@bonapasogit-dev/jwt-manager 1.0.0

package/README.md

@@ -0,0 +1,234 @@
+# @bonapasogit-dev/jwt-manager
+
+High-performance JWT lifecycle management library with JTI validation for preventing replay attacks and enabling token revocation.
+
+## Features
+
+- ✅ **JTI Validation** - Unique token IDs using ULID for collision-free identification
+- ✅ **Token Revocation** - Blacklist tokens before expiry
+- ✅ **One-Time Tokens** - Single-use tokens with automatic invalidation
+- ✅ **Security-First** - Enforces `aud`, `iss`, `exp` claims on all tokens
+- ✅ **Multiple Algorithms** - RS256, ES256, HS256, and more
+- ✅ **TypeScript** - Full type safety with comprehensive types
+
+## Installation
+
+```bash
+npm install @bonapasogit-dev/jwt-manager
+```
+
+## Quick Start
+
+### Using HMAC (HS256)
+
+```typescript
+import { createJwtManager } from '@bonapasogit-dev/jwt-manager';
+
+const jwtManager = createJwtManager({
+    algorithm: 'HS256',
+    secret: 'your-secret-key-min-32-characters-long',
+});
+
+// Sign a token
+const token = jwtManager.sign({
+    subject: 'user-123',
+    audience: 'my-app',
+    issuer: 'auth-service',
+    expiresIn: 3600, // 1 hour
+    claims: {
+        role: 'admin',
+    },
+});
+
+// Verify a token
+const result = await jwtManager.verify(token);
+console.log(result.payload.sub); // 'user-123'
+console.log(result.payload.jti); // ULID (e.g., '01ARZ3NDEKTSV4RRFFQ69DT1FK')
+```
+
+### Using RSA (RS256) - Recommended for Production
+
+```typescript
+import { createJwtManager } from '@bonapasogit-dev/jwt-manager';
+import fs from 'fs';
+
+const jwtManager = createJwtManager({
+    algorithm: 'RS256',
+    privateKey: fs.readFileSync('./private.pem', 'utf-8'),
+    publicKey: fs.readFileSync('./public.pem', 'utf-8'),
+});
+```
+
+## Token Revocation
+
+Revoke tokens before their natural expiry:
+
+```typescript
+// Revoke by JTI
+const payload = jwtManager.decode(token);
+await jwtManager.revoke(payload.jti, payload.exp);
+
+// Or revoke directly from token
+await jwtManager.revokeToken(token);
+
+// Verification will now fail
+try {
+    await jwtManager.verify(token);
+} catch (error) {
+    if (error instanceof JwtRevokedError) {
+        console.log('Token has been revoked');
+    }
+}
+```
+
+## One-Time Tokens
+
+Create tokens that can only be used once (e.g., for password reset):
+
+```typescript
+const oneTimeToken = jwtManager.sign({
+    subject: 'user-123',
+    audience: 'password-reset',
+    issuer: 'auth-service',
+    expiresIn: 900, // 15 minutes
+    oneTimeToken: true,
+});
+
+// First verification succeeds
+const result = await jwtManager.verify(oneTimeToken);
+
+// Second verification throws JwtReplayError
+try {
+    await jwtManager.verify(oneTimeToken);
+} catch (error) {
+    if (error instanceof JwtReplayError) {
+        console.log('Token already used');
+    }
+}
+```
+
+## Custom Token Store
+
+For distributed systems, implement the `TokenStore` interface with Redis or PostgreSQL:
+
+```typescript
+import { TokenStore, createJwtManager } from '@bonapasogit-dev/jwt-manager';
+import Redis from 'ioredis';
+
+class RedisTokenStore implements TokenStore {
+    private redis: Redis;
+
+    constructor(redis: Redis) {
+        this.redis = redis;
+    }
+
+    async add(jti: string, expiresAt: number): Promise<void> {
+        const ttl = expiresAt - Math.floor(Date.now() / 1000);
+        if (ttl > 0) {
+            await this.redis.setex(`jwt:revoked:${jti}`, ttl, '1');
+        }
+    }
+
+    async has(jti: string): Promise<boolean> {
+        const exists = await this.redis.exists(`jwt:revoked:${jti}`);
+        return exists === 1;
+    }
+
+    async remove(jti: string): Promise<void> {
+        await this.redis.del(`jwt:revoked:${jti}`);
+    }
+
+    async cleanup(): Promise<void> {
+        // Redis handles TTL automatically
+    }
+}
+
+const jwtManager = createJwtManager({
+    algorithm: 'RS256',
+    privateKey: '...',
+    publicKey: '...',
+    tokenStore: new RedisTokenStore(new Redis()),
+});
+```
+
+## Error Handling
+
+```typescript
+import {
+    JwtExpiredError,
+    JwtRevokedError,
+    JwtReplayError,
+    JwtInvalidSignatureError,
+    JwtInvalidClaimsError,
+    JwtMalformedError,
+    isJwtError,
+    JwtErrorCode,
+} from '@bonapasogit-dev/jwt-manager';
+
+try {
+    const result = await jwtManager.verify(token);
+} catch (error) {
+    if (isJwtError(error)) {
+        switch (error.code) {
+            case JwtErrorCode.EXPIRED:
+                // Token has expired
+                break;
+            case JwtErrorCode.REVOKED:
+                // Token was revoked
+                break;
+            case JwtErrorCode.REPLAY:
+                // One-time token already used
+                break;
+            case JwtErrorCode.INVALID_SIGNATURE:
+                // Signature verification failed
+                break;
+            case JwtErrorCode.INVALID_CLAIMS:
+                // Missing or invalid claims
+                break;
+            case JwtErrorCode.MALFORMED:
+                // Token cannot be decoded
+                break;
+        }
+    }
+}
+```
+
+## API Reference
+
+### `JwtManager`
+
+#### `sign(options: SignOptions): string`
+
+Generate a JWT with auto-injected `jti`, `iat`, `exp` claims.
+
+#### `verify(token: string, options?: VerifyOptions): Promise<VerifyResult>`
+
+Verify a JWT's signature, expiry, and JTI status.
+
+#### `revoke(jti: string, expiresAt: number): Promise<void>`
+
+Add a JTI to the denylist.
+
+#### `revokeToken(token: string): Promise<void>`
+
+Revoke a token by decoding and extracting its JTI.
+
+#### `decode(token: string): JwtPayload | null`
+
+Decode without verification (for inspection only).
+
+#### `isRevoked(jti: string): Promise<boolean>`
+
+Check if a JTI has been revoked.
+
+## Security Best Practices
+
+1. **Use Asymmetric Algorithms** - RS256/ES256 for shared environments
+2. **Rotate Keys Regularly** - Every 24-48 hours for production
+3. **Keep Secrets Secure** - Use environment variables or secret managers
+4. **Set Reasonable Expiry** - Balance security with user experience
+5. **Implement Token Refresh** - Short-lived access tokens + long-lived refresh tokens
+
+## License
+
+MIT

