@byearlybird/crypto 0.2.0 → 0.4.0

package/dist/index.d.mts

@@ -10,6 +10,25 @@ type AuthPayload = {
   timestamp: number;
   bodyHash?: string;
 };
+type ParseSuccess = {
+  ok: true;
+  data: AuthPayload;
+  signature: string;
+};
+type ParseFailure = {
+  ok: false;
+  message: string;
+};
+type ParseResult = ParseSuccess | ParseFailure;
+type ValidateSuccess = {
+  ok: true;
+  data: AuthPayload;
+};
+type ValidateFailure = {
+  ok: false;
+  message: string;
+};
+type ValidateResult = ValidateSuccess | ValidateFailure;
 declare function deriveVaultId(publicKeyB64: string): Promise<string>;
 declare function createAuthHeader(args: {
   vaultId: string;
@@ -18,10 +37,14 @@ declare function createAuthHeader(args: {
   serializedBody?: string;
   privateKey: CryptoKey;
 }): Promise<string>;
-declare function parseAuthHeader(header: string): AuthPayload & {
-  signature: string;
-};
-declare function verifyAuthHeader(header: string, publicKey: CryptoKey): Promise<boolean>;
+declare function parseAuthHeader(header: string): ParseResult;
+declare function validateAuthPayload(payload: AuthPayload, options: {
+  vaultId: string;
+  method: string;
+  path: string;
+  ttl: number;
+  body?: string;
+}): Promise<ValidateResult>;
 //#endregion
 //#region src/encryption.d.ts
 declare function generateEncryptionKey(extractable?: boolean): Promise<crypto0.webcrypto.CryptoKey>;
@@ -44,4 +67,4 @@ declare function bytesToBase64(bytes: Uint8Array): string;
 declare function base64ToBytes(base64: string): Uint8Array;
 declare function hashString(value: string): Promise<string>;
 //#endregion
-export { AuthPayload, base64ToBytes, bytesToBase64, createAuthHeader, decrypt, deriveVaultId, encrypt, exportEncryptionKey, exportPrivateKey, exportPublicKey, generateEncryptionKey, generateSigningKeyPair, hashString, importEncryptionKey, importPrivateKey, importPublicKey, parseAuthHeader, sign, verify, verifyAuthHeader };
+export { AuthPayload, ParseFailure, ParseResult, ParseSuccess, ValidateFailure, ValidateResult, ValidateSuccess, base64ToBytes, bytesToBase64, createAuthHeader, decrypt, deriveVaultId, encrypt, exportEncryptionKey, exportPrivateKey, exportPublicKey, generateEncryptionKey, generateSigningKeyPair, hashString, importEncryptionKey, importPrivateKey, importPublicKey, parseAuthHeader, sign, validateAuthPayload, verify };

package/dist/index.mjs

@@ -1,6 +1,6 @@
 //#region src/signing.ts
 async function generateSigningKeyPair(extractable = false) {
-	return crypto.subtle.generateKey("Ed25519", extractable, ["sign", "verify"]);
+	return await crypto.subtle.generateKey("Ed25519", extractable, ["sign", "verify"]);
 }
 async function exportPublicKey(key) {
 	const spki = await crypto.subtle.exportKey("spki", key);
@@ -55,6 +55,49 @@ async function createAuthHeader(args) {
 	return makeAuthHeader(payload, await sign(makeCanonicalString(payload), privateKey));
 }
 function parseAuthHeader(header) {
+	try {
+		return parseAuthHeaderInternal(header);
+	} catch {
+		return {
+			ok: false,
+			message: "Malformed auth header"
+		};
+	}
+}
+async function validateAuthPayload(payload, options) {
+	if (payload.vaultId !== options.vaultId) return {
+		ok: false,
+		message: "Vault id mismatch"
+	};
+	if (payload.method !== options.method) return {
+		ok: false,
+		message: "Method mismatch"
+	};
+	if (payload.pathWithQuery !== options.path) return {
+		ok: false,
+		message: "Path mismatch"
+	};
+	if (Math.abs(Date.now() - payload.timestamp) > options.ttl) return {
+		ok: false,
+		message: "Expired"
+	};
+	if (payload.bodyHash) {
+		if (!options.body) return {
+			ok: false,
+			message: "Body hash mismatch"
+		};
+		const serverHash = await hashString(options.body);
+		if (payload.bodyHash !== serverHash) return {
+			ok: false,
+			message: "Body hash mismatch"
+		};
+	}
+	return {
+		ok: true,
+		data: payload
+	};
+}
+function parseAuthHeaderInternal(header) {
 	const spaceIdx = header.indexOf(" ");
 	if (spaceIdx === -1) throw new Error("Malformed auth header: missing scheme separator");
 	const scheme = header.slice(0, spaceIdx);
@@ -75,22 +118,21 @@ function parseAuthHeader(header) {
 	if (!vid || !n || !m || !p || !t || !sig) throw new Error("Malformed auth header: missing required params");
 	const timestamp = Number(t);
 	if (Number.isNaN(timestamp)) throw new Error("Malformed auth header: timestamp is not a number");
-	const result = {
+	const data = {
 		scheme,
 		vaultId: vid,
 		nonce: n,
 		method: m,
 		pathWithQuery: p,
-		timestamp,
-		signature: sig
+		timestamp
 	};
 	const bh = params.get("bh");
-	if (bh) result.bodyHash = bh;
-	return result;
-}
-async function verifyAuthHeader(header, publicKey) {
-	const { signature,...payload } = parseAuthHeader(header);
-	return verify(makeCanonicalString(payload), signature, publicKey);
+	if (bh) data.bodyHash = bh;
+	return {
+		ok: true,
+		data,
+		signature: sig
+	};
 }
 async function generateAuthPayload(args) {
 	const { serializedBody,...rest } = args;
@@ -168,4 +210,4 @@ async function decrypt(encoded, key) {
 }
 
 //#endregion
-export { base64ToBytes, bytesToBase64, createAuthHeader, decrypt, deriveVaultId, encrypt, exportEncryptionKey, exportPrivateKey, exportPublicKey, generateEncryptionKey, generateSigningKeyPair, hashString, importEncryptionKey, importPrivateKey, importPublicKey, parseAuthHeader, sign, verify, verifyAuthHeader };
+export { base64ToBytes, bytesToBase64, createAuthHeader, decrypt, deriveVaultId, encrypt, exportEncryptionKey, exportPrivateKey, exportPublicKey, generateEncryptionKey, generateSigningKeyPair, hashString, importEncryptionKey, importPrivateKey, importPublicKey, parseAuthHeader, sign, validateAuthPayload, verify };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@byearlybird/crypto",
-	"version": "0.2.0",
+	"version": "0.4.0",
 	"description": "Lightweight E2EE toolkit for web apps - zero dependencies + vault key security",
 	"type": "module",
 	"license": "MIT",