@lindorm/aegis 0.4.4 → 0.5.0

package/dist/internal/utils/token-header.js

@@ -3,7 +3,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.parseTokenHeader = exports.mapTokenHeader = void 0;
 const is_1 = require("@lindorm/is");
 const utils_1 = require("@lindorm/utils");
-const mapTokenHeader = (options) => {
+const compute_typ_header_1 = require("./compute-typ-header");
+const mapTokenHeader = (options, cert = {}) => {
     const crit = options.critical
         ?.map((key) => {
         switch (key) {
@@ -33,14 +34,6 @@ const mapTokenHeader = (options) => {
                 return "epk";
             case "publicEncryptionTag":
                 return "tag";
-            case "x5c":
-                return "x5c";
-            case "x5t":
-                return "x5t";
-            case "x5u":
-                return "x5u";
-            case "x5tS256":
-                return "x5t#S256";
             default:
                 return key;
         }
@@ -61,10 +54,8 @@ const mapTokenHeader = (options) => {
         p2s: options.pbkdfSalt,
         tag: options.publicEncryptionTag,
         typ: options.headerType,
-        x5c: (0, is_1.isString)(options.x5c) ? options.x5c : undefined,
-        x5t: (0, is_1.isString)(options.x5t) ? options.x5t : undefined,
-        x5u: (0, is_1.isString)(options.x5u) ? options.x5u : undefined,
-        "x5t#S256": (0, is_1.isString)(options.x5tS256) ? options.x5tS256 : undefined,
+        x5c: Array.isArray(cert.x5c) ? cert.x5c : undefined,
+        "x5t#S256": (0, is_1.isString)(cert.x5tS256) ? cert.x5tS256 : undefined,
     });
 };
 exports.mapTokenHeader = mapTokenHeader;
@@ -102,8 +93,6 @@ const parseTokenHeader = (decoded) => {
                 return "x5c";
             case "x5t":
                 return "x5t";
-            case "x5u":
-                return "x5u";
             case "x5t#S256":
                 return "x5tS256";
             default:
@@ -113,6 +102,7 @@ const parseTokenHeader = (decoded) => {
         .sort() ?? [];
     return (0, utils_1.removeUndefined)({
         algorithm: decoded.alg,
+        baseFormat: (0, compute_typ_header_1.getBaseFormat)(decoded.typ),
         contentType: decoded.cty,
         critical,
         encryption: decoded.enc,
@@ -128,7 +118,6 @@ const parseTokenHeader = (decoded) => {
         publicEncryptionTag: decoded.tag,
         x5c: decoded.x5c,
         x5t: decoded.x5t,
-        x5u: decoded.x5u,
         x5tS256: decoded["x5t#S256"],
     });
 };

