@authup/server-kit 1.0.0-beta.3 → 1.0.0-beta.32

package/dist/index.mjs

@@ -1,607 +1,982 @@
-import { compare as compare$1, hash as hash$1 } from 'bcrypt';
-import { createPrivateKey, generateKeyPair, createPublicKey } from 'node:crypto';
-import { isObject, TokenError, KeyType, DomainEventName, buildDomainEventFullName } from '@authup/core';
+import { compare as compare$1, hash as hash$1 } from '@node-rs/bcrypt';
+import { arrayBufferToBase64, base64ToArrayBuffer, isObject as isObject$1 } from '@authup/kit';
+import { JWTAlgorithm, JWTError, JWKType } from '@authup/specs';
+import { subtle } from 'uncrypto';
+import { Algorithm, sign, verify } from '@node-rs/jsonwebtoken';
+import { isObject } from 'smob';
+import { TTLCache } from '@isaacs/ttlcache';
+import { createClient, JsonAdapter, buildKeyPath } from 'redis-extension';
+export { Client as RedisClient, JsonAdapter as RedisJsonAdapter, Watcher as RedisWatcher, buildKeyPath as buildRedisKeyPath, escapeKey as escapeRedisKey, parseKeyPath as parseRedisKeyPath } from 'redis-extension';
 import path from 'node:path';
-import fs from 'node:fs';
-import { decode, sign, verify } from 'jsonwebtoken';
-import { isObject as isObject$1 } from 'smob';
-import { hasClient, hasConfig, useClient } from 'redis-extension';
+import process from 'node:process';
+import { transports, createLogger as createLogger$1, format } from 'winston';
+export { Logger } from 'winston';
+import { singa } from 'singa';
+export { VaultClient, createClient as createVaultClient } from '@hapic/vault';
+import { buildEventFullName } from '@authup/core-realtime-kit';
 import { Emitter } from '@socket.io/redis-emitter';
-import { createTransport, createTestAccount } from 'nodemailer';
 
 async function compare(value, hashedValue) {
     return compare$1(value, hashedValue);
 }
 
-async function hash(str, saltOrRounds = 10) {
-    return hash$1(str, saltOrRounds);
+async function hash(str, rounds = 10) {
+    return hash$1(str, rounds);
 }
 
 /*
- * Copyright (c) 2022.
+ * Copyright (c) 2022-2024.
  * Author Peter Placzek (tada5hi)
  * For the full copyright and license information,
  * view the LICENSE file that was distributed with this source code.
- */ var KeyPairKind;
-(function(KeyPairKind) {
-    KeyPairKind["PRIVATE"] = "private";
-    KeyPairKind["PUBLIC"] = "public";
-})(KeyPairKind || (KeyPairKind = {}));
-
-function isKeyPair(data) {
-    return isObject(data) && typeof data.privateKey !== 'undefined' && typeof data.publicKey !== 'undefined';
-}
-function isKeyPairWithPublicKey(data) {
-    return isObject(data) && typeof data.publicKey !== 'undefined';
-}
-
-function extendKeyPairOptions(options) {
-    var _options;
-    options = options ?? {};
-    options.directory = options.directory || process.cwd();
-    options.directory = path.isAbsolute(options.directory) ? options.directory : path.resolve(process.cwd(), options.directory);
-    (_options = options).type ?? (_options.type = 'rsa');
-    if (options.type === 'rsa' || options.type === 'rsa-pss' || options.type === 'dsa') {
-        options.modulusLength = 2048;
-    }
-    if (!options.privateKeyEncoding) {
-        options.privateKeyEncoding = {
-            type: 'pkcs8',
-            format: 'pem'
-        };
+ */ var CryptoAsymmetricAlgorithm = /*#__PURE__*/ function(CryptoAsymmetricAlgorithm) {
+    CryptoAsymmetricAlgorithm["RSA_PSS"] = "RSA-PSS";
+    CryptoAsymmetricAlgorithm["RSASSA_PKCS1_V1_5"] = "RSASSA-PKCS1-v1_5";
+    CryptoAsymmetricAlgorithm["RSA_OAEP"] = "RSA-OAEP";
+    CryptoAsymmetricAlgorithm["ECDSA"] = "ECDSA";
+    CryptoAsymmetricAlgorithm["ECDH"] = "ECDH";
+    return CryptoAsymmetricAlgorithm;
+}({});
+
+class BaseKey {
+    key;
+    // ----------------------------------------------
+    constructor(cryptoKey){
+        this.key = cryptoKey;
+    }
+    // ----------------------------------------------
+    async toArrayBuffer() {
+        if (this.key.type === 'private') {
+            return subtle.exportKey('pkcs8', this.key);
+        }
+        if (this.key.type === 'public') {
+            return subtle.exportKey('spki', this.key);
+        }
+        return subtle.exportKey('raw', this.key);
     }
-    if (!options.publicKeyEncoding) {
-        options.publicKeyEncoding = {
-            type: 'spki',
-            format: 'pem'
-        };
+    async toUint8Array() {
+        const arrayBuffer = await this.toArrayBuffer();
+        return new Uint8Array(arrayBuffer);
     }
-    if (options.privateKeyEncoding.passphrase && !options.privateKeyEncoding.cipher) {
-        options.privateKeyEncoding.cipher = 'aes-256-cbc';
+    async toBase64() {
+        const arrayBuffer = await this.toArrayBuffer();
+        return arrayBufferToBase64(arrayBuffer);
+    }
+    async toJWK() {
+        return subtle.exportKey('jwk', this.key);
     }
-    return options;
 }
 
