@keycardai/oauth 0.8.5 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
-
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;
1
+
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CAqGhD"}
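--- a/package/dist/cjs/jwt/verifier.js
+++ b/package/dist/cjs/jwt/verifier.js
@@ -82,16 +82,26 @@ class JWTVerifier {
 if (!__classPrivateFieldGet(this, _JWTVerifier_issuers, "f").has(jsonPayload.iss)) {
 throw new errors_js_1.InvalidTokenError("Untrusted issuer");
 }
-// Required claims per RFC 9068 § 2.2
+// Required claims per RFC 9068 § 2.2: iss (above), sub, aud, exp, iat,
+// client_id. Reject NaN / Infinity on the numeric claims explicitly —
 // `typeof NaN === "number"` passes the type check but would make every
 // comparison below false (and with `exp: NaN` that means effectively no
 // expiration).
 if (!Number.isFinite(jsonPayload.exp)) {
 throw new errors_js_1.InvalidTokenError("JWT missing expiration (exp) claim");
 }
+if (!Number.isFinite(jsonPayload.iat)) {
+throw new errors_js_1.InvalidTokenError("JWT missing issued-at (iat) claim");
+}
+if (!jsonPayload.sub) {
+throw new errors_js_1.InvalidTokenError("JWT missing subject (sub) claim");
+}
 if (!jsonPayload.client_id) {
 throw new errors_js_1.InvalidTokenError("JWT missing client_id claim");
 }
+if (jsonPayload.aud === undefined) {
+throw new errors_js_1.InvalidTokenError("JWT missing audience (aud) claim");
+}
 // Time-based claims.
 const now = Math.floor(Date.now() / 1000);
 if (now > jsonPayload.exp) {
@@ -105,13 +115,12 @@ class JWTVerifier {
 throw new errors_js_1.InvalidTokenError("Token not yet valid");
 }
 }
-// Audience
-//
+// Audience match against the configured allowlist. Presence of `aud` is
+// already required above; an audience-scoped verifier additionally requires
+// it to contain one of the configured audiences (RFC 8707 resource
+// indicators).
 if (__classPrivateFieldGet(this, _JWTVerifier_audiences, "f")) {
 const aud = jsonPayload.aud;
-if (aud === undefined) {
-throw new errors_js_1.InvalidTokenError("JWT missing audience (aud) claim");
-}
 const audValues = Array.isArray(aud) ? aud : [aud];
 const matched = audValues.some((a) => __classPrivateFieldGet(this, _JWTVerifier_audiences, "f").has(a));
 if (!matched) {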
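Review bot: The new `sub` check in the first hunk (`if (!jsonPayload.sub)`) and the neighbouring `client_id` check test truthiness only, so a payload carrying either claim as a number, object or array passes, while `exp`/`iat` get a real type check via `Number.isFinite` a few lines earlier. RFC 7519 defines `sub` as StringOrURI, so the check should be `if (typeof jsonPayload.sub !== "string" || jsonPayload.sub === "")`, and likewise for `client_id`. The added `if (jsonPayload.aud === undefined)` guard also lets `null` and an empty array through when no audiences are configured (the scoped branch in the second hunk rejects both via `.some`), which `if (jsonPayload.aud == null || (Array.isArray(jsonPayload.aud) && jsonPayload.aud.length === 0))` would close. The same applies to the esm build in package/dist/esm/jwt/verifier.js, whose hunks are identical apart from the `errors_js_1.` prefix. The enclosing verify method begins and ends outside both hunks.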
@@ -1 +1 @@
1
-
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,4CAAiD;AACjD,mEAAwC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAa,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAA
C,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,6BAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,6BAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,
1
+
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AACA,4CAAiD;AACjD,mEAAwC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAa,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAA
C,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,6BAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,6BAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,wEAAwE;QACxE,eAAe;QACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,mCAAmC,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,6BAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,6BAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,6BAAiB,CAAC,kCAAkC,CAAC,CAAC;QAClE,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;YACtC,MAAM,IAAI,6BAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,6BAAiB,CAAC,wCAAwC,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;gBACtC,MAAM,IAAI,6BAAiB,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,4EAA4E;QAC5E,mEAAmE;QACnE,eAAe;QACf,IAAI,uBAAA,IAAI,8BAAW,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAI,CAAC;YAC7B,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAA,IAAI,8BAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM,
IAAI,6BAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,sBAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,6BAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;AA1ID,kCA0IC;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}
@@ -1 +1 @@
1
-
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;
1
+
{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG7C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7C,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,OAAO,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEpC;;;;OAIG;IACH,SAAS,CAAC,EAAE,MAAM,GAAG,SAAS,MAAM,EAAE,CAAC;IAEvC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAChC;AAUD,qBAAa,WAAW;;gBAMV,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,kBAAkB;IA+BxD,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;CAqGhD"}
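--- a/package/dist/esm/jwt/verifier.js
+++ b/package/dist/esm/jwt/verifier.js
@@ -76,16 +76,26 @@ export class JWTVerifier {
 if (!__classPrivateFieldGet(this, _JWTVerifier_issuers, "f").has(jsonPayload.iss)) {
 throw new InvalidTokenError("Untrusted issuer");
 }
-// Required claims per RFC 9068 § 2.2
+// Required claims per RFC 9068 § 2.2: iss (above), sub, aud, exp, iat,
+// client_id. Reject NaN / Infinity on the numeric claims explicitly —
 // `typeof NaN === "number"` passes the type check but would make every
 // comparison below false (and with `exp: NaN` that means effectively no
 // expiration).
 if (!Number.isFinite(jsonPayload.exp)) {
 throw new InvalidTokenError("JWT missing expiration (exp) claim");
 }
+if (!Number.isFinite(jsonPayload.iat)) {
+throw new InvalidTokenError("JWT missing issued-at (iat) claim");
+}
+if (!jsonPayload.sub) {
+throw new InvalidTokenError("JWT missing subject (sub) claim");
+}
 if (!jsonPayload.client_id) {
 throw new InvalidTokenError("JWT missing client_id claim");
 }
+if (jsonPayload.aud === undefined) {
+throw new InvalidTokenError("JWT missing audience (aud) claim");
+}
 // Time-based claims.
 const now = Math.floor(Date.now() / 1000);
 if (now > jsonPayload.exp) {
@@ -99,13 +109,12 @@ export class JWTVerifier {
 throw new InvalidTokenError("Token not yet valid");
 }
 }
-// Audience
-//
+// Audience match against the configured allowlist. Presence of `aud` is
+// already required above; an audience-scoped verifier additionally requires
+// it to contain one of the configured audiences (RFC 8707 resource
+// indicators).
 if (__classPrivateFieldGet(this, _JWTVerifier_audiences, "f")) {
 const aud = jsonPayload.aud;
-if (aud === undefined) {
-throw new InvalidTokenError("JWT missing audience (aud) claim");
-}
 const audValues = Array.isArray(aud) ? aud : [aud];
 const matched = audValues.some((a) => __classPrivateFieldGet(this, _JWTVerifier_audiences, "f").has(a));
 if (!matched) {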
@@ -1 +1 @@
1
-
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAM,OAAO,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU
,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAAC,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,
1
+
{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../../../src/jwt/verifier.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,SAAS,MAAM,iBAAiB,CAAC;AA2BxC,uEAAuE;AACvE,6EAA6E;AAC7E,2EAA2E;AAC3E,0EAA0E;AAC1E,+BAA+B;AAC/B,MAAM,oBAAoB,GAAG,CAAC,OAAO,CAAU,CAAC;AAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAS,oBAAoB,CAAC,CAAC;AAEtE,MAAM,OAAO,WAAW;IAMtB,YAAY,OAAqB,EAAE,OAA2B;QAL9D,uCAAuB;QACvB,uCAA8B;QAC9B,yCAAiC;QACjC,0CAAiC;QAG/B,MAAM,UAAU,GACd,OAAO,OAAO,EAAE,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;QACpF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ;YACnC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC;YACrB,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;QAE9B,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,oBAAoB,CAAC;QACjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,KAAK,CACb,8DAA8D,GAAG,KAAK;oBACpE,cAAc,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACnD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uBAAA,IAAI,wBAAY,OAAO,MAAA,CAAC;QACxB,uBAAA,IAAI,wBAAY,IAAI,GAAG,CAAC,UAAU,CAAC,MAAA,CAAC;QACpC,yEAAyE;QACzE,wEAAwE;QACxE,+CAA+C;QAC/C,uBAAA,IAAI,0BAAc,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,MAAA,CAAC;QAC9E,uBAAA,IAAI,2BAAe,IAAI,GAAG,CAAC,aAAa,CAAC,MAAA,CAAC;IAC5C,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,KAAa;QACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAE3C,IAAI,UAA0C,CAAC;QAC/C,IAAI,WAAsB,CAAC;QAC3B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACvC,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QAED,wEAAwE;QACxE,yBAAyB;QACzB,IAAI,CAAC,UAAU
,CAAC,GAAG,IAAI,UAAU,CAAC,GAAG,KAAK,MAAM,IAAI,CAAC,uBAAA,IAAI,+BAAY,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,MAAM,IAAI,iBAAiB,CAAC,8BAA8B,UAAU,CAAC,GAAG,IAAI,MAAM,EAAE,CAAC,CAAC;QACxF,CAAC;QAED,0EAA0E;QAC1E,uEAAuE;QACvE,iBAAiB;QACjB,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,gCAAgC,CAAC,CAAC;QAChE,CAAC;QACD,IAAI,CAAC,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,CAAC,CAAC;QAClD,CAAC;QAED,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,wEAAwE;QACxE,eAAe;QACf,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,oCAAoC,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,mCAAmC,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACrB,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC3B,MAAM,IAAI,iBAAiB,CAAC,6BAA6B,CAAC,CAAC;QAC7D,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,iBAAiB,CAAC,kCAAkC,CAAC,CAAC;QAClE,CAAC;QAED,qBAAqB;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;YACtC,MAAM,IAAI,iBAAiB,CAAC,eAAe,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,WAAW,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,wCAAwC,CAAC,CAAC;YACxE,CAAC;YACD,IAAI,GAAG,GAAI,WAAW,CAAC,GAAc,EAAE,CAAC;gBACtC,MAAM,IAAI,iBAAiB,CAAC,qBAAqB,CAAC,CAAC;YACrD,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,4EAA4E;QAC5E,mEAAmE;QACnE,eAAe;QACf,IAAI,uBAAA,IAAI,8BAAW,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,WAAW,CAAC,GAAI,CAAC;YAC7B,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;YACnD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,uBAAA,IAAI,8BAAY,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;QAED,8DAA8D;QAC
9D,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;YACpB,MAAM,IAAI,iBAAiB,CAAC,iCAAiC,CAAC,CAAC;QACjE,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,uBAAA,IAAI,4BAAS,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC;QAErE,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACzC;YACE,IAAI,EAAE,mBAAmB;YACzB,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC1B,EACD,GAAG,EACH,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,EAC3B,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC,CACjD,CAAC;QACF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAiB,CAAC,mBAAmB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF;;AAED,SAAS,KAAK,CAAC,IAAY;IACzB,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAC1D,CAAC"}
package/package.json
CHANGED
@@ -1,6 +1,6 @@
1
1
{
2
2
"name": "@keycardai/oauth",
3
-
"version": "0.
3
+
"version": "0.9.0",
4
4
"description": "[Preview] OAuth 2.0 primitives for Keycard: JWKS keyring, JWT signing/verification, server-tier token verifier, AccessContext, ClientSecret credentials, and impersonation via RFC 8693 token exchange",
5
5
"license": "MIT",
6
6
"repository": {