package/dist/errors.d.ts

@@ -0,0 +1,78 @@
+import { JwtErrorCode } from './types';
+/**
+ * Base error class for all JWT-related errors.
+ */
+export declare abstract class JwtError extends Error {
+    abstract readonly code: JwtErrorCode;
+    constructor(message: string);
+    /**
+     * Convert error to a structured object for logging/API responses.
+     */
+    toJSON(): {
+        code: JwtErrorCode;
+        message: string;
+        name: string;
+    };
+}
+/**
+ * Token has expired (exp claim is in the past).
+ */
+export declare class JwtExpiredError extends JwtError {
+    readonly code = JwtErrorCode.EXPIRED;
+    readonly expiredAt: Date;
+    constructor(expiredAt: Date);
+}
+/**
+ * Token has been revoked (JTI found in denylist).
+ */
+export declare class JwtRevokedError extends JwtError {
+    readonly code = JwtErrorCode.REVOKED;
+    readonly jti: string;
+    constructor(jti: string);
+}
+/**
+ * One-time token has already been used (replay attack detected).
+ */
+export declare class JwtReplayError extends JwtError {
+    readonly code = JwtErrorCode.REPLAY;
+    readonly jti: string;
+    constructor(jti: string);
+}
+/**
+ * Token signature is invalid.
+ */
+export declare class JwtInvalidSignatureError extends JwtError {
+    readonly code = JwtErrorCode.INVALID_SIGNATURE;
+    constructor();
+}
+/**
+ * Token claims validation failed (missing or invalid aud, iss, etc).
+ */
+export declare class JwtInvalidClaimsError extends JwtError {
+    readonly code = JwtErrorCode.INVALID_CLAIMS;
+    readonly claim: string;
+    constructor(claim: string, reason: string);
+}
+/**
+ * Token is malformed or cannot be decoded.
+ */
+export declare class JwtMalformedError extends JwtError {
+    readonly code = JwtErrorCode.MALFORMED;
+    constructor(reason?: string);
+}
+/**
+ * Type guard to check if an error is a JwtError.
+ */
+export declare function isJwtError(error: unknown): error is JwtError;
+/**
+ * Map of error codes to error classes for programmatic handling.
+ */
+export declare const JwtErrors: {
+    readonly JwtExpiredError: typeof JwtExpiredError;
+    readonly JwtRevokedError: typeof JwtRevokedError;
+    readonly JwtReplayError: typeof JwtReplayError;
+    readonly JwtInvalidSignatureError: typeof JwtInvalidSignatureError;
+    readonly JwtInvalidClaimsError: typeof JwtInvalidClaimsError;
+    readonly JwtMalformedError: typeof JwtMalformedError;
+};
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC;;GAEG;AACH,8BAAsB,QAAS,SAAQ,KAAK;IACxC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;gBAEzB,OAAO,EAAE,MAAM;IAM3B;;OAEG;IACH,MAAM,IAAI;QAAE,IAAI,EAAE,YAAY,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE;CAOlE;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,QAAQ;IACzC,QAAQ,CAAC,IAAI,wBAAwB;IACrC,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;gBAEb,SAAS,EAAE,IAAI;CAI9B;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,QAAQ;IACzC,QAAQ,CAAC,IAAI,wBAAwB;IACrC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;gBAET,GAAG,EAAE,MAAM;CAI1B;AAED;;GAEG;AACH,qBAAa,cAAe,SAAQ,QAAQ;IACxC,QAAQ,CAAC,IAAI,uBAAuB;IACpC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;gBAET,GAAG,EAAE,MAAM;CAI1B;AAED;;GAEG;AACH,qBAAa,wBAAyB,SAAQ,QAAQ;IAClD,QAAQ,CAAC,IAAI,kCAAkC;;CAKlD;AAED;;GAEG;AACH,qBAAa,qBAAsB,SAAQ,QAAQ;IAC/C,QAAQ,CAAC,IAAI,+BAA+B;IAC5C,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;gBAEX,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAI5C;AAED;;GAEG;AACH,qBAAa,iBAAkB,SAAQ,QAAQ;IAC3C,QAAQ,CAAC,IAAI,0BAA0B;gBAE3B,MAAM,CAAC,EAAE,MAAM;CAG9B;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,QAAQ,CAE5D;AAED;;GAEG;AACH,eAAO,MAAM,SAAS;;;;;;;CAOZ,CAAC"}

