@naman_deep_singh/security 1.0.3 → 1.1.0

package/dist/cjs/core/jwt/parseDuration.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseDuration = parseDuration;
+const TIME_UNITS = {
+    s: 1,
+    m: 60,
+    h: 3600,
+    d: 86400,
+    w: 604800
+};
+function parseDuration(input) {
+    if (typeof input === "number")
+        return input;
+    const regex = /(\d+)\s*(s|m|h|d|w)/gi;
+    let totalSeconds = 0;
+    let match;
+    while ((match = regex.exec(input)) !== null) {
+        const value = parseInt(match[1], 10);
+        const unit = match[2].toLowerCase();
+        if (!TIME_UNITS[unit]) {
+            throw new Error(`Invalid time unit: ${unit}`);
+        }
+        totalSeconds += value * TIME_UNITS[unit];
+    }
+    if (totalSeconds === 0) {
+        throw new Error(`Invalid expiry format: "${input}"`);
+    }
+    return totalSeconds;
+}

package/dist/cjs/core/jwt/signToken.d.ts

@@ -0,0 +1,2 @@
+import { Secret, SignOptions } from "jsonwebtoken";
+export declare const signToken: (payload: Record<string, any>, secret: Secret, expiresIn?: string | number, options?: SignOptions) => string;

package/dist/cjs/core/jwt/signToken.js

@@ -0,0 +1,26 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.signToken = void 0;
+const jsonwebtoken_1 = require("jsonwebtoken");
+const parseDuration_1 = require("./parseDuration");
+function getExpiryTimestamp(seconds) {
+    return Math.floor(Date.now() / 1000) + seconds;
+}
+const signToken = (payload, secret, expiresIn = "1h", options = {}) => {
+    const seconds = (0, parseDuration_1.parseDuration)(expiresIn);
+    if (!seconds || seconds < 10) {
+        throw new Error("Token expiry too small");
+    }
+    const tokenPayload = {
+        ...payload
+    };
+    if (!("exp" in payload))
+        tokenPayload.exp = getExpiryTimestamp(seconds);
+    if (!("iat" in payload))
+        tokenPayload.iat = Math.floor(Date.now() / 1000);
+    return (0, jsonwebtoken_1.sign)(tokenPayload, secret, {
+        algorithm: "HS256",
+        ...options
+    });
+};
+exports.signToken = signToken;

package/dist/cjs/core/jwt/validateToken.d.ts

@@ -0,0 +1,13 @@
+import { JwtPayload } from "node_modules/@types/jsonwebtoken";
+export interface TokenRequirements {
+    requiredFields?: string[];
+    forbiddenFields?: string[];
+    validateTypes?: Record<string, "string" | "number" | "boolean">;
+}
+export declare function validateTokenPayload(payload: Record<string, any>, rules?: TokenRequirements): {
+    valid: true;
+} | {
+    valid: false;
+    error: string;
+};
+export declare function isTokenExpired(payload: JwtPayload): boolean;

package/dist/cjs/core/jwt/validateToken.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateTokenPayload = validateTokenPayload;
+exports.isTokenExpired = isTokenExpired;
+function validateTokenPayload(payload, rules = {
+    requiredFields: ["exp", "iat"]
+}) {
+    const { requiredFields = [], forbiddenFields = [], validateTypes = {} } = rules;
+    // 1. Required fields
+    for (const field of requiredFields) {
+        if (!(field in payload)) {
+            return { valid: false, error: `Missing required field: ${field}` };
+        }
+    }
+    // 2. Forbidden fields
+    for (const field of forbiddenFields) {
+        if (field in payload) {
+            return { valid: false, error: `Forbidden field in token: ${field}` };
+        }
+    }
+    // 3. Type validation
+    for (const key in validateTypes) {
+        const expectedType = validateTypes[key];
+        if (key in payload && typeof payload[key] !== expectedType) {
+            return {
+                valid: false,
+                error: `Invalid type for ${key}. Expected ${expectedType}.`
+            };
+        }
+    }
+    return { valid: true };
+}
+function isTokenExpired(payload) {
+    if (!payload.exp)
+        return true;
+    return Date.now() >= payload.exp * 1000;
+}