package/dist/internal/utils/token-header.js.map

@@ -1 +1 @@
-{"version":3,"file":"token-header.js","sourceRoot":"","sources":["../../../src/internal/utils/token-header.ts"],"names":[],"mappings":";;;AAAA,oCAAsE;AACtE,0CAAiD;AAQ1C,MAAM,cAAc,GAAG,CAAC,OAA2B,EAAwB,EAAE;IAClF,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ;QAC3B,EAAE,GAAG,CAAC,CAAC,GAAG,EAAU,EAAE;QACpB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,WAAW;gBACd,OAAO,KAAK,CAAC;YACf,KAAK,aAAa;gBAChB,OAAO,KAAK,CAAC;YACf,KAAK,YAAY;gBACf,OAAO,KAAK,CAAC;YACf,KAAK,YAAY;gBACf,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,SAAS;gBACZ,OAAO,KAAK,CAAC;YACf,KAAK,OAAO;gBACV,OAAO,KAAK,CAAC;YACf,KAAK,UAAU;gBACb,OAAO,KAAK,CAAC;YACf,KAAK,iBAAiB;gBACpB,OAAO,KAAK,CAAC;YACf,KAAK,WAAW;gBACd,OAAO,KAAK,CAAC;YACf,KAAK,sBAAsB;gBACzB,OAAO,IAAI,CAAC;YACd,KAAK,qBAAqB;gBACxB,OAAO,KAAK,CAAC;YACf,KAAK,qBAAqB;gBACxB,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,SAAS;gBACZ,OAAO,UAAU,CAAC;YACpB;gBACE,OAAO,GAAG,CAAC;QACf,CAAC;IACH,CAAC,CAAC;SACD,IAAI,EAAE,CAAC;IAEV,OAAO,IAAA,uBAAe,EAAC;QACrB,GAAG,EAAE,OAAO,CAAC,SAAS;QACtB,IAAI;QACJ,GAAG,EAAE,OAAO,CAAC,WAAW;QACxB,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;QAClE,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAS;QACpF,EAAE,EAAE,OAAO,CAAC,oBAAoB;QAChC,GAAG,EAAE,IAAA,cAAS,EAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QAC7D,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QACpD,GAAG,EAAE,OAAO,CAAC,KAAK;QAClB,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QAC9D,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS;QAC5E,GAAG,EAAE,OAAO,CAAC,SAAS;QACtB,GAAG,EAAE,OAAO,CAAC,mBAAmB;QAChC,GAAG,EAAE,OAAO,CAAC,UAAU;QACvB,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QACpD,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QACpD,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QACpD,UAAU,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;KACpE,CAAC,CAAC;AACL,CAAC,CAAC;AAhEW,QAAA,cAAc,kBAgEzB;AAEK,MAAM,gBAAgB,GAAG,CAC9B,OAA2B,EACxB,EAAE;IACL,MAAM,QAAQ,GACX,OAAO,CAAC,IAAI;QACX,EAAE,GAAG,CAAC,CAAC,GAAG,EAAU,EAAE;QACpB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,KAAK;gBACR,OAAO,WAAW,CAAC;YACrB,KAAK,KAAK;gBACR,OAAO,aAAa,CAAC;YACvB,KAAK,KAAK;gBACR,OAAO,YAAY,CAAC;YACtB,KAAK,KAAK;gBACR,OAAO,qBAAqB,CAAC;YAC/B,KAAK,IAAI;gBACP,OAAO,sBAAsB,CAAC;YAChC,KAAK,KAAK;gBACR,OAAO,SAAS,CAAC;YACnB,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,OAAO,CAAC;YACjB,KAAK,KAAK;gBACR,OAAO,UAAU,CAAC;YACpB,KAAK,KAAK;gBACR,OAAO,iBAAiB,CAAC;YAC3B,KAAK,KAAK;gBACR,OAAO,WAAW,CAAC;YACrB,KAAK,KAAK;gBACR,OAAO,qBAAqB,CAAC;YAC/B,KAAK,KAAK;gBACR,OAAO,YAAY,CAAC;YACtB,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,UAAU;gBACb,OAAO,SAAS,CAAC;YACnB;gBACE,OAAO,GAAG,CAAC;QACf,CAAC;IACH,CAAC,CAAC;SACD,IAAI,EAAoC,IAAI,EAAE,CAAC;IAEpD,OAAO,IAAA,uBAAe,EAAC;QACrB,SAAS,EAAE,OAAO,CAAC,GAAG;QACtB,WAAW,EAAE,OAAO,CAAC,GAAG;QACxB,QAAQ;QACR,UAAU,EAAE,OAAO,CAAC,GAAG;QACvB,UAAU,EAAE,OAAO,CAAC,GAAG;QACvB,oBAAoB,EAAE,OAAO,CAAC,EAAE;QAChC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE,OAAO,CAAC,GAAG;QACpB,KAAK,EAAE,OAAO,CAAC,GAAG;QAClB,QAAQ,EAAE,OAAO,CAAC,GAAG;QACrB,eAAe,EAAE,OAAO,CAAC,GAAG;QAC5B,SAAS,EAAE,OAAO,CAAC,GAAG;QACtB,mBAAmB,EAAE,OAAO,CAAC,GAAG;QAChC,mBAAmB,EAAE,OAAO,CAAC,GAAG;QAChC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC;KAC7B,CAAM,CAAC;AACV,CAAC,CAAC;AAnEW,QAAA,gBAAgB,oBAmE3B"}
+{"version":3,"file":"token-header.js","sourceRoot":"","sources":["../../../src/internal/utils/token-header.ts"],"names":[],"mappings":";;;AAAA,oCAAsE;AACtE,0CAAiD;AAQjD,6DAAqD;AAE9C,MAAM,cAAc,GAAG,CAC5B,OAA2B,EAC3B,OAAgC,EAAE,EACZ,EAAE;IACxB,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ;QAC3B,EAAE,GAAG,CAAC,CAAC,GAAG,EAAU,EAAE;QACpB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,WAAW;gBACd,OAAO,KAAK,CAAC;YACf,KAAK,aAAa;gBAChB,OAAO,KAAK,CAAC;YACf,KAAK,YAAY;gBACf,OAAO,KAAK,CAAC;YACf,KAAK,YAAY;gBACf,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,SAAS;gBACZ,OAAO,KAAK,CAAC;YACf,KAAK,OAAO;gBACV,OAAO,KAAK,CAAC;YACf,KAAK,UAAU;gBACb,OAAO,KAAK,CAAC;YACf,KAAK,iBAAiB;gBACpB,OAAO,KAAK,CAAC;YACf,KAAK,WAAW;gBACd,OAAO,KAAK,CAAC;YACf,KAAK,sBAAsB;gBACzB,OAAO,IAAI,CAAC;YACd,KAAK,qBAAqB;gBACxB,OAAO,KAAK,CAAC;YACf,KAAK,qBAAqB;gBACxB,OAAO,KAAK,CAAC;YACf;gBACE,OAAO,GAAG,CAAC;QACf,CAAC;IACH,CAAC,CAAC;SACD,IAAI,EAAE,CAAC;IAEV,OAAO,IAAA,uBAAe,EAAC;QACrB,GAAG,EAAE,OAAO,CAAC,SAAS;QACtB,IAAI;QACJ,GAAG,EAAE,OAAO,CAAC,WAAW;QACxB,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;QAClE,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAS;QACpF,EAAE,EAAE,OAAO,CAAC,oBAAoB;QAChC,GAAG,EAAE,IAAA,cAAS,EAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;QAC7D,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QACpD,GAAG,EAAE,OAAO,CAAC,KAAK;QAClB,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;QAC9D,GAAG,EAAE,IAAA,aAAQ,EAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS;QAC5E,GAAG,EAAE,OAAO,CAAC,SAAS;QACtB,GAAG,EAAE,OAAO,CAAC,mBAAmB;QAChC,GAAG,EAAE,OAAO,CAAC,UAAU;QACvB,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS;QACnD,UAAU,EAAE,IAAA,aAAQ,EAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS;KAC9D,CAAC,CAAC;AACL,CAAC,CAAC;AAzDW,QAAA,cAAc,kBAyDzB;AAEK,MAAM,gBAAgB,GAAG,CAC9B,OAA2B,EACxB,EAAE;IACL,MAAM,QAAQ,GACX,OAAO,CAAC,IAAI;QACX,EAAE,GAAG,CAAC,CAAC,GAAG,EAAU,EAAE;QACpB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,KAAK;gBACR,OAAO,WAAW,CAAC;YACrB,KAAK,KAAK;gBACR,OAAO,aAAa,CAAC;YACvB,KAAK,KAAK;gBACR,OAAO,YAAY,CAAC;YACtB,KAAK,KAAK;gBACR,OAAO,qBAAqB,CAAC;YAC/B,KAAK,IAAI;gBACP,OAAO,sBAAsB,CAAC;YAChC,KAAK,KAAK;gBACR,OAAO,SAAS,CAAC;YACnB,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,OAAO,CAAC;YACjB,KAAK,KAAK;gBACR,OAAO,UAAU,CAAC;YACpB,KAAK,KAAK;gBACR,OAAO,iBAAiB,CAAC;YAC3B,KAAK,KAAK;gBACR,OAAO,WAAW,CAAC;YACrB,KAAK,KAAK;gBACR,OAAO,qBAAqB,CAAC;YAC/B,KAAK,KAAK;gBACR,OAAO,YAAY,CAAC;YACtB,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,KAAK;gBACR,OAAO,KAAK,CAAC;YACf,KAAK,UAAU;gBACb,OAAO,SAAS,CAAC;YACnB;gBACE,OAAO,GAAG,CAAC;QACf,CAAC;IACH,CAAC,CAAC;SACD,IAAI,EAAoC,IAAI,EAAE,CAAC;IAEpD,OAAO,IAAA,uBAAe,EAAC;QACrB,SAAS,EAAE,OAAO,CAAC,GAAG;QACtB,UAAU,EAAE,IAAA,kCAAa,EAAC,OAAO,CAAC,GAAG,CAAC;QACtC,WAAW,EAAE,OAAO,CAAC,GAAG;QACxB,QAAQ;QACR,UAAU,EAAE,OAAO,CAAC,GAAG;QACvB,UAAU,EAAE,OAAO,CAAC,GAAG;QACvB,oBAAoB,EAAE,OAAO,CAAC,EAAE;QAChC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE,OAAO,CAAC,GAAG;QACpB,KAAK,EAAE,OAAO,CAAC,GAAG;QAClB,QAAQ,EAAE,OAAO,CAAC,GAAG;QACrB,eAAe,EAAE,OAAO,CAAC,GAAG;QAC5B,SAAS,EAAE,OAAO,CAAC,GAAG;QACtB,mBAAmB,EAAE,OAAO,CAAC,GAAG;QAChC,mBAAmB,EAAE,OAAO,CAAC,GAAG;QAChC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE,OAAO,CAAC,UAAU,CAAC;KAC7B,CAAM,CAAC;AACV,CAAC,CAAC;AAjEW,QAAA,gBAAgB,oBAiE3B"}