-function buildKeyFileName(type, context) {
-    const options = extendKeyPairOptions(context);
-    const parts = [];
-    switch(type){
-        case KeyPairKind.PRIVATE:
+/*
+ * Copyright (c) 2024-2024.
+ * Author Peter Placzek (tada5hi)
+ * For the full copyright and license information,
+ * view the LICENSE file that was distributed with this source code.
+ */ function enc(type, input) {
+    return `-----BEGIN ${type}-----\n${input}\n-----END ${type}-----`;
+}
+function encodePKCS8ToPEM(base64) {
+    return enc('PRIVATE KEY', base64);
+}
+function encodeSPKIToPem(input) {
+    return enc('PUBLIC KEY', input);
+}
+// ------------------------------------------------------------
+function dec(type, input) {
+    input = input.replace(`-----BEGIN ${type}-----\n`, '');
+    input = input.replace(`\n-----END ${type}-----\n`, '');
+    input = input.replace(`-----END ${type}-----\n`, '');
+    input = input.replace(`\n-----END ${type}-----`, '');
+    return input;
+}
+function decodePemToPKCS8(input) {
+    return dec('PRIVATE KEY', input);
+}
+function decodePemToSpki(input) {
+    return dec('PUBLIC KEY', input);
+}
+
+/**
+ * @see https://nodejs.org/api/webcrypto.html#cryptokeyusages
+ */ function getKeyUsagesForAsymmetricAlgorithm(name, format) {
+    if (name === CryptoAsymmetricAlgorithm.RSA_PSS || name === CryptoAsymmetricAlgorithm.ECDSA || name === CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5) {
+        if (format === 'spki') {
+            return [
+                'verify'
+            ];
+        }
+        if (format === 'pkcs8') {
+            return [
+                'sign'
+            ];
+        }
+        return [
+            'sign',
+            'verify'
+        ];
+    }
+    if (name === CryptoAsymmetricAlgorithm.ECDH) {
+        if (format === 'spki') {
+            return [];
+        }
+        return [
+            'deriveKey',
+            'deriveBits'
+        ];
+    }
+    if (name === CryptoAsymmetricAlgorithm.RSA_OAEP) {
+        if (format === 'spki') {
+            return [
+                'encrypt'
+            ];
+        }
+        if (format === 'pkcs8') {
+            return [
+                'decrypt'
+            ];
+        }
+        return [
+            'encrypt',
+            'decrypt'
+        ];
+    }
+    throw new SyntaxError(`Key usages can not be determined for asymmetric algorithm: ${name}`);
+}
+
+function normalizeAsymmetricKeyPairCreateOptions(options) {
+    let optionsNormalized;
+    switch(options.name){
+        case CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5:
+        case CryptoAsymmetricAlgorithm.RSA_PSS:
+        case CryptoAsymmetricAlgorithm.RSA_OAEP:
             {
-                if (options.privateName) {
-                    parts.push(options.privateName);
-                } else {
-                    parts.push(type);
-                }
-                if (options.privateExtension) {
-                    if (options.privateExtension.startsWith('.')) {
-                        options.privateExtension = options.privateExtension.slice(1);
-                    }
-                    parts.push(options.privateExtension);
-                } else {
-                    parts.push('pem');
-                }
+                optionsNormalized = {
+                    modulusLength: 2048,
+                    publicExponent: new Uint8Array([
+                        0x01,
+                        0x00,
+                        0x01
+                    ]),
+                    hash: 'SHA-256',
+                    ...options
+                };
                 break;
             }
-        case KeyPairKind.PUBLIC:
+        case CryptoAsymmetricAlgorithm.ECDSA:
+        case CryptoAsymmetricAlgorithm.ECDH:
             {
-                if (options.publicName) {
-                    parts.push(options.publicName);
-                } else {
-                    parts.push(type);
-                }
-                if (options.publicExtension) {
-                    if (options.publicExtension.startsWith('.')) {
-                        options.publicExtension = options.publicExtension.slice(1);
-                    }
-                    parts.push(options.publicExtension);
-                } else {
-                    parts.push('pem');
-                }
-                break;
+                optionsNormalized = {
+                    namedCurve: 'P-256',
+                    ...options
+                };
             }
     }
-    return parts.join('.');
+    return optionsNormalized;
 }
-
-function decryptRSAPrivateKey(context, key) {
-    const privateKey = createPrivateKey({
-        type: context.privateKeyEncoding.type,
-        format: context.privateKeyEncoding.format,
-        key,
-        passphrase: context.privateKeyEncoding.passphrase || context.passphrase
-    });
-    let content = privateKey.export({
-        type: context.privateKeyEncoding.type,
-        format: context.privateKeyEncoding.format
-    });
-    if (typeof content !== 'string') {
-        content = Buffer.from(content).toString('utf-8');
+function normalizeAsymmetricKeyImportOptions(options) {
+    let optionsNormalized;
+    switch(options.name){
+        case CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5:
+        case CryptoAsymmetricAlgorithm.RSA_PSS:
+        case CryptoAsymmetricAlgorithm.RSA_OAEP:
+            {
+                optionsNormalized = {
+                    hash: 'SHA-256',
+                    ...options
+                };
+                break;
+            }
+        case CryptoAsymmetricAlgorithm.ECDSA:
+        case CryptoAsymmetricAlgorithm.ECDH:
+            {
+                optionsNormalized = {
+                    namedCurve: 'P-256',
+                    ...options
+                };
+            }
     }
-    return content;
+    return optionsNormalized;
 }
 