package/dist/cjs/core/jwt/verify.d.ts

@@ -0,0 +1,13 @@
+import { Secret, JwtPayload } from "jsonwebtoken";
+/**
+ * Verify token (throws if invalid or expired)
+ */
+export declare const verifyToken: (token: string, secret: Secret) => string | JwtPayload;
+/**
+ * Safe verify — never throws, returns { valid, payload?, error? }
+ */
+export declare const safeVerifyToken: (token: string, secret: Secret) => {
+    valid: boolean;
+    payload?: string | JwtPayload;
+    error?: unknown;
+};

package/dist/cjs/core/jwt/verify.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.safeVerifyToken = exports.verifyToken = void 0;
+const jsonwebtoken_1 = require("jsonwebtoken");
+/**
+ * Verify token (throws if invalid or expired)
+ */
+const verifyToken = (token, secret) => {
+    return (0, jsonwebtoken_1.verify)(token, secret);
+};
+exports.verifyToken = verifyToken;
+/**
+ * Safe verify — never throws, returns { valid, payload?, error? }
+ */
+const safeVerifyToken = (token, secret) => {
+    try {
+        const decoded = (0, jsonwebtoken_1.verify)(token, secret);
+        return { valid: true, payload: decoded };
+    }
+    catch (error) {
+        return { valid: false, error };
+    }
+};
+exports.safeVerifyToken = safeVerifyToken;

package/dist/cjs/core/password/hash.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Hash a password asynchronously using bcrypt.
+ */
+export declare const hashPassword: (password: string, saltRounds?: number) => Promise<string>;
+export declare function hashPasswordWithPepper(password: string, pepper: string): Promise<string>;
+/**
+ * Hash a password synchronously using bcrypt.
+ */
+export declare const hashPasswordSync: (password: string, saltRounds?: number) => string;
+export declare function hashPasswordWithPepperSync(password: string, pepper: string): string;

package/dist/cjs/core/password/hash.js

@@ -0,0 +1,45 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hashPasswordSync = exports.hashPassword = void 0;
+exports.hashPasswordWithPepper = hashPasswordWithPepper;
+exports.hashPasswordWithPepperSync = hashPasswordWithPepperSync;
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const utils_1 = require("./utils");
+const errors_utils_1 = require("@naman_deep_singh/errors-utils");
+/**
+ * Hash a password asynchronously using bcrypt.
+ */
+const hashPassword = async (password, saltRounds = 10) => {
+    try {
+        (0, utils_1.ensureValidPassword)(password);
+        const salt = await bcryptjs_1.default.genSalt(saltRounds);
+        return bcryptjs_1.default.hash(password, salt);
+    }
+    catch (err) {
+        throw new errors_utils_1.InternalServerError('Password hashing failed');
+    }
+};
+exports.hashPassword = hashPassword;
+function hashPasswordWithPepper(password, pepper) {
+    return (0, exports.hashPassword)(password + pepper);
+}
+/**
+ * Hash a password synchronously using bcrypt.
+ */
+const hashPasswordSync = (password, saltRounds = 10) => {
+    try {
+        (0, utils_1.ensureValidPassword)(password);
+        const salt = bcryptjs_1.default.genSaltSync(saltRounds);
+        return bcryptjs_1.default.hashSync(password, salt);
+    }
+    catch (error) {
+        throw new errors_utils_1.InternalServerError('Password hashing failed');
+    }
+};
+exports.hashPasswordSync = hashPasswordSync;
+function hashPasswordWithPepperSync(password, pepper) {
+    return (0, exports.hashPasswordSync)(password + pepper);
+}