package/dist/internal/utils/validate-actor.d.ts

@@ -0,0 +1,3 @@
+import { TokenDelegation, VerifyActorOptions } from "../../types/jwt";
+export declare const validateActor: (delegation: TokenDelegation, options: VerifyActorOptions | undefined) => string | null;
+//# sourceMappingURL=validate-actor.d.ts.map

package/dist/internal/utils/validate-actor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-actor.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/validate-actor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,eAAO,MAAM,aAAa,GACxB,YAAY,eAAe,EAC3B,SAAS,kBAAkB,GAAG,SAAS,KACtC,MAAM,GAAG,IA2BX,CAAC"}

package/dist/internal/utils/validate-actor.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateActor = void 0;
+const validateActor = (delegation, options) => {
+    if (!options)
+        return null;
+    if (options.required && !delegation.isDelegated) {
+        return "Expected delegated token with act claim";
+    }
+    if (options.forbidden && delegation.isDelegated) {
+        return "Expected non-delegated token";
+    }
+    if (options.maxChainDepth !== undefined &&
+        delegation.actorChain.length > options.maxChainDepth) {
+        return `Actor chain exceeds maximum depth of ${options.maxChainDepth}`;
+    }
+    if (options.allowedSubjects) {
+        for (const entry of delegation.actorChain) {
+            if (!entry.subject || !options.allowedSubjects.includes(entry.subject)) {
+                return `Actor subject not allowed: ${entry.subject ?? "undefined"}`;
+            }
+        }
+    }
+    return null;
+};
+exports.validateActor = validateActor;
+//# sourceMappingURL=validate-actor.js.map

package/dist/internal/utils/validate-actor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-actor.js","sourceRoot":"","sources":["../../../src/internal/utils/validate-actor.ts"],"names":[],"mappings":";;;AAEO,MAAM,aAAa,GAAG,CAC3B,UAA2B,EAC3B,OAAuC,EACxB,EAAE;IACjB,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,IAAI,OAAO,CAAC,QAAQ,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;QAChD,OAAO,yCAAyC,CAAC;IACnD,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC;QAChD,OAAO,8BAA8B,CAAC;IACxC,CAAC;IAED,IACE,OAAO,CAAC,aAAa,KAAK,SAAS;QACnC,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,OAAO,CAAC,aAAa,EACpD,CAAC;QACD,OAAO,wCAAwC,OAAO,CAAC,aAAa,EAAE,CAAC;IACzE,CAAC;IAED,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5B,KAAK,MAAM,KAAK,IAAI,UAAU,CAAC,UAAU,EAAE,CAAC;YAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;gBACvE,OAAO,8BAA8B,KAAK,CAAC,OAAO,IAAI,WAAW,EAAE,CAAC;YACtE,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AA9BW,QAAA,aAAa,iBA8BxB"}

package/dist/internal/utils/validate-crit.d.ts

@@ -0,0 +1,4 @@
+export declare const validateCrit: (decoded: {
+    crit?: unknown;
+} & Record<string, unknown>) => string | null;
+//# sourceMappingURL=validate-crit.d.ts.map

package/dist/internal/utils/validate-crit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-crit.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/validate-crit.ts"],"names":[],"mappings":"AAoDA,eAAO,MAAM,YAAY,GACvB,SAAS;IAAE,IAAI,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KACpD,MAAM,GAAG,IAoCX,CAAC"}

package/dist/internal/utils/validate-crit.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateCrit = void 0;
+const IANA_REGISTERED_JOSE_HEADER_PARAMS = new Set([
+    "alg",
+    "jku",
+    "jwk",
+    "kid",
+    "x5u",
+    "x5c",
+    "x5t",
+    "x5t#S256",
+    "typ",
+    "cty",
+    "crit",
+    "enc",
+    "zip",
+    "epk",
+    "apu",
+    "apv",
+    "iv",
+    "tag",
+    "p2s",
+    "p2c",
+    "b64",
+    "ppt",
+    "url",
+    "nonce",
+    "svt",
+]);
+const validateCrit = (decoded) => {
+    const crit = decoded.crit;
+    if (crit === undefined)
+        return null;
+    if (!Array.isArray(crit)) {
+        return "crit must be an array";
+    }
+    if (crit.length === 0) {
+        return "crit must not be an empty array when present";
+    }
+    for (const name of crit) {
+        if (typeof name !== "string") {
+            return "crit entries must be strings";
+        }
+        if (IANA_REGISTERED_JOSE_HEADER_PARAMS.has(name)) {
+            return `crit must not contain the IANA-registered header parameter "${name}"`;
+        }
+        if (!(name in decoded)) {
+            return `crit listed parameter "${name}" is not present in the header`;
+        }
+    }
+    return null;
+};
+exports.validateCrit = validateCrit;
+//# sourceMappingURL=validate-crit.js.map

