@moq-web/cat 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,178 @@
1
+ /**
2
+ * @fileoverview CAT/C4M Token Types
3
+ *
4
+ * Type definitions for CBOR, COSE, CWT, and MoQT-specific token structures.
5
+ */
6
+ /**
7
+ * Represents any value that can be encoded/decoded as CBOR.
8
+ */
9
+ export type CborValue = number | bigint | string | Uint8Array | boolean | null | CborValue[] | Map<number | string, CborValue>;
10
+ /**
11
+ * CBOR tagged value.
12
+ */
13
+ export interface CborTagged {
14
+ tag: number;
15
+ value: CborValue;
16
+ }
17
+ /**
18
+ * COSE algorithm identifiers.
19
+ * @see RFC 9053 Section 2.1
20
+ */
21
+ export declare enum CoseAlgorithm {
22
+ /** ECDSA w/ SHA-256 on P-256 */
23
+ ES256 = -7,
24
+ /** ECDSA w/ SHA-384 on P-384 */
25
+ ES384 = -35,
26
+ /** ECDSA w/ SHA-512 on P-521 */
27
+ ES512 = -36,
28
+ /** HMAC w/ SHA-256 (full 256-bit tag) — COSE_Mac0 */
29
+ HMAC_256_256 = 5
30
+ }
31
+ /**
32
+ * COSE header parameter keys.
33
+ * @see RFC 9052 Section 3.1
34
+ */
35
+ export declare enum CoseHeaderParam {
36
+ /** Algorithm identifier */
37
+ ALG = 1,
38
+ /** Content type */
39
+ CTY = 3,
40
+ /** Key ID */
41
+ KID = 4
42
+ }
43
+ /**
44
+ * COSE_Sign1 structure.
45
+ * @see RFC 9052 Section 4.2
46
+ */
47
+ export interface CoseSign1 {
48
+ /** CBOR-encoded protected header (bstr) */
49
+ protectedHeader: Uint8Array;
50
+ /** Unprotected header (map) */
51
+ unprotectedHeader: Map<number, CborValue>;
52
+ /** Payload (bstr — CBOR-encoded CWT claims for CAT tokens) */
53
+ payload: Uint8Array;
54
+ /** Signature (bstr) */
55
+ signature: Uint8Array;
56
+ }
57
+ /**
58
+ * Maps CoseAlgorithm to WebCrypto parameters.
59
+ */
60
+ /**
61
+ * COSE algorithm parameter details.
62
+ */
63
+ export interface CoseAlgParams {
64
+ /** WebCrypto algorithm name */
65
+ name: string;
66
+ /** Hash algorithm */
67
+ hash: string;
68
+ /** EC named curve (ECDSA only) */
69
+ namedCurve?: string;
70
+ /** Expected signature/tag length in bytes */
71
+ sigLength: number;
72
+ /** Whether this is a MAC algorithm (COSE_Mac0) vs signing (COSE_Sign1) */
73
+ isMac: boolean;
74
+ }
75
+ export declare const COSE_ALG_PARAMS: Readonly<Record<CoseAlgorithm, Readonly<CoseAlgParams>>>;
76
+ /**
77
+ * CWT claim keys (integer-based per RFC 8392 Section 4).
78
+ */
79
+ export declare enum CwtClaimKey {
80
+ /** Issuer */
81
+ ISS = 1,
82
+ /** Subject */
83
+ SUB = 2,
84
+ /** Audience */
85
+ AUD = 3,
86
+ /** Expiration Time (NumericDate) */
87
+ EXP = 4,
88
+ /** Not Before (NumericDate) */
89
+ NBF = 5,
90
+ /** Issued At (NumericDate) */
91
+ IAT = 6,
92
+ /** CWT ID */
93
+ CTI = 7,
94
+ /** MoQT scopes (pending IANA assignment) */
95
+ MOQT = 327
96
+ }
97
+ /**
98
+ * CWT claims structure.
99
+ */
100
+ export interface CwtClaims {
101
+ iss?: string;
102
+ sub?: string;
103
+ aud?: string | string[];
104
+ exp?: number;
105
+ nbf?: number;
106
+ iat?: number;
107
+ cti?: Uint8Array;
108
+ moqt?: MoqtScope[];
109
+ /** Additional claims keyed by integer */
110
+ additionalClaims?: Map<number, CborValue>;
111
+ }
112
+ /**
113
+ * MoQT action codes for token scopes.
114
+ * @see draft-ietf-moq-transport
115
+ */
116
+ export declare enum MoqtAction {
117
+ ClientSetup = 0,
118
+ ServerSetup = 1,
119
+ PublishNamespace = 2,
120
+ SubscribeNamespace = 3,
121
+ Subscribe = 4,
122
+ RequestUpdate = 5,
123
+ Publish = 6,
124
+ Fetch = 7,
125
+ TrackStatus = 8
126
+ }
127
+ /**
128
+ * A single MoQT authorization scope.
