@bb-labs/pkce 0.0.2 → 0.0.4

package/README.md

@@ -1,13 +1,6 @@
 # @bb-labs/pkce
 
-A lightweight, zero-dependency PKCE (Proof Key for Code Exchange) library for OAuth 2.0 that works across platforms.
-
-## Features
-
-- 🎯 **Zero Dependencies**: No external crypto libraries required
-- 🔄 **Cross-Platform**: Works in React Native (expo-crypto), Node.js (built-in crypto), and browsers
-- 🚀 **Auto-Detection**: Automatically uses the best available crypto implementation
-- 📦 **Tree-Shakable**: Import only what you need
+Zero-dependency PKCE library with pure JavaScript SHA-256 implementation. Bring your own crypto - provide a random bytes generator for maximum compatibility.
 
 ## Installation
 
@@ -17,108 +10,54 @@ npm install @bb-labs/pkce
 
 ## Usage
 
-### Automatic Environment Detection (Recommended)
-
 ```typescript
 import { generateCodeVerifier, createCodeChallenge } from "@bb-labs/pkce";
 
-// Generate a cryptographically secure code verifier
-const verifier = generateCodeVerifier();
-
-// Create the corresponding code challenge
-const challenge = await createCodeChallenge(verifier);
-
-console.log("Verifier:", verifier);
-console.log("Challenge:", challenge);
-```
-
-### Platform-Specific Imports
-
-#### React Native / Expo
-
-```typescript
-import { generateCodeVerifier, createCodeChallenge } from "@bb-labs/pkce/expo";
-
-// Make sure expo-crypto is installed in your React Native app
-// npm install expo-crypto
-
-const verifier = generateCodeVerifier();
-const challenge = await createCodeChallenge(verifier);
-```
-
-#### Node.js
+// Node.js
+import { randomBytes } from "crypto";
+const verifier = generateCodeVerifier(randomBytes);
+const challenge = createCodeChallenge(verifier);
 
-```typescript
-import { generateCodeVerifier, createCodeChallenge } from "@bb-labs/pkce/nodejs";
+// Browser
+const verifier = generateCodeVerifier((length) => {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return bytes;
+});
+const challenge = createCodeChallenge(verifier);
 
-const verifier = generateCodeVerifier();
-const challenge = await createCodeChallenge(verifier);
+// Expo
+import * as Crypto from "expo-crypto";
+const verifier = generateCodeVerifier(Crypto.getRandomBytes);
+const challenge = createCodeChallenge(verifier);
 ```
 
 ## API
 
-### `generateCodeVerifier(): string`
-
-Generates a cryptographically secure random code verifier (43-128 characters, base64url encoded).
-
-### `createCodeChallenge(verifier: string): Promise<string>`
-
-Creates a code challenge by SHA-256 hashing the verifier and base64url encoding the result.
-
-## Requirements
-
-### React Native / Expo Apps
+### `generateCodeVerifier(getRandomBytes): string`
 
-- Install `expo-crypto`: `npm install expo-crypto`
-- The library will automatically detect and use expo-crypto
+Generates a cryptographically secure code verifier (43 chars, base64url encoded).
 
-### Node.js Apps
+- `getRandomBytes`: Function returning random bytes (Uint8Array, ArrayBuffer, or Buffer)
 
-- Node.js built-in `crypto` module (available in all modern Node.js versions)
-- No additional dependencies required
+### `createCodeChallenge(verifier): string`
 
-### Browser Apps
+Creates SHA-256 code challenge from verifier (43 chars, base64url encoded).
 
-- Modern browsers with Web Crypto API support
-- Or use a polyfill for older browsers
+## Platform Support
 