package/dist/internal/utils/validate-crit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate-crit.js","sourceRoot":"","sources":["../../../src/internal/utils/validate-crit.ts"],"names":[],"mappings":";;;AAOA,MAAM,kCAAkC,GAAG,IAAI,GAAG,CAAC;IAEjD,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;IACL,UAAU;IACV,KAAK;IACL,KAAK;IACL,MAAM;IAEN,KAAK;IACL,KAAK;IAEL,KAAK;IACL,KAAK;IACL,KAAK;IACL,IAAI;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IAEL,KAAK;IAEL,KAAK;IAEL,KAAK;IACL,OAAO;IAEP,KAAK;CACN,CAAC,CAAC;AAYI,MAAM,YAAY,GAAG,CAC1B,OAAqD,EACtC,EAAE;IACjB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAE1B,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAEpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,uBAAuB,CAAC;IACjC,CAAC;IAGD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,8CAA8C,CAAC;IACxD,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,IAAI,EAAE,CAAC;QACxB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,OAAO,8BAA8B,CAAC;QACxC,CAAC;QAID,IAAI,kCAAkC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,OAAO,+DAA+D,IAAI,GAAG,CAAC;QAChF,CAAC;QAOD,IAAI,CAAC,CAAC,IAAI,IAAI,OAAO,CAAC,EAAE,CAAC;YACvB,OAAO,0BAA0B,IAAI,gCAAgC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC,CAAC;AAtCW,QAAA,YAAY,gBAsCvB"}

package/dist/internal/utils/verify-cert-binding.d.ts

@@ -0,0 +1,14 @@
+import { IKryptos } from "@lindorm/kryptos";
+import { ILogger } from "@lindorm/logger";
+import { CertBindingMode } from "../../types";
+type VerifyCertBindingOptions = {
+    header: {
+        x5tS256: string | undefined;
+    };
+    kryptos: IKryptos;
+    logger: ILogger;
+    mode: CertBindingMode;
+};
+export declare const verifyCertBinding: ({ header, kryptos, logger, mode, }: VerifyCertBindingOptions) => void;
+export {};
+//# sourceMappingURL=verify-cert-binding.d.ts.map

package/dist/internal/utils/verify-cert-binding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-cert-binding.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/verify-cert-binding.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE1C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C,KAAK,wBAAwB,GAAG;IAC9B,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,GAAG,SAAS,CAAA;KAAE,CAAC;IACxC,OAAO,EAAE,QAAQ,CAAC;IAClB,MAAM,EAAE,OAAO,CAAC;IAChB,IAAI,EAAE,eAAe,CAAC;CACvB,CAAC;AAqBF,eAAO,MAAM,iBAAiB,GAAI,oCAK/B,wBAAwB,KAAG,IAyB7B,CAAC"}

package/dist/internal/utils/verify-cert-binding.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyCertBinding = void 0;
+const errors_1 = require("../../errors");
+const verifyCertBinding = ({ header, kryptos, logger, mode, }) => {
+    if (header.x5tS256 === undefined)
+        return;
+    if (kryptos.certificateThumbprint === null) {
+        if (mode === "strict") {
+            throw new errors_1.AegisError("token header x5t#S256 present but signing kryptos has no certificateChain", { debug: { kryptosId: kryptos.id } });
+        }
+        logger.warn("Cert binding: token header x5t#S256 present but signing kryptos has no certificateChain (lax mode — passing through)", { kryptosId: kryptos.id });
+        return;
+    }
+    if (header.x5tS256 !== kryptos.certificateThumbprint) {
+        throw new errors_1.AegisError("signing certificate thumbprint mismatch", {
+            debug: {
+                expected: kryptos.certificateThumbprint,
+                received: header.x5tS256,
+            },
+        });
+    }
+};
+exports.verifyCertBinding = verifyCertBinding;
+//# sourceMappingURL=verify-cert-binding.js.map

package/dist/internal/utils/verify-cert-binding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-cert-binding.js","sourceRoot":"","sources":["../../../src/internal/utils/verify-cert-binding.ts"],"names":[],"mappings":";;;AAEA,yCAA0C;AA6BnC,MAAM,iBAAiB,GAAG,CAAC,EAChC,MAAM,EACN,OAAO,EACP,MAAM,EACN,IAAI,GACqB,EAAQ,EAAE;IACnC,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS;QAAE,OAAO;IAEzC,IAAI,OAAO,CAAC,qBAAqB,KAAK,IAAI,EAAE,CAAC;QAC3C,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtB,MAAM,IAAI,mBAAU,CAClB,2EAA2E,EAC3E,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE,CACrC,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,IAAI,CACT,sHAAsH,EACtH,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,CAC1B,CAAC;QACF,OAAO;IACT,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,KAAK,OAAO,CAAC,qBAAqB,EAAE,CAAC;QACrD,MAAM,IAAI,mBAAU,CAAC,yCAAyC,EAAE;YAC9D,KAAK,EAAE;gBACL,QAAQ,EAAE,OAAO,CAAC,qBAAqB;gBACvC,QAAQ,EAAE,MAAM,CAAC,OAAO;aACzB;SACF,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC;AA9BW,QAAA,iBAAiB,qBA8B5B"}

