@lit-protocol/vincent-app-sdk 1.0.0-1

package/dist/src/jwt/core/utils/index.d.ts

@@ -0,0 +1,6 @@
+export { isDefinedObject } from './definedObject';
+export { isJWTExpired } from './isJWTExpired';
+export { validateJWTTime } from './validateJWTTime';
+export { splitJWT } from './splitJWT';
+export { processJWTSignature } from './processJWTSignature';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/jwt/core/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AACtC,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/src/jwt/core/utils/index.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.processJWTSignature = exports.splitJWT = exports.validateJWTTime = exports.isJWTExpired = exports.isDefinedObject = void 0;
+var definedObject_1 = require("./definedObject");
+Object.defineProperty(exports, "isDefinedObject", { enumerable: true, get: function () { return definedObject_1.isDefinedObject; } });
+var isJWTExpired_1 = require("./isJWTExpired");
+Object.defineProperty(exports, "isJWTExpired", { enumerable: true, get: function () { return isJWTExpired_1.isJWTExpired; } });
+var validateJWTTime_1 = require("./validateJWTTime");
+Object.defineProperty(exports, "validateJWTTime", { enumerable: true, get: function () { return validateJWTTime_1.validateJWTTime; } });
+var splitJWT_1 = require("./splitJWT");
+Object.defineProperty(exports, "splitJWT", { enumerable: true, get: function () { return splitJWT_1.splitJWT; } });
+var processJWTSignature_1 = require("./processJWTSignature");
+Object.defineProperty(exports, "processJWTSignature", { enumerable: true, get: function () { return processJWTSignature_1.processJWTSignature; } });
+//# sourceMappingURL=index.js.map

package/dist/src/jwt/core/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/index.ts"],"names":[],"mappings":";;;AAAA,iDAAkD;AAAzC,gHAAA,eAAe,OAAA;AACxB,+CAA8C;AAArC,4GAAA,YAAY,OAAA;AACrB,qDAAoD;AAA3C,kHAAA,eAAe,OAAA;AACxB,uCAAsC;AAA7B,oGAAA,QAAQ,OAAA;AACjB,6DAA4D;AAAnD,0HAAA,mBAAmB,OAAA"}

package/dist/src/jwt/core/utils/isJWTExpired.d.ts

@@ -0,0 +1,8 @@
+import { VincentJWT } from '../../types';
+/** Checks if a JWT is expired based on its 'exp' claim
+ *
+ * @returns true if expired, false otherwise
+ * @param decodedJWT
+ */
+export declare function isJWTExpired(decodedJWT: VincentJWT): boolean;
+//# sourceMappingURL=isJWTExpired.d.ts.map

package/dist/src/jwt/core/utils/isJWTExpired.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"isJWTExpired.d.ts","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/isJWTExpired.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,UAAU,EAAE,UAAU,GAAG,OAAO,CAW5D"}

package/dist/src/jwt/core/utils/isJWTExpired.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isJWTExpired = isJWTExpired;
+/** Checks if a JWT is expired based on its 'exp' claim
+ *
+ * @returns true if expired, false otherwise
+ * @param decodedJWT
+ */
+function isJWTExpired(decodedJWT) {
+    const { payload } = decodedJWT;
+    // Tokens that never expire are treated as expired for security.
+    if (!payload.exp) {
+        return true;
+    }
+    // JWT exp is in seconds, Date.now() is in milliseconds
+    const currentTime = Math.floor(Date.now() / 1000);
+    return currentTime >= payload.exp;
+}
+//# sourceMappingURL=isJWTExpired.js.map

package/dist/src/jwt/core/utils/isJWTExpired.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isJWTExpired.js","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/isJWTExpired.ts"],"names":[],"mappings":";;AAOA,oCAWC;AAhBD;;;;GAIG;AACH,SAAgB,YAAY,CAAC,UAAsB;IACjD,MAAM,EAAE,OAAO,EAAE,GAAG,UAAU,CAAC;IAE/B,gEAAgE;IAChE,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uDAAuD;IACvD,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAClD,OAAO,WAAW,IAAI,OAAO,CAAC,GAAG,CAAC;AACpC,CAAC"}

