npm - @kevisual/auth - Versions diffs - 1.0.5 → 2.0.0 - Mend

@kevisual/auth 1.0.5 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/bun.config.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import { resolvePath } from '@kevisual/use-config';
+import { execSync } from 'node:child_process';
+const entry = 'src/index.ts';
+const naming = 'app';
+const external = ['pm2'];
+await Bun.build({
+  target: 'browser',
+  format: 'esm',
+  entrypoints: [resolvePath(entry, { meta: import.meta })],
+  outdir: resolvePath('./dist', { meta: import.meta }),
+  naming: {
+    entry: `${naming}.js`,
+  },
+  external,
+});
+const cmd ='dts -i src/index.ts -o app.d.ts'
+execSync(cmd, { stdio: 'inherit' });
+console.log('Build completed.');

package/package.json CHANGED Viewed

@@ -1,62 +1,29 @@
 {
   "name": "@kevisual/auth",
-  "version": "1.0.5",
+  "version": "2.0.0",
   "description": "",
-  "main": "dist/index.js",
-  "type": "module",
-  "typings": "dist/index.d.js",
-  "private": false,
   "scripts": {
-    "build": "npm run clean &&rollup -c",
-    "clean": "rimraf dist"
+    "build": "bun run bun.config.ts"
   },
-  "files": [
-    "src",
-    "dist"
-  ],
-  "keywords": [
-    "router",
-    "auth"
-  ],
-  "author": "",
-  "license": "ISC",
+  "keywords": [],
+  "author": "abearxiong <xiongxiao@xiongxiao.me> (https://www.xiongxiao.me)",
+  "license": "MIT",
+  "packageManager": "pnpm@10.26.0",
+  "type": "module",
+  "dependencies": {},
   "devDependencies": {
-    "@rollup/plugin-commonjs": "^28.0.1",
-    "@rollup/plugin-node-resolve": "^15.3.0",
-    "@rollup/plugin-typescript": "^12.1.1",
-    "@types/crypto-js": "^4.2.2",
-    "@types/jsonwebtoken": "^9.0.7",
-    "crypto-js": "^4.2.0",
-    "jsonwebtoken": "^9.0.2",
-    "rollup": "^4.28.1",
-    "rollup-plugin-dts": "^6.1.1",
-    "tslib": "^2.8.1"
-  },
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/abearxiong/kevisual-router.git"
+    "@kevisual/types": "^0.0.12",
+    "@kevisual/use-config": "^1.0.28",
+    "@kevisual/query": "^0.0.38",
+    "@kevisual/router": "^0.0.60",
+    "@types/bun": "^1.3.6",
+    "@types/node": "^25.0.10",
+    "es-toolkit": "^1.44.0",
+    "jose": "^6.1.3"
   },
   "exports": {
-    ".": {
-      "import": "./dist/index.mjs",
-      "require": "./dist/index.mjs"
-    },
-    "./token": {
-      "import": "./dist/create-token.mjs",
-      "require": "./dist/create-token.mjs"
-    },
-    "./salt": {
-      "import": "./dist/create-token.mjs",
-      "require": "./dist/create-token.mjs"
-    },
-    "./proxy": {
-      "import": "./dist/proxy.mjs",
-      "require": "./dist/proxy.mjs"
-    },
-    "./is-me": {
-      "import": "./dist/is-me.mjs",
-      "require": "./dist/is-me.mjs"
-    }
+    ".": "./dist/app.js",
+    "./src/*": "./dist/src/*"
   },
   "publishConfig": {
     "access": "public"

package/readme.md CHANGED Viewed

@@ -1,26 +1,53 @@
-# router query auth
+## JWT Configuration
-for kevisual/router
+### Convex auth.config.ts
-配置项
+issuer: https://convex.kevisual.cn
+applicationID: convex-app
-```json5
-{
-  tokenSercet: 'xx'
-}
+issuer必须与JWT中的iss字段匹配，applicationID必须与aud字段匹配。
+```ts
+import { AuthConfig } from 'convex/server';
+export default {
+  providers: [
+    {