package/dist/errors.js

@@ -0,0 +1,108 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtErrors = exports.JwtMalformedError = exports.JwtInvalidClaimsError = exports.JwtInvalidSignatureError = exports.JwtReplayError = exports.JwtRevokedError = exports.JwtExpiredError = exports.JwtError = void 0;
+exports.isJwtError = isJwtError;
+const types_1 = require("./types");
+/**
+ * Base error class for all JWT-related errors.
+ */
+class JwtError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = this.constructor.name;
+        Error.captureStackTrace(this, this.constructor);
+    }
+    /**
+     * Convert error to a structured object for logging/API responses.
+     */
+    toJSON() {
+        return {
+            code: this.code,
+            message: this.message,
+            name: this.name,
+        };
+    }
+}
+exports.JwtError = JwtError;
+/**
+ * Token has expired (exp claim is in the past).
+ */
+class JwtExpiredError extends JwtError {
+    constructor(expiredAt) {
+        super(`Token expired at ${expiredAt.toISOString()}`);
+        this.code = types_1.JwtErrorCode.EXPIRED;
+        this.expiredAt = expiredAt;
+    }
+}
+exports.JwtExpiredError = JwtExpiredError;
+/**
+ * Token has been revoked (JTI found in denylist).
+ */
+class JwtRevokedError extends JwtError {
+    constructor(jti) {
+        super(`Token with JTI "${jti}" has been revoked`);
+        this.code = types_1.JwtErrorCode.REVOKED;
+        this.jti = jti;
+    }
+}
+exports.JwtRevokedError = JwtRevokedError;
+/**
+ * One-time token has already been used (replay attack detected).
+ */
+class JwtReplayError extends JwtError {
+    constructor(jti) {
+        super(`Token with JTI "${jti}" has already been used`);
+        this.code = types_1.JwtErrorCode.REPLAY;
+        this.jti = jti;
+    }
+}
+exports.JwtReplayError = JwtReplayError;
+/**
+ * Token signature is invalid.
+ */
+class JwtInvalidSignatureError extends JwtError {
+    constructor() {
+        super('Token signature is invalid');
+        this.code = types_1.JwtErrorCode.INVALID_SIGNATURE;
+    }
+}
+exports.JwtInvalidSignatureError = JwtInvalidSignatureError;
+/**
+ * Token claims validation failed (missing or invalid aud, iss, etc).
+ */
+class JwtInvalidClaimsError extends JwtError {
+    constructor(claim, reason) {
+        super(`Invalid claim "${claim}": ${reason}`);
+        this.code = types_1.JwtErrorCode.INVALID_CLAIMS;
+        this.claim = claim;
+    }
+}
+exports.JwtInvalidClaimsError = JwtInvalidClaimsError;
+/**
+ * Token is malformed or cannot be decoded.
+ */
+class JwtMalformedError extends JwtError {
+    constructor(reason) {
+        super(reason ? `Malformed token: ${reason}` : 'Token is malformed');
+        this.code = types_1.JwtErrorCode.MALFORMED;
+    }
+}
+exports.JwtMalformedError = JwtMalformedError;
+/**
+ * Type guard to check if an error is a JwtError.
+ */
+function isJwtError(error) {
+    return error instanceof JwtError;
+}
+/**
+ * Map of error codes to error classes for programmatic handling.
+ */
+exports.JwtErrors = {
+    JwtExpiredError,
+    JwtRevokedError,
+    JwtReplayError,
+    JwtInvalidSignatureError,
+    JwtInvalidClaimsError,
+    JwtMalformedError,
+};
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";;;AAuGA,gCAEC;AAzGD,mCAAuC;AAEvC;;GAEG;AACH,MAAsB,QAAS,SAAQ,KAAK;IAGxC,YAAY,OAAe;QACvB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;QAClC,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,MAAM;QACF,OAAO;YACH,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;SAClB,CAAC;IACN,CAAC;CACJ;AAnBD,4BAmBC;AAED;;GAEG;AACH,MAAa,eAAgB,SAAQ,QAAQ;IAIzC,YAAY,SAAe;QACvB,KAAK,CAAC,oBAAoB,SAAS,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAJhD,SAAI,GAAG,oBAAY,CAAC,OAAO,CAAC;QAKjC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC/B,CAAC;CACJ;AARD,0CAQC;AAED;;GAEG;AACH,MAAa,eAAgB,SAAQ,QAAQ;IAIzC,YAAY,GAAW;QACnB,KAAK,CAAC,mBAAmB,GAAG,oBAAoB,CAAC,CAAC;QAJ7C,SAAI,GAAG,oBAAY,CAAC,OAAO,CAAC;QAKjC,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACnB,CAAC;CACJ;AARD,0CAQC;AAED;;GAEG;AACH,MAAa,cAAe,SAAQ,QAAQ;IAIxC,YAAY,GAAW;QACnB,KAAK,CAAC,mBAAmB,GAAG,yBAAyB,CAAC,CAAC;QAJlD,SAAI,GAAG,oBAAY,CAAC,MAAM,CAAC;QAKhC,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACnB,CAAC;CACJ;AARD,wCAQC;AAED;;GAEG;AACH,MAAa,wBAAyB,SAAQ,QAAQ;IAGlD;QACI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAH/B,SAAI,GAAG,oBAAY,CAAC,iBAAiB,CAAC;IAI/C,CAAC;CACJ;AAND,4DAMC;AAED;;GAEG;AACH,MAAa,qBAAsB,SAAQ,QAAQ;IAI/C,YAAY,KAAa,EAAE,MAAc;QACrC,KAAK,CAAC,kBAAkB,KAAK,MAAM,MAAM,EAAE,CAAC,CAAC;QAJxC,SAAI,GAAG,oBAAY,CAAC,cAAc,CAAC;QAKxC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACvB,CAAC;CACJ;AARD,sDAQC;AAED;;GAEG;AACH,MAAa,iBAAkB,SAAQ,QAAQ;IAG3C,YAAY,MAAe;QACvB,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,oBAAoB,MAAM,EAAE,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC;QAH/D,SAAI,GAAG,oBAAY,CAAC,SAAS,CAAC;IAIvC,CAAC;CACJ;AAND,8CAMC;AAED;;GAEG;AACH,SAAgB,UAAU,CAAC,KAAc;IACrC,OAAO,KAAK,YAAY,QAAQ,CAAC;AACrC,CAAC;AAED;;GAEG;AACU,QAAA,SAAS,GAAG;IACrB,eAAe;IACf,eAAe;IACf,cAAc;IACd,wBAAwB;IACxB,qBAAqB;IACrB,iBAAiB;CACX,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * @bonapasogit-dev/jwt-manager
+ * High-performance JWT lifecycle management with JTI validation.
+ */
+export { JwtManager, createJwtManager } from './jwtManager';
+export { InMemoryTokenStore, createInMemoryTokenStore } from './tokenStore';
+export type { Algorithm, JwtManagerConfig, JwtPayload, SignOptions, TokenStore, VerifyOptions, VerifyResult, } from './types';
+export { JwtErrorCode } from './types';
+export { JwtError, JwtExpiredError, JwtRevokedError, JwtReplayError, JwtInvalidSignatureError, JwtInvalidClaimsError, JwtMalformedError, JwtErrors, isJwtError, } from './errors';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAG5D,OAAO,EAAE,kBAAkB,EAAE,wBAAwB,EAAE,MAAM,cAAc,CAAC;AAG5E,YAAY,EACR,SAAS,EACT,gBAAgB,EAChB,UAAU,EACV,WAAW,EACX,UAAU,EACV,aAAa,EACb,YAAY,GACf,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAGvC,OAAO,EACH,QAAQ,EACR,eAAe,EACf,eAAe,EACf,cAAc,EACd,wBAAwB,EACxB,qBAAqB,EACrB,iBAAiB,EACjB,SAAS,EACT,UAAU,GACb,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,29 @@
+"use strict";
+/**
+ * @bonapasogit-dev/jwt-manager
+ * High-performance JWT lifecycle management with JTI validation.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isJwtError = exports.JwtErrors = exports.JwtMalformedError = exports.JwtInvalidClaimsError = exports.JwtInvalidSignatureError = exports.JwtReplayError = exports.JwtRevokedError = exports.JwtExpiredError = exports.JwtError = exports.JwtErrorCode = exports.createInMemoryTokenStore = exports.InMemoryTokenStore = exports.createJwtManager = exports.JwtManager = void 0;
+// Core manager
+var jwtManager_1 = require("./jwtManager");
+Object.defineProperty(exports, "JwtManager", { enumerable: true, get: function () { return jwtManager_1.JwtManager; } });
+Object.defineProperty(exports, "createJwtManager", { enumerable: true, get: function () { return jwtManager_1.createJwtManager; } });
+// Token store implementations
+var tokenStore_1 = require("./tokenStore");
+Object.defineProperty(exports, "InMemoryTokenStore", { enumerable: true, get: function () { return tokenStore_1.InMemoryTokenStore; } });
+Object.defineProperty(exports, "createInMemoryTokenStore", { enumerable: true, get: function () { return tokenStore_1.createInMemoryTokenStore; } });
+var types_1 = require("./types");
+Object.defineProperty(exports, "JwtErrorCode", { enumerable: true, get: function () { return types_1.JwtErrorCode; } });
+// Errors
+var errors_1 = require("./errors");
+Object.defineProperty(exports, "JwtError", { enumerable: true, get: function () { return errors_1.JwtError; } });
+Object.defineProperty(exports, "JwtExpiredError", { enumerable: true, get: function () { return errors_1.JwtExpiredError; } });
+Object.defineProperty(exports, "JwtRevokedError", { enumerable: true, get: function () { return errors_1.JwtRevokedError; } });
+Object.defineProperty(exports, "JwtReplayError", { enumerable: true, get: function () { return errors_1.JwtReplayError; } });
+Object.defineProperty(exports, "JwtInvalidSignatureError", { enumerable: true, get: function () { return errors_1.JwtInvalidSignatureError; } });
+Object.defineProperty(exports, "JwtInvalidClaimsError", { enumerable: true, get: function () { return errors_1.JwtInvalidClaimsError; } });
+Object.defineProperty(exports, "JwtMalformedError", { enumerable: true, get: function () { return errors_1.JwtMalformedError; } });
+Object.defineProperty(exports, "JwtErrors", { enumerable: true, get: function () { return errors_1.JwtErrors; } });
+Object.defineProperty(exports, "isJwtError", { enumerable: true, get: function () { return errors_1.isJwtError; } });
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,eAAe;AACf,2CAA4D;AAAnD,wGAAA,UAAU,OAAA;AAAE,8GAAA,gBAAgB,OAAA;AAErC,8BAA8B;AAC9B,2CAA4E;AAAnE,gHAAA,kBAAkB,OAAA;AAAE,sHAAA,wBAAwB,OAAA;AAYrD,iCAAuC;AAA9B,qGAAA,YAAY,OAAA;AAErB,SAAS;AACT,mCAUkB;AATd,kGAAA,QAAQ,OAAA;AACR,yGAAA,eAAe,OAAA;AACf,yGAAA,eAAe,OAAA;AACf,wGAAA,cAAc,OAAA;AACd,kHAAA,wBAAwB,OAAA;AACxB,+GAAA,qBAAqB,OAAA;AACrB,2GAAA,iBAAiB,OAAA;AACjB,mGAAA,SAAS,OAAA;AACT,oGAAA,UAAU,OAAA"}

