@moon-x/node-sdk 0.1.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +12 -2
- package/dist/index.d.ts +12 -2
- package/dist/index.js +39 -0
- package/dist/index.mjs +39 -0
- package/package.json +3 -3
package/dist/index.d.mts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { AccessTokenClaims, IdentityTokenClaims, VerifiedSession } from '@moon-x/core/types';
|
|
2
|
-
export { AccessTokenClaims, BaseTokenClaims, IdentityTokenClaims, VerifiedSession } from '@moon-x/core/types';
|
|
1
|
+
import { AccessTokenClaims, IdentityTokenClaims, PresenceTokenClaims, VerifiedSession } from '@moon-x/core/types';
|
|
2
|
+
export { AccessTokenClaims, BaseTokenClaims, IdentityTokenClaims, PresenceTokenClaims, VerifiedSession } from '@moon-x/core/types';
|
|
3
3
|
|
|
4
4
|
interface AuthOptions {
|
|
5
5
|
baseUrl: string;
|
|
@@ -24,6 +24,16 @@ declare class Auth {
|
|
|
24
24
|
* success; throws a typed `MoonXError` subclass on any failure.
|
|
25
25
|
*/
|
|
26
26
|
verifyIdentityToken(token: string): Promise<IdentityTokenClaims>;
|
|
27
|
+
/**
|
|
28
|
+
* Verify a presence token. Enforces `tt === "presence"` so an access
|
|
29
|
+
* or identity token cannot be replayed as a step-up proof. Returns
|
|
30
|
+
* the claims (sub, cid, aud, iat, exp) on success.
|
|
31
|
+
*
|
|
32
|
+
* The token's `exp` already encodes the server's TTL window (5min
|
|
33
|
+
* default). Callers may impose a tighter window app-side by checking
|
|
34
|
+
* `iat` against their own clock for especially sensitive ops.
|
|
35
|
+
*/
|
|
36
|
+
verifyPresenceToken(token: string): Promise<PresenceTokenClaims>;
|
|
27
37
|
/**
|
|
28
38
|
* Verify both tokens (identity optional). Cross-checks that the
|
|
29
39
|
* identity token's subject matches the access token's subject so a
|
package/dist/index.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { AccessTokenClaims, IdentityTokenClaims, VerifiedSession } from '@moon-x/core/types';
|
|
2
|
-
export { AccessTokenClaims, BaseTokenClaims, IdentityTokenClaims, VerifiedSession } from '@moon-x/core/types';
|
|
1
|
+
import { AccessTokenClaims, IdentityTokenClaims, PresenceTokenClaims, VerifiedSession } from '@moon-x/core/types';
|
|
2
|
+
export { AccessTokenClaims, BaseTokenClaims, IdentityTokenClaims, PresenceTokenClaims, VerifiedSession } from '@moon-x/core/types';
|
|
3
3
|
|
|
4
4
|
interface AuthOptions {
|
|
5
5
|
baseUrl: string;
|
|
@@ -24,6 +24,16 @@ declare class Auth {
|
|
|
24
24
|
* success; throws a typed `MoonXError` subclass on any failure.
|
|
25
25
|
*/
|
|
26
26
|
verifyIdentityToken(token: string): Promise<IdentityTokenClaims>;
|
|
27
|
+
/**
|
|
28
|
+
* Verify a presence token. Enforces `tt === "presence"` so an access
|
|
29
|
+
* or identity token cannot be replayed as a step-up proof. Returns
|
|
30
|
+
* the claims (sub, cid, aud, iat, exp) on success.
|
|
31
|
+
*
|
|
32
|
+
* The token's `exp` already encodes the server's TTL window (5min
|
|
33
|
+
* default). Callers may impose a tighter window app-side by checking
|
|
34
|
+
* `iat` against their own clock for especially sensitive ops.
