@lindorm/aegis 0.8.1 → 0.10.0

package/dist/internal/profiles/definitions/id-token.js

@@ -0,0 +1,26 @@
+export const idTokenProfile = {
+    name: "id_token",
+    typ: "JWT",
+    required: ["issuer", "subject", "audience", "expiresAt", "issuedAt"],
+    forbidden: [],
+    requiredWhen: [
+        {
+            claim: "accessTokenHash",
+            when: (claims, ctx) => ctx.accessTokenIssued === true || claims.accessTokenHash !== undefined,
+        },
+    ],
+    atLeastOneOf: [],
+    autoInject: { iat: true, jti: false, nbf: false, iss: true },
+    issuer: "platform",
+    lifetime: "1h",
+    encryptable: true,
+    algClass: "confidential",
+    rules: {
+        issUri: true,
+        crossField: true,
+        cnfShape: true,
+        actChainShape: true,
+    },
+    validate: () => [],
+};
+//# sourceMappingURL=id-token.js.map

package/dist/internal/profiles/definitions/id-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"id-token.js","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/id-token.ts"],"names":[],"mappings":"AAUA,MAAM,CAAC,MAAM,cAAc,GAAiB;IAC1C,IAAI,EAAE,UAAU;IAChB,GAAG,EAAE,KAAK;IACV,QAAQ,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,UAAU,CAAC;IACpE,SAAS,EAAE,EAAE;IACb,YAAY,EAAE;QACZ;YACE,KAAK,EAAE,iBAAiB;YACxB,IAAI,EAAE,CAAC,MAAY,EAAE,GAAgB,EAAE,EAAE,CACvC,GAAG,CAAC,iBAAiB,KAAK,IAAI,IAAI,MAAM,CAAC,eAAe,KAAK,SAAS;SACzE;KACF;IACD,YAAY,EAAE,EAAE;IAChB,UAAU,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE;IAC5D,MAAM,EAAE,UAAU;IAClB,QAAQ,EAAE,IAAI;IACd,WAAW,EAAE,IAAI;IACjB,QAAQ,EAAE,cAAc;IACxB,KAAK,EAAE;QACL,MAAM,EAAE,IAAI;QACZ,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,IAAI;QACd,aAAa,EAAE,IAAI;KACpB;IACD,QAAQ,EAAE,GAAG,EAAE,CAAC,EAAE;CACnB,CAAC"}

package/dist/internal/profiles/definitions/introspection.d.ts

@@ -0,0 +1,3 @@
+import type { TokenProfile } from "../../../types/index.js";
+export declare const introspectionProfile: TokenProfile;
+//# sourceMappingURL=introspection.d.ts.map

package/dist/internal/profiles/definitions/introspection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"introspection.d.ts","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/introspection.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAO5D,eAAO,MAAM,oBAAoB,EAAE,YAgBlC,CAAC"}

package/dist/internal/profiles/definitions/introspection.js

@@ -0,0 +1,18 @@
+export const introspectionProfile = {
+    name: "introspection",
+    typ: "application/token-introspection+jwt",
+    required: ["issuer", "audience", "issuedAt", "token_introspection"],
+    forbidden: [],
+    requiredWhen: [],
+    atLeastOneOf: [],
+    autoInject: { iat: true, jti: false, nbf: false, iss: true },
+    issuer: "platform",
+    lifetime: null,
+    encryptable: true,
+    algClass: "confidential",
+    rules: {
+        issUri: true,
+    },
+    validate: () => [],
+};
+//# sourceMappingURL=introspection.js.map

package/dist/internal/profiles/definitions/introspection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"introspection.js","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/introspection.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,oBAAoB,GAAiB;IAChD,IAAI,EAAE,eAAe;IACrB,GAAG,EAAE,qCAAqC;IAC1C,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,qBAAqB,CAAC;IACnE,SAAS,EAAE,EAAE;IACb,YAAY,EAAE,EAAE;IAChB,YAAY,EAAE,EAAE;IAChB,UAAU,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE;IAC5D,MAAM,EAAE,UAAU;IAClB,QAAQ,EAAE,IAAI;IACd,WAAW,EAAE,IAAI;IACjB,QAAQ,EAAE,cAAc;IACxB,KAAK,EAAE;QACL,MAAM,EAAE,IAAI;KACb;IACD,QAAQ,EAAE,GAAG,EAAE,CAAC,EAAE;CACnB,CAAC"}

package/dist/internal/profiles/definitions/jarm.d.ts

@@ -0,0 +1,3 @@
+import type { TokenProfile } from "../../../types/index.js";
+export declare const jarmProfile: TokenProfile;
+//# sourceMappingURL=jarm.d.ts.map

package/dist/internal/profiles/definitions/jarm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jarm.d.ts","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/jarm.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAQ5D,eAAO,MAAM,WAAW,EAAE,YAiBzB,CAAC"}

package/dist/internal/profiles/definitions/jarm.js

@@ -0,0 +1,19 @@
+export const jarmProfile = {
+    name: "jarm",
+    typ: null,
+    required: ["issuer", "audience", "expiresAt"],
+    forbidden: [],
+    requiredWhen: [],
+    atLeastOneOf: [],
+    autoInject: { iat: true, jti: false, nbf: false, iss: true },
+    issuer: "platform",
+    lifetime: "10m",
+    encryptable: true,
+    algClass: "confidential",
+    rules: {
+        issUri: true,
+        crossField: true,
+    },
+    validate: () => [],
+};
+//# sourceMappingURL=jarm.js.map

package/dist/internal/profiles/definitions/jarm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jarm.js","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/jarm.ts"],"names":[],"mappings":"AAQA,MAAM,CAAC,MAAM,WAAW,GAAiB;IACvC,IAAI,EAAE,MAAM;IACZ,GAAG,EAAE,IAAI;IACT,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,WAAW,CAAC;IAC7C,SAAS,EAAE,EAAE;IACb,YAAY,EAAE,EAAE;IAChB,YAAY,EAAE,EAAE;IAChB,UAAU,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE;IAC5D,MAAM,EAAE,UAAU;IAClB,QAAQ,EAAE,KAAK;IACf,WAAW,EAAE,IAAI;IACjB,QAAQ,EAAE,cAAc;IACxB,KAAK,EAAE;QACL,MAAM,EAAE,IAAI;QACZ,UAAU,EAAE,IAAI;KACjB;IACD,QAAQ,EAAE,GAAG,EAAE,CAAC,EAAE;CACnB,CAAC"}