package/dist/jwtManager.d.ts

@@ -0,0 +1,78 @@
+import type { JwtManagerConfig, JwtPayload, SignOptions, VerifyOptions, VerifyResult } from './types';
+/**
+ * High-performance JWT manager with JTI validation.
+ * Implements secure token lifecycle with revocation support.
+ */
+export declare class JwtManager {
+    private readonly algorithm;
+    private readonly secret?;
+    private readonly privateKey?;
+    private readonly publicKey?;
+    private readonly tokenStore;
+    private readonly defaultExpiresIn;
+    constructor(config: JwtManagerConfig);
+    /**
+     * Validate configuration on initialization.
+     */
+    private validateConfig;
+    /**
+     * Get the signing key based on algorithm type.
+     */
+    private getSigningKey;
+    /**
+     * Get the verification key based on algorithm type.
+     */
+    private getVerifyKey;
+    /**
+     * Sign a new JWT with auto-injected jti, iat, exp claims.
+     * All tokens include required security claims (jti, aud, iss, exp).
+     */
+    sign(options: SignOptions): string;
+    /**
+     * Verify a JWT's signature, expiry, and JTI status.
+     * Returns decoded payload if valid.
+     * @throws {JwtExpiredError} Token has expired
+     * @throws {JwtRevokedError} Token JTI is in denylist
+     * @throws {JwtReplayError} One-time token already used
+     * @throws {JwtInvalidSignatureError} Signature verification failed
+     * @throws {JwtInvalidClaimsError} Required claims missing/invalid
+     * @throws {JwtMalformedError} Token cannot be decoded
+     */
+    verify(token: string, options?: VerifyOptions): Promise<VerifyResult>;
+    /**
+     * Validate that required claims are present in the payload.
+     */
+    private validateRequiredClaims;
+    /**
+     * Revoke a token by adding its JTI to the denylist.
+     * Token will be rejected on future verification attempts.
+     * @param jti - The JWT ID to revoke
+     * @param expiresAt - When this revocation can be removed (should match token exp)
+     */
+    revoke(jti: string, expiresAt: number): Promise<void>;
+    /**
+     * Revoke a token by decoding it and extracting the JTI.
+     * @param token - The JWT string to revoke
+     */
+    revokeToken(token: string): Promise<void>;
+    /**
+     * Decode a JWT without verification.
+     * Use for inspection only, never trust the payload without verification.
+     */
+    decode(token: string): JwtPayload | null;
+    /**
+     * Check if a specific JTI has been revoked.
+     */
+    isRevoked(jti: string): Promise<boolean>;
+    /**
+     * Unrevoke a token by removing its JTI from the denylist.
+     * Use with caution - this re-enables a previously revoked token.
+     */
+    unrevoke(jti: string): Promise<void>;
+}
+/**
+ * Create a new JwtManager instance.
+ * Factory function for convenience.
+ */
+export declare function createJwtManager(config: JwtManagerConfig): JwtManager;
+//# sourceMappingURL=jwtManager.d.ts.map

package/dist/jwtManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtManager.d.ts","sourceRoot":"","sources":["../src/jwtManager.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAER,gBAAgB,EAChB,UAAU,EACV,WAAW,EAEX,aAAa,EACb,YAAY,EACf,MAAM,SAAS,CAAC;AAcjB;;;GAGG;AACH,qBAAa,UAAU;IACnB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAS;gBAE9B,MAAM,EAAE,gBAAgB;IAWpC;;OAEG;IACH,OAAO,CAAC,cAAc;IAiBtB;;OAEG;IACH,OAAO,CAAC,aAAa;IAIrB;;OAEG;IACH,OAAO,CAAC,YAAY;IAIpB;;;OAGG;IACH,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,MAAM;IA0BlC;;;;;;;;;OASG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC;IA8D3E;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAe9B;;;;;OAKG;IACG,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI3D;;;OAGG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQ/C;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;IASxC;;OAEG;IACG,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI9C;;;OAGG;IACG,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG7C;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,gBAAgB,GAAG,UAAU,CAErE"}

