@draftlab/auth 0.4.1 → 0.6.0

package/dist/adapters/{node.js → node.mjs}

@@ -5,8 +5,7 @@ import { Readable } from "node:stream";
 * Converts Node.js IncomingMessage to Web Standards Request
 */
 const nodeRequestAdapter = (req) => {
-	const host = req.headers.host || "localhost";
-	const sanitizedHost = host.split(",")[0]?.trim();
+	const sanitizedHost = (req.headers.host || "localhost").split(",")[0]?.trim();
 	const url = new URL(req.url || "/", `http://${sanitizedHost}`);
 	const headers = new Headers();
 	for (const [key, value] of Object.entries(req.headers)) if (value !== void 0) if (Array.isArray(value)) for (const v of value) headers.append(key, v);
@@ -49,8 +48,7 @@ const nodeResponseAdapter = async (response, res) => {
 const createNodeHandler = (fetchHandler) => {
 	return (req, res) => {
 		try {
-			const request = nodeRequestAdapter(req);
-			fetchHandler(request).then((response) => nodeResponseAdapter(response, res)).catch((error) => {
+			fetchHandler(nodeRequestAdapter(req)).then((response) => nodeResponseAdapter(response, res)).catch((error) => {
 				console.error("Handler error:", error instanceof Error ? error.message : "Unknown error");
 				if (!res.headersSent) {
 					res.statusCode = 500;

package/dist/{allow.js → allow.mjs}

@@ -1,4 +1,4 @@
-import { isDomainMatch } from "./util.js";
+import { isDomainMatch } from "./util.mjs";
 
 //#region src/allow.ts
 /**

package/dist/{client.d.ts → client.d.mts}

@@ -1,5 +1,5 @@
-import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.js";
-import { SubjectSchema } from "./subject.js";
+import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.mjs";
+import { SubjectSchema } from "./subject.mjs";
 import { StandardSchemaV1 } from "@standard-schema/spec";
 
 //#region src/client.d.ts
@@ -252,8 +252,24 @@ interface VerifyResult<T extends SubjectSchema> {
   } }[keyof T];
 }
 /**
- * Options for UserInfo requests.
+ * Options for token revocation.
  */
+interface RevokeOptions {
+  /**
+   * Optional hint about the token type.
+   * Can be "access_token" or "refresh_token".
+   *
+   * Helps the server optimize token lookup.
+   *
+   * @example
+   * ```ts
+   * {
+   *   tokenTypeHint: "refresh_token"
+   * }
+   * ```
+   */
+  tokenTypeHint?: "access_token" | "refresh_token";
+}
 /**
  * Draft Auth client with OAuth 2.0 operations.
  */
@@ -392,6 +408,33 @@ interface Client {
    * ```
    */
   verify<T extends SubjectSchema>(subjects: T, token: string, options?: VerifyOptions): Promise<Result<VerifyResult<T>, InvalidRefreshTokenError | InvalidAccessTokenError | InvalidSubjectError>>;
+  /**
+   * Revoke a token (access or refresh token).
+   *
+   * Once revoked, the token cannot be used to access resources or refresh.
+   * Useful for implementing logout functionality.
+   *
+   * @param token - The token to revoke
+   * @param opts - Additional revocation options
+   * @returns Empty result on success
+   *
+   * @example Logout with refresh token revocation
+   * ```ts
+   * const result = await client.revoke(refreshToken, {
+   *   tokenTypeHint: "refresh_token"
+   * })
+   *
+   * if (result.success) {
+   *   // Token revoked successfully, user is logged out
+   *   clearStoredTokens()
+   *   redirectToHome()
+   * } else {
+   *   // Revocation failed, but still clear tokens on client
+   *   clearStoredTokens()
+   * }
+   * ```
+   */
+  revoke(token: string, opts?: RevokeOptions): Promise<Result<void>>;
 }
 /**
  * Create a Draft Auth client.
@@ -409,4 +452,4 @@ interface Client {
  */
 declare const createClient: (input: ClientInput) => Client;
 //#endregion
-export { AuthorizeOptions, AuthorizeResult, Challenge, Client, ClientInput, RefreshOptions, Result, Tokens, VerifyOptions, VerifyResult, WellKnown, createClient };
+export { AuthorizeOptions, AuthorizeResult, Challenge, Client, ClientInput, RefreshOptions, Result, RevokeOptions, Tokens, VerifyOptions, VerifyResult, WellKnown, createClient };