package/dist/internal/utils/verify-dpop-proof.d.ts

@@ -0,0 +1,10 @@
+import { ParsedDpopProof } from "../../types/jwt/jwt-dpop";
+type Options = {
+    proof: string;
+    accessToken: string;
+    expectedThumbprint: string;
+    dpopMaxSkew: number;
+};
+export declare const verifyDpopProof: (options: Options) => ParsedDpopProof;
+export {};
+//# sourceMappingURL=verify-dpop-proof.d.ts.map

package/dist/internal/utils/verify-dpop-proof.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-dpop-proof.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/verify-dpop-proof.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAM3D,KAAK,OAAO,GAAG;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;CACrB,CAAC;AAkBF,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,KAAG,eA8ElD,CAAC"}

package/dist/internal/utils/verify-dpop-proof.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyDpopProof = void 0;
+const kryptos_1 = require("@lindorm/kryptos");
+const sha_1 = require("@lindorm/sha");
+const errors_1 = require("../../errors");
+const compute_jwk_thumbprint_1 = require("./compute-jwk-thumbprint");
+const jose_header_1 = require("./jose-header");
+const jose_signature_1 = require("./jose-signature");
+const jwt_payload_1 = require("./jwt-payload");
+const assertString = (value, claim) => {
+    if (typeof value !== "string" || value.length === 0) {
+        throw new errors_1.JwtError(`Invalid DPoP proof: "${claim}" claim is required`);
+    }
+    return value;
+};
+const verifyDpopProof = (options) => {
+    const { proof, accessToken, expectedThumbprint, dpopMaxSkew } = options;
+    const parts = proof.split(".");
+    if (parts.length !== 3) {
+        throw new errors_1.JwtError("Invalid DPoP proof: not a compact JWS");
+    }
+    const [headerB64, payloadB64] = parts;
+    const header = (0, jose_header_1.decodeJoseHeader)(headerB64);
+    if (header.typ !== "dpop+jwt") {
+        throw new errors_1.JwtError("Invalid DPoP proof: header typ must be dpop+jwt", {
+            data: { typ: header.typ },
+        });
+    }
+    if (!header.jwk) {
+        throw new errors_1.JwtError("Invalid DPoP proof: header jwk is required");
+    }
+    const rawJwk = header.jwk;
+    const thumbprint = (0, compute_jwk_thumbprint_1.computeJwkThumbprint)(rawJwk);
+    if (thumbprint !== expectedThumbprint) {
+        throw new errors_1.JwtError("Invalid DPoP proof: thumbprint does not match cnf.jkt", {
+            data: { expected: expectedThumbprint, actual: thumbprint },
+        });
+    }
+    const proofKryptos = kryptos_1.KryptosKit.from.jwk({
+        ...rawJwk,
+        alg: header.alg,
+        use: "sig",
+    });
+    if (!(0, jose_signature_1.verifyJoseSignature)(proofKryptos, proof)) {
+        throw new errors_1.JwtError("Invalid DPoP proof: signature verification failed");
+    }
+    const payload = (0, jwt_payload_1.decodeJwtPayload)(payloadB64);
+    const tokenId = assertString(payload.jti, "jti");
+    const httpMethod = assertString(payload.htm, "htm");
+    const httpUri = assertString(payload.htu, "htu");
+    if (typeof payload.iat !== "number") {
+        throw new errors_1.JwtError("Invalid DPoP proof: iat claim is required");
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (Math.abs(now - payload.iat) > dpopMaxSkew) {
+        throw new errors_1.JwtError("Invalid DPoP proof: iat is outside the allowed skew window", {
+            data: { iat: payload.iat, now, dpopMaxSkew },
+        });
+    }
+    const expectedAth = sha_1.ShaKit.S256(accessToken);
+    if (payload.ath !== expectedAth) {
+        throw new errors_1.JwtError("Invalid DPoP proof: ath does not match access token hash");
+    }
+    return {
+        thumbprint,
+        tokenId,
+        httpMethod,
+        httpUri,
+        issuedAt: new Date(payload.iat * 1000),
+        accessTokenHash: expectedAth,
+        nonce: typeof payload.nonce === "string" ? payload.nonce : undefined,
+    };
+};
+exports.verifyDpopProof = verifyDpopProof;
+//# sourceMappingURL=verify-dpop-proof.js.map

package/dist/internal/utils/verify-dpop-proof.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-dpop-proof.js","sourceRoot":"","sources":["../../../src/internal/utils/verify-dpop-proof.ts"],"names":[],"mappings":";;;AAAA,8CAA8C;AAC9C,sCAAsC;AACtC,yCAAwC;AAExC,qEAAgE;AAChE,+CAAiD;AACjD,qDAAuD;AACvD,+CAAiD;AAkBjD,MAAM,YAAY,GAAG,CAAC,KAAc,EAAE,KAAa,EAAU,EAAE;IAC7D,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,iBAAQ,CAAC,wBAAwB,KAAK,qBAAqB,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC,CAAC;AAEK,MAAM,eAAe,GAAG,CAAC,OAAgB,EAAmB,EAAE;IACnE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;IAExE,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,iBAAQ,CAAC,uCAAuC,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC;IAEtC,MAAM,MAAM,GAAG,IAAA,8BAAgB,EAAC,SAAS,CAAC,CAAC;IAE3C,IAAI,MAAM,CAAC,GAAG,KAAK,UAAU,EAAE,CAAC;QAC9B,MAAM,IAAI,iBAAQ,CAAC,iDAAiD,EAAE;YACpE,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,IAAI,iBAAQ,CAAC,4CAA4C,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,CAAC,GAA8B,CAAC;IAIrD,MAAM,UAAU,GAAG,IAAA,6CAAoB,EAAC,MAAM,CAAC,CAAC;IAEhD,IAAI,UAAU,KAAK,kBAAkB,EAAE,CAAC;QACtC,MAAM,IAAI,iBAAQ,CAAC,uDAAuD,EAAE;YAC1E,IAAI,EAAE,EAAE,QAAQ,EAAE,kBAAkB,EAAE,MAAM,EAAE,UAAU,EAAE;SAC3D,CAAC,CAAC;IACL,CAAC;IAOD,MAAM,YAAY,GAAG,oBAAU,CAAC,IAAI,CAAC,GAAG,CAAC;QACvC,GAAG,MAAM;QACT,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,GAAG,EAAE,KAAK;KACkC,CAAC,CAAC;IAEhD,IAAI,CAAC,IAAA,oCAAmB,EAAC,YAAY,EAAE,KAAK,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,iBAAQ,CAAC,mDAAmD,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,8BAAgB,EAAmB,UAAU,CAAC,CAAC;IAE/D,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAEjD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,iBAAQ,CAAC,2CAA2C,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,WAAW,EAAE,CAAC;QAC9C,MAAM,IAAI,iBAAQ,CAAC,4DAA4D,EAAE;YAC/E,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,WAAW,EAAE;SAC7C,CAAC,CAAC;IACL,CAAC;IAED,MAAM,WAAW,GAAG,YAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC7C,IAAI,OAAO,CAAC,GAAG,KAAK,WAAW,EAAE,CAAC;QAChC,MAAM,IAAI,iBAAQ,CAAC,0DAA0D,CAAC,CAAC;IACjF,CAAC;IAED,OAAO;QACL,UAAU;QACV,OAAO;QACP,UAAU;QACV,OAAO;QACP,QAAQ,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;QACtC,eAAe,EAAE,WAAW;QAC5B,KAAK,EAAE,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACrE,CAAC;AACJ,CAAC,CAAC;AA9EW,QAAA,eAAe,mBA8E1B"}

