@denodeio/seshat 0.0.38 → 1.0.1

package/README.md

@@ -1,55 +1,3 @@
-<h1 align="center">@denode/seshat</h1>
+# seshat
 
-## Overview
-
-<b>seshat</b> is a library that offers a collection of functions commonly used in Denode backend services.
-
-## Install
-
-To use functions in other services, download seshat as a package:
-
-```bash
-npm i @denodeio/seshat
-```
-
-## Local Build And Deploy
-
-To build the project locally and deploy, follow these steps:
-
-### 1. Build The Project
-
-Run the following command to build the project using Rollup.js, which compiles and generates a bundled version of the project:
-
-```bash
-pnpm build
-```
-
-This command outputs the compiled code to the "dist" folder, which is used for deployment.
-
-### 2. Update Package Version:
-
-Open the [package.json](package.json) file and update the version field. For example:
-
-```
-"version": "0.0.12"
-```
-
-Ensure that you increment the version number appropriately.
-
-### 3. Login to NPM Registry:
-
-Use the following command to log in to the [npm registry](https://www.npmjs.com):
-
-```bash
-npm login
-```
-
-This command will redirect you to the [npm registry](https://www.npmjs.com). Follow the login process on the browser
-
-### 4. Publish the New Version:
-
-After successful login, you can publish the new version to NPM with the following command:
-
-```bash
-npm publish
-```
+This library was generated with [Nx](https://nx.dev).

package/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./lib/seshat.js";
+//# sourceMappingURL=index.d.ts.map

package/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../libs/seshat/src/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAA"}

package/index.js

@@ -0,0 +1 @@
+export * from "./lib/seshat.js";

package/{build/cjs/dist/mjs/src/middleware/index.d.ts → lib/middleware.d.ts}

@@ -1,9 +1,10 @@
-export declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
+import { NextFunction, Request, Response } from "express";
 type OptionsInput = {
     fieldName?: string;
     barongJwtPublicKey?: string;
     jwtPublicKey?: string;
     issuer?: string;
 };
-export declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
+export declare const sessionVerifier: (options: OptionsInput) => (req: Request, res: Response, next: NextFunction) => void;
 export {};
+//# sourceMappingURL=middleware.d.ts.map

package/lib/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../../libs/seshat/src/lib/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAGzD,KAAK,YAAY,GAAG;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,eAAO,MAAM,eAAe,GAAa,SAAS,YAAY,WAmB1B,OAAO,OAAO,QAAQ,QAAQ,YAAY,SA6B7E,CAAA"}

package/lib/middleware.js

@@ -0,0 +1,38 @@
+import jwt from "jsonwebtoken";
+export const sessionVerifier = function (options) {
+    const { fieldName = "session", ...actualOptions } = options;
+    if (!options || (!options.barongJwtPublicKey && !options.jwtPublicKey)) {
+        throw new Error("JWT Public key should be set");
+    }
+    const jwtPublicKey = options.barongJwtPublicKey || options.jwtPublicKey;
+    const defaultOptions = {
+        algorithms: ["RS256"],
+        issuer: "auth"
+    };
+    const verificationOptions = { ...defaultOptions, ...actualOptions };
+    const middleware = function (req, res, next) {
+        let authHeader;
+        try {
+            authHeader = (req.headers.authorization || "").split("Bearer ")[1];
+        }
+        catch (error) {
+            res.status(401);
+            res.send("Signature verification raised: Authorization header is missing or malformed");
+            return;
+        }
+        if (!jwtPublicKey) {
+            throw new Error("JWT Public key should be set");
+        }
+        try {
+            ;
+            req[fieldName] = jwt.verify(authHeader, jwtPublicKey, verificationOptions);
+        }
+        catch (error) {
+            res.status(403);
+            res.send(`Signature verification raised: ${error}`);
+            return;
+        }
+        next();
+    };
+    return middleware;
+};