package/dist/{client.js → client.mjs}

@@ -1,9 +1,58 @@
-import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.js";
-import { generatePKCE } from "./pkce.js";
+import { InvalidAccessTokenError, InvalidAuthorizationCodeError, InvalidRefreshTokenError, InvalidSubjectError } from "./error.mjs";
+import { generatePKCE } from "./pkce.mjs";
 import { createLocalJWKSet, errors, jwtVerify } from "jose";
 
 //#region src/client.ts
 /**
+* Draft Auth client for OAuth 2.0 authentication.
+*
+* ## Quick Start
+*
+* First, create a client.
+*
+* ```ts title="client.ts"
+* import { createClient } from "@draftlab/auth/client"
+*
+* const client = createClient({
+*   clientID: "my-client",
+*   issuer: "https://auth.myserver.com"
+* })
+* ```
+*
+* Start the OAuth flow by calling `authorize`.
+*
+* ```ts
+* const result = await client.authorize(
+*   "https://myapp.com/callback",
+*   "code"
+* )
+* if (result.success) {
+*   window.location.href = result.data.url
+* }
+* ```
+*
+* When the user completes the flow, exchange the code for tokens.
+*
+* ```ts
+* const result = await client.exchange(code, redirectUri)
+* if (result.success) {
+*   const { access, refresh } = result.data
+*   // Store tokens securely
+* }
+* ```
+*
+* Verify tokens to get user information.
+*
+* ```ts
+* const result = await client.verify(subjects, accessToken)
+* if (result.success) {
+*   // Access user properties: result.data.subject.properties
+* }
+* ```
+*
+* @packageDocumentation
+*/
+/**
 * Create a Draft Auth client.
 *
 * @param input - Client configuration
@@ -34,8 +83,7 @@ const createClient = (input) => {
 		const wk = await getIssuer();
 		const cached = jwksCache.get(issuer);
 		if (cached) return cached;
-		const keyset = await f(wk.jwks_uri).then((r) => r.json());
-		const result = createLocalJWKSet(keyset);
+		const result = createLocalJWKSet(await f(wk.jwks_uri).then((r) => r.json()));
 		jwksCache.set(issuer, result);
 		return result;
 	};
@@ -72,8 +120,7 @@ const createClient = (input) => {
 		},
 		async exchange(code, redirectURI, verifier) {
 			try {
-				const wk = await getIssuer();
-				const response = await f(wk.token_endpoint, {
+				const response = await f((await getIssuer()).token_endpoint, {
 					method: "POST",
 					headers: { "Content-Type": "application/x-www-form-urlencoded" },
 					body: new URLSearchParams({
@@ -124,8 +171,7 @@ const createClient = (input) => {
 						data: {}
 					};
 				} catch {}
-				const wk = await getIssuer();
-				const response = await f(wk.token_endpoint, {
+				const response = await f((await getIssuer()).token_endpoint, {
 					method: "POST",
 					headers: { "Content-Type": "application/x-www-form-urlencoded" },
 					body: new URLSearchParams({
@@ -155,8 +201,7 @@ const createClient = (input) => {
 		},
 		async verify(subjects, token, options) {
 			try {
-				const jwks = await getJWKS();
-				const jwtResult = await jwtVerify(token, jwks, { issuer });
+				const jwtResult = await jwtVerify(token, await getJWKS(), { issuer });
 				const validated = await subjects[jwtResult.payload.type]?.["~standard"].validate(jwtResult.payload.properties);
 				if (!validated?.issues && jwtResult.payload.mode === "access") return {
 					success: true,
@@ -200,6 +245,32 @@ const createClient = (input) => {
 					error: new InvalidAccessTokenError()
 				};
 			}
+		},
+		async revoke(token, opts) {
+			try {
+				const wk = await getIssuer();
+				const body = new URLSearchParams({
+					token,
+					...opts?.tokenTypeHint ? { token_type_hint: opts.tokenTypeHint } : {}
+				});
+				if ((await f(wk.token_endpoint.replace("/token", "/revoke"), {
+					method: "POST",
+					headers: { "Content-Type": "application/x-www-form-urlencoded" },
+					body: body.toString()
+				})).ok) return {
+					success: true,
+					data: void 0
+				};
+				return {
+					success: false,
+					error: /* @__PURE__ */ new Error("Failed to revoke token")
+				};
+			} catch (error) {
+				return {
+					success: false,
+					error
+				};
+			}
 		}
 	};
 	return client;