+      type: 'customJwt',
+      applicationID: 'convex-app',
+      issuer: 'https://convex.kevisual.cn',
+      jwks: 'https://api-convex.kevisual.cn/root/convex/jwks.json',
+      algorithm: 'RS256',
+    },
+  ],
+};
 ```
-## use
+### Payload 例子
+header必须包含kid字段以匹配jwks中的密钥ID。
 ```ts
-import { App } from '@kevisual/router';
-import { createAuthRoute } from '@kevisual/auth';
-const app = new App();
-createAuthRoute({
-  app: app,
-  addToApp: true
-});
-app.listen(3000);
-// curl http://localhost:3000/api/router?path=auth
+import * as jose from "jose";
+// 加载测试私钥
+const keys = JSON.parse(await Bun.file("./jwt/privateKey.json").text());
+const privateKey = await jose.importJWK(keys, "RS256");
+// 生成 RS256 JWT
+const payload = {
+  iss: "https://convex.kevisual.cn",
+  sub: "user:8fa2be73c2229e85",
+  aud: "convex-app",
+  exp: Math.floor(Date.now() / 1000) + 3600,
+  name: "Test User AA",
+  email: "test@example.com",
+};
+const token = await new jose.SignJWT(payload)
+  .setProtectedHeader({
+    "alg": "RS256",
+    "typ": "JWT",
+    "kid": "kid-key-1"
+  })
+  .setIssuedAt()
+  .sign(privateKey);
 ```

package/src/auth.ts ADDED Viewed

@@ -0,0 +1,123 @@
+import * as jose from 'jose';
+/***
+ * 验证 JWT
+ * @param token JWT 字符串
+ * @param publicKey 公钥，可以是 CryptoKey、PEM 字符串或 JWK/JWKS 对象
+ * @returns 解码后的有效载荷
+ * @throws 如果验证失败或令牌无效，则抛出错误
+ */
+export async function verifyJWT(token: string, publicKey: jose.CryptoKey | string | jose.JWK) {
+  try {
+    let key: any;
+    if (typeof publicKey === 'string') {
+      key = await jose.importSPKI(publicKey, 'RS256')
+    } else if (typeof publicKey === 'object' && publicKey !== null && 'keys' in publicKey) {
+      // JWKS 格式
+      key = jose.createLocalJWKSet(publicKey as jose.JSONWebKeySet);
+    } else {
+      key = publicKey;
+    }
+    const { payload } = await jose.jwtVerify(token, key, {
+      algorithms: ['RS256'],
+    });
+    return payload;
+  } catch (error) {
+    if (error instanceof jose.errors.JWTExpired) {
+      console.error('JWT has expired:');
+      throw new Error('Token has expired');
+    }
+    console.error('JWT verification failed:', error);
+    throw new Error('Invalid token');
+  }
+}
+export type JWTPayload<T = {}> = {
+  /**
+   * 会设置默认值: "https://convex.kevisual.cn"
+   */
+  iss?: string,
+  /**
+   * "user:8fa2be73c2229e85"
+   * "ip:192.168.1.1"
+   */
+  sub: string,
+  /**
+   * 会设置默认值："convex-app"
+   */
+  aud?: string,
+  /**
+   * 会设置默认值：当前时间 + 2 小时
+   */
+  exp?: number,
+  /**
+   * 会设置默认值：当前时间
+   */
+  iat?: number,
+  /**
+   * 其他自定义字段
+   */
+  name?: string,
+  /**
+   * email
+   */
+  email?: string
+} & T;
+/***
+ * 签发 JWT
+ * @param payload 有效载荷
+ * @param privateKey 私钥，可以是 CryptoKey、PEM 字符串或 JWK 对象
+ * @returns 签发的 JWT 字符串
+ */
+export async function signJWT(payload: JWTPayload, privateKey: jose.CryptoKey | string | jose.JWK): Promise<string> {
+  const expirationTime = Math.floor(Date.now() / 1000) + (2 * 60 * 60); // 2 hour from now
+  if (!payload.exp) {
+    payload.exp = expirationTime;
+  }
+  let cryptoKey: jose.CryptoKey;
+  if (typeof privateKey === 'string') {
+    cryptoKey = await jose.importPKCS8(privateKey, "RS256") as jose.CryptoKey;
