@fireproof/core-test 0.24.2-dev-cloud-api → 0.24.3-dev-ensure-cloud-token

package/fireproof/utils.test.js

@@ -1,12 +1,13 @@
-import { runtimeFn, URI } from "@adviser/cement";
+import { Result, runtimeFn, URI } from "@adviser/cement";
 import { getFileName } from "@fireproof/core-gateways-base";
 import { ensureSuperThis, ensureSuperLog, getStore, inplaceFilter, makePartial, mimeBlockParser, sts, } from "@fireproof/core-runtime";
+import { importJWK } from "jose";
 import { SignJWT } from "jose/jwt/sign";
-import { exportJWK } from "jose/key/export";
-import { JWTPayloadSchema } from "use-fireproof";
+import { exportJWK, exportSPKI } from "jose/key/export";
+import { JWKPrivateSchema, JWKPublicSchema, JWTPayloadSchema } from "use-fireproof";
 import { UUID } from "uuidv7";
 import { describe, beforeAll, it, expect, assert, vi } from "vitest";
-import { z } from "zod";
+import { z } from "zod/v4";
 describe("utils", () => {
     const sthis = ensureSuperThis();
     const logger = ensureSuperLog(sthis, "getfilename");
@@ -158,6 +159,15 @@ describe("verifyToken", () => {
         test: z.string(),
         test1: z.number(),
     });
+    function parseSchema(payload) {
+        const r = claimSchema.safeParse(payload);
+        if (r.success) {
+            return Result.Ok(r.data);
+        }
+        else {
+            return Result.Err(r.error);
+        }
+    }
     beforeAll(async () => {
         pair = await sts.SessionTokenService.generateKeyPair();
         token = await new SignJWT({
@@ -172,30 +182,13 @@ describe("verifyToken", () => {
             .sign(pair.material.privateKey);
     });
     it("test coerceJWKPublic", async () => {
-        const pemKey = await exportJWK(pair.material.publicKey);
-        function encloseInPemBlock(jwkString) {
-            const lines = [];
-            const type = "PUBLIC KEY";
-            lines.push(`-----BEGIN ${type}-----`);
-            if (jwkString.startsWith("{")) {
-                lines.push(JSON.stringify(JSON.parse(jwkString), null, 2));
-            }
-            else {
-                for (let i = 0; i < jwkString.length; i += 64) {
-                    lines.push(jwkString.slice(i, i + 64));
-                }
-            }
-            lines.push(`-----END ${type}-----`);
-            return lines.join("\n");
-        }
-        const jsonString = JSON.stringify(pemKey);
+        const jwkKey = await exportJWK(pair.material.publicKey);
+        const jsonString = JSON.stringify(jwkKey);
         for (const input of [
-            pemKey,
-            ...[jsonString, sthis.txt.base64.encode(jsonString), sthis.txt.base58.encode(jsonString)]
-                .map((input) => [input, encloseInPemBlock(input)])
-                .flat(),
+            jwkKey,
+            ...[jsonString, sthis.txt.base64.encode(jsonString), sthis.txt.base58.encode(jsonString)].map((input) => [input]).flat(),
         ]) {
-            const result = await sts.verifyToken(token, [input], [], claimSchema);
+            const result = await sts.verifyToken(token, [input], [], { parseSchema });
             expect(result.isOk()).toBe(true);
         }
     });
@@ -203,7 +196,7 @@ describe("verifyToken", () => {
         const presetKeys = [await exportJWK(pair.material.publicKey)];
         const wellKnownUrl = ["https://example.com/.well-known/jwks.json"];
         const mockFetch = mockFetchFactory(presetKeys);
-        const result = await sts.verifyToken(token, presetKeys, wellKnownUrl, claimSchema, { fetch: mockFetch });
+        const result = await sts.verifyToken(token, presetKeys, wellKnownUrl, { fetch: mockFetch, parseSchema });
         expect(mockFetch).toHaveBeenCalledTimes(0);
         expect(result.isOk()).toBe(true);
         expect(result.Ok()).toEqual({
@@ -219,7 +212,7 @@ describe("verifyToken", () => {
         const presetKeys = [];
         const wellKnownUrl = ["https://example.com/.well-known/jwks.json"];
         const mockFetch = mockFetchFactory([await exportJWK(pair.material.publicKey)]);
-        const result = await sts.verifyToken(token, presetKeys, wellKnownUrl, claimSchema, { fetch: mockFetch });
+        const result = await sts.verifyToken(token, presetKeys, wellKnownUrl, { fetch: mockFetch, parseSchema });
         expect(mockFetch).toHaveBeenCalledTimes(1);
         expect(result.isOk()).toBe(true);
         expect(result.Ok()).toEqual({
@@ -243,13 +236,13 @@ describe("verifyToken", () => {
             .setAudience("http://test.com/")
             .setExpirationTime(~~((Date.now() + 60000) / 1000))
             .sign(pair.material.privateKey);
-        const result = await sts.verifyToken(token, presetKeys, [], claimSchema);
