@denodeio/seshat 0.0.33 → 0.0.35

package/build/cjs/dist/mjs/src/index.d.ts

@@ -1,36 +1,4 @@
-import { PublicKey, Secret } from "jsonwebtoken";
-type JwsSignature = {
-    protected: string;
-    header: {
-        kid: string;
-    };
-    signature: string;
-};
-type JwsPayload = {
-    payload: string;
-    signatures: JwsSignature[];
-};
-export type Keychain = {
-    algorithm: string;
-    value: Secret | PublicKey;
-};
-type JwtPayload<T> = {
-    iss: string;
-    exp: number;
-    jti: string;
-    event: {
-        name: string;
-        record: T;
-    };
-    iat: number;
-};
+export * from "./middleware";
 export * from "./signer";
-type OptionsInput = {
-    fieldName?: string;
-    barongJwtPublicKey?: string;
-    jwtPublicKey?: string;
-    issuer?: string;
-};
-export declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
-export declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
-export declare const validateJws: <T>(key: Keychain, input: JwsPayload) => JwtPayload<T> | undefined;
+export * from "./validate";
+export * from "./types";

package/build/cjs/dist/mjs/src/middleware/index.d.ts

@@ -0,0 +1,9 @@
+export declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
+type OptionsInput = {
+    fieldName?: string;
+    barongJwtPublicKey?: string;
+    jwtPublicKey?: string;
+    issuer?: string;
+};
+export declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
+export {};

package/build/cjs/dist/mjs/src/types.d.ts

@@ -0,0 +1,6 @@
+import { PublicKey, Secret } from "jsonwebtoken";
+export type Key = {
+    algorithm: string;
+    value: Secret | PublicKey;
+};
+export type Keychain = Map<string, Key>;

package/build/cjs/dist/mjs/src/utils.d.ts

@@ -0,0 +1,7 @@
+type ProtectedHeader = {
+    alg: string;
+    typ: string;
+};
+export declare const base64Decode: (base64: string) => string;
+export declare const parseProtectedHeader: (protectedHeader: string) => ProtectedHeader;
+export {};

package/build/cjs/dist/mjs/src/validate.d.ts

@@ -0,0 +1,30 @@
+import jwt from "jsonwebtoken";
+import { Key, Keychain } from "./types";
+type JwsSignature = {
+    protected: string;
+    header: {
+        kid: string;
+    };
+    signature: string;
+};
+type JwsPayload = {
+    payload: string;
+    signatures: JwsSignature[];
+};
+type JwtPayload<T> = {
+    iss: string;
+    exp: number;
+    jti: string;
+    event: {
+        name: string;
+        record: T;
+    };
+    iat: number;
+};
+export declare const validateJws: <T>(key: Key, input: JwsPayload) => JwtPayload<T> | undefined;
+export declare const validateJwsMultisig: (keychain: Keychain, input: JwsPayload) => {
+    payload: string | jwt.JwtPayload | null;
+    verified: string[];
+    unverified: string[];
+};
+export {};

package/build/cjs/index.d.ts

@@ -1,4 +1,13 @@
-import { Secret, PublicKey } from 'jsonwebtoken';
+import jwt, { Secret, PublicKey } from 'jsonwebtoken';
+
+declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
+type OptionsInput = {
+    fieldName?: string;
+    barongJwtPublicKey?: string;
+    jwtPublicKey?: string;
+    issuer?: string;
+};
+declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
 
 type SignJwsResponse = {
     payload: string;
@@ -14,6 +23,12 @@ declare function signJws(payload: string, options: any): SignJwsResponse;
 declare function signPayload(payload: any, options: any): string;
 declare function signData(payload: object, options: any): SignJwsResponse;
 
+type Key = {
+    algorithm: string;
+    value: Secret | PublicKey;
+};
+type Keychain = Map<string, Key>;
+
 type JwsSignature = {
     protected: string;
     header: {
@@ -25,10 +40,6 @@ type JwsPayload = {
     payload: string;
     signatures: JwsSignature[];
 };
-type Keychain = {
-    algorithm: string;
-    value: Secret | PublicKey;
-};
 type JwtPayload<T> = {
     iss: string;
     exp: number;
@@ -39,15 +50,11 @@ type JwtPayload<T> = {
     };
     iat: number;
 };
-
-type OptionsInput = {
-    fieldName?: string;
-    barongJwtPublicKey?: string;
-    jwtPublicKey?: string;
-    issuer?: string;
+declare const validateJws: <T>(key: Key, input: JwsPayload) => JwtPayload<T> | undefined;
+declare const validateJwsMultisig: (keychain: Keychain, input: JwsPayload) => {
+    payload: string | jwt.JwtPayload | null;
+    verified: string[];
+    unverified: string[];
 };
-declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
-declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
-declare const validateJws: <T>(key: Keychain, input: JwsPayload) => JwtPayload<T> | undefined;
 
