@kevisual/auth 1.0.5-alpha.1 → 2.0.0

package/bun.config.ts

@@ -0,0 +1,20 @@
+import { resolvePath } from '@kevisual/use-config';
+import { execSync } from 'node:child_process';
+
+const entry = 'src/index.ts';
+const naming = 'app';
+const external = ['pm2'];
+await Bun.build({
+  target: 'browser',
+  format: 'esm',
+  entrypoints: [resolvePath(entry, { meta: import.meta })],
+  outdir: resolvePath('./dist', { meta: import.meta }),
+  naming: {
+    entry: `${naming}.js`,
+  },
+  external,
+});
+
+const cmd ='dts -i src/index.ts -o app.d.ts'
+execSync(cmd, { stdio: 'inherit' });
+console.log('Build completed.');

package/package.json

@@ -1,61 +1,29 @@
 {
   "name": "@kevisual/auth",
-  "version": "1.0.5-alpha.1",
+  "version": "2.0.0",
   "description": "",
-  "main": "dist/index.js",
-  "type": "module",
-  "typings": "dist/index.d.js",
-  "private": false,
   "scripts": {
-    "build": "npm run clean &&rollup -c",
-    "clean": "rimraf dist"
-  },
-  "files": [
-    "src",
-    "dist"
-  ],
-  "keywords": [
-    "router",
-    "auth"
-  ],
-  "author": "",
-  "license": "ISC",
-  "peerDependencies": {
-    "@kevisual/router": ">=0.0.4"
+    "build": "bun run bun.config.ts"
   },
+  "keywords": [],
+  "author": "abearxiong <xiongxiao@xiongxiao.me> (https://www.xiongxiao.me)",
+  "license": "MIT",
+  "packageManager": "pnpm@10.26.0",
+  "type": "module",
+  "dependencies": {},
   "devDependencies": {
-    "@rollup/plugin-commonjs": "^28.0.1",
-    "@rollup/plugin-node-resolve": "^15.3.0",
-    "@rollup/plugin-typescript": "^12.1.1",
-    "@types/crypto-js": "^4.2.2",
-    "@types/jsonwebtoken": "^9.0.7",
-    "crypto-js": "^4.2.0",
-    "jsonwebtoken": "^9.0.2",
-    "rollup": "^4.27.2",
-    "rollup-plugin-dts": "^6.1.1",
-    "tslib": "^2.8.1"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/abearxiong/kevisual-router.git"
+    "@kevisual/types": "^0.0.12",
+    "@kevisual/use-config": "^1.0.28",
+    "@kevisual/query": "^0.0.38",
+    "@kevisual/router": "^0.0.60",
+    "@types/bun": "^1.3.6",
+    "@types/node": "^25.0.10",
+    "es-toolkit": "^1.44.0",
+    "jose": "^6.1.3"
   },
   "exports": {
-    ".": {
-      "import": "./dist/index.js",
-      "require": "./dist/index.js"
-    },
-    "./token": {
-      "import": "./dist/create-token.js",
-      "require": "./dist/create-token.js"
-    },
-    "./salt": {
-      "import": "./dist/create-token.js",
-      "require": "./dist/create-token.js"
-    },
-    "./proxy": {
-      "import": "./dist/proxy.js",
-      "require": "./dist/proxy.js"
-    }
+    ".": "./dist/app.js",
+    "./src/*": "./dist/src/*"
   },
   "publishConfig": {
     "access": "public"

package/readme.md

@@ -1,26 +1,53 @@
-# router query auth
+## JWT Configuration
 
-for kevisual/router
+### Convex auth.config.ts
 
-配置项
+issuer: https://convex.kevisual.cn  
+applicationID: convex-app
 
-```json5
-{
-  tokenSercet: 'xx'
-}
+issuer必须与JWT中的iss字段匹配，applicationID必须与aud字段匹配。
+
+```ts
+import { AuthConfig } from 'convex/server';
+
+export default {
+  providers: [
+    {
+      type: 'customJwt',
+      applicationID: 'convex-app',
+      issuer: 'https://convex.kevisual.cn',
+      jwks: 'https://api-convex.kevisual.cn/root/convex/jwks.json',
+      algorithm: 'RS256',
+    },
+  ],
+};
 ```
 
-## use
+### Payload 例子
+
+header必须包含kid字段以匹配jwks中的密钥ID。
 