-async function saveKeyPair(keyPair, context) {
-    context = extendKeyPairOptions(context);
-    await fs.promises.mkdir(context.directory, {
-        recursive: true
-    });
-    await Promise.all([
-        {
-            path: path.resolve(context.directory, buildKeyFileName(KeyPairKind.PRIVATE, context)),
-            content: keyPair.privateKey
-        },
-        {
-            path: path.resolve(context.directory, buildKeyFileName(KeyPairKind.PUBLIC, context)),
-            content: keyPair.publicKey
-        }
-    ].map((file)=>fs.promises.writeFile(file.path, file.content)));
-    return keyPair;
-}
-
-async function createKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const keyPair = await new Promise((resolve, reject)=>{
-        const callback = (err, publicKey, privateKey)=>{
-            if (err) reject(err);
-            resolve({
-                privateKey,
-                publicKey
+class AsymmetricKey extends BaseKey {
+    async toPem() {
+        const base64 = await this.toBase64();
+        if (this.key.type === 'public') {
+            return encodeSPKIToPem(base64);
+        }
+        if (this.key.type === 'private') {
+            return encodePKCS8ToPEM(base64);
+        }
+        throw new Error(`${this.key.type} can not be converted to pem.`);
+    }
+    // ----------------------------------------------------------------
+    static async fromPem(ctx) {
+        if (ctx.format === 'pkcs8') {
+            return AsymmetricKey.fromBase64({
+                ...ctx,
+                key: decodePemToPKCS8(ctx.key)
             });
-        };
-        switch(options.type){
-            case 'dsa':
-                generateKeyPair(options.type, options, callback);
-                break;
-            case 'ec':
-                generateKeyPair(options.type, options, callback);
-                break;
-            case 'rsa':
-                generateKeyPair(options.type, options, callback);
-                break;
-            case 'rsa-pss':
-                generateKeyPair(options.type, options, callback);
-                break;
         }
-    });
-    if (options.save) {
-        await saveKeyPair(keyPair, options);
+        return AsymmetricKey.fromBase64({
+            ...ctx,
+            key: decodePemToSpki(ctx.key)
+        });
+    }
+    static async fromBase64(ctx) {
+        const arrayBuffer = base64ToArrayBuffer(ctx.key);
+        return AsymmetricKey.fromArrayBuffer({
+            ...ctx,
+            key: arrayBuffer
+        });
     }
-    if (options.passphrase || options.privateKeyEncoding.passphrase) {
-        keyPair.privateKey = decryptRSAPrivateKey(options, keyPair.privateKey);
+    static async fromArrayBuffer(ctx) {
+        const normalizedOptions = normalizeAsymmetricKeyImportOptions(ctx.options);
+        const cryptoKey = await subtle.importKey(ctx.format, ctx.key, normalizedOptions, true, getKeyUsagesForAsymmetricAlgorithm(normalizedOptions.name, ctx.format));
+        return new AsymmetricKey(cryptoKey);
+    }
+    // ----------------------------------------------------------------
+    static buildImportOptionsForJWTAlgorithm(alg) {
+        if (alg === JWTAlgorithm.RS256) {
+            return {
+                name: CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5,
+                hash: 'SHA-256'
+            };
+        }
+        if (alg === JWTAlgorithm.RS384) {
+            return {
+                name: CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5,
+                hash: 'SHA-384'
+            };
+        }
+        if (alg === JWTAlgorithm.RS512) {
+            return {
+                name: CryptoAsymmetricAlgorithm.RSASSA_PKCS1_V1_5,
+                hash: 'SHA-512'
+            };
+        }
+        if (alg === JWTAlgorithm.ES256) {
+            return {
+                name: CryptoAsymmetricAlgorithm.ECDSA,
+                namedCurve: 'P-256'
+            };
+        }
+        if (alg === JWTAlgorithm.ES384) {
+            return {
+                name: CryptoAsymmetricAlgorithm.ECDSA,
+                namedCurve: 'P-384'
+            };
+        }
+        if (alg === JWTAlgorithm.ES512) {
+            return {
+                name: CryptoAsymmetricAlgorithm.ECDSA,
+                namedCurve: 'P-521'
+            };
+        }
+        throw new Error(`Signature algorithm ${alg} is not supported.`);
     }
-    return keyPair;
 }
 
-async function deleteKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const privateKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PRIVATE, options));
-    const publicKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PUBLIC, options));
-    try {
-        await Promise.all([
-            privateKeyPath,
-            publicKeyPath
-        ].map((filePath)=>fs.promises.stat(filePath)));
-    } catch (e) {
-        return;
-    }
-    await Promise.all([
-        privateKeyPath,
-        publicKeyPath
-    ].map((filePath)=>fs.promises.rm(filePath)));
+function isAsymmetricAlgorithm(input) {
+    return Object.values(CryptoAsymmetricAlgorithm).includes(input);
 }
 
