@logto/node 2.2.2 → 2.4.0

package/lib/edge/index.cjs

@@ -32,7 +32,7 @@ class LogtoClient extends client.default {
     }
 }
 
-Object.defineProperty(exports, 'PersistKey', {
+Object.defineProperty(exports, "PersistKey", {
     enumerable: true,
     get: function () { return BaseClient.PersistKey; }
 });

package/lib/src/client.cjs

@@ -12,7 +12,7 @@ var BaseClient__default = /*#__PURE__*/_interopDefault(BaseClient);
 class LogtoNodeBaseClient extends BaseClient__default.default {
     constructor() {
         super(...arguments);
-        this.getContext = async ({ getAccessToken, resource, fetchUserInfo, } = {}) => {
+        this.getContext = async ({ getAccessToken, resource, fetchUserInfo, getOrganizationToken, } = {}) => {
             const isAuthenticated = await this.isAuthenticated();
             if (!isAuthenticated) {
                 return {
@@ -20,58 +20,60 @@ class LogtoNodeBaseClient extends BaseClient__default.default {
                 };
             }
             const claims = await this.getIdTokenClaims();
-            if (!getAccessToken) {
-                return {
-                    isAuthenticated,
-                    claims,
-                    userInfo: essentials.conditional(fetchUserInfo && (await this.fetchUserInfo())),
-                };
-            }
-            try {
-                const accessToken = await this.getAccessToken(resource);
-                const accessTokenClaims = await this.getAccessTokenClaims(resource);
-                return {
-                    isAuthenticated,
-                    claims: await this.getIdTokenClaims(),
-                    userInfo: essentials.conditional(fetchUserInfo && (await this.fetchUserInfo())),
-                    accessToken,
-                    scopes: accessTokenClaims.scope?.split(' '),
-                };
-            }
-            catch {
+            const { accessToken, accessTokenClaims } = getAccessToken
+                ? {
+                    accessToken: await essentials.trySafe(async () => this.getAccessToken(resource)),
+                    accessTokenClaims: await essentials.trySafe(async () => this.getAccessTokenClaims(resource)),
+                }
+                : { accessToken: undefined, accessTokenClaims: undefined };
+            if (getAccessToken && !accessToken) {
+                // Failed to get access token, the user is not authenticated
                 return {
                     isAuthenticated: false,
                 };
             }
+            const organizationTokens = essentials.conditional(getOrganizationToken &&
+                claims.organizations &&
+                Object.fromEntries(await Promise.all(claims.organizations.map(async (organizationId) => [
+                    organizationId,
+                    await this.getOrganizationToken(organizationId),
+                ]))));
+            return {
+                isAuthenticated,
+                claims,
+                userInfo: essentials.conditional(fetchUserInfo && (await this.fetchUserInfo())),
+                ...essentials.conditional(getAccessToken && { accessToken, scopes: accessTokenClaims?.scope?.split(' ') }),
+                organizationTokens,
+            };
         };
     }
 }
 
-Object.defineProperty(exports, 'LogtoClientError', {
+Object.defineProperty(exports, "LogtoClientError", {
     enumerable: true,
     get: function () { return BaseClient.LogtoClientError; }
 });
-Object.defineProperty(exports, 'LogtoError', {
+Object.defineProperty(exports, "LogtoError", {
     enumerable: true,
     get: function () { return BaseClient.LogtoError; }
 });
-Object.defineProperty(exports, 'LogtoRequestError', {
+Object.defineProperty(exports, "LogtoRequestError", {
     enumerable: true,
     get: function () { return BaseClient.LogtoRequestError; }
 });
-Object.defineProperty(exports, 'OidcError', {
+Object.defineProperty(exports, "OidcError", {
     enumerable: true,
     get: function () { return BaseClient.OidcError; }
 });
-Object.defineProperty(exports, 'Prompt', {
+Object.defineProperty(exports, "Prompt", {
     enumerable: true,
     get: function () { return BaseClient.Prompt; }
 });
-Object.defineProperty(exports, 'ReservedScope', {
+Object.defineProperty(exports, "ReservedScope", {
     enumerable: true,
     get: function () { return BaseClient.ReservedScope; }
 });
-Object.defineProperty(exports, 'UserScope', {
+Object.defineProperty(exports, "UserScope", {
     enumerable: true,
     get: function () { return BaseClient.UserScope; }
 });