+  } else if (typeof privateKey === 'object' && privateKey !== null && 'kty' in privateKey) {
+    cryptoKey = await jose.importJWK(privateKey, "RS256") as jose.CryptoKey;
+  } else {
+    cryptoKey = privateKey as jose.CryptoKey;
+  }
+  const iss = payload.iss || "https://convex.kevisual.cn";
+  if (!payload.iss) {
+    payload.iss = iss;
+  }
+  if (!payload.iat) {
+    payload.iat = Math.floor(Date.now() / 1000);
+  }
+  if (!payload.aud) {
+    payload.aud = "convex-app";
+  }
+  const token = await new jose.SignJWT(payload)
+    .setProtectedHeader({
+      "alg": "RS256",
+      "typ": "JWT",
+      "kid": "kid-key-1"
+    })
+    .setIssuedAt()
+    .setExpirationTime(payload.exp)
+    .setIssuer(iss)
+    .setSubject(payload.sub || "")
+    .sign(cryptoKey);
+  return token;
+}
+/**
+ * 单独解码 JWT，不验证签名
+ * @param token
+ * @returns
+ */
+export const decodeJWT = (token: string): JWTPayload => {
+  try {
+    const decoded = jose.decodeJwt(token);
+    return decoded as JWTPayload;
+  } catch (error) {
+    throw new Error('Invalid token');
+  }
+}

package/src/generate.ts ADDED Viewed

@@ -0,0 +1,39 @@
+import * as jose from 'jose';
+async function generateKeyPair() {
+  const { privateKey, publicKey } = await jose.generateKeyPair('RS256', {
+    modulusLength: 2048,
+    extractable: true,
+  });
+  return { privateKey, publicKey };
+}
+async function createJWKS(publicKey: CryptoKey, kid?: string) {
+  const jwk = await jose.exportJWK(publicKey);
+  // 添加 kid 字段
+  jwk.kid = kid || 'kid-key-1';
+  const jwks = {
+    keys: [jwk]
+  };
+  return jwks;
+}
+type GenerateOpts = {
+  kid?: string;
+}
+export const generate = async (opts: GenerateOpts = {}) => {
+  const { privateKey, publicKey } = await generateKeyPair();
+  const jwks = await createJWKS(publicKey, opts.kid);
+  // 将私钥和 JWKS 保存到文件
+  const privateJWK = await jose.exportJWK(privateKey);
+  const privatePEM = await jose.exportPKCS8(privateKey);
+  const publicPEM = await jose.exportSPKI(publicKey);
+  return {
+    jwks,
+    privateJWK,
+    privatePEM,
+    publicPEM
+  }
+}

package/src/index.ts CHANGED Viewed

@@ -1,6 +1 @@
-import { getRandomSalt, cryptPwd, checkPwd } from './salt.ts';
-import { createToken, checkToken } from './create-token.ts';
-export { getRandomSalt, cryptPwd, checkPwd, createToken, checkToken };
-export { createAuthRoute } from './route.ts';
+export * from './auth.ts';

package/src/jwks/common.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import path from 'node:path';
+const dir = path.join(process.cwd(), 'jwt');
+export const JWKS_PATH = path.join(dir, 'jwks.json');
+export const PRIVATE_JWK_PATH = path.join(dir, 'privateKey.json');
+export const PRIVATE_KEY_PATH = path.join(dir, 'privateKey.txt');
+export const PUBLIC_KEY_PATH = path.join(dir, 'publicKey.txt');

package/src/jwks/create.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import fs from 'node:fs'
+import path from 'node:path'
+import * as common from './common.ts';
+import { generate } from '../generate.ts'
+async function main() {
+  const { jwks, privateJWK, privatePEM, publicPEM } = await generate();
+  const dir = path.join(process.cwd(), 'jwt');
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir);
+  }
+  fs.writeFileSync(common.PUBLIC_KEY_PATH, publicPEM);
