@drmhse/authos-node 0.1.0

package/dist/index.js

@@ -0,0 +1,296 @@
+'use strict';
+
+var crypto2 = require('crypto');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var crypto2__namespace = /*#__PURE__*/_interopNamespace(crypto2);
+
+// src/jwks.ts
+var jwksCache = /* @__PURE__ */ new Map();
+var DEFAULT_CACHE_TTL = 60 * 60 * 1e3;
+function base64UrlDecode(input) {
+  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = base64.length % 4;
+  const padded = pad ? base64 + "=".repeat(4 - pad) : base64;
+  return Buffer.from(padded, "base64");
+}
+function jwkToPem(jwk) {
+  if (jwk.kty !== "RSA" || !jwk.n || !jwk.e) {
+    throw new Error("Only RSA keys are supported");
+  }
+  const n = base64UrlDecode(jwk.n);
+  const e = base64UrlDecode(jwk.e);
+  const nInt = encodeASN1Integer(n);
+  const eInt = encodeASN1Integer(e);
+  const rsaPublicKey = encodeASN1Sequence(Buffer.concat([nInt, eInt]));
+  const bitString = Buffer.concat([
+    Buffer.from([3]),
+    encodeASN1Length(rsaPublicKey.length + 1),
+    Buffer.from([0]),
+    // no unused bits
+    rsaPublicKey
+  ]);
+  const algorithmIdentifier = Buffer.from([
+    48,
+    13,
+    // SEQUENCE
+    6,
+    9,
+    // OID
+    42,
+    134,
+    72,
+    134,
+    247,
+    13,
+    1,
+    1,
+    1,
+    // 1.2.840.113549.1.1.1
+    5,
+    0
+    // NULL
+  ]);
+  const subjectPublicKeyInfo = encodeASN1Sequence(
+    Buffer.concat([algorithmIdentifier, bitString])
+  );
+  const base64Key = subjectPublicKeyInfo.toString("base64");
+  const lines = base64Key.match(/.{1,64}/g) || [];
+  return `-----BEGIN PUBLIC KEY-----
+${lines.join("\n")}
+-----END PUBLIC KEY-----`;
+}
+function encodeASN1Length(length) {
+  if (length < 128) {
+    return Buffer.from([length]);
+  }
+  const bytes = [];
+  let len = length;
+  while (len > 0) {
+    bytes.unshift(len & 255);
+    len = len >> 8;
+  }
+  return Buffer.from([128 | bytes.length, ...bytes]);
+}
+function encodeASN1Integer(value) {
+  const needsPadding = value[0] & 128;
+  const content = needsPadding ? Buffer.concat([Buffer.from([0]), value]) : value;
+  return Buffer.concat([
+    Buffer.from([2]),
+    // INTEGER tag
+    encodeASN1Length(content.length),
+    content
+  ]);
+}
+function encodeASN1Sequence(content) {
+  return Buffer.concat([
+    Buffer.from([48]),
+    // SEQUENCE tag
+    encodeASN1Length(content.length),
+    content
+  ]);
+}
+async function fetchJWKS(baseURL) {
+  const url = `${baseURL.replace(/\/$/, "")}/.well-known/jwks.json`;
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch JWKS: ${response.status} ${response.statusText}`);
+  }
+  return response.json();
+}
+async function getJWKS(baseURL, cacheTTL) {
+  const cached = jwksCache.get(baseURL);
+  const now = Date.now();
+  if (cached && now - cached.fetchedAt < cacheTTL) {
+    return cached.jwks;
+  }
+  const jwks = await fetchJWKS(baseURL);
+  jwksCache.set(baseURL, { jwks, fetchedAt: now });
+  return jwks;
+}
+function findKey(jwks, kid) {
+  return jwks.keys.find((key) => key.kid === kid) || null;
+}
+var TokenVerificationError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "TokenVerificationError";
+  }
+};
+function parseJWT(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new TokenVerificationError("Invalid JWT format", "INVALID_TOKEN_FORMAT");
+  }
+  try {
