@denodeio/seshat 0.0.32 → 0.0.34

package/build/mjs/dist/mjs/src/index.d.ts

@@ -1,36 +1,4 @@
-/// <reference types="node" />
-type JwsSignature = {
-    protected: string;
-    header: {
-        kid: string;
-    };
-    signature: string;
-};
-type JwsPayload = {
-    payload: string;
-    signatures: JwsSignature[];
-};
-type Keychain = {
-    algorithm: string;
-    value: Buffer;
-};
-type JwtPayload<T> = {
-    iss: string;
-    exp: number;
-    jti: string;
-    event: {
-        name: string;
-        record: T;
-    };
-    iat: number;
-};
+export * from "./middleware";
 export * from "./signer";
-type OptionsInput = {
-    fieldName?: string;
-    barongJwtPublicKey?: string;
-    jwtPublicKey?: string;
-    issuer?: string;
-};
-export declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
-export declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
-export declare const validateJws: <T>(key: Keychain, input: JwsPayload) => JwtPayload<T> | undefined;
+export * from "./validate";
+export * from "./types";

package/build/mjs/dist/mjs/src/middleware/index.d.ts

@@ -0,0 +1,9 @@
+export declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
+type OptionsInput = {
+    fieldName?: string;
+    barongJwtPublicKey?: string;
+    jwtPublicKey?: string;
+    issuer?: string;
+};
+export declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
+export {};

package/build/mjs/dist/mjs/src/types.d.ts

@@ -0,0 +1,6 @@
+import { PublicKey, Secret } from "jsonwebtoken";
+export type Key = {
+    algorithm: string;
+    value: Secret | PublicKey;
+};
+export type Keychain = Map<string, Key>;

package/build/mjs/dist/mjs/src/utils.d.ts

@@ -0,0 +1,7 @@
+type ProtectedHeader = {
+    alg: string;
+    typ: string;
+};
+export declare const base64Decode: (base64: string) => string;
+export declare const parseProtectedHeader: (protectedHeader: string) => ProtectedHeader;
+export {};

package/build/mjs/dist/mjs/src/validate.d.ts

@@ -0,0 +1,28 @@
+import { Key, Keychain } from "./types";
+type JwsSignature = {
+    protected: string;
+    header: {
+        kid: string;
+    };
+    signature: string;
+};
+type JwsPayload = {
+    payload: string;
+    signatures: JwsSignature[];
+};
+type JwtPayload<T> = {
+    iss: string;
+    exp: number;
+    jti: string;
+    event: {
+        name: string;
+        record: T;
+    };
+    iat: number;
+};
+export declare const validateJws: <T>(key: Key, input: JwsPayload) => JwtPayload<T> | undefined;
+export declare const validateJwsMultisig: <T>(keychain: Keychain, input: JwsPayload) => {
+    verified: string[];
+    unverified: string[];
+};
+export {};

package/build/mjs/index.d.ts

@@ -1,4 +1,14 @@
-/// <reference types="node" />
+import { Secret, PublicKey } from 'jsonwebtoken';
+
+declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
+type OptionsInput = {
+    fieldName?: string;
+    barongJwtPublicKey?: string;
+    jwtPublicKey?: string;
+    issuer?: string;
+};
+declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
+
 type SignJwsResponse = {
     payload: string;
     signatures: {
@@ -13,6 +23,12 @@ declare function signJws(payload: string, options: any): SignJwsResponse;
 declare function signPayload(payload: any, options: any): string;
 declare function signData(payload: object, options: any): SignJwsResponse;
 
+type Key = {
+    algorithm: string;
+    value: Secret | PublicKey;
+};
+type Keychain = Map<string, Key>;
+
 type JwsSignature = {
     protected: string;
     header: {
@@ -24,10 +40,6 @@ type JwsPayload = {
     payload: string;
     signatures: JwsSignature[];
 };
-type Keychain = {
-    algorithm: string;
-    value: Buffer;
-};
 type JwtPayload<T> = {
     iss: string;
     exp: number;
@@ -38,15 +50,10 @@ type JwtPayload<T> = {
     };
     iat: number;
 };
-
-type OptionsInput = {
-    fieldName?: string;
-    barongJwtPublicKey?: string;
-    jwtPublicKey?: string;
-    issuer?: string;
+declare const validateJws: <T>(key: Key, input: JwsPayload) => JwtPayload<T> | undefined;
+declare const validateJwsMultisig: <T>(keychain: Keychain, input: JwsPayload) => {
+    verified: string[];
+    unverified: string[];
 };
-declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
-declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
-declare const validateJws: <T>(key: Keychain, input: JwsPayload) => JwtPayload<T> | undefined;
 
-export { managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws };
+export { type Key, type Keychain, managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws, validateJwsMultisig };

package/build/mjs/index.js

@@ -6507,6 +6507,33 @@ function signData(payload, options) {
     return signJws(signedPayload, options);
 }
 
