@authup/server-kit 1.0.0-beta.4 → 1.0.0-beta.40

package/dist/index.mjs

@@ -1,613 +1,739 @@
-import { compare as compare$1, hash as hash$1 } from 'bcrypt';
-import { createPrivateKey, generateKeyPair, createPublicKey } from 'node:crypto';
-import { isObject, TokenError, KeyType, DomainEventName, buildDomainEventFullName } from '@authup/core';
-import path from 'node:path';
-import fs from 'node:fs';
-import { decode, sign, verify } from 'jsonwebtoken';
-import { isObject as isObject$1 } from 'smob';
-import { hasClient, hasConfig, useClient } from 'redis-extension';
-import { Emitter } from '@socket.io/redis-emitter';
-import { createTransport, createTestAccount } from 'nodemailer';
-
+import { compare as compare$1, hash as hash$1 } from "@node-rs/bcrypt";
+import { arrayBufferToBase64, base64ToArrayBuffer, isObject } from "@authup/kit";
+import { JWKType, JWTAlgorithm, JWTError } from "@authup/specs";
+import { subtle } from "uncrypto";
+import { Algorithm, sign, verify } from "@node-rs/jsonwebtoken";
+import { isObject as isObject$1 } from "smob";
+import { TTLCache } from "@isaacs/ttlcache";
+import { Client as RedisClient, JsonAdapter, JsonAdapter as RedisJsonAdapter, Watcher as RedisWatcher, buildKeyPath as buildRedisKeyPath, createClient, escapeKey as escapeRedisKey, parseKeyPath as parseRedisKeyPath } from "redis-extension";
+import path from "node:path";
+import process from "node:process";
+import { Logger, createLogger as createLogger$1, format, transports } from "winston";
+import { singa } from "singa";
+import { VaultClient, createClient as createVaultClient } from "@hapic/vault";
+import { buildEventFullName } from "@authup/core-realtime-kit";
+import { Emitter } from "@socket.io/redis-emitter";
+//#region src/crypto/hash/compare.ts
 async function compare(value, hashedValue) {
-    return compare$1(value, hashedValue);
+	return compare$1(value, hashedValue);
 }
-
-async function hash(str, saltOrRounds = 10) {
-    return hash$1(str, saltOrRounds);
+//#endregion
+//#region src/crypto/hash/hash.ts
+async function hash(str, rounds = 10) {
+	return hash$1(str, rounds);
 }
-
-/*
- * Copyright (c) 2022.
- * Author Peter Placzek (tada5hi)
- * For the full copyright and license information,
- * view the LICENSE file that was distributed with this source code.
- */ var KeyPairKind;
-(function(KeyPairKind) {
-    KeyPairKind["PRIVATE"] = "private";
-    KeyPairKind["PUBLIC"] = "public";
-})(KeyPairKind || (KeyPairKind = {}));
-
-function isKeyPair(data) {
-    return isObject(data) && typeof data.privateKey !== 'undefined' && typeof data.publicKey !== 'undefined';
+//#endregion
+//#region src/crypto/key/asymmetric/constants.ts
+let CryptoAsymmetricAlgorithm = /* @__PURE__ */ function(CryptoAsymmetricAlgorithm) {
+	CryptoAsymmetricAlgorithm["RSA_PSS"] = "RSA-PSS";
+	CryptoAsymmetricAlgorithm["RSASSA_PKCS1_V1_5"] = "RSASSA-PKCS1-v1_5";
+	CryptoAsymmetricAlgorithm["RSA_OAEP"] = "RSA-OAEP";
+	CryptoAsymmetricAlgorithm["ECDSA"] = "ECDSA";
+	CryptoAsymmetricAlgorithm["ECDH"] = "ECDH";
+	return CryptoAsymmetricAlgorithm;
+}({});
+//#endregion
+//#region src/crypto/key/base.ts
+var BaseKey = class {
+	key;
+	constructor(cryptoKey) {
+		this.key = cryptoKey;
+	}
+	async toArrayBuffer() {
+		if (this.key.type === "private") return subtle.exportKey("pkcs8", this.key);
+		if (this.key.type === "public") return subtle.exportKey("spki", this.key);
+		return subtle.exportKey("raw", this.key);
+	}
+	async toUint8Array() {
+		const arrayBuffer = await this.toArrayBuffer();
+		return new Uint8Array(arrayBuffer);
+	}
+	async toBase64() {
+		return arrayBufferToBase64(await this.toArrayBuffer());
+	}
+	async toJWK() {
+		return subtle.exportKey("jwk", this.key);
+	}
+};
+//#endregion
+//#region src/crypto/key/asymmetric/helpers/wrap.ts
+function enc(type, input) {
+	return `-----BEGIN ${type}-----\n${input}\n-----END ${type}-----`;
 }
-function isKeyPairWithPublicKey(data) {
-    return isObject(data) && typeof data.publicKey !== 'undefined';
+function encodePKCS8ToPEM(base64) {
+	return enc("PRIVATE KEY", base64);
 }
-
-function extendKeyPairOptions(options) {
-    var _options;
-    options = options ?? {};
-    options.directory = options.directory || process.cwd();
-    options.directory = path.isAbsolute(options.directory) ? options.directory : path.resolve(process.cwd(), options.directory);
-    (_options = options).type ?? (_options.type = 'rsa');
-    if (options.type === 'rsa' || options.type === 'rsa-pss' || options.type === 'dsa') {
-        options.modulusLength = 2048;
-    }
-    if (!options.privateKeyEncoding) {
-        options.privateKeyEncoding = {
-            type: 'pkcs8',
-            format: 'pem'
-        };
-    }
-    if (!options.publicKeyEncoding) {
-        options.publicKeyEncoding = {
-            type: 'spki',
-            format: 'pem'
-        };
-    }
-    if (options.privateKeyEncoding.passphrase && !options.privateKeyEncoding.cipher) {
-        options.privateKeyEncoding.cipher = 'aes-256-cbc';
-    }
-    return options;
+function encodeSPKIToPem(input) {
+	return enc("PUBLIC KEY", input);
 }
-
-function buildKeyFileName(type, context) {
-    const options = extendKeyPairOptions(context);
-    const parts = [];
-    switch(type){
-        case KeyPairKind.PRIVATE:
-            {
-                if (options.privateName) {