package/lib/src/client.d.ts

@@ -4,5 +4,5 @@ export type { LogtoContext, GetContextParameters } from './types.js';
 export type { IdTokenClaims, LogtoErrorCode, LogtoConfig, LogtoClientErrorCode, Storage, StorageKey, InteractionMode, } from '@logto/client';
 export { LogtoError, LogtoRequestError, LogtoClientError, OidcError, Prompt, ReservedScope, UserScope, } from '@logto/client';
 export default class LogtoNodeBaseClient extends BaseClient {
-    getContext: ({ getAccessToken, resource, fetchUserInfo, }?: GetContextParameters) => Promise<LogtoContext>;
+    getContext: ({ getAccessToken, resource, fetchUserInfo, getOrganizationToken, }?: GetContextParameters) => Promise<LogtoContext>;
 }

package/lib/src/client.js

@@ -1,11 +1,11 @@
 import BaseClient from '@logto/client';
 export { LogtoClientError, LogtoError, LogtoRequestError, OidcError, Prompt, ReservedScope, UserScope } from '@logto/client';
-import { conditional } from '@silverhand/essentials';
+import { trySafe, conditional } from '@silverhand/essentials';
 
 class LogtoNodeBaseClient extends BaseClient {
     constructor() {
         super(...arguments);
-        this.getContext = async ({ getAccessToken, resource, fetchUserInfo, } = {}) => {
+        this.getContext = async ({ getAccessToken, resource, fetchUserInfo, getOrganizationToken, } = {}) => {
             const isAuthenticated = await this.isAuthenticated();
             if (!isAuthenticated) {
                 return {
@@ -13,29 +13,31 @@ class LogtoNodeBaseClient extends BaseClient {
                 };
             }
             const claims = await this.getIdTokenClaims();
-            if (!getAccessToken) {
-                return {
-                    isAuthenticated,
-                    claims,
-                    userInfo: conditional(fetchUserInfo && (await this.fetchUserInfo())),
-                };
-            }
-            try {
-                const accessToken = await this.getAccessToken(resource);
-                const accessTokenClaims = await this.getAccessTokenClaims(resource);
-                return {
-                    isAuthenticated,
-                    claims: await this.getIdTokenClaims(),
-                    userInfo: conditional(fetchUserInfo && (await this.fetchUserInfo())),
-                    accessToken,
-                    scopes: accessTokenClaims.scope?.split(' '),
-                };
-            }
-            catch {
+            const { accessToken, accessTokenClaims } = getAccessToken
+                ? {
+                    accessToken: await trySafe(async () => this.getAccessToken(resource)),
+                    accessTokenClaims: await trySafe(async () => this.getAccessTokenClaims(resource)),
+                }
+                : { accessToken: undefined, accessTokenClaims: undefined };
+            if (getAccessToken && !accessToken) {
+                // Failed to get access token, the user is not authenticated
                 return {
                     isAuthenticated: false,
                 };
             }
+            const organizationTokens = conditional(getOrganizationToken &&
+                claims.organizations &&
+                Object.fromEntries(await Promise.all(claims.organizations.map(async (organizationId) => [
+                    organizationId,
+                    await this.getOrganizationToken(organizationId),
+                ]))));
+            return {
+                isAuthenticated,
+                claims,
+                userInfo: conditional(fetchUserInfo && (await this.fetchUserInfo())),
+                ...conditional(getAccessToken && { accessToken, scopes: accessTokenClaims?.scope?.split(' ') }),
+                organizationTokens,
+            };
         };
     }
 }

package/lib/src/index.cjs

@@ -3,22 +3,18 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var BaseClient = require('@logto/client');
-var fetch = require('node-fetch');
+var generators = require('../edge/generators.cjs');
 var client = require('./client.cjs');
-var generators = require('./utils/generators.cjs');
-
-function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
-
-var fetch__default = /*#__PURE__*/_interopDefault(fetch);
+var session = require('./utils/session.cjs');
+var cookieStorage = require('./utils/cookie-storage.cjs');
 
 class LogtoClient extends client.default {
-    constructor(config, adapter) {
+    constructor(config, adapter, buildJwtVerifier) {
         super(config, {
-            ...adapter,
             requester: BaseClient.createRequester(config.appSecret
                 ? async (...args) => {
                     const [input, init] = args;
-                    return fetch__default.default(input, {
+                    return fetch(input, {
                         ...init,
                         headers: {
                             Authorization: `Basic ${Buffer.from(
@@ -28,60 +24,69 @@ class LogtoClient extends client.default {
                         },
                     });
                 }
-                : fetch__default.default),
+                : fetch),
             generateCodeChallenge: generators.generateCodeChallenge,
             generateCodeVerifier: generators.generateCodeVerifier,
             generateState: generators.generateState,
-        });
+            ...adapter,
+        }, buildJwtVerifier);
     }
 }
 