+        const result = await sts.verifyToken(token, presetKeys, [], { parseSchema });
         expect(result.isErr()).toBe(true);
     });
     it("invalid key", async () => {
         const defectKey = await sts.SessionTokenService.generateKeyPair();
         const presetKeys = [await exportJWK(defectKey.material.publicKey)];
-        const result = await sts.verifyToken(token, presetKeys, [], claimSchema);
+        const result = await sts.verifyToken(token, presetKeys, [], { parseSchema });
         expect(result.isErr()).toBe(true);
     });
 });
@@ -416,4 +409,732 @@ describe("mimeBlockParser", () => {
         expect(blocks[0].content).toBe("content");
     });
 });
+describe("coerceJWKPublic", () => {
+    const sthis = ensureSuperThis();
+    const jwk = {
+        kty: "RSA",
+        e: "AQAB",
+        n: "zuYkKADAu6UJeBq-G6MUerFLKEQVRUrQ8eJCFMWbh-JlCfr9uoEoxutWO3lpVAaFhq2vhRaYif8xoxCmvM74gCoNqE7DDUUrUTBt5kYSJyxAoLUpmVVg7pecJngcaqtPUekE_UGGJ2E2jHMRQ9thzF64BTaJFpddM45M4VEQs-PNEMnmo0NKWggikFXKCBWhakMsuygyBDtY7q73VLdG-jAG6YsVxDt_27DZ6Lv-iH2SMqM0-Xf4aYvCV_JxS75Emf1srsMC2C6_IJcIYSkxyfS6j_DE_dIzXPJ-quXhNrUgpzo2zvvMF44tDXrkeMQ5CQd06kTWe9_BxqkrVT3wLw",
+        alg: "RS256",
+    };
+    const jwkpub = {
+        ...jwk,
+        use: "sig",
+        kid: "ins_2olzJ4rRwcQ5lPbKNCYdwJ4GrFQ",
+    };
+    it("accepts JWK object", async () => {
+        expect(await sts.coerceJWKPublic(sthis, jwkpub)).toEqual([jwkpub]);
+    });
+    it("accepts JSON string", async () => {
+        expect(await sts.coerceJWKPublic(sthis, JSON.stringify(jwkpub))).toEqual([jwkpub]);
+    });
+    it("accepts base64 encoded JSON string", async () => {
+        expect(await sts.coerceJWKPublic(sthis, sthis.txt.base64.encode(JSON.stringify(jwkpub)))).toEqual([jwkpub]);
+    });
+    it("accepts base58 encoded JSON string", async () => {
+        expect(await sts.coerceJWKPublic(sthis, sthis.txt.base58.encode(JSON.stringify(jwkpub)))).toEqual([jwkpub]);
+    });
+    it("accepts PEM enclosed JSON string", async () => {
+        const pemWrapped = await exportSPKI((await importJWK(jwkpub, "RS256")));
+        expect(await sts.coerceJWKPublic(sthis, pemWrapped)).toEqual([jwk]);
+    });
+});
+describe("coerceJWK", () => {
+    const sthis = ensureSuperThis();
+    let jwkPublic;
+    let jwkPrivate;
+    let pair;
+    beforeAll(async () => {
+        pair = await sts.SessionTokenService.generateKeyPair("ES256", { extractable: true });
+        jwkPrivate = await exportJWK(pair.material.privateKey);
+        jwkPublic = await exportJWK(pair.material.publicKey);
+    });
+    describe("with public key", () => {
+        it("accepts public JWK object", async () => {
+            const result = await sts.coerceJWK(sthis, jwkPublic);
+            expect(result).toHaveLength(1);
+            expect(result[0]).toMatchObject({
+                kty: jwkPublic.kty,
+                crv: jwkPublic.crv,
+                x: jwkPublic.x,
+            });
+            expect(result[0]).not.toHaveProperty("d");
+        });
+        it("accepts public JWK as JSON string", async () => {
+            const result = await sts.coerceJWK(sthis, JSON.stringify(jwkPublic));
+            expect(result).toHaveLength(1);
+            expect(result[0]).not.toHaveProperty("d");
+        });
+        it("accepts public JWK as base64 encoded JSON", async () => {
+            const result = await sts.coerceJWK(sthis, sthis.txt.base64.encode(JSON.stringify(jwkPublic)));
+            expect(result).toHaveLength(1);
+            expect(result[0]).not.toHaveProperty("d");
+        });
+        it("accepts public JWK as base58 encoded JSON", async () => {
+            const result = await sts.coerceJWK(sthis, sthis.txt.base58.encode(JSON.stringify(jwkPublic)));
+            expect(result).toHaveLength(1);
+            expect(result[0]).not.toHaveProperty("d");
+        });
+        it("accepts public JWK via jwk2env", async () => {
+            const encoded = await sts.jwk2env(pair.material.publicKey, sthis);
+            const result = await sts.coerceJWK(sthis, encoded);
+            expect(result).toHaveLength(1);
+            expect(result[0]).not.toHaveProperty("d");
+        });
+    });
+    describe("with private key", () => {
+        it("accepts private JWK object", async () => {
+            const result = await sts.coerceJWK(sthis, jwkPrivate);
+            expect(result).toHaveLength(1);
+            expect(result[0]).toMatchObject({
+                kty: jwkPrivate.kty,
+                crv: jwkPrivate.crv,
+                x: jwkPrivate.x,
+                d: jwkPrivate.d,
+            });