package/lib/seshat.d.ts

@@ -0,0 +1,5 @@
+export * from "./middleware.js";
+export * from "./signer.js";
+export * from "./types.js";
+export * from "./validate.js";
+//# sourceMappingURL=seshat.d.ts.map

package/lib/seshat.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"seshat.d.ts","sourceRoot":"","sources":["../../../../libs/seshat/src/lib/seshat.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAA;AAC/B,cAAc,aAAa,CAAA;AAC3B,cAAc,YAAY,CAAA;AAC1B,cAAc,eAAe,CAAA"}

package/lib/seshat.js

@@ -0,0 +1,4 @@
+export * from "./middleware.js";
+export * from "./signer.js";
+export * from "./types.js";
+export * from "./validate.js";

package/lib/signer.d.ts

@@ -0,0 +1,21 @@
+import { KeyObject } from "crypto";
+type SignJwsResponse = {
+    payload: string;
+    signatures: {
+        protected: string;
+        header: {
+            kid: string;
+        };
+        signature: string;
+    }[];
+};
+export declare function signJws(payload: string, options: SignDataOptions): SignJwsResponse;
+export declare function signPayload(payload: object, options: SignDataOptions): string;
+type SignDataOptions = {
+    privateKey: KeyObject;
+    jwtExpirySeconds: number;
+    issuer: string;
+};
+export declare function signData(payload: any, options: SignDataOptions): SignJwsResponse;
+export {};
+//# sourceMappingURL=signer.d.ts.map

package/lib/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../../../libs/seshat/src/lib/signer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAc,MAAM,QAAQ,CAAA;AAG9C,KAAK,eAAe,GAAG;IACrB,OAAO,EAAE,MAAM,CAAA;IACf,UAAU,EAAE;QACV,SAAS,EAAE,MAAM,CAAA;QACjB,MAAM,EAAE;YACN,GAAG,EAAE,MAAM,CAAA;SACZ,CAAA;QACD,SAAS,EAAE,MAAM,CAAA;KAClB,EAAE,CAAA;CACJ,CAAA;AAED,wBAAgB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,eAAe,CAoBlF;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,eAAe,GAAG,MAAM,CAwB7E;AAED,KAAK,eAAe,GAAG;IACrB,UAAU,EAAE,SAAS,CAAA;IACrB,gBAAgB,EAAE,MAAM,CAAA;IACxB,MAAM,EAAE,MAAM,CAAA;CACf,CAAA;AAED,wBAAgB,QAAQ,CAAC,OAAO,EAAE,GAAG,EAAE,OAAO,EAAE,eAAe,GAAG,eAAe,CAIhF"}

package/lib/signer.js

@@ -0,0 +1,44 @@
+import { randomUUID } from "crypto";
+import { sign } from "jsonwebtoken";
+export function signJws(payload, options) {
+    const defaultOptions = {
+        jwtKid: options.issuer
+    };
+    const mergedOptions = { ...defaultOptions, ...options };
+    const requestParams = {
+        payload: payload.split(".")[1],
+        signatures: [
+            {
+                protected: payload.split(".")[0],
+                header: {
+                    kid: mergedOptions.jwtKid
+                },
+                signature: payload.split(".")[2]
+            }
+        ]
+    };
+    return requestParams;
+}
+export function signPayload(payload, options) {
+    const defaultOptions = {
+        jwtAlgorithm: "RS256",
+        jwtExpireSeconds: options.jwtExpirySeconds
+    };
+    const mergedOptions = {
+        ...defaultOptions,
+        ...options
+    };
+    const token = sign({
+        iss: options.issuer,
+        exp: Math.round(Date.now() / 1000) + mergedOptions.jwtExpireSeconds,
+        jti: randomUUID(),
+        ...payload
+    }, mergedOptions.privateKey, {
+        algorithm: mergedOptions.jwtAlgorithm
+    });
+    return token;
+}
+export function signData(payload, options) {
+    const signedPayload = signPayload(payload, options);
+    return signJws(signedPayload, options);
+}