-                    parts.push(options.privateName);
-                } else {
-                    parts.push(type);
-                }
-                if (options.privateExtension) {
-                    if (options.privateExtension.startsWith('.')) {
-                        options.privateExtension = options.privateExtension.slice(1);
-                    }
-                    parts.push(options.privateExtension);
-                } else {
-                    parts.push('pem');
-                }
-                break;
-            }
-        case KeyPairKind.PUBLIC:
-            {
-                if (options.publicName) {
-                    parts.push(options.publicName);
-                } else {
-                    parts.push(type);
-                }
-                if (options.publicExtension) {
-                    if (options.publicExtension.startsWith('.')) {
-                        options.publicExtension = options.publicExtension.slice(1);
-                    }
-                    parts.push(options.publicExtension);
-                } else {
-                    parts.push('pem');
-                }
-                break;
-            }
-    }
-    return parts.join('.');
+function dec(type, input) {
+	input = input.replace(`-----BEGIN ${type}-----\n`, "");
+	input = input.replace(`\n-----END ${type}-----\n`, "");
+	input = input.replace(`-----END ${type}-----\n`, "");
+	input = input.replace(`\n-----END ${type}-----`, "");
+	return input;
 }
-
-function decryptRSAPrivateKey(context, key) {
-    const privateKey = createPrivateKey({
-        type: context.privateKeyEncoding.type,
-        format: context.privateKeyEncoding.format,
-        key,
-        passphrase: context.privateKeyEncoding.passphrase || context.passphrase
-    });
-    let content = privateKey.export({
-        type: context.privateKeyEncoding.type,
-        format: context.privateKeyEncoding.format
-    });
-    if (typeof content !== 'string') {
-        content = Buffer.from(content).toString('utf-8');
-    }
-    return content;
+function decodePemToPKCS8(input) {
+	return dec("PRIVATE KEY", input);
 }
-
-async function saveKeyPair(keyPair, context) {
-    context = extendKeyPairOptions(context);
-    await fs.promises.mkdir(context.directory, {
-        recursive: true
-    });
-    await Promise.all([
-        {
-            path: path.resolve(context.directory, buildKeyFileName(KeyPairKind.PRIVATE, context)),
-            content: keyPair.privateKey
-        },
-        {
-            path: path.resolve(context.directory, buildKeyFileName(KeyPairKind.PUBLIC, context)),
-            content: keyPair.publicKey
-        }
-    ].map((file)=>fs.promises.writeFile(file.path, file.content)));
-    return keyPair;
+function decodePemToSpki(input) {
+	return dec("PUBLIC KEY", input);
 }
-
-async function createKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const keyPair = await new Promise((resolve, reject)=>{
-        const callback = (err, publicKey, privateKey)=>{
-            if (err) reject(err);
-            resolve({
-                privateKey,
-                publicKey
-            });
-        };
-        switch(options.type){
-            case 'dsa':
-                generateKeyPair(options.type, options, callback);
-                break;
-            case 'ec':
-                generateKeyPair(options.type, options, callback);
-                break;
-            case 'rsa':
-                generateKeyPair(options.type, options, callback);
-                break;
-            case 'rsa-pss':
-                generateKeyPair(options.type, options, callback);
-                break;
-        }
-    });
-    if (options.save) {
-        await saveKeyPair(keyPair, options);
-    }
-    if (options.passphrase || options.privateKeyEncoding.passphrase) {
-        keyPair.privateKey = decryptRSAPrivateKey(options, keyPair.privateKey);
-    }
-    return keyPair;
+//#endregion
+//#region src/crypto/key/asymmetric/key-usages.ts
+/**
+* @see https://nodejs.org/api/webcrypto.html#cryptokeyusages
+*/
+function getKeyUsagesForAsymmetricAlgorithm(name, format) {
+	if (name === "RSA-PSS" || name === "ECDSA" || name === "RSASSA-PKCS1-v1_5") {
+		if (format === "spki") return ["verify"];
+		if (format === "pkcs8") return ["sign"];
+		return ["sign", "verify"];
+	}
+	if (name === "ECDH") {
+		if (format === "spki") return [];
+		return ["deriveKey", "deriveBits"];
+	}
+	if (name === "RSA-OAEP") {
+		if (format === "spki") return ["encrypt"];
+		if (format === "pkcs8") return ["decrypt"];
+		return ["encrypt", "decrypt"];
+	}
+	throw new SyntaxError(`Key usages can not be determined for asymmetric algorithm: ${name}`);
 }
-
-async function deleteKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const privateKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PRIVATE, options));
-    const publicKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PUBLIC, options));
-    try {
-        await Promise.all([
-            privateKeyPath,
-            publicKeyPath
-        ].map((filePath)=>fs.promises.stat(filePath)));
-    } catch (e) {
-        return;
-    }
-    await Promise.all([
-        privateKeyPath,
-        publicKeyPath
-    ].map((filePath)=>fs.promises.rm(filePath)));
+//#endregion
+//#region src/crypto/key/asymmetric/normalize.ts