+        });
+        it("accepts private JWK as JSON string", async () => {
+            const result = await sts.coerceJWK(sthis, JSON.stringify(jwkPrivate));
+            expect(result).toHaveLength(1);
+            expect(result[0]).toHaveProperty("d");
+        });
+        it("accepts private JWK as base64 encoded JSON", async () => {
+            const result = await sts.coerceJWK(sthis, sthis.txt.base64.encode(JSON.stringify(jwkPrivate)));
+            expect(result).toHaveLength(1);
+            expect(result[0]).toHaveProperty("d");
+        });
+        it("accepts private JWK as base58 encoded JSON", async () => {
+            const result = await sts.coerceJWK(sthis, sthis.txt.base58.encode(JSON.stringify(jwkPrivate)));
+            expect(result).toHaveLength(1);
+            expect(result[0]).toHaveProperty("d");
+        });
+        it("accepts private JWK via jwk2env", async () => {
+            const encoded = await sts.jwk2env(pair.material.privateKey, sthis);
+            const result = await sts.coerceJWK(sthis, encoded);
+            expect(result).toHaveLength(1);
+            expect(result[0]).toHaveProperty("d");
+        });
+        it("preserves private key through env2jwk", async () => {
+            const encoded = await sts.jwk2env(pair.material.privateKey, sthis);
+            const cryptoKeys = await sts.env2jwk(encoded, undefined, sthis);
+            expect(cryptoKeys).toHaveLength(1);
+            const exported = await exportJWK(cryptoKeys[0]);
+            expect(exported).toHaveProperty("d");
+        });
+    });
+    describe("with multiple keys", () => {
+        it("accepts array of mixed public and private keys", async () => {
+            const result = await sts.coerceJWK(sthis, [jwkPrivate, jwkPublic]);
+            expect(result).toHaveLength(2);
+            expect(result[0]).toHaveProperty("d");
+            expect(result[1]).not.toHaveProperty("d");
+        });
+    });
+});
+describe("coerceJWKPrivate", () => {
+    const sthis = ensureSuperThis();
+    let jwkPrivate;
+    let jwkPublic;
+    let pair;
+    beforeAll(async () => {
+        pair = await sts.SessionTokenService.generateKeyPair("ES256", { extractable: true });
+        jwkPrivate = await exportJWK(pair.material.privateKey);
+        jwkPublic = await exportJWK(pair.material.publicKey);
+    });
+    it("accepts private JWK object", async () => {
+        const result = await sts.coerceJWKPrivate(sthis, jwkPrivate);
+        expect(result).toHaveLength(1);
+        expect(result[0]).toMatchObject({
+            kty: jwkPrivate.kty,
+            crv: jwkPrivate.crv,
+            d: jwkPrivate.d,
+        });
+    });
+    it("accepts private JWK as JSON string", async () => {
+        const result = await sts.coerceJWKPrivate(sthis, JSON.stringify(jwkPrivate));
+        expect(result).toHaveLength(1);
+        expect(result[0]).toHaveProperty("d");
+    });
+    it("accepts private JWK as base64 encoded JSON", async () => {
+        const result = await sts.coerceJWKPrivate(sthis, sthis.txt.base64.encode(JSON.stringify(jwkPrivate)));
+        expect(result).toHaveLength(1);
+        expect(result[0]).toHaveProperty("d");
+    });
+    it("accepts private JWK as base58 encoded JSON", async () => {
+        const result = await sts.coerceJWKPrivate(sthis, sthis.txt.base58.encode(JSON.stringify(jwkPrivate)));
+        expect(result).toHaveLength(1);
+        expect(result[0]).toHaveProperty("d");
+    });
+    it("accepts private JWK via jwk2env", async () => {
+        const encoded = await sts.jwk2env(pair.material.privateKey, sthis);
+        const result = await sts.coerceJWKPrivate(sthis, encoded);
+        expect(result).toHaveLength(1);
+        expect(result[0]).toHaveProperty("d");
+    });
+    it("rejects public JWK (missing private key component)", async () => {
+        const result = await sts.coerceJWKPrivate(sthis, jwkPublic);
+        expect(result).toHaveLength(0);
+    });
+    it("rejects public JWK as JSON string", async () => {
+        const result = await sts.coerceJWKPrivate(sthis, JSON.stringify(jwkPublic));
+        expect(result).toHaveLength(0);
+    });
+    it("rejects public JWK via jwk2env", async () => {
+        const encoded = await sts.jwk2env(pair.material.publicKey, sthis);
+        const result = await sts.coerceJWKPrivate(sthis, encoded);
+        expect(result).toHaveLength(0);
+    });
+    it("filters out public keys from mixed array", async () => {
+        const result = await sts.coerceJWKPrivate(sthis, [jwkPrivate, jwkPublic]);
+        expect(result).toHaveLength(1);
+        expect(result[0]).toHaveProperty("d");
+    });