package/dist/src/jwt/core/utils/processJWTSignature.d.ts

@@ -0,0 +1,8 @@
+/** Processes a JWT signature from base64url to binary
+ * @ignore
+ *
+ * @param signature - The base64url encoded signature string
+ * @returns A Uint8Array of the binary signature
+ */
+export declare function processJWTSignature(signature: string): Uint8Array;
+//# sourceMappingURL=processJWTSignature.d.ts.map

package/dist/src/jwt/core/utils/processJWTSignature.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"processJWTSignature.d.ts","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/processJWTSignature.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,SAAS,EAAE,MAAM,GAAG,UAAU,CAYjE"}

package/dist/src/jwt/core/utils/processJWTSignature.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.processJWTSignature = processJWTSignature;
+/** Processes a JWT signature from base64url to binary
+ * @ignore
+ *
+ * @param signature - The base64url encoded signature string
+ * @returns A Uint8Array of the binary signature
+ */
+function processJWTSignature(signature) {
+    // Convert base64url to base64
+    let base64 = signature.replace(/-/g, '+').replace(/_/g, '/');
+    // Pad with '=' if needed
+    while (base64.length % 4) {
+        base64 += '=';
+    }
+    // Decode base64 to binary
+    const binary = Buffer.from(base64, 'base64');
+    return new Uint8Array(binary);
+}
+//# sourceMappingURL=processJWTSignature.js.map

package/dist/src/jwt/core/utils/processJWTSignature.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"processJWTSignature.js","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/processJWTSignature.ts"],"names":[],"mappings":";;AAMA,kDAYC;AAlBD;;;;;GAKG;AACH,SAAgB,mBAAmB,CAAC,SAAiB;IACnD,8BAA8B;IAC9B,IAAI,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAE7D,yBAAyB;IACzB,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC;IAChB,CAAC;IAED,0BAA0B;IAC1B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7C,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC"}

package/dist/src/jwt/core/utils/splitJWT.d.ts

@@ -0,0 +1,11 @@
+/** Splits a JWT into its signed data portion and signature
+ * @ignore
+ *
+ * @param jwt - The JWT string
+ * @returns An object with signedData and signature
+ */
+export declare function splitJWT(jwt: string): {
+    signedData: string;
+    signature: string;
+};
+//# sourceMappingURL=splitJWT.d.ts.map

package/dist/src/jwt/core/utils/splitJWT.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"splitJWT.d.ts","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/splitJWT.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,CAU/E"}

package/dist/src/jwt/core/utils/splitJWT.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.splitJWT = splitJWT;
+const did_jwt_1 = require("did-jwt");
+/** Splits a JWT into its signed data portion and signature
+ * @ignore
+ *
+ * @param jwt - The JWT string
+ * @returns An object with signedData and signature
+ */
+function splitJWT(jwt) {
+    const parts = jwt.split('.');
+    if (parts.length !== 3) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: JWT format: must contain 3 parts separated by "."`);
+    }
+    return {
+        signedData: `${parts[0]}.${parts[1]}`,
+        signature: parts[2],
+    };
+}
+//# sourceMappingURL=splitJWT.js.map

package/dist/src/jwt/core/utils/splitJWT.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"splitJWT.js","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/splitJWT.ts"],"names":[],"mappings":";;AAQA,4BAUC;AAlBD,qCAAoC;AAEpC;;;;;GAKG;AACH,SAAgB,QAAQ,CAAC,GAAW;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,qDAAqD,CAAC,CAAC;IACjG,CAAC;IAED,OAAO;QACL,UAAU,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE;QACrC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC;KACpB,CAAC;AACJ,CAAC"}

package/dist/src/jwt/core/utils/validateJWTTime.d.ts

@@ -0,0 +1,12 @@
+/** Validates JWT time claims (iat and nbf)
+ * @ignore
+ *
+ * @param payload - The decoded JWT payload
+ * @param currentTime The time to compare the claims against
+ * @returns true if time claims are valid, false otherwise
+ */
+export declare function validateJWTTime(payload: {
+    nbf?: number;
+    iat?: number;
+}, currentTime: number): boolean;
+//# sourceMappingURL=validateJWTTime.d.ts.map