+function normalizeAsymmetricKeyPairCreateOptions(options) {
+	let optionsNormalized;
+	switch (options.name) {
+		case "RSASSA-PKCS1-v1_5":
+		case "RSA-PSS":
+		case "RSA-OAEP":
+			optionsNormalized = {
+				modulusLength: 2048,
+				publicExponent: new Uint8Array([
+					1,
+					0,
+					1
+				]),
+				hash: "SHA-256",
+				...options
+			};
+			break;
+		case "ECDSA":
+		case "ECDH": optionsNormalized = {
+			namedCurve: "P-256",
+			...options
+		};
+	}
+	return optionsNormalized;
 }
-
-async function loadKeyPair(context) {
-    const options = extendKeyPairOptions(context);
-    const privateKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PRIVATE, options));
-    try {
-        await fs.promises.stat(privateKeyPath);
-    } catch (e) {
-        return undefined;
-    }
-    const privateKeyBuffer = await fs.promises.readFile(privateKeyPath);
-    let privateKey = privateKeyBuffer.toString();
-    if (options.passphrase || options.privateKeyEncoding.passphrase) {
-        privateKey = decryptRSAPrivateKey(options, privateKey);
-    }
-    const publicKeyPath = path.resolve(options.directory, buildKeyFileName(KeyPairKind.PUBLIC, options));
-    let publicKey;
-    try {
-        await fs.promises.stat(publicKeyPath);
-        const publicKeyBuffer = await fs.promises.readFile(publicKeyPath);
-        publicKey = publicKeyBuffer.toString();
-    } catch (e) {
-        const publicKeyObject = createPublicKey({
-            key: privateKey,
-            format: options.privateKeyEncoding.format,
-            type: options.publicKeyEncoding.type
-        });
-        const stringOrBuffer = publicKeyObject.export({
-            format: options.publicKeyEncoding.format,
-            type: options.publicKeyEncoding.type
-        });
-        if (typeof stringOrBuffer !== 'string') {
-            publicKey = stringOrBuffer.toString();
-        } else {
-            publicKey = stringOrBuffer;
-        }
-        if (options.save) {
-            await saveKeyPair({
-                privateKey,
-                publicKey
-            }, options);
-        }
-    }
-    return {
-        privateKey,
-        publicKey
-    };
+function normalizeAsymmetricKeyImportOptions(options) {
+	let optionsNormalized;
+	switch (options.name) {
+		case "RSASSA-PKCS1-v1_5":
+		case "RSA-PSS":
+		case "RSA-OAEP":
+			optionsNormalized = {
+				hash: "SHA-256",
+				...options
+			};
+			break;
+		case "ECDSA":
+		case "ECDH": optionsNormalized = {
+			namedCurve: "P-256",
+			...options
+		};
+	}
+	return optionsNormalized;
 }
-
-const keyPairCache = {};
-async function useKeyPair(value) {
-    let options;
-    if (typeof value === 'string') {
-        options = extendKeyPairOptions({
-            privateName: value
-        });
-    } else {
-        options = extendKeyPairOptions(value || {});
-    }
-    if (Object.prototype.hasOwnProperty.call(keyPairCache, options.privateName)) {
-        return keyPairCache[options.privateName];
-    }
-    let keyPair = await loadKeyPair(options);
-    if (typeof keyPair === 'undefined') {
-        keyPair = await createKeyPair(options);
-    }
-    keyPairCache[options.privateName] = keyPair;
-    return keyPair;
+//#endregion
+//#region src/crypto/key/asymmetric/module.ts
+var AsymmetricKey = class AsymmetricKey extends BaseKey {
+	async toPem() {
+		const base64 = await this.toBase64();
+		if (this.key.type === "public") return encodeSPKIToPem(base64);
+		if (this.key.type === "private") return encodePKCS8ToPEM(base64);
+		throw new Error(`${this.key.type} can not be converted to pem.`);
+	}
+	static async fromPem(ctx) {
+		if (ctx.format === "pkcs8") return AsymmetricKey.fromBase64({
+			...ctx,
+			key: decodePemToPKCS8(ctx.key)
+		});
+		return AsymmetricKey.fromBase64({
+			...ctx,
+			key: decodePemToSpki(ctx.key)
+		});
+	}
+	static async fromBase64(ctx) {
+		const arrayBuffer = base64ToArrayBuffer(ctx.key);
+		return AsymmetricKey.fromArrayBuffer({
+			...ctx,
+			key: arrayBuffer
+		});
+	}
+	static async fromArrayBuffer(ctx) {
+		const normalizedOptions = normalizeAsymmetricKeyImportOptions(ctx.options);
+		return new AsymmetricKey(await subtle.importKey(ctx.format, ctx.key, normalizedOptions, true, getKeyUsagesForAsymmetricAlgorithm(normalizedOptions.name, ctx.format)));
+	}
+	static buildImportOptionsForJWTAlgorithm(alg) {
+		if (alg === JWTAlgorithm.RS256) return {
+			name: "RSASSA-PKCS1-v1_5",
+			hash: "SHA-256"
+		};
+		if (alg === JWTAlgorithm.RS384) return {
+			name: "RSASSA-PKCS1-v1_5",
+			hash: "SHA-384"
+		};
+		if (alg === JWTAlgorithm.RS512) return {
+			name: "RSASSA-PKCS1-v1_5",
+			hash: "SHA-512"
+		};
+		if (alg === JWTAlgorithm.ES256) return {
+			name: "ECDSA",
+			namedCurve: "P-256"
+		};
+		if (alg === JWTAlgorithm.ES384) return {
+			name: "ECDSA",
+			namedCurve: "P-384"
+		};
+		if (alg === JWTAlgorithm.ES512) return {
+			name: "ECDSA",
+			namedCurve: "P-521"
+		};
+		throw new Error(`Signature algorithm ${alg} is not supported.`);
+	}
+};
+//#endregion
+//#region src/crypto/key/asymmetric/check.ts
+function isAsymmetricAlgorithm(input) {
+	return Object.values(CryptoAsymmetricAlgorithm).includes(input);
 }
-
+//#endregion
+//#region src/crypto/key/asymmetric/create.ts
+async function createAsymmetricKeyPair(options) {
+	const optionsNormalized = normalizeAsymmetricKeyPairCreateOptions(options);
