npm - @dofe/infra-jwt - Versions diffs - 0.1.40 → 0.1.41 - Mend

@dofe/infra-jwt 0.1.40 → 0.1.41

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,2 +1,3 @@
 export { JwtModule } from './jwt.module';
+export { JwksClient } from './jwks-client';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../packages/jwt/src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../packages/jwt/src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC"}

package/dist/index.js CHANGED Viewed

@@ -1,6 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.JwtModule = void 0;
+exports.JwksClient = exports.JwtModule = void 0;
 var jwt_module_1 = require("./jwt.module");
 Object.defineProperty(exports, "JwtModule", { enumerable: true, get: function () { return jwt_module_1.JwtModule; } });
+var jwks_client_1 = require("./jwks-client");
+Object.defineProperty(exports, "JwksClient", { enumerable: true, get: function () { return jwks_client_1.JwksClient; } });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../packages/jwt/src/index.ts"],"names":[],"mappings":";;;AAAA,2CAAyC;AAAhC,uGAAA,SAAS,OAAA"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../packages/jwt/src/index.ts"],"names":[],"mappings":";;;AAAA,2CAAyC;AAAhC,uGAAA,SAAS,OAAA;AAClB,6CAA2C;AAAlC,yGAAA,UAAU,OAAA"}

package/dist/jwks-client.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+/**
+ * Simple JWKS client — fetches and caches public keys from an OIDC JWKS endpoint.
+ * Converts JWK RSA keys to PEM format for use with JWT verification.
+ *
+ * Features:
+ * - In-memory cache with configurable TTL
+ * - Graceful stale cache on fetch failure
+ * - Zero external dependencies (no `jose`, `node-jose`, etc.)
+ */
+export declare class JwksClient {
+    private readonly jwksUri;
+    private readonly cacheTtlMs;
+    private cache;
+    constructor(jwksUri: string, cacheTtlMs?: number);
+    /**
+     * Get a PEM public key by key ID (kid).
+     * Fetches and caches JWKS on first call or cache expiry.
+     * Returns null if no matching key is found.
+     */
+    getPublicKey(kid: string): Promise<string | null>;
+    private ensureCache;
+    /**
+     * Convert a JWK RSA public key to PEM format (PKCS#1).
+     * Uses minimal ASN.1 DER encoding — no external dependencies.
+     */
+    private jwkToPem;
+    private encodeAsn1Length;
+    private encodeAsn1Integer;
+    private encodeAsn1Sequence;
+}
+//# sourceMappingURL=jwks-client.d.ts.map

package/dist/jwks-client.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwks-client.d.ts","sourceRoot":"","sources":["../../../packages/jwt/src/jwks-client.ts"],"names":[],"mappings":"AAgBA;;;;;;;;GAQG;AACH,qBAAa,UAAU;IAInB,OAAO,CAAC,QAAQ,CAAC,OAAO;IACxB,OAAO,CAAC,QAAQ,CAAC,UAAU;IAJ7B,OAAO,CAAC,KAAK,CAAiE;gBAG3D,OAAO,EAAE,MAAM,EACf,UAAU,SAAgB;IAG7C;;;;OAIG;IACG,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;YAKzC,WAAW;IA0BzB;;;OAGG;IACH,OAAO,CAAC,QAAQ;IAyBhB,OAAO,CAAC,gBAAgB;IAaxB,OAAO,CAAC,iBAAiB;IAUzB,OAAO,CAAC,kBAAkB;CAO3B"}

package/dist/jwks-client.js ADDED Viewed

@@ -0,0 +1,106 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwksClient = void 0;
+/**
+ * Simple JWKS client — fetches and caches public keys from an OIDC JWKS endpoint.
+ * Converts JWK RSA keys to PEM format for use with JWT verification.
+ *
+ * Features:
+ * - In-memory cache with configurable TTL
+ * - Graceful stale cache on fetch failure
+ * - Zero external dependencies (no `jose`, `node-jose`, etc.)
+ */
+class JwksClient {
+    jwksUri;
+    cacheTtlMs;
+    cache = null;
+    constructor(jwksUri, cacheTtlMs = 5 * 60 * 1000) {
+        this.jwksUri = jwksUri;
+        this.cacheTtlMs = cacheTtlMs;
+    }
+    /**
+     * Get a PEM public key by key ID (kid).
+     * Fetches and caches JWKS on first call or cache expiry.
+     * Returns null if no matching key is found.
+     */
+    async getPublicKey(kid) {
+        await this.ensureCache();
+        return this.cache?.keys.get(kid) ?? null;
+    }
+    async ensureCache() {
+        if (this.cache && Date.now() < this.cache.expiresAt)
+            return;
+        try {
+            const response = await fetch(this.jwksUri);
+            if (!response.ok) {
+                throw new Error(`JWKS fetch failed: ${response.status}`);
+            }
+            const jwks = (await response.json());
+            const keys = new Map();
+            for (const jwk of jwks.keys) {
+                if (jwk.kid) {
+                    keys.set(jwk.kid, this.jwkToPem(jwk));
+                }
+            }
+            this.cache = { keys, expiresAt: Date.now() + this.cacheTtlMs };
+        }
+        catch (error) {
+            // On fetch failure, keep stale cache if available
+            if (!this.cache) {
+                throw error;
+            }
+        }
+    }
+    /**
+     * Convert a JWK RSA public key to PEM format (PKCS#1).
+     * Uses minimal ASN.1 DER encoding — no external dependencies.
+     */
+    jwkToPem(jwk) {
+        if (jwk.kty !== 'RSA' || !jwk.n || !jwk.e) {
+            throw new Error(`Unsupported JWK key type: ${jwk.kty}`);
+        }
+        const base64UrlDecode = (str) => {
+            let base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+            while (base64.length % 4 !== 0)
+                base64 += '=';
+            return Buffer.from(base64, 'base64');
+        };
+        const modulus = base64UrlDecode(jwk.n);
+        const exponent = base64UrlDecode(jwk.e);
+        const modulusBytes = this.encodeAsn1Integer(modulus);
+        const exponentBytes = this.encodeAsn1Integer(exponent);
+        const sequence = this.encodeAsn1Sequence(Buffer.concat([modulusBytes, exponentBytes]));
+        const base64Der = sequence.toString('base64');
+        const lines = base64Der.match(/.{1,64}/g) ?? [base64Der];
+        return `-----BEGIN RSA PUBLIC KEY-----\n${lines.join('\n')}\n-----END RSA PUBLIC KEY-----`;
+    }
+    encodeAsn1Length(length) {
+        if (length < 128) {
+            return Buffer.from([length]);
+        }
+        const bytes = [];
+        let len = length;
+        while (len > 0) {
+            bytes.unshift(len & 0xff);
+            len >>= 8;
+        }
+        return Buffer.from([0x80 | bytes.length, ...bytes]);
+    }
+    encodeAsn1Integer(value) {
+        const data = value[0] & 0x80 ? Buffer.concat([Buffer.from([0x00]), value]) : value;
+        return Buffer.concat([
+            Buffer.from([0x02]),
+            this.encodeAsn1Length(data.length),
+            data,
+        ]);
+    }
+    encodeAsn1Sequence(contents) {
+        return Buffer.concat([
+            Buffer.from([0x30]),
+            this.encodeAsn1Length(contents.length),
+            contents,
+        ]);
+    }
+}
+exports.JwksClient = JwksClient;
+//# sourceMappingURL=jwks-client.js.map

