@bb-labs/pkce 0.0.3 → 0.0.4

package/README.md

@@ -1,6 +1,6 @@
 # @bb-labs/pkce
 
-A lightweight PKCE (Proof Key for Code Exchange) library using `@noble/hashes` for universal compatibility.
+Zero-dependency PKCE library with pure JavaScript SHA-256 implementation. Bring your own crypto - provide a random bytes generator for maximum compatibility.
 
 ## Installation
 
@@ -13,43 +13,51 @@ npm install @bb-labs/pkce
 ```typescript
 import { generateCodeVerifier, createCodeChallenge } from "@bb-labs/pkce";
 
-// Generate a cryptographically secure code verifier
-const verifier = generateCodeVerifier();
+// Node.js
+import { randomBytes } from "crypto";
+const verifier = generateCodeVerifier(randomBytes);
+const challenge = createCodeChallenge(verifier);
 
-// Create the corresponding code challenge
+// Browser
+const verifier = generateCodeVerifier((length) => {
+  const bytes = new Uint8Array(length);
+  crypto.getRandomValues(bytes);
+  return bytes;
+});
 const challenge = createCodeChallenge(verifier);
 
-// Use in OAuth flow...
+// Expo
+import * as Crypto from "expo-crypto";
+const verifier = generateCodeVerifier(Crypto.getRandomBytes);
+const challenge = createCodeChallenge(verifier);
 ```
 
 ## API
 
-### `generateCodeVerifier(): string`
+### `generateCodeVerifier(getRandomBytes): string`
 
-Generates a cryptographically secure random code verifier (43 characters, base64url encoded).
+Generates a cryptographically secure code verifier (43 chars, base64url encoded).
 
-### `createCodeChallenge(verifier: string): string`
+- `getRandomBytes`: Function returning random bytes (Uint8Array, ArrayBuffer, or Buffer)
 
-Creates a code challenge by SHA-256 hashing the verifier and base64url encoding the result.
+### `createCodeChallenge(verifier): string`
 
-## Requirements
+Creates SHA-256 code challenge from verifier (43 chars, base64url encoded).
 
-Depends on [`@noble/hashes`](https://github.com/paulmillr/noble-hashes) for crypto functions.
+## Platform Support
 
-**React Native Setup:**
+Works in all JavaScript environments. Provide your platform's crypto random bytes function:
 
-```typescript
-// In your app/_layout.tsx (Expo) or App.tsx
-import { polyfillWebCrypto } from "expo-standard-web-crypto";
-polyfillWebCrypto();
-```
+- **Node.js**: `crypto.randomBytes`
+- **Browser**: `(length) => crypto.getRandomValues(new Uint8Array(length))`
+- **Expo/React Native**: `expo-crypto.getRandomBytes`
 
-For bare React Native:
+## Implementation Details
 
-```bash
-npm install react-native-get-random-values
-import 'react-native-get-random-values';
-```
+- **SHA-256**: Pure JavaScript FIPS 180-4 implementation
+- **Base64URL**: RFC 4648 compliant
+- **Bundle size**: ~3KB minified
+- **TypeScript**: Full type definitions included
 
 ## License
 

package/dist/index.d.ts

@@ -1,14 +1,36 @@
 /**
- * Universal PKCE implementation using @noble/hashes
- * Works in Node.js, React Native, Expo, and browsers
+ * Random bytes generator function type
+ * Can return Buffer, Uint8Array, or ArrayBuffer
  */
+export type RandomBytesGenerator = (length: number) => Uint8Array | ArrayBuffer | Buffer;
 /**
- * Generates a cryptographically secure random code verifier for PKCE
- * Uses @noble/hashes randomBytes (works in Node.js, browsers, React Native)
+ * Generates a random code verifier for PKCE
+ * @param getRandomBytes - Function that generates cryptographically secure random bytes
+ * @returns Base64url-encoded code verifier (43 characters)
+ *
+ * @example
+ * // Node.js
+ * import { randomBytes } from 'crypto';
+ * const verifier = generateCodeVerifier(randomBytes);
+ *
+ * @example
+ * // Expo
+ * import * as Crypto from 'expo-crypto';
+ * const verifier = generateCodeVerifier(Crypto.getRandomBytes);
+ *
+ * @example
+ * // Browser
+ * const verifier = generateCodeVerifier((length) => {
+ *   const bytes = new Uint8Array(length);
+ *   crypto.getRandomValues(bytes);
+ *   return bytes;
+ * });
  */
-export declare function generateCodeVerifier(): string;
+export declare function generateCodeVerifier(getRandomBytes: RandomBytesGenerator): string;
 /**
  * Creates a code challenge from a code verifier using SHA-256
- * Uses @noble/hashes sha256 (works in Node.js, browsers, React Native)
+ * Uses pure JavaScript SHA-256 implementation
+ * @param verifier - The code verifier to hash
+ * @returns Base64url-encoded SHA-256 hash of the verifier (43 characters)
  */
 export declare function createCodeChallenge(verifier: string): string;