+});
+describe("coerceJWKWithSchema - mixed Private/Public keys in { keys: [...] } arrays", () => {
+    const sthis = ensureSuperThis();
+    let rsaPrivateKey;
+    let rsaPublicKey;
+    let ecPrivateKey;
+    let ecPublicKey;
+    let rsaPair;
+    let ecPair;
+    beforeAll(async () => {
+        rsaPair = await sts.SessionTokenService.generateKeyPair("RS256", { extractable: true });
+        rsaPrivateKey = await exportJWK(rsaPair.material.privateKey);
+        rsaPublicKey = await exportJWK(rsaPair.material.publicKey);
+        ecPair = await sts.SessionTokenService.generateKeyPair("ES256", { extractable: true });
+        ecPrivateKey = await exportJWK(ecPair.material.privateKey);
+        ecPublicKey = await exportJWK(ecPair.material.publicKey);
+    });
+    const encodings = [
+        {
+            name: "plain object",
+            encode: (obj) => obj,
+        },
+        {
+            name: "JSON string",
+            encode: (obj) => JSON.stringify(obj),
+        },
+        {
+            name: "base64",
+            encode: (obj) => sthis.txt.base64.encode(JSON.stringify(obj)),
+        },
+        {
+            name: "base58",
+            encode: (obj) => sthis.txt.base58.encode(JSON.stringify(obj)),
+        },
+    ];
+    describe.each(encodings)("with encoding: $name", ({ encode }) => {
+        describe("JWKPrivateSchema validation", () => {
+            it("accepts { keys: [private] }", async () => {
+                const input = encode({ keys: [rsaPrivateKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isOk()).toBe(true);
+                if (results[0].isOk()) {
+                    expect(results[0].Ok()).toHaveProperty("d");
+                    expect(results[0].Ok().kty).toBe("RSA");
+                }
+            });
+            it("rejects { keys: [public] }", async () => {
+                const input = encode({ keys: [rsaPublicKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isErr()).toBe(true);
+            });
+            it("handles { keys: [private, public] } - accepts only private", async () => {
+                const input = encode({ keys: [rsaPrivateKey, rsaPublicKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input);
+                expect(results).toHaveLength(2);
+                expect(results[0].isOk()).toBe(true);
+                expect(results[1].isErr()).toBe(true);
+                if (results[0].isOk()) {
+                    expect(results[0].Ok()).toHaveProperty("d");
+                }
+            });
+            it("handles { keys: [public, private] } - reversed order", async () => {
+                const input = encode({ keys: [ecPublicKey, ecPrivateKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input);
+                expect(results).toHaveLength(2);
+                expect(results[0].isErr()).toBe(true);
+                expect(results[1].isOk()).toBe(true);
+                if (results[1].isOk()) {
+                    expect(results[1].Ok()).toHaveProperty("d");
+                    expect(results[1].Ok().kty).toBe("EC");
+                }
+            });
+            it("handles { keys: [rsaPrivate, ecPrivate] } - multiple private keys", async () => {
+                const input = encode({ keys: [rsaPrivateKey, ecPrivateKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input);
+                expect(results).toHaveLength(2);
+                expect(results[0].isOk()).toBe(true);
+                expect(results[1].isOk()).toBe(true);
+                if (results[0].isOk() && results[1].isOk()) {
+                    expect(results[0].Ok()).toHaveProperty("d");
+                    expect(results[0].Ok().kty).toBe("RSA");
+                    expect(results[1].Ok()).toHaveProperty("d");
+                    expect(results[1].Ok().kty).toBe("EC");
+                }
+            });
+            it("handles { keys: [rsaPrivate, ecPublic, ecPrivate, rsaPublic] } - complex mix", async () => {
+                const input = encode({ keys: [rsaPrivateKey, ecPublicKey, ecPrivateKey, rsaPublicKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input);
+                expect(results).toHaveLength(4);
+                expect(results[0].isOk()).toBe(true);
+                expect(results[1].isErr()).toBe(true);
+                expect(results[2].isOk()).toBe(true);
+                expect(results[3].isErr()).toBe(true);
+            });
+        });
+        describe("JWKPublicSchema validation", () => {
+            it("accepts { keys: [public] }", async () => {
+                const input = encode({ keys: [rsaPublicKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isOk()).toBe(true);