package/dist/{core.d.ts → core.d.mts}

@@ -1,11 +1,11 @@
-import { AllowCheckInput } from "./allow.js";
-import { UnknownStateError } from "./error.js";
-import { Prettify } from "./util.js";
-import { SubjectPayload, SubjectSchema } from "./subject.js";
-import { StorageAdapter } from "./storage/storage.js";
-import { Plugin } from "./plugin/types.js";
-import { Provider } from "./provider/provider.js";
-import { Theme } from "./themes/theme.js";
+import { AllowCheckInput } from "./allow.mjs";
+import { UnknownStateError } from "./error.mjs";
+import { Prettify } from "./util.mjs";
+import { SubjectPayload, SubjectSchema } from "./subject.mjs";
+import { StorageAdapter } from "./storage/storage.mjs";
+import { Plugin } from "./plugin/types.mjs";
+import { Provider } from "./provider/provider.mjs";
+import { Theme } from "./themes/theme.mjs";
 import { Router } from "@draftlab/auth-router";
 
 //#region src/core.d.ts
@@ -13,11 +13,11 @@ import { Router } from "@draftlab/auth-router";
 /**
  * Sets the subject payload in the JWT token and returns the response.
  */
-interface OnSuccessResponder<T extends {
+interface OnSuccessResponder<T$1 extends {
   type: string;
   properties: unknown;
 }> {
-  subject<Type extends T["type"]>(type: Type, properties: Extract<T, {
+  subject<Type extends T$1["type"]>(type: Type, properties: Extract<T$1, {
     type: Type;
   }>["properties"], opts?: {
     ttl?: {

package/dist/{core.js → core.mjs}

@@ -1,13 +1,14 @@
-import { getRelativeUrl, lazy } from "./util.js";
-import { defaultAllowCheck } from "./allow.js";
-import { MissingParameterError, OauthError, UnauthorizedClientError, UnknownStateError } from "./error.js";
-import { validatePKCE } from "./pkce.js";
-import { generateSecureToken } from "./random.js";
-import { Storage } from "./storage/storage.js";
-import { encryptionKeys, signingKeys } from "./keys.js";
-import { PluginManager } from "./plugin/manager.js";
-import { setTheme } from "./themes/theme.js";
-import { Select } from "./ui/select.js";
+import { getRelativeUrl, lazy } from "./util.mjs";
+import { defaultAllowCheck } from "./allow.mjs";
+import { MissingParameterError, OauthError, UnauthorizedClientError, UnknownStateError } from "./error.mjs";
+import { validatePKCE } from "./pkce.mjs";
+import { generateSecureToken } from "./random.mjs";
+import { Storage } from "./storage/storage.mjs";
+import { encryptionKeys, signingKeys } from "./keys.mjs";
+import { PluginManager } from "./plugin/manager.mjs";
+import { Revocation } from "./revocation.mjs";
+import { setTheme } from "./themes/theme.mjs";
+import { Select } from "./ui/select.mjs";
 import { CompactEncrypt, SignJWT, compactDecrypt } from "jose";
 import { Router } from "@draftlab/auth-router";
 import { deleteCookie, getCookie, setCookie } from "@draftlab/auth-router/cookies";
@@ -15,6 +16,33 @@ import { cors } from "@draftlab/auth-router/middleware/cors";
 
