw new Error('A symmetric key can not be encoded as PEM');
     }
-    return {
-        privateKey,
-        publicKey
-    };
-}
-
-const keyPairCache = {};
-async function useKeyPair(value) {
-    let options;
-    if (typeof value === 'string') {
-        options = extendKeyPairOptions({
-            privateName: value
+    async toJWK() {
+        return subtle.exportKey('jwk', this.key);
+    }
+    // ----------------------------------------------
+    static async fromPem(ctx) {
+        if (ctx.format === 'pkcs8') {
+            return CryptoKeyContainer.fromBase64({
+                ...ctx,
+                key: decodePemToPKCS8(ctx.key)
+            });
+        }
+        return CryptoKeyContainer.fromBase64({
+            ...ctx,
+            key: decodePemToSpki(ctx.key)
+        });
+    }
+    static async fromBase64(ctx) {
+        const arrayBuffer = base64ToArrayBuffer(ctx.key);
+        return CryptoKeyContainer.fromArrayBuffer({
+            ...ctx,
+            key: arrayBuffer
         });
-    } else {
-        options = extendKeyPairOptions(value || {});
     }
-    if (Object.prototype.hasOwnProperty.call(keyPairCache, options.privateName)) {
-        return keyPairCache[options.privateName];
+    static async fromArrayBuffer(ctx) {
+        let normalizedOptions;
+        if (ctx.format === 'spki' || ctx.format === 'pkcs8') {
+            normalizedOptions = normalizeAsymmetricKeyImportOptions(ctx.options);
+        } else if (ctx.format === 'raw') {
+            normalizedOptions = normalizeSymmetricKeyImportOptions(ctx.options);
+        } else {
+            throw new SyntaxError(`Format ${ctx.format} is not supported.`);
+        }
+        const cryptoKey = await subtle.importKey(ctx.format, ctx.key, normalizedOptions, true, getKeyUsagesForAlgorithm(normalizedOptions.name, ctx.format));
+        return new CryptoKeyContainer(cryptoKey);
     }
-    let keyPair = await loadKeyPair(options);
-    if (typeof keyPair === 'undefined') {
-        keyPair = await createKeyPair(options);
+    constructor(cryptoKey){
+        this.key = cryptoKey;
     }
-    keyPairCache[options.privateName] = keyPair;
-    return keyPair;
 }
 
 /**
@@ -305,11 +324,11 @@ async function useKeyPair(value) {
  *
  * @param token
  *
- * @throws TokenError
+ * @throws JWTError
  */ function extractTokenHeader(token) {
     const parts = token.split('.');
     if (parts.length !== 3) {
-        throw TokenError.payloadInvalid('The token format is not valid.');
+        throw JWTError.invalid();
     }
     const [headerBase64] = parts;
     try {
@@ -328,42 +347,46 @@ async function useKeyPair(value) {
             'x5t#S256': header.x5TS256CertThumbprint,
         };
          */ } catch (e) {
-        throw TokenError.headerInvalid('The token header could not be extracted.');
+        throw JWTError.headerInvalid('The token header could not be extracted.');
     }
 }
-function extractTokenPayload(token) {
+/**
+ * @param token
+ *
+ * @throws JWTError
+ */ function extractTokenPayload(token) {
     const parts = token.split('.');
     if (parts.length !== 3) {
-        throw TokenError.payloadInvalid('The token format is not valid.');
+        throw JWTError.invalid();
     }
     const [, payloadBase64] = parts;
     try {
         const payload = atob(payloadBase64);
         return JSON.parse(payload);
     } catch (e) {
-        throw TokenError.payloadInvalid('The token payload could not be extracted.');
+        throw JWTError.payloadInvalid('The token payload could not be extracted.');
     }
 }
 