+    const header = JSON.parse(base64UrlDecode(parts[0]).toString("utf8"));
+    const payload = JSON.parse(base64UrlDecode(parts[1]).toString("utf8"));
+    return { header, payload };
+  } catch {
+    throw new TokenVerificationError("Invalid JWT encoding", "INVALID_TOKEN_FORMAT");
+  }
+}
+function createTokenVerifier(options) {
+  const { baseURL, jwksCacheTTL = DEFAULT_CACHE_TTL } = options;
+  async function verifyToken(token, verifyOptions = {}) {
+    const { audience, issuer, clockTolerance = 0 } = verifyOptions;
+    const { header, payload } = parseJWT(token);
+    if (header.alg !== "RS256") {
+      throw new TokenVerificationError(
+        `Unsupported algorithm: ${header.alg}. Only RS256 is supported.`,
+        "INVALID_ALGORITHM"
+      );
+    }
+    const kid = header.kid;
+    if (!kid) {
+      throw new TokenVerificationError("Token missing kid header", "MISSING_KID");
+    }
+    const jwks = await getJWKS(baseURL, jwksCacheTTL);
+    const jwk = findKey(jwks, kid);
+    if (!jwk) {
+      const freshJwks = await fetchJWKS(baseURL);
+      jwksCache.set(baseURL, { jwks: freshJwks, fetchedAt: Date.now() });
+      const freshJwk = findKey(freshJwks, kid);
+      if (!freshJwk) {
+        throw new TokenVerificationError(
+          `No matching key found for kid: ${kid}`,
+          "KEY_NOT_FOUND"
+        );
+      }
+      return verifyWithKey(token, freshJwk, payload, { audience, issuer, clockTolerance });
+    }
+    return verifyWithKey(token, jwk, payload, { audience, issuer, clockTolerance });
+  }
+  return { verifyToken };
+}
+function verifyWithKey(token, jwk, payload, options) {
+  const { audience, issuer, clockTolerance } = options;
+  const pem = jwkToPem(jwk);
+  const parts = token.split(".");
+  const signatureInput = `${parts[0]}.${parts[1]}`;
+  const signature = base64UrlDecode(parts[2]);
+  const verifier = crypto2__namespace.createVerify("RSA-SHA256");
+  verifier.update(signatureInput);
+  if (!verifier.verify(pem, signature)) {
+    throw new TokenVerificationError("Invalid token signature", "INVALID_SIGNATURE");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.exp && payload.exp + clockTolerance < now) {
+    throw new TokenVerificationError("Token has expired", "TOKEN_EXPIRED");
+  }
+  if (payload.iat && payload.iat - clockTolerance > now) {
+    throw new TokenVerificationError("Token is not yet valid", "TOKEN_NOT_YET_VALID");
+  }
+  if (audience) {
+    const tokenAud = payload.aud;
+    const validAud = Array.isArray(tokenAud) ? tokenAud.includes(audience) : tokenAud === audience;
+    if (!validAud) {
+      throw new TokenVerificationError("Invalid token audience", "INVALID_AUDIENCE");
+    }
+  }
+  if (issuer) {
+    const tokenIss = payload.iss;
+    if (tokenIss !== issuer) {
+      throw new TokenVerificationError("Invalid token issuer", "INVALID_ISSUER");
+    }
+  }
+  return { claims: payload, token };
+}
+function clearJWKSCache() {
+  jwksCache.clear();
+}
+var DEFAULT_TOLERANCE = 5 * 60 * 1e3;
+var WebhookVerificationError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "WebhookVerificationError";
+  }
+};
+function parseSignatureHeader(header) {
+  const parts = header.split(",");
+  let timestamp = 0;
+  const signatures = [];
+  for (const part of parts) {
+    const [key, value] = part.split("=", 2);
+    if (key === "t") {
+      timestamp = parseInt(value, 10);