package/dist/cjs/core/password/index.d.ts

@@ -0,0 +1,3 @@
+export * from "./hash";
+export * from "./strength";
+export * from "./verify";

package/dist/cjs/core/password/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./hash"), exports);
+__exportStar(require("./strength"), exports);
+__exportStar(require("./verify"), exports);

package/dist/cjs/core/password/strength.d.ts

@@ -0,0 +1,2 @@
+import { PasswordStrengthOptions } from "./types";
+export declare const isPasswordStrong: (password: string, options?: PasswordStrengthOptions) => boolean;

package/dist/cjs/core/password/strength.js

@@ -0,0 +1,21 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isPasswordStrong = void 0;
+const errors_utils_1 = require("@naman_deep_singh/errors-utils");
+const isPasswordStrong = (password, options = {}) => {
+    if (!password)
+        throw new errors_utils_1.BadRequestError('Invalid password provided');
+    const { minLength = 8, requireUppercase = true, requireLowercase = true, requireNumbers = true, requireSymbols = false, } = options;
+    if (password.length < minLength)
+        throw new errors_utils_1.ValidationError(`Password must be at least ${minLength} characters`);
+    if (requireUppercase && !/[A-Z]/.test(password))
+        throw new errors_utils_1.ValidationError("Password must include uppercase letters");
+    if (requireLowercase && !/[a-z]/.test(password))
+        throw new errors_utils_1.ValidationError("Password must include lowercase letters");
+    if (requireNumbers && !/[0-9]/.test(password))
+        throw new errors_utils_1.ValidationError("Password must include numbers");
+    if (requireSymbols && !/[^A-Za-z0-9]/.test(password))
+        throw new errors_utils_1.ValidationError("Password must include symbols");
+    return true;
+};
+exports.isPasswordStrong = isPasswordStrong;

package/dist/cjs/core/password/types.d.ts

@@ -0,0 +1,7 @@
+export interface PasswordStrengthOptions {
+    minLength?: number;
+    requireUppercase?: boolean;
+    requireLowercase?: boolean;
+    requireNumbers?: boolean;
+    requireSymbols?: boolean;
+}

package/dist/cjs/core/password/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/core/password/utils.d.ts

@@ -0,0 +1,4 @@
+export declare function ensureValidPassword(password: string): void;
+export declare function safeCompare(a: string, b: string): boolean;
+export declare function estimatePasswordEntropy(password: string): number;
+export declare function normalizePassword(password: string): string;

package/dist/cjs/core/password/utils.js

@@ -0,0 +1,38 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ensureValidPassword = ensureValidPassword;
+exports.safeCompare = safeCompare;
+exports.estimatePasswordEntropy = estimatePasswordEntropy;
+exports.normalizePassword = normalizePassword;
+const crypto_1 = __importDefault(require("crypto"));
+const errors_utils_1 = require("@naman_deep_singh/errors-utils");
+function ensureValidPassword(password) {
+    if (!password || typeof password !== "string") {
+        throw new errors_utils_1.BadRequestError('Invalid password provided');
+    }
+}
+function safeCompare(a, b) {
+    const bufA = Buffer.from(a);
+    const bufB = Buffer.from(b);
+    if (bufA.length !== bufB.length)
+        return false;
+    return crypto_1.default.timingSafeEqual(bufA, bufB);
+}
+function estimatePasswordEntropy(password) {
+    let pool = 0;
+    if (/[a-z]/.test(password))
+        pool += 26;
+    if (/[A-Z]/.test(password))
+        pool += 26;
+    if (/[0-9]/.test(password))
+        pool += 10;
+    if (/[^A-Za-z0-9]/.test(password))
+        pool += 32;
+    return password.length * Math.log2(pool);
+}
+function normalizePassword(password) {
+    return password.normalize("NFKC");
+}