package/dist/index.js

@@ -1,74 +1,47 @@
+import { uint8ArrayToBase64Url } from "./utils/base64";
+import { sha256 } from "./utils/sha256";
 /**
- * Universal PKCE implementation using @noble/hashes
- * Works in Node.js, React Native, Expo, and browsers
+ * Generates a random code verifier for PKCE
+ * @param getRandomBytes - Function that generates cryptographically secure random bytes
+ * @returns Base64url-encoded code verifier (43 characters)
+ *
+ * @example
+ * // Node.js
+ * import { randomBytes } from 'crypto';
+ * const verifier = generateCodeVerifier(randomBytes);
+ *
+ * @example
+ * // Expo
+ * import * as Crypto from 'expo-crypto';
+ * const verifier = generateCodeVerifier(Crypto.getRandomBytes);
+ *
+ * @example
+ * // Browser
+ * const verifier = generateCodeVerifier((length) => {
+ *   const bytes = new Uint8Array(length);
+ *   crypto.getRandomValues(bytes);
+ *   return bytes;
+ * });
  */
-import { sha256 } from "@noble/hashes/sha2";
-import { randomBytes } from "@noble/hashes/utils";
-/**
- * Generates a cryptographically secure random code verifier for PKCE
- * Uses @noble/hashes randomBytes (works in Node.js, browsers, React Native)
- */
-export function generateCodeVerifier() {
+export function generateCodeVerifier(getRandomBytes) {
     // Generate 32 bytes (256 bits) of random data
-    const randomBytesData = randomBytes(32);
+    const randomBytes = getRandomBytes(32);
+    // Ensure we have a Uint8Array
+    const bytes = randomBytes instanceof Uint8Array
+        ? randomBytes
+        : new Uint8Array(randomBytes);
     // Convert to base64url encoding (RFC 4648)
-    return base64UrlEncode(randomBytesData);
+    return uint8ArrayToBase64Url(bytes);
 }
 /**
  * Creates a code challenge from a code verifier using SHA-256
- * Uses @noble/hashes sha256 (works in Node.js, browsers, React Native)
+ * Uses pure JavaScript SHA-256 implementation
+ * @param verifier - The code verifier to hash
+ * @returns Base64url-encoded SHA-256 hash of the verifier (43 characters)
  */
 export function createCodeChallenge(verifier) {
-    // Convert string to bytes
-    const bytes = stringToBytes(verifier);
-    // Hash using SHA-256 from @noble/hashes
-    const hash = sha256(bytes);
+    // Hash using pure JavaScript SHA-256
+    const hash = sha256(verifier);
     // Convert to base64url encoding
-    return base64UrlEncode(hash);
-}
-/**
- * Converts a string to UTF-8 bytes
- */
-function stringToBytes(str) {
-    const bytes = [];
-    for (let i = 0; i < str.length; i++) {
-        const code = str.charCodeAt(i);
-        if (code < 0x80) {
-            bytes.push(code);
-        }
-        else if (code < 0x800) {
-            bytes.push(0xc0 | (code >> 6), 0x80 | (code & 0x3f));
-        }
-        else if (code < 0xd800 || code >= 0xe000) {
-            bytes.push(0xe0 | (code >> 12), 0x80 | ((code >> 6) & 0x3f), 0x80 | (code & 0x3f));
-        }
-        else {
-            // Surrogate pair
-            i++;
-            const cp = 0x10000 + (((code & 0x3ff) << 10) | (str.charCodeAt(i) & 0x3ff));
-            bytes.push(0xf0 | (cp >> 18), 0x80 | ((cp >> 12) & 0x3f), 0x80 | ((cp >> 6) & 0x3f), 0x80 | (cp & 0x3f));
-        }
-    }
-    return new Uint8Array(bytes);
-}
-/**
- * Converts Uint8Array to base64url encoding (RFC 4648)
- */
-function base64UrlEncode(bytes) {
-    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
-    let result = "";
-    for (let i = 0; i < bytes.length; i += 3) {
-        const b1 = bytes[i];
-        const b2 = i + 1 < bytes.length ? bytes[i + 1] : 0;
-        const b3 = i + 2 < bytes.length ? bytes[i + 2] : 0;
-        result += chars[b1 >> 2];
-        result += chars[((b1 & 0x03) << 4) | (b2 >> 4)];
-        if (i + 1 < bytes.length) {
-            result += chars[((b2 & 0x0f) << 2) | (b3 >> 6)];
-        }
-        if (i + 2 < bytes.length) {
-            result += chars[b3 & 0x3f];
-        }
-    }
-    return result;
+    return uint8ArrayToBase64Url(hash);
 }