 //#region src/core.ts
 /**
+* Core issuer implementation.
+*/
+/**
+* Performs an operation with guaranteed minimum execution time.
+* Adds random jitter to prevent timing-based attacks even if operation completes quickly.
+*
+* Used for validating sensitive data where timing differences could leak information
+* (e.g., authorization codes, refresh tokens).
+*
+* @param fn - Async function to execute
+* @param minTimeMs - Minimum execution time in milliseconds (default: 100ms)
+* @returns Result of the function, guaranteed to take at least minTimeMs
+*/
+const normalizeTimingAsync = async (fn, minTimeMs = 100) => {
+	const startTime = performance.now();
+	const result = await fn();
+	const elapsed = performance.now() - startTime;
+	const remainingTime = Math.max(0, minTimeMs - elapsed);
+	if (remainingTime > 0) {
+		const jitterBuffer = new Uint32Array(1);
+		crypto.getRandomValues(jitterBuffer);
+		const totalDelay = remainingTime + (jitterBuffer[0] ?? 0) / 4294967295 * 20;
+		await new Promise((resolve) => setTimeout(resolve, totalDelay));
+	}
+	return result;
+};
+/**
 * Determines if the incoming request is using HTTPS protocol.
 * Checks multiple proxy headers to handle load balancers and reverse proxies.
 *
@@ -60,8 +88,7 @@ const issuer = (input) => {
 	const issuer$1 = (ctx) => {
 		const baseUrl = new URL(getRelativeUrl(ctx, "/"));
 		if (input.basePath) {
-			const normalizedBasePath = input.basePath.startsWith("/") ? input.basePath : `/${input.basePath}`;
-			baseUrl.pathname = normalizedBasePath.replace(/\/$/, "");
+			baseUrl.pathname = (input.basePath.startsWith("/") ? input.basePath : `/${input.basePath}`).replace(/\/$/, "");
 			return baseUrl.href;
 		}
 		return baseUrl.origin;
@@ -90,12 +117,9 @@ const issuer = (input) => {
 	*/
 	const resolveSubject = async (type, properties) => {
 		const jsonString = JSON.stringify(properties);
-		const encoder = new TextEncoder();
-		const data = encoder.encode(jsonString);
+		const data = new TextEncoder().encode(jsonString);
 		const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-		const hashArray = Array.from(new Uint8Array(hashBuffer));
-		const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
-		return `${type}:${hashHex.slice(0, 16)}`;
+		return `${type}:${Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("").slice(0, 16)}`;
 	};
 	/**
 	* Generates access and refresh tokens for OAuth 2.0.
@@ -128,23 +152,21 @@ const issuer = (input) => {
 		if (!signingKeyData) throw new Error("Signing key not available");
 		const now = Math.floor(Date.now() / 1e3);
 		if (!value.clientID.trim()) throw new Error("Invalid audience: client ID cannot be empty");
-		const accessPayload = {
-			type: value.type,
-			properties: value.properties,
-			sub: value.subject,
-			aud: value.clientID,
-			iss: issuer$1(ctx),
-			exp: now + value.ttl.access,
-			iat: now,
-			mode: "access"
-		};
-		const access = await new SignJWT(accessPayload).setExpirationTime(Math.floor(now + value.ttl.access)).setProtectedHeader({
-			alg: signingKeyData.alg,
-			kid: signingKeyData.id,
-			typ: "JWT"
-		}).sign(signingKeyData.private);
 		return {
-			access,
+			access: await new SignJWT({
+				type: value.type,
+				properties: value.properties,
+				sub: value.subject,
+				aud: value.clientID,
+				iss: issuer$1(ctx),
+				exp: now + value.ttl.access,
+				iat: now,
+				mode: "access"
+			}).setExpirationTime(Math.floor(now + value.ttl.access)).setProtectedHeader({
+				alg: signingKeyData.alg,
+				kid: signingKeyData.id,
+				typ: "JWT"
+			}).sign(signingKeyData.private),
 			refresh: [value.subject, refreshToken].join(":"),
 			expiresIn: Math.floor(now + value.ttl.access - Date.now() / 1e3)
 		};
@@ -227,8 +249,7 @@ const issuer = (input) => {
 		},
 		async set(ctx, key, maxAge, value) {
 			const isHttps = isHttpsRequest(ctx);
-			const encryptedValue = await encrypt(value);
-			setCookie(ctx, key, encryptedValue, {
+			setCookie(ctx, key, await encrypt(value), {
 				maxAge,
 				httpOnly: true,
 				secure: isHttps,
@@ -238,13 +259,12 @@ const issuer = (input) => {
 		},
 		async get(ctx, key) {
 			const raw = getCookie(ctx, key);
-			if (!raw) return void 0;
+			if (!raw) return;
 			try {
-				const decrypted = await decrypt(raw);
-				return decrypted;
+				return await decrypt(raw);
 			} catch {
 				deleteCookie(ctx, key, { path: input.basePath || "/" });
-				return void 0;
+				return;
 			}
 		},
 		async unset(ctx, key) {
@@ -281,8 +301,7 @@ const issuer = (input) => {
 			credentials: false
 		})],
 		handler: async (c) => {
-			const signingKeys$1 = await allSigning();
-			const jwksDocument = { keys: signingKeys$1.map((keyInfo) => ({