-export { type Keychain, managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws };
+export { type Key, type Keychain, managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws, validateJwsMultisig };

package/build/cjs/index.js

@@ -13,6 +13,8 @@ function getDefaultExportFromCjs (x) {
 
 var src = {};
 
+var middleware = {};
+
 var jws$3 = {};
 
 var safeBuffer = {exports: {}};
@@ -6241,7 +6243,7 @@ const registered_claims_schema = {
   nbf: { isValid: isNumber, message: '"nbf" should be a number of seconds' }
 };
 
-function validate(schema, allowUnknown, object, parameterName) {
+function validate$1(schema, allowUnknown, object, parameterName) {
   if (!isPlainObject(object)) {
     throw new Error('Expected "' + parameterName + '" to be a plain object.');
   }
@@ -6261,11 +6263,11 @@ function validate(schema, allowUnknown, object, parameterName) {
 }
 
 function validateOptions(options) {
-  return validate(sign_options_schema, false, options, 'options');
+  return validate$1(sign_options_schema, false, options, 'options');
 }
 
 function validatePayload(payload) {
-  return validate(registered_claims_schema, true, payload, 'payload');
+  return validate$1(registered_claims_schema, true, payload, 'payload');
 }
 
 const options_to_payload = {
@@ -6467,7 +6469,7 @@ var signer = {};
 
 Object.defineProperty(signer, "__esModule", { value: true });
 signer.signData = signer.signPayload = signer.signJws = void 0;
-const jsonwebtoken_1 = jsonwebtoken;
+const jsonwebtoken_1$1 = jsonwebtoken;
 const crypto_1 = require$$2;
 // export type CSignOptions = {
 //   privateKey: Secret
@@ -6503,7 +6505,7 @@ function signPayload(payload, options) {
         ...defaultOptions,
         ...options
     };
-    const token = (0, jsonwebtoken_1.sign)({
+    const token = (0, jsonwebtoken_1$1.sign)({
         iss: options.issuer,
         exp: Math.round(Date.now() / 1000) + mergedOptions.jwtExpireSeconds,
         jti: (0, crypto_1.randomUUID)(),
@@ -6520,122 +6522,200 @@ function signData(payload, options) {
 }
 signer.signData = signData;
 