+                if (results[0].isOk()) {
+                    expect(results[0].Ok()).not.toHaveProperty("d");
+                    expect(results[0].Ok().kty).toBe("RSA");
+                }
+            });
+            it("strips private component from { keys: [private] }", async () => {
+                const input = encode({ keys: [rsaPrivateKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isOk()).toBe(true);
+                if (results[0].isOk()) {
+                    expect(results[0].Ok()).not.toHaveProperty("d");
+                    expect(results[0].Ok().kty).toBe("RSA");
+                }
+            });
+            it("handles { keys: [private, public] } - accepts both, strips private from first", async () => {
+                const input = encode({ keys: [rsaPrivateKey, rsaPublicKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(2);
+                expect(results[0].isOk()).toBe(true);
+                expect(results[1].isOk()).toBe(true);
+                if (results[0].isOk() && results[1].isOk()) {
+                    expect(results[0].Ok()).not.toHaveProperty("d");
+                    expect(results[1].Ok()).not.toHaveProperty("d");
+                }
+            });
+            it("handles { keys: [public, private, public] }", async () => {
+                const input = encode({ keys: [ecPublicKey, ecPrivateKey, rsaPublicKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(3);
+                expect(results[0].isOk()).toBe(true);
+                expect(results[1].isOk()).toBe(true);
+                expect(results[2].isOk()).toBe(true);
+                if (results[0].isOk() && results[1].isOk() && results[2].isOk()) {
+                    expect(results[0].Ok()).not.toHaveProperty("d");
+                    expect(results[1].Ok()).not.toHaveProperty("d");
+                    expect(results[2].Ok()).not.toHaveProperty("d");
+                }
+            });
+            it("handles { keys: [rsaPrivate, ecPublic, rsaPublic, ecPrivate] } - complex mix", async () => {
+                const input = encode({ keys: [rsaPrivateKey, ecPublicKey, rsaPublicKey, ecPrivateKey] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(4);
+                results.forEach((result) => {
+                    expect(result.isOk()).toBe(true);
+                    if (result.isOk()) {
+                        expect(result.Ok()).not.toHaveProperty("d");
+                    }
+                });
+            });
+        });
+        describe("edge cases", () => {
+            it("handles empty { keys: [] }", async () => {
+                const input = encode({ keys: [] });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(0);
+            });
+            it("handles many mixed keys", async () => {
+                const input = encode({
+                    keys: [
+                        rsaPrivateKey,
+                        rsaPublicKey,
+                        ecPrivateKey,
+                        ecPublicKey,
+                        rsaPrivateKey, // duplicate
+                        ecPublicKey,
+                    ],
+                });
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(6);
+                results.forEach((result) => {
+                    expect(result.isOk()).toBe(true);
+                    if (result.isOk()) {
+                        expect(result.Ok()).not.toHaveProperty("d");
+                    }
+                });
+            });
+        });
+    });
+    describe("multiple inputs (not encoding-specific)", () => {
+        it("handles multiple { keys: [...] } objects as separate arguments", async () => {
+            const input1 = { keys: [rsaPrivateKey, rsaPublicKey] };
+            const input2 = { keys: [ecPrivateKey] };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input1, input2);
+            expect(results).toHaveLength(3);
+            expect(results[0].isOk()).toBe(true);
+            expect(results[1].isErr()).toBe(true);
+            expect(results[2].isOk()).toBe(true);
+        });
+        it("handles array of { keys: [...] } objects", async () => {
+            const inputs = [{ keys: [rsaPrivateKey, rsaPublicKey] }, { keys: [ecPrivateKey, ecPublicKey] }];
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, inputs);
+            expect(results).toHaveLength(4);
+            results.forEach((result) => {
+                expect(result.isOk()).toBe(true);
+            });
+        });
+        it("handles mix of plain keys and { keys: [...] }", async () => {
+            const inputs = [rsaPrivateKey, { keys: [ecPrivateKey, ecPublicKey] }, rsaPublicKey];