package/dist/mocks/create-mock-aegis.d.ts

@@ -1,3 +1,4 @@
 import { IAegis } from "../interfaces";
-export declare const createMockAegis: () => IAegis;
+export type MockAegis = jest.Mocked<IAegis>;
+export declare const createMockAegis: () => MockAegis;
 //# sourceMappingURL=create-mock-aegis.d.ts.map

package/dist/mocks/create-mock-aegis.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"create-mock-aegis.d.ts","sourceRoot":"","sources":["../../src/mocks/create-mock-aegis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAEvC,eAAO,MAAM,eAAe,QAAO,MAoFjC,CAAC"}
+{"version":3,"file":"create-mock-aegis.d.ts","sourceRoot":"","sources":["../../src/mocks/create-mock-aegis.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAEvC,MAAM,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAE5C,eAAO,MAAM,eAAe,QAAO,SA0DlC,CAAC"}

package/dist/mocks/create-mock-aegis.js

@@ -1,85 +1,59 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createMockAegis = void 0;
-const createMockAegis = () => ({
-    issuer: "https://test.lindorm.io/",
-    aes: {
-        encrypt: jest.fn().mockResolvedValue("mocked_encryption"),
-        decrypt: jest.fn().mockResolvedValue("mocked_decryption"),
-    },
-    jwe: {
-        encrypt: jest.fn().mockResolvedValue({ token: "mocked_token" }),
-        decrypt: jest.fn().mockResolvedValue({
-            decoded: {},
-            header: {},
-            payload: "mocked_payload",
-        }),
-    },
-    jws: {
-        sign: jest.fn().mockResolvedValue({
-            objectId: "mocked_object_id",
-            token: "mocked_token",
-        }),
-        verify: jest.fn().mockResolvedValue({
-            decoded: {},
-            header: {},
-            payload: "verified_payload",
-        }),
-    },
-    jwt: {
-        sign: jest.fn().mockResolvedValue({
-            expiresAt: new Date("2999-01-01T00:00:00.000Z"),
-            expiresIn: 999,
-            expiresOn: 9999,
-            objectId: "mocked_object_id",
-            token: "mocked_token",
-            tokenId: "mocked_token_id",
-        }),
+const aes_1 = require("@lindorm/aes");
+const createMockAegis = () => {
+    const mockAesKit = (0, aes_1.createMockAesKit)();
+    return {
+        issuer: "https://test.lindorm.io/",
+        aes: {
+            encrypt: jest
+                .fn()
+                .mockImplementation((data, mode) => Promise.resolve(mockAesKit.encrypt(data, mode))),
+            decrypt: jest
+                .fn()
+                .mockImplementation((data) => Promise.resolve(mockAesKit.decrypt(data))),
+        },
+        jwe: {
+            encrypt: jest.fn().mockResolvedValue({ token: "mocked_token" }),
+            decrypt: jest.fn().mockResolvedValue({
+                decoded: {},
+                header: {},
+                payload: "mocked_payload",
+            }),
+        },
+        jws: {
+            sign: jest.fn().mockResolvedValue({
+                objectId: "mocked_object_id",
+                token: "mocked_token",
+            }),
+            verify: jest.fn().mockResolvedValue({
+                decoded: {},
+                header: {},
+                payload: "verified_payload",
+            }),
+        },
+        jwt: {
+            sign: jest.fn().mockResolvedValue({
+                expiresAt: new Date("2999-01-01T00:00:00.000Z"),
+                expiresIn: 999,
+                expiresOn: 9999,
+                objectId: "mocked_object_id",
+                token: "mocked_token",
+                tokenId: "mocked_token_id",
+            }),
+            verify: jest.fn().mockResolvedValue({
+                decoded: {},
+                header: {},
+                payload: { subject: "verified_subject" },
+            }),
+        },
         verify: jest.fn().mockResolvedValue({
             decoded: {},
             header: {},
             payload: { subject: "verified_subject" },
         }),
-    },
-    cwe: {
-        encrypt: jest
-            .fn()
-            .mockResolvedValue({ buffer: Buffer.alloc(0), token: "mocked_token" }),
-        decrypt: jest.fn().mockResolvedValue({
-            decoded: {},
-            header: {},
-            payload: "mocked_payload",
-        }),
-    },
-    cwt: {
-        sign: jest.fn().mockResolvedValue({
-            buffer: Buffer.alloc(0),
-            objectId: "mocked_object_id",
-            token: "mocked_token",
-        }),
-        verify: jest.fn().mockResolvedValue({
-            decoded: {},
-            header: {},
-            payload: "verified_payload",
-        }),
-    },
-    cws: {
-        sign: jest.fn().mockResolvedValue({
-            buffer: Buffer.alloc(0),
-            objectId: "mocked_object_id",
-            token: "mocked_token",
-        }),
-        verify: jest.fn().mockResolvedValue({
-            decoded: {},
-            header: {},
-            payload: "verified_payload",
-        }),
-    },
-    verify: jest.fn().mockResolvedValue({
-        decoded: {},
-        header: {},
-        payload: { subject: "verified_subject" },
-    }),
-});
+    };
+};
 exports.createMockAegis = createMockAegis;
 //# sourceMappingURL=create-mock-aegis.js.map