+var __importDefault = (commonjsGlobal && commonjsGlobal.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(middleware, "__esModule", { value: true });
+middleware.sessionVerifier = middleware.managementSigner = void 0;
+const jsonwebtoken_1 = __importDefault(jsonwebtoken);
+const signer_1 = signer;
+const managementSigner = function (options) {
+    if (!options.privateKey)
+        throw new Error("Application's private key should be set");
+    const middleware = function (req, res, next) {
+        if (!req.management.payload)
+            console.error("No payload to be signed");
+        const payload = req.management.payload;
+        let signedPayload;
+        try {
+            signedPayload = (0, signer_1.signPayload)(payload, options);
+        }
+        catch (error) {
+            res.status(403);
+            res.send(`Unable to sign payload: ${error}`);
+            return;
+        }
+        try {
+            req.body = (0, signer_1.signJws)(signedPayload, options);
+        }
+        catch (error) {
+            res.status(403);
+            res.send(`Unable to correctly format signed payload: ${error}`);
+        }
+        next();
+    };
+    return middleware;
+};
+middleware.managementSigner = managementSigner;
+const sessionVerifier = function (options) {
+    const { fieldName = "session", ...actualOptions } = options;
+    if (!options || (!options.barongJwtPublicKey && !options.jwtPublicKey)) {
+        throw new Error("JWT Public key should be set");
+    }
+    const jwtPublicKey = options.barongJwtPublicKey || options.jwtPublicKey;
+    const defaultOptions = {
+        algorithms: ["RS256"],
+        issuer: "auth"
+    };
+    const verificationOptions = { ...defaultOptions, ...actualOptions };
+    const middleware = function (req, res, next) {
+        let authHeader;
+        try {
+            authHeader = req.headers.authorization.split("Bearer ")[1];
+        }
+        catch (error) {
+            res.status(401);
+            res.send("Signature verification raised: Authorization header is missing or malformed");
+            return;
+        }
+        if (!jwtPublicKey) {
+            throw new Error("JWT Public key should be set");
+        }
+        try {
+            req[fieldName] = jsonwebtoken_1.default.verify(authHeader, jwtPublicKey, verificationOptions);
+        }
+        catch (error) {
+            res.status(403);
+            res.send(`Signature verification raised: ${error}`);
+            return;
+        }
+        next();
+    };
+    return middleware;
+};
+middleware.sessionVerifier = sessionVerifier;
+
+var validate = {};
+
+var utils = {};
+
 (function (exports) {
-	var __createBinding = (commonjsGlobal && commonjsGlobal.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-	    if (k2 === undefined) k2 = k;
-	    var desc = Object.getOwnPropertyDescriptor(m, k);
-	    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-	      desc = { enumerable: true, get: function() { return m[k]; } };
-	    }
-	    Object.defineProperty(o, k2, desc);
-	}) : (function(o, m, k, k2) {
-	    if (k2 === undefined) k2 = k;
-	    o[k2] = m[k];
-	}));
-	var __exportStar = (commonjsGlobal && commonjsGlobal.__exportStar) || function(m, exports) {
-	    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-	};
-	var __importDefault = (commonjsGlobal && commonjsGlobal.__importDefault) || function (mod) {
-	    return (mod && mod.__esModule) ? mod : { "default": mod };
-	};
 	Object.defineProperty(exports, "__esModule", { value: true });
-	exports.validateJws = exports.managementSigner = exports.sessionVerifier = void 0;
-	const jsonwebtoken_1 = __importDefault(jsonwebtoken);
-	const signer_1 = signer;
-	__exportStar(signer, exports);
-	const sessionVerifier = function (options) {
-	    const { fieldName = "session", ...actualOptions } = options;
-	    if (!options || (!options.barongJwtPublicKey && !options.jwtPublicKey)) {
-	        throw new Error("JWT Public key should be set");
-	    }
-	    const jwtPublicKey = options.barongJwtPublicKey || options.jwtPublicKey;
-	    const defaultOptions = {
-	        algorithms: ["RS256"],
-	        issuer: "auth"
-	    };
-	    const verificationOptions = { ...defaultOptions, ...actualOptions };
-	    const middleware = function (req, res, next) {
-	        let authHeader;
-	        try {
-	            authHeader = req.headers.authorization.split("Bearer ")[1];
-	        }
-	        catch (error) {
-	            res.status(401);
-	            res.send("Signature verification raised: Authorization header is missing or malformed");
-	            return;
-	        }
-	        if (!jwtPublicKey) {
-	            throw new Error("JWT Public key should be set");
-	        }
-	        try {
-	            req[fieldName] = jsonwebtoken_1.default.verify(authHeader, jwtPublicKey, verificationOptions);
-	        }
-	        catch (error) {
-	            res.status(403);
-	            res.send(`Signature verification raised: ${error}`);
-	            return;
-	        }
-	        next();
-	    };
-	    return middleware;
-	};
-	exports.sessionVerifier = sessionVerifier;
-	const managementSigner = function (options) {
-	    if (!options.privateKey)
-	        throw new Error("Application's private key should be set");
-	    const middleware = function (req, res, next) {
-	        if (!req.management.payload)
-	            console.error("No payload to be signed");
-	        const payload = req.management.payload;
-	        let signedPayload;
-	        try {
-	            signedPayload = (0, signer_1.signPayload)(payload, options);
-	        }
-	        catch (error) {
-	            res.status(403);
-	            res.send(`Unable to sign payload: ${error}`);