package/dist/internal/profiles/definitions/logout-token.d.ts

@@ -0,0 +1,3 @@
+import type { TokenProfile } from "../../../types/index.js";
+export declare const logoutTokenProfile: TokenProfile;
+//# sourceMappingURL=logout-token.d.ts.map

package/dist/internal/profiles/definitions/logout-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout-token.d.ts","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/logout-token.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAU5D,eAAO,MAAM,kBAAkB,EAAE,YAkBhC,CAAC"}

package/dist/internal/profiles/definitions/logout-token.js

@@ -0,0 +1,20 @@
+export const logoutTokenProfile = {
+    name: "logout_token",
+    typ: "application/logout+jwt",
+    required: ["issuer", "audience", "issuedAt", "expiresAt", "tokenId", "events"],
+    forbidden: ["nonce"],
+    requiredWhen: [],
+    atLeastOneOf: [["subject", "sessionId"]],
+    autoInject: { iat: true, jti: true, nbf: false, iss: true },
+    issuer: "platform",
+    lifetime: "2m",
+    encryptable: false,
+    algClass: "confidential",
+    rules: {
+        issUri: true,
+        crossField: true,
+        eventsShape: true,
+    },
+    validate: () => [],
+};
+//# sourceMappingURL=logout-token.js.map

package/dist/internal/profiles/definitions/logout-token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout-token.js","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/logout-token.ts"],"names":[],"mappings":"AAUA,MAAM,CAAC,MAAM,kBAAkB,GAAiB;IAC9C,IAAI,EAAE,cAAc;IACpB,GAAG,EAAE,wBAAwB;IAC7B,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;IAC9E,SAAS,EAAE,CAAC,OAAO,CAAC;IACpB,YAAY,EAAE,EAAE;IAChB,YAAY,EAAE,CAAC,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IACxC,UAAU,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE;IAC3D,MAAM,EAAE,UAAU;IAClB,QAAQ,EAAE,IAAI;IACd,WAAW,EAAE,KAAK;IAClB,QAAQ,EAAE,cAAc;IACxB,KAAK,EAAE;QACL,MAAM,EAAE,IAAI;QACZ,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,IAAI;KAClB;IACD,QAAQ,EAAE,GAAG,EAAE,CAAC,EAAE;CACnB,CAAC"}

package/dist/internal/profiles/definitions/security-event.d.ts

@@ -0,0 +1,3 @@
+import type { TokenProfile } from "../../../types/index.js";
+export declare const securityEventProfile: TokenProfile;
+//# sourceMappingURL=security-event.d.ts.map

package/dist/internal/profiles/definitions/security-event.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-event.d.ts","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/security-event.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAW5D,eAAO,MAAM,oBAAoB,EAAE,YAkBlC,CAAC"}

package/dist/internal/profiles/definitions/security-event.js

@@ -0,0 +1,20 @@
+export const securityEventProfile = {
+    name: "security_event",
+    typ: "application/secevent+jwt",
+    required: ["issuer", "audience", "issuedAt", "tokenId", "subjectId", "events"],
+    forbidden: ["subject", "expiresAt", "nonce"],
+    requiredWhen: [],
+    atLeastOneOf: [],
+    autoInject: { iat: true, jti: true, nbf: false, iss: true },
+    issuer: "platform",
+    lifetime: null,
+    encryptable: false,
+    algClass: "confidential",
+    rules: {
+        issUri: true,
+        subIdShape: true,
+        eventsShape: true,
+    },
+    validate: () => [],
+};
+//# sourceMappingURL=security-event.js.map

package/dist/internal/profiles/definitions/security-event.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-event.js","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/security-event.ts"],"names":[],"mappings":"AAWA,MAAM,CAAC,MAAM,oBAAoB,GAAiB;IAChD,IAAI,EAAE,gBAAgB;IACtB,GAAG,EAAE,0BAA0B;IAC/B,QAAQ,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,WAAW,EAAE,QAAQ,CAAC;IAC9E,SAAS,EAAE,CAAC,SAAS,EAAE,WAAW,EAAE,OAAO,CAAC;IAC5C,YAAY,EAAE,EAAE;IAChB,YAAY,EAAE,EAAE;IAChB,UAAU,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE;IAC3D,MAAM,EAAE,UAAU;IAClB,QAAQ,EAAE,IAAI;IACd,WAAW,EAAE,KAAK;IAClB,QAAQ,EAAE,cAAc;IACxB,KAAK,EAAE;QACL,MAAM,EAAE,IAAI;QACZ,UAAU,EAAE,IAAI;QAChB,WAAW,EAAE,IAAI;KAClB;IACD,QAAQ,EAAE,GAAG,EAAE,CAAC,EAAE;CACnB,CAAC"}

package/dist/internal/profiles/definitions/userinfo.d.ts

@@ -0,0 +1,3 @@
+import type { TokenProfile } from "../../../types/index.js";
+export declare const userinfoProfile: TokenProfile;
+//# sourceMappingURL=userinfo.d.ts.map

package/dist/internal/profiles/definitions/userinfo.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"userinfo.d.ts","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/userinfo.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAO5D,eAAO,MAAM,eAAe,EAAE,YAgB7B,CAAC"}

package/dist/internal/profiles/definitions/userinfo.js

@@ -0,0 +1,18 @@
+export const userinfoProfile = {
+    name: "userinfo",
+    typ: null,
+    required: ["issuer", "subject", "audience"],
+    forbidden: [],
+    requiredWhen: [],
+    atLeastOneOf: [],
+    autoInject: { iat: false, jti: false, nbf: false, iss: true },
+    issuer: "platform",
+    lifetime: null,
+    encryptable: true,
+    algClass: "confidential",
+    rules: {
+        issUri: true,
+    },
+    validate: () => [],
+};
+//# sourceMappingURL=userinfo.js.map

package/dist/internal/profiles/definitions/userinfo.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"userinfo.js","sourceRoot":"","sources":["../../../../src/internal/profiles/definitions/userinfo.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,eAAe,GAAiB;IAC3C,IAAI,EAAE,UAAU;IAChB,GAAG,EAAE,IAAI;IACT,QAAQ,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,UAAU,CAAC;IAC3C,SAAS,EAAE,EAAE;IACb,YAAY,EAAE,EAAE;IAChB,YAAY,EAAE,EAAE;IAChB,UAAU,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE;IAC7D,MAAM,EAAE,UAAU;IAClB,QAAQ,EAAE,IAAI;IACd,WAAW,EAAE,IAAI;IACjB,QAAQ,EAAE,cAAc;IACxB,KAAK,EAAE;QACL,MAAM,EAAE,IAAI;KACb;IACD,QAAQ,EAAE,GAAG,EAAE,CAAC,EAAE;CACnB,CAAC"}

