npm - @jmlq/auth - Versions diffs - 0.0.1-alpha.1 - Mend

@jmlq/auth 0.0.1-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (332) hide show

package/dist/tests/doman/object-values/role.spec.js ADDED Viewed

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const errors_1 = require("../../../src/domain/errors");
+const permission_1 = require("../../../src/domain/object-values/permission");
+const role_1 = require("../../../src/domain/object-values/role");
+describe("Role (Value Object)", () => {
+    const P = {
+        READ_USERS: permission_1.Permission.create("read:users"),
+        READ_ANY: permission_1.Permission.create("read:*"),
+        WRITE_POSTS: permission_1.Permission.create("write:posts"),
+        STAR: permission_1.Permission.create("*"),
+    };
+    describe("constructor & validRoles", () => {
+        it.each([null, undefined])("lanza si role es %p", (input) => {
+            expect(() => new role_1.Role(input)).toThrow(new errors_1.InvalidRoleError("Role cannot be null or undefined"));
+        });
+        it("lanza si role no es string", () => {
+            // @ts-expect-error (intencional para probar runtime)
+            expect(() => new role_1.Role(123)).toThrow(new errors_1.InvalidRoleError("Role must be a string"));
+        });
+        it("lanza si role está vacío tras trim", () => {
+            expect(() => new role_1.Role("   ")).toThrow(new errors_1.InvalidRoleError("Role cannot be empty"));
+        });
+        it("acepta cualquier role no vacío cuando no se provee validRoles", () => {
+            const r = new role_1.Role("  Admin  ");
+            expect(r.toString()).toBe("admin");
+        });
+        it("valida role contra validRoles (case-insensitive) y lanza si no está incluido", () => {
+            expect(() => new role_1.Role("manager", [], ["Admin", "User"])).toThrow(new errors_1.InvalidRoleError("Invalid role: manager. Valid roles are: Admin, User"));
+        });
+        it("valida role contra validRoles (case-insensitive) y permite si está incluido", () => {
+            const r = new role_1.Role("ADMIN", [], ["admin", "user"]);
+            expect(r.toString()).toBe("admin");
+        });
+        it("lanza si algún validRole no es string", () => {
+            expect(() => new role_1.Role("admin", [], ["user", null])).toThrow(new errors_1.InvalidRoleError("Valid roles must be strings"));
+        });
+    });
+    describe("permissions input", () => {
+        it("lanza si algún permission no es instancia de Permission", () => {
+            expect(() => new role_1.Role("admin", [P.READ_USERS, "write:posts"])).toThrow(new errors_1.InvalidPermissionError("Permissions must be Permission instances"));
+        });
+        it("almacena permisos normalizados y sin duplicados", () => {
+            const r = new role_1.Role("admin", [
+                permission_1.Permission.create("READ:USERS"),
+                permission_1.Permission.create("read:users"),
+            ]);
+            const { permissions } = r.getValue();
+            // Un solo elemento y normalizado
+            expect(permissions).toEqual(["read:users"]);
+        });
+        it("getPermissions devuelve nuevas instancias de Permission", () => {
+            const r = new role_1.Role("admin", [P.READ_USERS, P.WRITE_POSTS]);
+            const perms = r.getPermissions();
+            expect(perms).toHaveLength(2);
+            expect(perms[0]).toBeInstanceOf(permission_1.Permission);
+            expect(perms.map((p) => p.getValue())).toEqual(expect.arrayContaining(["read:users", "write:posts"]));
+        });
+    });
+    describe("consultas de permisos", () => {
+        it("hasPermission true para match exacto (string y Permission)", () => {
+            const r = new role_1.Role("user", [P.READ_USERS]);
+            expect(r.hasPermission("read:users")).toBe(true);
+            expect(r.hasPermission(permission_1.Permission.create("READ:USERS"))).toBe(true);