129
+ */
130
+ export interface MoqtScope {
131
+ /** Permitted actions */
132
+ actions: MoqtAction[];
133
+ /** Namespace prefix to match (optional — null means any) */
134
+ namespaceMatch?: (string | Uint8Array)[];
135
+ /** Track name to match (optional — null means any) */
136
+ trackMatch?: string | Uint8Array;
137
+ }
138
+ /**
139
+ * C4M token type identifier (ASCII "c4m").
140
+ */
141
+ export declare const C4M_TOKEN_TYPE = 6501485;
142
+ /**
143
+ * Decoded CAT token.
144
+ */
145
+ export interface CatToken {
146
+ /** Decoded protected header as map */
147
+ header: Map<number, CborValue>;
148
+ /** Decoded CWT claims */
149
+ claims: CwtClaims;
150
+ /** Raw COSE_Sign1 structure */
151
+ coseSign1: CoseSign1;
152
+ /** Algorithm used for signing */
153
+ algorithm: CoseAlgorithm;
154
+ }
155
+ /**
156
+ * Result of CAT token validation.
157
+ */
158
+ export interface CatValidationResult {
159
+ valid: boolean;
160
+ token?: CatToken;
161
+ error?: string;
162
+ expired?: boolean;
163
+ }
164
+ /**
165
+ * Options for CAT token validation.
166
+ */
167
+ export interface CatValidationOptions {
168
+ /** Clock skew tolerance in seconds (default: 60) */
169
+ clockSkewSeconds?: number;
170
+ /** Required audience value */
171
+ requiredAudience?: string;
172
+ /** Override current time for testing (Unix timestamp seconds) */
173
+ now?: number;
174
+ /** Required algorithm — rejects tokens using a different algorithm */
175
+ requiredAlgorithm?: CoseAlgorithm;
176
+ /** Require exp claim to be present (default: true) */
177
+ requireExp?: boolean;
178
+ }
package/dist/types.js ADDED
@@ -0,0 +1,91 @@
1
+ // SPDX-FileCopyrightText: Copyright (c) 2025 Cisco Systems
2
+ // SPDX-License-Identifier: BSD-2-Clause
3
+ // ============================================================================
4
+ // COSE Types (RFC 9052)
5
+ // ============================================================================
6
+ /**
7
+ * COSE algorithm identifiers.
8
+ * @see RFC 9053 Section 2.1
9
+ */
10
+ export var CoseAlgorithm;
11
+ (function (CoseAlgorithm) {
12
+ /** ECDSA w/ SHA-256 on P-256 */
13
+ CoseAlgorithm[CoseAlgorithm["ES256"] = -7] = "ES256";
14
+ /** ECDSA w/ SHA-384 on P-384 */
15
+ CoseAlgorithm[CoseAlgorithm["ES384"] = -35] = "ES384";
16
+ /** ECDSA w/ SHA-512 on P-521 */
17
+ CoseAlgorithm[CoseAlgorithm["ES512"] = -36] = "ES512";
18
+ /** HMAC w/ SHA-256 (full 256-bit tag) — COSE_Mac0 */
19
+ CoseAlgorithm[CoseAlgorithm["HMAC_256_256"] = 5] = "HMAC_256_256";
20
+ })(CoseAlgorithm || (CoseAlgorithm = {}));
21
+ /**
22
+ * COSE header parameter keys.
23
+ * @see RFC 9052 Section 3.1
24
+ */
25
+ export var CoseHeaderParam;
26
+ (function (CoseHeaderParam) {
27
+ /** Algorithm identifier */
28
+ CoseHeaderParam[CoseHeaderParam["ALG"] = 1] = "ALG";
29
+ /** Content type */
30
+ CoseHeaderParam[CoseHeaderParam["CTY"] = 3] = "CTY";
31
+ /** Key ID */
32
+ CoseHeaderParam[CoseHeaderParam["KID"] = 4] = "KID";
33
+ })(CoseHeaderParam || (CoseHeaderParam = {}));
34
+ // Frozen to prevent runtime mutation of algorithm parameters
35
+ export const COSE_ALG_PARAMS = Object.freeze({
36
+ [CoseAlgorithm.ES256]: Object.freeze({ name: 'ECDSA', hash: 'SHA-256', namedCurve: 'P-256', sigLength: 64, isMac: false }),
37
+ [CoseAlgorithm.ES384]: Object.freeze({ name: 'ECDSA', hash: 'SHA-384', namedCurve: 'P-384', sigLength: 96, isMac: false }),
38
+ [CoseAlgorithm.ES512]: Object.freeze({ name: 'ECDSA', hash: 'SHA-512', namedCurve: 'P-521', sigLength: 132, isMac: false }),
39
+ [CoseAlgorithm.HMAC_256_256]: Object.freeze({ name: 'HMAC', hash: 'SHA-256', sigLength: 32, isMac: true }),
40
+ });
41
+ // ============================================================================
42
+ // CWT Types (RFC 8392)
43
+ // ============================================================================
44
+ /**
45
+ * CWT claim keys (integer-based per RFC 8392 Section 4).