 ```ts
-import { App } from '@kevisual/router';
-import { createAuthRoute } from '@kevisual/auth';
-
-const app = new App();
-createAuthRoute({
-  app: app,
-  addToApp: true
-});
-app.listen(3000);
-// curl http://localhost:3000/api/router?path=auth
+import * as jose from "jose";
+// 加载测试私钥
+const keys = JSON.parse(await Bun.file("./jwt/privateKey.json").text());
+const privateKey = await jose.importJWK(keys, "RS256");
+
+// 生成 RS256 JWT
+const payload = {
+  iss: "https://convex.kevisual.cn",
+  sub: "user:8fa2be73c2229e85",
+  aud: "convex-app",
+  exp: Math.floor(Date.now() / 1000) + 3600,
+  name: "Test User AA",
+  email: "test@example.com",
+};
+const token = await new jose.SignJWT(payload)
+  .setProtectedHeader({
+    "alg": "RS256",
+    "typ": "JWT",
+    "kid": "kid-key-1"
+  })
+  .setIssuedAt()
+  .sign(privateKey);
 ```

package/src/auth.ts

@@ -0,0 +1,123 @@
+import * as jose from 'jose';
+
+/***
+ * 验证 JWT
+ * @param token JWT 字符串
+ * @param publicKey 公钥，可以是 CryptoKey、PEM 字符串或 JWK/JWKS 对象
+ * @returns 解码后的有效载荷
+ * @throws 如果验证失败或令牌无效，则抛出错误
+ */
+export async function verifyJWT(token: string, publicKey: jose.CryptoKey | string | jose.JWK) {
+  try {
+    let key: any;
+    if (typeof publicKey === 'string') {
+      key = await jose.importSPKI(publicKey, 'RS256')
+    } else if (typeof publicKey === 'object' && publicKey !== null && 'keys' in publicKey) {
+      // JWKS 格式
+      key = jose.createLocalJWKSet(publicKey as jose.JSONWebKeySet);
+    } else {
+      key = publicKey;
+    }
+
+    const { payload } = await jose.jwtVerify(token, key, {
+      algorithms: ['RS256'],
+    });
+    return payload;
+  } catch (error) {
+    if (error instanceof jose.errors.JWTExpired) {
+      console.error('JWT has expired:');
+      throw new Error('Token has expired');
+    }
+    console.error('JWT verification failed:', error);
+    throw new Error('Invalid token');
+  }
+}
+export type JWTPayload<T = {}> = {
+  /**
+   * 会设置默认值: "https://convex.kevisual.cn"
+   */
+  iss?: string,
+  /**
+   * "user:8fa2be73c2229e85"
+   * "ip:192.168.1.1"
+   */
+  sub: string,
+  /**
+   * 会设置默认值："convex-app"
+   */
+  aud?: string,
+  /**
+   * 会设置默认值：当前时间 + 2 小时
+   */
+  exp?: number,
+  /**
+   * 会设置默认值：当前时间
+   */
+  iat?: number,
+  /**
+   * 其他自定义字段
+   */
+  name?: string,
+  /**
+   * email
+   */
+  email?: string
+} & T;
+
+/***
+ * 签发 JWT
+ * @param payload 有效载荷
+ * @param privateKey 私钥，可以是 CryptoKey、PEM 字符串或 JWK 对象
+ * @returns 签发的 JWT 字符串
+ */
+export async function signJWT(payload: JWTPayload, privateKey: jose.CryptoKey | string | jose.JWK): Promise<string> {
+  const expirationTime = Math.floor(Date.now() / 1000) + (2 * 60 * 60); // 2 hour from now
+  if (!payload.exp) {
+    payload.exp = expirationTime;
+  }
+  let cryptoKey: jose.CryptoKey;
+  if (typeof privateKey === 'string') {
+    cryptoKey = await jose.importPKCS8(privateKey, "RS256") as jose.CryptoKey;
+  } else if (typeof privateKey === 'object' && privateKey !== null && 'kty' in privateKey) {