+            expect(r.hasPermission("read:posts")).toBe(false);
+        });
+        it("soporta comodín total '*'", () => {
+            const r = new role_1.Role("user", [P.STAR]);
+            expect(r.hasPermission("cualquier:cosa")).toBe(true);
+            expect(r.hasPermission("otra")).toBe(true);
+        });
+        it("soporta prefijo 'read:*'", () => {
+            const r = new role_1.Role("user", [P.READ_ANY]);
+            expect(r.hasPermission("read:users")).toBe(true);
+            expect(r.hasPermission("read:posts")).toBe(true);
+            expect(r.hasPermission("write:users")).toBe(false);
+        });
+        it("hasAnyPermission true si al menos uno coincide", () => {
+            const r = new role_1.Role("user", [P.READ_USERS]);
+            expect(r.hasAnyPermission(["read:posts", "read:users"])).toBe(true);
+            expect(r.hasAnyPermission(["write:posts", "write:users"])).toBe(false);
+        });
+        it("hasAllPermissions true si todos coinciden", () => {
+            const r = new role_1.Role("user", [P.READ_USERS, P.WRITE_POSTS]);
+            expect(r.hasAllPermissions(["read:users", "write:posts"])).toBe(true);
+            expect(r.hasAllPermissions(["read:users", "write:users"])).toBe(false);
+        });
+    });
+    describe("utilidades y estáticos", () => {
+        it("equals compara por nombre normalizado", () => {
+            const a = new role_1.Role("ADMIN");
+            const b = new role_1.Role("admin");
+            const c = new role_1.Role("user");
+            expect(a.equals(b)).toBe(true);
+            expect(a.equals(c)).toBe(false);
+        });
+        it("hasRole es case-insensitive", () => {
+            const r = new role_1.Role("manager");
+            expect(r.hasRole("  MANAGER ")).toBe(true);
+            expect(r.hasRole("user")).toBe(false);
+        });
+        it("toString devuelve el nombre del rol", () => {
+            expect(new role_1.Role("Admin").toString()).toBe("admin");
+        });
+        it("create crea sin validRoles, withValidRoles valida", () => {
+            const a = role_1.Role.create("User", [P.READ_USERS]);
+            expect(a.getValue()).toEqual({
+                role: "user",
+                permissions: ["read:users"],
+            });
+            const b = role_1.Role.withValidRoles("User", [P.READ_USERS], ["admin", "user"]);
+            expect(b.getValuePublic()).toEqual({ role: "user" });
+        });
+    });
+    describe("withPermissions y canPerform", () => {
+        it("withPermissions retorna un NUEVO Role sin mutar el original", () => {
+            const base = new role_1.Role("user", [P.READ_USERS]);
+            const added = base.withPermissions([P.WRITE_POSTS]);
+            // original intacto
+            expect(base.getValue().permissions).toEqual(["read:users"]);
+            // nuevo con ambos
+            expect(added.getValue().permissions).toEqual(expect.arrayContaining(["read:users", "write:posts"]));
+            // y siguen sin duplicados si se repiten
+            const again = added.withPermissions([permission_1.Permission.create("WRITE:POSTS")]);
+            expect(again.getValue().permissions).toEqual(expect.arrayContaining(["read:users", "write:posts"]));
+            expect(again.getValue().permissions).toHaveLength(2);
+        });
+        it("canPerform(action) delega a hasPermission con acción simple", () => {
+            const r = new role_1.Role("user", [permission_1.Permission.create("export")]);
+            expect(r.canPerform("export")).toBe(true);
+            expect(r.canPerform("import")).toBe(false);
+        });
+        it("canPerform(action, resource) compone 'action:resource'", () => {
+            const r = new role_1.Role("user", [permission_1.Permission.create("read:*")]);
+            expect(r.canPerform("read", "users")).toBe(true);
+            expect(r.canPerform("write", "users")).toBe(false);
+        });
+    });
+});