package/dist/jwtManager.js

@@ -0,0 +1,251 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtManager = void 0;
+exports.createJwtManager = createJwtManager;
+const jsonwebtoken_1 = __importStar(require("jsonwebtoken"));
+const ulid_1 = require("ulid");
+const errors_1 = require("./errors");
+const tokenStore_1 = require("./tokenStore");
+/** One-time token marker in payload */
+const ONE_TIME_TOKEN_KEY = '_ott';
+/**
+ * High-performance JWT manager with JTI validation.
+ * Implements secure token lifecycle with revocation support.
+ */
+class JwtManager {
+    constructor(config) {
+        this.algorithm = config.algorithm;
+        this.secret = config.secret;
+        this.privateKey = config.privateKey;
+        this.publicKey = config.publicKey;
+        this.tokenStore = config.tokenStore ?? new tokenStore_1.InMemoryTokenStore();
+        this.defaultExpiresIn = config.defaultExpiresIn ?? 3600;
+        this.validateConfig();
+    }
+    /**
+     * Validate configuration on initialization.
+     */
+    validateConfig() {
+        const isHmac = this.algorithm.startsWith('HS');
+        if (isHmac) {
+            if (!this.secret) {
+                throw new Error(`HMAC algorithm ${this.algorithm} requires a secret`);
+            }
+        }
+        else {
+            if (!this.privateKey) {
+                throw new Error(`Asymmetric algorithm ${this.algorithm} requires a privateKey`);
+            }
+            if (!this.publicKey) {
+                throw new Error(`Asymmetric algorithm ${this.algorithm} requires a publicKey`);
+            }
+        }
+    }
+    /**
+     * Get the signing key based on algorithm type.
+     */
+    getSigningKey() {
+        return this.algorithm.startsWith('HS') ? this.secret : this.privateKey;
+    }
+    /**
+     * Get the verification key based on algorithm type.
+     */
+    getVerifyKey() {
+        return this.algorithm.startsWith('HS') ? this.secret : this.publicKey;
+    }
+    /**
+     * Sign a new JWT with auto-injected jti, iat, exp claims.
+     * All tokens include required security claims (jti, aud, iss, exp).
+     */
+    sign(options) {
+        const now = Math.floor(Date.now() / 1000);
+        const expiresIn = options.expiresIn ?? this.defaultExpiresIn;
+        const payload = {
+            ...options.claims,
+            jti: (0, ulid_1.ulid)(),
+            aud: options.audience,
+            iss: options.issuer,
+            iat: now,
+            exp: now + expiresIn,
+        };
+        if (options.subject) {
+            payload.sub = options.subject;
+        }
+        if (options.oneTimeToken) {
+            payload[ONE_TIME_TOKEN_KEY] = true;
+        }
+        return jsonwebtoken_1.default.sign(payload, this.getSigningKey(), {
+            algorithm: this.algorithm,
+        });
+    }
+    /**
+     * Verify a JWT's signature, expiry, and JTI status.
+     * Returns decoded payload if valid.
+     * @throws {JwtExpiredError} Token has expired
+     * @throws {JwtRevokedError} Token JTI is in denylist
+     * @throws {JwtReplayError} One-time token already used
+     * @throws {JwtInvalidSignatureError} Signature verification failed
+     * @throws {JwtInvalidClaimsError} Required claims missing/invalid
+     * @throws {JwtMalformedError} Token cannot be decoded
+     */
+    async verify(token, options) {
+        let payload;
+        try {
+            const verifyOpts = {
+                algorithms: [this.algorithm],
+                clockTolerance: options?.clockTolerance ?? 0,
+            };
+            if (options?.audience !== undefined) {
+                // eslint-disable-next-line @typescript-eslint/no-explicit-any
+                verifyOpts.audience = options.audience;
+            }
+            if (options?.issuer !== undefined) {
+                verifyOpts.issuer = options.issuer;
+            }
+            payload = jsonwebtoken_1.default.verify(token, this.getVerifyKey(), verifyOpts);
+        }
+        catch (error) {
+            if (error instanceof jsonwebtoken_1.TokenExpiredError) {
+                throw new errors_1.JwtExpiredError(error.expiredAt);
+            }
+            if (error instanceof jsonwebtoken_1.JsonWebTokenError) {
+                if (error.message.includes('invalid signature')) {
+                    throw new errors_1.JwtInvalidSignatureError();
+                }
+                if (error.message.includes('jwt malformed')) {
+                    throw new errors_1.JwtMalformedError();
+                }
+                throw new errors_1.JwtMalformedError(error.message);
+            }
+            if (error instanceof jsonwebtoken_1.NotBeforeError) {
+                throw new errors_1.JwtInvalidClaimsError('nbf', 'Token not yet valid');
+            }
+            throw error;
+        }
+        // Validate required claims
+        this.validateRequiredClaims(payload);
+        // Check if JTI is revoked
+        const isRevoked = await this.tokenStore.has(payload.jti);
+        if (isRevoked) {
+            const isOneTimeToken = payload[ONE_TIME_TOKEN_KEY] === true;
+            if (isOneTimeToken) {
+                throw new errors_1.JwtReplayError(payload.jti);
+            }
+            throw new errors_1.JwtRevokedError(payload.jti);
+        }
+        // Handle one-time tokens - mark as used after first verification
+        const isOneTimeToken = payload[ONE_TIME_TOKEN_KEY] === true;
+        if (isOneTimeToken) {
+            await this.tokenStore.add(payload.jti, payload.exp);
+        }
+        return {
+            payload,
+            isOneTimeToken,
+        };
+    }
+    /**
+     * Validate that required claims are present in the payload.
+     */
+    validateRequiredClaims(payload) {
+        if (!payload.jti) {
+            throw new errors_1.JwtInvalidClaimsError('jti', 'Missing required claim');
+        }
+        if (!payload.aud) {
+            throw new errors_1.JwtInvalidClaimsError('aud', 'Missing required claim');
+        }
+        if (!payload.iss) {
+            throw new errors_1.JwtInvalidClaimsError('iss', 'Missing required claim');
+        }
+        if (typeof payload.exp !== 'number') {
+            throw new errors_1.JwtInvalidClaimsError('exp', 'Missing or invalid');
+        }
+    }
+    /**
+     * Revoke a token by adding its JTI to the denylist.
+     * Token will be rejected on future verification attempts.
+     * @param jti - The JWT ID to revoke
+     * @param expiresAt - When this revocation can be removed (should match token exp)
+     */
+    async revoke(jti, expiresAt) {
+        await this.tokenStore.add(jti, expiresAt);
+    }
+    /**
+     * Revoke a token by decoding it and extracting the JTI.
+     * @param token - The JWT string to revoke
+     */
+    async revokeToken(token) {
+        const payload = this.decode(token);
+        if (!payload || !payload.jti || typeof payload.exp !== 'number') {
+            throw new errors_1.JwtMalformedError('Cannot revoke token: invalid or missing claims');
+        }
+        await this.revoke(payload.jti, payload.exp);
+    }
+    /**
+     * Decode a JWT without verification.
+     * Use for inspection only, never trust the payload without verification.
+     */
+    decode(token) {
+        try {
+            const decoded = jsonwebtoken_1.default.decode(token, { json: true });
+            return decoded;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Check if a specific JTI has been revoked.
+     */
+    async isRevoked(jti) {
+        return this.tokenStore.has(jti);
+    }
+    /**
+     * Unrevoke a token by removing its JTI from the denylist.
+     * Use with caution - this re-enables a previously revoked token.
+     */
+    async unrevoke(jti) {
+        await this.tokenStore.remove(jti);
+    }
+}
+exports.JwtManager = JwtManager;
+/**
+ * Create a new JwtManager instance.
+ * Factory function for convenience.
+ */
+function createJwtManager(config) {
+    return new JwtManager(config);
+}
+//# sourceMappingURL=jwtManager.js.map