+    } else if (key === "v1") {
+      signatures.push(value);
+    }
+  }
+  return { timestamp, signatures };
+}
+function computeSignature(timestamp, payload, secret) {
+  const signedPayload = `${timestamp}.${payload}`;
+  return crypto2__namespace.createHmac("sha256", secret).update(signedPayload).digest("hex");
+}
+function secureCompare(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  return crypto2__namespace.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+function verifyWebhookSignature(signatureHeader, payload, secret, options = {}) {
+  const { tolerance = DEFAULT_TOLERANCE } = options;
+  if (!signatureHeader) {
+    throw new WebhookVerificationError("Missing signature header", "MISSING_SIGNATURE");
+  }
+  if (!payload) {
+    throw new WebhookVerificationError("Missing payload", "MISSING_PAYLOAD");
+  }
+  if (!secret) {
+    throw new WebhookVerificationError("Missing webhook secret", "MISSING_SECRET");
+  }
+  const { timestamp, signatures } = parseSignatureHeader(signatureHeader);
+  if (!timestamp) {
+    throw new WebhookVerificationError("Missing timestamp in signature", "MISSING_TIMESTAMP");
+  }
+  if (signatures.length === 0) {
+    throw new WebhookVerificationError("No signatures found in header", "NO_SIGNATURES");
+  }
+  const now = Date.now();
+  const timestampMs = timestamp * 1e3;
+  if (Math.abs(now - timestampMs) > tolerance) {
+    throw new WebhookVerificationError(
+      "Webhook timestamp is outside tolerance window",
+      "TIMESTAMP_EXPIRED"
+    );
+  }
+  const expectedSignature = computeSignature(timestamp, payload, secret);
+  const isValid = signatures.some((sig) => secureCompare(sig, expectedSignature));
+  if (!isValid) {
+    throw new WebhookVerificationError("Invalid webhook signature", "INVALID_SIGNATURE");
+  }
+  return true;
+}
+function createWebhookSignature(payload, secret, timestamp) {
+  const ts = timestamp ?? Math.floor(Date.now() / 1e3);
+  const signature = computeSignature(ts, payload, secret);
+  return `t=${ts},v1=${signature}`;
+}
+
+exports.TokenVerificationError = TokenVerificationError;
+exports.WebhookVerificationError = WebhookVerificationError;
+exports.clearJWKSCache = clearJWKSCache;
+exports.createTokenVerifier = createTokenVerifier;
+exports.createWebhookSignature = createWebhookSignature;
+exports.verifyWebhookSignature = verifyWebhookSignature;

package/dist/index.mjs

@@ -0,0 +1,269 @@
+import * as crypto2 from 'crypto';
+
+// src/jwks.ts
+var jwksCache = /* @__PURE__ */ new Map();
+var DEFAULT_CACHE_TTL = 60 * 60 * 1e3;
+function base64UrlDecode(input) {
+  const base64 = input.replace(/-/g, "+").replace(/_/g, "/");
+  const pad = base64.length % 4;
+  const padded = pad ? base64 + "=".repeat(4 - pad) : base64;
+  return Buffer.from(padded, "base64");
+}
+function jwkToPem(jwk) {
+  if (jwk.kty !== "RSA" || !jwk.n || !jwk.e) {
+    throw new Error("Only RSA keys are supported");
+  }
+  const n = base64UrlDecode(jwk.n);
+  const e = base64UrlDecode(jwk.e);
+  const nInt = encodeASN1Integer(n);
+  const eInt = encodeASN1Integer(e);
+  const rsaPublicKey = encodeASN1Sequence(Buffer.concat([nInt, eInt]));
+  const bitString = Buffer.concat([
+    Buffer.from([3]),
+    encodeASN1Length(rsaPublicKey.length + 1),
+    Buffer.from([0]),
+    // no unused bits
+    rsaPublicKey
+  ]);
