@moon-x/node-sdk 0.1.0 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.mts CHANGED
@@ -1,5 +1,5 @@
1
- import { AccessTokenClaims, IdentityTokenClaims, VerifiedSession } from '@moon-x/core/types';
2
- export { AccessTokenClaims, BaseTokenClaims, IdentityTokenClaims, VerifiedSession } from '@moon-x/core/types';
1
+ import { AccessTokenClaims, IdentityTokenClaims, PresenceTokenClaims, VerifiedSession } from '@moon-x/core/types';
2
+ export { AccessTokenClaims, BaseTokenClaims, IdentityTokenClaims, PresenceTokenClaims, VerifiedSession } from '@moon-x/core/types';
3
3
 
4
4
  interface AuthOptions {
5
5
  baseUrl: string;
@@ -24,6 +24,16 @@ declare class Auth {
24
24
  * success; throws a typed `MoonXError` subclass on any failure.
25
25
  */
26
26
  verifyIdentityToken(token: string): Promise<IdentityTokenClaims>;
27
+ /**
28
+ * Verify a presence token. Enforces `tt === "presence"` so an access
29
+ * or identity token cannot be replayed as a step-up proof. Returns
30
+ * the claims (sub, cid, aud, iat, exp) on success.
31
+ *
32
+ * The token's `exp` already encodes the server's TTL window (5min
33
+ * default). Callers may impose a tighter window app-side by checking
34
+ * `iat` against their own clock for especially sensitive ops.
35
+ */
36
+ verifyPresenceToken(token: string): Promise<PresenceTokenClaims>;
27
37
  /**
28
38
  * Verify both tokens (identity optional). Cross-checks that the
29
39
  * identity token's subject matches the access token's subject so a
package/dist/index.d.ts CHANGED
@@ -1,5 +1,5 @@
1
- import { AccessTokenClaims, IdentityTokenClaims, VerifiedSession } from '@moon-x/core/types';
2
- export { AccessTokenClaims, BaseTokenClaims, IdentityTokenClaims, VerifiedSession } from '@moon-x/core/types';
1
+ import { AccessTokenClaims, IdentityTokenClaims, PresenceTokenClaims, VerifiedSession } from '@moon-x/core/types';
2
+ export { AccessTokenClaims, BaseTokenClaims, IdentityTokenClaims, PresenceTokenClaims, VerifiedSession } from '@moon-x/core/types';
3
3
 
4
4
  interface AuthOptions {
5
5
  baseUrl: string;
@@ -24,6 +24,16 @@ declare class Auth {
24
24
  * success; throws a typed `MoonXError` subclass on any failure.
25
25
  */
26
26
  verifyIdentityToken(token: string): Promise<IdentityTokenClaims>;
27
+ /**
28
+ * Verify a presence token. Enforces `tt === "presence"` so an access
29
+ * or identity token cannot be replayed as a step-up proof. Returns
30
+ * the claims (sub, cid, aud, iat, exp) on success.
31
+ *
32
+ * The token's `exp` already encodes the server's TTL window (5min
33
+ * default). Callers may impose a tighter window app-side by checking
34
+ * `iat` against their own clock for especially sensitive ops.
35
+ */
36
+ verifyPresenceToken(token: string): Promise<PresenceTokenClaims>;
27
37
  /**
28
38
  * Verify both tokens (identity optional). Cross-checks that the
29
39
  * identity token's subject matches the access token's subject so a
package/dist/index.js CHANGED
@@ -324,10 +324,32 @@ async function verifyWithSig(token, ctx) {
324
324
  }
325
325
  async function verifyAccessToken(token, ctx) {
326
326
  const claims = await verify(token, ctx);
327
+ if (claims.tt !== "access") {
328
+ throw new InvalidTokenError(
329
+ `expected access token, got tt=${String(claims.tt ?? "(missing)")}`
330
+ );
331
+ }
327
332
  return claims;
328
333
  }
329
334
  async function verifyIdentityToken(token, ctx) {
330
335
  const claims = await verify(token, ctx);
336
+ if (claims.tt !== "identity") {
337
+ throw new InvalidTokenError(
338
+ `expected identity token, got tt=${String(claims.tt ?? "(missing)")}`
339
+ );
340
+ }
341
+ return claims;
342
+ }
343
+ async function verifyPresenceToken(token, ctx) {
344
+ const claims = await verify(token, ctx);
345
+ if (claims.tt !== "presence") {
346
+ throw new InvalidTokenError(
347
+ `expected tt=presence, got ${String(claims.tt ?? "(missing)")}`
348
+ );
349
+ }
350
+ if (typeof claims.cid !== "string" || claims.cid.length === 0) {
351
+ throw new InvalidTokenError("presence token missing cid claim");
352
+ }
331
353
  return claims;
332
354
  }
333
355
  async function verifySession(args, ctx) {
@@ -408,6 +430,23 @@ var Auth = class {
408
430
  jwks: this.jwks
409
431
  });
410
432
  }
433
+ /**
434
+ * Verify a presence token. Enforces `tt === "presence"` so an access
435
+ * or identity token cannot be replayed as a step-up proof. Returns
436
+ * the claims (sub, cid, aud, iat, exp) on success.