+	return subtle.generateKey(optionsNormalized, true, getKeyUsagesForAsymmetricAlgorithm(optionsNormalized.name));
+}
+//#endregion
+//#region src/crypto/key/symmetric/constants.ts
+let SymmetricAlgorithm = /* @__PURE__ */ function(SymmetricAlgorithm) {
+	SymmetricAlgorithm["HMAC"] = "HMAC";
+	SymmetricAlgorithm["AES_CTR"] = "AES-CTR";
+	SymmetricAlgorithm["AES_CBC"] = "AES-CBC";
+	SymmetricAlgorithm["AES_GCM"] = "AES-GCM";
+	return SymmetricAlgorithm;
+}({});
+//#endregion
+//#region src/crypto/key/symmetric/check.ts
+function isSymmetricAlgorithm(input) {
+	return Object.values(SymmetricAlgorithm).includes(input);
+}
+//#endregion
+//#region src/crypto/key/symmetric/key-usages.ts
+function getKeyUsagesForSymmetricAlgorithm(name) {
+	/**
+	* @see https://nodejs.org/api/webcrypto.html#cryptokeyusages
+	*/
+	if (name === "HMAC") return ["sign", "verify"];
+	if (name === "AES-CBC" || name === "AES-GCM" || name === "AES-CTR") return ["encrypt", "decrypt"];
+	throw new SyntaxError(`Key usages can not be determined for symmetric algorithm: ${name}`);
+}
+//#endregion
+//#region src/crypto/key/symmetric/normalize.ts
+function normalizeSymmetricKeyCreateOptions(input) {
+	if (input.name === "HMAC") return {
+		hash: "SHA-256",
+		...input
+	};
+	return {
+		length: 256,
+		name: input.name
+	};
+}
+function normalizeSymmetricKeyImportOptions(input) {
+	if (input.name === "HMAC") return {
+		hash: "SHA-256",
+		...input
+	};
+	return input;
+}
+//#endregion
+//#region src/crypto/key/symmetric/module.ts
+var SymmetricKey = class SymmetricKey extends BaseKey {
+	static async fromBase64(ctx) {
+		const arrayBuffer = base64ToArrayBuffer(ctx.key);
+		return SymmetricKey.fromArrayBuffer({
+			...ctx,
+			key: arrayBuffer
+		});
+	}
+	static async fromArrayBuffer(ctx) {
+		const normalizedOptions = normalizeSymmetricKeyImportOptions(ctx.options);
+		return new SymmetricKey(await subtle.importKey(ctx.format, ctx.key, normalizedOptions, true, getKeyUsagesForSymmetricAlgorithm(normalizedOptions.name)));
+	}
+	static buildImportOptionsForJWTAlgorithm(alg) {
+		if (alg === JWTAlgorithm.HS256) return {
+			name: "HMAC",
+			hash: "SHA-256"
+		};
+		if (alg === JWTAlgorithm.HS384) return {
+			name: "HMAC",
+			hash: "SHA-384"
+		};
+		if (alg === JWTAlgorithm.HS512) return {
+			name: "HMAC",
+			hash: "SHA-512"
+		};
+		throw new Error(`Signature algorithm ${alg} is not supported.`);
+	}
+};
+//#endregion
+//#region src/crypto/key/symmetric/create.ts
+async function createSymmetricKey(input) {
+	const optionsNormalized = normalizeSymmetricKeyCreateOptions(input);
+	return subtle.generateKey(optionsNormalized, true, getKeyUsagesForSymmetricAlgorithm(optionsNormalized.name));
+}
+//#endregion
+//#region src/crypto/json-web-token/extract.ts
+/**
+* Decode a JWT token with no verification.
+*
+* @param token
+*
+* @throws JWTError
+*/
+function extractTokenHeader(token) {
+	const parts = token.split(".");
+	if (parts.length !== 3) throw JWTError.invalid();
+	const [headerBase64] = parts;
+	try {
+		const payload = atob(headerBase64);
+		return JSON.parse(payload);
+	} catch {
+		throw JWTError.headerInvalid("The token header could not be extracted.");
+	}
+}
+/**
+* @param token
+*
+* @throws JWTError
+*/
+function extractTokenPayload(token) {
+	const parts = token.split(".");
+	if (parts.length !== 3) throw JWTError.invalid();
+	const [, payloadBase64] = parts;
+	try {
+		const payload = atob(payloadBase64);
+		return JSON.parse(payload);
+	} catch {
+		throw JWTError.payloadInvalid("The token payload could not be extracted.");
+	}
+}
+//#endregion
+//#region src/crypto/json-web-token/utils.ts
 function createErrorForJWTError(e) {
-    if (isObject$1(e) && typeof e.name === 'string') {
-        switch(e.name){
-            case 'TokenExpiredError':
-                {
-                    return TokenError.expired();
-                }
-            case 'NotBeforeError':
-                {
-                    if (typeof e.date === 'string' || e.date instanceof Date) {
-                        return TokenError.notActiveBefore(e.date);
-                    }
-                    break;
-                }
-            case 'JsonWebTokenError':
-                {
-                    if (typeof e.message === 'string') {
-                        return TokenError.payloadInvalid(e.message);
-                    }
-                    break;
-                }
-        }
-    }
-    return new TokenError({
-        cause: e,
-        logMessage: true,
-        message: 'The JWT error could not be determined.'
-    });
+	if (isObject$1(e)) {
+		if (typeof e.name === "string") switch (e.name) {
+			case "TokenExpiredError": return JWTError.expired();
+			case "NotBeforeError":
+				if (typeof e.date === "string" || e.date instanceof Date) return JWTError.notActiveBefore(e.date);
+				break;
+			case "JsonWebTokenError":
+				if (typeof e.message === "string") return JWTError.payloadInvalid(e.message);
+				break;
+		}
+		switch (e.message) {
+			case "ExpiredSignature": return JWTError.expired();
+			case "ImmatureSignature": return JWTError.notActiveBefore();
+			case "InvalidToken":
+			case "InvalidSignature": return JWTError.payloadInvalid();
+		}
+	}
+	return new JWTError({
+		cause: e,
+		logMessage: true,
+		message: "The JWT error could not be determined."