|
|
35
|
+
*/
|
|
36
|
+
verifyPresenceToken(token: string): Promise<PresenceTokenClaims>;
|
|
27
37
|
/**
|
|
28
38
|
* Verify both tokens (identity optional). Cross-checks that the
|
|
29
39
|
* identity token's subject matches the access token's subject so a
|
package/dist/index.js
CHANGED
|
@@ -324,10 +324,32 @@ async function verifyWithSig(token, ctx) {
|
|
|
324
324
|
}
|
|
325
325
|
async function verifyAccessToken(token, ctx) {
|
|
326
326
|
const claims = await verify(token, ctx);
|
|
327
|
+
if (claims.tt !== "access") {
|
|
328
|
+
throw new InvalidTokenError(
|
|
329
|
+
`expected access token, got tt=${String(claims.tt ?? "(missing)")}`
|
|
330
|
+
);
|
|
331
|
+
}
|
|
327
332
|
return claims;
|
|
328
333
|
}
|
|
329
334
|
async function verifyIdentityToken(token, ctx) {
|
|
330
335
|
const claims = await verify(token, ctx);
|
|
336
|
+
if (claims.tt !== "identity") {
|
|
337
|
+
throw new InvalidTokenError(
|
|
338
|
+
`expected identity token, got tt=${String(claims.tt ?? "(missing)")}`
|
|
339
|
+
);
|
|
340
|
+
}
|
|
341
|
+
return claims;
|
|
342
|
+
}
|
|
343
|
+
async function verifyPresenceToken(token, ctx) {
|
|
344
|
+
const claims = await verify(token, ctx);
|
|
345
|
+
if (claims.tt !== "presence") {
|
|
346
|
+
throw new InvalidTokenError(
|
|
347
|
+
`expected tt=presence, got ${String(claims.tt ?? "(missing)")}`
|
|
348
|
+
);
|
|
349
|
+
}
|
|
350
|
+
if (typeof claims.cid !== "string" || claims.cid.length === 0) {
|
|
351
|
+
throw new InvalidTokenError("presence token missing cid claim");
|
|
352
|
+
}
|
|
331
353
|
return claims;
|
|
332
354
|
}
|
|
333
355
|
async function verifySession(args, ctx) {
|
|
@@ -408,6 +430,23 @@ var Auth = class {
|
|
|
408
430
|
jwks: this.jwks
|
|
409
431
|
});
|
|
410
432
|
}
|
|
433
|
+
/**
|
|
434
|
+
* Verify a presence token. Enforces `tt === "presence"` so an access
|
|
435
|
+
* or identity token cannot be replayed as a step-up proof. Returns
|
|
436
|
+
* the claims (sub, cid, aud, iat, exp) on success.
|
|
437
|
+
*
|
|
438
|
+
* The token's `exp` already encodes the server's TTL window (5min
|
|
439
|
+
* default). Callers may impose a tighter window app-side by checking
|
|
440
|
+
* `iat` against their own clock for especially sensitive ops.