-Object.defineProperty(exports, 'LogtoClientError', {
+Object.defineProperty(exports, "LogtoClientError", {
     enumerable: true,
     get: function () { return BaseClient.LogtoClientError; }
 });
-Object.defineProperty(exports, 'LogtoError', {
+Object.defineProperty(exports, "LogtoError", {
     enumerable: true,
     get: function () { return BaseClient.LogtoError; }
 });
-Object.defineProperty(exports, 'LogtoRequestError', {
+Object.defineProperty(exports, "LogtoRequestError", {
     enumerable: true,
     get: function () { return BaseClient.LogtoRequestError; }
 });
-Object.defineProperty(exports, 'OidcError', {
+Object.defineProperty(exports, "OidcError", {
     enumerable: true,
     get: function () { return BaseClient.OidcError; }
 });
-Object.defineProperty(exports, 'PersistKey', {
+Object.defineProperty(exports, "PersistKey", {
     enumerable: true,
     get: function () { return BaseClient.PersistKey; }
 });
-Object.defineProperty(exports, 'Prompt', {
+Object.defineProperty(exports, "Prompt", {
     enumerable: true,
     get: function () { return BaseClient.Prompt; }
 });
-Object.defineProperty(exports, 'ReservedResource', {
+Object.defineProperty(exports, "ReservedResource", {
     enumerable: true,
     get: function () { return BaseClient.ReservedResource; }
 });
-Object.defineProperty(exports, 'ReservedScope', {
+Object.defineProperty(exports, "ReservedScope", {
     enumerable: true,
     get: function () { return BaseClient.ReservedScope; }
 });
-Object.defineProperty(exports, 'UserScope', {
+Object.defineProperty(exports, "StandardLogtoClient", {
+    enumerable: true,
+    get: function () { return BaseClient.StandardLogtoClient; }
+});
+Object.defineProperty(exports, "UserScope", {
     enumerable: true,
     get: function () { return BaseClient.UserScope; }
 });
-Object.defineProperty(exports, 'buildOrganizationUrn', {
+Object.defineProperty(exports, "buildOrganizationUrn", {
     enumerable: true,
     get: function () { return BaseClient.buildOrganizationUrn; }
 });
-Object.defineProperty(exports, 'getOrganizationIdFromUrn', {
+Object.defineProperty(exports, "getOrganizationIdFromUrn", {
     enumerable: true,
     get: function () { return BaseClient.getOrganizationIdFromUrn; }
 });
-Object.defineProperty(exports, 'organizationUrnPrefix', {
+Object.defineProperty(exports, "organizationUrnPrefix", {
     enumerable: true,
     get: function () { return BaseClient.organizationUrnPrefix; }
 });
+exports.createSession = session.createSession;
+exports.unwrapSession = session.unwrapSession;
+exports.wrapSession = session.wrapSession;
+exports.CookieStorage = cookieStorage.CookieStorage;
 exports.default = LogtoClient;

package/lib/src/index.d.ts

@@ -1,8 +1,10 @@
-import type { LogtoConfig, ClientAdapter } from '@logto/client';
+import type { LogtoConfig, ClientAdapter, StandardLogtoClient, JwtVerifier } from '@logto/client';
 import BaseClient from './client.js';
 export type { LogtoContext, GetContextParameters } from './types.js';
-export type { IdTokenClaims, LogtoErrorCode, LogtoConfig, LogtoClientErrorCode, Storage, StorageKey, InteractionMode, } from '@logto/client';
-export { LogtoError, LogtoRequestError, LogtoClientError, OidcError, Prompt, ReservedScope, ReservedResource, UserScope, organizationUrnPrefix, buildOrganizationUrn, getOrganizationIdFromUrn, PersistKey, } from '@logto/client';
+export * from './utils/session.js';
+export * from './utils/cookie-storage.js';
+export type { IdTokenClaims, LogtoErrorCode, LogtoConfig, LogtoClientErrorCode, Storage, StorageKey, InteractionMode, ClientAdapter, JwtVerifier, UserInfoResponse, } from '@logto/client';
+export { LogtoError, LogtoRequestError, LogtoClientError, OidcError, Prompt, ReservedScope, ReservedResource, UserScope, organizationUrnPrefix, buildOrganizationUrn, getOrganizationIdFromUrn, PersistKey, StandardLogtoClient, } from '@logto/client';
 export default class LogtoClient extends BaseClient {
-    constructor(config: LogtoConfig, adapter: Pick<ClientAdapter, 'navigate' | 'storage'>);
+    constructor(config: LogtoConfig, adapter: Partial<ClientAdapter> & Pick<ClientAdapter, 'navigate' | 'storage'>, buildJwtVerifier?: (client: StandardLogtoClient) => JwtVerifier);
 }

