@hemia/jwt-manager 0.0.1 → 0.0.2

package/dist/hemia-jwt-manager.js

@@ -25,7 +25,7 @@ var safeBuffer = {exports: {}};
 
 /*! safe-buffer. MIT License. Feross Aboukhadijeh <https://feross.org/opensource> */
 
-(function (module, exports) {
+(function (module, exports$1) {
 	/* eslint-disable node/no-deprecated-api */
 	var buffer = require$$0;
 	var Buffer = buffer.Buffer;
@@ -40,8 +40,8 @@ var safeBuffer = {exports: {}};
 	  module.exports = buffer;
 	} else {
 	  // Copy properties from require('buffer')
-	  copyProps(buffer, exports);
-	  exports.Buffer = SafeBuffer;
+	  copyProps(buffer, exports$1);
+	  exports$1.Buffer = SafeBuffer;
 	}
 
 	function SafeBuffer (arg, encodingOrOffset, length) {
@@ -662,7 +662,7 @@ var jwa$2 = function jwa(algorithm) {
     es: createECDSAVerifer,
     none: createNoneVerifier,
   };
-  var match = algorithm.match(/^(RS|PS|ES|HS)(256|384|512)$|^(none)$/i);
+  var match = algorithm.match(/^(RS|PS|ES|HS)(256|384|512)$|^(none)$/);
   if (!match)
     throw typeError(MSG_INVALID_ALGORITHM, algorithm);
   var algo = (match[1] || match[3]).toLowerCase();
@@ -723,7 +723,12 @@ function jwsSign(opts) {
 }
 
 function SignStream$1(opts) {
-  var secret = opts.secret||opts.privateKey||opts.key;
+  var secret = opts.secret;
+  secret = secret == null ? opts.privateKey : secret;
+  secret = secret == null ? opts.key : secret;
+  if (/^hs/i.test(opts.header.alg) === true && secret == null) {
+    throw new TypeError('secret must be a string or buffer or a KeyObject')
+  }
   var secretStream = new DataStream$1(secret);
   this.readable = true;
   this.header = opts.header;
@@ -848,7 +853,12 @@ function jwsDecode(jwsSig, opts) {
 
 function VerifyStream$1(opts) {
   opts = opts || {};
-  var secretOrKey = opts.secret||opts.publicKey||opts.key;
+  var secretOrKey = opts.secret;
+  secretOrKey = secretOrKey == null ? opts.publicKey : secretOrKey;
+  secretOrKey = secretOrKey == null ? opts.key : secretOrKey;
+  if (/^hs/i.test(opts.algorithm) === true && secretOrKey == null) {
+    throw new TypeError('secret must be a string or buffer or a KeyObject')
+  }
   var secretStream = new DataStream(secretOrKey);
   this.readable = true;
   this.algorithm = opts.algorithm;
@@ -1216,7 +1226,7 @@ const debug$1 = (
 
 var debug_1 = debug$1;
 
-(function (module, exports) {
+(function (module, exports$1) {
 
 	const {
 	  MAX_SAFE_COMPONENT_LENGTH,
@@ -1224,14 +1234,14 @@ var debug_1 = debug$1;
 	  MAX_LENGTH,
 	} = constants$1;
 	const debug = debug_1;
-	exports = module.exports = {};
+	exports$1 = module.exports = {};
 
 	// The actual regexps go on exports.re
-	const re = exports.re = [];
-	const safeRe = exports.safeRe = [];
-	const src = exports.src = [];
-	const safeSrc = exports.safeSrc = [];
-	const t = exports.t = {};
+	const re = exports$1.re = [];
+	const safeRe = exports$1.safeRe = [];
+	const src = exports$1.src = [];
+	const safeSrc = exports$1.safeSrc = [];
+	const t = exports$1.t = {};
 	let R = 0;
 
 	const LETTERDASHNUMBER = '[a-zA-Z0-9-]';
@@ -1395,7 +1405,7 @@ var debug_1 = debug$1;
 	createToken('LONETILDE', '(?:~>?)');
 
 	createToken('TILDETRIM', `(\\s*)${src[t.LONETILDE]}\\s+`, true);
-	exports.tildeTrimReplace = '$1~';
+	exports$1.tildeTrimReplace = '$1~';
 
 	createToken('TILDE', `^${src[t.LONETILDE]}${src[t.XRANGEPLAIN]}$`);
 	createToken('TILDELOOSE', `^${src[t.LONETILDE]}${src[t.XRANGEPLAINLOOSE]}$`);
@@ -1405,7 +1415,7 @@ var debug_1 = debug$1;
 	createToken('LONECARET', '(?:\\^)');
 