+	});
 }
-
-function decodeToken(token, options) {
-    options ?? (options = {});
-    let output;
-    try {
-        output = decode(token, {
-            ...options
-        });
-    } catch (e) {
-        throw createErrorForJWTError(e);
-    }
-    if (output === null) {
-        throw TokenError.payloadInvalid('The token could not be decoded.');
-    }
-    return output;
+function transformJWTAlgorithmToInternal(algorithm) {
+	switch (algorithm) {
+		case JWTAlgorithm.HS256: return Algorithm.HS256;
+		case JWTAlgorithm.HS384: return Algorithm.HS384;
+		case JWTAlgorithm.HS512: return Algorithm.HS512;
+		case JWTAlgorithm.RS256: return Algorithm.RS256;
+		case JWTAlgorithm.RS384: return Algorithm.RS384;
+		case JWTAlgorithm.RS512: return Algorithm.RS512;
+		case JWTAlgorithm.ES256: return Algorithm.ES256;
+		case JWTAlgorithm.ES384: return Algorithm.ES384;
+		case JWTAlgorithm.PS256: return Algorithm.PS256;
+		case JWTAlgorithm.PS384: return Algorithm.PS384;
+		case JWTAlgorithm.PS512: return Algorithm.PS512;
+	}
+	throw new Error(`The algorithm ${algorithm} is not supported.`);
 }
-
-async function signToken(payload, context) {
-    context.expiresIn = context.expiresIn || 3600;
-    switch(context.type){
-        case KeyType.RSA:
-        case KeyType.EC:
-            {
-                const { type, keyPair, ...options } = context;
-                const { privateKey } = isKeyPair(keyPair) ? keyPair : await useKeyPair(keyPair);
-                if (type === KeyType.RSA) {
-                    options.algorithm = options.algorithm || 'RS256';
-                } else {
-                    options.algorithm = options.algorithm || 'ES256';
-                }
-                return sign(payload, privateKey, options);
-            }
-        case KeyType.OCT:
-            {
-                const { type, secret, ...options } = context;
-                options.algorithm = options.algorithm || 'HS256';
-                return sign(payload, secret, options);
-            }
-    }
-    throw new TokenError();
+//#endregion
+//#region src/crypto/json-web-token/sign/module.ts
+const getUtcTimestamp = () => Math.floor((/* @__PURE__ */ new Date()).getTime() / 1e3);
+async function signToken(claims, context) {
+	if (typeof claims.exp !== "number") claims.exp = getUtcTimestamp() + 3600;
+	if (typeof claims.iat !== "number") claims.iat = getUtcTimestamp();
+	switch (context.type) {
+		case JWKType.RSA:
+		case JWKType.EC: {
+			let algorithm;
+			let key;
+			if (typeof context.key === "string") key = encodePKCS8ToPEM(context.key);
+			else key = await new AsymmetricKey(context.key).toPem();
+			if (context.type === JWKType.RSA) algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.RS256;
+			else algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.ES256;
+			return sign(claims, key, {
+				algorithm,
+				keyId: context.keyId
+			});
+		}
+		case JWKType.OCT: {
+			const algorithm = context.algorithm ? transformJWTAlgorithmToInternal(context.algorithm) : Algorithm.HS256;
+			let key;
+			if (typeof context.key === "string") key = context.key;
+			else key = await new SymmetricKey(context.key).toUint8Array();
+			return sign(claims, key, {
+				algorithm,
+				keyId: context.keyId
+			});
+		}
+	}
+	throw new JWTError();
 }
-
+//#endregion
+//#region src/crypto/json-web-token/verify/module.ts
+/**
+* Verify JWT.
+*
+* @param token
+* @param context
+*
+* @throws OAuth2Error
+*/
 async function verifyToken(token, context) {
-    let promise;
-    let output;
-    try {
-        switch(context.type){
-            case KeyType.RSA:
-            case KeyType.EC:
-                {
-                    const { type, keyPair, ...options } = context;
-                    const { publicKey } = isKeyPairWithPublicKey(keyPair) ? keyPair : await useKeyPair(keyPair);
-                    if (type === KeyType.RSA) {
-                        options.algorithms = options.algorithms || [
-                            'RS256',
-                            'RS384',
-                            'RS512',
-                            'PS256',
-                            'PS384',
-                            'PS512'
-                        ];
-                    } else {
-                        options.algorithms = options.algorithms || [
-                            'ES256',
-                            'ES384',
-                            'ES512'
-                        ];
-                    }
-                    promise = new Promise((resolve, reject)=>{
-                        verify(token, publicKey, options, (err, decoded)=>{
-                            if (err) {
-                                reject(err);
-                                return;
-                            }
-                            resolve(decoded);
-                        });
-                    });
-                    break;
-                }
-            case KeyType.OCT:
-                {
-                    const { type, secret, ...options } = context;
-                    options.algorithms = options.algorithms || [
-                        'HS256',
-                        'HS384',
-                        'HS512'
-                    ];
-                    promise = new Promise((resolve, reject)=>{
-                        verify(token, secret, options, (err, decoded)=>{
-                            if (err) {
-                                reject(err);
-                                return;
-                            }
-                            resolve(decoded);
-                        });
-                    });
-                }
-        }
-        output = await promise;
-    } catch (e) {
-        throw createErrorForJWTError(e);
-    }
-    if (typeof output === 'undefined') {
-        throw new TokenError({
-            message: 'Invalid type.'