package/lib/src/index.js

@@ -1,13 +1,13 @@
 import { createRequester } from '@logto/client';
-export { LogtoClientError, LogtoError, LogtoRequestError, OidcError, PersistKey, Prompt, ReservedResource, ReservedScope, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, organizationUrnPrefix } from '@logto/client';
-import fetch from 'node-fetch';
+export { LogtoClientError, LogtoError, LogtoRequestError, OidcError, PersistKey, Prompt, ReservedResource, ReservedScope, StandardLogtoClient, UserScope, buildOrganizationUrn, getOrganizationIdFromUrn, organizationUrnPrefix } from '@logto/client';
+import { generateCodeChallenge, generateCodeVerifier, generateState } from '../edge/generators.js';
 import LogtoNodeBaseClient from './client.js';
-import { generateCodeChallenge, generateCodeVerifier, generateState } from './utils/generators.js';
+export { createSession, unwrapSession, wrapSession } from './utils/session.js';
+export { CookieStorage } from './utils/cookie-storage.js';
 
 class LogtoClient extends LogtoNodeBaseClient {
-    constructor(config, adapter) {
+    constructor(config, adapter, buildJwtVerifier) {
         super(config, {
-            ...adapter,
             requester: createRequester(config.appSecret
                 ? async (...args) => {
                     const [input, init] = args;
@@ -25,7 +25,8 @@ class LogtoClient extends LogtoNodeBaseClient {
             generateCodeChallenge,
             generateCodeVerifier,
             generateState,
-        });
+            ...adapter,
+        }, buildJwtVerifier);
     }
 }
 

package/lib/src/types.d.ts

@@ -10,9 +10,11 @@ export type LogtoContext = {
     accessToken?: string;
     userInfo?: UserInfoResponse;
     scopes?: string[];
+    organizationTokens?: Record<string, string>;
 };
 export type GetContextParameters = {
     fetchUserInfo?: boolean;
     getAccessToken?: boolean;
     resource?: string;
+    getOrganizationToken?: boolean;
 };

package/lib/src/utils/cookie-storage.cjs

@@ -0,0 +1,61 @@
+'use strict';
+
+var promiseQueue = require('./promise-queue.cjs');
+var session = require('./session.cjs');
+
+/**
+ * A storage that persists data in cookies with encryption.
+ */
+class CookieStorage {
+    get cookieOptions() {
+        return Object.freeze({
+            httpOnly: true,
+            path: '/',
+            sameSite: 'lax',
+            secure: this.#isSecure,
+            maxAge: 14 * 24 * 3600, // 14 days
+        });
+    }
+    get cookieKey() {
+        return this.config.cookieKey ?? 'logtoCookies';
+    }
+    get data() {
+        return this.sessionData;
+    }
+    #isSecure;
+    constructor(config, request) {
+        this.config = config;
+        this.sessionData = {};
+        this.saveQueue = new promiseQueue.PromiseQueue();
+        if (!config.encryptionKey) {
+            throw new TypeError('The `encryptionKey` string is required for `CookieStorage`');
+        }
+        this.#isSecure =
+            request.headers.get('x-forwarded-proto') === 'https' || request.url.startsWith('https');
+    }
+    async init() {
+        const { encryptionKey } = this.config;
+        this.sessionData = await session.unwrapSession(this.config.getCookie(this.cookieKey) ?? '', encryptionKey);
+    }
+    async getItem(key) {
+        return this.sessionData[key] ?? null;
+    }
+    async setItem(key, value) {
+        this.sessionData[key] = value;
+        await this.save();
+    }
+    async removeItem(key) {
+        // eslint-disable-next-line @silverhand/fp/no-delete, @typescript-eslint/no-dynamic-delete
+        delete this.sessionData[key];
+        await this.save();
+    }
+    async save() {
+        return this.saveQueue.enqueue(async () => this.write());
+    }
+    async write(data = this.sessionData) {
+        const { encryptionKey } = this.config;
+        this.config.setCookie(this.cookieKey, await session.wrapSession(data, encryptionKey), this.cookieOptions);
+    }
+}
+
+exports.CookieStorage = CookieStorage;