+			const jwksDocument = { keys: (await allSigning()).map((keyInfo) => ({
 				...keyInfo.jwk,
 				alg: keyInfo.alg,
 				exp: keyInfo.expired ? Math.floor(keyInfo.expired.getTime() / 1e3) : void 0
@@ -326,19 +345,20 @@ const issuer = (input) => {
 					return c.json(error$1.toJSON(), { status: 400 });
 				}
 				const key = ["oauth:code", code.toString()];
-				const payload = await Storage.get(storage, key);
-				if (!payload) {
+				const { isValid, payload } = await normalizeTimingAsync(async () => {
+					const data = await Storage.get(storage, key);
+					const redirectUri = form.get("redirect_uri");
+					const clientId = form.get("client_id");
+					const valid = !!(data && data.redirectURI === redirectUri && data.clientID === clientId);
+					return {
+						isValid: valid,
+						payload: valid ? data : void 0
+					};
+				});
+				if (!isValid || !payload) {
 					const error$1 = new OauthError("invalid_grant", "Authorization code has been used or expired");
 					return c.json(error$1.toJSON(), { status: 400 });
 				}
-				if (payload.redirectURI !== form.get("redirect_uri")) {
-					const error$1 = new OauthError("invalid_redirect_uri", "Redirect URI mismatch");
-					return c.json(error$1.toJSON(), { status: 400 });
-				}
-				if (payload.clientID !== form.get("client_id")) {
-					const error$1 = new OauthError("unauthorized_client", "Client is not authorized to use this authorization code");
-					return c.json(error$1.toJSON(), { status: 400 });
-				}
 				if (payload.pkce) {
 					const codeVerifier = form.get("code_verifier")?.toString();
 					if (!codeVerifier) {
@@ -365,7 +385,12 @@ const issuer = (input) => {
 					const error$1 = new OauthError("invalid_request", "Missing refresh_token");
 					return c.json(error$1.toJSON(), { status: 400 });
 				}
-				const splits = refreshToken.toString().split(":");
+				const refreshTokenStr = refreshToken.toString();
+				if (await Revocation.isRevoked(storage, refreshTokenStr)) {
+					const error$1 = new OauthError("invalid_grant", "Refresh token has been revoked");
+					return c.json(error$1.toJSON(), { status: 400 });
+				}
+				const splits = refreshTokenStr.split(":");
 				const token = splits.pop();
 				if (!token) throw new Error("Invalid refresh token format");
 				const subject = splits.join(":");
@@ -398,7 +423,6 @@ const issuer = (input) => {
 					payload.properties = refreshResult.properties;
 					if (refreshResult.subject) payload.subject = refreshResult.subject;
 					if (refreshResult.scopes) payload.scopes = refreshResult.scopes;
-					payload.properties = refreshResult.properties;
 				} catch {
 					return c.json({
 						error: "server_error",
@@ -440,6 +464,31 @@ const issuer = (input) => {
 			}, { status: 400 });
 		}
 	});
+	app.post("/revoke", {
+		middleware: [cors({
+			origin: "*",
+			allowHeaders: ["Content-Type"],
+			allowMethods: ["POST"],
+			credentials: false
+		})],
+		handler: async (c) => {
+			const token = (await c.formData()).get("token")?.toString();
+			if (!token) {
+				const error$1 = new OauthError("invalid_request", "Missing token parameter");
+				return c.json(error$1.toJSON(), { status: 400 });
+			}
+			try {
+				const expiresAt = Date.now() + ttlRefresh * 1e3;
+				await Revocation.revoke(storage, token, expiresAt);
+				return c.json({});
+			} catch (_err) {
+				return c.json({
+					error: "server_error",
+					error_description: "Token revocation failed"
+				}, { status: 500 });
+			}
+		}
+	});
 	app.get("/authorize", async (c) => {
 		const provider = c.query("provider");
 		const response_type = c.query("response_type");
@@ -449,14 +498,13 @@ const issuer = (input) => {
 		const audience = c.query("audience");
 		const code_challenge = c.query("code_challenge");
 		const code_challenge_method = c.query("code_challenge_method");
-		const scope = c.query("scope");
 		const authorization = {
 			response_type,
 			redirect_uri,
 			state,
 			client_id,
 			audience,
-			scope,
+			scope: c.query("scope"),
 			...code_challenge && code_challenge_method && { pkce: {
 				challenge: code_challenge,
 				method: code_challenge_method
@@ -472,7 +520,7 @@ const issuer = (input) => {
 			redirectURI: redirect_uri,
 			audience
 		}, c.request)) throw new UnauthorizedClientError(client_id, redirect_uri);
-		await auth.set(c, "authorization", 3600 * 24, authorization);
+		await auth.set(c, "authorization", 900, authorization);
 		if (provider) return c.redirect(`${provider}/authorize`);
 		const availableProviders = Object.keys(input.providers);
 		if (availableProviders.length === 1) return c.redirect(`${availableProviders[0]}/authorize`);