-        });
-    }
-    return output;
+	let promise;
+	let output;
+	try {
+		switch (context.type) {
+			case JWKType.RSA:
+			case JWKType.EC: {
+				let algorithms;
+				if (context.type === JWKType.RSA) algorithms = context.algorithms ? context.algorithms.map((algorithm) => transformJWTAlgorithmToInternal(algorithm)) : [
+					Algorithm.RS256,
+					Algorithm.RS384,
+					Algorithm.RS512,
+					Algorithm.PS256,
+					Algorithm.PS384,
+					Algorithm.PS512
+				];
+				else algorithms = context.algorithms ? context.algorithms.map((algorithm) => transformJWTAlgorithmToInternal(algorithm)) : [Algorithm.ES256, Algorithm.ES384];
+				let key;
+				if (typeof context.key === "string") key = encodeSPKIToPem(context.key);
+				else key = await new AsymmetricKey(context.key).toPem();
+				promise = verify(token, key, {
+					algorithms,
+					validateNbf: true
+				});
+				break;
+			}
+			case JWKType.OCT: {
+				const algorithms = context.algorithms ? context.algorithms.map((algorithm) => transformJWTAlgorithmToInternal(algorithm)) : [
+					Algorithm.HS256,
+					Algorithm.HS384,
+					Algorithm.HS512
+				];
+				let key;
+				if (typeof context.key === "string") key = context.key;
+				else key = await new SymmetricKey(context.key).toUint8Array();
+				promise = verify(token, key, {
+					algorithms,
+					validateNbf: true
+				});
+			}
+		}
+		if (promise) output = await promise;
+	} catch (e) {
+		throw createErrorForJWTError(e);
+	}
+	if (!output) throw new JWTError();
+	return output;
 }
-
-function transformDomainEventData(input) {
-    if (isObject(input)) {
-        const keys = Object.keys(input);
-        for(let i = 0; i < keys.length; i++){
-            const value = input[keys[i]];
-            if (value instanceof Date) {
-                input[keys[i]] = value.toISOString();
-            }
-        }
-    }
-    return input;
+//#endregion
+//#region src/domain-event/module.ts
+var DomainEventPublisher = class {
+	publishers;
+	constructor() {
+		this.publishers = /* @__PURE__ */ new Set();
+	}
+	mount(publisher) {
+		this.publishers.add(publisher);
+	}
+	async publish(ctx) {
+		const publishers = this.publishers.values();
+		while (true) {
+			const it = publishers.next();
+			if (it.done) return;
+			await it.value.publish(ctx);
+		}
+	}
+};
+//#endregion
+//#region src/services/cache/adapters/memory.ts
+var MemoryCache = class {
+	instance;
+	constructor(options = {}) {
+		this.instance = new TTLCache({
+			checkAgeOnGet: true,
+			ttl: Infinity,
+			...options || {}
+		});
+	}
+	async pop(key) {
+		if (this.instance.has(key)) {
+			const output = this.instance.get(key);
+			this.instance.delete(key);
+			return output;
+		}
+		return null;
+	}
+	async has(key) {
+		return this.instance.has(key);
+	}
+	async get(key) {
+		const output = await this.instance.get(key);
+		if (output) return output;
+		return null;
+	}
+	async set(key, value, options) {
+		this.instance.set(key, value, { ttl: options.ttl });
+	}
+	async drop(key) {
+		this.instance.delete(key);
+	}
+	async dropMany(keys) {
+		for (const key of keys) this.instance.delete(key);
+	}
+	async clear(options = {}) {
+		if (options.prefix) {
+			const keys = this.instance.keys();
+			let iterator = keys.next();
+			while (!iterator.done) {
+				if (typeof iterator.value !== "string") continue;
+				if (iterator.value.startsWith(options.prefix)) this.instance.delete(iterator.value);
+				iterator = keys.next();
+			}
+			return;
+		}
+		this.instance.clear();
+	}
+};
+//#endregion
+//#region src/services/redis/check.ts
+function isRedisClient(data) {
+	return isObject$1(data) && typeof data.connect === "function" && typeof data.disconnect === "function";
 }
-function buildDomainEventChannelName(input, id) {
-    if (typeof input === 'string') {
-        return input;
-    }
-    return input(id);
+//#endregion
+//#region src/services/redis/factory.ts
+function createRedisClient(input) {
+	if (typeof input === "boolean") return createClient({ connectionString: "redis://127.0.0.1" });
+	if (typeof input === "string") return createClient({ connectionString: input });
+	if (!isRedisClient(input)) return createClient({ options: input });
+	return input;
 }
-
-async function publishDomainRedisEvent(context, destinations) {
-    if (!hasClient() && !hasConfig()) {
-        return Promise.resolve();
-    }
-    context = transformDomainEventData(context);
-    const json = JSON.stringify(context);
-    const client = useClient();
-    const pipeline = client.pipeline();
-    for(let i = 0; i < destinations.length; i++){
-        const { namespace } = destinations[i];
-        const keyPrefix = namespace ? `${namespace}:` : '';
-        let key = keyPrefix + buildDomainEventChannelName(destinations[i].channel);
-        pipeline.publish(key, json);
-        if (context.event !== DomainEventName.CREATED && typeof destinations[i].channel === 'function') {
-            key = keyPrefix + buildDomainEventChannelName(destinations[i].channel, context.data.id);
-            pipeline.publish(key, json);
-        }
-    }
-    return pipeline.exec();
+//#endregion
+//#region src/services/cache/adapters/redis.ts
+var RedisCache = class {