-async function loadKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const privateKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PRIVATE, options));
-    try {
-        await fs.promises.stat(privateKeyPath);
-    } catch (e) {
-        return undefined;
+async function createAsymmetricKeyPair(options) {
+    const optionsNormalized = normalizeAsymmetricKeyPairCreateOptions(options);
+    return subtle.generateKey(optionsNormalized, true, getKeyUsagesForAsymmetricAlgorithm(optionsNormalized.name));
+}
+
+/*
+ * Copyright (c) 2024.
+ * Author Peter Placzek (tada5hi)
+ * For the full copyright and license information,
+ * view the LICENSE file that was distributed with this source code.
+ */ var SymmetricAlgorithm = /*#__PURE__*/ function(SymmetricAlgorithm) {
+    SymmetricAlgorithm["HMAC"] = "HMAC";
+    SymmetricAlgorithm["AES_CTR"] = "AES-CTR";
+    SymmetricAlgorithm["AES_CBC"] = "AES-CBC";
+    SymmetricAlgorithm["AES_GCM"] = "AES-GCM";
+    return SymmetricAlgorithm;
+}({});
+
+function isSymmetricAlgorithm(input) {
+    return Object.values(SymmetricAlgorithm).includes(input);
+}
+
+function getKeyUsagesForSymmetricAlgorithm(name) {
+    /**
+     * @see https://nodejs.org/api/webcrypto.html#cryptokeyusages
+     */ if (name === SymmetricAlgorithm.HMAC) {
+        return [
+            'sign',
+            'verify'
+        ];
+    }
+    if (name === SymmetricAlgorithm.AES_CBC || name === SymmetricAlgorithm.AES_GCM || name === SymmetricAlgorithm.AES_CTR) {
+        return [
+            'encrypt',
+            'decrypt'
+        ];
+    }
+    throw new SyntaxError(`Key usages can not be determined for symmetric algorithm: ${name}`);
+}
+
+function normalizeSymmetricKeyCreateOptions(input) {
+    if (input.name === SymmetricAlgorithm.HMAC) {
+        return {
+            hash: 'SHA-256',
+            ...input
+        };
     }
-    const privateKeyBuffer = await fs.promises.readFile(privateKeyPath);
-    let privateKey = privateKeyBuffer.toString();
-    if (options.passphrase || options.privateKeyEncoding.passphrase) {
-        privateKey = decryptRSAPrivateKey(options, privateKey);
+    return {
+        length: 256,
+        name: input.name
+    };
+}
+function normalizeSymmetricKeyImportOptions(input) {
+    if (input.name === SymmetricAlgorithm.HMAC) {
+        return {
+            hash: 'SHA-256',
+            ...input
+        };
     }
-    const publicKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PUBLIC, options));
-    let publicKey;
-    try {
-        await fs.promises.stat(publicKeyPath);
-        const publicKeyBuffer = await fs.promises.readFile(publicKeyPath);
-        publicKey = publicKeyBuffer.toString();
-    } catch (e) {
-        const publicKeyObject = createPublicKey({
-            key: privateKey,
-            format: options.privateKeyEncoding.format,
-            type: options.publicKeyEncoding.type
-        });
-        const stringOrBuffer = publicKeyObject.export({
-            format: options.publicKeyEncoding.format,
-            type: options.publicKeyEncoding.type
+    return input;
+}
+
+class SymmetricKey extends BaseKey {
+    static async fromBase64(ctx) {
+        const arrayBuffer = base64ToArrayBuffer(ctx.key);
+        return SymmetricKey.fromArrayBuffer({
+            ...ctx,
+            key: arrayBuffer
         });
-        if (typeof stringOrBuffer !== 'string') {
-            publicKey = stringOrBuffer.toString();
-        } else {
-            publicKey = stringOrBuffer;
+    }
+    static async fromArrayBuffer(ctx) {
+        const normalizedOptions = normalizeSymmetricKeyImportOptions(ctx.options);
+        const cryptoKey = await subtle.importKey(ctx.format, ctx.key, normalizedOptions, true, getKeyUsagesForSymmetricAlgorithm(normalizedOptions.name));
+        return new SymmetricKey(cryptoKey);
+    }
+    static buildImportOptionsForJWTAlgorithm(alg) {
+        if (alg === JWTAlgorithm.HS256) {
+            return {
+                name: SymmetricAlgorithm.HMAC,
+                hash: 'SHA-256'
+            };
+        }
+        if (alg === JWTAlgorithm.HS384) {
+            return {
+                name: SymmetricAlgorithm.HMAC,
+                hash: 'SHA-384'
+            };
         }
-        if (options.save) {
-            await saveKeyPair({
-                privateKey,
-                publicKey
-            }, options);
+        if (alg === JWTAlgorithm.HS512) {
+            return {
+                name: SymmetricAlgorithm.HMAC,
+                hash: 'SHA-512'
+            };
         }
+        throw new Error(`Signature algorithm ${alg} is not supported.`);
     }
-    return {
-        privateKey,
-        publicKey
-    };
 }
 
-const keyPairCache = {};
-async function useKeyPair(value) {
-    let options;
-    if (typeof value === 'string') {
-        options = extendKeyPairOptions({
-            privateName: value
-        });
-    } else {
-        options = extendKeyPairOptions(value || {});
-    }
-    if (Object.prototype.hasOwnProperty.call(keyPairCache, options.privateName)) {
-        return keyPairCache[options.privateName];
+async function createSymmetricKey(input) {
+    const optionsNormalized = normalizeSymmetricKeyCreateOptions(input);
+    return subtle.generateKey(optionsNormalized, true, getKeyUsagesForSymmetricAlgorithm(optionsNormalized.name));
+}
+
+/**
+ * Decode a JWT token with no verification.
+ *
+ * @param token
+ *
+ * @throws JWTError
+ */ function extractTokenHeader(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        throw JWTError.invalid();
+    }
+    const [headerBase64] = parts;
+    try {
+        const payload = atob(headerBase64);
+        return JSON.parse(payload);
+    /*
+        return {
+            typ: 'JWT',
+            alg: transformInternalToJWTAlgorithm(header.algorithm),
+            cty: header.contentType,
+            jku: header.jsonKeyUrl,
+            kid: header.keyId,
+            x5u: header.x5Url,
+            x5c: header.x5CertChain,
+            x5t: header.x5CertThumbprint,
+            'x5t#S256': header.x5TS256CertThumbprint,
+        };
+         */ } catch  {
+        throw JWTError.headerInvalid('The token header could not be extracted.');
     }
-    let keyPair = await loadKeyPair(options);
-    if (typeof keyPair === 'undefined') {
-        keyPair = await createKeyPair(options);
+}
+/**
+ * @param token
+ *
+ * @throws JWTError
+ */ function extractTokenPayload(token) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        throw JWTError.invalid();
+    }
+    const [, payloadBase64] = parts;
+    try {
+        const payload = atob(payloadBase64);
+        return JSON.parse(payload);
+    } catch  {
+        throw JWTError.payloadInvalid('The token payload could not be extracted.');
     }
-    keyPairCache[options.privateName] = keyPair;
-    return keyPair;
 }
 