-## PKCE Flow Example
-
-```typescript
-import { generateCodeVerifier, createCodeChallenge } from "@bb-labs/pkce";
-
-// 1. Generate verifier and challenge
-const verifier = generateCodeVerifier();
-const challenge = await createCodeChallenge(verifier);
-
-// 2. Send challenge to authorization server
-const authUrl =
-  `https://auth.example.com/oauth/authorize?` +
-  `client_id=your_client_id&` +
-  `redirect_uri=your_redirect_uri&` +
-  `response_type=code&` +
-  `code_challenge=${challenge}&` +
-  `code_challenge_method=S256`;
-
-// 3. After user authorization, exchange code for tokens using the verifier
-const tokenResponse = await fetch("https://auth.example.com/oauth/token", {
-  method: "POST",
-  body: new URLSearchParams({
-    grant_type: "authorization_code",
-    code: authorizationCode,
-    redirect_uri: redirectUri,
-    client_id: clientId,
-    code_verifier: verifier, // ← Send the original verifier
-  }),
-});
-```
+Works in all JavaScript environments. Provide your platform's crypto random bytes function:
 
-## Error Handling
+- **Node.js**: `crypto.randomBytes`
+- **Browser**: `(length) => crypto.getRandomValues(new Uint8Array(length))`
+- **Expo/React Native**: `expo-crypto.getRandomBytes`
 
-The library will throw descriptive errors if no suitable crypto implementation is found:
+## Implementation Details
 
-- React Native: `"expo-crypto is required for React Native PKCE operations. Install expo-crypto or use a different PKCE implementation."`
-- Node.js: `"Node.js crypto is required for server-side PKCE operations."`
+- **SHA-256**: Pure JavaScript FIPS 180-4 implementation
+- **Base64URL**: RFC 4648 compliant
+- **Bundle size**: ~3KB minified
+- **TypeScript**: Full type definitions included
 
 ## License
 

package/dist/index.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Random bytes generator function type
+ * Can return Buffer, Uint8Array, or ArrayBuffer
+ */
+export type RandomBytesGenerator = (length: number) => Uint8Array | ArrayBuffer | Buffer;
+/**
+ * Generates a random code verifier for PKCE
+ * @param getRandomBytes - Function that generates cryptographically secure random bytes
+ * @returns Base64url-encoded code verifier (43 characters)
+ *
+ * @example
+ * // Node.js
+ * import { randomBytes } from 'crypto';
+ * const verifier = generateCodeVerifier(randomBytes);
+ *
+ * @example
+ * // Expo
+ * import * as Crypto from 'expo-crypto';
+ * const verifier = generateCodeVerifier(Crypto.getRandomBytes);
+ *
+ * @example
+ * // Browser
+ * const verifier = generateCodeVerifier((length) => {
+ *   const bytes = new Uint8Array(length);
+ *   crypto.getRandomValues(bytes);
+ *   return bytes;
+ * });
+ */
+export declare function generateCodeVerifier(getRandomBytes: RandomBytesGenerator): string;
+/**
+ * Creates a code challenge from a code verifier using SHA-256
+ * Uses pure JavaScript SHA-256 implementation
+ * @param verifier - The code verifier to hash
+ * @returns Base64url-encoded SHA-256 hash of the verifier (43 characters)
+ */
+export declare function createCodeChallenge(verifier: string): string;

package/dist/index.js

@@ -1 +1,47 @@
-"use strict";
+import { uint8ArrayToBase64Url } from "./utils/base64";
+import { sha256 } from "./utils/sha256";
+/**
+ * Generates a random code verifier for PKCE
+ * @param getRandomBytes - Function that generates cryptographically secure random bytes
+ * @returns Base64url-encoded code verifier (43 characters)
+ *
+ * @example
+ * // Node.js
+ * import { randomBytes } from 'crypto';
+ * const verifier = generateCodeVerifier(randomBytes);
+ *
+ * @example
+ * // Expo
+ * import * as Crypto from 'expo-crypto';
+ * const verifier = generateCodeVerifier(Crypto.getRandomBytes);
+ *
+ * @example
+ * // Browser
+ * const verifier = generateCodeVerifier((length) => {
+ *   const bytes = new Uint8Array(length);
+ *   crypto.getRandomValues(bytes);
+ *   return bytes;
+ * });
+ */
+export function generateCodeVerifier(getRandomBytes) {
+    // Generate 32 bytes (256 bits) of random data
+    const randomBytes = getRandomBytes(32);
+    // Ensure we have a Uint8Array
+    const bytes = randomBytes instanceof Uint8Array
+        ? randomBytes
+        : new Uint8Array(randomBytes);
+    // Convert to base64url encoding (RFC 4648)
+    return uint8ArrayToBase64Url(bytes);
+}
+/**
+ * Creates a code challenge from a code verifier using SHA-256
+ * Uses pure JavaScript SHA-256 implementation
+ * @param verifier - The code verifier to hash
+ * @returns Base64url-encoded SHA-256 hash of the verifier (43 characters)
+ */
+export function createCodeChallenge(verifier) {
+    // Hash using pure JavaScript SHA-256
+    const hash = sha256(verifier);
+    // Convert to base64url encoding
+    return uint8ArrayToBase64Url(hash);
+}