package/dist/mocks/create-mock-aegis.js.map

@@ -1 +1 @@
-{"version":3,"file":"create-mock-aegis.js","sourceRoot":"","sources":["../../src/mocks/create-mock-aegis.ts"],"names":[],"mappings":";;;AAEO,MAAM,eAAe,GAAG,GAAW,EAAE,CAAC,CAAC;IAC5C,MAAM,EAAE,0BAA0B;IAElC,GAAG,EAAE;QACH,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,mBAAmB,CAAC;QACzD,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,mBAAmB,CAAC;KAC1D;IAED,GAAG,EAAE;QACH,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QAC/D,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YACnC,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,gBAAgB;SAC1B,CAAC;KACH;IACD,GAAG,EAAE;QACH,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAChC,QAAQ,EAAE,kBAAkB;YAC5B,KAAK,EAAE,cAAc;SACtB,CAAC;QACF,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAClC,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,kBAAkB;SAC5B,CAAC;KACH;IACD,GAAG,EAAE;QACH,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAChC,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;YAC/C,SAAS,EAAE,GAAG;YACd,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,kBAAkB;YAC5B,KAAK,EAAE,cAAc;YACrB,OAAO,EAAE,iBAAiB;SAC3B,CAAC;QACF,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAClC,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,EAAE,OAAO,EAAE,kBAAkB,EAAE;SACzC,CAAC;KACH;IAED,GAAG,EAAE;QACH,OAAO,EAAE,IAAI;aACV,EAAE,EAAE;aACJ,iBAAiB,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;QACxE,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YACnC,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,gBAAgB;SAC1B,CAAC;KACH;IACD,GAAG,EAAE;QACH,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAChC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACvB,QAAQ,EAAE,kBAAkB;YAC5B,KAAK,EAAE,cAAc;SACtB,CAAC;QACF,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAClC,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,kBAAkB;SAC5B,CAAC;KACH;IACD,GAAG,EAAE;QACH,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAChC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACvB,QAAQ,EAAE,kBAAkB;YAC5B,KAAK,EAAE,cAAc;SACtB,CAAC;QACF,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAClC,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,kBAAkB;SAC5B,CAAC;KACH;IAGD,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;QAClC,OAAO,EAAE,EAAE;QACX,MAAM,EAAE,EAAE;QACV,OAAO,EAAE,EAAE,OAAO,EAAE,kBAAkB,EAAE;KACzC,CAAC;CACH,CAAC,CAAC;AApFU,QAAA,eAAe,mBAoFzB"}
+{"version":3,"file":"create-mock-aegis.js","sourceRoot":"","sources":["../../src/mocks/create-mock-aegis.ts"],"names":[],"mappings":";;;AAAA,sCAAgD;AAKzC,MAAM,eAAe,GAAG,GAAc,EAAE;IAC7C,MAAM,UAAU,GAAG,IAAA,sBAAgB,GAAE,CAAC;IAEtC,OAAO;QACL,MAAM,EAAE,0BAA0B;QAElC,GAAG,EAAE;YACH,OAAO,EAAE,IAAI;iBACV,EAAE,EAAE;iBACJ,kBAAkB,CAAC,CAAC,IAAS,EAAE,IAAa,EAAE,EAAE,CAC/C,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,IAAW,CAAC,CAAC,CACvD;YACH,OAAO,EAAE,IAAI;iBACV,EAAE,EAAE;iBACJ,kBAAkB,CAAC,CAAC,IAAS,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;SAChF;QAED,GAAG,EAAE;YACH,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;YAC/D,OAAO,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBACnC,OAAO,EAAE,EAAE;gBACX,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,gBAAgB;aAC1B,CAAC;SACH;QACD,GAAG,EAAE;YACH,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAChC,QAAQ,EAAE,kBAAkB;gBAC5B,KAAK,EAAE,cAAc;aACtB,CAAC;YACF,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAClC,OAAO,EAAE,EAAE;gBACX,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,kBAAkB;aAC5B,CAAC;SACH;QACD,GAAG,EAAE;YACH,IAAI,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAChC,SAAS,EAAE,IAAI,IAAI,CAAC,0BAA0B,CAAC;gBAC/C,SAAS,EAAE,GAAG;gBACd,SAAS,EAAE,IAAI;gBACf,QAAQ,EAAE,kBAAkB;gBAC5B,KAAK,EAAE,cAAc;gBACrB,OAAO,EAAE,iBAAiB;aAC3B,CAAC;YACF,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;gBAClC,OAAO,EAAE,EAAE;gBACX,MAAM,EAAE,EAAE;gBACV,OAAO,EAAE,EAAE,OAAO,EAAE,kBAAkB,EAAE;aACzC,CAAC;SACH;QAED,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC;YAClC,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,EAAE;YACV,OAAO,EAAE,EAAE,OAAO,EAAE,kBAAkB,EAAE;SACzC,CAAC;KACH,CAAC;AACJ,CAAC,CAAC;AA1DW,QAAA,eAAe,mBA0D1B"}

package/dist/mocks/index.d.ts

@@ -1,2 +1,2 @@
-export * from "./create-mock-aegis";
+export { createMockAegis, type MockAegis } from "./create-mock-aegis";
 //# sourceMappingURL=index.d.ts.map

package/dist/mocks/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/mocks/index.ts"],"names":[],"mappings":"AAAA,cAAc,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/mocks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,KAAK,SAAS,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/mocks/index.js