package/lib/src/utils/cookie-storage.d.ts

@@ -0,0 +1,45 @@
+import { type PersistKey, type Storage } from '@logto/client';
+import type { CookieSerializeOptions } from 'cookie';
+import { PromiseQueue } from './promise-queue.js';
+import { type SessionData } from './session.js';
+type Nullable<T> = T | null;
+export type CookieConfig = {
+    /** The encryption key to encrypt the session data. It should be a random string. */
+    encryptionKey: string;
+    /** The name of the cookie key. Default to `logtoCookies`. */
+    cookieKey?: string;
+    getCookie: (name: string) => string | undefined;
+    setCookie: (name: string, value: string, options: CookieSerializeOptions & {
+        path: string;
+    }) => void;
+};
+export type PartialRequest = {
+    headers: Headers;
+    url: string;
+};
+/**
+ * A storage that persists data in cookies with encryption.
+ */
+export declare class CookieStorage implements Storage<PersistKey> {
+    #private;
+    config: CookieConfig;
+    protected get cookieOptions(): Readonly<{
+        httpOnly: true;
+        path: string;
+        sameSite: "lax";
+        secure: boolean;
+        maxAge: number;
+    }>;
+    protected get cookieKey(): string;
+    get data(): SessionData;
+    protected sessionData: SessionData;
+    protected saveQueue: PromiseQueue;
+    constructor(config: CookieConfig, request: PartialRequest);
+    init(): Promise<void>;
+    getItem(key: PersistKey): Promise<Nullable<string>>;
+    setItem(key: PersistKey, value: string): Promise<void>;
+    removeItem(key: PersistKey): Promise<void>;
+    protected save(): Promise<void>;
+    protected write(data?: SessionData): Promise<void>;
+}
+export {};

package/lib/src/utils/cookie-storage.js

@@ -0,0 +1,59 @@
+import { PromiseQueue } from './promise-queue.js';
+import { unwrapSession, wrapSession } from './session.js';
+
+/**
+ * A storage that persists data in cookies with encryption.
+ */
+class CookieStorage {
+    get cookieOptions() {
+        return Object.freeze({
+            httpOnly: true,
+            path: '/',
+            sameSite: 'lax',
+            secure: this.#isSecure,
+            maxAge: 14 * 24 * 3600, // 14 days
+        });
+    }
+    get cookieKey() {
+        return this.config.cookieKey ?? 'logtoCookies';
+    }
+    get data() {
+        return this.sessionData;
+    }
+    #isSecure;
+    constructor(config, request) {
+        this.config = config;
+        this.sessionData = {};
+        this.saveQueue = new PromiseQueue();
+        if (!config.encryptionKey) {
+            throw new TypeError('The `encryptionKey` string is required for `CookieStorage`');
+        }
+        this.#isSecure =
+            request.headers.get('x-forwarded-proto') === 'https' || request.url.startsWith('https');
+    }
+    async init() {
+        const { encryptionKey } = this.config;
+        this.sessionData = await unwrapSession(this.config.getCookie(this.cookieKey) ?? '', encryptionKey);
+    }
+    async getItem(key) {
+        return this.sessionData[key] ?? null;
+    }
+    async setItem(key, value) {
+        this.sessionData[key] = value;
+        await this.save();
+    }
+    async removeItem(key) {
+        // eslint-disable-next-line @silverhand/fp/no-delete, @typescript-eslint/no-dynamic-delete
+        delete this.sessionData[key];
+        await this.save();
+    }
+    async save() {
+        return this.saveQueue.enqueue(async () => this.write());
+    }
+    async write(data = this.sessionData) {
+        const { encryptionKey } = this.config;
+        this.config.setCookie(this.cookieKey, await wrapSession(data, encryptionKey), this.cookieOptions);
+    }
+}
+
+export { CookieStorage };

package/lib/src/utils/promise-queue.cjs

@@ -0,0 +1,46 @@
+'use strict';
+
+/**
+ * A simple promise queue that processes tasks sequentially in the order they are enqueued.
+ */
+class PromiseQueue {
+    constructor() {
+        this.queue = [];
+        this.processing = false;
+    }
+    async enqueue(task) {
+        return new Promise((resolve, reject) => {
+            // Wrap the task along with its resolve and reject callbacks
+            const wrappedTask = async () => {
+                try {
+                    resolve(await task());
+                }
+                catch (error) {
+                    reject(error);
+                }
+            };
+            // eslint-disable-next-line @silverhand/fp/no-mutating-methods
+            this.queue.push(wrappedTask);
+            if (!this.processing) {
+                void this.processQueue();
+            }
+        });
+    }
+    async processQueue() {
+        if (this.processing) {
+            return;
+        }
+        this.processing = true;
+        while (this.queue.length > 0) {
+            // eslint-disable-next-line @silverhand/fp/no-mutating-methods
+            const task = this.queue.shift();
+            if (task) {
+                // eslint-disable-next-line no-await-in-loop
+                await task();
+            }
+        }
+        this.processing = false;
+    }
+}
+
+exports.PromiseQueue = PromiseQueue;