package/dist/src/jwt/core/utils/validateJWTTime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validateJWTTime.d.ts","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/validateJWTTime.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,wBAAgB,eAAe,CAC7B,OAAO,EAAE;IAAE,GAAG,CAAC,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,EACvC,WAAW,EAAE,MAAM,GAClB,OAAO,CAeT"}

package/dist/src/jwt/core/utils/validateJWTTime.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateJWTTime = validateJWTTime;
+const did_jwt_1 = require("did-jwt");
+/** Validates JWT time claims (iat and nbf)
+ * @ignore
+ *
+ * @param payload - The decoded JWT payload
+ * @param currentTime The time to compare the claims against
+ * @returns true if time claims are valid, false otherwise
+ */
+function validateJWTTime(payload, currentTime) {
+    // Check 'not before' claim if present
+    if (payload.nbf && currentTime < payload.nbf) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: Token not yet valid (nbf claim is in the future)`);
+    }
+    // Check 'issued at' claim if present
+    // Allow a small leeway (30 seconds) for clock skew
+    if (payload.iat && currentTime < payload.iat - 30) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: Token issued in the future (iat claim is ahead of current time)`);
+    }
+    return true;
+}
+//# sourceMappingURL=validateJWTTime.js.map

package/dist/src/jwt/core/utils/validateJWTTime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validateJWTTime.js","sourceRoot":"","sources":["../../../../../src/jwt/core/utils/validateJWTTime.ts"],"names":[],"mappings":";;AASA,0CAkBC;AA3BD,qCAAoC;AAEpC;;;;;;GAMG;AACH,SAAgB,eAAe,CAC7B,OAAuC,EACvC,WAAmB;IAEnB,sCAAsC;IACtC,IAAI,OAAO,CAAC,GAAG,IAAI,WAAW,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,oDAAoD,CAAC,CAAC;IAChG,CAAC;IAED,qCAAqC;IACrC,mDAAmD;IACnD,IAAI,OAAO,CAAC,GAAG,IAAI,WAAW,GAAG,OAAO,CAAC,GAAG,GAAG,EAAE,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CACb,GAAG,mBAAS,CAAC,WAAW,mEAAmE,CAC5F,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/src/jwt/core/validate.d.ts

@@ -0,0 +1,23 @@
+import { VincentJWT } from '../types';
+/**
+ * Decodes and verifies an {@link VincentJWT} token in string form
+ *
+ * This function returns the decoded {@link VincentJWT} object only if:
+ * 1. The JWT signature is valid
+ * 2. The JWT is not expired
+ * 3. All time claims (nbf, iat) are valid
+ * 4. The JWT has an audience claim that includes the expected audience
+ *
+ * @param {string} jwt - The JWT string to verify
+ * @param {string} expectedAudience - String that should be in the audience claim(s)
+ *
+ * @returns {VincentJWT} The decoded VincentJWT object if it was verified successfully
+ */
+export declare function verifyJWT(jwt: string, expectedAudience: string): VincentJWT;
+/** This function uses the did-jwt library to decode a JWT string into its payload adding any extra Vincent fields
+ *
+ * @param {string} jwt - The JWT string to decode
+ * @returns The decoded Vincent JWT fields
+ */
+export declare function decodeJWT(jwt: string): VincentJWT;
+//# sourceMappingURL=validate.d.ts.map

package/dist/src/jwt/core/validate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.d.ts","sourceRoot":"","sources":["../../../../src/jwt/core/validate.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAStC;;;;;;;;;;;;;GAaG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,UAAU,CAwE3E;AAED;;;;GAIG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAgBjD"}