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, inputs);
+            expect(results).toHaveLength(4);
+            expect(results[0].isOk()).toBe(true);
+            expect(results[1].isOk()).toBe(true);
+            expect(results[2].isErr()).toBe(true);
+            expect(results[3].isErr()).toBe(true);
+        });
+    });
+});
+describe("coerceJWKWithSchema - single key objects (not { keys: [...] } wrapped)", () => {
+    const sthis = ensureSuperThis();
+    let rsaPrivateKey;
+    let rsaPublicKey;
+    let ecPrivateKey;
+    let ecPublicKey;
+    let rsaPair;
+    let ecPair;
+    beforeAll(async () => {
+        rsaPair = await sts.SessionTokenService.generateKeyPair("RS256", { extractable: true });
+        rsaPrivateKey = await exportJWK(rsaPair.material.privateKey);
+        rsaPublicKey = await exportJWK(rsaPair.material.publicKey);
+        ecPair = await sts.SessionTokenService.generateKeyPair("ES256", { extractable: true });
+        ecPrivateKey = await exportJWK(ecPair.material.privateKey);
+        ecPublicKey = await exportJWK(ecPair.material.publicKey);
+    });
+    const encodings = [
+        {
+            name: "plain JWK object",
+            encode: (jwk) => jwk,
+        },
+        {
+            name: "JSON string",
+            encode: (jwk) => JSON.stringify(jwk),
+        },
+        {
+            name: "base64",
+            encode: (jwk) => sthis.txt.base64.encode(JSON.stringify(jwk)),
+        },
+        {
+            name: "base58",
+            encode: (jwk) => sthis.txt.base58.encode(JSON.stringify(jwk)),
+        },
+    ];
+    describe.each(encodings)("with encoding: $name", ({ encode }) => {
+        describe("JWKPrivateSchema validation", () => {
+            it("accepts private key", async () => {
+                const input = encode(rsaPrivateKey);
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isOk()).toBe(true);
+                if (results[0].isOk()) {
+                    expect(results[0].Ok()).toHaveProperty("d");
+                    expect(results[0].Ok().kty).toBe("RSA");
+                }
+            });
+            it("rejects public key", async () => {
+                const input = encode(rsaPublicKey);
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isErr()).toBe(true);
+            });
+            it("accepts EC private key", async () => {
+                const input = encode(ecPrivateKey);
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isOk()).toBe(true);
+                if (results[0].isOk()) {
+                    expect(results[0].Ok()).toHaveProperty("d");
+                    expect(results[0].Ok().kty).toBe("EC");
+                }
+            });
+        });
+        describe("JWKPublicSchema validation", () => {
+            it("accepts public key", async () => {
+                const input = encode(rsaPublicKey);
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isOk()).toBe(true);
+                if (results[0].isOk()) {
+                    expect(results[0].Ok()).not.toHaveProperty("d");
+                    expect(results[0].Ok().kty).toBe("RSA");
+                }
+            });
+            it("strips private component from private key", async () => {
+                const input = encode(rsaPrivateKey);
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isOk()).toBe(true);
+                if (results[0].isOk()) {
+                    expect(results[0].Ok()).not.toHaveProperty("d");
+                    expect(results[0].Ok().kty).toBe("RSA");
+                }
+            });
+            it("accepts and processes EC public key", async () => {
+                const input = encode(ecPublicKey);
+                const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, input);
+                expect(results).toHaveLength(1);
+                expect(results[0].isOk()).toBe(true);
+                if (results[0].isOk()) {
+                    expect(results[0].Ok()).not.toHaveProperty("d");
+                    expect(results[0].Ok().kty).toBe("EC");
+                }
+            });
+        });
+    });
+    describe("multiple single key inputs", () => {
+        it("handles array of plain JWK objects with private schema", async () => {
+            const inputs = [rsaPrivateKey, ecPrivateKey];
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, inputs);
+            expect(results).toHaveLength(2);
+            expect(results[0].isOk()).toBe(true);
+            expect(results[1].isOk()).toBe(true);
+        });
+        it("handles array of mixed plain JWK objects with private schema", async () => {
+            const inputs = [rsaPrivateKey, rsaPublicKey, ecPrivateKey];