 function createErrorForJWTError(e) {
-    if (isObject$1(e)) {
+    if (isObject(e)) {
         if (typeof e.name === 'string') {
             switch(e.name){
                 case 'TokenExpiredError':
                     {
-                        return TokenError.expired();
+                        return JWTError.expired();
                     }
                 case 'NotBeforeError':
                     {
                         if (typeof e.date === 'string' || e.date instanceof Date) {
-                            return TokenError.notActiveBefore(e.date);
+                            return JWTError.notActiveBefore(e.date);
                         }
                         break;
                     }
                 case 'JsonWebTokenError':
                     {
                         if (typeof e.message === 'string') {
-                            return TokenError.payloadInvalid(e.message);
+                            return JWTError.payloadInvalid(e.message);
                         }
                         break;
                     }
@@ -373,20 +396,20 @@ function createErrorForJWTError(e) {
         switch(e.message){
             case 'ExpiredSignature':
                 {
-                    return TokenError.expired();
+                    return JWTError.expired();
                 }
             case 'ImmatureSignature':
                 {
-                    return TokenError.notActiveBefore();
+                    return JWTError.notActiveBefore();
                 }
             case 'InvalidToken':
             case 'InvalidSignature':
                 {
-                    return TokenError.payloadInvalid();
+                    return JWTError.payloadInvalid();
                 }
         }
     }
-    return new TokenError({
+    return new JWTError({
         cause: e,
         logMessage: true,
         message: 'The JWT error could not be determined.'
@@ -454,14 +477,20 @@ async function signToken(claims, context) {
         case JWKType.RSA:
         case JWKType.EC:
             {
-                const { privateKey } = isKeyPair(context.keyPair) ? context.keyPair : await useKeyPair(context.keyPair);
                 let algorithm;
+                let key;
+                if (typeof context.key === 'string') {
+                    key = encodePKCS8ToPEM(context.key);
+                } else {
+                    const keyContainer = new CryptoKeyContainer(context.key);
+                    key = await keyContainer.toPem();
+                }
                 if (context.type === JWKType.RSA) {
                     algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.RS256;
                 } else {
                     algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.ES256;
                 }
-                return sign(claims, privateKey, {
+                return sign(claims, key, {
                     algorithm,
                     keyId: context.keyId
                 });
@@ -469,13 +498,20 @@ async function signToken(claims, context) {
         case JWKType.OCT:
             {
                 const algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.HS256;
-                return sign(claims, context.key, {
+                let key;
+                if (typeof context.key === 'string') {
+                    key = context.key;
+                } else {
+                    const keyContainer = new CryptoKeyContainer(context.key);
+                    key = await keyContainer.toUint8Array();
+                }
+                return sign(claims, key, {
                     algorithm,
                     keyId: context.keyId
                 });
             }
     }
-    throw new TokenError();
+    throw new OAuth2Error();
 }
 
 /**
@@ -484,7 +520,7 @@ async function signToken(claims, context) {
  * @param token
  * @param context
  *
- * @throws TokenError
+ * @throws OAuth2Error
  */ async function verifyToken(token, context) {
     let promise;
     let output;
@@ -493,7 +529,6 @@ async function signToken(claims, context) {
             case JWKType.RSA:
             case JWKType.EC:
                 {
-                    const { publicKey } = isKeyPairWithPublicKey(context.keyPair) ? context.keyPair : await useKeyPair(context.keyPair);
                     let algorithms;
                     if (context.type === JWKType.RSA) {
                         algorithms = context.algorithms ? context.algorithms.map((algorithm)=>transformJWTAlgorithmToInternal(algorithm)) : [
@@ -510,7 +545,14 @@ async function signToken(claims, context) {
                             Algorithm.ES384
                         ];
                     }
-                    promise = verify(token, publicKey, {
+                    let key;
+                    if (typeof context.key === 'string') {
+                        key = encodeSPKIToPem(context.key);
+                    } else {
+                        const keyContainer = new CryptoKeyContainer(context.key);
+                        key = await keyContainer.toPem();
+                    }
+                    promise = verify(token, key, {
                         algorithms,
                         validateNbf: true
                     });
@@ -523,7 +565,14 @@ async function signToken(claims, context) {
                         Algorithm.HS384,
                         Algorithm.HS512
                     ];
-                    promise = verify(token, context.key, {
+                    let key;
+                    if (typeof context.key === 'string') {
+                        key = context.key;
+                    } else {
+                        const keyContainer = new CryptoKeyContainer(context.key);
+                        key = await keyContainer.toUint8Array();
+                    }
+                    promise = verify(token, key, {
                         algorithms,
                         validateNbf: true
                     });
@@ -534,7 +583,7 @@ async function signToken(claims, context) {
         throw createErrorForJWTError(e);
     }
     if (typeof output === 'undefined') {
-        throw new TokenError({
+        throw new OAuth2Error({
             message: 'Invalid type.'
         });
     }
@@ -558,6 +607,9 @@ function useRedisClient() {
 }
 