package/dist/src/jwt/core/validate.js

@@ -0,0 +1,96 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyJWT = verifyJWT;
+exports.decodeJWT = decodeJWT;
+const tslib_1 = require("tslib");
+const secp256k1 = tslib_1.__importStar(require("@noble/secp256k1"));
+const didJWT = tslib_1.__importStar(require("did-jwt"));
+const did_jwt_1 = require("did-jwt");
+const ethers_1 = require("ethers");
+const utils_1 = require("./utils");
+/**
+ * Decodes and verifies an {@link VincentJWT} token in string form
+ *
+ * This function returns the decoded {@link VincentJWT} object only if:
+ * 1. The JWT signature is valid
+ * 2. The JWT is not expired
+ * 3. All time claims (nbf, iat) are valid
+ * 4. The JWT has an audience claim that includes the expected audience
+ *
+ * @param {string} jwt - The JWT string to verify
+ * @param {string} expectedAudience - String that should be in the audience claim(s)
+ *
+ * @returns {VincentJWT} The decoded VincentJWT object if it was verified successfully
+ */
+function verifyJWT(jwt, expectedAudience) {
+    if (!expectedAudience) {
+        throw new Error(`You must provide an expectedAudience`);
+    }
+    const decoded = decodeJWT(jwt);
+    const { aud, exp, pkp } = decoded.payload;
+    if (!exp) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: JWT does not contain an expiration claim (exp)`);
+    }
+    const isExpired = (0, utils_1.isJWTExpired)(decoded);
+    if (isExpired) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: JWT expired at ${exp}`);
+    }
+    (0, utils_1.validateJWTTime)(decoded.payload, Math.floor(Date.now() / 1000));
+    // Always validate audience - reject if no audience claim or expected audience isn't included
+    if (!aud) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: JWT does not contain an audience claim (aud)`);
+    }
+    const audiences = Array.isArray(aud) ? aud : [aud];
+    if (!audiences.includes(expectedAudience)) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_AUDIENCE}: Expected audience ${expectedAudience} not found in aud claim`);
+    }
+    try {
+        const { signedData, signature } = (0, utils_1.splitJWT)(jwt);
+        // Process signature from base64url to binary
+        const signatureBytes = (0, utils_1.processJWTSignature)(signature);
+        // Extract r and s values from the signature
+        const r = signatureBytes.slice(0, 32);
+        const s = signatureBytes.slice(32, 64);
+        // Process public key
+        let publicKey = pkp.publicKey;
+        if (publicKey.startsWith('0x')) {
+            publicKey = publicKey.substring(2);
+        }
+        const publicKeyBytes = Buffer.from(publicKey, 'hex');
+        // PKPEthersWallet.signMessage() adds Ethereum prefix, so we need to add it here too
+        const ethPrefixedMessage = '\x19Ethereum Signed Message:\n' + signedData.length + signedData;
+        const messageBuffer = Buffer.from(ethPrefixedMessage, 'utf8');
+        const messageHash = ethers_1.ethers.utils.keccak256(messageBuffer);
+        const messageHashBytes = Buffer.from(messageHash.substring(2), 'hex');
+        const signatureForSecp = new Uint8Array([...r, ...s]);
+        // Verify the signature against the public key
+        const isVerified = secp256k1.verify(signatureForSecp, messageHashBytes, publicKeyBytes);
+        if (!isVerified) {
+            throw new Error(`Signature verify() did not pass for ${signature}`);
+        }
+        return decoded;
+    }
+    catch (error) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_SIGNATURE}: Invalid signature: ${error.message}`);
+    }
+}
+/** This function uses the did-jwt library to decode a JWT string into its payload adding any extra Vincent fields
+ *
+ * @param {string} jwt - The JWT string to decode
+ * @returns The decoded Vincent JWT fields
+ */
+function decodeJWT(jwt) {
+    const decodedJwt = didJWT.decodeJWT(jwt);
+    const { app, authentication, pkp } = decodedJwt.payload;
+    if (!(0, utils_1.isDefinedObject)(app)) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: Missing "app" field in JWT payload.`);
+    }
+    if (!(0, utils_1.isDefinedObject)(authentication)) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: Missing "authentication" field in JWT payload.`);
+    }
+    if (!(0, utils_1.isDefinedObject)(pkp)) {
+        throw new Error(`${did_jwt_1.JWT_ERROR.INVALID_JWT}: Missing "pkp" field in JWT payload.`);
+    }
+    return decodedJwt;
+}
+//# sourceMappingURL=validate.js.map