package/{build/mjs/dist/mjs/src → lib}/types.d.ts

@@ -4,3 +4,4 @@ export type Key = {
     value: Secret | PublicKey;
 };
 export type Keychain = Map<string, Key>;
+//# sourceMappingURL=types.d.ts.map

package/lib/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../libs/seshat/src/lib/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,cAAc,CAAA;AAEhD,MAAM,MAAM,GAAG,GAAG;IAChB,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAA;CAC1B,CAAA;AAED,MAAM,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA"}

package/lib/types.js

@@ -0,0 +1 @@
+export {};

package/{build/cjs/dist/mjs/src → lib}/utils.d.ts

@@ -5,3 +5,4 @@ type ProtectedHeader = {
 export declare const base64Decode: (base64: string) => string;
 export declare const parseProtectedHeader: (protectedHeader: string) => ProtectedHeader;
 export {};
+//# sourceMappingURL=utils.d.ts.map

package/lib/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../../libs/seshat/src/lib/utils.ts"],"names":[],"mappings":"AAAA,KAAK,eAAe,GAAG;IACrB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;CACZ,CAAA;AAED,eAAO,MAAM,YAAY,GAAI,QAAQ,MAAM,WAE1C,CAAA;AAED,eAAO,MAAM,oBAAoB,GAAI,iBAAiB,MAAM,KAAG,eAE9D,CAAA"}

package/lib/utils.js

@@ -0,0 +1,6 @@
+export const base64Decode = (base64) => {
+    return Buffer.from(base64, "base64").toString("utf8");
+};
+export const parseProtectedHeader = (protectedHeader) => {
+    return JSON.parse(base64Decode(protectedHeader));
+};

package/{build/cjs/dist/mjs/src → lib}/validate.d.ts

@@ -1,4 +1,4 @@
-import { Key, Keychain } from "./types";
+import { Key, Keychain } from "./types.js";
 type JwsSignature = {
     protected: string;
     header: {
@@ -28,3 +28,4 @@ export declare const validateJwsMultisig: <T>(keychain: Keychain, input: JwsPayl
     unverified: string[];
 };
 export {};
+//# sourceMappingURL=validate.d.ts.map

package/lib/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../../libs/seshat/src/lib/validate.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAG1C,KAAK,YAAY,GAAG;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,EAAE;QACN,GAAG,EAAE,MAAM,CAAA;KACZ,CAAA;IACD,SAAS,EAAE,MAAM,CAAA;CAClB,CAAA;AAED,KAAK,UAAU,GAAG;IAChB,OAAO,EAAE,MAAM,CAAA;IACf,UAAU,EAAE,YAAY,EAAE,CAAA;CAC3B,CAAA;AAED,KAAK,UAAU,CAAC,CAAC,IAAI;IACnB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,EAAE;QACL,IAAI,EAAE,MAAM,CAAA;QACZ,MAAM,EAAE,CAAC,CAAA;KACV,CAAA;IACD,GAAG,EAAE,MAAM,CAAA;CACZ,CAAA;AAED,eAAO,MAAM,WAAW,GAAI,CAAC,EAAE,KAAK,GAAG,EAAE,OAAO,UAAU,8BAuBzD,CAAA;AAmCD,eAAO,MAAM,mBAAmB,GAAI,CAAC,EAAE,UAAU,QAAQ,EAAE,OAAO,UAAU;;;;;CAuB3E,CAAA"}