package/dist/cjs/core/password/verify.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Compare a password with a stored hash asynchronously.
+ */
+export declare const verifyPassword: (password: string, hash: string) => Promise<boolean>;
+export declare function verifyPasswordWithPepper(password: string, pepper: string, hash: string): Promise<boolean>;
+/**
+ * Compare a password with a stored hash synchronously.
+ */
+export declare const verifyPasswordSync: (password: string, hash: string) => boolean;
+export declare function verifyPasswordWithPepperSync(password: string, pepper: string, hash: string): Promise<boolean>;

package/dist/cjs/core/password/verify.js

@@ -0,0 +1,46 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyPasswordSync = exports.verifyPassword = void 0;
+exports.verifyPasswordWithPepper = verifyPasswordWithPepper;
+exports.verifyPasswordWithPepperSync = verifyPasswordWithPepperSync;
+const bcryptjs_1 = __importDefault(require("bcryptjs"));
+const errors_utils_1 = require("@naman_deep_singh/errors-utils");
+/**
+ * Compare a password with a stored hash asynchronously.
+ */
+const verifyPassword = async (password, hash) => {
+    try {
+        const result = await bcryptjs_1.default.compare(password, hash);
+        if (!result)
+            throw new errors_utils_1.UnauthorizedError('Password verification failed');
+        return result;
+    }
+    catch {
+        throw new errors_utils_1.UnauthorizedError('Password verification failed');
+    }
+};
+exports.verifyPassword = verifyPassword;
+async function verifyPasswordWithPepper(password, pepper, hash) {
+    return (0, exports.verifyPassword)(password + pepper, hash);
+}
+/**
+ * Compare a password with a stored hash synchronously.
+ */
+const verifyPasswordSync = (password, hash) => {
+    try {
+        const result = bcryptjs_1.default.compareSync(password, hash);
+        if (!result)
+            throw new errors_utils_1.UnauthorizedError('Password verification failed');
+        return result;
+    }
+    catch (error) {
+        throw new errors_utils_1.UnauthorizedError('Password verification failed');
+    }
+};
+exports.verifyPasswordSync = verifyPasswordSync;
+async function verifyPasswordWithPepperSync(password, pepper, hash) {
+    return (0, exports.verifyPasswordSync)(password + pepper, hash);
+}

package/dist/cjs/index.d.ts

@@ -0,0 +1,43 @@
+export * from "./core/password";
+export * from "./core/jwt";
+export * from "./core/crypto";
+export { BadRequestError, UnauthorizedError, ValidationError, InternalServerError } from "@naman_deep_singh/errors-utils";
+import * as JWTUtils from "./core/jwt";
+declare const _default: {
+    decrypt: (data: string, secret: string) => string;
+    encrypt: (text: string, secret: string) => string;
+    hmacSign: (message: string, secret: string) => string;
+    hmacVerify: (message: string, secret: string, signature: string) => boolean;
+    randomToken: (length?: number) => string;
+    generateStrongPassword: (length?: number) => string;
+    decodeToken(token: string): null | string | import("node_modules/@types/jsonwebtoken").JwtPayload;
+    decodeTokenStrict(token: string): import("node_modules/@types/jsonwebtoken").JwtPayload;
+    extractToken(sources: JWTUtils.TokenSources): string | null;
+    rotateRefreshToken(oldToken: string, secret: import("node_modules/@types/jsonwebtoken").Secret): string;
+    generateTokens: (payload: object, accessSecret: import("node_modules/@types/jsonwebtoken").Secret, refreshSecret: import("node_modules/@types/jsonwebtoken").Secret, accessExpiry?: string | number, refreshExpiry?: string | number) => JWTUtils.TokenPair;
+    parseDuration(input: string | number): number;
+    signToken: (payload: Record<string, any>, secret: import("node_modules/@types/jsonwebtoken").Secret, expiresIn?: string | number, options?: import("node_modules/@types/jsonwebtoken").SignOptions) => string;
+    validateTokenPayload(payload: Record<string, any>, rules?: JWTUtils.TokenRequirements): {
+        valid: true;
+    } | {
+        valid: false;
+        error: string;
+    };
+    isTokenExpired(payload: import("node_modules/@types/jsonwebtoken").JwtPayload): boolean;
+    verifyToken: (token: string, secret: import("node_modules/@types/jsonwebtoken").Secret) => string | import("node_modules/@types/jsonwebtoken").JwtPayload;
+    safeVerifyToken: (token: string, secret: import("node_modules/@types/jsonwebtoken").Secret) => {
+        valid: boolean;
+        payload?: string | import("node_modules/@types/jsonwebtoken").JwtPayload;
+        error?: unknown;
+    };
+    hashPasswordWithPepper(password: string, pepper: string): Promise<string>;
+    hashPasswordWithPepperSync(password: string, pepper: string): string;
+    hashPassword: (password: string, saltRounds?: number) => Promise<string>;
+    hashPasswordSync: (password: string, saltRounds?: number) => string;
+    isPasswordStrong: (password: string, options?: import("./core/password/types").PasswordStrengthOptions) => boolean;
+    verifyPasswordWithPepper(password: string, pepper: string, hash: string): Promise<boolean>;
+    verifyPasswordWithPepperSync(password: string, pepper: string, hash: string): Promise<boolean>;
+    verifyPassword: (password: string, hash: string) => Promise<boolean>;
+    verifyPasswordSync: (password: string, hash: string) => boolean;
+};
+export default _default;