package/dist/tests/helpers/make-jwt-subject.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { JwtUser } from "src/domain";
+/**
+ * Crea un sujeto JWT falso (id, email y roles)
+ * usado por JwtTokenGenerator en los tests.
+ * No requiere instanciar entidades reales ni VO con validaciones.
+ */
+export declare function makeJwtSubject(overrides?: Partial<JwtUser>): JwtUser;

package/dist/tests/helpers/make-jwt-subject.js ADDED Viewed

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeJwtSubject = makeJwtSubject;
+/**
+ * Crea un sujeto JWT falso (id, email y roles)
+ * usado por JwtTokenGenerator en los tests.
+ * No requiere instanciar entidades reales ni VO con validaciones.
+ */
+function makeJwtSubject(overrides = {}) {
+    return {
+        id: "user-123",
+        email: "john.doe@example.com",
+        roles: [{ role: "ADMIN" }, { role: "USER" }],
+        ...overrides,
+    };
+}

package/dist/tests/helpers/make-jwt-user.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { JwtUser } from "src/domain";
+/**
+ * Crea un sujeto JWT falso (id, email y roles)
+ * usado por JwtTokenGenerator en los tests.
+ * No requiere instanciar entidades reales ni VO con validaciones.
+ */
+export declare function makeJwtSubject(overrides?: Partial<JwtUser>): JwtUser;