+  fs.writeFileSync(common.PRIVATE_KEY_PATH, privatePEM);
+  fs.writeFileSync(common.PRIVATE_JWK_PATH, JSON.stringify(privateJWK, null, 2));
+  fs.writeFileSync(common.JWKS_PATH, JSON.stringify(jwks, null, 2));
+  console.log('Private key and JWKS have been saved to files.');
+}
+main().catch(console.error);

package/src/jwks/get.ts ADDED Viewed

@@ -0,0 +1,22 @@
+import fs from 'node:fs'
+import path from 'node:path'
+import * as common from './common.ts';
+export const getValues = () => {
+  if (!fs.existsSync(common.JWKS_PATH)) {
+    throw new Error('JWKS file does not exist. Please create it first.');
+  }
+  const jwksData = fs.readFileSync(common.JWKS_PATH, 'utf-8');
+  const privateJWKData = fs.readFileSync(common.PRIVATE_JWK_PATH, 'utf-8');
+  const publicKeyPEM = fs.readFileSync(common.PUBLIC_KEY_PATH, 'utf-8');
+  const privateKeyPEM = fs.readFileSync(common.PRIVATE_KEY_PATH, 'utf-8');
+  return {
+    jwks: JSON.parse(jwksData),
+    privateJWK: JSON.parse(privateJWKData),
+    publicKeyPEM,
+    privateKeyPEM
+  }
+}

package/src/router.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import type { App } from '@kevisual/router';
2	+

package/test/create.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import * as jose from 'jose';
+import { signJWT, decodeJWT, verifyJWT } from '../src/auth.ts';
+import { getValues } from '../src/jwks/get.ts';
+const payload = {
+  iss: "https://convex.kevisual.cn",
+  sub: "user:123456",
+  aud: "convex-app",
+  name: "John Doe",
+  email: "john.doe@example.com",
+  // exp: Math.floor(Date.now() / 1000) - (2 * 60 * 60) // 2 hours from now
+}
+const createToken = async () => {
+  const { privateJWK, privateKeyPEM } = getValues();
+  const token = await signJWT(payload, privateKeyPEM);
+  console.log('Generated JWT:', token);
+  // console.log('expited at:', new Date(payload.exp * 1000).toLocaleString());
+  return token;
+}
+const token = await createToken()
+const decode = decodeJWT(token)
+console.log('Decoded JWT:', decode);
+const verify = async () => {
+  const { publicKeyPEM, privateJWK, jwks } = getValues();
+  try {
+    const verifiedPayload = await verifyJWT(token, publicKeyPEM);
+    console.log('Verified JWT payload:', verifiedPayload);
+  } catch (error) {
+    console.error('Verification failed:', error);
+  }
+}
+await verify();

package/dist/create-token.d.ts DELETED Viewed

@@ -1,31 +0,0 @@
-import jwt from 'jsonwebtoken';
-/**
- *
- * @param user
- * @param secret
- *
- * @param expiresIn default 7d expressed in seconds or a string describing a time span [zeit/ms](https://github.com/zeit/ms.js).  Eg: 60, "2 days", "10h", "7d"
- * @returns
- */
-declare const createToken: (user: {
-    id: string;
-    username: string;
-    [key: string]: any;
-}, secret: string, expiresIn?: string) => Promise<string>;
-/**
- * check token
- * @param token
- * @param secret
- * @returns
- */
-declare const checkToken: (token: string, secret: string) => Promise<jwt.Jwt>;
-/**
- * check auth and return token user
- * @param token
- * @param secret
- * @returns
- */
-declare const checkTokenUser: (token: string, secret: string) => Promise<string | jwt.JwtPayload>;
-export { checkToken, checkTokenUser, createToken };