package/dist/src/jwt/core/validate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validate.js","sourceRoot":"","sources":["../../../../src/jwt/core/validate.ts"],"names":[],"mappings":";;AA2BA,8BAwEC;AAOD,8BAgBC;;AA1HD,oEAA8C;AAC9C,wDAAkC;AAClC,qCAAoC;AACpC,mCAAgC;AAEhC,mCAMiB;AAEjB;;;;;;;;;;;;;GAaG;AACH,SAAgB,SAAS,CAAC,GAAW,EAAE,gBAAwB;IAC7D,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,OAAO,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAC/B,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAE1C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,kDAAkD,CAAC,CAAC;IAC9F,CAAC;IAED,MAAM,SAAS,GAAG,IAAA,oBAAY,EAAC,OAAO,CAAC,CAAC;IACxC,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,oBAAoB,GAAG,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,IAAA,uBAAe,EAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAEhE,6FAA6F;IAC7F,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,gDAAgD,CAAC,CAAC;IAC5F,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAEnD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,GAAG,mBAAS,CAAC,gBAAgB,uBAAuB,gBAAgB,yBAAyB,CAC9F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,IAAA,gBAAQ,EAAC,GAAG,CAAC,CAAC;QAEhD,6CAA6C;QAC7C,MAAM,cAAc,GAAG,IAAA,2BAAmB,EAAC,SAAS,CAAC,CAAC;QAEtD,4CAA4C;QAC5C,MAAM,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAEvC,qBAAqB;QACrB,IAAI,SAAS,GAAG,GAAG,CAAC,SAAS,CAAC;QAC9B,IAAI,SAAS,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC;QAED,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAErD,oFAAoF;QACpF,MAAM,kBAAkB,GAAG,gCAAgC,GAAG,UAAU,CAAC,MAAM,GAAG,UAAU,CAAC;QAC7F,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;QAE9D,MAAM,WAAW,GAAG,eAAM,CAAC,KAAK,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QAEtE,MAAM,gBAAgB,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;QAEtD,8CAA8C;QAC9C,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,cAAc,CAAC,CAAC;QAExF,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,uCAAuC,SAAS,EAAE,CAAC,CAAC;QACtE,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,GAAG,mBAAS,CAAC,iBAAiB,wBAAyB,KAAe,CAAC,OAAO,EAAE,CACjF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAgB,SAAS,CAAC,GAAW;IACnC,MAAM,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAEzC,MAAM,EAAE,GAAG,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC;IAExD,IAAI,CAAC,IAAA,uBAAe,EAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,uCAAuC,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,CAAC,IAAA,uBAAe,EAAC,cAAc,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,kDAAkD,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,CAAC,IAAA,uBAAe,EAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,GAAG,mBAAS,CAAC,WAAW,uCAAuC,CAAC,CAAC;IACnF,CAAC;IAED,OAAO,UAAwB,CAAC;AAClC,CAAC"}

package/dist/src/jwt/index.d.ts

@@ -0,0 +1,69 @@
+/** Helper methods for working with Vincent-issues JWTs.
+ *
+ * @module jwt
+ * @namespace
+ * @inline
+ * @category Vincent SDK API
+ */
+import { createPKPSignedJWT } from './core/create';
+import { decodeJWT, verifyJWT } from './core/validate';
+import { isJWTExpired } from './core/utils';
+/** @function
+ * @hidden
+ * */
+export declare const create: typeof createPKPSignedJWT;
+/** Decodes a Vincent JWT in string form and returns an {@link VincentJWT} decoded object for your use
+ *
+ * @function
+ * @example
+ * ```typescript
+ *   try {
+ *     const decodedVincentJWT = decode(jwt);
+ *   } catch(e) {
+ *    // Handle malformed JWT string case
+ *   }
+ *
+ *   // You still need to verify the JWT!
+ *  ```
+ * */
+export declare const decode: typeof decodeJWT;
+/**
+ * @inline
+ * @expand
+ * @function
+ *
+ * @example
+ * ```typescript
+ *  try {
+ *    const decodedAndVerifiedVincentJWT = verify(jwt, 'https://myapp.com');
+ *   } catch(e) {
+ *    // Handle invalid/expired JWT casew
+ *  }
+ * ```
+ * */
+export declare const verify: typeof verifyJWT;
+/**
+ * When a JWT is expired, you need to use {@link VincentWebAppClient.redirectToConsentPage} to get a new JWT
+ * @inline
+ * @expand
+ * @function
+ *
+ * @example
+ *  ```typescript
+ *   import { jwt } from '@lit-protocol/vincent-app-sdk';
+ *
+ *   const { decode, isExpired } = jwt;
+ *
+ *   const decodedVincentJWT = decode(jwt);
+ *   const isJWTExpired = isExpired(decodedVincentJWT);
+ *
+ *   if(!isJWTExpired) {
+ *     // User is logged in
+ *   } else {
+ *     // User needs to get a new JWT
+ *     vincentWebAppClient.redirectToConsentPage({redirectUri: window.location.href });
+ *   }
+ * ```
+ * */
+export declare const isExpired: typeof isJWTExpired;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/jwt/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/jwt/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C;;KAEK;AACL,eAAO,MAAM,MAAM,2BAAqB,CAAC;AAEzC;;;;;;;;;;;;;KAaK;AACL,eAAO,MAAM,MAAM,kBAAY,CAAC;AAEhC;;;;;;;;;;;;;KAaK;AACL,eAAO,MAAM,MAAM,kBAAY,CAAC;AAEhC;;;;;;;;;;;;;;;;;;;;;;KAsBK;AACL,eAAO,MAAM,SAAS,qBAAe,CAAC"}