package/dist/cjs/index.js

@@ -0,0 +1,56 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InternalServerError = exports.ValidationError = exports.UnauthorizedError = exports.BadRequestError = void 0;
+__exportStar(require("./core/password"), exports);
+__exportStar(require("./core/jwt"), exports);
+__exportStar(require("./core/crypto"), exports);
+// Re-export common errors for convenience
+var errors_utils_1 = require("@naman_deep_singh/errors-utils");
+Object.defineProperty(exports, "BadRequestError", { enumerable: true, get: function () { return errors_utils_1.BadRequestError; } });
+Object.defineProperty(exports, "UnauthorizedError", { enumerable: true, get: function () { return errors_utils_1.UnauthorizedError; } });
+Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return errors_utils_1.ValidationError; } });
+Object.defineProperty(exports, "InternalServerError", { enumerable: true, get: function () { return errors_utils_1.InternalServerError; } });
+const PasswordUtils = __importStar(require("./core/password"));
+const JWTUtils = __importStar(require("./core/jwt"));
+const CryptoUtils = __importStar(require("./core/crypto"));
+exports.default = {
+    ...PasswordUtils,
+    ...JWTUtils,
+    ...CryptoUtils,
+};

package/dist/esm/core/crypto/decrypt.d.ts

@@ -0,0 +1 @@
+export declare const decrypt: (data: string, secret: string) => string;

package/dist/esm/core/crypto/decrypt.js

@@ -0,0 +1,14 @@
+import crypto from "crypto";
+const ALGO = "AES-256-GCM";
+export const decrypt = (data, secret) => {
+    const [ivHex, encryptedHex] = data.split(":");
+    const iv = Buffer.from(ivHex, "hex");
+    const encrypted = Buffer.from(encryptedHex, "hex");
+    const key = crypto.createHash("sha256").update(secret).digest();
+    const decipher = crypto.createDecipheriv(ALGO, key, iv);
+    const decrypted = Buffer.concat([
+        decipher.update(encrypted),
+        decipher.final(),
+    ]);
+    return decrypted.toString("utf8");
+};

package/dist/esm/core/crypto/encrypt.d.ts

@@ -0,0 +1 @@
+export declare const encrypt: (text: string, secret: string) => string;