 function createErrorForJWTError(e) {
-    if (isObject$1(e) && typeof e.name === 'string') {
-        switch(e.name){
-            case 'TokenExpiredError':
+    if (isObject(e)) {
+        if (typeof e.name === 'string') {
+            switch(e.name){
+                case 'TokenExpiredError':
+                    {
+                        return JWTError.expired();
+                    }
+                case 'NotBeforeError':
+                    {
+                        if (typeof e.date === 'string' || e.date instanceof Date) {
+                            return JWTError.notActiveBefore(e.date);
+                        }
+                        break;
+                    }
+                case 'JsonWebTokenError':
+                    {
+                        if (typeof e.message === 'string') {
+                            return JWTError.payloadInvalid(e.message);
+                        }
+                        break;
+                    }
+            }
+        }
+        // @see https://github.com/Keats/jsonwebtoken/blob/master/src/errors.rs
+        switch(e.message){
+            case 'ExpiredSignature':
                 {
-                    return TokenError.expired();
+                    return JWTError.expired();
                 }
-            case 'NotBeforeError':
+            case 'ImmatureSignature':
                 {
-                    if (typeof e.date === 'string' || e.date instanceof Date) {
-                        return TokenError.notActiveBefore(e.date);
-                    }
-                    break;
+                    return JWTError.notActiveBefore();
                 }
-            case 'JsonWebTokenError':
+            case 'InvalidToken':
+            case 'InvalidSignature':
                 {
-                    if (typeof e.message === 'string') {
-                        return TokenError.payloadInvalid(e.message);
-                    }
-                    break;
+                    return JWTError.payloadInvalid();
                 }
         }
     }
-    return new TokenError({
+    return new JWTError({
         cause: e,
         logMessage: true,
         message: 'The JWT error could not be determined.'
     });
 }
-
-function decodeToken(token, options) {
-    options ?? (options = {});
-    let output;
-    try {
-        output = decode(token, {
-            ...options
-        });
-    } catch (e) {
-        throw createErrorForJWTError(e);
-    }
-    if (output === null) {
-        throw TokenError.payloadInvalid('The token could not be decoded.');
+function transformJWTAlgorithmToInternal(algorithm) {
+    switch(algorithm){
+        case JWTAlgorithm.HS256:
+            {
+                return Algorithm.HS256;
+            }
+        case JWTAlgorithm.HS384:
+            {
+                return Algorithm.HS384;
+            }
+        case JWTAlgorithm.HS512:
+            {
+                return Algorithm.HS512;
+            }
+        case JWTAlgorithm.RS256:
+            {
+                return Algorithm.RS256;
+            }
+        case JWTAlgorithm.RS384:
+            {
+                return Algorithm.RS384;
+            }
+        case JWTAlgorithm.RS512:
+            {
+                return Algorithm.RS512;
+            }
+        case JWTAlgorithm.ES256:
+            {
+                return Algorithm.ES256;
+            }
+        case JWTAlgorithm.ES384:
+            {
+                return Algorithm.ES384;
+            }
+        case JWTAlgorithm.PS256:
+            {
+                return Algorithm.PS256;
+            }
+        case JWTAlgorithm.PS384:
+            {
+                return Algorithm.PS384;
+            }
+        case JWTAlgorithm.PS512:
+            {
+                return Algorithm.PS512;
+            }
     }
-    return output;
+    throw new Error(`The algorithm ${algorithm} is not supported.`);
 }
 
-async function signToken(payload, context) {
-    context.expiresIn = context.expiresIn || 3600;
+const getUtcTimestamp = ()=>Math.floor(new Date().getTime() / 1000);
+async function signToken(claims, context) {
+    if (typeof claims.exp !== 'number') {
+        claims.exp = getUtcTimestamp() + 3600;
+    }
+    if (typeof claims.iat !== 'number') {
+        claims.iat = getUtcTimestamp();
+    }
     switch(context.type){
-        case KeyType.RSA:
-        case KeyType.EC:
+        case JWKType.RSA:
+        case JWKType.EC:
             {
-                const { type, keyPair, ...options } = context;
-                const { privateKey } = isKeyPair(keyPair) ? keyPair : await useKeyPair(keyPair);
-                if (type === KeyType.RSA) {
-                    options.algorithm = options.algorithm || 'RS256';
+                let algorithm;
+                let key;
+                if (typeof context.key === 'string') {
+                    key = encodePKCS8ToPEM(context.key);
+                } else {
+                    const keyContainer = new AsymmetricKey(context.key);
+                    key = await keyContainer.toPem();
+                }
+                if (context.type === JWKType.RSA) {
+                    algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.RS256;
                 } else {
-                    options.algorithm = options.algorithm || 'ES256';
+                    algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.ES256;
                 }
-                return sign(payload, privateKey, options);
+                return sign(claims, key, {
+                    algorithm,
+                    keyId: context.keyId
+                });
             }
-        case KeyType.OCT:
+        case JWKType.OCT:
             {
-                const { type, secret, ...options } = context;
-                options.algorithm = options.algorithm || 'HS256';
-                return sign(payload, secret, options);
+                const algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.HS256;
+                let key;
+                if (typeof context.key === 'string') {
+                    key = context.key;
+                } else {
+                    const keyContainer = new SymmetricKey(context.key);
+                    key = await keyContainer.toUint8Array();
+                }
+                return sign(claims, key, {
+                    algorithm,
+                    keyId: context.keyId
+                });
             }
     }
-    throw new TokenError();
+    throw new JWTError();
 }
 