package/dist/internal/profiles/registry.d.ts

@@ -0,0 +1,4 @@
+import type { TokenProfile } from "../../types/index.js";
+export declare const registerProfile: (profile: TokenProfile) => void;
+export declare const resolveProfile: (name: string) => TokenProfile;
+//# sourceMappingURL=registry.d.ts.map

package/dist/internal/profiles/registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../../src/internal/profiles/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAqBzD,eAAO,MAAM,eAAe,GAAI,SAAS,YAAY,KAAG,IAEvD,CAAC;AAEF,eAAO,MAAM,cAAc,GAAI,MAAM,MAAM,KAAG,YAe7C,CAAC"}

package/dist/internal/profiles/registry.js

@@ -0,0 +1,41 @@
+import { JwtError } from "../../errors/index.js";
+import { accessTokenProfile } from "./definitions/access-token.js";
+import { clientAssertionProfile } from "./definitions/client-assertion.js";
+import { defaultProfile } from "./definitions/default.js";
+import { delegationProfile } from "./definitions/delegation.js";
+import { erasureTokenProfile } from "./definitions/erasure-token.js";
+import { idTokenProfile } from "./definitions/id-token.js";
+import { introspectionProfile } from "./definitions/introspection.js";
+import { jarmProfile } from "./definitions/jarm.js";
+import { logoutTokenProfile } from "./definitions/logout-token.js";
+import { securityEventProfile } from "./definitions/security-event.js";
+import { userinfoProfile } from "./definitions/userinfo.js";
+const registry = new Map();
+export const registerProfile = (profile) => {
+    registry.set(profile.name, profile);
+};
+export const resolveProfile = (name) => {
+    const profile = registry.get(name);
+    if (!profile) {
+        throw new JwtError(`Unknown token profile: ${name}`, {
+            code: "jwt_unknown_profile",
+            data: { name },
+            debug: { available: [...registry.keys()] },
+            title: "JWT Unknown Profile",
+            details: "No token profile is registered under that name. Register a custom profile with registerProfile() or use a built-in.",
+        });
+    }
+    return profile;
+};
+registerProfile(accessTokenProfile);
+registerProfile(clientAssertionProfile);
+registerProfile(defaultProfile);
+registerProfile(delegationProfile);
+registerProfile(erasureTokenProfile);
+registerProfile(idTokenProfile);
+registerProfile(introspectionProfile);
+registerProfile(jarmProfile);
+registerProfile(logoutTokenProfile);
+registerProfile(securityEventProfile);
+registerProfile(userinfoProfile);
+//# sourceMappingURL=registry.js.map

package/dist/internal/profiles/registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../../src/internal/profiles/registry.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAChE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAC3D,OAAO,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAC;AACtE,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAC;AACvE,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAO5D,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAwB,CAAC;AAEjD,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,OAAqB,EAAQ,EAAE;IAC7D,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AACtC,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,IAAY,EAAgB,EAAE;IAC3D,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAEnC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,QAAQ,CAAC,0BAA0B,IAAI,EAAE,EAAE;YACnD,IAAI,EAAE,qBAAqB;YAC3B,IAAI,EAAE,EAAE,IAAI,EAAE;YACd,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,EAAE;YAC1C,KAAK,EAAE,qBAAqB;YAC5B,OAAO,EACL,qHAAqH;SACxH,CAAC,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC,CAAC;AAEF,eAAe,CAAC,kBAAkB,CAAC,CAAC;AACpC,eAAe,CAAC,sBAAsB,CAAC,CAAC;AACxC,eAAe,CAAC,cAAc,CAAC,CAAC;AAChC,eAAe,CAAC,iBAAiB,CAAC,CAAC;AACnC,eAAe,CAAC,mBAAmB,CAAC,CAAC;AACrC,eAAe,CAAC,cAAc,CAAC,CAAC;AAChC,eAAe,CAAC,oBAAoB,CAAC,CAAC;AACtC,eAAe,CAAC,WAAW,CAAC,CAAC;AAC7B,eAAe,CAAC,kBAAkB,CAAC,CAAC;AACpC,eAAe,CAAC,oBAAoB,CAAC,CAAC;AACtC,eAAe,CAAC,eAAe,CAAC,CAAC"}

package/dist/internal/utils/assemble-common-claims.d.ts

@@ -0,0 +1,12 @@
+import type { KryptosAlgorithm } from "@lindorm/kryptos";
+import type { Dict } from "@lindorm/types";
+import type { ProfileSignOptions, SignContent, TokenProfile } from "../../types/index.js";
+export type AssembleCommonContext = {
+    algorithm: KryptosAlgorithm;
+    issuer: string | null;
+    now?: Date;
+};
+export declare const assembleCommonClaims: (ctx: AssembleCommonContext, profile: TokenProfile, content: SignContent & {
+    claims?: Dict;
+}, options?: ProfileSignOptions) => Dict;
+//# sourceMappingURL=assemble-common-claims.d.ts.map

package/dist/internal/utils/assemble-common-claims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assemble-common-claims.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/assemble-common-claims.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAG3C,OAAO,KAAK,EAAE,kBAAkB,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAW1F,MAAM,MAAM,qBAAqB,GAAG;IAClC,SAAS,EAAE,gBAAgB,CAAC;IAC5B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ,CAAC;AAeF,eAAO,MAAM,oBAAoB,GAC/B,KAAK,qBAAqB,EAC1B,SAAS,YAAY,EACrB,SAAS,WAAW,GAAG;IAAE,MAAM,CAAC,EAAE,IAAI,CAAA;CAAE,EACxC,UAAS,kBAAuB,KAC/B,IAyEF,CAAC"}