package/lib/validate.js

@@ -0,0 +1,72 @@
+import jwt from "jsonwebtoken";
+import { parseProtectedHeader } from "./utils.js";
+export const validateJws = (key, input) => {
+    for (const signature of input.signatures) {
+        const decodedProtectedHeader = parseProtectedHeader(signature.protected);
+        if (key === undefined) {
+            throw new Error("Invalid key");
+        }
+        if (key.algorithm !== decodedProtectedHeader.alg) {
+            throw new Error("Algorithm mismatch");
+        }
+        const verified = jwt.verify(`${signature.protected}.${input.payload}.${signature.signature}`, key.value, 
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        { algorithms: [key.algorithm] });
+        return verified;
+    }
+    return undefined;
+};
+/*
+ * Verifies JWT.
+ *
+ * @param jwt [Hash]
+ *   The JWT in the format as defined in RFC 7515.
+ *   Example:
+ *     { "payload" => "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ",
+ *       "signatures" => [
+ *         { "protected" => "eyJhbGciOiJSUzI1NiJ9",
+ *           "header" => { "kid" => "2010-12-29" },
+ *           "signature" => "cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqvhJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrBp0igcN_IoypGlUPQGe77Rw"
+ *         },
+ *         { "protected" => "eyJhbGciOiJFUzI1NiJ9",
+ *           "header" => { "kid" => "e9bc097a-ce51-4036-9562-d2ade882db0d" },
+ *           "signature" => "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8ISlSApmWQxfKTUJqPP3-Kg6NU1Q"
+ *         }
+ *       ]
+ *     }
+ * @param public_keychain [Hash]
+ *   The hash which consists of pairs: key ID => public key.
+ *   The key may be presented as string in PEM format or as instance of {OpenSSL::PKey::PKey}.
+ *   The implementation only verifies signatures for which public key exists in keychain.
+ * @param options [Hash]
+ *   The rules for verifying JWT. The variable «algorithms» is always overwritten by the value from JWS header.
+ * @return [Hash]
+ *   The returning value contains payload, list of verified, and unverified signatures (key ID).
+ *   Example:
+ *     { payload:    { sub: "session", profile: { email: "username@mailbox.example" },
+ *       verified:   [:"backend-1.mycompany.example", :"backend-3.mycompany.example"],
+ *       unverified: [:"backend-2.mycompany.example"] }
+ *     }
+ * @raise [JWT::DecodeError]
+ */
+export const validateJwsMultisig = (keychain, input) => {
+    const verified = [];
+    const unverified = [];
+    const payload = JSON.parse(Buffer.from(input.payload, "base64").toString());
+    for (const signature of input.signatures) {
+        const key = keychain.get(signature.header.kid);
+        if (key) {
+            validateJws(key, input);
+            verified.push(signature.header.kid);
+        }
+        else {
+            unverified.push(signature.header.kid);
+        }
+    }
+    return {
+        isVerified: verified.length > 0,
+        payload,
+        verified,
+        unverified
+    };
+};

package/package.json

@@ -1,54 +1,25 @@
 {
   "name": "@denodeio/seshat",
+  "version": "1.0.1",
   "private": false,
-  "version": "0.0.38",
   "description": "Functions' Library for Denode Ecosystem.",
-  "main": "build/cjs/index.js",
-  "module": "build/mjs/index.js",
-  "types": "build/mjs/index.d.ts",
+  "type": "module",
+  "main": "./index.js",
+  "types": "./index.d.ts",
   "files": [
-    "./build/"
+    "./"
   ],
   "exports": {
     ".": {
-      "import": "./build/mjs/index.js",
-      "require": "./build/cjs/index.js",
-      "types": "./build/mjs/index.d.ts"
-    }
+      "types": "./index.d.ts",
+      "import": "./index.js"
+    },
+    "./package.json": "./package.json"
   },
   "keywords": [],
   "author": "",
   "license": "UNLICENSED",
-  "devDependencies": {
-    "@rollup/plugin-commonjs": "^25.0.7",
-    "@rollup/plugin-node-resolve": "^15.2.3",
-    "@rollup/plugin-terser": "^0.4.4",
-    "@rollup/plugin-typescript": "^11.1.5",
-    "@types/jsonwebtoken": "^9.0.7",
-    "@types/node": "^20.9.3",
-    "@typescript-eslint/eslint-plugin": "^6.12.0",
-    "@typescript-eslint/parser": "^6.12.0",
-    "eslint": "^8.54.0",
-    "eslint-config-prettier": "^9.0.0",
-    "eslint-plugin-prettier": "^5.0.1",
-    "prettier": "3.1.0",
-    "rollup": "^4.5.0",
-    "rollup-plugin-dts": "^6.1.0",
-    "rollup-plugin-peer-deps-external": "^2.2.4",
-    "ts-node": "^10.9.1",
-    "tslib": "^2.6.2",
-    "typescript": "^5.3.2"
-  },
   "peerDependencies": {
     "jsonwebtoken": "^9.0.2"
-  },
-  "scripts": {
-    "build": "pnpm run clean && pnpm run cjs-compile && pnpm run esm-compile && pnpm run rollup-build && ./exportFix",
-    "clean": "rm -fr dist/* && rm -fr build/*",
-    "cjs-compile": "tsc -p tsconfig-cjs.json",
-    "esm-compile": "tsc -p tsconfig.json",
-    "rollup-build": "rollup -c --bundleConfigAsCjs",
-    "lint": "eslint . --ext .ts",
-    "lintfix": "eslint --fix --ignore-path .gitignore --ext .ts ."
   }
-}
+}