|
|
441
|
+
*/
|
|
442
|
+
async verifyPresenceToken(token) {
|
|
443
|
+
const pinnedAppId = await this.resolver.resolve();
|
|
444
|
+
return verifyPresenceToken(token, {
|
|
445
|
+
pinnedAppId,
|
|
446
|
+
expectedIssuer: this.expectedIssuer,
|
|
447
|
+
jwks: this.jwks
|
|
448
|
+
});
|
|
449
|
+
}
|
|
411
450
|
/**
|
|
412
451
|
* Verify both tokens (identity optional). Cross-checks that the
|
|
413
452
|
* identity token's subject matches the access token's subject so a
|
package/dist/index.mjs
CHANGED
|
@@ -286,10 +286,32 @@ async function verifyWithSig(token, ctx) {
|
|
|
286
286
|
}
|
|
287
287
|
async function verifyAccessToken(token, ctx) {
|
|
288
288
|
const claims = await verify(token, ctx);
|
|
289
|
+
if (claims.tt !== "access") {
|
|
290
|
+
throw new InvalidTokenError(
|
|
291
|
+
`expected access token, got tt=${String(claims.tt ?? "(missing)")}`
|
|
292
|
+
);
|
|
293
|
+
}
|
|
289
294
|
return claims;
|
|
290
295
|
}
|
|
291
296
|
async function verifyIdentityToken(token, ctx) {
|
|
292
297
|
const claims = await verify(token, ctx);
|
|
298
|
+
if (claims.tt !== "identity") {
|
|
299
|
+
throw new InvalidTokenError(
|
|
300
|
+
`expected identity token, got tt=${String(claims.tt ?? "(missing)")}`
|
|
301
|
+
);
|
|
302
|
+
}
|
|
303
|
+
return claims;
|
|
304
|
+
}
|
|
305
|
+
async function verifyPresenceToken(token, ctx) {
|
|
306
|
+
const claims = await verify(token, ctx);
|
|
307
|
+
if (claims.tt !== "presence") {
|
|
308
|
+
throw new InvalidTokenError(
|
|
309
|
+
`expected tt=presence, got ${String(claims.tt ?? "(missing)")}`
|
|
310
|
+
);
|
|
311
|
+
}
|
|
312
|
+
if (typeof claims.cid !== "string" || claims.cid.length === 0) {
|
|
313
|
+
throw new InvalidTokenError("presence token missing cid claim");
|
|
314
|
+
}
|
|
293
315
|
return claims;
|
|
294
316
|
}
|
|
295
317
|
async function verifySession(args, ctx) {
|
|
@@ -370,6 +392,23 @@ var Auth = class {
|
|
|
370
392
|
jwks: this.jwks
|
|
371
393
|
});
|
|
372
394
|
}
|
|
395
|
+
/**
|
|
396
|
+
* Verify a presence token. Enforces `tt === "presence"` so an access
|
|
397
|
+
* or identity token cannot be replayed as a step-up proof. Returns
|
|
398
|
+
* the claims (sub, cid, aud, iat, exp) on success.
|
|
399
|
+
*
|
|
400
|
+
* The token's `exp` already encodes the server's TTL window (5min
|
|
401
|
+
* default). Callers may impose a tighter window app-side by checking
|
|
402
|
+
* `iat` against their own clock for especially sensitive ops.
|
|
403
|
+
*/
|
|
404
|
+
async verifyPresenceToken(token) {
|
|
405
|
+
const pinnedAppId = await this.resolver.resolve();
|
|
406
|
+
return verifyPresenceToken(token, {
|
|
407
|
+
pinnedAppId,
|
|
408
|
+
expectedIssuer: this.expectedIssuer,
|
|
409
|
+
jwks: this.jwks
|
|
410
|
+
});
|
|
411
|
+
}
|
|
373
412
|
/**
|
|
374
413
|
* Verify both tokens (identity optional). Cross-checks that the
|
|
375
414
|
* identity token's subject matches the access token's subject so a
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@moon-x/node-sdk",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.3.0",
|
|
4
4
|
"description": "MoonX server-side SDK for Node.js. Verify MoonX-issued access + identity tokens with zero runtime dependencies.",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"module": "dist/index.mjs",
|
|
@@ -25,12 +25,12 @@
|
|
|
25
25
|
"wallet",
|
|
26
26
|
"sdk"
|
|
27
27
|
],
|
|
28
|
-
"license": "
|
|
28
|
+
"license": "UNLICENSED",
|
|
29
29
|
"publishConfig": {
|
|
30
30
|
"access": "public"
|
|
31
31
|
},
|
|
32
32
|
"dependencies": {
|
|
33
|
-
"@moon-x/core": "0.
|
|
33
|
+
"@moon-x/core": "0.4.0"
|
|
34
34
|
},
|
|
35
35
|
"devDependencies": {
|
|
36
36
|
"tsup": "8.5.1",
|