package/dist/internal/utils/assemble-common-claims.js

@@ -0,0 +1,66 @@
+import { expires } from "@lindorm/date";
+import { isDate, isString } from "@lindorm/is";
+import { removeUndefined } from "@lindorm/utils";
+import { CLAIM_REGISTRY } from "../claims/registry.js";
+import { enforceProfilePolicy } from "./build-profile-claims.js";
+import { createAccessTokenHash, createCodeHash, createStateHash } from "./create-hash.js";
+import { generateTokenId } from "./generate-token-id.js";
+export const assembleCommonClaims = (ctx, profile, content, options = {}) => {
+    const now = ctx.now ?? new Date();
+    const optIssuedAt = isDate(options.issuedAt) ? options.issuedAt : undefined;
+    const issuedAt = profile.autoInject.iat ? (optIssuedAt ?? now) : optIssuedAt;
+    const contentNotBefore = isDate(content.notBefore) ? content.notBefore : undefined;
+    const notBefore = profile.autoInject.nbf ? (contentNotBefore ?? now) : contentNotBefore;
+    const optTokenId = isString(options.tokenId) ? options.tokenId : undefined;
+    const tokenId = profile.autoInject.jti ? (optTokenId ?? generateTokenId()) : optTokenId;
+    const expiresAt = content.expires
+        ? expires(content.expires).expiresAt
+        : profile.lifetime != null
+            ? expires(profile.lifetime, now).expiresAt
+            : undefined;
+    const issuer = resolveIssuer(ctx, profile, content);
+    const accessTokenHash = isString(options.accessTokenHash)
+        ? options.accessTokenHash
+        : isString(content.accessToken)
+            ? createAccessTokenHash(ctx.algorithm, content.accessToken)
+            : undefined;
+    const codeHash = isString(options.codeHash)
+        ? options.codeHash
+        : isString(content.authCode)
+            ? createCodeHash(ctx.algorithm, content.authCode)
+            : undefined;
+    const stateHash = isString(options.stateHash)
+        ? options.stateHash
+        : isString(content.authState)
+            ? createStateHash(ctx.algorithm, content.authState)
+            : undefined;
+    const picked = {};
+    for (const spec of CLAIM_REGISTRY) {
+        const value = content[spec.domain];
+        if (value !== undefined)
+            picked[spec.domain] = value;
+    }
+    const common = removeUndefined({
+        ...picked,
+        issuedAt,
+        notBefore,
+        tokenId,
+        expiresAt,
+        issuer,
+        accessTokenHash,
+        codeHash,
+        stateHash,
+        ...(content.claims ?? {}),
+    });
+    enforceProfilePolicy(profile, common, options.context ?? {});
+    return common;
+};
+const resolveIssuer = (ctx, profile, content) => {
+    const contentIssuer = isString(content.issuer) ? content.issuer : undefined;
+    if (profile.issuer === "per-token")
+        return contentIssuer;
+    if (!profile.autoInject.iss)
+        return contentIssuer;
+    return ctx.issuer ?? contentIssuer;
+};
+//# sourceMappingURL=assemble-common-claims.js.map

package/dist/internal/utils/assemble-common-claims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assemble-common-claims.js","sourceRoot":"","sources":["../../../src/internal/utils/assemble-common-claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAG/C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAEvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AACjE,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAC1F,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AA2BzD,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAClC,GAA0B,EAC1B,OAAqB,EACrB,OAAwC,EACxC,UAA8B,EAAE,EAC1B,EAAE;IACR,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;IAKlC,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC;IAC5E,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IAE7E,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC;IACnF,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,gBAAgB,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC;IAExF,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IAC3E,MAAM,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAExF,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO;QAC/B,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,SAAS;QACpC,CAAC,CAAC,OAAO,CAAC,QAAQ,IAAI,IAAI;YACxB,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,SAAS;YAC1C,CAAC,CAAC,SAAS,CAAC;IAEhB,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAIpD,MAAM,eAAe,GAAG,QAAQ,CAAC,OAAO,CAAC,eAAe,CAAC;QACvD,CAAC,CAAC,OAAO,CAAC,eAAe;QACzB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC;YAC7B,CAAC,CAAC,qBAAqB,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,WAAW,CAAC;YAC3D,CAAC,CAAC,SAAS,CAAC;IAChB,MAAM,QAAQ,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;QACzC,CAAC,CAAC,OAAO,CAAC,QAAQ;QAClB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;YAC1B,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,QAAQ,CAAC;YACjD,CAAC,CAAC,SAAS,CAAC;IAChB,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC;QAC3C,CAAC,CAAC,OAAO,CAAC,SAAS;QACnB,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,CAAC;YAC3B,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC;YACnD,CAAC,CAAC,SAAS,CAAC;IAMhB,MAAM,MAAM,GAAS,EAAE,CAAC;IACxB,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,MAAM,KAAK,GAAI,OAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,KAAK,KAAK,SAAS;YAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,KAAK,CAAC;IACvD,CAAC;IAKD,MAAM,MAAM,GAAG,eAAe,CAAC;QAC7B,GAAG,MAAM;QACT,QAAQ;QACR,SAAS;QACT,OAAO;QACP,SAAS;QACT,MAAM;QACN,eAAe;QACf,QAAQ;QACR,SAAS;QACT,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;KAC1B,CAAS,CAAC;IAKX,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IAE7D,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,aAAa,GAAG,CACpB,GAA0B,EAC1B,OAAqB,EACrB,OAAoB,EACA,EAAE;IACtB,MAAM,aAAa,GAAG,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;IAE5E,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW;QAAE,OAAO,aAAa,CAAC;IACzD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG;QAAE,OAAO,aAAa,CAAC;IAElD,OAAO,GAAG,CAAC,MAAM,IAAI,aAAa,CAAC;AACrC,CAAC,CAAC"}

package/dist/internal/utils/build-profile-claims.d.ts

@@ -0,0 +1,14 @@
+import type { KryptosAlgorithm } from "@lindorm/kryptos";
+import type { Dict } from "@lindorm/types";
+import type { ProfileSignOptions, SignContent, SignContext, TokenProfile } from "../../types/index.js";
+export type BuildProfileContext = {
+    algorithm: KryptosAlgorithm;
+    issuer: string | null;
+    now?: Date;
+};
+declare const enforcePolicy: (profile: TokenProfile, claims: Dict, ctx: SignContext) => void;
+export declare const buildProfileClaims: <C extends Dict = Dict>(ctx: BuildProfileContext, profile: TokenProfile, content: SignContent & {
+    claims?: C;
+}, options?: ProfileSignOptions) => Dict;
+export { enforcePolicy as enforceProfilePolicy };
+//# sourceMappingURL=build-profile-claims.d.ts.map