package/dist/utils/base64.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Converts a Uint8Array to base64url encoding (RFC 4648)
+ * Works in all JavaScript environments
+ */
+export declare function uint8ArrayToBase64Url(bytes: Uint8Array): string;

package/dist/utils/base64.js

@@ -0,0 +1,14 @@
+/**
+ * Converts a Uint8Array to base64url encoding (RFC 4648)
+ * Works in all JavaScript environments
+ */
+export function uint8ArrayToBase64Url(bytes) {
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}

package/dist/utils/sha256.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Pure JavaScript SHA-256 implementation
+ * Based on FIPS 180-4 specification
+ * Works in all JavaScript environments (Node.js, browsers, React Native, Expo)
+ */
+/**
+ * Computes SHA-256 hash of input data
+ * @param data - Input string or byte array
+ * @returns SHA-256 hash as Uint8Array (32 bytes)
+ */
+export declare function sha256(data: string | Uint8Array): Uint8Array;

package/dist/utils/sha256.js

@@ -0,0 +1,114 @@
+/**
+ * Pure JavaScript SHA-256 implementation
+ * Based on FIPS 180-4 specification
+ * Works in all JavaScript environments (Node.js, browsers, React Native, Expo)
+ */
+// SHA-256 constants (first 32 bits of the fractional parts of the cube roots of the first 64 primes)
+const K = new Uint32Array([
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+]);
+// Right rotate
+function rotr(n, x) {
+    return (x >>> n) | (x << (32 - n));
+}
+// Convert string to UTF-8 bytes
+function stringToBytes(str) {
+    const bytes = new Uint8Array(str.length);
+    for (let i = 0; i < str.length; i++) {
+        const code = str.charCodeAt(i);
+        if (code > 127) {
+            // Handle UTF-8 encoding for non-ASCII characters
+            return new TextEncoder().encode(str);
+        }
+        bytes[i] = code;
+    }
+    return bytes;
+}
+/**
+ * Computes SHA-256 hash of input data
+ * @param data - Input string or byte array
+ * @returns SHA-256 hash as Uint8Array (32 bytes)
+ */
+export function sha256(data) {
+    // Convert input to bytes
+    const message = typeof data === 'string' ? stringToBytes(data) : data;
+    // Pre-processing: adding padding bits
+    const msgLength = message.length;
+    const bitLength = msgLength * 8;
+    // Calculate padding length (message + 1 bit + zeros + 64-bit length = multiple of 512 bits)
+    const paddingLength = (msgLength + 9 + 63) & ~63; // Round up to nearest multiple of 64
+    const padded = new Uint8Array(paddingLength);
+    // Copy message
+    padded.set(message);
+    // Append '1' bit (0x80 = 10000000 in binary)
+    padded[msgLength] = 0x80;
+    // Append length in bits as 64-bit big-endian integer
+    const view = new DataView(padded.buffer);
+    view.setUint32(paddingLength - 4, bitLength >>> 0, false); // Low 32 bits
+    // Initialize hash values (first 32 bits of the fractional parts of the square roots of the first 8 primes)
+    const h = new Uint32Array([
+        0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
+        0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
+    ]);
+    // Process message in 512-bit (64-byte) chunks
+    const w = new Uint32Array(64);
+    for (let chunkStart = 0; chunkStart < padded.length; chunkStart += 64) {
+        // Break chunk into sixteen 32-bit big-endian words
+        for (let i = 0; i < 16; i++) {
+            const offset = chunkStart + i * 4;
+            w[i] = (padded[offset] << 24) | (padded[offset + 1] << 16) |
+                (padded[offset + 2] << 8) | padded[offset + 3];
+        }
+        // Extend the sixteen 32-bit words into sixty-four 32-bit words
+        for (let i = 16; i < 64; i++) {
+            const s0 = rotr(7, w[i - 15]) ^ rotr(18, w[i - 15]) ^ (w[i - 15] >>> 3);
+            const s1 = rotr(17, w[i - 2]) ^ rotr(19, w[i - 2]) ^ (w[i - 2] >>> 10);
+            w[i] = (w[i - 16] + s0 + w[i - 7] + s1) >>> 0;
+        }
+        // Initialize working variables
+        let a = h[0], b = h[1], c = h[2], d = h[3];
+        let e = h[4], f = h[5], g = h[6], hh = h[7];
+        // Main compression loop
+        for (let i = 0; i < 64; i++) {
+            const S1 = rotr(6, e) ^ rotr(11, e) ^ rotr(25, e);
+            const ch = (e & f) ^ (~e & g);
+            const temp1 = (hh + S1 + ch + K[i] + w[i]) >>> 0;
+            const S0 = rotr(2, a) ^ rotr(13, a) ^ rotr(22, a);
+            const maj = (a & b) ^ (a & c) ^ (b & c);
+            const temp2 = (S0 + maj) >>> 0;
+            hh = g;
+            g = f;
+            f = e;
+            e = (d + temp1) >>> 0;
+            d = c;
+            c = b;
+            b = a;
+            a = (temp1 + temp2) >>> 0;
+        }
+        // Add compressed chunk to current hash value
+        h[0] = (h[0] + a) >>> 0;
+        h[1] = (h[1] + b) >>> 0;
+        h[2] = (h[2] + c) >>> 0;
+        h[3] = (h[3] + d) >>> 0;
+        h[4] = (h[4] + e) >>> 0;
+        h[5] = (h[5] + f) >>> 0;
+        h[6] = (h[6] + g) >>> 0;
+        h[7] = (h[7] + hh) >>> 0;
+    }
+    // Produce the final hash value (big-endian)
+    const hash = new Uint8Array(32);
+    for (let i = 0; i < 8; i++) {
+        hash[i * 4 + 0] = (h[i] >>> 24) & 0xff;
+        hash[i * 4 + 1] = (h[i] >>> 16) & 0xff;
+        hash[i * 4 + 2] = (h[i] >>> 8) & 0xff;
+        hash[i * 4 + 3] = h[i] & 0xff;
+    }
+    return hash;
+}

