npm - @kagal/taistamp - Versions diffs - 0.1.0 → 0.1.2 - Mend

@kagal/taistamp 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -69,7 +69,7 @@ absent (no echo, no signature) per [spec §5.4][spec-nonce].
 Response headers on success:
 | Header | Value |
-|--------|-------|
+| ------ | ----- |
 | `Content-Type` | `application/tai64n` |
 | `Content-Length` | `25` |
 | `Cache-Control` | `no-store` |
@@ -99,7 +99,7 @@ newTaistampHandler({ cors: false });                 // CORS-specific headers of
 When CORS is enabled, responses carry:
 | Response | CORS headers added | `Vary: Origin` (scoped origin only) |
-|----------|--------------------|------|
+| -------- | ------------------ | ----------------------------------- |
 | `OPTIONS` 200 | `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods: GET, HEAD`, `Access-Control-Allow-Headers: TAI-Nonce`, `Access-Control-Expose-Headers: TAI-Leap-Seconds, TAI-Nonce, TAI-Key-Selector, TAI-Signature`, `Access-Control-Max-Age: 600` | yes |
 | `GET` / `HEAD` 200 | `Access-Control-Allow-Origin`, `Access-Control-Expose-Headers` (so browser JS can read the `TAI-*` headers) | yes |
 | `405` | `Access-Control-Allow-Origin` | yes |
@@ -215,7 +215,7 @@ v=tai1; k=ed25519; p=<base64-of-32-raw-pubkey-bytes>
 ```
 | Tag | Value |
-|-----|-------|
+| --- | ----- |
 | `v` | Protocol version. `tai1` for the framing in this README. |
 | `k` | Key algorithm. `ed25519` for the only algorithm currently defined. |
 | `p` | Public key, standard base64. For Ed25519: 32 raw bytes → 43-44 chars. |
@@ -239,14 +239,19 @@ or fall back to a strict-verify library such as
 ```typescript
 import {
   asNonce,
-  extractLeapSeconds,
   composeSignaturePayload,
+  extractLeapSeconds,
+  readLabel,
 } from '@kagal/taistamp';
 const response = await fetch(taistampURL, {
   headers: { 'TAI-Nonce': clientNonce },
 });
-const label = await response.text();
+// `application/tai64n` is octet-typed, not text. `readLabel`
+// reads the raw body and decodes the 25-octet ASCII label;
+// never `response.text()`, which UTF-8-decodes and would
+// mangle a non-ASCII octet instead of surfacing it.
+const label = await readLabel(response);
 const selector = response.headers.get('TAI-Key-Selector')!;
 const sigSf = response.headers.get('TAI-Signature')!;
@@ -342,6 +347,16 @@ Re-exported from `@kagal/ed25519-secret`:
 For verifier-side validation of a signed response
 (see [Verifying a signature](#verifying-a-signature)):
+- `readLabel(response, context?)` — read the TAI64N
+  label from a response body. Use this instead of
+  `response.text()`, which UTF-8-decodes the octet-typed
+  `application/tai64n` body. Throws `TypeError` unless
+  the body is exactly 25 ASCII octets; pass `context` to
+  prefix the error. Consumes the body.
+- `readASCII(response, context?)` — the unvalidated
+  reader behind `readLabel`: decode any response body as
+  7-bit ASCII, with no length check. Throws `TypeError`
+  on any byte ≥ `0x80`; consumes the body.
 - `composeSignaturePayload(label, leapSeconds,
   selector, nonce)` — reconstructs the exact byte
   sequence the server signed.
@@ -368,7 +383,7 @@ are re-exported for callers that need raw TAI64N
 construction:
 | Export | Description |
-|--------|-------------|
+| ------ | ----------- |
 | `now()` | Current TAI as `{ sec, nano, offset }` |
 | `fromUTC(utc)` | `Date.now()`-shaped milliseconds → TAI timestamp |
 | `tai64nLabel(t?)` | 25-byte label string for a timestamp (or `now()`) |
@@ -383,7 +398,7 @@ history.
 ### Constants
 | Name | Value |
-|------|-------|
+| ---- | ----- |
 | `TAISTAMP_PATH` | `/.well-known/taistamp` |
 | `TAI64N_CONTENT_TYPE` | `application/tai64n` |
 | `TAI64N_CONTENT_LENGTH` | `25` |