package/dist/jwtManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwtManager.js","sourceRoot":"","sources":["../src/jwtManager.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgQA,4CAEC;AAlQD,6DAAyF;AACzF,+BAA4B;AAU5B,qCAOkB;AAClB,6CAAkD;AAElD,uCAAuC;AACvC,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC;;;GAGG;AACH,MAAa,UAAU;IAQnB,YAAY,MAAwB;QAChC,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QAClC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QACpC,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QAClC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,+BAAkB,EAAE,CAAC;QAChE,IAAI,CAAC,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,IAAI,IAAI,CAAC;QAExD,IAAI,CAAC,cAAc,EAAE,CAAC;IAC1B,CAAC;IAED;;OAEG;IACK,cAAc;QAClB,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAE/C,IAAI,MAAM,EAAE,CAAC;YACT,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC,kBAAkB,IAAI,CAAC,SAAS,oBAAoB,CAAC,CAAC;YAC1E,CAAC;QACL,CAAC;aAAM,CAAC;YACJ,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;gBACnB,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,CAAC,SAAS,wBAAwB,CAAC,CAAC;YACpF,CAAC;YACD,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,wBAAwB,IAAI,CAAC,SAAS,uBAAuB,CAAC,CAAC;YACnF,CAAC;QACL,CAAC;IACL,CAAC;IAED;;OAEG;IACK,aAAa;QACjB,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAO,CAAC,CAAC,CAAC,IAAI,CAAC,UAAW,CAAC;IAC7E,CAAC;IAED;;OAEG;IACK,YAAY;QAChB,OAAO,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAU,CAAC;IAC5E,CAAC;IAED;;;OAGG;IACH,IAAI,CAAC,OAAoB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,IAAI,CAAC,gBAAgB,CAAC;QAE7D,MAAM,OAAO,GAA4B;YACrC,GAAG,OAAO,CAAC,MAAM;YACjB,GAAG,EAAE,IAAA,WAAI,GAAE;YACX,GAAG,EAAE,OAAO,CAAC,QAAQ;YACrB,GAAG,EAAE,OAAO,CAAC,MAAM;YACnB,GAAG,EAAE,GAAG;YACR,GAAG,EAAE,GAAG,GAAG,SAAS;SACvB,CAAC;QAEF,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC;QAClC,CAAC;QAED,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACvB,OAAO,CAAC,kBAAkB,CAAC,GAAG,IAAI,CAAC;QACvC,CAAC;QAED,OAAO,sBAAG,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,EAAE,EAAE;YAC3C,SAAS,EAAE,IAAI,CAAC,SAAS;SAC5B,CAAC,CAAC;IACP,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,MAAM,CAAC,KAAa,EAAE,OAAuB;QAC/C,IAAI,OAAmB,CAAC;QAExB,IAAI,CAAC;YACD,MAAM,UAAU,GAAsB;gBAClC,UAAU,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC;gBAC5B,cAAc,EAAE,OAAO,EAAE,cAAc,IAAI,CAAC;aAC/C,CAAC;YAEF,IAAI,OAAO,EAAE,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAClC,8DAA8D;gBAC7D,UAAkB,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;YACpD,CAAC;YACD,IAAI,OAAO,EAAE,MAAM,KAAK,SAAS,EAAE,CAAC;gBAChC,UAAU,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;YACvC,CAAC;YAED,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,YAAY,EAAE,EAAE,UAAU,CAAe,CAAC;QAC/E,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,IAAI,KAAK,YAAY,gCAAiB,EAAE,CAAC;gBACrC,MAAM,IAAI,wBAAe,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAC/C,CAAC;YACD,IAAI,KAAK,YAAY,gCAAiB,EAAE,CAAC;gBACrC,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;oBAC9C,MAAM,IAAI,iCAAwB,EAAE,CAAC;gBACzC,CAAC;gBACD,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;oBAC1C,MAAM,IAAI,0BAAiB,EAAE,CAAC;gBAClC,CAAC;gBACD,MAAM,IAAI,0BAAiB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAC/C,CAAC;YACD,IAAI,KAAK,YAAY,6BAAc,EAAE,CAAC;gBAClC,MAAM,IAAI,8BAAqB,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;YAClE,CAAC;YACD,MAAM,KAAK,CAAC;QAChB,CAAC;QAED,2BAA2B;QAC3B,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAErC,0BAA0B;QAC1B,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACzD,IAAI,SAAS,EAAE,CAAC;YACZ,MAAM,cAAc,GAAG,OAAO,CAAC,kBAAkB,CAAC,KAAK,IAAI,CAAC;YAC5D,IAAI,cAAc,EAAE,CAAC;gBACjB,MAAM,IAAI,uBAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC1C,CAAC;YACD,MAAM,IAAI,wBAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC3C,CAAC;QAED,iEAAiE;QACjE,MAAM,cAAc,GAAG,OAAO,CAAC,kBAAkB,CAAC,KAAK,IAAI,CAAC;QAC5D,IAAI,cAAc,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QACxD,CAAC;QAED,OAAO;YACH,OAAO;YACP,cAAc;SACjB,CAAC;IACN,CAAC;IAED;;OAEG;IACK,sBAAsB,CAAC,OAAmB;QAC9C,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACf,MAAM,IAAI,8BAAqB,CAAC,KAAK,EAAE,wBAAwB,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACf,MAAM,IAAI,8BAAqB,CAAC,KAAK,EAAE,wBAAwB,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACf,MAAM,IAAI,8BAAqB,CAAC,KAAK,EAAE,wBAAwB,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,8BAAqB,CAAC,KAAK,EAAE,oBAAoB,CAAC,CAAC;QACjE,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,MAAM,CAAC,GAAW,EAAE,SAAiB;QACvC,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC9C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAW,CAAC,KAAa;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC9D,MAAM,IAAI,0BAAiB,CAAC,gDAAgD,CAAC,CAAC;QAClF,CAAC;QACD,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAChD,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAa;QAChB,IAAI,CAAC;YACD,MAAM,OAAO,GAAG,sBAAG,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAClD,OAAO,OAA4B,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,SAAS,CAAC,GAAW;QACvB,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,QAAQ,CAAC,GAAW;QACtB,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACtC,CAAC;CACJ;AA9ND,gCA8NC;AAED;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,MAAwB;IACrD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC"}

package/dist/tokenStore.d.ts

@@ -0,0 +1,53 @@
+import type { TokenStore } from './types';
+/**
+ * In-memory implementation of TokenStore.
+ * Suitable for development and single-instance deployments.
+ * For production with multiple instances, use Redis or PostgreSQL.
+ */
+export declare class InMemoryTokenStore implements TokenStore {
+    private readonly store;
+    private cleanupInterval;
+    /**
+     * Create a new InMemoryTokenStore.
+     * @param autoCleanupInterval - Interval in ms to auto-cleanup expired entries (default: 60000)
+     */
+    constructor(autoCleanupInterval?: number);
+    /**
+     * Add a JTI to the denylist with expiration time.
+     */
+    add(jti: string, expiresAt: number): Promise<void>;
+    /**
+     * Check if a JTI is in the denylist and not expired.
+     */
+    has(jti: string): Promise<boolean>;
+    /**
+     * Remove a JTI from the denylist.
+     */
+    remove(jti: string): Promise<void>;
+    /**
+     * Remove all expired entries from the store.
+     */
+    cleanup(): Promise<void>;
+    /**
+     * Get the current size of the denylist.
+     */
+    size(): number;
+    /**
+     * Clear all entries from the store.
+     */
+    clear(): void;
+    /**
+     * Stop the automatic cleanup interval.
+     */
+    destroy(): void;
+    /**
+     * Start automatic cleanup of expired entries.
+     */
+    private startAutoCleanup;
+}
+/**
+ * Create a new InMemoryTokenStore instance.
+ * Factory function for convenience.
+ */
+export declare function createInMemoryTokenStore(autoCleanupInterval?: number): InMemoryTokenStore;
+//# sourceMappingURL=tokenStore.d.ts.map