package/dist/index.d.mts

@@ -0,0 +1,2 @@
+import { issuer } from "./core.mjs";
+export { issuer };

package/dist/index.mjs

@@ -0,0 +1,3 @@
+import { issuer } from "./core.mjs";
+
+export { issuer };

package/dist/{keys.d.ts → keys.d.mts}

@@ -1,4 +1,4 @@
-import { StorageAdapter } from "./storage/storage.js";
+import { StorageAdapter } from "./storage/storage.mjs";
 import { CryptoKey, JWK } from "jose";
 
 //#region src/keys.d.ts

package/dist/{keys.js → keys.mjs}

@@ -1,5 +1,5 @@
-import { generateSecureToken } from "./random.js";
-import { Storage } from "./storage/storage.js";
+import { generateSecureToken } from "./random.mjs";
+import { Storage } from "./storage/storage.mjs";
 import { exportJWK, exportPKCS8, exportSPKI, generateKeyPair, importPKCS8, importSPKI } from "jose";
 
 //#region src/keys.ts
@@ -63,7 +63,7 @@ const signingKeys = async (storage) => {
 	const jwk = await exportJWK(key.publicKey);
 	jwk.kid = serialized.id;
 	jwk.use = "sig";
-	const newKeyPair = {
+	return [{
 		id: serialized.id,
 		alg: signingAlg,
 		created: new Date(serialized.created),
@@ -71,8 +71,7 @@ const signingKeys = async (storage) => {
 		public: key.publicKey,
 		private: key.privateKey,
 		jwk
-	};
-	return [newKeyPair, ...results];
+	}, ...results];
 };
 /**
 * Loads or generates encryption keys for token encryption operations.
@@ -124,7 +123,7 @@ const encryptionKeys = async (storage) => {
 	await Storage.set(storage, ["encryption:key", serialized.id], serialized);
 	const jwk = await exportJWK(key.publicKey);
 	jwk.kid = serialized.id;
-	const newKeyPair = {
+	return [{
 		id: serialized.id,
 		alg: encryptionAlg,
 		created: new Date(serialized.created),
@@ -132,8 +131,7 @@ const encryptionKeys = async (storage) => {
 		public: key.publicKey,
 		private: key.privateKey,
 		jwk
-	};
-	return [newKeyPair, ...results];
+	}, ...results];
 };
 