package/dist/internal/utils/build-profile-claims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-profile-claims.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/build-profile-claims.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACzD,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAG3C,OAAO,KAAK,EAEV,kBAAkB,EAClB,WAAW,EACX,WAAW,EACX,YAAY,EACb,MAAM,sBAAsB,CAAC;AAU9B,MAAM,MAAM,mBAAmB,GAAG;IAChC,SAAS,EAAE,gBAAgB,CAAC;IAC5B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,GAAG,CAAC,EAAE,IAAI,CAAC;CACZ,CAAC;AAEF,QAAA,MAAM,aAAa,GAAI,SAAS,YAAY,EAAE,QAAQ,IAAI,EAAE,KAAK,WAAW,KAAG,IA2C9E,CAAC;AAcF,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,IAAI,GAAG,IAAI,EACtD,KAAK,mBAAmB,EACxB,SAAS,YAAY,EACrB,SAAS,WAAW,GAAG;IAAE,MAAM,CAAC,EAAE,CAAC,CAAA;CAAE,EACrC,UAAS,kBAAuB,KAC/B,IAuCF,CAAC;AAqBF,OAAO,EAAE,aAAa,IAAI,oBAAoB,EAAE,CAAC"}

package/dist/internal/utils/build-profile-claims.js

@@ -0,0 +1,75 @@
+import { expires, getUnixTime } from "@lindorm/date";
+import { removeUndefined } from "@lindorm/utils";
+import { JwtError } from "../../errors/index.js";
+import { generateTokenId } from "./generate-token-id.js";
+import { mapContentToClaims } from "./map-content-to-claims.js";
+const enforcePolicy = (profile, claims, ctx) => {
+    const invalid = [];
+    for (const key of profile.required) {
+        if (claims[key] === undefined) {
+            invalid.push({ key, message: `Required claim "${key}" is missing` });
+        }
+    }
+    for (const key of profile.forbidden) {
+        if (claims[key] !== undefined) {
+            invalid.push({ key, message: `Forbidden claim "${key}" is present` });
+        }
+    }
+    for (const group of profile.atLeastOneOf) {
+        if (!group.some((key) => claims[key] !== undefined)) {
+            invalid.push({
+                key: group.join("|"),
+                message: `At least one of [${group.join(", ")}] is required`,
+            });
+        }
+    }
+    for (const { claim, when } of profile.requiredWhen) {
+        if (claims[claim] === undefined && when(claims, ctx)) {
+            invalid.push({
+                key: claim,
+                message: `Conditionally required claim "${claim}" is missing`,
+            });
+        }
+    }
+    if (invalid.length > 0) {
+        throw new JwtError("Invalid token", {
+            code: "jwt_claims_invalid",
+            data: { invalid },
+            debug: { invalid, profile: profile.name },
+            title: "JWT Claims Invalid",
+            details: "The assembled claims do not satisfy the profile's required/forbidden/conditional rules.",
+        });
+    }
+};
+export const buildProfileClaims = (ctx, profile, content, options = {}) => {
+    const now = ctx.now ?? new Date();
+    const nowUnix = getUnixTime(now);
+    const mapped = mapContentToClaims({ algorithm: ctx.algorithm }, content, options);
+    const iat = profile.autoInject.iat ? (mapped.iat ?? nowUnix) : mapped.iat;
+    const nbf = profile.autoInject.nbf ? (mapped.nbf ?? nowUnix) : mapped.nbf;
+    const jti = profile.autoInject.jti ? (mapped.jti ?? generateTokenId()) : mapped.jti;
+    const exp = mapped.exp ??
+        (profile.lifetime != null ? expires(profile.lifetime, now).expiresOn : undefined);
+    const iss = resolveIssuer(ctx, profile, mapped);
+    const claims = removeUndefined({
+        ...mapped,
+        ...(content.claims ?? {}),
+        iat,
+        nbf,
+        jti,
+        exp,
+        iss,
+    });
+    return claims;
+};
+const resolveIssuer = (ctx, profile, mapped) => {
+    if (profile.issuer === "per-token") {
+        return mapped.iss;
+    }
+    if (!profile.autoInject.iss) {
+        return mapped.iss;
+    }
+    return ctx.issuer ?? mapped.iss;
+};
+export { enforcePolicy as enforceProfilePolicy };
+//# sourceMappingURL=build-profile-claims.js.map

package/dist/internal/utils/build-profile-claims.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-profile-claims.js","sourceRoot":"","sources":["../../../src/internal/utils/build-profile-claims.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAGrD,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAQjD,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAchE,MAAM,aAAa,GAAG,CAAC,OAAqB,EAAE,MAAY,EAAE,GAAgB,EAAQ,EAAE;IACpF,MAAM,OAAO,GAAwB,EAAE,CAAC;IAExC,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACnC,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,mBAAmB,GAAG,cAAc,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACpC,IAAI,MAAM,CAAC,GAAG,CAAC,KAAK,SAAS,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,oBAAoB,GAAG,cAAc,EAAE,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACzC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,EAAE,CAAC;YACpD,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;gBACpB,OAAO,EAAE,oBAAoB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,eAAe;aAC7D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACnD,IAAI,MAAM,CAAC,KAAK,CAAC,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,CAAC;YACrD,OAAO,CAAC,IAAI,CAAC;gBACX,GAAG,EAAE,KAAK;gBACV,OAAO,EAAE,iCAAiC,KAAK,cAAc;aAC9D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,QAAQ,CAAC,eAAe,EAAE;YAClC,IAAI,EAAE,oBAAoB;YAC1B,IAAI,EAAE,EAAE,OAAO,EAAE;YACjB,KAAK,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,IAAI,EAAE;YACzC,KAAK,EAAE,oBAAoB;YAC3B,OAAO,EACL,yFAAyF;SAC5F,CAAC,CAAC;IACL,CAAC;AACH,CAAC,CAAC;AAcF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAChC,GAAwB,EACxB,OAAqB,EACrB,OAAqC,EACrC,UAA8B,EAAE,EAC1B,EAAE;IACR,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAEjC,MAAM,MAAM,GAAG,kBAAkB,CAC/B,EAAE,SAAS,EAAE,GAAG,CAAC,SAAS,EAAE,EAC5B,OAAc,EACd,OAAO,CACR,CAAC;IAEF,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;IAC1E,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;IAC1E,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,IAAI,eAAe,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;IAEpF,MAAM,GAAG,GACP,MAAM,CAAC,GAAG;QACV,CAAC,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAEpF,MAAM,GAAG,GAAG,aAAa,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAMhD,MAAM,MAAM,GAAG,eAAe,CAAC;QAC7B,GAAG,MAAM;QACT,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;QACzB,GAAG;QACH,GAAG;QACH,GAAG;QACH,GAAG;QACH,GAAG;KACJ,CAAS,CAAC;IAMX,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF,MAAM,aAAa,GAAG,CACpB,GAAwB,EACxB,OAAqB,EACrB,MAAY,EACQ,EAAE;IAItB,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC,GAAyB,CAAC;IAC1C,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;QAC5B,OAAO,MAAM,CAAC,GAAyB,CAAC;IAC1C,CAAC;IAED,OAAO,GAAG,CAAC,MAAM,IAAK,MAAM,CAAC,GAA0B,CAAC;AAC1D,CAAC,CAAC;AAEF,OAAO,EAAE,aAAa,IAAI,oBAAoB,EAAE,CAAC"}