package/dist/utils/base64.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Converts a Uint8Array to base64url encoding (RFC 4648)
+ * Works in all JavaScript environments
+ */
+export declare function uint8ArrayToBase64Url(bytes: Uint8Array): string;

package/dist/utils/base64.js

@@ -0,0 +1,14 @@
+/**
+ * Converts a Uint8Array to base64url encoding (RFC 4648)
+ * Works in all JavaScript environments
+ */
+export function uint8ArrayToBase64Url(bytes) {
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=/g, '');
+}

package/dist/utils/sha256.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Pure JavaScript SHA-256 implementation
+ * Based on FIPS 180-4 specification
+ * Works in all JavaScript environments (Node.js, browsers, React Native, Expo)
+ */
+/**
+ * Computes SHA-256 hash of input data
+ * @param data - Input string or byte array
+ * @returns SHA-256 hash as Uint8Array (32 bytes)
+ */
+export declare function sha256(data: string | Uint8Array): Uint8Array;

package/dist/utils/sha256.js

@@ -0,0 +1,114 @@
+/**
+ * Pure JavaScript SHA-256 implementation
+ * Based on FIPS 180-4 specification
+ * Works in all JavaScript environments (Node.js, browsers, React Native, Expo)
+ */
+// SHA-256 constants (first 32 bits of the fractional parts of the cube roots of the first 64 primes)
+const K = new Uint32Array([
+    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
+]);
+// Right rotate
+function rotr(n, x) {
+    return (x >>> n) | (x << (32 - n));
+}
+// Convert string to UTF-8 bytes
+function stringToBytes(str) {
+    const bytes = new Uint8Array(str.length);
+    for (let i = 0; i < str.length; i++) {
+        const code = str.charCodeAt(i);
+        if (code > 127) {
+            // Handle UTF-8 encoding for non-ASCII characters
+            return new TextEncoder().encode(str);
+        }
+        bytes[i] = code;
+    }
+    return bytes;
+}
+/**
+ * Computes SHA-256 hash of input data
+ * @param data - Input string or byte array
+ * @returns SHA-256 hash as Uint8Array (32 bytes)
+ */
+export function sha256(data) {
+    // Convert input to bytes
+    const message = typeof data === 'string' ? stringToBytes(data) : data;
+    // Pre-processing: adding padding bits
+    const msgLength = message.length;
+    const bitLength = msgLength * 8;
+    // Calculate padding length (message + 1 bit + zeros + 64-bit length = multiple of 512 bits)
+    const paddingLength = (msgLength + 9 + 63) & ~63; // Round up to nearest multiple of 64
+    const padded = new Uint8Array(paddingLength);
+    // Copy message
+    padded.set(message);
+    // Append '1' bit (0x80 = 10000000 in binary)
+    padded[msgLength] = 0x80;
+    // Append length in bits as 64-bit big-endian integer
+    const view = new DataView(padded.buffer);
+    view.setUint32(paddingLength - 4, bitLength >>> 0, false); // Low 32 bits
+    // Initialize hash values (first 32 bits of the fractional parts of the square roots of the first 8 primes)
+    const h = new Uint32Array([
+        0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
+        0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
+    ]);
+    // Process message in 512-bit (64-byte) chunks
+    const w = new Uint32Array(64);
+    for (let chunkStart = 0; chunkStart < padded.length; chunkStart += 64) {
+        // Break chunk into sixteen 32-bit big-endian words
