@denodeio/seshat 0.0.33 → 0.0.35
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/cjs/dist/mjs/src/index.d.ts +3 -35
- package/build/cjs/dist/mjs/src/middleware/index.d.ts +9 -0
- package/build/cjs/dist/mjs/src/types.d.ts +6 -0
- package/build/cjs/dist/mjs/src/utils.d.ts +7 -0
- package/build/cjs/dist/mjs/src/validate.d.ts +30 -0
- package/build/cjs/index.d.ts +22 -15
- package/build/cjs/index.js +182 -102
- package/build/cjs/index.js.map +1 -1
- package/build/mjs/dist/mjs/src/index.d.ts +3 -35
- package/build/mjs/dist/mjs/src/middleware/index.d.ts +9 -0
- package/build/mjs/dist/mjs/src/types.d.ts +6 -0
- package/build/mjs/dist/mjs/src/utils.d.ts +7 -0
- package/build/mjs/dist/mjs/src/validate.d.ts +30 -0
- package/build/mjs/index.d.ts +22 -15
- package/build/mjs/index.js +85 -36
- package/build/mjs/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -1,36 +1,4 @@
|
|
|
1
|
-
|
|
2
|
-
type JwsSignature = {
|
|
3
|
-
protected: string;
|
|
4
|
-
header: {
|
|
5
|
-
kid: string;
|
|
6
|
-
};
|
|
7
|
-
signature: string;
|
|
8
|
-
};
|
|
9
|
-
type JwsPayload = {
|
|
10
|
-
payload: string;
|
|
11
|
-
signatures: JwsSignature[];
|
|
12
|
-
};
|
|
13
|
-
export type Keychain = {
|
|
14
|
-
algorithm: string;
|
|
15
|
-
value: Secret | PublicKey;
|
|
16
|
-
};
|
|
17
|
-
type JwtPayload<T> = {
|
|
18
|
-
iss: string;
|
|
19
|
-
exp: number;
|
|
20
|
-
jti: string;
|
|
21
|
-
event: {
|
|
22
|
-
name: string;
|
|
23
|
-
record: T;
|
|
24
|
-
};
|
|
25
|
-
iat: number;
|
|
26
|
-
};
|
|
1
|
+
export * from "./middleware";
|
|
27
2
|
export * from "./signer";
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
barongJwtPublicKey?: string;
|
|
31
|
-
jwtPublicKey?: string;
|
|
32
|
-
issuer?: string;
|
|
33
|
-
};
|
|
34
|
-
export declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
|
|
35
|
-
export declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
|
|
36
|
-
export declare const validateJws: <T>(key: Keychain, input: JwsPayload) => JwtPayload<T> | undefined;
|
|
3
|
+
export * from "./validate";
|
|
4
|
+
export * from "./types";
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
export declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
|
|
2
|
+
type OptionsInput = {
|
|
3
|
+
fieldName?: string;
|
|
4
|
+
barongJwtPublicKey?: string;
|
|
5
|
+
jwtPublicKey?: string;
|
|
6
|
+
issuer?: string;
|
|
7
|
+
};
|
|
8
|
+
export declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
|
|
9
|
+
export {};
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
import jwt from "jsonwebtoken";
|
|
2
|
+
import { Key, Keychain } from "./types";
|
|
3
|
+
type JwsSignature = {
|
|
4
|
+
protected: string;
|
|
5
|
+
header: {
|
|
6
|
+
kid: string;
|
|
7
|
+
};
|
|
8
|
+
signature: string;
|
|
9
|
+
};
|
|
10
|
+
type JwsPayload = {
|
|
11
|
+
payload: string;
|
|
12
|
+
signatures: JwsSignature[];
|
|
13
|
+
};
|
|
14
|
+
type JwtPayload<T> = {
|
|
15
|
+
iss: string;
|
|
16
|
+
exp: number;
|
|
17
|
+
jti: string;
|
|
18
|
+
event: {
|
|
19
|
+
name: string;
|
|
20
|
+
record: T;
|
|
21
|
+
};
|
|
22
|
+
iat: number;
|
|
23
|
+
};
|
|
24
|
+
export declare const validateJws: <T>(key: Key, input: JwsPayload) => JwtPayload<T> | undefined;
|
|
25
|
+
export declare const validateJwsMultisig: (keychain: Keychain, input: JwsPayload) => {
|
|
26
|
+
payload: string | jwt.JwtPayload | null;
|
|
27
|
+
verified: string[];
|
|
28
|
+
unverified: string[];
|
|
29
|
+
};
|
|
30
|
+
export {};
|
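--- a/package/build/mjs/index.d.ts
+++ b/package/build/mjs/index.d.ts
@@ -1,4 +1,13 @@
-import { Secret, PublicKey } from 'jsonwebtoken';
+import jwt, { Secret, PublicKey } from 'jsonwebtoken';
+
+declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
+type OptionsInput = {
+fieldName?: string;
+barongJwtPublicKey?: string;
+jwtPublicKey?: string;
+issuer?: string;
+};
+declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
 
 type SignJwsResponse = {
 payload: string;
@@ -14,6 +23,12 @@ declare function signJws(payload: string, options: any): SignJwsResponse;
 declare function signPayload(payload: any, options: any): string;
 declare function signData(payload: object, options: any): SignJwsResponse;
 
+type Key = {
+algorithm: string;
+value: Secret | PublicKey;
+};
+type Keychain = Map<string, Key>;
+
 type JwsSignature = {
 protected: string;
 header: {
@@ -25,10 +40,6 @@ type JwsPayload = {
 payload: string;
 signatures: JwsSignature[];
 };
-type Keychain = {
-algorithm: string;
-value: Secret | PublicKey;
-};
 type JwtPayload<T> = {
 iss: string;
 exp: number;
@@ -39,15 +50,11 @@ type JwtPayload<T> = {
 };
 iat: number;
 };
-
-
-
-
-
-issuer?: string;
+declare const validateJws: <T>(key: Key, input: JwsPayload) => JwtPayload<T> | undefined;
+declare const validateJwsMultisig: (keychain: Keychain, input: JwsPayload) => {
+payload: string | jwt.JwtPayload | null;
+verified: string[];
+unverified: string[];
 };
-declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
-declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
-declare const validateJws: <T>(key: Keychain, input: JwsPayload) => JwtPayload<T> | undefined;
 
-export { type Keychain, managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws };
+export { type Key, type Keychain, managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws, validateJwsMultisig };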
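--- a/package/build/mjs/index.js
+++ b/package/build/mjs/index.js
@@ -6507,6 +6507,33 @@ function signData(payload, options) {
 return signJws(signedPayload, options);
 }
 
+const managementSigner = function (options) {
+if (!options.privateKey)
+throw new Error("Application's private key should be set");
+const middleware = function (req, res, next) {
+if (!req.management.payload)
+console.error("No payload to be signed");
+const payload = req.management.payload;
+let signedPayload;
+try {
+signedPayload = signPayload(payload, options);
+}
+catch (error) {
+res.status(403);
+res.send(`Unable to sign payload: ${error}`);
+return;
+}
+try {
+req.body = signJws(signedPayload, options);
+}
+catch (error) {
+res.status(403);
+res.send(`Unable to correctly format signed payload: ${error}`);
+}
+next();
+};
+return middleware;
+};
 const sessionVerifier = function (options) {
 const { fieldName = "session", ...actualOptions } = options;
 if (!options || (!options.barongJwtPublicKey && !options.jwtPublicKey)) {
@@ -6543,39 +6570,14 @@ const sessionVerifier = function (options) {
 };
 return middleware;
 };
-
-if (!options.privateKey)
-throw new Error("Application's private key should be set");
-const middleware = function (req, res, next) {
-if (!req.management.payload)
-console.error("No payload to be signed");
-const payload = req.management.payload;
-let signedPayload;
-try {
-signedPayload = signPayload(payload, options);
-}
-catch (error) {
-res.status(403);
-res.send(`Unable to sign payload: ${error}`);
-return;
-}
-try {
-req.body = signJws(signedPayload, options);
-}
-catch (error) {
-res.status(403);
-res.send(`Unable to correctly format signed payload: ${error}`);
-}
-next();
-};
-return middleware;
-};
+
 const base64Decode = (base64) => {
 return Buffer.from(base64, "base64").toString("utf8");
 };
 const parseProtectedHeader = (protectedHeader) => {
 return JSON.parse(base64Decode(protectedHeader));
 };
+
 const validateJws = (key, input) => {
 for (const signature of input.signatures) {
 const decodedProtectedHeader = parseProtectedHeader(signature.protected);
@@ -6585,18 +6587,65 @@ const validateJws = (key, input) => {
 if (key.algorithm !== decodedProtectedHeader.alg) {
 throw new Error("Algorithm mismatch");
 }
-
-
-
-
-
+const verified = jwt.verify(`${signature.protected}.${input.payload}.${signature.signature}`, key.value,
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+{ algorithms: [key.algorithm] });
+return verified;
+}
+};
+/*
+* Verifies JWT.
+*
+* @param jwt [Hash]
+* The JWT in the format as defined in RFC 7515.
+* Example:
+* { "payload" => "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
+* "signatures" => [
+* { "protected" => "eyJhbGciOiJSUzI1NiJ9",
+* "header" => { "kid" => "2010-12-29" },
+* "signature" => "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw"
+* },
+* { "protected" => "eyJhbGciOiJFUzI1NiJ9",
+* "header" => { "kid" => "e9bc097a-ce51-4036-9562-d2ade882db0d" },
+* "signature" => "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
+* }
+* ]
+* }
+* @param public_keychain [Hash]
+* The hash which consists of pairs: key ID => public key.
+* The key may be presented as string in PEM format or as instance of {OpenSSL::PKey::PKey}.
+* The implementation only verifies signatures for which public key exists in keychain.
+* @param options [Hash]
+* The rules for verifying JWT. The variable «algorithms» is always overwritten by the value from JWS header.
+* @return [Hash]
+* The returning value contains payload, list of verified, and unverified signatures (key ID).
+* Example:
+* { payload: { sub: "session", profile: { email: "username@mailbox.example" },
+* verified: [:"backend-1.mycompany.example", :"backend-3.mycompany.example"],
+* unverified: [:"backend-2.mycompany.example"] }
+* }
+* @raise [JWT::DecodeError]
+*/
+const validateJwsMultisig = (keychain, input) => {
+const verified = [];
+const unverified = [];
+const payload = jwt.decode(input.payload);
+for (const signature of input.signatures) {
+const key = keychain.get(signature.header.kid);
+if (key) {
+validateJws(key, input);
+verified.push(signature.header.kid);
 }
-
-
-return undefined;
+else {
+unverified.push(signature.header.kid);
 }
 }
+return {
+payload,
+verified,
+unverified
+};
 };
 
-export { managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws };
+export { managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws, validateJwsMultisig };
 //# sourceMappingURL=index.js.map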
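Review bot: In validateJwsMultisig (new lines 6629-6648) the key resolved for `signature.header.kid` is passed to `validateJws(key, input)` with the whole input, and validateJws returns from its first loop iteration, so the key is checked against `input.signatures[0]` rather than the signature whose kid was just looked up — unless the three lines hidden between the hunks (new 6584-6586) skip non-matching signatures, which is not visible here. With two signers using different algorithms the second key would hit `throw new Error("Algorithm mismatch")` even when its own signature is valid, and a kid can be listed in `verified` on the strength of another signer's signature. Passing only the signature being attributed, `validateJws(key, { payload: input.payload, signatures: [signature] });`, keeps the attribution honest without changing validateJws's interface. Separately, `const payload = jwt.decode(input.payload)` decodes the bare payload segment without any verification (and jsonwebtoken's decode expects a three-part compact token, so this is likely to yield null, matching the `| null` in the declared return type); returning the payload that `jwt.verify` produced inside the loop would tie the returned payload to a signature that was actually verified.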