package/dist/jwks-client.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwks-client.js","sourceRoot":"","sources":["../../../packages/jwt/src/jwks-client.ts"],"names":[],"mappings":";;;AAgBA;;;;;;;;GAQG;AACH,MAAa,UAAU;IAIF;IACA;IAJX,KAAK,GAA4D,IAAI,CAAC;IAE9E,YACmB,OAAe,EACf,aAAa,CAAC,GAAG,EAAE,GAAG,IAAI;QAD1B,YAAO,GAAP,OAAO,CAAQ;QACf,eAAU,GAAV,UAAU,CAAgB;IAC1C,CAAC;IAEJ;;;;OAIG;IACH,KAAK,CAAC,YAAY,CAAC,GAAW;QAC5B,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IAC3C,CAAC;IAEO,KAAK,CAAC,WAAW;QACvB,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS;YAAE,OAAO;QAE5D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,sBAAsB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAC3D,CAAC;YACD,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiB,CAAC;YACrD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;YAEvC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,IAAI,GAAG,CAAC,GAAG,EAAE,CAAC;oBACZ,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;gBACxC,CAAC;YACH,CAAC;YAED,IAAI,CAAC,KAAK,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,kDAAkD;YAClD,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;gBAChB,MAAM,KAAK,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,QAAQ,CAAC,GAAQ;QACvB,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,MAAM,eAAe,GAAG,CAAC,GAAW,EAAU,EAAE;YAC9C,IAAI,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YACvD,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;gBAAE,MAAM,IAAI,GAAG,CAAC;YAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvC,CAAC,CAAC;QAEF,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACvC,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAExC,MAAM,YAAY,GAAG,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACrD,MAAM,aAAa,GAAG,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,IAAI,CAAC,kBAAkB,CACtC,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,EAAE,aAAa,CAAC,CAAC,CAC7C,CAAC;QAEF,MAAM,SAAS,GAAG,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC9C,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzD,OAAO,mCAAmC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,gCAAgC,CAAC;IAC7F,CAAC;IAEO,gBAAgB,CAAC,MAAc;QACrC,IAAI,MAAM,GAAG,GAAG,EAAE,CAAC;YACjB,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;QAC/B,CAAC;QACD,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,GAAG,GAAG,MAAM,CAAC;QACjB,OAAO,GAAG,GAAG,CAAC,EAAE,CAAC;YACf,KAAK,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC;YAC1B,GAAG,KAAK,CAAC,CAAC;QACZ,CAAC;QACD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC;IACtD,CAAC;IAEO,iBAAiB,CAAC,KAAa;QACrC,MAAM,IAAI,GACR,KAAK,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;QACxE,OAAO,MAAM,CAAC,MAAM,CAAC;YACnB,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;YACnB,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC;YAClC,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAEO,kBAAkB,CAAC,QAAgB;QACzC,OAAO,MAAM,CAAC,MAAM,CAAC;YACnB,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;YACnB,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC;YACtC,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;CACF;AAvGD,gCAuGC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@dofe/infra-jwt",
-  "version": "0.1.40",
+  "version": "0.1.41",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "exports": {
@@ -8,6 +8,10 @@
       "types": "./dist/index.d.ts",
       "default": "./dist/index.js"
     },
+    "./jwks-client": {
+      "types": "./dist/jwks-client.d.ts",
+      "default": "./dist/jwks-client.js"
+    },
     "./jwt.module": {
       "types": "./dist/jwt.module.d.ts",
       "default": "./dist/jwt.module.js"
@@ -19,7 +23,7 @@
     "@nestjs/jwt": "^11.0.0",
     "reflect-metadata": "^0.2.0",
     "rxjs": "^7.8.0",
-    "@dofe/infra-common": "^0.1.40"
+    "@dofe/infra-common": "^0.1.41"
   },
   "devDependencies": {
     "rimraf": "^6.1.3",