-async function verifyToken(token, context) {
+/**
+ * Verify JWT.
+ *
+ * @param token
+ * @param context
+ *
+ * @throws OAuth2Error
+ */ async function verifyToken(token, context) {
     let promise;
     let output;
     try {
         switch(context.type){
-            case KeyType.RSA:
-            case KeyType.EC:
+            case JWKType.RSA:
+            case JWKType.EC:
                 {
-                    const { type, keyPair, ...options } = context;
-                    const { publicKey } = isKeyPairWithPublicKey(keyPair) ? keyPair : await useKeyPair(keyPair);
-                    if (type === KeyType.RSA) {
-                        options.algorithms = options.algorithms || [
-                            'RS256',
-                            'RS384',
-                            'RS512',
-                            'PS256',
-                            'PS384',
-                            'PS512'
+                    let algorithms;
+                    if (context.type === JWKType.RSA) {
+                        algorithms = context.algorithms ? context.algorithms.map((algorithm)=>transformJWTAlgorithmToInternal(algorithm)) : [
+                            Algorithm.RS256,
+                            Algorithm.RS384,
+                            Algorithm.RS512,
+                            Algorithm.PS256,
+                            Algorithm.PS384,
+                            Algorithm.PS512
                         ];
                     } else {
-                        options.algorithms = options.algorithms || [
-                            'ES256',
-                            'ES384',
-                            'ES512'
+                        algorithms = context.algorithms ? context.algorithms.map((algorithm)=>transformJWTAlgorithmToInternal(algorithm)) : [
+                            Algorithm.ES256,
+                            Algorithm.ES384
                         ];
                     }
-                    promise = new Promise((resolve, reject)=>{
-                        verify(token, publicKey, options, (err, decoded)=>{
-                            if (err) {
-                                reject(err);
-                                return;
-                            }
-                            resolve(decoded);
-                        });
+                    let key;
+                    if (typeof context.key === 'string') {
+                        key = encodeSPKIToPem(context.key);
+                    } else {
+                        const keyContainer = new AsymmetricKey(context.key);
+                        key = await keyContainer.toPem();
+                    }
+                    promise = verify(token, key, {
+                        algorithms,
+                        validateNbf: true
                     });
                     break;
                 }
-            case KeyType.OCT:
+            case JWKType.OCT:
                 {
-                    const { type, secret, ...options } = context;
-                    options.algorithms = options.algorithms || [
-                        'HS256',
-                        'HS384',
-                        'HS512'
+                    const algorithms = context.algorithms ? context.algorithms.map((algorithm)=>transformJWTAlgorithmToInternal(algorithm)) : [
+                        Algorithm.HS256,
+                        Algorithm.HS384,
+                        Algorithm.HS512
                     ];
-                    promise = new Promise((resolve, reject)=>{
-                        verify(token, secret, options, (err, decoded)=>{
-                            if (err) {
-                                reject(err);
-                                return;
-                            }
-                            resolve(decoded);
-                        });
+                    let key;
+                    if (typeof context.key === 'string') {
+                        key = context.key;
+                    } else {
+                        const keyContainer = new SymmetricKey(context.key);
+                        key = await keyContainer.toUint8Array();
+                    }
+                    promise = verify(token, key, {
+                        algorithms,
+                        validateNbf: true
                     });
                 }
         }
-        output = await promise;
+        if (promise) {
+            output = await promise;
+        }
     } catch (e) {
         throw createErrorForJWTError(e);
     }
-    if (typeof output === 'undefined') {
-        throw new TokenError({
-            message: 'Invalid type.'
-        });
+    if (!output) {
+        throw new JWTError();
     }
     return output;
 }
 
-function transformDomainEventData(input) {
-    if (isObject(input)) {
-        const keys = Object.keys(input);
-        for(let i = 0; i < keys.length; i++){
-            const value = input[keys[i]];
-            if (value instanceof Date) {
-                input[keys[i]] = value.toISOString();
+/*
+ * Copyright (c) 2024-2024.
+ * Author Peter Placzek (tada5hi)
+ * For the full copyright and license information,
+ * view the LICENSE file that was distributed with this source code.
+ */ class DomainEventPublisher {
+    publishers;
+    constructor(){
+        this.publishers = new Set();
+    }
+    mount(publisher) {
+        this.publishers.add(publisher);
+    }
+    async publish(ctx) {
+        const publishers = this.publishers.values();
+        while(true){
+            const it = publishers.next();
+            if (it.done) {
+                return;
             }
+            await it.value.publish(ctx);
         }
     }
-    return input;
-}
-function buildDomainEventChannelName(input, id) {
-    if (typeof input === 'string') {
-        return input;
-    }
-    return input(id);
 }
 
-async function publishDomainRedisEvent(context, destinations) {
-    if (!hasClient() && !hasConfig()) {
-        return Promise.resolve();
+class MemoryCache {
+    instance;
+    constructor(options = {}){
+        this.instance = new TTLCache({
+            checkAgeOnGet: true,
+            ttl: Infinity,
+            ...options || {}
+        });
     }
-    context = transformDomainEventData(context);
-    const json = JSON.stringify(context);
-    const client = useClient();
-    const pipeline = client.pipeline();
-    for(let i = 0; i < destinations.length; i++){
-        const { namespace } = destinations[i];
-        const keyPrefix = namespace ? `${namespace}:` : '';
-        let key = keyPrefix + buildDomainEventChannelName(destinations[i].channel);
-        pipeline.publish(key, json);
-        if (context.event !== DomainEventName.CREATED && typeof destinations[i].channel === 'function') {
-            key = keyPrefix + buildDomainEventChannelName(destinations[i].channel, context.data.id);
-            pipeline.publish(key, json);
+    async pop(key) {
+        if (this.instance.has(key)) {
+            const output = this.instance.get(key);
+            this.instance.delete(key);
+            return output;
         }
+        return null;
     }
-    return pipeline.exec();
-}
-
-let instance$3;
-function useSocketEmitter() {
-    if (typeof instance$3 !== 'undefined') {
-        return instance$3;
-    }
-    instance$3 = new Emitter(useClient());
-    return instance$3;
-}
-
-function publishDomainSocketEvent(context, destinations) {
-    if (!hasClient() && !hasConfig()) {
-        return;
+    async has(key) {
+        return this.instance.has(key);
     }
-    context = transformDomainEventData(context);
-    for(let i = 0; i < destinations.length; i++){
-        let emitter = useSocketEmitter();
-        if (destinations[i].namespace) {
-            emitter = emitter.of(destinations[i].namespace);
+    async get(key) {
+        const output = await this.instance.get(key);
+        if (output) {
+            return output;
         }
-        let roomName = buildDomainEventChannelName(destinations[i].channel);
-        const fullEventName = buildDomainEventFullName(context.type, context.event);
-        emitter.in(roomName)// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore
-        .emit(fullEventName, {
-            ...context,
-            meta: {
-                roomName
-            }
+        return null;
+    }
+    async set(key, value, options) {
+        this.instance.set(key, value, {
+            ttl: options.ttl
         });
-        if (context.event !== DomainEventName.CREATED && typeof destinations[i].channel === 'function') {
-            roomName = buildDomainEventChannelName(destinations[i].channel, context.data.id);
-            emitter.in(roomName)// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore
-            .emit(fullEventName, {
-                ...context,
-                meta: {
-                    roomName,
-                    roomId: context.data.id
+    }
+    async drop(key) {
+        this.instance.delete(key);
+    }
+    async dropMany(keys) {
+        for (const key of keys){
+            this.instance.delete(key);
+        }
+    }
+    async clear(options = {}) {
+        if (options.prefix) {
+            const keys = this.instance.keys();
+            let iterator = keys.next();
+            while(!iterator.done){
+                if (typeof iterator.value !== 'string') {
+                    continue;
                 }
-            });
+                if (iterator.value.startsWith(options.prefix)) {
+                    this.instance.delete(iterator.value);
+                }
+                iterator = keys.next();
+            }
+            return;
         }
+        this.instance.clear();
     }
 }
 