package/package.json

@@ -1,12 +1,17 @@
 {
   "name": "@bb-labs/pkce",
-  "version": "0.0.2",
-  "description": "A library for PKCE",
+  "version": "0.0.4",
+  "description": "Zero-dependency PKCE library using Web Crypto API for Node.js, browsers, React Native, and Expo",
   "homepage": "https://github.com/beepbop-labs/pkce",
   "keywords": [
     "pkce",
     "pkce-challenge",
-    "pkce-verifier"
+    "pkce-verifier",
+    "oauth",
+    "oauth2",
+    "web-crypto",
+    "react-native",
+    "expo"
   ],
   "author": "Beepbop",
   "license": "MIT",
@@ -20,15 +25,14 @@
     "README.md"
   ],
   "exports": {
-    ".": "./dist/index.js",
-    "./node": "./dist/node/index.js",
-    "./expo": "./dist/expo/index.js"
+    ".": "./dist/index.js"
   },
   "scripts": {
     "clean": "rm -rf dist",
     "build": "npm run clean && tsc -p tsconfig.json",
-    "pack": "npm run build && npm pack --pack-destination ./archive/"
+    "pack": "npm run build && rm -rf archive && mkdir -p archive && bun pm pack --destination ./archive && find ./archive -name '*.tgz' -exec mv {} ./archive/archive7.tgz \\;"
   },
+  "dependencies": {},
   "devDependencies": {
     "@types/bun": "latest"
   },

package/dist/expo/index.d.ts

@@ -1,10 +0,0 @@
-/**
- * Generates a cryptographically secure random code verifier for PKCE
- * Uses expo-crypto if available, otherwise throws an error
- */
-export declare function generateCodeVerifier(): string;
-/**
- * Creates a code challenge from a code verifier using SHA-256
- * Uses expo-crypto if available, otherwise throws an error
- */
-export declare function createCodeChallenge(verifier: string): Promise<string>;