 class MemoryCacheAdapter {
+    async has(key) {
+        return this.instance.has(key);
+    }
     async get(key) {
         return this.instance.get(key);
     }
@@ -601,6 +653,10 @@ class RedisCacheAdapter {
     async get(key) {
         return this.instance.get(key);
     }
+    async has(key) {
+        const output = await this.get(key);
+        return typeof output !== 'undefined';
+    }
     async set(key, value, options) {
         await this.instance.set(key, value, {
             milliseconds: options.ttl
@@ -689,14 +745,14 @@ function useCache() {
 
 function createLogger(context) {
     let items;
-    const cwd = context.directory || process$1.cwd();
+    const cwd = context.directory || process.cwd();
     if (context.env === 'production') {
         items = [
             new transports.Console({
                 level: 'info'
             }),
             new transports.File({
-                filename: path.join(cwd, 'access.log'),
+                filename: path.join(cwd, 'http.log'),
                 level: 'http',
                 maxsize: 10 * 1024 * 1024,
                 maxFiles: 5
@@ -715,6 +771,7 @@ function createLogger(context) {
             })
         ];
     }
+    // @see https://github.com/winstonjs/triple-beam/blob/master/config/npm.js
     return createLogger$1({
         format: format.combine(format.errors({
             stack: true
@@ -753,7 +810,7 @@ function useVaultClient() {
 }
 
 function transformDomainEventData(input) {
-    if (isObject(input)) {
+    if (isObject$1(input)) {
         const keys = Object.keys(input);
         for(let i = 0; i < keys.length; i++){
             const value = input[keys[i]];
@@ -857,5 +914,5 @@ class DomainEventPublisher {
     return Object.prototype.hasOwnProperty.call(obj, prop);
 }
 
-export { Cache, DomainEventPublisher, DomainEventRedisPublisher, DomainEventSocketPublisher, KeyPairKind, MemoryCacheAdapter, RedisCacheAdapter, buildCacheKey, buildKeyFileName, compare, createCacheAdapter, createKeyPair, createLogger, decryptRSAPrivateKey, deleteKeyPair, extendKeyPairOptions, extractTokenHeader, extractTokenPayload, hasOwnProperty, hash, isKeyPair, isKeyPairWithPublicKey, isLoggerUsable, isRedisClientUsable, isVaultClientUsable, loadKeyPair, saveKeyPair, setLogger, setLoggerFactory, setRedisClient, setRedisFactory, setVaultFactory, signToken, unwrapPrivateKeyPem, unwrapPublicKeyPem, useCache, useKeyPair, useLogger, useRedisClient, useVaultClient, verifyToken, wrapPrivateKeyPem, wrapPublicKeyPem };
+export { Cache, CryptoAsymmetricAlgorithm, CryptoKeyContainer, DomainEventPublisher, DomainEventRedisPublisher, DomainEventSocketPublisher, MemoryCacheAdapter, RedisCacheAdapter, SymmetricAlgorithm, buildCacheKey, compare, createAsymmetricKeyPair, createCacheAdapter, createLogger, createSymmetricKey, decodePemToPKCS8, decodePemToSpki, encodePKCS8ToPEM, encodeSPKIToPem, extractTokenHeader, extractTokenPayload, getKeyUsagesForAlgorithm, getKeyUsagesForAsymmetricAlgorithm, getKeyUsagesForSymmetricAlgorithm, hasOwnProperty, hash, isAsymmetricAlgorithm, isLoggerUsable, isRedisClientUsable, isSymmetricAlgorithm, isVaultClientUsable, normalizeAsymmetricKeyImportOptions, normalizeAsymmetricKeyPairCreateOptions, setLogger, setLoggerFactory, setRedisClient, setRedisFactory, setVaultFactory, signToken, useCache, useLogger, useRedisClient, useVaultClient, verifyToken };
 //# sourceMappingURL=index.mjs.map