+  const algorithmIdentifier = Buffer.from([
+    48,
+    13,
+    // SEQUENCE
+    6,
+    9,
+    // OID
+    42,
+    134,
+    72,
+    134,
+    247,
+    13,
+    1,
+    1,
+    1,
+    // 1.2.840.113549.1.1.1
+    5,
+    0
+    // NULL
+  ]);
+  const subjectPublicKeyInfo = encodeASN1Sequence(
+    Buffer.concat([algorithmIdentifier, bitString])
+  );
+  const base64Key = subjectPublicKeyInfo.toString("base64");
+  const lines = base64Key.match(/.{1,64}/g) || [];
+  return `-----BEGIN PUBLIC KEY-----
+${lines.join("\n")}
+-----END PUBLIC KEY-----`;
+}
+function encodeASN1Length(length) {
+  if (length < 128) {
+    return Buffer.from([length]);
+  }
+  const bytes = [];
+  let len = length;
+  while (len > 0) {
+    bytes.unshift(len & 255);
+    len = len >> 8;
+  }
+  return Buffer.from([128 | bytes.length, ...bytes]);
+}
+function encodeASN1Integer(value) {
+  const needsPadding = value[0] & 128;
+  const content = needsPadding ? Buffer.concat([Buffer.from([0]), value]) : value;
+  return Buffer.concat([
+    Buffer.from([2]),
+    // INTEGER tag
+    encodeASN1Length(content.length),
+    content
+  ]);
+}
+function encodeASN1Sequence(content) {
+  return Buffer.concat([
+    Buffer.from([48]),
+    // SEQUENCE tag
+    encodeASN1Length(content.length),
+    content
+  ]);
+}
+async function fetchJWKS(baseURL) {
+  const url = `${baseURL.replace(/\/$/, "")}/.well-known/jwks.json`;
+  const response = await fetch(url);
+  if (!response.ok) {
+    throw new Error(`Failed to fetch JWKS: ${response.status} ${response.statusText}`);
+  }
+  return response.json();
+}
+async function getJWKS(baseURL, cacheTTL) {
+  const cached = jwksCache.get(baseURL);
+  const now = Date.now();
+  if (cached && now - cached.fetchedAt < cacheTTL) {
+    return cached.jwks;
+  }
+  const jwks = await fetchJWKS(baseURL);
+  jwksCache.set(baseURL, { jwks, fetchedAt: now });
+  return jwks;
+}
+function findKey(jwks, kid) {
+  return jwks.keys.find((key) => key.kid === kid) || null;
+}
+var TokenVerificationError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "TokenVerificationError";
+  }
+};
+function parseJWT(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new TokenVerificationError("Invalid JWT format", "INVALID_TOKEN_FORMAT");
+  }
+  try {
+    const header = JSON.parse(base64UrlDecode(parts[0]).toString("utf8"));
+    const payload = JSON.parse(base64UrlDecode(parts[1]).toString("utf8"));
+    return { header, payload };
+  } catch {
+    throw new TokenVerificationError("Invalid JWT encoding", "INVALID_TOKEN_FORMAT");
+  }
+}
+function createTokenVerifier(options) {
+  const { baseURL, jwksCacheTTL = DEFAULT_CACHE_TTL } = options;
+  async function verifyToken(token, verifyOptions = {}) {
+    const { audience, issuer, clockTolerance = 0 } = verifyOptions;
+    const { header, payload } = parseJWT(token);
+    if (header.alg !== "RS256") {
+      throw new TokenVerificationError(
+        `Unsupported algorithm: ${header.alg}. Only RS256 is supported.`,
+        "INVALID_ALGORITHM"
+      );
+    }
+    const kid = header.kid;
+    if (!kid) {
+      throw new TokenVerificationError("Token missing kid header", "MISSING_KID");
+    }
+    const jwks = await getJWKS(baseURL, jwksCacheTTL);
+    const jwk = findKey(jwks, kid);
+    if (!jwk) {
+      const freshJwks = await fetchJWKS(baseURL);