437
+ *
438
+ * The token's `exp` already encodes the server's TTL window (5min
439
+ * default). Callers may impose a tighter window app-side by checking
440
+ * `iat` against their own clock for especially sensitive ops.
441
+ */
442
+ async verifyPresenceToken(token) {
443
+ const pinnedAppId = await this.resolver.resolve();
444
+ return verifyPresenceToken(token, {
445
+ pinnedAppId,
446
+ expectedIssuer: this.expectedIssuer,
447
+ jwks: this.jwks
448
+ });
449
+ }
411
450
  /**
412
451
  * Verify both tokens (identity optional). Cross-checks that the
413
452
  * identity token's subject matches the access token's subject so a
package/dist/index.mjs CHANGED
@@ -286,10 +286,32 @@ async function verifyWithSig(token, ctx) {
286
286
  }
287
287
  async function verifyAccessToken(token, ctx) {
288
288
  const claims = await verify(token, ctx);
289
+ if (claims.tt !== "access") {
290
+ throw new InvalidTokenError(
291
+ `expected access token, got tt=${String(claims.tt ?? "(missing)")}`
292
+ );
293
+ }
289
294
  return claims;
290
295
  }
291
296
  async function verifyIdentityToken(token, ctx) {
292
297
  const claims = await verify(token, ctx);
298
+ if (claims.tt !== "identity") {
299
+ throw new InvalidTokenError(
300
+ `expected identity token, got tt=${String(claims.tt ?? "(missing)")}`
301
+ );
302
+ }
303
+ return claims;
304
+ }
305
+ async function verifyPresenceToken(token, ctx) {
306
+ const claims = await verify(token, ctx);
307
+ if (claims.tt !== "presence") {
308
+ throw new InvalidTokenError(
309
+ `expected tt=presence, got ${String(claims.tt ?? "(missing)")}`
310
+ );
311
+ }
312
+ if (typeof claims.cid !== "string" || claims.cid.length === 0) {
313
+ throw new InvalidTokenError("presence token missing cid claim");
314
+ }
293
315
  return claims;
294
316
  }
295
317
  async function verifySession(args, ctx) {
@@ -370,6 +392,23 @@ var Auth = class {
370
392
  jwks: this.jwks
371
393
  });
372
394
  }
395
+ /**
396
+ * Verify a presence token. Enforces `tt === "presence"` so an access
397
+ * or identity token cannot be replayed as a step-up proof. Returns
398
+ * the claims (sub, cid, aud, iat, exp) on success.
399
+ *
400
+ * The token's `exp` already encodes the server's TTL window (5min
401
+ * default). Callers may impose a tighter window app-side by checking
402
+ * `iat` against their own clock for especially sensitive ops.
403
+ */
404
+ async verifyPresenceToken(token) {
405
+ const pinnedAppId = await this.resolver.resolve();
406
+ return verifyPresenceToken(token, {
407
+ pinnedAppId,
408
+ expectedIssuer: this.expectedIssuer,
409
+ jwks: this.jwks
410
+ });
411
+ }
373
412
  /**
374
413
  * Verify both tokens (identity optional). Cross-checks that the
375
414
  * identity token's subject matches the access token's subject so a
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@moon-x/node-sdk",
3
- "version": "0.1.0",
3
+ "version": "0.2.0",
4
4
  "description": "MoonX server-side SDK for Node.js. Verify MoonX-issued access + identity tokens with zero runtime dependencies.",
5
5
  "main": "dist/index.js",
6
6
  "module": "dist/index.mjs",
@@ -25,12 +25,12 @@
25
25
  "wallet",
26
26
  "sdk"
27
27
  ],
28
- "license": "MIT",
28
+ "license": "UNLICENSED",
29
29
  "publishConfig": {
30
30
  "access": "public"
31
31
  },
32
32
  "dependencies": {
33
- "@moon-x/core": "0.2.0"
33
+ "@moon-x/core": "0.3.0"
34
34
  },
35
35
  "devDependencies": {
36
36
  "tsup": "8.5.1",