+	client;
+	jsonAdapter;
+	constructor(input) {
+		this.client = createRedisClient(input);
+		this.jsonAdapter = new JsonAdapter(this.client);
+	}
+	async get(key) {
+		const output = await this.jsonAdapter.get(key);
+		if (output) return output;
+		return null;
+	}
+	async pop(key) {
+		const raw = await this.client.getdel(key);
+		if (!raw) return null;
+		try {
+			return JSON.parse(raw);
+		} catch {
+			return null;
+		}
+	}
+	async has(key) {
+		return !!await this.get(key);
+	}
+	async set(key, value, options) {
+		await this.jsonAdapter.set(key, value, { milliseconds: options.ttl });
+	}
+	async drop(key) {
+		await this.jsonAdapter.drop(key);
+	}
+	async dropMany(keys) {
+		const pipeline = this.client.pipeline();
+		for (const key of keys) pipeline.del(key);
+		await pipeline.exec();
+	}
+	async clear(options = {}) {
+		if (options.prefix) {
+			const pipeline = this.client.pipeline();
+			const keys = await this.client.keys(`${options.prefix}*`);
+			for (const key of keys) pipeline.del(key);
+			await pipeline.exec();
+			return;
+		}
+		await this.client.flushdb();
+	}
+};
+//#endregion
+//#region src/services/cache/helper.ts
+function buildCacheKey(options) {
+	return buildRedisKeyPath(options);
 }
-
-let instance$3;
-function useSocketEmitter() {
-    if (typeof instance$3 !== 'undefined') {
-        return instance$3;
-    }
-    instance$3 = new Emitter(useClient());
-    return instance$3;
+//#endregion
+//#region src/services/logger/module.ts
+function createNoopLogger() {
+	return createLogger$1({ silent: true });
 }
-
-function publishDomainSocketEvent(context, destinations) {
-    if (!hasClient() && !hasConfig()) {
-        return;
-    }
-    context = transformDomainEventData(context);
-    for(let i = 0; i < destinations.length; i++){
-        let emitter = useSocketEmitter();
-        if (destinations[i].namespace) {
-            emitter = emitter.of(destinations[i].namespace);
-        }
-        let roomName = buildDomainEventChannelName(destinations[i].channel);
-        const fullEventName = buildDomainEventFullName(context.type, context.event);
-        emitter.in(roomName)// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-        // @ts-ignore
-        .emit(fullEventName, {
-            ...context,
-            meta: {
-                roomName
-            }
-        });
-        if (context.event !== DomainEventName.CREATED && typeof destinations[i].channel === 'function') {
-            roomName = buildDomainEventChannelName(destinations[i].channel, context.data.id);
-            emitter.in(roomName)// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-            // @ts-ignore
-            .emit(fullEventName, {
-                ...context,
-                meta: {
-                    roomName,
-                    roomId: context.data.id
-                }
-            });
-        }
-    }
+function createLogger(context) {
+	let items;
+	const cwd = context.directory || process.cwd();
+	if (context.env === "production") items = [
+		new transports.Console({ level: "info" }),
+		new transports.File({
+			filename: path.join(cwd, "http.log"),
+			level: "http",
+			maxsize: 10 * 1024 * 1024,
+			maxFiles: 5
+		}),
+		new transports.File({
+			filename: path.join(cwd, "error.log"),
+			level: "warn",
+			maxsize: 10 * 1024 * 1024,
+			maxFiles: 5
+		})
+	];
+	else items = [new transports.Console({ level: "debug" })];
+	return createLogger$1({
+		format: format.combine(format.errors({ stack: true }), format.timestamp(), format.colorize(), format.simple()),
+		transports: items
+	});
 }
-
-async function publishDomainEvent(context, destinations) {
-    await publishDomainRedisEvent(context, destinations);
-    publishDomainSocketEvent(context, destinations);
+//#endregion
+//#region src/services/logger/singleton.ts
+const instance$1 = singa({ name: "logger" });
+function setLoggerFactory(factory) {
+	instance$1.setFactory(factory);
 }
-
-/*
- * Copyright (c) 2022.
- * Author Peter Placzek (tada5hi)
- * For the full copyright and license information,
- * view the LICENSE file that was distributed with this source code.
- */ class VoidLogger {
-    error() {
-        return this;
-    }
-    warn() {
-        return this;
-    }
-    info() {
-        return this;
-    }
-    http() {
-        return this;
-    }
-    verbose() {
-        return this;
-    }
-    debug() {
-        return this;
-    }
+function isLoggerUsable() {
+	return instance$1.has() || instance$1.hasFactory();
+}
+function setLogger(input) {
+	instance$1.set(input);
 }
-
-let instance$2;
 function useLogger() {
-    if (typeof instance$2 !== 'undefined') {
-        return instance$2;
-    }
-    instance$2 = new VoidLogger();
-    return instance$2;
+	return instance$1.use();
 }
-function setLogger(logger) {
-    instance$2 = logger;
+//#endregion
+//#region src/services/vault/singleton.ts
+const instance = singa({ name: "vault" });
+function setVaultFactory(factory) {
+	instance.setFactory(factory);
 }
-
-/*
- * Copyright (c) 2022.
- * Author Peter Placzek (tada5hi)
- * For the full copyright and license information,
- * view the LICENSE file that was distributed with this source code.
