@naman_deep_singh/security 1.1.0 → 1.3.0

package/dist/cjs/core/jwt/jwtManager.js

@@ -0,0 +1,319 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWTManager = void 0;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const signToken_1 = require("./signToken");
+const verify_1 = require("./verify");
+const errors_utils_1 = require("@naman_deep_singh/errors-utils");
+// