@lit-protocol/vincent-app-sdk 0.0.7-mma → 0.0.9-mma

package/dist/src/jwt/core/validate.js

@@ -1,143 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.verify = verify;
-exports.decode = decode;
-const tslib_1 = require("tslib");
-const secp256k1 = tslib_1.__importStar(require("@noble/secp256k1"));
-const didJWT = tslib_1.__importStar(require("did-jwt"));
-const did_jwt_1 = require("did-jwt");
-const ethers_1 = require("ethers");
-const utils_1 = require("ethers/lib/utils");
-const typeGuards_1 = require("../typeGuards");
-const isExpired_1 = require("./isExpired");
-const utils_2 = require("./utils");
-/**
- * Decodes and verifies an {@link VincentJWT} token in string form
- *
- * This function returns the decoded {@link VincentJWT} object only if:
- * 1. The JWT signature is valid
- * 2. The JWT is not expired
- * 3. All time claims (nbf, iat) are valid
- * 4. The JWT has an audience claim that includes the expected audience
- *
- * @param params
- * @param jwt - The JWT string to verify
- * @param expectedAudience - String that should be in the audience claim(s)
- * @param requiredAppId - The appId that should be in the payload of the JWT. If app is not defined, or app.id is different, this method will throw.
- *
- * @returns {VincentJWT} The decoded VincentJWT object if it was verified successfully
- *
- * @category API
- * @inline
- * @expand
- * @function
- *
- * @example
- * ```typescript
- *  import { verify } from '@lit-protocol/vincent-app-sdk/jwt';
- *
- *  try {
- *    const decodedAndVerifiedVincentJWT = verify({ jwt, expectedAudience: 'https://myapp.com', requiredAppId: 555 });
- *   } catch(e) {
- *    // Handle invalid/expired JWT casew
- *  }
- * ```
- */
-function verify({ jwt, expectedAudience, requiredAppId, }) {
-    if (!expectedAudience) {
-        throw new Error(`You must provide an expectedAudience`);
-    }
-    const decoded = decode({ jwt, requiredAppId });
-    const { aud, exp, pkp } = decoded.payload;
-    if (!exp) {
-        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: JWT does not contain an expiration claim (exp)`);
-    }
-    const expired = (0, isExpired_1.isExpired)(decoded);
-    if (expired) {
-        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: JWT expired at ${exp}`);
-    }
-    (0, utils_2.validateJWTTime)(decoded.payload, Math.floor(Date.now() / 1000));
-    // Always validate audience - reject if no audience claim or expected audience isn't included
-    if (!aud) {
-        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: JWT does not contain an audience claim (aud)`);
-    }
-    const audiences = Array.isArray(aud) ? aud : [aud];
-    if (!audiences.includes(expectedAudience)) {
-        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_AUDIENCE}: Expected audience ${expectedAudience} not found in aud claim`);
-    }
-    try {
-        const { signedData, signature } = (0, utils_2.splitJWT)(jwt);
-        // Process signature from base64url to binary
-        const signatureBytes = (0, utils_2.processJWTSignature)(signature);
-        // Extract r and s values from the signature
-        const r = signatureBytes.slice(0, 32);
-        const s = signatureBytes.slice(32, 64);
-        const publicKeyBytes = (0, utils_1.arrayify)(pkp.publicKey);
-        // PKPEthersWallet.signMessage() adds Ethereum prefix, so we need to add it here too
-        const ethPrefixedMessage = '\x19Ethereum Signed Message:\n' + signedData.length + signedData;
-        const messageHash = ethers_1.ethers.utils.keccak256((0, utils_1.toUtf8Bytes)(ethPrefixedMessage));
-        const messageHashBytes = (0, utils_1.arrayify)(messageHash);
-        const signatureForSecp = new Uint8Array([...r, ...s]);
-        // Verify the signature against the public key
-        const isVerified = secp256k1.verify(signatureForSecp, messageHashBytes, publicKeyBytes);
-        if (!isVerified) {
-            throw new Error(`Signature verify() did not pass for ${signature}`);
-        }
-        return decoded;
-    }
-    catch (error) {
-        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_SIGNATURE}: Invalid signature: ${error.message}`);
-    }
-}
-/** Decodes a Vincent JWT in string form and returns an {@link VincentJWT} decoded object for your use
- *
- * @param jwt - The jwt in string form. It will be decoded and checked to be sure it is not malformed.
- * @param requiredAppId - The appId that should be in the payload of the JWT. If app is not defined, or app.id is different, this method will throw.
- *
- * <div class="box info-box">
- *   <p class="box-title info-box-title">
- *     <span class="box-icon info-icon">Info</span> Note
- *   </p>
- * This method only <i><b>decodes</b></i> the JWT_ -- you still need to {@link verify} the JWT to be sure it is valid!
- * If the JWT is expired, you need to use a {@link webAuthClient.WebAuthClient | WebAuthClient} to get a new JWT.
- *
- * See {@link webAuthClient.getWebAuthClient | getWebAuthClient}
- *
- * </div>
- * @inline
- * @expand
- * @function
- * @category API
- *
- * @example
- *  ```typescript
- *   import { decode, isExpired } from '@lit-protocol/vincent-app-sdk/jwt';
- *
- *   const decodedVincentJWT = decode({ jwt, requiredAppId: 555 });
- *   const isJWTExpired = isExpired(decodedVincentJWT);
- *
- *   if(!isJWTExpired) {
- *     // User is logged in
- *     // You still need to verify the JWT!
- *   } else {
- *     // User needs to get a new JWT
- *     webAuthClient.redirectToConnectPage({redirectUri: window.location.href });
- *   }
- *
- *  ```
- * */
-function decode({ jwt, requiredAppId, }) {
-    const decodedJwt = didJWT.decodeJWT(jwt);
-    (0, typeGuards_1.assertIsVincentJWT)(decodedJwt);
-    if (requiredAppId) {
-        if (!(0, typeGuards_1.isAppSpecificJWT)(decodedJwt)) {
-            throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: JWT is not app specific; cannot verify requiredAppId`);
-        }
-        const { app } = decodedJwt.payload;
-        if (requiredAppId !== app.id) {
-            throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: appId in JWT does not match requiredAppId. Expected ${requiredAppId}, got ${app.id} `);
-        }
-    }
-    return decodedJwt;
-}
-//# sourceMappingURL=validate.js.map