package/lib/src/utils/promise-queue.d.ts

@@ -0,0 +1,9 @@
+/**
+ * A simple promise queue that processes tasks sequentially in the order they are enqueued.
+ */
+export declare class PromiseQueue {
+    private readonly queue;
+    private processing;
+    enqueue<T>(task: () => Promise<T>): Promise<T>;
+    private processQueue;
+}

package/lib/src/utils/promise-queue.js

@@ -0,0 +1,44 @@
+/**
+ * A simple promise queue that processes tasks sequentially in the order they are enqueued.
+ */
+class PromiseQueue {
+    constructor() {
+        this.queue = [];
+        this.processing = false;
+    }
+    async enqueue(task) {
+        return new Promise((resolve, reject) => {
+            // Wrap the task along with its resolve and reject callbacks
+            const wrappedTask = async () => {
+                try {
+                    resolve(await task());
+                }
+                catch (error) {
+                    reject(error);
+                }
+            };
+            // eslint-disable-next-line @silverhand/fp/no-mutating-methods
+            this.queue.push(wrappedTask);
+            if (!this.processing) {
+                void this.processQueue();
+            }
+        });
+    }
+    async processQueue() {
+        if (this.processing) {
+            return;
+        }
+        this.processing = true;
+        while (this.queue.length > 0) {
+            // eslint-disable-next-line @silverhand/fp/no-mutating-methods
+            const task = this.queue.shift();
+            if (task) {
+                // eslint-disable-next-line no-await-in-loop
+                await task();
+            }
+        }
+        this.processing = false;
+    }
+}
+
+export { PromiseQueue };

package/lib/src/utils/session.cjs

@@ -0,0 +1,73 @@
+'use strict';
+
+async function getKeyFromPassword(password, crypto) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(password);
+    const hash = await crypto.subtle.digest('SHA-256', data);
+    // Convert the hash to a hex string
+    return Array.from(new Uint8Array(hash))
+        .map((byte) => byte.toString(16).padStart(2, '0'))
+        .join('');
+}
+async function encrypt(text, password, crypto) {
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const encodedPlaintext = new TextEncoder().encode(text);
+    const secretKey = await crypto.subtle.importKey('raw', Buffer.from(await getKeyFromPassword(password, crypto), 'hex'), {
+        name: 'AES-GCM',
+        length: 256,
+    }, true, ['encrypt', 'decrypt']);
+    const ciphertext = await crypto.subtle.encrypt({
+        name: 'AES-GCM',
+        iv,
+    }, secretKey, encodedPlaintext);
+    return {
+        ciphertext: Buffer.from(ciphertext).toString('base64'),
+        iv: Buffer.from(iv).toString('base64'),
+    };
+}
+async function decrypt(ciphertext, iv, password, crypto) {
+    const secretKey = await crypto.subtle.importKey('raw', Buffer.from(await getKeyFromPassword(password, crypto), 'hex'), {
+        name: 'AES-GCM',
+        length: 256,
+    }, true, ['encrypt', 'decrypt']);
+    const cleartext = await crypto.subtle.decrypt({
+        name: 'AES-GCM',
+        iv: Buffer.from(iv, 'base64'),
+    }, secretKey, Buffer.from(ciphertext, 'base64'));
+    return new TextDecoder().decode(cleartext);
+}
+const unwrapSession = async (cookie, secret, crypto = global.crypto) => {
+    try {
+        const [ciphertext, iv] = cookie.split('.');
+        if (!ciphertext || !iv) {
+            return {};
+        }
+        const decrypted = await decrypt(ciphertext, iv, secret, crypto);
+        // eslint-disable-next-line no-restricted-syntax
+        return JSON.parse(decrypted);
+    }
+    catch {
+        // Ignore invalid session
+    }
+    return {};
+};
+const wrapSession = async (session, secret, crypto = global.crypto) => {
+    const { ciphertext, iv } = await encrypt(JSON.stringify(session), secret, crypto);
+    return `${ciphertext}.${iv}`;
+};
+const createSession = async ({ secret, crypto }, cookie, setCookie) => {
+    const data = await unwrapSession(cookie, secret, crypto);
+    const getValues = async () => wrapSession(session, secret, crypto);
+    const session = {
+        ...data,
+        save: async () => {
+            setCookie?.(await getValues());
+        },
+        getValues,
+    };
+    return session;
+};
+
+exports.createSession = createSession;
+exports.unwrapSession = unwrapSession;
+exports.wrapSession = wrapSession;