-async function publishDomainEvent(context, destinations) {
-    await publishDomainRedisEvent(context, destinations);
-    publishDomainSocketEvent(context, destinations);
+function isRedisClient(data) {
+    return isObject(data) && typeof data.connect === 'function' && typeof data.disconnect === 'function';
 }
 
-/*
- * Copyright (c) 2022.
- * Author Peter Placzek (tada5hi)
- * For the full copyright and license information,
- * view the LICENSE file that was distributed with this source code.
- */ class VoidLogger {
-    error() {
-        return this;
+function createRedisClient(input) {
+    if (typeof input === 'boolean') {
+        return createClient({
+            connectionString: 'redis://127.0.0.1'
+        });
+    }
+    if (typeof input === 'string') {
+        return createClient({
+            connectionString: input
+        });
+    }
+    if (!isRedisClient(input)) {
+        return createClient({
+            options: input
+        });
+    }
+    return input;
+}
+
+class RedisCache {
+    client;
+    jsonAdapter;
+    constructor(input){
+        this.client = createRedisClient(input);
+        this.jsonAdapter = new JsonAdapter(this.client);
+    }
+    async get(key) {
+        const output = await this.jsonAdapter.get(key);
+        if (output) {
+            return output;
+        }
+        return null;
     }
-    warn() {
-        return this;
+    async pop(key) {
+        const raw = await this.client.getdel(key);
+        if (!raw) {
+            return null;
+        }
+        try {
+            return JSON.parse(raw);
+        } catch  {
+            return null;
+        }
     }
-    info() {
-        return this;
+    async has(key) {
+        const output = await this.get(key);
+        return !!output;
     }
-    http() {
-        return this;
+    async set(key, value, options) {
+        await this.jsonAdapter.set(key, value, {
+            milliseconds: options.ttl
+        });
     }
-    verbose() {
-        return this;
+    async drop(key) {
+        await this.jsonAdapter.drop(key);
     }
-    debug() {
-        return this;
+    async dropMany(keys) {
+        const pipeline = this.client.pipeline();
+        for (const key of keys){
+            pipeline.del(key);
+        }
+        await pipeline.exec();
+    }
+    async clear(options = {}) {
+        if (options.prefix) {
+            const pipeline = this.client.pipeline();
+            const keys = await this.client.keys(`${options.prefix}*`);
+            for (const key of keys){
+                pipeline.del(key);
+            }
+            await pipeline.exec();
+            return;
+        }
+        await this.client.flushdb();
     }
 }
 
-let instance$2;
-function useLogger() {
-    if (typeof instance$2 !== 'undefined') {
-        return instance$2;
-    }
-    instance$2 = new VoidLogger();
-    return instance$2;
+function buildCacheKey(options) {
+    return buildKeyPath(options);
 }
-function setLogger(logger) {
-    instance$2 = logger;
+
+function createNoopLogger() {
+    return createLogger$1({
+        silent: true
+    });
+}
+function createLogger(context) {
+    let items;
+    const cwd = context.directory || process.cwd();
+    if (context.env === 'production') {
+        items = [
+            new transports.Console({
+                level: 'info'
+            }),
+            new transports.File({
+                filename: path.join(cwd, 'http.log'),
+                level: 'http',
+                maxsize: 10 * 1024 * 1024,
+                maxFiles: 5
+            }),
+            new transports.File({
+                filename: path.join(cwd, 'error.log'),
+                level: 'warn',
+                maxsize: 10 * 1024 * 1024,
+                maxFiles: 5
+            })
+        ];
+    } else {
+        items = [
+            new transports.Console({
+                level: 'debug'
+            })
+        ];
+    }
+    // @see https://github.com/winstonjs/triple-beam/blob/master/config/npm.js
+    return createLogger$1({
+        format: format.combine(format.errors({
+            stack: true
+        }), format.timestamp(), format.colorize(), format.simple()),
+        transports: items
+    });
 }
 
-/*
- * Copyright (c) 2022.
- * Author Peter Placzek (tada5hi)
- * For the full copyright and license information,
- * view the LICENSE file that was distributed with this source code.
- */ let instance$1;
-function hasSmtpConfig() {
-    return !!instance$1;
+const instance$1 = singa({
+    name: 'logger'
+});
+function setLoggerFactory(factory) {
+    instance$1.setFactory(factory);
 }
-function setSmtpConfig(value) {
-    instance$1 = value;
+function isLoggerUsable() {
+    return instance$1.has() || instance$1.hasFactory();
 }
-function useSmtpConfig() {
-    if (typeof instance$1 !== 'undefined') {
-        return instance$1;
-    }
-    instance$1 = {};
-    return instance$1;
+function setLogger(input) {
+    instance$1.set(input);
+}
+function useLogger() {
+    return instance$1.use();
 }
 