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, inputs);
+            expect(results).toHaveLength(3);
+            expect(results[0].isOk()).toBe(true);
+            expect(results[1].isErr()).toBe(true);
+            expect(results[2].isOk()).toBe(true);
+        });
+        it("handles array of mixed plain JWK objects with public schema", async () => {
+            const inputs = [rsaPrivateKey, rsaPublicKey, ecPublicKey];
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, inputs);
+            expect(results).toHaveLength(3);
+            results.forEach((result) => {
+                expect(result.isOk()).toBe(true);
+                if (result.isOk()) {
+                    expect(result.Ok()).not.toHaveProperty("d");
+                }
+            });
+        });
+        it("handles separate arguments (not array)", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPrivateSchema, rsaPrivateKey, ecPrivateKey);
+            expect(results).toHaveLength(2);
+            expect(results[0].isOk()).toBe(true);
+            expect(results[1].isOk()).toBe(true);
+        });
+    });
+});
+describe("coerceJWKWithSchema - error cases and invalid inputs", () => {
+    const sthis = ensureSuperThis();
+    let rsaPrivateKey;
+    let rsaPublicKey;
+    beforeAll(async () => {
+        const rsaPair = await sts.SessionTokenService.generateKeyPair("RS256", { extractable: true });
+        rsaPrivateKey = await exportJWK(rsaPair.material.privateKey);
+        rsaPublicKey = await exportJWK(rsaPair.material.publicKey);
+    });
+    describe("invalid JSON strings", () => {
+        it("handles invalid JSON string", async () => {
+            const invalidJson = "{ this is not valid json }";
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalidJson);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("handles base64 encoded invalid JSON", async () => {
+            const invalidJson = "{ not valid json either }";
+            const encoded = sthis.txt.base64.encode(invalidJson);
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, encoded);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("handles base58 encoded invalid JSON", async () => {
+            const invalidJson = "{ malformed: json }";
+            const encoded = sthis.txt.base58.encode(invalidJson);
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, encoded);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("handles truncated JSON string", async () => {
+            const truncated = JSON.stringify(rsaPublicKey).slice(0, -10);
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, truncated);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+    });
+    describe("invalid JWK structures", () => {
+        it("rejects JWK missing required 'kty' field", async () => {
+            const invalidJwk = { e: "AQAB", n: "somevalue" };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalidJwk);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects JWK with invalid 'kty' value", async () => {
+            const invalidJwk = { kty: "INVALID", e: "AQAB", n: "somevalue" };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalidJwk);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects RSA key missing required 'n' field", async () => {
+            const invalidJwk = { kty: "RSA", e: "AQAB" };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalidJwk);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects RSA key missing required 'e' field", async () => {
+            const invalidJwk = { kty: "RSA", n: "somevalue" };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalidJwk);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects EC key missing required 'x' field", async () => {
+            const invalidJwk = { kty: "EC", crv: "P-256", y: "somevalue" };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalidJwk);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects EC key missing required 'crv' field", async () => {
+            const invalidJwk = { kty: "EC", x: "somevalue", y: "anothervalue" };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalidJwk);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects EC key with invalid curve", async () => {
+            const invalidJwk = { kty: "EC", crv: "INVALID-CURVE", x: "somevalue", y: "anothervalue" };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalidJwk);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+    });
+    describe("invalid { keys: [...] } structures", () => {
+        it("rejects { keys: 'not-an-array' }", async () => {