+      jwksCache.set(baseURL, { jwks: freshJwks, fetchedAt: Date.now() });
+      const freshJwk = findKey(freshJwks, kid);
+      if (!freshJwk) {
+        throw new TokenVerificationError(
+          `No matching key found for kid: ${kid}`,
+          "KEY_NOT_FOUND"
+        );
+      }
+      return verifyWithKey(token, freshJwk, payload, { audience, issuer, clockTolerance });
+    }
+    return verifyWithKey(token, jwk, payload, { audience, issuer, clockTolerance });
+  }
+  return { verifyToken };
+}
+function verifyWithKey(token, jwk, payload, options) {
+  const { audience, issuer, clockTolerance } = options;
+  const pem = jwkToPem(jwk);
+  const parts = token.split(".");
+  const signatureInput = `${parts[0]}.${parts[1]}`;
+  const signature = base64UrlDecode(parts[2]);
+  const verifier = crypto2.createVerify("RSA-SHA256");
+  verifier.update(signatureInput);
+  if (!verifier.verify(pem, signature)) {
+    throw new TokenVerificationError("Invalid token signature", "INVALID_SIGNATURE");
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  if (payload.exp && payload.exp + clockTolerance < now) {
+    throw new TokenVerificationError("Token has expired", "TOKEN_EXPIRED");
+  }
+  if (payload.iat && payload.iat - clockTolerance > now) {
+    throw new TokenVerificationError("Token is not yet valid", "TOKEN_NOT_YET_VALID");
+  }
+  if (audience) {
+    const tokenAud = payload.aud;
+    const validAud = Array.isArray(tokenAud) ? tokenAud.includes(audience) : tokenAud === audience;
+    if (!validAud) {
+      throw new TokenVerificationError("Invalid token audience", "INVALID_AUDIENCE");
+    }
+  }
+  if (issuer) {
+    const tokenIss = payload.iss;
+    if (tokenIss !== issuer) {
+      throw new TokenVerificationError("Invalid token issuer", "INVALID_ISSUER");
+    }
+  }
+  return { claims: payload, token };
+}
+function clearJWKSCache() {
+  jwksCache.clear();
+}
+var DEFAULT_TOLERANCE = 5 * 60 * 1e3;
+var WebhookVerificationError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "WebhookVerificationError";
+  }
+};
+function parseSignatureHeader(header) {
+  const parts = header.split(",");
+  let timestamp = 0;
+  const signatures = [];
+  for (const part of parts) {
+    const [key, value] = part.split("=", 2);
+    if (key === "t") {
+      timestamp = parseInt(value, 10);
+    } else if (key === "v1") {
+      signatures.push(value);
+    }
+  }
+  return { timestamp, signatures };
+}
+function computeSignature(timestamp, payload, secret) {
+  const signedPayload = `${timestamp}.${payload}`;
+  return crypto2.createHmac("sha256", secret).update(signedPayload).digest("hex");
+}
+function secureCompare(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  return crypto2.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+function verifyWebhookSignature(signatureHeader, payload, secret, options = {}) {
+  const { tolerance = DEFAULT_TOLERANCE } = options;
+  if (!signatureHeader) {
+    throw new WebhookVerificationError("Missing signature header", "MISSING_SIGNATURE");
+  }
+  if (!payload) {
+    throw new WebhookVerificationError("Missing payload", "MISSING_PAYLOAD");
+  }
+  if (!secret) {
+    throw new WebhookVerificationError("Missing webhook secret", "MISSING_SECRET");
+  }
+  const { timestamp, signatures } = parseSignatureHeader(signatureHeader);
+  if (!timestamp) {