 	createToken('CARETTRIM', `(\\s*)${src[t.LONECARET]}\\s+`, true);
-	exports.caretTrimReplace = '$1^';
+	exports$1.caretTrimReplace = '$1^';
 
 	createToken('CARET', `^${src[t.LONECARET]}${src[t.XRANGEPLAIN]}$`);
 	createToken('CARETLOOSE', `^${src[t.LONECARET]}${src[t.XRANGEPLAINLOOSE]}$`);
@@ -1418,7 +1428,7 @@ var debug_1 = debug$1;
 	// it modifies, so that `> 1.2.3` ==> `>1.2.3`
 	createToken('COMPARATORTRIM', `(\\s*)${src[t.GTLT]
 	}\\s*(${src[t.LOOSEPLAIN]}|${src[t.XRANGEPLAIN]})`, true);
-	exports.comparatorTrimReplace = '$1$2$3';
+	exports$1.comparatorTrimReplace = '$1$2$3';
 
 	// Something like `1.2.3 - 1.2.4`
 	// Note that these all use the loose form, because they'll be
@@ -1461,6 +1471,10 @@ var parseOptions_1 = parseOptions$1;
 
 const numeric = /^[0-9]+$/;
 const compareIdentifiers$1 = (a, b) => {
+  if (typeof a === 'number' && typeof b === 'number') {
+    return a === b ? 0 : a < b ? -1 : 1
+  }
+
   const anum = numeric.test(a);
   const bnum = numeric.test(b);
 
@@ -1594,11 +1608,25 @@ let SemVer$d = class SemVer {
       other = new SemVer(other, this.options);
     }
 
-    return (
-      compareIdentifiers(this.major, other.major) ||
-      compareIdentifiers(this.minor, other.minor) ||
-      compareIdentifiers(this.patch, other.patch)
-    )
+    if (this.major < other.major) {
+      return -1
+    }
+    if (this.major > other.major) {
+      return 1
+    }
+    if (this.minor < other.minor) {
+      return -1
+    }
+    if (this.minor > other.minor) {
+      return 1
+    }
+    if (this.patch < other.patch) {
+      return -1
+    }
+    if (this.patch > other.patch) {
+      return 1
+    }
+    return 0
   }
 
   comparePre (other) {
@@ -2410,6 +2438,7 @@ function requireRange () {
 	// already replaced the hyphen ranges
 	// turn into a set of JUST comparators.
 	const parseComparator = (comp, options) => {
+	  comp = comp.replace(re[t.BUILD], '');
 	  debug('comp', comp, options);
 	  comp = replaceCarets(comp, options);
 	  debug('caret', comp);
@@ -5797,20 +5826,78 @@ var jwt = /*@__PURE__*/getDefaultExportFromCjs(jsonwebtoken);
 
 class Mixin {
     createBasicToken(payload, secret, expiresIn, options) {
-        const finalOptions = Object.assign(Object.assign({}, (options || {})), { expiresIn });
+        const finalOptions = Object.assign(Object.assign({}, (options || {})), { expiresIn, issuer: (options === null || options === void 0 ? void 0 : options.issuer) || process.env.JWT_ISSUER || 'hemia-app', audience: (options === null || options === void 0 ? void 0 : options.audience) || process.env.JWT_AUDIENCE || 'hemia-api', algorithm: (options === null || options === void 0 ? void 0 : options.algorithm) || 'HS256' });
         return jwt.sign(payload, secret, finalOptions);
     }
-    validateTokenBase(token, secretKey) {
+    validateTokenBase(token, secretKey, options) {
         try {
-            return jwt.verify(token, secretKey);