+            const invalid = { keys: "not an array" };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalid);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects { keys: null }", async () => {
+            const invalid = { keys: null };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalid);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects { keys: {} }", async () => {
+            const invalid = { keys: {} };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, invalid);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("handles { keys: [...] } with mix of valid and invalid JWKs", async () => {
+            const mixed = {
+                keys: [
+                    rsaPublicKey, // valid
+                    { kty: "INVALID" }, // invalid
+                    rsaPrivateKey,
+                ],
+            };
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, mixed);
+            expect(results).toHaveLength(3);
+            expect(results[0].isOk()).toBe(true);
+            expect(results[1].isErr()).toBe(true);
+            expect(results[2].isOk()).toBe(true);
+        });
+        it("handles JSON stringified { keys: [...] } with invalid entries", async () => {
+            const mixed = JSON.stringify({
+                keys: [rsaPublicKey, { invalid: "structure" }],
+            });
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, mixed);
+            expect(results).toHaveLength(2);
+            expect(results[0].isOk()).toBe(true);
+            expect(results[1].isErr()).toBe(true);
+        });
+    });
+    describe("completely invalid data types", () => {
+        it("rejects number input", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, 12345);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects boolean input", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, true);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects array of invalid types", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, [123, true, "invalid"]);
+            expect(results).toHaveLength(3);
+            expect(results[0].isErr()).toBe(true);
+            expect(results[1].isErr()).toBe(true);
+            expect(results[2].isErr()).toBe(true);
+        });
+        it("rejects empty object", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, {});
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects null", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, null);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("rejects undefined", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, undefined);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+    });
+    describe("edge cases with encoding", () => {
+        it("handles corrupted base64 string", async () => {
+            const corrupted = "!!!invalid-base64!!!";
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, corrupted);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("handles empty string", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, "");
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("handles whitespace-only string", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, "   \n\t  ");
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+        it("handles string that looks like JSON but isn't", async () => {
+            const fakeJson = "{looks like json but missing quotes and commas}";
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, fakeJson);
+            expect(results).toHaveLength(1);
+            expect(results[0].isErr()).toBe(true);
+        });
+    });
+    describe("mixed valid and invalid inputs", () => {
+        it("processes array with mix of valid keys and invalid data", async () => {
+            const mixed = [
+                rsaPublicKey, // valid
+                "invalid string", // invalid
+                rsaPrivateKey, // valid
+                { invalid: "object" },
+            ];
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, mixed);
+            expect(results).toHaveLength(4);
+            expect(results[0].isOk()).toBe(true);
+            expect(results[1].isErr()).toBe(true);
+            expect(results[2].isOk()).toBe(true);
+            expect(results[3].isErr()).toBe(true);
+        });
+        it("processes multiple arguments with some invalid", async () => {
+            const results = await sts.coerceJWKWithSchema(sthis, JWKPublicSchema, rsaPublicKey, "invalid", rsaPrivateKey);
+            expect(results).toHaveLength(3);
+            expect(results[0].isOk()).toBe(true);
+            expect(results[1].isErr()).toBe(true);
+            expect(results[2].isOk()).toBe(true);
+        });
+    });
+});
 //# sourceMappingURL=utils.test.js.map