package/build/cjs/dist/mjs/src/index.d.ts

@@ -1,4 +0,0 @@
-export * from "./middleware";
-export * from "./signer";
-export * from "./validate";
-export * from "./types";

package/build/cjs/dist/mjs/src/signer.d.ts

@@ -1,14 +0,0 @@
-type SignJwsResponse = {
-    payload: string;
-    signatures: {
-        protected: string;
-        header: {
-            kid: string;
-        };
-        signature: string;
-    }[];
-};
-export declare function signJws(payload: string, options: any): SignJwsResponse;
-export declare function signPayload(payload: any, options: any): string;
-export declare function signData(payload: object, options: any): SignJwsResponse;
-export {};

package/build/cjs/dist/mjs/src/types.d.ts

@@ -1,6 +0,0 @@
-import { PublicKey, Secret } from "jsonwebtoken";
-export type Key = {
-    algorithm: string;
-    value: Secret | PublicKey;
-};
-export type Keychain = Map<string, Key>;

package/build/cjs/index.d.ts

@@ -1,61 +0,0 @@
-import { Secret, PublicKey } from 'jsonwebtoken';
-
-declare const managementSigner: (options: any) => (req: any, res: any, next: any) => void;
-type OptionsInput = {
-    fieldName?: string;
-    barongJwtPublicKey?: string;
-    jwtPublicKey?: string;
-    issuer?: string;
-};
-declare const sessionVerifier: (options: OptionsInput) => (req: any, res: any, next: any) => void;
-
-type SignJwsResponse = {
-    payload: string;
-    signatures: {
-        protected: string;
-        header: {
-            kid: string;
-        };
-        signature: string;
-    }[];
-};
-declare function signJws(payload: string, options: any): SignJwsResponse;
-declare function signPayload(payload: any, options: any): string;
-declare function signData(payload: object, options: any): SignJwsResponse;
-
-type Key = {
-    algorithm: string;
-    value: Secret | PublicKey;
-};
-type Keychain = Map<string, Key>;
-
-type JwsSignature = {
-    protected: string;
-    header: {
-        kid: string;
-    };
-    signature: string;
-};
-type JwsPayload = {
-    payload: string;
-    signatures: JwsSignature[];
-};
-type JwtPayload<T> = {
-    iss: string;
-    exp: number;
-    jti: string;
-    event: {
-        name: string;
-        record: T;
-    };
-    iat: number;
-};
-declare const validateJws: <T>(key: Key, input: JwsPayload) => JwtPayload<T> | undefined;
-declare const validateJwsMultisig: <T>(keychain: Keychain, input: JwsPayload) => {
-    isVerified: boolean;
-    payload: T;
-    verified: string[];
-    unverified: string[];
-};
-
-export { type Key, type Keychain, managementSigner, sessionVerifier, signData, signJws, signPayload, validateJws, validateJwsMultisig };