+    cryptoKey = await jose.importJWK(privateKey, "RS256") as jose.CryptoKey;
+  } else {
+    cryptoKey = privateKey as jose.CryptoKey;
+  }
+  const iss = payload.iss || "https://convex.kevisual.cn";
+  if (!payload.iss) {
+    payload.iss = iss;
+  }
+  if (!payload.iat) {
+    payload.iat = Math.floor(Date.now() / 1000);
+  }
+  if (!payload.aud) {
+    payload.aud = "convex-app";
+  }
+
+  const token = await new jose.SignJWT(payload)
+    .setProtectedHeader({
+      "alg": "RS256",
+      "typ": "JWT",
+      "kid": "kid-key-1"
+    })
+    .setIssuedAt()
+    .setExpirationTime(payload.exp)
+    .setIssuer(iss)
+    .setSubject(payload.sub || "")
+    .sign(cryptoKey);
+  return token;
+}
+
+/**
+ * 单独解码 JWT，不验证签名
+ * @param token 
+ * @returns 
+ */
+export const decodeJWT = (token: string): JWTPayload => {
+  try {
+    const decoded = jose.decodeJwt(token);
+    return decoded as JWTPayload;
+  } catch (error) {
+    throw new Error('Invalid token');
+  }
+}

package/src/generate.ts

@@ -0,0 +1,39 @@
+import * as jose from 'jose';
+
+async function generateKeyPair() {
+  const { privateKey, publicKey } = await jose.generateKeyPair('RS256', {
+    modulusLength: 2048,
+    extractable: true,
+  });
+
+  return { privateKey, publicKey };
+}
+
+async function createJWKS(publicKey: CryptoKey, kid?: string) {
+  const jwk = await jose.exportJWK(publicKey);
+  // 添加 kid 字段
+  jwk.kid = kid || 'kid-key-1';
+  const jwks = {
+    keys: [jwk]
+  };
+  return jwks;
+}
+
+type GenerateOpts = {
+  kid?: string;
+}
+export const generate = async (opts: GenerateOpts = {}) => {
+  const { privateKey, publicKey } = await generateKeyPair();
+  const jwks = await createJWKS(publicKey, opts.kid);
+
+  // 将私钥和 JWKS 保存到文件
+  const privateJWK = await jose.exportJWK(privateKey);
+  const privatePEM = await jose.exportPKCS8(privateKey);
+  const publicPEM = await jose.exportSPKI(publicKey);
+  return {
+    jwks,
+    privateJWK,
+    privatePEM,
+    publicPEM
+  }
+}

package/src/index.ts

@@ -1,6 +1 @@
-import { getRandomSalt, cryptPwd, checkPwd } from './salt.ts';
-import { createToken, checkToken } from './create-token.ts';
-
-export { getRandomSalt, cryptPwd, checkPwd, createToken, checkToken };
-
-export { createAuthRoute } from './route.ts';
+export * from './auth.ts';

package/src/jwks/common.ts

@@ -0,0 +1,8 @@
+import path from 'node:path';
+const dir = path.join(process.cwd(), 'jwt');
+
+export const JWKS_PATH = path.join(dir, 'jwks.json');
+export const PRIVATE_JWK_PATH = path.join(dir, 'privateKey.json');
+
+export const PRIVATE_KEY_PATH = path.join(dir, 'privateKey.txt');
+export const PUBLIC_KEY_PATH = path.join(dir, 'publicKey.txt');

package/src/jwks/create.ts

@@ -0,0 +1,23 @@
+
+import fs from 'node:fs'
+import path from 'node:path'
+import * as common from './common.ts';
+import { generate } from '../generate.ts'
+
+async function main() {
+  const { jwks, privateJWK, privatePEM, publicPEM } = await generate();
