@jmlq/auth 0.0.1-alpha.21 → 0.0.1-alpha.24
- package/dist/domain/services/helpers/optional-audience.helper.d.ts +13 -0
- package/dist/domain/services/helpers/optional-audience.helper.js +19 -4
- package/dist/domain/services/normalize-jwt-payload.service.d.ts +5 -1
- package/dist/domain/services/normalize-jwt-payload.service.js +13 -1
- package/dist/index.d.ts +12 -0
- package/dist/index.js +17 -6
- package/package.json +1 -1
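--- a/package/dist/domain/services/helpers/optional-audience.helper.d.ts
+++ b/package/dist/domain/services/helpers/optional-audience.helper.d.ts
@@ -1 +1,14 @@
+/**
+* Regla canónica de dominio para el claim estándar `aud` (audience).
+*
+* Propósito:
+* - Aceptar `aud` como string o string[] (según librería/plugin).
+* - Rechazar valores vacíos.
+* - Si es array: normalizar de forma determinista (dedupe + sort),
+* útil para tests y debugging.
+*
+* Importante:
+* - Esta validación es del CORE (@jmlq/auth).
+* - Los plugins JWT NO deben validar audience; solo entregan payload verificado.
+*/
 export declare function optionalAudience(value: unknown): string | string[] | undefined;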
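--- a/package/dist/domain/services/helpers/optional-audience.helper.js
+++ b/package/dist/domain/services/helpers/optional-audience.helper.js
@@ -2,9 +2,24 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.optionalAudience = optionalAudience;
 const errors_1 = require("../../errors");
+/**
+* Regla canónica de dominio para el claim estándar `aud` (audience).
+*
+* Propósito:
+* - Aceptar `aud` como string o string[] (según librería/plugin).
+* - Rechazar valores vacíos.
+* - Si es array: normalizar de forma determinista (dedupe + sort),
+* útil para tests y debugging.
+*
+* Importante:
+* - Esta validación es del CORE (@jmlq/auth).
+* - Los plugins JWT NO deben validar audience; solo entregan payload verificado.
+*/
 function optionalAudience(value) {
+// aud ausente => ok
 if (value == null)
 return undefined;
+// aud como string
 if (typeof value === "string") {
 const v = value.trim();
 if (!v) {
@@ -14,19 +29,19 @@ function optionalAudience(value) {
 }
 return v;
 }
+// aud como string[]
 if (Array.isArray(value)) {
 const items = value
 .filter((x) => typeof x === "string")
 .map((x) => x.trim())
 .filter((x) => x.length > 0);
 if (items.length === 0) {
-throw new errors_1.InvalidJwtPayloadError("JWT payload.aud must contain at least one non-empty string", {
-field: "aud",
-});
+throw new errors_1.InvalidJwtPayloadError("JWT payload.aud must contain at least one non-empty string", { field: "aud" });
 }
-// Determinista
+// Determinista: sin duplicados y ordenado
 return Array.from(new Set(items)).sort((a, b) => a.localeCompare(b));
 }
+// Tipo inválido
 throw new errors_1.InvalidJwtPayloadError("JWT payload.aud must be a string or string[]", {
 field: "aud",
 receivedType: typeof value,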
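Review bot: In the array branch of the second hunk, `.filter((x) => typeof x === "string")` silently discards non-string entries, so an `aud` such as `["api", 42]` is accepted and normalised to `["api"]` rather than rejected as malformed. For a rule the new header calls canonical, I would fail the whole claim when any element is not a non-empty string, for example `if (!value.every((x) => typeof x === "string" && x.trim().length > 0)) throw new errors_1.InvalidJwtPayloadError("JWT payload.aud must be a string or string[]", { field: "aud" });` placed before the filter chain. Separately, `a.localeCompare(b)` without a locale argument follows the runtime's default collation, so the order the comment calls "Determinista" can differ between hosts; a plain `.sort()` compares code units and does not have that dependency. The body of optionalAudience is split across the two hunks and its closing lines are outside them.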
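--- a/package/dist/domain/services/normalize-jwt-payload.service.d.ts
+++ b/package/dist/domain/services/normalize-jwt-payload.service.d.ts
@@ -4,12 +4,16 @@ import type { IJWTPayload } from "../ports";
 * --------------
 * Normaliza y valida un payload JWT según las reglas del dominio.
 *
-* - Entrada: unknown (claims verificados por infraestructura)
+* - Entrada: unknown (claims verificados por infraestructura/plugin)
 * - Salida: IJWTPayload tipado y confiable
 *
 * Importante:
 * - NO verifica firma
 * - NO parsea JWT
 * - Define únicamente reglas de dominio
+*
+* Contrato:
+* - `aud` se valida exclusivamente aquí vía `optionalAudience()`.
+* - Cualquier error de `aud` debe provenir de `InvalidJwtPayloadError`.
 */
 export declare function normalizeJwtPayload(input: unknown): IJWTPayload;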
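--- a/package/dist/domain/services/normalize-jwt-payload.service.js
+++ b/package/dist/domain/services/normalize-jwt-payload.service.js
@@ -8,13 +8,17 @@ const helpers_1 = require("./helpers");
 * --------------
 * Normaliza y valida un payload JWT según las reglas del dominio.
 *
-* - Entrada: unknown (claims verificados por infraestructura)
+* - Entrada: unknown (claims verificados por infraestructura/plugin)
 * - Salida: IJWTPayload tipado y confiable
 *
 * Importante:
 * - NO verifica firma
 * - NO parsea JWT
 * - Define únicamente reglas de dominio
+*
+* Contrato:
+* - `aud` se valida exclusivamente aquí vía `optionalAudience()`.
+* - Cualquier error de `aud` debe provenir de `InvalidJwtPayloadError`.
 */
 function normalizeJwtPayload(input) {
 if (input == null || typeof input !== "object") {
@@ -23,12 +27,20 @@ function normalizeJwtPayload(input) {
 });
 }
 const obj = input;
+// Required
 const sub = (0, helpers_1.requireNonEmptyString)(obj.sub, "sub");
 const sid = (0, helpers_1.requireNonEmptyString)(obj.sid, "sid");
 const jti = (0, helpers_1.requireNonEmptyString)(obj.jti, "jti");
 const iat = (0, helpers_1.requireFiniteNumber)(obj.iat, "iat");
 const exp = (0, helpers_1.requireFiniteNumber)(obj.exp, "exp");
+// Optional
 const iss = (0, helpers_1.optionalNonEmptyString)(obj.iss);
+/**
+* Canonical audience rule (core):
+* - string | string[] | undefined
+* - empty string or empty array => InvalidJwtPayloadError
+* - array => dedupe + sort
+*/
 const aud = (0, helpers_1.optionalAudience)(obj.aud);
 const roles = (0, helpers_1.optionalRoles)(obj.roles);
 const customClaims = (0, helpers_1.optionalRecord)(obj.customClaims, "customClaims");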
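Review bot: The `aud` handling in the second hunk checks only the claim's shape: `optionalAudience(obj.aud)` yields `undefined` for a missing claim and never compares the value with an audience the host expects, and `normalizeJwtPayload(input)` has no parameter through which an expected audience could be supplied. Read together with the new contract line that `aud` is validated exclusively here, and the helper's note that plugins must not validate audience, a token issued for a different service would pass normalisation unless a caller outside this diff performs the comparison. I would state that limit in the comment above the call, e.g. `// Shape check only: the caller must still compare aud with its expected audience`, or accept an optional expected-audience argument and reject on mismatch. The function body starts and ends outside these hunks, so a later check may exist that is not visible here.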
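--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,5 +1,17 @@
 export type { IAuthServiceContainer } from "./infrastructure/types";
 export { AuthServiceFactoryOptions } from "./application/types";
+/**
+* Contrato público (JWT payload):
+* - Los plugins devuelven payload verificado criptográficamente como unknown.
+* - El core normaliza/valida y expone API estable para consumo externo.
+*/
+export { normalizeJwtPayload } from "./domain/services";
+/**
+* Export explícito (contractual):
+* Aunque ya se exporta vía `export * from "./domain/errors"`,
+* se expone de forma directa para que el host/plugins lo consuman sin ambigüedad.
+*/
+export { InvalidJwtPayloadError } from "./domain/errors";
 export * from "./domain/ports";
 export * from "./domain/entities";
 export * from "./domain/object-values";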
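--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,5 +1,4 @@
 "use strict";
-// export { BcryptPasswordHasher } from "./infrastructure/security";
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
 if (k2 === undefined) k2 = k;
 var desc = Object.getOwnPropertyDescriptor(m, k);
@@ -15,20 +14,32 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.InvalidJwtPayloadError = exports.normalizeJwtPayload = void 0;
+/**
+* Contrato público (JWT payload):
+* - Los plugins devuelven payload verificado criptográficamente como unknown.
+* - El core normaliza/valida y expone API estable para consumo externo.
+*/
+var services_1 = require("./domain/services");
+Object.defineProperty(exports, "normalizeJwtPayload", { enumerable: true, get: function () { return services_1.normalizeJwtPayload; } });
+/**
+* Export explícito (contractual):
+* Aunque ya se exporta vía `export * from "./domain/errors"`,
+* se expone de forma directa para que el host/plugins lo consuman sin ambigüedad.
+*/
+var errors_1 = require("./domain/errors");
+Object.defineProperty(exports, "InvalidJwtPayloadError", { enumerable: true, get: function () { return errors_1.InvalidJwtPayloadError; } });
 // Contratos (ports) + config
 __exportStar(require("./domain/ports"), exports);
 // Entities
 __exportStar(require("./domain/entities"), exports);
 // VOs
 __exportStar(require("./domain/object-values"), exports);
-//
+// Props (JWT generation inputs, etc.)
 __exportStar(require("./domain/props"), exports);
 // Errores públicos
 __exportStar(require("./domain/errors"), exports);
 // DTOs (solo types)
 __exportStar(require("./application/dtos"), exports);
-//
-// export * from "./application/factories";
+// Facades (entrypoint recomendado para hosts)
 __exportStar(require("./application/facades"), exports);
-// adapters útiles para tests/demos
-// export * from "./infrastructure/repositories/in-memory";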