+    throw new WebhookVerificationError("Missing timestamp in signature", "MISSING_TIMESTAMP");
+  }
+  if (signatures.length === 0) {
+    throw new WebhookVerificationError("No signatures found in header", "NO_SIGNATURES");
+  }
+  const now = Date.now();
+  const timestampMs = timestamp * 1e3;
+  if (Math.abs(now - timestampMs) > tolerance) {
+    throw new WebhookVerificationError(
+      "Webhook timestamp is outside tolerance window",
+      "TIMESTAMP_EXPIRED"
+    );
+  }
+  const expectedSignature = computeSignature(timestamp, payload, secret);
+  const isValid = signatures.some((sig) => secureCompare(sig, expectedSignature));
+  if (!isValid) {
+    throw new WebhookVerificationError("Invalid webhook signature", "INVALID_SIGNATURE");
+  }
+  return true;
+}
+function createWebhookSignature(payload, secret, timestamp) {
+  const ts = timestamp ?? Math.floor(Date.now() / 1e3);
+  const signature = computeSignature(ts, payload, secret);
+  return `t=${ts},v1=${signature}`;
+}
+
+export { TokenVerificationError, WebhookVerificationError, clearJWKSCache, createTokenVerifier, createWebhookSignature, verifyWebhookSignature };

package/dist/types-C4aDSNcp.d.mts

@@ -0,0 +1,98 @@
+import { JwtClaims } from '@drmhse/sso-sdk';
+
+/**
+ * Configuration options for the AuthOS Node.js adapter
+ */
+interface AuthOSNodeOptions {
+    /**
+     * Base URL of the AuthOS API service
+     */
+    baseURL: string;
+    /**
+     * Cache TTL for JWKS in milliseconds. Default: 1 hour (3600000ms)
+     */
+    jwksCacheTTL?: number;
+}
+/**
+ * JSON Web Key structure
+ */
+interface JWK {
+    kty: string;
+    kid: string;
+    use?: string;
+    alg?: string;
+    n?: string;
+    e?: string;
+}
+/**
+ * JSON Web Key Set structure
+ */
+interface JWKS {
+    keys: JWK[];
+}
+/**
+ * Verified token result
+ */
+interface VerifiedToken {
+    /**
+     * The decoded JWT claims
+     */
+    claims: JwtClaims;
+    /**
+     * The raw token string
+     */
+    token: string;
+}
+/**
+ * Express request with auth context attached
+ */
+interface AuthenticatedRequest {
+    auth: VerifiedToken;
+}
+/**
+ * Token verification options
+ */
+interface VerifyTokenOptions {
+    /**
+     * Required audience (aud) claim
+     */
+    audience?: string;
+    /**
+     * Required issuer (iss) claim
+     */
+    issuer?: string;
+    /**
+     * Clock tolerance in seconds for exp/iat validation. Default: 0
+     */
+    clockTolerance?: number;
+}
+/**
+ * Webhook verification options
+ */
+interface WebhookVerifyOptions {
+    /**
+     * Tolerance window in milliseconds for timestamp validation. Default: 5 minutes (300000ms)
+     */
+    tolerance?: number;
+}
+/**
+ * Express middleware options for requireAuth
+ */
+interface RequireAuthOptions extends VerifyTokenOptions {
+    /**
+     * Custom function to extract token from request.
+     * Default: extracts from Authorization: Bearer header
+     */
+    getToken?: (req: unknown) => string | null;
+}
+/**
+ * Express middleware options for requirePermission
+ */
+interface RequirePermissionOptions {
+    /**
+     * Custom 403 error message
+     */
+    message?: string;
+}
+
+export type { AuthOSNodeOptions as A, JWK as J, RequireAuthOptions as R, VerifyTokenOptions as V, WebhookVerifyOptions as W, VerifiedToken as a, JWKS as b, AuthenticatedRequest as c, RequirePermissionOptions as d };