package/dist/src/jwt/index.js

@@ -0,0 +1,72 @@
+"use strict";
+/** Helper methods for working with Vincent-issues JWTs.
+ *
+ * @module jwt
+ * @namespace
+ * @inline
+ * @category Vincent SDK API
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isExpired = exports.verify = exports.decode = exports.create = void 0;
+const create_1 = require("./core/create");
+const validate_1 = require("./core/validate");
+const utils_1 = require("./core/utils");
+/** @function
+ * @hidden
+ * */
+exports.create = create_1.createPKPSignedJWT;
+/** Decodes a Vincent JWT in string form and returns an {@link VincentJWT} decoded object for your use
+ *
+ * @function
+ * @example
+ * ```typescript
+ *   try {
+ *     const decodedVincentJWT = decode(jwt);
+ *   } catch(e) {
+ *    // Handle malformed JWT string case
+ *   }
+ *
+ *   // You still need to verify the JWT!
+ *  ```
+ * */
+exports.decode = validate_1.decodeJWT;
+/**
+ * @inline
+ * @expand
+ * @function
+ *
+ * @example
+ * ```typescript
+ *  try {
+ *    const decodedAndVerifiedVincentJWT = verify(jwt, 'https://myapp.com');
+ *   } catch(e) {
+ *    // Handle invalid/expired JWT casew
+ *  }
+ * ```
+ * */
+exports.verify = validate_1.verifyJWT;
+/**
+ * When a JWT is expired, you need to use {@link VincentWebAppClient.redirectToConsentPage} to get a new JWT
+ * @inline
+ * @expand
+ * @function
+ *
+ * @example
+ *  ```typescript
+ *   import { jwt } from '@lit-protocol/vincent-app-sdk';
+ *
+ *   const { decode, isExpired } = jwt;
+ *
+ *   const decodedVincentJWT = decode(jwt);
+ *   const isJWTExpired = isExpired(decodedVincentJWT);
+ *
+ *   if(!isJWTExpired) {
+ *     // User is logged in
+ *   } else {
+ *     // User needs to get a new JWT
+ *     vincentWebAppClient.redirectToConsentPage({redirectUri: window.location.href });
+ *   }
+ * ```
+ * */
+exports.isExpired = utils_1.isJWTExpired;
+//# sourceMappingURL=index.js.map

package/dist/src/jwt/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/jwt/index.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAEH,0CAAmD;AACnD,8CAAuD;AACvD,wCAA4C;AAE5C;;KAEK;AACQ,QAAA,MAAM,GAAG,2BAAkB,CAAC;AAEzC;;;;;;;;;;;;;KAaK;AACQ,QAAA,MAAM,GAAG,oBAAS,CAAC;AAEhC;;;;;;;;;;;;;KAaK;AACQ,QAAA,MAAM,GAAG,oBAAS,CAAC;AAEhC;;;;;;;;;;;;;;;;;;;;;;KAsBK;AACQ,QAAA,SAAS,GAAG,oBAAY,CAAC"}