+            const verifyOptions = Object.assign(Object.assign({}, options), { algorithms: ['HS256', 'RS256'], issuer: (options === null || options === void 0 ? void 0 : options.issuer) || process.env.JWT_ISSUER, audience: (options === null || options === void 0 ? void 0 : options.audience) || process.env.JWT_AUDIENCE, clockTolerance: 30 });
+            return jwt.verify(token, secretKey, verifyOptions);
         }
         catch (error) {
-            console.error('Token inválido:', error);
+            if (error instanceof jwt.TokenExpiredError) {
+                console.error('Token expirado:', error.expiredAt);
+            }
+            else if (error instanceof jwt.JsonWebTokenError) {
+                console.error('Token inválido:', error.message);
+            }
+            else if (error instanceof jwt.NotBeforeError) {
+                console.error('Token no válido aún:', error.date);
+            }
+            else {
+                console.error('Error de validación:', error);
+            }
             return null;
         }
     }
-    decodeToken(token) {
-        return jwt.decode(token);
+    validateTokenDetailed(token, secretKey, options) {
+        try {
+            const verifyOptions = Object.assign(Object.assign({}, options), { algorithms: ['HS256', 'RS256'], issuer: (options === null || options === void 0 ? void 0 : options.issuer) || process.env.JWT_ISSUER, audience: (options === null || options === void 0 ? void 0 : options.audience) || process.env.JWT_AUDIENCE, clockTolerance: 30 });
+            const payload = jwt.verify(token, secretKey, verifyOptions);
+            return {
+                valid: true,
+                payload
+            };
+        }
+        catch (error) {
+            if (error instanceof jwt.TokenExpiredError) {
+                return {
+                    valid: false,
+                    error: `Token expirado en: ${error.expiredAt}`,
+                    errorType: 'expired'
+                };
+            }
+            else if (error instanceof jwt.JsonWebTokenError) {
+                return {
+                    valid: false,
+                    error: error.message,
+                    errorType: error.message.includes('signature') ? 'signature_invalid' : 'invalid'
+                };
+            }
+            else if (error instanceof jwt.NotBeforeError) {
+                return {
+                    valid: false,
+                    error: `Token no válido hasta: ${error.date}`,
+                    errorType: 'not_before'
+                };
+            }
+            else {
+                return {
+                    valid: false,
+                    error: 'Error desconocido al validar token',
+                    errorType: 'malformed'
+                };
+            }
+        }
+    }
+    decodeToken(token, complete = false) {
+        try {
+            return jwt.decode(token, { complete });
+        }
+        catch (error) {
+            console.error('Error al decodificar token:', error);
+            return null;
+        }
     }
 }
 