package/dist/tokenStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenStore.d.ts","sourceRoot":"","sources":["../src/tokenStore.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAE1C;;;;GAIG;AACH,qBAAa,kBAAmB,YAAW,UAAU;IACjD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAkC;IACxD,OAAO,CAAC,eAAe,CAA+C;IAEtE;;;OAGG;gBACS,mBAAmB,GAAE,MAAc;IAM/C;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxD;;OAEG;IACG,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAgBxC;;OAEG;IACG,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIxC;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAS9B;;OAEG;IACH,IAAI,IAAI,MAAM;IAId;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACH,OAAO,IAAI,IAAI;IAOf;;OAEG;IACH,OAAO,CAAC,gBAAgB;CAY3B;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,mBAAmB,CAAC,EAAE,MAAM,GAAG,kBAAkB,CAEzF"}

package/dist/tokenStore.js

@@ -0,0 +1,105 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InMemoryTokenStore = void 0;
+exports.createInMemoryTokenStore = createInMemoryTokenStore;
+/**
+ * In-memory implementation of TokenStore.
+ * Suitable for development and single-instance deployments.
+ * For production with multiple instances, use Redis or PostgreSQL.
+ */
+class InMemoryTokenStore {
+    /**
+     * Create a new InMemoryTokenStore.
+     * @param autoCleanupInterval - Interval in ms to auto-cleanup expired entries (default: 60000)
+     */
+    constructor(autoCleanupInterval = 60000) {
+        this.store = new Map();
+        this.cleanupInterval = null;
+        if (autoCleanupInterval > 0) {
+            this.startAutoCleanup(autoCleanupInterval);
+        }
+    }
+    /**
+     * Add a JTI to the denylist with expiration time.
+     */
+    async add(jti, expiresAt) {
+        this.store.set(jti, expiresAt);
+    }
+    /**
+     * Check if a JTI is in the denylist and not expired.
+     */
+    async has(jti) {
+        const expiresAt = this.store.get(jti);
+        if (expiresAt === undefined) {
+            return false;
+        }
+        const now = Math.floor(Date.now() / 1000);
+        if (expiresAt < now) {
+            // Entry has expired, remove it
+            this.store.delete(jti);
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Remove a JTI from the denylist.
+     */
+    async remove(jti) {
+        this.store.delete(jti);
+    }
+    /**
+     * Remove all expired entries from the store.
+     */
+    async cleanup() {
+        const now = Math.floor(Date.now() / 1000);
+        for (const [jti, expiresAt] of this.store.entries()) {
+            if (expiresAt < now) {
+                this.store.delete(jti);
+            }
+        }
+    }
+    /**
+     * Get the current size of the denylist.
+     */
+    size() {
+        return this.store.size;
+    }
+    /**
+     * Clear all entries from the store.
+     */
+    clear() {
+        this.store.clear();
+    }
+    /**
+     * Stop the automatic cleanup interval.
+     */
+    destroy() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = null;
+        }
+    }
+    /**
+     * Start automatic cleanup of expired entries.
+     */
+    startAutoCleanup(intervalMs) {
+        this.cleanupInterval = setInterval(() => {
+            this.cleanup().catch(() => {
+                // Ignore cleanup errors in background task
+            });
+        }, intervalMs);
+        // Allow the process to exit even if cleanup is scheduled
+        if (this.cleanupInterval.unref) {
+            this.cleanupInterval.unref();
+        }
+    }
+}
+exports.InMemoryTokenStore = InMemoryTokenStore;
+/**
+ * Create a new InMemoryTokenStore instance.
+ * Factory function for convenience.
+ */
+function createInMemoryTokenStore(autoCleanupInterval) {
+    return new InMemoryTokenStore(autoCleanupInterval);
+}
+//# sourceMappingURL=tokenStore.js.map