package/dist/internal/utils/compute-jwk-thumbprint.js

@@ -6,6 +6,8 @@ export const computeJwkThumbprint = (jwk) => {
 };
 const computeCanonicalJwk = (jwk) => {
     switch (jwk.kty) {
+        case "AKP":
+            return { alg: jwk.alg, kty: jwk.kty, pub: jwk.pub };
         case "EC":
             return { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
         case "RSA":
@@ -15,7 +17,12 @@ const computeCanonicalJwk = (jwk) => {
         case "oct":
             return { k: jwk.k, kty: jwk.kty };
         default:
-            throw new JwtError(`Cannot compute JWK thumbprint: unsupported kty "${String(jwk.kty)}"`);
+            throw new JwtError(`Cannot compute JWK thumbprint: unsupported kty "${String(jwk.kty)}"`, {
+                code: "jwt_jwk_unsupported_kty",
+                data: { kty: jwk.kty },
+                title: "JWT JWK Unsupported Kty",
+                details: "A JWK thumbprint can only be computed for kty EC, RSA, OKP, or oct keys; this kty is not one of them.",
+            });
     }
 };
 //# sourceMappingURL=compute-jwk-thumbprint.js.map

package/dist/internal/utils/compute-jwk-thumbprint.js.map

@@ -1 +1 @@
-{"version":3,"file":"compute-jwk-thumbprint.js","sourceRoot":"","sources":["../../../src/internal/utils/compute-jwk-thumbprint.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAUjD,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,GAAW,EAAU,EAAE;IAC1D,MAAM,SAAS,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAC3C,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;AAChD,CAAC,CAAC;AAEF,MAAM,mBAAmB,GAAG,CAAC,GAAW,EAA2B,EAAE;IACnE,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI;YACP,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;QAE5D,KAAK,KAAK;YACR,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;QAE9C,KAAK,KAAK;YACR,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;QAElD,KAAK,KAAK;YACR,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;QAEpC;YACE,MAAM,IAAI,QAAQ,CAChB,mDAAmD,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CACtE,CAAC;IACN,CAAC;AACH,CAAC,CAAC"}
+{"version":3,"file":"compute-jwk-thumbprint.js","sourceRoot":"","sources":["../../../src/internal/utils/compute-jwk-thumbprint.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,uBAAuB,CAAC;AAUjD,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,GAAW,EAAU,EAAE;IAC1D,MAAM,SAAS,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAC3C,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;AAChD,CAAC,CAAC;AAEF,MAAM,mBAAmB,GAAG,CAAC,GAAW,EAA2B,EAAE;IACnE,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;QAChB,KAAK,KAAK;YACR,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;QAEtD,KAAK,IAAI;YACP,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;QAE5D,KAAK,KAAK;YACR,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;QAE9C,KAAK,KAAK;YACR,OAAO,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,CAAC;QAElD,KAAK,KAAK;YACR,OAAO,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;QAEpC;YACE,MAAM,IAAI,QAAQ,CAChB,mDAAmD,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EACrE;gBACE,IAAI,EAAE,yBAAyB;gBAC/B,IAAI,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE;gBACtB,KAAK,EAAE,yBAAyB;gBAChC,OAAO,EACL,uGAAuG;aAC1G,CACF,CAAC;IACN,CAAC;AACH,CAAC,CAAC"}

package/dist/internal/utils/compute-typ-header.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"compute-typ-header.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/compute-typ-header.ts"],"names":[],"mappings":"AAAA,OAAO,EAA4B,KAAK,SAAS,EAAE,MAAM,+BAA+B,CAAC;AACzF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC;AAc9C,eAAO,MAAM,gBAAgB,GAC3B,WAAW,SAAS,GAAG,SAAS,EAChC,WAAW,SAAS,KACnB,MAsBF,CAAC;AAOF,eAAO,MAAM,sBAAsB,GACjC,KAAK,MAAM,GAAG,SAAS,EACvB,WAAW,SAAS,KACnB,MAAM,GAAG,SAeX,CAAC;AAQF,eAAO,MAAM,aAAa,GAAI,KAAK,MAAM,GAAG,SAAS,KAAG,eAAe,GAAG,SAczE,CAAC"}
+{"version":3,"file":"compute-typ-header.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/compute-typ-header.ts"],"names":[],"mappings":"AAAA,OAAO,EAA4B,KAAK,SAAS,EAAE,MAAM,+BAA+B,CAAC;AAEzF,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAE7D,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC;AAc9C,eAAO,MAAM,gBAAgB,GAC3B,WAAW,SAAS,GAAG,SAAS,EAChC,WAAW,SAAS,KACnB,MA4CF,CAAC;AAOF,eAAO,MAAM,sBAAsB,GACjC,KAAK,MAAM,GAAG,SAAS,EACvB,WAAW,SAAS,KACnB,MAAM,GAAG,SAiBX,CAAC;AAQF,eAAO,MAAM,aAAa,GAAI,KAAK,MAAM,GAAG,SAAS,KAAG,eAAe,GAAG,SAczE,CAAC"}