@@ -5818,30 +5905,133 @@ class JwtManager extends Mixin {
     constructor() {
         super();
         this._secretKey = '';
+        this._issuer = '';
+        this._audience = '';
         this._secretKey = process.env.JWT_SECRET || jwtConfig.cleanCredentialSecret;
+        this._issuer = process.env.JWT_ISSUER || 'hemia-app';
+        this._audience = process.env.JWT_AUDIENCE || 'hemia-api';
         if (!this._secretKey) {
             throw new Error("JWT secret key is required.");
         }
     }
+    createToken(payload, expiresIn, options) {
+        return this.createBasicToken(payload, this._secretKey, expiresIn || jwtConfig.expiresIn, Object.assign(Object.assign({}, options), { issuer: (options === null || options === void 0 ? void 0 : options.issuer) || this._issuer, audience: (options === null || options === void 0 ? void 0 : options.audience) || this._audience }));
+    }
+    createTokenWithSecret(payload, secretKey, expiresIn, options) {
+        return this.createBasicToken(payload, secretKey, expiresIn || jwtConfig.expiresIn, Object.assign(Object.assign({}, options), { issuer: (options === null || options === void 0 ? void 0 : options.issuer) || this._issuer, audience: (options === null || options === void 0 ? void 0 : options.audience) || this._audience }));
+    }
+    createCleanCredentialsToken(operative = exports.Operatives.CATALOG, expiresIn) {
+        const payload = { accessType: operative };
+        return this.createBasicToken(payload, this._secretKey, expiresIn || jwtConfig.expiresIn);
+    }
     getTokenWithoutKey(payload, expiresIn, options) {
-        return this.createBasicToken(payload, this._secretKey, expiresIn || jwtConfig.expiresIn, options);
+        return this.createToken(payload, expiresIn, options);
     }
     getTokenWithKey(payload, secretKey, expiresIn, options) {
-        return this.createBasicToken(payload, secretKey, expiresIn || jwtConfig.expiresIn, options);
+        return this.createTokenWithSecret(payload, secretKey, expiresIn, options);
     }
     getTokenCleanCredentials(operative = exports.Operatives.CATALOG, expiresIn) {
-        const payload = { accessType: operative };
-        return this.createBasicToken(payload, this._secretKey, expiresIn || jwtConfig.expiresIn);
+        return this.createCleanCredentialsToken(operative, expiresIn);
     }
-    validateToken(token, secretKey) {
-        return this.validateTokenBase(token, secretKey || this._secretKey);
+    createIdToken(claims, expiresIn) {
+        if (!claims.sub) {
+            throw new Error('sub (subject) claim is required for ID tokens');
+        }
+        const payload = Object.assign(Object.assign({}, claims), { iss: this._issuer, aud: this._audience, iat: Math.floor(Date.now() / 1000) });
+        return this.createBasicToken(payload, this._secretKey, expiresIn || jwtConfig.expiresIn, { issuer: this._issuer, audience: this._audience });
     }
-    decode(token) {
-        return this.decodeToken(token);
+    createAccessToken(sub, scopes, expiresIn) {
+        const payload = {
+            sub,
+            scope: scopes.join(' '),
+            iss: this._issuer,
+            aud: this._audience,
+            iat: Math.floor(Date.now() / 1000),
+        };
+        return this.createBasicToken(payload, this._secretKey, expiresIn || '15m', { issuer: this._issuer, audience: this._audience });
+    }
+    createRefreshToken(sub, expiresIn) {
+        const payload = {
+            sub,
+            type: 'refresh',
+            iss: this._issuer,
+            aud: this._audience,
+            iat: Math.floor(Date.now() / 1000),
+        };
+        return this.createBasicToken(payload, this._secretKey, expiresIn || '30d', {
+            issuer: this._issuer,
+            audience: this._audience,
+            jwtid: this.generateJti()
+        });
+    }
+    verify(token, secretKey, options) {
+        return this.validateTokenBase(token, secretKey || this._secretKey, Object.assign(Object.assign({}, options), { issuer: (options === null || options === void 0 ? void 0 : options.issuer) || this._issuer, audience: (options === null || options === void 0 ? void 0 : options.audience) || this._audience }));
+    }
+    verifyDetailed(token, secretKey, options) {
+        return super.validateTokenDetailed(token, secretKey || this._secretKey, Object.assign(Object.assign({}, options), { issuer: (options === null || options === void 0 ? void 0 : options.issuer) || this._issuer, audience: (options === null || options === void 0 ? void 0 : options.audience) || this._audience }));
+    }
+    validateToken(token, secretKey, options) {
+        return this.verify(token, secretKey, options);
+    }
+    validateTokenDetailed(token, secretKey, options) {
+        return this.verifyDetailed(token, secretKey, options);
+    }
+    decode(token, complete = false) {
+        return this.decodeToken(token, complete);
+    }
+    getClaims(token) {
+        const decoded = this.decodeToken(token);
+        if (!decoded)
+            return null;
+        const { sub, name, given_name, family_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at, email, email_verified, phone_number, phone_number_verified, address } = decoded;
+        return {
+            sub,
+            name,
+            given_name,
+            family_name,
+            middle_name,
+            nickname,
+            preferred_username,
+            profile,
+            picture,
+            website,
+            gender,
+            birthdate,
+            zoneinfo,
+            locale,
+            updated_at,
+            email,
+            email_verified,
+            phone_number,
+            phone_number_verified,
+            address
+        };
+    }
+    getStandardClaims(token) {
+        return this.getClaims(token);
+    }
+    hasScope(token, requiredScope) {
+        const payload = this.verify(token);
+        if (!payload || !payload.scope)
+            return false;
+        const scopes = typeof payload.scope === 'string'
+            ? payload.scope.split(' ')
+            : [];
+        return scopes.includes(requiredScope);
+    }
+    generateJti() {
+        return `${Date.now()}-${Math.random().toString(36).substr(2, 9)}`;
     }
     getJwtKey() {
         return this._secretKey;
     }
 }
 