 //#endregion

package/dist/{pkce.js → pkce.mjs}

@@ -57,8 +57,7 @@ const generateVerifier = (length) => {
 */
 const generateChallenge = async (verifier, method) => {
 	if (method === "plain") return verifier;
-	const encoder = new TextEncoder();
-	const data = encoder.encode(verifier);
+	const data = new TextEncoder().encode(verifier);
 	const hash = await crypto.subtle.digest("SHA-256", data);
 	return base64url.encode(new Uint8Array(hash));
 };
@@ -89,10 +88,9 @@ const generatePKCE = async (length = 48) => {
 	const verifier = generateVerifier(length);
 	if (verifier.length < 43 || verifier.length > 128) throw new Error("Generated verifier does not meet requirements");
 	if (!/^[A-Za-z0-9_-]+$/.test(verifier)) throw new Error("Generated verifier is not valid base64url format");
-	const challenge = await generateChallenge(verifier, "S256");
 	return {
 		verifier,
-		challenge,
+		challenge: await generateChallenge(verifier, "S256"),
 		method: "S256"
 	};
 };
@@ -129,19 +127,16 @@ const validatePKCE = async (verifier, challenge, method = "S256") => {
 	let hasEarlyFailure = false;
 	const normalizedVerifier = String(verifier || "");
 	const normalizedChallenge = String(challenge || "");
-	const validations = [
+	hasEarlyFailure = ![
 		typeof verifier === "string" && typeof challenge === "string" && verifier && challenge,
 		normalizedVerifier.length >= 43 && normalizedVerifier.length <= 128,
 		normalizedChallenge.length >= 43 && normalizedChallenge.length <= 128,
 		/^[A-Za-z0-9_-]+$/.test(normalizedVerifier),
 		/^[A-Za-z0-9_-]+$/.test(normalizedChallenge)
-	];
-	hasEarlyFailure = !validations.every(Boolean);
+	].every(Boolean);
 	const verifierToUse = hasEarlyFailure ? "dummyverifier_".repeat(6) : normalizedVerifier;
 	try {
-		const generatedChallenge = await generateChallenge(verifierToUse, method);
-		const challengeToCompare = hasEarlyFailure ? "dummychallenge_".repeat(6) : normalizedChallenge;
-		const comparisonResult = timingSafeCompare(generatedChallenge, challengeToCompare);
+		const comparisonResult = timingSafeCompare(await generateChallenge(verifierToUse, method), hasEarlyFailure ? "dummychallenge_".repeat(6) : normalizedChallenge);
 		isValid = !hasEarlyFailure && comparisonResult;
 	} catch {
 		isValid = false;

package/dist/plugin/{builder.d.ts → builder.d.mts}

@@ -1,4 +1,4 @@
-import { PluginBuilder } from "./plugin.js";
+import { PluginBuilder } from "./plugin.mjs";
 
 //#region src/plugin/builder.d.ts
 

package/dist/plugin/{manager.d.ts → manager.d.mts}

@@ -1,5 +1,5 @@
-import { StorageAdapter } from "../storage/storage.js";
-import { Plugin } from "./types.js";
+import { StorageAdapter } from "../storage/storage.mjs";
+import { Plugin } from "./types.mjs";
 import { Router } from "@draftlab/auth-router";
 
 //#region src/plugin/manager.d.ts

package/dist/plugin/{manager.js → manager.mjs}

@@ -1,4 +1,4 @@
-import { PluginError } from "./types.js";
+import { PluginError } from "./types.mjs";
 
 //#region src/plugin/manager.ts
 var PluginManager = class {

package/dist/plugin/{plugin.d.ts → plugin.d.mts}

@@ -1,4 +1,4 @@
-import { Plugin, PluginRouteHandler } from "./types.js";
+import { Plugin, PluginRouteHandler } from "./types.mjs";
 
 //#region src/plugin/plugin.d.ts