package/dist/tests/helpers/make-jwt-user.js ADDED Viewed

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeJwtSubject = makeJwtSubject;
+/**
+ * Crea un sujeto JWT falso (id, email y roles)
+ * usado por JwtTokenGenerator en los tests.
+ * No requiere instanciar entidades reales ni VO con validaciones.
+ */
+function makeJwtSubject(overrides = {}) {
+    return {
+        id: "user-123",
+        email: "john.doe@example.com",
+        roles: [{ role: "ADMIN" }, { role: "USER" }],
+        ...overrides,
+    };
+}

package/dist/tests/helpers/make-user.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { User } from "src/domain";
2	+ export declare function makeUser565456456(): User;

package/dist/tests/helpers/make-user.js ADDED Viewed

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeUser565456456 = makeUser565456456;
+const domain_1 = require("src/domain");
+function makeUser565456456() {
+    return new domain_1.User({
+        id: new domain_1.Id("user-123"),
+        email: new domain_1.Email("john.doe@example.com"),
+        roles: [new domain_1.Role("admin"), new domain_1.Role("user")],
+        password: new domain_1.HashedPassword("$2b$10$W6X...cadenaValidaDeBcrypt.../"),
+        isActive: true,
+        createdAt: new Date(),
+        updatedAt: new Date(),
+    });
+}

package/dist/tests/infrastructure/jwt/signature-strategy-factory.spec.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/tests/infrastructure/jwt/signature-strategy-factory.spec.js ADDED Viewed

@@ -0,0 +1,127 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+// tests/infrastructure/jwt/signature-strategy-factory.spec.ts
+const domain_1 = require("src/domain");
+const shared_1 = require("src/shared");
+// 👇 Mockeamos el módulo ANTES de importar la factory.
+jest.mock("../../../src/infrastructure/jwt/strategies", () => {
+    return {
+        HmacSignatureStrategy: jest
+            .fn()
+            .mockImplementation((alg, enc) => ({
+            _type: "hmac",
+            alg,
+            enc,
+        })),
+        RsaSignatureStrategy: jest
+            .fn()
+            .mockImplementation((alg, enc) => ({
+            _type: "rsa",
+            alg,
+            enc,
+        })),
+        EcdsaSignatureStrategy: jest
+            .fn()
+            .mockImplementation((alg, enc) => ({
+            _type: "ecdsa",
+            alg,
+            enc,
+        })),
+    };
+});
+// importamos la factory y el módulo mockeado
+const strategies = __importStar(require("../../../src/infrastructure/jwt/strategies"));
+const infrastructure_1 = require("src/infrastructure");
+describe("SignatureStrategyFactory", () => {
+    let encoder;
+    let factory;
+    beforeEach(() => {
+        jest.clearAllMocks();
+        encoder = new shared_1.Base64UrlEncoder();
+        factory = new infrastructure_1.SignatureStrategyFactory(encoder);
+    });
+    it("instancia HmacSignatureStrategy cuando algoritmo es HS*", () => {
+        const hsAlg = Object.values(shared_1.algorithms.hmac)[0] ?? "HS256";
+        const result = factory.create(hsAlg);
+        expect(strategies.HmacSignatureStrategy).toHaveBeenCalledTimes(1);
+        expect(strategies.HmacSignatureStrategy).toHaveBeenCalledWith(hsAlg.toUpperCase(), encoder);
+        expect(result).toMatchObject({
+            _type: "hmac",
+            alg: hsAlg.toUpperCase(),
+            enc: encoder,
+        });
+        expect(strategies.RsaSignatureStrategy).not.toHaveBeenCalled();
+        expect(strategies.EcdsaSignatureStrategy).not.toHaveBeenCalled();
+    });
+    it("instancia RsaSignatureStrategy cuando algoritmo es RS*", () => {
+        const rsAlg = Object.values(shared_1.algorithms.rsa)[0] ?? "RS256";
+        const result = factory.create(rsAlg);
+        expect(strategies.RsaSignatureStrategy).toHaveBeenCalledTimes(1);
+        expect(strategies.RsaSignatureStrategy).toHaveBeenCalledWith(rsAlg.toUpperCase(), encoder);
+        expect(result).toMatchObject({
+            _type: "rsa",
+            alg: rsAlg.toUpperCase(),
+            enc: encoder,
+        });
+        expect(strategies.HmacSignatureStrategy).not.toHaveBeenCalled();
+        expect(strategies.EcdsaSignatureStrategy).not.toHaveBeenCalled();
+    });
+    it("instancia EcdsaSignatureStrategy cuando algoritmo es ES*", () => {
+        const esAlg = Object.values(shared_1.algorithms.ecdsa)[0] ?? "ES256";
+        const result = factory.create(esAlg);
+        expect(strategies.EcdsaSignatureStrategy).toHaveBeenCalledTimes(1);
+        expect(strategies.EcdsaSignatureStrategy).toHaveBeenCalledWith(esAlg.toUpperCase(), encoder);
+        expect(result).toMatchObject({
+            _type: "ecdsa",
+            alg: esAlg.toUpperCase(),
+            enc: encoder,
+        });
+        expect(strategies.HmacSignatureStrategy).not.toHaveBeenCalled();
+        expect(strategies.RsaSignatureStrategy).not.toHaveBeenCalled();
+    });
+    it("es case-insensitive (toUpperCase defensivo)", () => {
+        const hsAlg = (Object.values(shared_1.algorithms.hmac)[0] ?? "HS256").toLowerCase();
+        factory.create(hsAlg);
+        expect(strategies.HmacSignatureStrategy).toHaveBeenCalledWith(hsAlg.toUpperCase(), encoder);
+    });
+    it("lanza UnsupportedAlgorithmError si no está soportado", () => {
+        const unsupported = "PS256";
+        expect(() => factory.create(unsupported)).toThrow(domain_1.UnsupportedAlgorithmError);
+        expect(strategies.HmacSignatureStrategy).not.toHaveBeenCalled();
+        expect(strategies.RsaSignatureStrategy).not.toHaveBeenCalled();
+        expect(strategies.EcdsaSignatureStrategy).not.toHaveBeenCalled();
+    });
+});