package/dist/tokenStore.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenStore.js","sourceRoot":"","sources":["../src/tokenStore.ts"],"names":[],"mappings":";;;AA+GA,4DAEC;AA/GD;;;;GAIG;AACH,MAAa,kBAAkB;IAI3B;;;OAGG;IACH,YAAY,sBAA8B,KAAK;QAP9B,UAAK,GAAwB,IAAI,GAAG,EAAE,CAAC;QAChD,oBAAe,GAA0C,IAAI,CAAC;QAOlE,IAAI,mBAAmB,GAAG,CAAC,EAAE,CAAC;YAC1B,IAAI,CAAC,gBAAgB,CAAC,mBAAmB,CAAC,CAAC;QAC/C,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,SAAiB;QACpC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC1B,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,SAAS,GAAG,GAAG,EAAE,CAAC;YAClB,+BAA+B;YAC/B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO;QACT,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,KAAK,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YAClD,IAAI,SAAS,GAAG,GAAG,EAAE,CAAC;gBAClB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;QACL,CAAC;IACL,CAAC;IAED;;OAEG;IACH,IAAI;QACA,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IAC3B,CAAC;IAED;;OAEG;IACH,KAAK;QACD,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,OAAO;QACH,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACvB,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;QAChC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,UAAkB;QACvC,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE;YACpC,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;gBACtB,2CAA2C;YAC/C,CAAC,CAAC,CAAC;QACP,CAAC,EAAE,UAAU,CAAC,CAAC;QAEf,yDAAyD;QACzD,IAAI,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAC7B,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QACjC,CAAC;IACL,CAAC;CACJ;AAlGD,gDAkGC;AAED;;;GAGG;AACH,SAAgB,wBAAwB,CAAC,mBAA4B;IACjE,OAAO,IAAI,kBAAkB,CAAC,mBAAmB,CAAC,CAAC;AACvD,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,120 @@
+import type { JwtPayload as BaseJwtPayload } from 'jsonwebtoken';
+/**
+ * Supported signing algorithms.
+ * RS256/ES256 preferred for shared environments.
+ */
+export type Algorithm = 'HS256' | 'HS384' | 'HS512' | 'RS256' | 'RS384' | 'RS512' | 'ES256' | 'ES384' | 'ES512';
+/**
+ * JWT payload with required security claims.
+ * All tokens MUST include jti, aud, iss, and exp.
+ */
+export interface JwtPayload extends BaseJwtPayload {
+    /** JWT ID - unique identifier for this token (ULID) */
+    jti: string;
+    /** Audience - intended recipient(s) of the token */
+    aud: string | string[];
+    /** Issuer - who issued this token */
+    iss: string;
+    /** Expiration time (Unix timestamp) */
+    exp: number;
+    /** Issued at (Unix timestamp) */
+    iat: number;
+    /** Subject - typically the user ID */
+    sub?: string;
+    /** Custom claims */
+    [key: string]: unknown;
+}
+/**
+ * Options for signing a new token.
+ */
+export interface SignOptions {
+    /** Token subject (e.g., user ID) */
+    subject?: string;
+    /** Token audience */
+    audience: string | string[];
+    /** Token issuer */
+    issuer: string;
+    /** Expiration time in seconds (default: 3600) */
+    expiresIn?: number;
+    /** Additional custom claims */
+    claims?: Record<string, unknown>;
+    /** Enable one-time token mode (JTI added to denylist after first use) */
+    oneTimeToken?: boolean;
+}
+/**
+ * Options for verifying a token.
+ */
+export interface VerifyOptions {
+    /** Expected audience(s) */
+    audience?: string | string[];
+    /** Expected issuer */
+    issuer?: string;
+    /** Clock tolerance in seconds for exp/nbf checks */
+    clockTolerance?: number;
+}
+/**
+ * Result of a successful token verification.
+ */
+export interface VerifyResult {
+    /** Decoded payload */
+    payload: JwtPayload;
+    /** Whether this is a one-time token */
+    isOneTimeToken: boolean;
+}
+/**
+ * Configuration for JwtManager.
+ */
+export interface JwtManagerConfig {
+    /** Signing algorithm (default: RS256) */
+    algorithm: Algorithm;
+    /** Secret key for HMAC algorithms (HS256, HS384, HS512) */
+    secret?: string;
+    /** Private key for RSA/EC algorithms (RS256, RS384, RS512, ES256, etc.) */
+    privateKey?: string;
+    /** Public key for RSA/EC algorithms (RS256, RS384, RS512, ES256, etc.) */
+    publicKey?: string;
+    /** Token store for JTI denylist */
+    tokenStore?: TokenStore;
+    /** Default token expiration in seconds (default: 3600) */
+    defaultExpiresIn?: number;
+}
+/**
+ * Abstract interface for JTI storage (denylist/whitelist).
+ * Implementations can use Redis, PostgreSQL, or in-memory storage.
+ */
+export interface TokenStore {
+    /**
+     * Add a JTI to the denylist.
+     * @param jti - The JWT ID to blacklist
+     * @param expiresAt - Unix timestamp when this entry can be removed
+     */
+    add(jti: string, expiresAt: number): Promise<void>;
+    /**
+     * Check if a JTI is in the denylist.
+     * @param jti - The JWT ID to check
+     * @returns true if JTI is blacklisted
+     */
+    has(jti: string): Promise<boolean>;
+    /**
+     * Remove a JTI from the denylist.
+     * @param jti - The JWT ID to remove
+     */
+    remove(jti: string): Promise<void>;
+    /**
+     * Clean up expired entries from the store.
+     * Should be called periodically.
+     */
+    cleanup(): Promise<void>;
+}
+/**
+ * Error codes for JWT operations.
+ */
+export declare enum JwtErrorCode {
+    EXPIRED = "ERR_JWT_EXPIRED",
+    REVOKED = "ERR_JWT_REVOKED",
+    REPLAY = "ERR_JWT_REPLAY",
+    INVALID_SIGNATURE = "ERR_JWT_INVALID_SIGNATURE",
+    INVALID_CLAIMS = "ERR_JWT_INVALID_CLAIMS",
+    MALFORMED = "ERR_JWT_MALFORMED"
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,IAAI,cAAc,EAAE,MAAM,cAAc,CAAC;AAEjE;;;GAGG;AACH,MAAM,MAAM,SAAS,GACf,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,GACP,OAAO,CAAC;AAEd;;;GAGG;AACH,MAAM,WAAW,UAAW,SAAQ,cAAc;IAC9C,uDAAuD;IACvD,GAAG,EAAE,MAAM,CAAC;IACZ,oDAAoD;IACpD,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvB,qCAAqC;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,sCAAsC;IACtC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,oBAAoB;IACpB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,oCAAoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,qBAAqB;IACrB,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC5B,mBAAmB;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,iDAAiD;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+BAA+B;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,yEAAyE;IACzE,YAAY,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC1B,2BAA2B;IAC3B,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,sBAAsB;IACtB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,oDAAoD;IACpD,cAAc,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IACzB,sBAAsB;IACtB,OAAO,EAAE,UAAU,CAAC;IACpB,uCAAuC;IACvC,cAAc,EAAE,OAAO,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC7B,yCAAyC;IACzC,SAAS,EAAE,SAAS,CAAC;IACrB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0EAA0E;IAC1E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,0DAA0D;IAC1D,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACvB;;;;OAIG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnD;;;;OAIG;IACH,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEnC;;;OAGG;IACH,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEnC;;;OAGG;IACH,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CAC5B;AAED;;GAEG;AACH,oBAAY,YAAY;IACpB,OAAO,oBAAoB;IAC3B,OAAO,oBAAoB;IAC3B,MAAM,mBAAmB;IACzB,iBAAiB,8BAA8B;IAC/C,cAAc,2BAA2B;IACzC,SAAS,sBAAsB;CAClC"}

package/dist/types.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtErrorCode = void 0;
+/**
+ * Error codes for JWT operations.
+ */
+var JwtErrorCode;
+(function (JwtErrorCode) {
+    JwtErrorCode["EXPIRED"] = "ERR_JWT_EXPIRED";
+    JwtErrorCode["REVOKED"] = "ERR_JWT_REVOKED";
+    JwtErrorCode["REPLAY"] = "ERR_JWT_REPLAY";
+    JwtErrorCode["INVALID_SIGNATURE"] = "ERR_JWT_INVALID_SIGNATURE";
+    JwtErrorCode["INVALID_CLAIMS"] = "ERR_JWT_INVALID_CLAIMS";
+    JwtErrorCode["MALFORMED"] = "ERR_JWT_MALFORMED";
+})(JwtErrorCode || (exports.JwtErrorCode = JwtErrorCode = {}));
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":";;;AAgIA;;GAEG;AACH,IAAY,YAOX;AAPD,WAAY,YAAY;IACpB,2CAA2B,CAAA;IAC3B,2CAA2B,CAAA;IAC3B,yCAAyB,CAAA;IACzB,+DAA+C,CAAA;IAC/C,yDAAyC,CAAA;IACzC,+CAA+B,CAAA;AACnC,CAAC,EAPW,YAAY,4BAAZ,YAAY,QAOvB"}

package/package.json

@@ -0,0 +1,42 @@
+{
+    "name": "@bonapasogit-dev/jwt-manager",
+    "version": "1.0.0",
+    "description": "High-performance JWT lifecycle management with JTI validation",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/bonapasogit-dev/bonatools.git"
+    },
+    "files": [
+        "dist"
+    ],
+    "scripts": {
+        "build": "npx tsc",
+        "test": "vitest run",
+        "test:watch": "vitest",
+        "prepublishOnly": "npm run build"
+    },
+    "keywords": [
+        "jwt",
+        "jti",
+        "token",
+        "authentication",
+        "security"
+    ],
+    "author": "",
+    "license": "MIT",
+    "dependencies": {
+        "jsonwebtoken": "^9.0.2",
+        "ulid": "^2.3.0"
+    },
+    "devDependencies": {
+        "@types/jsonwebtoken": "^9.0.6",
+        "@types/node": "^20.11.0",
+        "typescript": "^5.3.3",
+        "vitest": "^1.2.0"
+    },
+    "engines": {
+        "node": ">=18.0.0"
+    }
+}