- */ let instance$1;
-function hasSmtpConfig() {
-    return !!instance$1;
-}
-function setSmtpConfig(value) {
-    instance$1 = value;
-}
-function useSmtpConfig() {
-    if (typeof instance$1 !== 'undefined') {
-        return instance$1;
-    }
-    instance$1 = {};
-    return instance$1;
+function isVaultClientUsable() {
+	return instance.has() || instance.hasFactory();
 }
-
-function createSmtpClient(options) {
-    let transport;
-    options = options || {};
-    if (typeof options === 'string') {
-        transport = createTransport(options);
-    } else if (options.connectionString) {
-        transport = createTransport(options.connectionString);
-    } else {
-        let auth;
-        if (options.user && options.password) {
-            auth = {
-                type: 'login',
-                user: options.user,
-                pass: options.password
-            };
-        }
-        transport = createTransport({
-            host: options.host,
-            port: options.port,
-            auth,
-            secure: options.ssl,
-            opportunisticTLS: options.starttls,
-            tls: {
-                rejectUnauthorized: false
-            }
-        });
-    }
-    transport.on('error', (e)=>{
-        useLogger().error(e.message);
-    });
-    return transport;
+function useVaultClient() {
+	return instance.use();
 }
-
-let instance;
-async function useSMTPClient() {
-    if (typeof instance !== 'undefined') {
-        return instance;
-    }
-    let options;
-    if (process.env.NODE_ENV === 'test') {
-        const testAccount = await createTestAccount();
-        options = {
-            host: 'smtp.ethereal.email',
-            port: 587,
-            ssl: false,
-            user: testAccount.user,
-            password: testAccount.pass
-        };
-    } else {
-        options = useSmtpConfig();
-    }
-    instance = createSmtpClient(options);
-    return instance;
+//#endregion
+//#region src/domain-event/utils.ts
+function transformDomainEventData(input) {
+	const keys = Object.keys(input);
+	for (const key_ of keys) {
+		const key = key_;
+		const value = input[key];
+		if (!isObject(value)) continue;
+		if (value instanceof Date) input[key] = value.toISOString();
+	}
+	return input;
 }
-
-/*
- * Copyright (c) 2022.
- * Author Peter Placzek (tada5hi)
- * For the full copyright and license information,
- * view the LICENSE file that was distributed with this source code.
- */ function hasOwnProperty(obj, prop) {
-    return Object.prototype.hasOwnProperty.call(obj, prop);
+function buildDomainEventChannelName(input, id) {
+	if (typeof input === "string") return input;
+	return input(id);
+}
+//#endregion
+//#region src/domain-event/redis/module.ts
+var DomainEventRedisPublisher = class {
+	driver;
+	constructor(input) {
+		this.driver = createRedisClient(input);
+	}
+	async publish(ctx) {
+		const data = JSON.stringify(transformDomainEventData(ctx.content));
+		const pipeline = this.driver.pipeline();
+		for (let i = 0; i < ctx.destinations.length; i++) {
+			const { namespace } = ctx.destinations[i];
+			const keyPrefix = namespace ? `${namespace}:` : "";
+			let key = keyPrefix + buildDomainEventChannelName(ctx.destinations[i].channel);
+			pipeline.publish(key, data);
+			if (typeof ctx.destinations[i].channel === "function") {
+				key = keyPrefix + buildDomainEventChannelName(ctx.destinations[i].channel, ctx.content.data.id);
+				pipeline.publish(key, data);
+			}
+		}
+		await pipeline.exec();
+	}
+};
+//#endregion
+//#region src/domain-event/socket/module.ts
+var DomainEventSocketPublisher = class {
+	driver;
+	constructor(input) {
+		const client = createRedisClient(input);
+		this.driver = new Emitter(client);
+	}
+	async publish(ctx) {
+		ctx.content = transformDomainEventData(ctx.content);
+		for (let i = 0; i < ctx.destinations.length; i++) {
+			const destination = ctx.destinations[i];
+			let emitter;
+			if (destination.namespace) emitter = this.driver.of(destination.namespace);
+			else emitter = this.driver;
+			let roomName = buildDomainEventChannelName(destination.channel);
+			const fullEventName = buildEventFullName(ctx.content.type, ctx.content.event);
+			emitter.in(roomName).emit(fullEventName, {
+				...ctx.content,
+				meta: { roomName }
+			});
+			if (typeof destination.channel === "function") {
+				roomName = buildDomainEventChannelName(destination.channel, ctx.content.data.id);
+				emitter.in(roomName).emit(fullEventName, {
+					...ctx.content,
+					meta: {
+						roomName,
+						roomId: ctx.content.data.id
+					}
+				});
+			}
+		}
+	}
+};
+//#endregion
+//#region src/utils/has-property.ts
+function hasOwnProperty(obj, prop) {
+	return Object.prototype.hasOwnProperty.call(obj, prop);
 }
+//#endregion
+export { AsymmetricKey, BaseKey, CryptoAsymmetricAlgorithm, DomainEventPublisher, DomainEventRedisPublisher, DomainEventSocketPublisher, Logger, MemoryCache, RedisCache, RedisClient, RedisJsonAdapter, RedisWatcher, SymmetricAlgorithm, SymmetricKey, VaultClient, buildCacheKey, buildRedisKeyPath, compare, createAsymmetricKeyPair, createLogger, createNoopLogger, createRedisClient, createSymmetricKey, createVaultClient, decodePemToPKCS8, decodePemToSpki, encodePKCS8ToPEM, encodeSPKIToPem, escapeRedisKey, extractTokenHeader, extractTokenPayload, getKeyUsagesForAsymmetricAlgorithm, getKeyUsagesForSymmetricAlgorithm, hasOwnProperty, hash, isAsymmetricAlgorithm, isLoggerUsable, isRedisClient, isSymmetricAlgorithm, isVaultClientUsable, normalizeAsymmetricKeyImportOptions, normalizeAsymmetricKeyPairCreateOptions, parseRedisKeyPath, setLogger, setLoggerFactory, setVaultFactory, signToken, useLogger, useVaultClient, verifyToken };
 
-export { KeyPairKind, VoidLogger, buildKeyFileName, compare, createKeyPair, createSmtpClient, decodeToken, decryptRSAPrivateKey, deleteKeyPair, extendKeyPairOptions, hasOwnProperty, hasSmtpConfig, hash, isKeyPair, isKeyPairWithPublicKey, loadKeyPair, publishDomainEvent, publishDomainRedisEvent, publishDomainSocketEvent, saveKeyPair, setLogger, setSmtpConfig, signToken, useKeyPair, useLogger, useSMTPClient, useSmtpConfig, useSocketEmitter, verifyToken };
-//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map