-function createSmtpClient(options) {
-    let transport;
-    options = options || {};
-    if (typeof options === 'string') {
-        transport = createTransport(options);
-    } else if (options.connectionString) {
-        transport = createTransport(options.connectionString);
-    } else {
-        let auth;
-        if (options.user && options.password) {
-            auth = {
-                type: 'login',
-                user: options.user,
-                pass: options.password
-            };
+const instance = singa({
+    name: 'vault'
+});
+function setVaultFactory(factory) {
+    instance.setFactory(factory);
+}
+function isVaultClientUsable() {
+    return instance.has() || instance.hasFactory();
+}
+function useVaultClient() {
+    return instance.use();
+}
+
+function transformDomainEventData(input) {
+    const keys = Object.keys(input);
+    for (const key_ of keys){
+        const key = key_;
+        const value = input[key];
+        if (!isObject$1(value)) {
+            continue;
+        }
+        if (value instanceof Date) {
+            input[key] = value.toISOString();
         }
-        transport = createTransport({
-            host: options.host,
-            port: options.port,
-            auth,
-            secure: options.ssl,
-            opportunisticTLS: options.starttls,
-            tls: {
-                rejectUnauthorized: false
+    }
+    return input;
+}
+function buildDomainEventChannelName(input, id) {
+    if (typeof input === 'string') {
+        return input;
+    }
+    return input(id);
+}
+
+class DomainEventRedisPublisher {
+    driver;
+    constructor(input){
+        this.driver = createRedisClient(input);
+    }
+    async publish(ctx) {
+        const data = JSON.stringify(transformDomainEventData(ctx.content));
+        const pipeline = this.driver.pipeline();
+        for(let i = 0; i < ctx.destinations.length; i++){
+            const { namespace } = ctx.destinations[i];
+            const keyPrefix = namespace ? `${namespace}:` : '';
+            let key = keyPrefix + buildDomainEventChannelName(ctx.destinations[i].channel);
+            pipeline.publish(key, data);
+            if (typeof ctx.destinations[i].channel === 'function') {
+                key = keyPrefix + buildDomainEventChannelName(ctx.destinations[i].channel, ctx.content.data.id);
+                pipeline.publish(key, data);
             }
-        });
+        }
+        await pipeline.exec();
     }
-    transport.on('error', (e)=>{
-        useLogger().error(e.message);
-    });
-    return transport;
-}
-
-let instance;
-async function useSMTPClient() {
-    if (typeof instance !== 'undefined') {
-        return instance;
-    }
-    let options;
-    if (process.env.NODE_ENV === 'test') {
-        const testAccount = await createTestAccount();
-        options = {
-            host: 'smtp.ethereal.email',
-            port: 587,
-            ssl: false,
-            user: testAccount.user,
-            password: testAccount.pass
-        };
-    } else {
-        options = useSmtpConfig();
+}
+
+class DomainEventSocketPublisher {
+    driver;
+    constructor(input){
+        const client = createRedisClient(input);
+        this.driver = new Emitter(client);
+    }
+    async publish(ctx) {
+        ctx.content = transformDomainEventData(ctx.content);
+        for(let i = 0; i < ctx.destinations.length; i++){
+            const destination = ctx.destinations[i];
+            let emitter;
+            if (destination.namespace) {
+                emitter = this.driver.of(destination.namespace);
+            } else {
+                emitter = this.driver;
+            }
+            let roomName = buildDomainEventChannelName(destination.channel);
+            const fullEventName = buildEventFullName(ctx.content.type, ctx.content.event);
+            emitter.in(roomName).emit(fullEventName, {
+                ...ctx.content,
+                meta: {
+                    roomName
+                }
+            });
+            if (typeof destination.channel === 'function') {
+                roomName = buildDomainEventChannelName(destination.channel, ctx.content.data.id);
+                emitter.in(roomName).emit(fullEventName, {
+                    ...ctx.content,
+                    meta: {
+                        roomName,
+                        roomId: ctx.content.data.id
+                    }
+                });
+            }
+        }
     }
-    instance = createSmtpClient(options);
-    return instance;
 }
 
 /*
- * Copyright (c) 2022.
+ * Copyright (c) 2022-2024.
  * Author Peter Placzek (tada5hi)
  * For the full copyright and license information,
  * view the LICENSE file that was distributed with this source code.
@@ -609,5 +984,5 @@ async function useSMTPClient() {
     return Object.prototype.hasOwnProperty.call(obj, prop);
 }
 
-export { KeyPairKind, VoidLogger, buildKeyFileName, compare, createKeyPair, createSmtpClient, decodeToken, decryptRSAPrivateKey, deleteKeyPair, extendKeyPairOptions, hasOwnProperty, hasSmtpConfig, hash, isKeyPair, isKeyPairWithPublicKey, loadKeyPair, publishDomainEvent, publishDomainRedisEvent, publishDomainSocketEvent, saveKeyPair, setLogger, setSmtpConfig, signToken, useKeyPair, useLogger, useSMTPClient, useSmtpConfig, useSocketEmitter, verifyToken };
+export { AsymmetricKey, BaseKey, CryptoAsymmetricAlgorithm, DomainEventPublisher, DomainEventRedisPublisher, DomainEventSocketPublisher, MemoryCache, RedisCache, SymmetricAlgorithm, SymmetricKey, buildCacheKey, compare, createAsymmetricKeyPair, createLogger, createNoopLogger, createRedisClient, createSymmetricKey, decodePemToPKCS8, decodePemToSpki, encodePKCS8ToPEM, encodeSPKIToPem, extractTokenHeader, extractTokenPayload, getKeyUsagesForAsymmetricAlgorithm, getKeyUsagesForSymmetricAlgorithm, hasOwnProperty, hash, isAsymmetricAlgorithm, isLoggerUsable, isRedisClient, isSymmetricAlgorithm, isVaultClientUsable, normalizeAsymmetricKeyImportOptions, normalizeAsymmetricKeyPairCreateOptions, setLogger, setLoggerFactory, setVaultFactory, signToken, useLogger, useVaultClient, verifyToken };
 //# sourceMappingURL=index.mjs.map