package/dist/esm/core/crypto/encrypt.js

@@ -0,0 +1,9 @@
+import crypto from "crypto";
+const ALGO = "AES-256-GCM";
+export const encrypt = (text, secret) => {
+    const key = crypto.createHash("sha256").update(secret).digest();
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv(ALGO, key, iv);
+    const encrypted = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
+    return `${iv.toString("hex")}:${encrypted.toString("hex")}`;
+};

package/dist/esm/core/crypto/hmac.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Sign message using HMAC SHA-256
+ */
+export declare const hmacSign: (message: string, secret: string) => string;
+/**
+ * Verify HMAC signature
+ */
+export declare const hmacVerify: (message: string, secret: string, signature: string) => boolean;

package/dist/esm/core/crypto/hmac.js

@@ -0,0 +1,16 @@
+import crypto from "crypto";
+/**
+ * Sign message using HMAC SHA-256
+ */
+export const hmacSign = (message, secret) => {
+    return crypto.createHmac("sha256", secret).update(message).digest("hex");
+};
+/**
+ * Verify HMAC signature
+ */
+export const hmacVerify = (message, secret, signature) => {
+    const expected = hmacSign(message, secret);
+    if (signature.length !== expected.length)
+        return false;
+    return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
+};

package/dist/esm/core/crypto/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./decrypt";
+export * from "./encrypt";
+export * from "./hmac";
+export * from "./random";

package/dist/esm/core/crypto/index.js

@@ -0,0 +1,4 @@
+export * from "./decrypt";
+export * from "./encrypt";
+export * from "./hmac";
+export * from "./random";

package/dist/esm/core/crypto/random.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Generate cryptographically secure random string
+ */
+export declare const randomToken: (length?: number) => string;
+/**
+ * Generate a strong random password
+ */
+export declare const generateStrongPassword: (length?: number) => string;

package/dist/esm/core/crypto/random.js

@@ -0,0 +1,13 @@
+import crypto from "crypto";
+/**
+ * Generate cryptographically secure random string
+ */
+export const randomToken = (length = 32) => {
+    return crypto.randomBytes(length).toString("hex");
+};
+/**
+ * Generate a strong random password
+ */
+export const generateStrongPassword = (length = 16) => {
+    return crypto.randomBytes(length).toString("hex").slice(0, length);
+};

package/dist/esm/core/jwt/decode.d.ts

@@ -0,0 +1,12 @@
+import { JwtPayload } from "jsonwebtoken";
+/**
+ * Flexible decode
+ * Returns: null | string | JwtPayload
+ * Mirrors jsonwebtoken.decode()
+ */
+export declare function decodeToken(token: string): null | string | JwtPayload;
+/**
+ * Strict decode
+ * Always returns JwtPayload or throws error
+ */
+export declare function decodeTokenStrict(token: string): JwtPayload;

package/dist/esm/core/jwt/decode.js

@@ -0,0 +1,21 @@
+// src/jwt/decodeToken.ts
+import { decode } from "jsonwebtoken";
+/**
+ * Flexible decode
+ * Returns: null | string | JwtPayload
+ * Mirrors jsonwebtoken.decode()
+ */
+export function decodeToken(token) {
+    return decode(token);
+}
+/**
+ * Strict decode
+ * Always returns JwtPayload or throws error
+ */
+export function decodeTokenStrict(token) {
+    const decoded = decode(token);
+    if (!decoded || typeof decoded === "string") {
+        throw new Error("Invalid JWT payload structure");
+    }
+    return decoded;
+}

package/dist/esm/core/jwt/extractToken.d.ts

@@ -0,0 +1,11 @@
+export interface TokenSources {
+    header?: string | undefined | null;
+    cookies?: Record<string, string> | undefined;
+    query?: Record<string, string | undefined> | undefined;
+    body?: Record<string, any> | undefined;
+    wsMessage?: string | Record<string, any> | undefined;
+}
+/**
+ * Universal token extractor
+ */
+export declare function extractToken(sources: TokenSources): string | null;