package/dist/src/jwt/types.d.ts

@@ -0,0 +1,68 @@
+import type { PKPEthersWallet } from '@lit-protocol/pkp-ethers';
+import type { IRelayPKP } from '@lit-protocol/types';
+import type { JWTHeader, JWTPayload } from 'did-jwt';
+interface JWTDecoded {
+    header: JWTHeader;
+    payload: JWTPayload;
+    signature: string;
+    data: string;
+}
+/**
+ * Configuration interface for creating a JWT (JSON Web Token) signed by a PKP wallet.
+ * Vincent App developers will likely never need this function, as the provider of the JWT is the Vincent consent page frontend
+ *
+ * @interface JWTConfig
+ * @hidden
+ * @property {PKPEthersWallet} pkpWallet - The PKP Ethers wallet instance used for signing the JWT
+ * @property {IRelayPKP} pkp - The PKP object
+ * @property {Record<string, unknown>} payload - Custom claims to include in the JWT payload
+ * @property {number} expiresInMinutes - Token expiration time in minutes from current time
+ * @property {string} audience - The domain(s) this token is intended for (aud claim)
+ */
+export interface JWTConfig {
+    pkpWallet: PKPEthersWallet;
+    pkp: IRelayPKP;
+    payload: Record<string, unknown>;
+    expiresInMinutes: number;
+    audience: string | string[];
+    app: {
+        id: string;
+        version: number;
+    };
+    authentication: {
+        type: string;
+        value?: string;
+    };
+}
+/**
+ * Extended payload interface for Vincent-specific JWTs.
+ *
+ * @interface VincentJWTPayload
+ * @extends {JWTPayload} Extends the JWTPayload type from `did-jwt` with Vincent-specific properties
+ * @property {string} app - The app associated with the JWT.
+ * @property {string} pkp - The PKP associated with the JWT.
+ * @property {string} authentication - The authentication method used to generate the JWT.
+ */
+export interface VincentJWTPayload extends JWTPayload {
+    pkp: IRelayPKP;
+    app: {
+        id: string;
+        version: number;
+    };
+    authentication: {
+        type: string;
+        value?: string;
+    };
+}
+/**
+ * Interface representing a decoded Vincent JWT
+ *
+ * @interface VincentJWT
+ * @extends { JWTDecoded } Extends the payload provided by the JWTDecoded type from `did-jwt` with Vincent-specific properties
+ * @property {VincentJWTPayload} payload - The payload of the JWT
+ */
+export interface VincentJWT extends JWTDecoded {
+    payload: VincentJWTPayload;
+}
+export {};
+//# sourceMappingURL=types.d.ts.map

package/dist/src/jwt/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/jwt/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAChE,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGrD,UAAU,UAAU;IAClB,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,EAAE,UAAU,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,SAAS;IACxB,SAAS,EAAE,eAAe,CAAC;IAC3B,GAAG,EAAE,SAAS,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC5B,GAAG,EAAE;QACH,EAAE,EAAE,MAAM,CAAC;QACX,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,cAAc,EAAE;QACd,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAkB,SAAQ,UAAU;IACnD,GAAG,EAAE,SAAS,CAAC;IACf,GAAG,EAAE;QACH,EAAE,EAAE,MAAM,CAAC;QACX,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,cAAc,EAAE;QACd,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED;;;;;;GAMG;AACH,MAAM,WAAW,UAAW,SAAQ,UAAU;IAC5C,OAAO,EAAE,iBAAiB,CAAC;CAC5B"}

package/dist/src/jwt/types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/src/jwt/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/jwt/types.ts"],"names":[],"mappings":""}

package/dist/src/toolClient/index.d.ts

@@ -0,0 +1,2 @@
+export { getVincentToolClient } from './vincentToolClient';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/toolClient/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/toolClient/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC"}

package/dist/src/toolClient/index.js

@@ -0,0 +1,6 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getVincentToolClient = void 0;
+var vincentToolClient_1 = require("./vincentToolClient");
+Object.defineProperty(exports, "getVincentToolClient", { enumerable: true, get: function () { return vincentToolClient_1.getVincentToolClient; } });
+//# sourceMappingURL=index.js.map

package/dist/src/toolClient/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/toolClient/index.ts"],"names":[],"mappings":";;;AAAA,yDAA2D;AAAlD,yHAAA,oBAAoB,OAAA"}