@jmlq/auth-plugin-jose 0.0.1-alpha.8 → 0.0.1-alpha.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/infrastructure/services/internal/index.d.ts +1 -0
- package/dist/infrastructure/services/internal/index.js +1 -0
- package/dist/infrastructure/services/internal/strip-sensitive-custom-claims.d.ts +5 -0
- package/dist/infrastructure/services/internal/strip-sensitive-custom-claims.js +16 -0
- package/dist/infrastructure/services/jose-token.service.js +10 -5
- package/package.json +2 -2
|
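--- a/package/dist/infrastructure/services/internal/index.js
+++ b/package/dist/infrastructure/services/internal/index.js
@@ -18,3 +18,4 @@ __exportStar(require("./normalize-key-material"), exports);
 __exportStar(require("./jwt-expiration-reader"), exports);
 __exportStar(require("./get-alg-from-key-material"), exports);
 __exportStar(require("./build-jose-ctx"), exports);
+__exportStar(require("./strip-sensitive-custom-claims"), exports);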
|
|
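--- /dev/null
+++ b/package/dist/infrastructure/services/internal/strip-sensitive-custom-claims.js
@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stripSensitiveCustomClaims = stripSensitiveCustomClaims;
+/**
+ * Elimina claims sensibles que NO deben viajar en JWT.
+ * - permissions: deben resolverse en BDD en cada request.
+ */
+function stripSensitiveCustomClaims(input) {
+    const out = {};
+    for (const [k, v] of Object.entries(input)) {
+        if (k === "permissions")
+            continue;
+        out[k] = v;
+    }
+    return out;
+}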
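Review bot: The denylist is a single exact-match key, so the guarantee in the header comment holds only for a top-level `permissions` property — a nested value such as `{ profile: { permissions: [...] } }` or a differently cased `Permissions` is copied through untouched, and `roles`, which the issuing service in this same release says it never emits, is not stripped either if a caller puts it inside custom claims. If that invariant is meant to cover custom claims as well, promote the list to a shared frozen set and test membership: `const SENSITIVE_CLAIMS = new Set(["permissions", "roles"]);` and `if (SENSITIVE_CLAIMS.has(k)) continue;`. Because the loop copies every other own key with `out[k] = v`, an input key named `__proto__` would reassign the prototype of `out` instead of becoming a property; `Object.fromEntries(Object.entries(input).filter(([k]) => !SENSITIVE_CLAIMS.has(k)))` keeps it as a plain own property. The header should also be an English JSDoc stating `@param {Record<string, unknown>} input` and that the function returns a shallow copy without the filtered top-level keys and does not recurse into nested objects.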
|
|
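--- a/package/dist/infrastructure/services/jose-token.service.js
+++ b/package/dist/infrastructure/services/jose-token.service.js
@@ -134,12 +134,13 @@ class JoseTokenService {
             operation,
         });
         // 2) Claims estándar
-
-
-
+        // - NO emitimos `roles` en el JWT.
+        // - Mantenemos customClaims, pero filtramos `permissions`.
+        const customClaimsInput = (0, auth_1.readCustomClaims)(props.customClaims) ?? {};
+        const customClaims = (0, internal_2.stripSensitiveCustomClaims)(customClaimsInput);
+        // 3) Session Id (sid)
         const sid = (0, auth_1.readSessionId)(props.sessionId);
         if (!sid) {
-            // Nota: aquí usamos createAuthError para mantener consistencia del core.
             throw this.createAuthError({
                 code: "JWT_PAYLOAD_INVALID",
                 message: "sessionId is required",
@@ -148,7 +149,11 @@ class JoseTokenService {
         }
         // 4) Firmar
         const keys = await this.getNormalizedKeys();
-        const
+        const body = { sid };
+        if (Object.keys(customClaims).length > 0) {
+            body.customClaims = customClaims;
+        }
+        const jwt = new jose_1.SignJWT(body)
             .setProtectedHeader({ alg: keys.alg })
             .setSubject(props.user.id)
             .setJti((0, auth_1.createJwtId)())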
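Review bot: Stripping `permissions` at issuance does not protect the verification side — tokens signed by earlier versions, which presumably still carried the claim, stay valid until they expire, so any consumer that reads `payload.customClaims.permissions` after `jwtVerify` will keep trusting stale data unless it ignores that key or rejects pre-upgrade tokens by `iat`; I would make that explicit at the `customClaims` assignment with `// permissions are dropped at issuance only; verifiers must still ignore them in older tokens`. The comment "NO emitimos `roles` en el JWT" is true only of the top-level claim: nothing in this hunk prevents a caller-supplied `customClaims.roles` from being signed, because `stripSensitiveCustomClaims` (as added in this release) drops only `permissions` — either extend that filter or narrow the comment. Nesting the custom map under `body.customClaims` does keep caller keys from colliding with `sub`, `jti` and `sid`, which is worth stating in the comment rather than leaving implicit. The enclosing method begins before the first hunk and the chained `SignJWT` builder continues past the last line.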
|
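--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@jmlq/auth-plugin-jose",
   "description": "Infrastructure plugin that integrates the jose library with @jmlq/auth, providing JWT token generation and verification following Clean Architecture principles.",
-  "version": "0.0.1-alpha.
+  "version": "0.0.1-alpha.9",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "scripts": {
@@ -29,7 +29,7 @@
   "author": "MLahuasi",
   "license": "MIT",
   "dependencies": {
-    "@jmlq/auth": "^0.0.1-alpha.
+    "@jmlq/auth": "^0.0.1-alpha.30",
     "jose": "^6.1.3"
   },
   "devDependencies": {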
|