+exports.TokenType = void 0;
+(function (TokenType) {
+    TokenType["ID_TOKEN"] = "id_token";
+    TokenType["ACCESS_TOKEN"] = "access_token";
+    TokenType["REFRESH_TOKEN"] = "refresh_token";
+})(exports.TokenType || (exports.TokenType = {}));
+
 exports.JwtManager = JwtManager;

package/dist/types/index.d.ts

@@ -1,3 +1,5 @@
 export { JwtManager } from './services/jwt.service';
 export { Operatives } from './Enums/Enums';
-export { SignOptions, JwtPayload } from 'jsonwebtoken';
+export { SignOptions, JwtPayload, VerifyOptions } from 'jsonwebtoken';
+export { StandardClaims, JwtClaims, TokenPayload } from './interfaces/oidc-claims';
+export { TokenType, TokenValidationResult } from './types/token-validation';

package/dist/types/interfaces/oidc-claims.d.ts

@@ -0,0 +1,42 @@
+export interface StandardClaims {
+    sub: string;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    middle_name?: string;
+    nickname?: string;
+    preferred_username?: string;
+    profile?: string;
+    picture?: string;
+    website?: string;
+    gender?: string;
+    birthdate?: string;
+    zoneinfo?: string;
+    locale?: string;
+    updated_at?: number;
+    email?: string;
+    email_verified?: boolean;
+    phone_number?: string;
+    phone_number_verified?: boolean;
+    address?: {
+        formatted?: string;
+        street_address?: string;
+        locality?: string;
+        region?: string;
+        postal_code?: string;
+        country?: string;
+    };
+}
+export interface JwtClaims {
+    iss?: string;
+    aud?: string | string[];
+    exp?: number;
+    nbf?: number;
+    iat?: number;
+    jti?: string;
+}
+export interface TokenPayload extends JwtClaims, Partial<StandardClaims> {
+    scope?: string;
+    type?: string;
+    [key: string]: any;
+}

package/dist/types/mixin/jwt.mixin.d.ts

@@ -1,6 +1,8 @@
-import { SignOptions, JwtPayload } from 'jsonwebtoken';
+import { SignOptions, JwtPayload, VerifyOptions } from 'jsonwebtoken';
+import { TokenValidationResult } from '../types/token-validation';
 export declare class Mixin {
     protected createBasicToken(payload: string | Buffer | object, secret: string, expiresIn: any | number, options?: SignOptions): string;
-    protected validateTokenBase(token: string, secretKey: string): JwtPayload | null;
-    decodeToken(token: string): JwtPayload | null;
+    protected validateTokenBase(token: string, secretKey: string, options?: VerifyOptions): JwtPayload | null;
+    protected validateTokenDetailed(token: string, secretKey: string, options?: VerifyOptions): TokenValidationResult;
+    decodeToken(token: string, complete?: boolean): JwtPayload | null;
 }

package/dist/types/services/jwt.service.d.ts

@@ -1,13 +1,30 @@
-import { SignOptions, JwtPayload } from 'jsonwebtoken';
+import { SignOptions, JwtPayload, VerifyOptions } from 'jsonwebtoken';
 import { Operatives } from '../Enums/Enums';
 import { Mixin } from '../mixin/jwt.mixin';
+import { StandardClaims } from '../interfaces/oidc-claims';
+import { TokenValidationResult } from '../types/token-validation';
 export declare class JwtManager extends Mixin {
     private _secretKey;
+    private _issuer;
+    private _audience;
     constructor();
+    createToken(payload: object, expiresIn?: string | number, options?: SignOptions): string;
+    createTokenWithSecret(payload: object, secretKey: string, expiresIn?: string | number, options?: SignOptions): string;
+    createCleanCredentialsToken(operative?: Operatives, expiresIn?: string | number): string;
     getTokenWithoutKey(payload: object, expiresIn?: string | number, options?: SignOptions): string;
     getTokenWithKey(payload: object, secretKey: string, expiresIn?: string | number, options?: SignOptions): string;
     getTokenCleanCredentials(operative?: Operatives, expiresIn?: string | number): string;
-    validateToken(token: string, secretKey?: string): JwtPayload | null;
-    decode(token: string): JwtPayload | null;
+    createIdToken(claims: StandardClaims, expiresIn?: string | number): string;
+    createAccessToken(sub: string, scopes: string[], expiresIn?: string | number): string;
+    createRefreshToken(sub: string, expiresIn?: string | number): string;
+    verify(token: string, secretKey?: string, options?: VerifyOptions): JwtPayload | null;
+    verifyDetailed(token: string, secretKey?: string, options?: VerifyOptions): TokenValidationResult;
+    validateToken(token: string, secretKey?: string, options?: VerifyOptions): JwtPayload | null;
+    validateTokenDetailed(token: string, secretKey?: string, options?: VerifyOptions): TokenValidationResult;
+    decode(token: string, complete?: boolean): JwtPayload | null;
+    getClaims(token: string): StandardClaims | null;
+    getStandardClaims(token: string): StandardClaims | null;
+    hasScope(token: string, requiredScope: string): boolean;
+    private generateJti;
     getJwtKey(): string;
 }

package/dist/types/types/token-validation.d.ts

@@ -0,0 +1,11 @@
+export declare enum TokenType {
+    ID_TOKEN = "id_token",
+    ACCESS_TOKEN = "access_token",
+    REFRESH_TOKEN = "refresh_token"
+}
+export interface TokenValidationResult {
+    valid: boolean;
+    payload?: any;
+    error?: string;
+    errorType?: 'expired' | 'invalid' | 'not_before' | 'malformed' | 'signature_invalid';
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hemia/jwt-manager",
-  "version": "0.0.1",
+  "version": "0.0.2",
   "description": "Gestor de JWT seguro y extensible para aplicaciones Node.js",
   "main": "dist/hemia-jwt-manager.js",
   "module": "dist/hemia-jwt-manager.esm.js",