package/lib/src/utils/session.d.ts

@@ -0,0 +1,19 @@
+import { type PersistKey } from '@logto/client';
+export type SessionData = {
+    [PersistKey.AccessToken]?: string;
+    [PersistKey.IdToken]?: string;
+    [PersistKey.SignInSession]?: string;
+    [PersistKey.RefreshToken]?: string;
+};
+export type Session = SessionData & {
+    save: () => Promise<void>;
+    getValues?: () => Promise<string>;
+};
+export declare const unwrapSession: (cookie: string, secret: string, crypto?: Crypto) => Promise<SessionData>;
+export declare const wrapSession: (session: SessionData, secret: string, crypto?: Crypto) => Promise<string>;
+type SessionConfigs = {
+    secret: string;
+    crypto: Crypto;
+};
+export declare const createSession: ({ secret, crypto }: SessionConfigs, cookie: string, setCookie?: ((value: string) => void) | undefined) => Promise<Session>;
+export {};

package/lib/src/utils/session.js

@@ -0,0 +1,69 @@
+async function getKeyFromPassword(password, crypto) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(password);
+    const hash = await crypto.subtle.digest('SHA-256', data);
+    // Convert the hash to a hex string
+    return Array.from(new Uint8Array(hash))
+        .map((byte) => byte.toString(16).padStart(2, '0'))
+        .join('');
+}
+async function encrypt(text, password, crypto) {
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const encodedPlaintext = new TextEncoder().encode(text);
+    const secretKey = await crypto.subtle.importKey('raw', Buffer.from(await getKeyFromPassword(password, crypto), 'hex'), {
+        name: 'AES-GCM',
+        length: 256,
+    }, true, ['encrypt', 'decrypt']);
+    const ciphertext = await crypto.subtle.encrypt({
+        name: 'AES-GCM',
+        iv,
+    }, secretKey, encodedPlaintext);
+    return {
+        ciphertext: Buffer.from(ciphertext).toString('base64'),
+        iv: Buffer.from(iv).toString('base64'),
+    };
+}
+async function decrypt(ciphertext, iv, password, crypto) {
+    const secretKey = await crypto.subtle.importKey('raw', Buffer.from(await getKeyFromPassword(password, crypto), 'hex'), {
+        name: 'AES-GCM',
+        length: 256,
+    }, true, ['encrypt', 'decrypt']);
+    const cleartext = await crypto.subtle.decrypt({
+        name: 'AES-GCM',
+        iv: Buffer.from(iv, 'base64'),
+    }, secretKey, Buffer.from(ciphertext, 'base64'));
+    return new TextDecoder().decode(cleartext);
+}
+const unwrapSession = async (cookie, secret, crypto = global.crypto) => {
+    try {
+        const [ciphertext, iv] = cookie.split('.');
+        if (!ciphertext || !iv) {
+            return {};
+        }
+        const decrypted = await decrypt(ciphertext, iv, secret, crypto);
+        // eslint-disable-next-line no-restricted-syntax
+        return JSON.parse(decrypted);
+    }
+    catch {
+        // Ignore invalid session
+    }
+    return {};
+};
+const wrapSession = async (session, secret, crypto = global.crypto) => {
+    const { ciphertext, iv } = await encrypt(JSON.stringify(session), secret, crypto);
+    return `${ciphertext}.${iv}`;
+};
+const createSession = async ({ secret, crypto }, cookie, setCookie) => {
+    const data = await unwrapSession(cookie, secret, crypto);
+    const getValues = async () => wrapSession(session, secret, crypto);
+    const session = {
+        ...data,
+        save: async () => {
+            setCookie?.(await getValues());
+        },
+        getValues,
+    };
+    return session;
+};
+
+export { createSession, unwrapSession, wrapSession };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/node",
-  "version": "2.2.2",
+  "version": "2.4.0",
   "type": "module",
   "main": "./lib/src/index.cjs",
   "module": "./lib/src/index.js",
@@ -27,25 +27,25 @@
     "directory": "packages/node"
   },
   "dependencies": {
-    "@logto/client": "^2.3.1",
-    "@silverhand/essentials": "^2.6.2",
-    "js-base64": "^3.7.4",
-    "node-fetch": "^2.6.7"
+    "@logto/client": "^2.4.0",
+    "@silverhand/essentials": "^2.8.7",
+    "js-base64": "^3.7.4"
   },
   "devDependencies": {
-    "@silverhand/eslint-config": "^4.0.1",
-    "@silverhand/ts-config": "^4.0.0",
+    "@silverhand/eslint-config": "^5.0.0",
+    "@silverhand/ts-config": "^5.0.0",
     "@swc/core": "^1.3.7",
     "@swc/jest": "^0.2.24",
+    "@types/cookie": "^0.6.0",
     "@types/jest": "^29.5.0",
-    "@types/node": "^18.15.11",
+    "@types/node": "^20.11.19",
     "eslint": "^8.44.0",
     "jest": "^29.5.0",
     "jest-location-mock": "^2.0.0",
     "jest-matcher-specific-error": "^1.0.0",
     "lint-staged": "^15.0.0",
     "prettier": "^3.0.0",
-    "typescript": "^5.0.0"
+    "typescript": "^5.3.3"
   },
   "eslintConfig": {
     "extends": "@silverhand",