-	            return;
-	        }
-	        try {
-	            req.body = (0, signer_1.signJws)(signedPayload, options);
-	        }
-	        catch (error) {
-	            res.status(403);
-	            res.send(`Unable to correctly format signed payload: ${error}`);
-	        }
-	        next();
-	    };
-	    return middleware;
-	};
-	exports.managementSigner = managementSigner;
+	exports.parseProtectedHeader = exports.base64Decode = void 0;
 	const base64Decode = (base64) => {
 	    return Buffer.from(base64, "base64").toString("utf8");
 	};
+	exports.base64Decode = base64Decode;
 	const parseProtectedHeader = (protectedHeader) => {
-	    return JSON.parse(base64Decode(protectedHeader));
+	    return JSON.parse((0, exports.base64Decode)(protectedHeader));
 	};
+	exports.parseProtectedHeader = parseProtectedHeader; 
+} (utils));
+
+(function (exports) {
+	var __importDefault = (commonjsGlobal && commonjsGlobal.__importDefault) || function (mod) {
+	    return (mod && mod.__esModule) ? mod : { "default": mod };
+	};
+	Object.defineProperty(exports, "__esModule", { value: true });
+	exports.validateJwsMultisig = exports.validateJws = void 0;
+	const jsonwebtoken_1 = __importDefault(jsonwebtoken);
+	const utils_1 = utils;
 	const validateJws = (key, input) => {
 	    for (const signature of input.signatures) {
-	        const decodedProtectedHeader = parseProtectedHeader(signature.protected);
+	        const decodedProtectedHeader = (0, utils_1.parseProtectedHeader)(signature.protected);
 	        if (key === undefined) {
 	            throw new Error("Invalid key");
 	        }
 	        if (key.algorithm !== decodedProtectedHeader.alg) {
 	            throw new Error("Algorithm mismatch");
 	        }
-	        try {
-	            const verified = jsonwebtoken_1.default.verify(`${signature.protected}.${input.payload}.${signature.signature}`, key.value, 
-	            // eslint-disable-next-line @typescript-eslint/no-explicit-any
-	            { algorithms: [key.algorithm] });
-	            return verified;
+	        const verified = jsonwebtoken_1.default.verify(`${signature.protected}.${input.payload}.${signature.signature}`, key.value, 
+	        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+	        { algorithms: [key.algorithm] });
+	        return verified;
+	    }
+	};
+	exports.validateJws = validateJws;
+	/*
+	 * Verifies JWT.
+	 *
+	 * @param jwt [Hash]
+	 *   The JWT in the format as defined in RFC 7515.
+	 *   Example:
+	 *     { "payload" => "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
+	 *       "signatures" => [
+	 *         { "protected" => "eyJhbGciOiJSUzI1NiJ9",
+	 *           "header" => { "kid" => "2010-12-29" },
+	 *           "signature" => "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw"
+	 *         },
+	 *         { "protected" => "eyJhbGciOiJFUzI1NiJ9",
+	 *           "header" => { "kid" => "e9bc097a-ce51-4036-9562-d2ade882db0d" },
+	 *           "signature" => "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
+	 *         }
+	 *       ]
+	 *     }
+	 * @param public_keychain [Hash]
+	 *   The hash which consists of pairs: key ID => public key.
+	 *   The key may be presented as string in PEM format or as instance of {OpenSSL::PKey::PKey}.
+	 *   The implementation only verifies signatures for which public key exists in keychain.
+	 * @param options [Hash]
+	 *   The rules for verifying JWT. The variable «algorithms» is always overwritten by the value from JWS header.
+	 * @return [Hash]
+	 *   The returning value contains payload, list of verified, and unverified signatures (key ID).
+	 *   Example:
+	 *     { payload:    { sub: "session", profile: { email: "username@mailbox.example" },
+	 *       verified:   [:"backend-1.mycompany.example", :"backend-3.mycompany.example"],
+	 *       unverified: [:"backend-2.mycompany.example"] }
+	 *     }
+	 * @raise [JWT::DecodeError]
+	 */
+	const validateJwsMultisig = (keychain, input) => {
+	    const verified = [];
+	    const unverified = [];
+	    const payload = jsonwebtoken_1.default.decode(input.payload);
+	    for (const signature of input.signatures) {
+	        const key = keychain.get(signature.header.kid);
+	        if (key) {
+	            (0, exports.validateJws)(key, input);
+	            verified.push(signature.header.kid);
 	        }
-	        catch (error) {
-	            console.error(error);
-	            return undefined;
+	        else {
+	            unverified.push(signature.header.kid);
 	        }
 	    }
+	    return {
+	        payload,
+	        verified,
+	        unverified
+	    };
+	};
+	exports.validateJwsMultisig = validateJwsMultisig; 
+} (validate));
+
+var types = {};
+
+Object.defineProperty(types, "__esModule", { value: true });
+
+(function (exports) {
+	var __createBinding = (commonjsGlobal && commonjsGlobal.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+	    if (k2 === undefined) k2 = k;
+	    var desc = Object.getOwnPropertyDescriptor(m, k);
+	    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+	      desc = { enumerable: true, get: function() { return m[k]; } };
+	    }
+	    Object.defineProperty(o, k2, desc);
+	}) : (function(o, m, k, k2) {
+	    if (k2 === undefined) k2 = k;
+	    o[k2] = m[k];
+	}));
+	var __exportStar = (commonjsGlobal && commonjsGlobal.__exportStar) || function(m, exports) {
+	    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 	};
-	exports.validateJws = validateJws; 
+	Object.defineProperty(exports, "__esModule", { value: true });
+	__exportStar(middleware, exports);
+	__exportStar(signer, exports);
+	__exportStar(validate, exports);
+	__exportStar(types, exports); 
 } (src));
 
 var index = /*@__PURE__*/getDefaultExportFromCjs(src);