package/dist/expo/index.js

@@ -1,55 +0,0 @@
-/**
- * Generates a cryptographically secure random code verifier for PKCE
- * Uses expo-crypto if available, otherwise throws an error
- */
-export function generateCodeVerifier() {
-    try {
-        const Crypto = require("expo-crypto");
-        // Generate 32 bytes (256 bits) of random data
-        const randomBytes = Crypto.getRandomBytes(32);
-        // Convert to base64url encoding (RFC 4648)
-        return base64UrlEncode(randomBytes);
-    }
-    catch (error) {
-        throw new Error("expo-crypto is required for React Native PKCE operations. Install expo-crypto or use a different PKCE implementation.");
-    }
-}
-/**
- * Creates a code challenge from a code verifier using SHA-256
- * Uses expo-crypto if available, otherwise throws an error
- */
-export async function createCodeChallenge(verifier) {
-    try {
-        const Crypto = require("expo-crypto");
-        // Hash the verifier using SHA-256
-        const hashBuffer = await Crypto.digestStringAsync(Crypto.CryptoDigestAlgorithm.SHA256, verifier, {
-            encoding: Crypto.CryptoEncoding.BASE64,
-        });
-        // Return base64url encoded hash
-        return base64UrlEncode(hashBuffer);
-    }
-    catch (error) {
-        throw new Error("expo-crypto is required for React Native PKCE operations. Install expo-crypto or use a different PKCE implementation.");
-    }
-}
-/**
- * Converts input to base64url encoding (RFC 4648)
- * Replaces '+' with '-', '/' with '_', and removes padding
- */
-function base64UrlEncode(input) {
-    let base64;
-    if (typeof input === "string") {
-        // If input is already a base64 string, use it directly
-        base64 = input;
-    }
-    else {
-        // Convert Uint8Array to base64
-        base64 = "";
-        for (let i = 0; i < input.length; i++) {
-            base64 += String.fromCharCode(input[i]);
-        }
-        base64 = btoa(base64);
-    }
-    // Convert to base64url
-    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}

package/dist/node/index.d.ts

@@ -1,10 +0,0 @@
-/**
- * Generates a cryptographically secure random code verifier for PKCE
- * Node.js implementation using built-in crypto
- */
-export declare function generateCodeVerifier(): string;
-/**
- * Creates a code challenge from a code verifier using SHA-256
- * Node.js implementation using built-in crypto
- */
-export declare function createCodeChallenge(verifier: string): Promise<string>;

package/dist/node/index.js

@@ -1,49 +0,0 @@
-/**
- * Generates a cryptographically secure random code verifier for PKCE
- * Node.js implementation using built-in crypto
- */
-export function generateCodeVerifier() {
-    try {
-        const { randomBytes } = require("crypto");
-        // Generate 32 bytes (256 bits) of random data
-        const randomBytesData = randomBytes(32);
-        // Convert to base64url encoding (RFC 4648)
-        return base64UrlEncode(randomBytesData);
-    }
-    catch (error) {
-        throw new Error("Node.js crypto is required for server-side PKCE operations.");
-    }
-}
-/**
- * Creates a code challenge from a code verifier using SHA-256
- * Node.js implementation using built-in crypto
- */
-export async function createCodeChallenge(verifier) {
-    try {
-        const { createHash } = require("crypto");
-        // Hash the verifier using SHA-256
-        const hash = createHash("sha256").update(verifier).digest();
-        // Return base64url encoded hash
-        return base64UrlEncode(hash);
-    }
-    catch (error) {
-        throw new Error("Node.js crypto is required for server-side PKCE operations.");
-    }
-}
-/**
- * Converts input to base64url encoding (RFC 4648)
- * Replaces '+' with '-', '/' with '_', and removes padding
- */
-function base64UrlEncode(input) {
-    let base64;
-    if (typeof input === "string") {
-        // If input is already a base64 string, use it directly
-        base64 = input;
-    }
-    else {
-        // Convert Buffer to base64
-        base64 = input.toString("base64");
-    }
-    // Convert to base64url
-    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}