package/lib/src/index.test.d.ts

@@ -1 +0,0 @@
-export {};

package/lib/src/utils/generators.cjs

@@ -1,37 +0,0 @@
-'use strict';
-
-var crypto = require('crypto');
-var jsBase64 = require('js-base64');
-
-/** @link [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636) */
-/**
- * @param length The length of the raw random data.
- */
-const generateRandomString = (length = 64) => jsBase64.fromUint8Array(crypto.randomFillSync(new Uint8Array(length)), true);
-/**
- * Generates random string for state and encodes them in url safe base64
- */
-const generateState = () => generateRandomString();
-/**
- * Generates code verifier
- *
- * @link [Client Creates a Code Verifier](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1)
- */
-const generateCodeVerifier = () => generateRandomString();
-/**
- * Calculates the S256 PKCE code challenge for an arbitrary code verifier and encodes it in url safe base64
- *
- * @param {String} codeVerifier Code verifier to calculate the S256 code challenge for
- * @link [Client Creates the Code Challenge](https://datatracker.ietf.org/doc/html/rfc7636#section-4.2)
- */
-const generateCodeChallenge = async (codeVerifier) => {
-    const encodedCodeVerifier = new TextEncoder().encode(codeVerifier);
-    const hash = crypto.createHash('sha256');
-    hash.update(encodedCodeVerifier);
-    const codeChallenge = hash.digest();
-    return jsBase64.fromUint8Array(codeChallenge, true);
-};
-
-exports.generateCodeChallenge = generateCodeChallenge;
-exports.generateCodeVerifier = generateCodeVerifier;
-exports.generateState = generateState;

package/lib/src/utils/generators.d.ts

@@ -1,17 +0,0 @@
-/**
- * Generates random string for state and encodes them in url safe base64
- */
-export declare const generateState: () => string;
-/**
- * Generates code verifier
- *
- * @link [Client Creates a Code Verifier](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1)
- */
-export declare const generateCodeVerifier: () => string;
-/**
- * Calculates the S256 PKCE code challenge for an arbitrary code verifier and encodes it in url safe base64
- *
- * @param {String} codeVerifier Code verifier to calculate the S256 code challenge for
- * @link [Client Creates the Code Challenge](https://datatracker.ietf.org/doc/html/rfc7636#section-4.2)
- */
-export declare const generateCodeChallenge: (codeVerifier: string) => Promise<string>;

package/lib/src/utils/generators.js

@@ -1,33 +0,0 @@
-import { createHash, randomFillSync } from 'crypto';
-import { fromUint8Array } from 'js-base64';
-
-/** @link [Proof Key for Code Exchange by OAuth Public Clients](https://datatracker.ietf.org/doc/html/rfc7636) */
-/**
- * @param length The length of the raw random data.
- */
-const generateRandomString = (length = 64) => fromUint8Array(randomFillSync(new Uint8Array(length)), true);
-/**
- * Generates random string for state and encodes them in url safe base64
- */
-const generateState = () => generateRandomString();
-/**
- * Generates code verifier
- *
- * @link [Client Creates a Code Verifier](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1)
- */
-const generateCodeVerifier = () => generateRandomString();
-/**
- * Calculates the S256 PKCE code challenge for an arbitrary code verifier and encodes it in url safe base64
- *
- * @param {String} codeVerifier Code verifier to calculate the S256 code challenge for
- * @link [Client Creates the Code Challenge](https://datatracker.ietf.org/doc/html/rfc7636#section-4.2)
- */
-const generateCodeChallenge = async (codeVerifier) => {
-    const encodedCodeVerifier = new TextEncoder().encode(codeVerifier);
-    const hash = createHash('sha256');
-    hash.update(encodedCodeVerifier);
-    const codeChallenge = hash.digest();
-    return fromUint8Array(codeChallenge, true);
-};
-
-export { generateCodeChallenge, generateCodeVerifier, generateState };

package/lib/src/utils/generators.test.d.ts

@@ -1 +0,0 @@
-export {};