package/dist/internal/utils/compute-typ-header.js

@@ -1,4 +1,5 @@
 import { TOKEN_TYPE_TO_SHORT_NAME } from "../../constants/token-type.js";
+import { AegisError } from "../../errors/index.js";
 const FORMAT_FALLBACK = {
     jwt: "JWT",
     jws: "JWS",
@@ -13,18 +14,32 @@ export const computeTypHeader = (tokenType, kitFormat) => {
     if (tokenType === undefined)
         return FORMAT_FALLBACK[kitFormat];
     if (tokenType === "") {
-        throw new Error("tokenType cannot be an empty string");
+        throw new AegisError("tokenType cannot be an empty string", {
+            code: "invalid_token_type_value",
+            title: "Invalid Token Type Value",
+            details: "tokenType was an empty string; pass a non-empty bare type such as access_token, or omit it to use the default typ.",
+        });
     }
     if (tokenType.trim() !== tokenType || /\s/.test(tokenType)) {
-        throw new Error("tokenType cannot contain whitespace");
+        throw new AegisError("tokenType cannot contain whitespace", {
+            code: "invalid_token_type_value",
+            data: { tokenType },
+            title: "Invalid Token Type Value",
+            details: "tokenType contains whitespace; pass a single bare type token with no leading, trailing, or interior spaces.",
+        });
     }
     if (tokenType.includes("+")) {
-        throw new Error('tokenType cannot contain \'+\' — pass the bare type (e.g. "access_token"), not the full typ header (e.g. "at+jwt")');
+        throw new AegisError('tokenType cannot contain \'+\' — pass the bare type (e.g. "access_token"), not the full typ header (e.g. "at+jwt")', {
+            code: "invalid_token_type_value",
+            data: { tokenType },
+            title: "Invalid Token Type Value",
+            details: "tokenType contains a '+'; pass the bare type such as access_token, not a full typ header like at+jwt.",
+        });
     }
     const shortName = TOKEN_TYPE_TO_SHORT_NAME[tokenType] ?? tokenType;
     if (shortName === "JWT")
         return "JWT";
-    return `${shortName}${FORMAT_SUFFIX[kitFormat]}`;
+    return `application/${shortName}${FORMAT_SUFFIX[kitFormat]}`;
 };
 export const decodeTokenTypeFromTyp = (typ, kitFormat) => {
     if (!typ)
@@ -33,7 +48,7 @@ export const decodeTokenTypeFromTyp = (typ, kitFormat) => {
         return undefined;
     const suffix = FORMAT_SUFFIX[kitFormat];
     if (typ.endsWith(suffix)) {
-        const shortName = typ.slice(0, -suffix.length);
+        const shortName = typ.slice(0, -suffix.length).replace(/^application\//, "");
         for (const [tokenType, known] of Object.entries(TOKEN_TYPE_TO_SHORT_NAME)) {
             if (known === shortName)
                 return tokenType;

package/dist/internal/utils/compute-typ-header.js.map

@@ -1 +1 @@
-{"version":3,"file":"compute-typ-header.js","sourceRoot":"","sources":["../../../src/internal/utils/compute-typ-header.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAkB,MAAM,+BAA+B,CAAC;AAKzF,MAAM,eAAe,GAA8B;IACjD,GAAG,EAAE,KAAK;IACV,GAAG,EAAE,KAAK;IACV,GAAG,EAAE,KAAK;CACX,CAAC;AAEF,MAAM,aAAa,GAA8B;IAC/C,GAAG,EAAE,MAAM;IACX,GAAG,EAAE,MAAM;IACX,GAAG,EAAE,MAAM;CACZ,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAC9B,SAAgC,EAChC,SAAoB,EACZ,EAAE;IACV,IAAI,SAAS,KAAK,SAAS;QAAE,OAAO,eAAe,CAAC,SAAS,CAAC,CAAC;IAE/D,IAAI,SAAS,KAAK,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,SAAS,CAAC,IAAI,EAAE,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACb,oHAAoH,CACrH,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GACZ,wBAAmD,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC;IAG/E,IAAI,SAAS,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAEtC,OAAO,GAAG,SAAS,GAAG,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;AACnD,CAAC,CAAC;AAOF,MAAM,CAAC,MAAM,sBAAsB,GAAG,CACpC,GAAuB,EACvB,SAAoB,EACA,EAAE;IACtB,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,GAAG,KAAK,eAAe,CAAC,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IAEzD,MAAM,MAAM,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACzB,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAE/C,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC1E,IAAI,KAAK,KAAK,SAAS;gBAAE,OAAO,SAAS,CAAC;QAC5C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC;AAQF,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAAuB,EAA+B,EAAE;IACpF,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAG3B,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAChC,IAAI,GAAG,KAAK,KAAK,IAAI,GAAG,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAGhC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAEvC,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC"}
+{"version":3,"file":"compute-typ-header.js","sourceRoot":"","sources":["../../../src/internal/utils/compute-typ-header.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,wBAAwB,EAAkB,MAAM,+BAA+B,CAAC;AACzF,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAKnD,MAAM,eAAe,GAA8B;IACjD,GAAG,EAAE,KAAK;IACV,GAAG,EAAE,KAAK;IACV,GAAG,EAAE,KAAK;CACX,CAAC;AAEF,MAAM,aAAa,GAA8B;IAC/C,GAAG,EAAE,MAAM;IACX,GAAG,EAAE,MAAM;IACX,GAAG,EAAE,MAAM;CACZ,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAC9B,SAAgC,EAChC,SAAoB,EACZ,EAAE;IACV,IAAI,SAAS,KAAK,SAAS;QAAE,OAAO,eAAe,CAAC,SAAS,CAAC,CAAC;IAE/D,IAAI,SAAS,KAAK,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAAC,qCAAqC,EAAE;YAC1D,IAAI,EAAE,0BAA0B;YAChC,KAAK,EAAE,0BAA0B;YACjC,OAAO,EACL,oHAAoH;SACvH,CAAC,CAAC;IACL,CAAC;IACD,IAAI,SAAS,CAAC,IAAI,EAAE,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3D,MAAM,IAAI,UAAU,CAAC,qCAAqC,EAAE;YAC1D,IAAI,EAAE,0BAA0B;YAChC,IAAI,EAAE,EAAE,SAAS,EAAE;YACnB,KAAK,EAAE,0BAA0B;YACjC,OAAO,EACL,6GAA6G;SAChH,CAAC,CAAC;IACL,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,UAAU,CAClB,oHAAoH,EACpH;YACE,IAAI,EAAE,0BAA0B;YAChC,IAAI,EAAE,EAAE,SAAS,EAAE;YACnB,KAAK,EAAE,0BAA0B;YACjC,OAAO,EACL,uGAAuG;SAC1G,CACF,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GACZ,wBAAmD,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC;IAK/E,IAAI,SAAS,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAItC,OAAO,eAAe,SAAS,GAAG,aAAa,CAAC,SAAS,CAAC,EAAE,CAAC;AAC/D,CAAC,CAAC;AAOF,MAAM,CAAC,MAAM,sBAAsB,GAAG,CACpC,GAAuB,EACvB,SAAoB,EACA,EAAE;IACtB,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAC3B,IAAI,GAAG,KAAK,eAAe,CAAC,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IAEzD,MAAM,MAAM,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAGzB,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;QAE7E,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC1E,IAAI,KAAK,KAAK,SAAS;gBAAE,OAAO,SAAS,CAAC;QAC5C,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC;AAQF,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAAuB,EAA+B,EAAE;IACpF,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAG3B,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAChC,IAAI,GAAG,KAAK,KAAK,IAAI,GAAG,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAGhC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAEvC,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC"}