package/dist/tests/infrastructure/jwt/strategies/ecdsa-signature-strategy.spec.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/tests/infrastructure/jwt/strategies/ecdsa-signature-strategy.spec.js ADDED Viewed

@@ -0,0 +1,157 @@
+"use strict";
+// tests/infrastructure/jwt/strategies/EcdsaSignatureStrategy.spec.ts
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const crypto = __importStar(require("crypto"));
+const strategies_1 = require("src/infrastructure/jwt/strategies");
+const shared_1 = require("src/shared");
+describe("EcdsaSignatureStrategy", () => {
+    // Función auxiliar para generar par de claves ECDSA
+    const makeKeys = (curve) => crypto.generateKeyPairSync("ec", {
+        namedCurve: curve,
+        publicKeyEncoding: { type: "spki", format: "pem" },
+        privateKeyEncoding: { type: "pkcs8", format: "pem" },
+    });
+    // Datos base para firmar
+    const baseData = "header.payload";
+    // Vectores de prueba para cada algoritmo ECDSA
+    const vectors = [
+        { alg: shared_1.algorithms.ecdsa.ES256, curve: "P-256" },
+        { alg: shared_1.algorithms.ecdsa.ES384, curve: "P-384" },
+        { alg: shared_1.algorithms.ecdsa.ES512, curve: "P-521" },
+    ];
+    // Casos positivos
+    it.each(vectors)("sign/verify OK para %s", ({ alg, curve }) => {
+        // Genera par de claves
+        const { publicKey, privateKey } = makeKeys(curve);
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        // Crea la estrategia
+        const strat = new strategies_1.EcdsaSignatureStrategy(alg, encoder);
+        // Firma
+        const sig = strat.sign(baseData, privateKey);
+        // Debe ser Base64URL (sin +, /, =)
+        expect(sig).toMatch(/^[A-Za-z0-9\-_]+$/);
+        // verify OK con los mismos datos/clave
+        expect(strat.verify(baseData, sig, publicKey)).toBe(true);
+    });
+    // Casos negativos
+    it.each(vectors)("verify=false si los datos se alteran (%s)", ({ alg, curve }) => {
+        // Genera par de claves
+        const { publicKey, privateKey } = makeKeys(curve);
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        // Crea la estrategia
+        const strat = new strategies_1.EcdsaSignatureStrategy(alg, encoder);
+        // Firma
+        const sig = strat.sign(baseData, privateKey);
+        // verify debe fallar si se alteran los datos
+        expect(strat.verify(baseData + ".tampered", sig, publicKey)).toBe(false);
+    });
+    // Casos negativos - firma alterada
+    it.each(vectors)("verify=false si la firma se altera (%s)", ({ alg, curve }) => {
+        // Genera par de claves
+        const { publicKey, privateKey } = makeKeys(curve);
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        // Crea la estrategia
+        const strat = new strategies_1.EcdsaSignatureStrategy(alg, encoder);
+        // Firma
+        const sig = strat.sign(baseData, privateKey);
+        // Decodificamos a base64 estándar y luego a bytes
+        const stdB64 = encoder.decode(sig);
+        const buf = Buffer.from(stdB64, "base64");
+        // Flip de un byte en el medio (afecta r/s con alta probabilidad)
+        const i = Math.floor(buf.length / 2);
+        buf[i] ^= 0x01;
+        // Re-encode a base64url para pasar por la API pública de la estrategia
+        const tampered = encoder.encode(Buffer.from(buf).toString("base64"));
+        expect(strat.verify(baseData, tampered, publicKey)).toBe(false);
+    });
+    // Pruebas adicionales
+    it("getSupportedAlgorithm() devuelve el algoritmo configurado", () => {
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        // Crea la estrategia
+        const strat = new strategies_1.EcdsaSignatureStrategy(shared_1.algorithms.ecdsa.ES256, encoder);
+        // Debe devolver el algoritmo configurado
+        expect(strat.getSupportedAlgorithm()).toBe("ES256");
+    });
+    // Casos de error - algoritmo no soportado
+    it("sign lanza y verify devuelve false para algoritmo no soportado", () => {
+        // Crea la estrategia con un algoritmo inválido
+        const badAlg = "ES999";
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        // Crea la estrategia
+        const strat = new strategies_1.EcdsaSignatureStrategy(badAlg, encoder);
+        // Genera par de claves válidas
+        const { publicKey, privateKey } = makeKeys("P-256");
+        // sign debe lanzar error
+        expect(() => strat.sign(baseData, privateKey)).toThrow(/Unsupported ECDSA algorithm/i);
+        // verify debe devolver false
+        expect(strat.verify(baseData, "abc", publicKey)).toBe(false);
+    });
+    // Prueba que se usa el encoder correctamente
+    it("usa el encoder para encode (sign) y decode (verify)", () => {
+        // Mocks del encoder
+        const encoder = {
+            encode: jest.fn((b64) => b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "")),
+            decode: jest.fn((b64url) => {
+                const pad = b64url.length % 4;
+                let std = b64url.replace(/-/g, "+").replace(/_/g, "/");
+                if (pad)
+                    std += "=".repeat(4 - pad);
+                return std;
+            }),
+        };
+        // Genera par de claves válidas
+        const { publicKey, privateKey } = makeKeys("P-256");
+        // Crea la estrategia
+        const strat = new strategies_1.EcdsaSignatureStrategy(shared_1.algorithms.ecdsa.ES256, encoder);
+        // Firma
+        const sig = strat.sign(baseData, privateKey);
+        // Verifica que se llamó al encoder
+        expect(encoder.encode).toHaveBeenCalledTimes(1);
+        // El resultado debe ser string
+        expect(typeof sig).toBe("string");
+        // Verifica
+        const ok = strat.verify(baseData, sig, publicKey);
+        // Verifica que se llamó al decoder
+        expect(encoder.decode).toHaveBeenCalledTimes(1);
+        // El resultado debe ser true
+        expect(ok).toBe(true);
+    });
+});

package/dist/tests/infrastructure/jwt/strategies/hmac-signature-strategy.spec.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/tests/infrastructure/jwt/strategies/hmac-signature-strategy.spec.js ADDED Viewed