46
+ */
47
+ export var CwtClaimKey;
48
+ (function (CwtClaimKey) {
49
+ /** Issuer */
50
+ CwtClaimKey[CwtClaimKey["ISS"] = 1] = "ISS";
51
+ /** Subject */
52
+ CwtClaimKey[CwtClaimKey["SUB"] = 2] = "SUB";
53
+ /** Audience */
54
+ CwtClaimKey[CwtClaimKey["AUD"] = 3] = "AUD";
55
+ /** Expiration Time (NumericDate) */
56
+ CwtClaimKey[CwtClaimKey["EXP"] = 4] = "EXP";
57
+ /** Not Before (NumericDate) */
58
+ CwtClaimKey[CwtClaimKey["NBF"] = 5] = "NBF";
59
+ /** Issued At (NumericDate) */
60
+ CwtClaimKey[CwtClaimKey["IAT"] = 6] = "IAT";
61
+ /** CWT ID */
62
+ CwtClaimKey[CwtClaimKey["CTI"] = 7] = "CTI";
63
+ /** MoQT scopes (pending IANA assignment) */
64
+ CwtClaimKey[CwtClaimKey["MOQT"] = 327] = "MOQT";
65
+ })(CwtClaimKey || (CwtClaimKey = {}));
66
+ // ============================================================================
67
+ // MoQT Auth Types
68
+ // ============================================================================
69
+ /**
70
+ * MoQT action codes for token scopes.
71
+ * @see draft-ietf-moq-transport
72
+ */
73
+ export var MoqtAction;
74
+ (function (MoqtAction) {
75
+ MoqtAction[MoqtAction["ClientSetup"] = 0] = "ClientSetup";
76
+ MoqtAction[MoqtAction["ServerSetup"] = 1] = "ServerSetup";
77
+ MoqtAction[MoqtAction["PublishNamespace"] = 2] = "PublishNamespace";
78
+ MoqtAction[MoqtAction["SubscribeNamespace"] = 3] = "SubscribeNamespace";
79
+ MoqtAction[MoqtAction["Subscribe"] = 4] = "Subscribe";
80
+ MoqtAction[MoqtAction["RequestUpdate"] = 5] = "RequestUpdate";
81
+ MoqtAction[MoqtAction["Publish"] = 6] = "Publish";
82
+ MoqtAction[MoqtAction["Fetch"] = 7] = "Fetch";
83
+ MoqtAction[MoqtAction["TrackStatus"] = 8] = "TrackStatus";
84
+ })(MoqtAction || (MoqtAction = {}));
85
+ // ============================================================================
86
+ // CAT Token Types
87
+ // ============================================================================
88
+ /**
89
+ * C4M token type identifier (ASCII "c4m").
90
+ */
91
+ export const C4M_TOKEN_TYPE = 0x63346d;
package/package.json ADDED
@@ -0,0 +1,38 @@
1
+ {
2
+ "name": "@moq-web/cat",
3
+ "version": "0.1.0",
4
+ "description": "Common Access Token (CAT/C4M) for MoQ Transport — CBOR/COSE/CWT token library",
5
+ "type": "module",
6
+ "main": "./dist/index.js",
7
+ "module": "./dist/index.js",
8
+ "types": "./dist/index.d.ts",
9
+ "exports": {
10
+ ".": {
11
+ "types": "./dist/index.d.ts",
12
+ "import": "./dist/index.js"
13
+ }
14
+ },
15
+ "files": [
16
+ "dist"
17
+ ],
18
+ "scripts": {
19
+ "build": "tsc",
20
+ "test": "vitest run",
21
+ "test:watch": "vitest",
22
+ "lint": "eslint src --ext .ts",
23
+ "clean": "rm -rf dist"
24
+ },
25
+ "devDependencies": {
26
+ "vitest": "^4.0.18"
27
+ },
28
+ "keywords": [
29
+ "moqt",
30
+ "cat",
31
+ "cose",
32
+ "cwt",
33
+ "cbor",
34
+ "auth",
35
+ "token"
36
+ ],
37
+ "license": "BSD-2-Clause"
38
+ }