+  const dir = path.join(process.cwd(), 'jwt');
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir);
+  }
+  fs.writeFileSync(common.PUBLIC_KEY_PATH, publicPEM);
+
+  fs.writeFileSync(common.PRIVATE_KEY_PATH, privatePEM);
+
+  fs.writeFileSync(common.PRIVATE_JWK_PATH, JSON.stringify(privateJWK, null, 2));
+  fs.writeFileSync(common.JWKS_PATH, JSON.stringify(jwks, null, 2));
+
+  console.log('Private key and JWKS have been saved to files.');
+}
+
+main().catch(console.error);

package/src/jwks/get.ts

@@ -0,0 +1,22 @@
+
+import fs from 'node:fs'
+import path from 'node:path'
+import * as common from './common.ts';
+
+export const getValues = () => {
+  if (!fs.existsSync(common.JWKS_PATH)) {
+    throw new Error('JWKS file does not exist. Please create it first.');
+  }
+  const jwksData = fs.readFileSync(common.JWKS_PATH, 'utf-8');
+  const privateJWKData = fs.readFileSync(common.PRIVATE_JWK_PATH, 'utf-8');
+  const publicKeyPEM = fs.readFileSync(common.PUBLIC_KEY_PATH, 'utf-8');
+  const privateKeyPEM = fs.readFileSync(common.PRIVATE_KEY_PATH, 'utf-8');
+
+  return {
+    jwks: JSON.parse(jwksData),
+    privateJWK: JSON.parse(privateJWKData),
+    publicKeyPEM,
+    privateKeyPEM
+  }
+}
+

package/src/router.ts

@@ -0,0 +1,2 @@
+import type { App } from '@kevisual/router';
+

package/test/create.ts

@@ -0,0 +1,38 @@
+import * as jose from 'jose';
+import { signJWT, decodeJWT, verifyJWT } from '../src/auth.ts';
+import { getValues } from '../src/jwks/get.ts';
+
+const payload = {
+  iss: "https://convex.kevisual.cn",
+  sub: "user:123456",
+  aud: "convex-app",
+  name: "John Doe",
+  email: "john.doe@example.com",
+  // exp: Math.floor(Date.now() / 1000) - (2 * 60 * 60) // 2 hours from now
+}
+
+const createToken = async () => {
+  const { privateJWK, privateKeyPEM } = getValues();
+  const token = await signJWT(payload, privateKeyPEM);
+  console.log('Generated JWT:', token);
+
+  // console.log('expited at:', new Date(payload.exp * 1000).toLocaleString());
+  return token;
+}
+const token = await createToken()
+
+const decode = decodeJWT(token)
+
+console.log('Decoded JWT:', decode);
+
+const verify = async () => {
+  const { publicKeyPEM, privateJWK, jwks } = getValues();
+  try {
+    const verifiedPayload = await verifyJWT(token, publicKeyPEM);
+    console.log('Verified JWT payload:', verifiedPayload);
+  } catch (error) {
+    console.error('Verification failed:', error);
+  }
+}
+
+await verify();

package/dist/create-token.d.ts

@@ -1,18 +0,0 @@
-import jwt from 'jsonwebtoken';
-
-/**
- *
- * @param user
- * @param secret
- *
- * @param expiresIn default 7d expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms.js).  Eg: 60, "2 days", "10h", "7d"
- * @returns
- */
-declare const createToken: (user: {
-    id: string;
-    username: string;
-    [key: string]: any;
-}, secret: string, expiresIn?: string) => Promise<string>;
-declare const checkToken: (token: string, secret: string) => Promise<jwt.Jwt>;
-
-export { checkToken, createToken };