package/dist/internal/utils/create-hash.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"create-hash.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/create-hash.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAIzD,KAAK,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEnD,eAAO,MAAM,YAAY,GAAI,WAAW,gBAAgB,KAAG,YAM1D,CAAC;AAgBF,eAAO,MAAM,qBAAqB,GAChC,WAAW,gBAAgB,EAC3B,MAAM,MAAM,KACX,MAA0C,CAAC;AAE9C,eAAO,MAAM,cAAc,GAAI,WAAW,gBAAgB,EAAE,MAAM,MAAM,KAAG,MACzC,CAAC;AAEnC,eAAO,MAAM,eAAe,GAAI,WAAW,gBAAgB,EAAE,MAAM,MAAM,KAAG,MAC1C,CAAC"}
+{"version":3,"file":"create-hash.d.ts","sourceRoot":"","sources":["../../../src/internal/utils/create-hash.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAIzD,KAAK,YAAY,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEnD,eAAO,MAAM,YAAY,GAAI,WAAW,gBAAgB,KAAG,YAM1D,CAAC;AAeF,eAAO,MAAM,qBAAqB,GAChC,WAAW,gBAAgB,EAC3B,MAAM,MAAM,KACX,MAAqC,CAAC;AAEzC,eAAO,MAAM,cAAc,GAAI,WAAW,gBAAgB,EAAE,MAAM,MAAM,KAAG,MAC9C,CAAC;AAE9B,eAAO,MAAM,eAAe,GAAI,WAAW,gBAAgB,EAAE,MAAM,MAAM,KAAG,MAC/C,CAAC"}

package/dist/internal/utils/create-hash.js

@@ -8,17 +8,17 @@ export const shaAlgorithm = (algorithm) => {
         return "SHA384";
     if (algorithm.endsWith("512"))
         return "SHA512";
-    return "SHA256";
+    return "SHA512";
 };
 const createHashBuffer = (algorithm, data) => cryptoHash(algorithm).update(data, "utf8").digest();
-const getLeftBits = (buffer, bits) => buffer.subarray(0, bits / 8);
-const createHash = (algorithm, data, bits) => {
+const getLeftHalf = (buffer) => buffer.subarray(0, buffer.length / 2);
+const createHash = (algorithm, data) => {
     const sha = shaAlgorithm(algorithm);
     const buffer = createHashBuffer(sha, data);
-    const left = getLeftBits(buffer, bits);
+    const left = getLeftHalf(buffer);
     return B64.encode(left, B64U);
 };
-export const createAccessTokenHash = (algorithm, data) => createHash(algorithm, data, 128);
-export const createCodeHash = (algorithm, data) => createHash(algorithm, data, 256);
-export const createStateHash = (algorithm, data) => createHash(algorithm, data, 128);
+export const createAccessTokenHash = (algorithm, data) => createHash(algorithm, data);
+export const createCodeHash = (algorithm, data) => createHash(algorithm, data);
+export const createStateHash = (algorithm, data) => createHash(algorithm, data);
 //# sourceMappingURL=create-hash.js.map

package/dist/internal/utils/create-hash.js.map

@@ -1 +1 @@
-{"version":3,"file":"create-hash.js","sourceRoot":"","sources":["../../../src/internal/utils/create-hash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,UAAU,IAAI,UAAU,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,wBAAwB,CAAC;AAI9C,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,SAA2B,EAAgB,EAAE;IACxE,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC/C,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC/C,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAE/C,OAAO,QAAQ,CAAC;AAClB,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,CAAC,SAAuB,EAAE,IAAY,EAAU,EAAE,CACzE,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;AAEtD,MAAM,WAAW,GAAG,CAAC,MAAc,EAAE,IAAY,EAAU,EAAE,CAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;AAE/B,MAAM,UAAU,GAAG,CAAC,SAA2B,EAAE,IAAY,EAAE,IAAY,EAAU,EAAE;IACrF,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAEvC,OAAO,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAChC,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,qBAAqB,GAAG,CACnC,SAA2B,EAC3B,IAAY,EACJ,EAAE,CAAC,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;AAE9C,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,SAA2B,EAAE,IAAY,EAAU,EAAE,CAClF,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;AAEnC,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,SAA2B,EAAE,IAAY,EAAU,EAAE,CACnF,UAAU,CAAC,SAAS,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC"}
+{"version":3,"file":"create-hash.js","sourceRoot":"","sources":["../../../src/internal/utils/create-hash.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAEnC,OAAO,EAAE,UAAU,IAAI,UAAU,EAAE,MAAM,QAAQ,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,wBAAwB,CAAC;AAI9C,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,SAA2B,EAAgB,EAAE;IACxE,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC/C,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC/C,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAE/C,OAAO,QAAQ,CAAC;AAClB,CAAC,CAAC;AAEF,MAAM,gBAAgB,GAAG,CAAC,SAAuB,EAAE,IAAY,EAAU,EAAE,CACzE,UAAU,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;AAEtD,MAAM,WAAW,GAAG,CAAC,MAAc,EAAU,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;AAEtF,MAAM,UAAU,GAAG,CAAC,SAA2B,EAAE,IAAY,EAAU,EAAE;IACvE,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IAEjC,OAAO,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAChC,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,qBAAqB,GAAG,CACnC,SAA2B,EAC3B,IAAY,EACJ,EAAE,CAAC,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;AAEzC,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,SAA2B,EAAE,IAAY,EAAU,EAAE,CAClF,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;AAE9B,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,SAA2B,EAAE,IAAY,EAAU,EAAE,CACnF,UAAU,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC"}

package/dist/internal/utils/enforce-verify-floor.d.ts

@@ -0,0 +1,12 @@
+import type { Dict } from "@lindorm/types";
+import type { TokenProfile } from "../../types/index.js";
+export type VerifyFloorInput = {
+    audience: string;
+    decodedTyp: string | undefined;
+    expectedTyp?: string | undefined;
+    expectedIssuer: string | undefined;
+    payload: Dict;
+    profile: TokenProfile;
+};
+export declare const enforceVerifyFloor: (input: VerifyFloorInput) => void;
+//# sourceMappingURL=enforce-verify-floor.d.ts.map