+const managementSigner = function (options) {
+    if (!options.privateKey)
+        throw new Error("Application's private key should be set");
+    const middleware = function (req, res, next) {
+        if (!req.management.payload)
+            console.error("No payload to be signed");
+        const payload = req.management.payload;
+        let signedPayload;
+        try {
+            signedPayload = signPayload(payload, options);
+        }
+        catch (error) {
+            res.status(403);
+            res.send(`Unable to sign payload: ${error}`);
+            return;
+        }
+        try {
+            req.body = signJws(signedPayload, options);
+        }
+        catch (error) {
+            res.status(403);
+            res.send(`Unable to correctly format signed payload: ${error}`);
+        }
+        next();
+    };
+    return middleware;
+};
 const sessionVerifier = function (options) {
     const { fieldName = "session", ...actualOptions } = options;
     if (!options || (!options.barongJwtPublicKey && !options.jwtPublicKey)) {
@@ -6528,6 +6555,9 @@ const sessionVerifier = function (options) {
             res.send("Signature verification raised: Authorization header is missing or malformed");
             return;
         }
+        if (!jwtPublicKey) {
+            throw new Error("JWT Public key should be set");
+        }
         try {
             req[fieldName] = jwt.verify(authHeader, jwtPublicKey, verificationOptions);
         }
@@ -6540,39 +6570,14 @@ const sessionVerifier = function (options) {
     };
     return middleware;
 };
-const managementSigner = function (options) {
-    if (!options.privateKey)
-        throw new Error("Application's private key should be set");
-    const middleware = function (req, res, next) {
-        if (!req.management.payload)
-            console.error("No payload to be signed");
-        const payload = req.management.payload;
-        let signedPayload;
-        try {
-            signedPayload = signPayload(payload, options);
-        }
-        catch (error) {
-            res.status(403);
-            res.send(`Unable to sign payload: ${error}`);
-            return;
-        }
-        try {
-            req.body = signJws(signedPayload, options);
-        }
-        catch (error) {
-            res.status(403);
-            res.send(`Unable to correctly format signed payload: ${error}`);
-        }
-        next();
-    };
-    return middleware;
-};
+
 const base64Decode = (base64) => {
     return Buffer.from(base64, "base64").toString("utf8");
 };
 const parseProtectedHeader = (protectedHeader) => {
     return JSON.parse(base64Decode(protectedHeader));
 };
+
 const validateJws = (key, input) => {
     for (const signature of input.signatures) {
         const decodedProtectedHeader = parseProtectedHeader(signature.protected);
@@ -6582,18 +6587,63 @@ const validateJws = (key, input) => {
         if (key.algorithm !== decodedProtectedHeader.alg) {
             throw new Error("Algorithm mismatch");
         }
-        try {
-            const verified = jwt.verify(`${signature.protected}.${input.payload}.${signature.signature}`, key.value, 
-            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-            { algorithms: [key.algorithm] });
-            return verified;
+        const verified = jwt.verify(`${signature.protected}.${input.payload}.${signature.signature}`, key.value, 
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        { algorithms: [key.algorithm] });
+        return verified;
+    }
+};
+/*
+ * Verifies JWT.
+ *
+ * @param jwt [Hash]
+ *   The JWT in the format as defined in RFC 7515.
+ *   Example:
+ *     { "payload" => "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
+ *       "signatures" => [
+ *         { "protected" => "eyJhbGciOiJSUzI1NiJ9",
+ *           "header" => { "kid" => "2010-12-29" },
+ *           "signature" => "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw"
+ *         },
+ *         { "protected" => "eyJhbGciOiJFUzI1NiJ9",
+ *           "header" => { "kid" => "e9bc097a-ce51-4036-9562-d2ade882db0d" },
+ *           "signature" => "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
+ *         }
+ *       ]
+ *     }
+ * @param public_keychain [Hash]
+ *   The hash which consists of pairs: key ID => public key.
+ *   The key may be presented as string in PEM format or as instance of {OpenSSL::PKey::PKey}.
+ *   The implementation only verifies signatures for which public key exists in keychain.
+ * @param options [Hash]
+ *   The rules for verifying JWT. The variable «algorithms» is always overwritten by the value from JWS header.
+ * @return [Hash]
+ *   The returning value contains payload, list of verified, and unverified signatures (key ID).
+ *   Example:
+ *     { payload:    { sub: "session", profile: { email: "username@mailbox.example" },
+ *       verified:   [:"backend-1.mycompany.example", :"backend-3.mycompany.example"],
+ *       unverified: [:"backend-2.mycompany.example"] }
+ *     }
+ * @raise [JWT::DecodeError]
+ */
+const validateJwsMultisig = (keychain, input) => {
+    const verified = [];
+    const unverified = [];
+    for (const signature of input.signatures) {
+        const key = keychain.get(signature.header.kid);
+        if (key) {
+            validateJws(key, input);
+            verified.push(signature.header.kid);
         }
-        catch (error) {
-            console.error(error);
-            return undefined;
+        else {
+            unverified.push(signature.header.kid);
         }
     }
+    return {
+        verified,
+        unverified
+    };
 };
 
-export { managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws };
+export { managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws, validateJwsMultisig };
 //# sourceMappingURL=index.js.map