+        for (let i = 0; i < 16; i++) {
+            const offset = chunkStart + i * 4;
+            w[i] = (padded[offset] << 24) | (padded[offset + 1] << 16) |
+                (padded[offset + 2] << 8) | padded[offset + 3];
+        }
+        // Extend the sixteen 32-bit words into sixty-four 32-bit words
+        for (let i = 16; i < 64; i++) {
+            const s0 = rotr(7, w[i - 15]) ^ rotr(18, w[i - 15]) ^ (w[i - 15] >>> 3);
+            const s1 = rotr(17, w[i - 2]) ^ rotr(19, w[i - 2]) ^ (w[i - 2] >>> 10);
+            w[i] = (w[i - 16] + s0 + w[i - 7] + s1) >>> 0;
+        }
+        // Initialize working variables
+        let a = h[0], b = h[1], c = h[2], d = h[3];
+        let e = h[4], f = h[5], g = h[6], hh = h[7];
+        // Main compression loop
+        for (let i = 0; i < 64; i++) {
+            const S1 = rotr(6, e) ^ rotr(11, e) ^ rotr(25, e);
+            const ch = (e & f) ^ (~e & g);
+            const temp1 = (hh + S1 + ch + K[i] + w[i]) >>> 0;
+            const S0 = rotr(2, a) ^ rotr(13, a) ^ rotr(22, a);
+            const maj = (a & b) ^ (a & c) ^ (b & c);
+            const temp2 = (S0 + maj) >>> 0;
+            hh = g;
+            g = f;
+            f = e;
+            e = (d + temp1) >>> 0;
+            d = c;
+            c = b;
+            b = a;
+            a = (temp1 + temp2) >>> 0;
+        }
+        // Add compressed chunk to current hash value
+        h[0] = (h[0] + a) >>> 0;
+        h[1] = (h[1] + b) >>> 0;
+        h[2] = (h[2] + c) >>> 0;
+        h[3] = (h[3] + d) >>> 0;
+        h[4] = (h[4] + e) >>> 0;
+        h[5] = (h[5] + f) >>> 0;
+        h[6] = (h[6] + g) >>> 0;
+        h[7] = (h[7] + hh) >>> 0;
+    }
+    // Produce the final hash value (big-endian)
+    const hash = new Uint8Array(32);
+    for (let i = 0; i < 8; i++) {
+        hash[i * 4 + 0] = (h[i] >>> 24) & 0xff;
+        hash[i * 4 + 1] = (h[i] >>> 16) & 0xff;
+        hash[i * 4 + 2] = (h[i] >>> 8) & 0xff;
+        hash[i * 4 + 3] = h[i] & 0xff;
+    }
+    return hash;
+}

package/package.json

@@ -1,12 +1,17 @@
 {
   "name": "@bb-labs/pkce",
-  "version": "0.0.3",
-  "description": "A library for PKCE",
+  "version": "0.0.4",
+  "description": "Zero-dependency PKCE library using Web Crypto API for Node.js, browsers, React Native, and Expo",
   "homepage": "https://github.com/beepbop-labs/pkce",
   "keywords": [
     "pkce",
     "pkce-challenge",
-    "pkce-verifier"
+    "pkce-verifier",
+    "oauth",
+    "oauth2",
+    "web-crypto",
+    "react-native",
+    "expo"
   ],
   "author": "Beepbop",
   "license": "MIT",
@@ -20,18 +25,14 @@
     "README.md"
   ],
   "exports": {
-    ".": "./dist/index.js",
-    "./node": "./dist/node/index.js",
-    "./expo": "./dist/expo/index.js"
+    ".": "./dist/index.js"
   },
   "scripts": {
     "clean": "rm -rf dist",
     "build": "npm run clean && tsc -p tsconfig.json",
-    "pack": "npm run build && rm -rf archive && mkdir -p archive && bun pm pack --destination ./archive && find ./archive -name '*.tgz' -exec mv {} ./archive/archive2.tgz \\;"
-  },
-  "dependencies": {
-    "@noble/hashes": "^1.3.0"
+    "pack": "npm run build && rm -rf archive && mkdir -p archive && bun pm pack --destination ./archive && find ./archive -name '*.tgz' -exec mv {} ./archive/archive7.tgz \\;"
   },
+  "dependencies": {},
   "devDependencies": {
     "@types/bun": "latest"
   },