@@ -0,0 +1,150 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const crypto = __importStar(require("crypto"));
+const infrastructure_1 = require("src/infrastructure");
+const shared_1 = require("src/shared");
+describe("HmacSignatureStrategy", () => {
+    // 🔑 Clave simétrica compartida
+    const makeSecret = (length = 32) => crypto.randomBytes(length).toString("base64url");
+    // Datos base para firmar
+    const baseData = "header.payload";
+    // Vectores de prueba para cada algoritmo HMAC
+    const vectors = [
+        { alg: shared_1.algorithms.hmac.HS256, hash: "sha256" },
+        { alg: shared_1.algorithms.hmac.HS384, hash: "sha384" },
+        { alg: shared_1.algorithms.hmac.HS512, hash: "sha512" },
+    ];
+    // Casos positivos
+    it.each(vectors)("firma y verifica correctamente con %s", ({ alg }) => {
+        // Genera clave secreta
+        const secret = makeSecret();
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        const strategy = new infrastructure_1.HmacSignatureStrategy(alg, encoder);
+        // Firma
+        const sig = strategy.sign(baseData, secret);
+        // Debe ser Base64URL (sin +, /, =)
+        const valid = strategy.verify(baseData, sig, secret);
+        // Debe ser válido
+        expect(valid).toBe(true);
+    });
+    //   Casos negativos
+    it.each(vectors)("verify=false si los datos se alteran (%s)", ({ alg }) => {
+        // Genera clave secreta
+        const secret = makeSecret();
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        const strategy = new infrastructure_1.HmacSignatureStrategy(alg, encoder);
+        // Firma
+        const sig = strategy.sign(baseData, secret);
+        // verify debe fallar si se alteran los datos
+        expect(strategy.verify(baseData + ".tampered", sig, secret)).toBe(false);
+    });
+    // Casos negativos - firma alterada
+    it.each(vectors)("verify=false si la firma se altera (%s)", ({ alg }) => {
+        // Genera clave secreta
+        const secret = makeSecret();
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        const strategy = new infrastructure_1.HmacSignatureStrategy(alg, encoder);
+        // Firma
+        const sig = strategy.sign(baseData, secret);
+        // Decodificamos a base64 estándar y luego a bytes
+        const stdB64 = encoder.decode(sig);
+        const buf = Buffer.from(stdB64, "base64");
+        // Flip de un byte en el medio (afecta r/s con alta probabilidad)
+        const i = Math.floor(buf.length / 2);
+        buf[i] ^= 0x01;
+        // Re-encode a base64url para pasar por la API pública de la estrategia
+        const tampered = encoder.encode(Buffer.from(buf).toString("base64"));
+        expect(strategy.verify(baseData, tampered, secret)).toBe(false);
+    });
+    // Pruebas adicionales
+    it("getSupportedAlgorithm() devuelve el algoritmo configurado", () => {
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        // Crea la estrategia
+        const strat = new infrastructure_1.HmacSignatureStrategy(shared_1.algorithms.hmac.HS256, encoder);
+        // Debe devolver el algoritmo configurado
+        expect(strat.getSupportedAlgorithm()).toBe("HS256");
+    });
+    // Casos de error - algoritmo no soportado
+    it("sign lanza y verify devuelve false para algoritmo no soportado", () => {
+        // Crea la estrategia con un algoritmo inválido
+        const badAlg = "HS999";
+        // Crea la estrategia
+        const encoder = new shared_1.Base64UrlEncoder();
+        // Crea la estrategia
+        const strat = new infrastructure_1.HmacSignatureStrategy(badAlg, encoder);
+        // Genera par de claves válidas
+        const secret = makeSecret();
+        // sign debe lanzar error
+        expect(() => strat.sign(baseData, secret)).toThrow(/Unsupported HMAC algorithm/i);
+        // verify debe devolver false
+        expect(strat.verify(baseData, "abc", secret)).toBe(false);
+    });
+    // Prueba que se usa el encoder correctamente
+    it("usa el encoder para encode (sign) y decode (verify)", () => {
+        // Mocks del encoder
+        const encoder = {
+            encode: jest.fn((b64) => b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "")),
+            decode: jest.fn((b64url) => {
+                const pad = b64url.length % 4;
+                let std = b64url.replace(/-/g, "+").replace(/_/g, "/");
+                if (pad)
+                    std += "=".repeat(4 - pad);
+                return std;
+            }),
+        };
+        // Genera clave secreta
+        const secret = makeSecret();
+        // Crea la estrategia
+        // Crea la estrategia
+        const strat = new infrastructure_1.HmacSignatureStrategy(shared_1.algorithms.hmac.HS256, encoder);
+        // Firma
+        const sig = strat.sign(baseData, secret);
+        // Verifica que se llamó al encoder
+        expect(encoder.encode).toHaveBeenCalledTimes(1);
+        // El resultado debe ser string
+        expect(typeof sig).toBe("string");
+        // Verifica
+        const ok = strat.verify(baseData, sig, secret);
+        // Verifica que se no se llamó al decoder (no lo necesita HMAC)
+        expect(encoder.decode).toHaveBeenCalledTimes(0);
+        // El resultado debe ser true
+        expect(ok).toBe(true);
+    });
+});

package/dist/tests/infrastructure/jwt/strategies/rsa-signature-strategy..spec.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};