package/dist/src/jwt/core/validate.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../../src/jwt/core/validate.ts"],"names":[],"mappings":";;AAyEA,wBAwEC;AA+DD,wBA2BC;;AA3OD,oEAA8C;AAC9C,wDAAkC;AAClC,qCAAoC;AACpC,mCAAgC;AAChC,4CAAyD;AAIzD,8CAAqE;AACrE,2CAAwC;AACxC,mCAAyE;AA+BzE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,SAAgB,MAAM,CAAC,EACrB,GAAG,EACH,gBAAgB,EAChB,aAAa,GAKd;IACC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,CAAC,EAAE,GAAG,EAAE,aAAa,EAAE,CAAC,CAAC;IAC/C,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAE1C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,kDAAkD,CAAC,CAAC;IAC9F,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,qBAAS,EAAC,OAAO,CAAC,CAAC;IACnC,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,oBAAoB,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,IAAA,uBAAe,EAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAEhE,6FAA6F;IAC7F,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,gDAAgD,CAAC,CAAC;IAC5F,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAEnD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,GAAG,mBAAS,CAAC,gBAAgB,uBAAuB,gBAAgB,yBAAyB,CAC9F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAEhD,6CAA6C;QAC7C,MAAM,cAAc,GAAG,IAAA,2BAAmB,EAAC,SAAS,CAAC,CAAC;QAEtD,4CAA4C;QAC5C,MAAM,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAEvC,MAAM,cAAc,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAE/C,oFAAoF;QACpF,MAAM,kBAAkB,GAAG,gCAAgC,GAAG,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC;QAC7F,MAAM,WAAW,GAAG,eAAM,CAAC,KAAK,CAAC,SAAS,CAAC,IAAA,mBAAW,EAAC,kBAAkB,CAAC,CAAC,CAAC;QAC5E,MAAM,gBAAgB,GAAG,IAAA,gBAAQ,EAAC,WAAW,CAAC,CAAC;QAE/C,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;QAEtD,8CAA8C;QAC9C,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;QAExF,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,uCAAuC,SAAS,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,GAAG,mBAAS,CAAC,iBAAiB,wBAAyB,KAAe,CAAC,OAAO,EAAE,CACjF,CAAC;IACJ,CAAC;AACH,CAAC;AA0BD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;KAoCK;AACL,SAAgB,MAAM,CAAC,EACrB,GAAG,EACH,aAAa,GAId;IACC,MAAM,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAEzC,IAAA,+BAAkB,EAAC,UAAU,CAAC,CAAC;IAE/B,IAAI,aAAa,EAAE,CAAC;QAClB,IAAI,CAAC,IAAA,6BAAgB,EAAC,UAAU,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CACb,GAAG,mBAAS,CAAC,WAAW,wDAAwD,CACjF,CAAC;QACJ,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC;QACnC,IAAI,aAAa,KAAK,GAAG,CAAC,EAAE,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CACb,GAAG,mBAAS,CAAC,WAAW,yDAAyD,aAAa,SAAS,GAAG,CAAC,EAAE,GAAG,CACjH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC"}