@@ -1,18 +1,6 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __exportStar = (this && this.__exportStar) || function(m, exports) {
-    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
-};
 Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./create-mock-aegis"), exports);
+exports.createMockAegis = void 0;
+var create_mock_aegis_1 = require("./create-mock-aegis");
+Object.defineProperty(exports, "createMockAegis", { enumerable: true, get: function () { return create_mock_aegis_1.createMockAegis; } });
 //# sourceMappingURL=index.js.map

package/dist/mocks/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/mocks/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,sDAAoC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/mocks/index.ts"],"names":[],"mappings":";;;AAAA,yDAAsE;AAA7D,oHAAA,eAAe,OAAA"}

package/dist/types/aegis.d.ts

@@ -2,10 +2,13 @@ import { AmphoraQuery, IAmphora } from "@lindorm/amphora";
 import { KryptosEncAlgorithm, KryptosEncryption, KryptosSigAlgorithm } from "@lindorm/kryptos";
 import { ILogger } from "@lindorm/logger";
 import { Predicate } from "@lindorm/types";
+import { CertBindingMode } from "./header";
 export type AegisPredicate = Predicate<Pick<AmphoraQuery, "id" | "curve" | "purpose" | "type" | "use" | "ownerId">>;
 export type AegisOptions = {
     amphora: IAmphora;
+    certBindingMode?: CertBindingMode;
     clockTolerance?: number;
+    dpopMaxSkew?: number;
     encAlgorithm?: KryptosEncAlgorithm;
     encryption?: KryptosEncryption;
     issuer?: string;

package/dist/types/aegis.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"aegis.d.ts","sourceRoot":"","sources":["../../src/types/aegis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,EACpB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAE3C,MAAM,MAAM,cAAc,GAAG,SAAS,CACpC,IAAI,CAAC,YAAY,EAAE,IAAI,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,GAAG,KAAK,GAAG,SAAS,CAAC,CAC5E,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,OAAO,EAAE,QAAQ,CAAC;IAClB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,mBAAmB,CAAC;IACnC,UAAU,CAAC,EAAE,iBAAiB,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC,CAAC"}
+{"version":3,"file":"aegis.d.ts","sourceRoot":"","sources":["../../src/types/aegis.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,EACpB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAE3C,MAAM,MAAM,cAAc,GAAG,SAAS,CACpC,IAAI,CAAC,YAAY,EAAE,IAAI,GAAG,OAAO,GAAG,SAAS,GAAG,MAAM,GAAG,KAAK,GAAG,SAAS,CAAC,CAC5E,CAAC;AAEF,MAAM,MAAM,YAAY,GAAG;IACzB,OAAO,EAAE,QAAQ,CAAC;IAClB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,mBAAmB,CAAC;IACnC,UAAU,CAAC,EAAE,iBAAiB,CAAC;IAC/B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,OAAO,CAAC;IAChB,YAAY,CAAC,EAAE,mBAAmB,CAAC;CACpC,CAAC"}

package/dist/types/claims/act-claim.d.ts

@@ -0,0 +1,8 @@
+export type ActClaim = {
+    subject?: string;
+    issuer?: string;
+    audience?: Array<string>;
+    clientId?: string;
+    act?: ActClaim;
+};
+//# sourceMappingURL=act-claim.d.ts.map

package/dist/types/claims/act-claim.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"act-claim.d.ts","sourceRoot":"","sources":["../../../src/types/claims/act-claim.ts"],"names":[],"mappings":"AAMA,MAAM,MAAM,QAAQ,GAAG;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,GAAG,CAAC,EAAE,QAAQ,CAAC;CAChB,CAAC"}

package/dist/{interfaces/CwtKit.js → types/claims/act-claim.js}

@@ -1,3 +1,3 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-//# sourceMappingURL=CwtKit.js.map
+//# sourceMappingURL=act-claim.js.map

package/dist/types/claims/act-claim.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"act-claim.js","sourceRoot":"","sources":["../../../src/types/claims/act-claim.ts"],"names":[],"mappings":""}

package/dist/types/claims/aegis-introspection.d.ts

@@ -0,0 +1,16 @@
+import { LindormClaims } from "./lindorm-claims";
+import { OAuthClaims } from "./oauth-claims";
+import { OidcClaims } from "./oidc-claims";
+import { PopClaims } from "./pop-claims";
+import { DelegationClaims } from "./delegation-claims";
+import { StdClaims } from "./std-claims";
+export type AegisIntrospectionActive = StdClaims & OidcClaims & PopClaims & DelegationClaims & OAuthClaims & LindormClaims & {
+    active: true;
+    tokenType?: string;
+    username?: string;
+};
+export type AegisIntrospectionInactive = {
+    active: false;
+};
+export type AegisIntrospection = AegisIntrospectionActive | AegisIntrospectionInactive;
+//# sourceMappingURL=aegis-introspection.d.ts.map

package/dist/types/claims/aegis-introspection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aegis-introspection.d.ts","sourceRoot":"","sources":["../../../src/types/claims/aegis-introspection.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAKzC,MAAM,MAAM,wBAAwB,GAAG,SAAS,GAC9C,UAAU,GACV,SAAS,GACT,gBAAgB,GAChB,WAAW,GACX,aAAa,GAAG;IACd,MAAM,EAAE,IAAI,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAIJ,MAAM,MAAM,0BAA0B,GAAG;IACvC,MAAM,EAAE,KAAK,CAAC;CACf,CAAC;AAIF,MAAM,MAAM,kBAAkB,GAAG,wBAAwB,GAAG,0BAA0B,CAAC"}

package/dist/types/claims/aegis-introspection.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=aegis-introspection.js.map

package/dist/types/claims/aegis-introspection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aegis-introspection.js","sourceRoot":"","sources":["../../../src/types/claims/aegis-introspection.ts"],"names":[],"mappings":""}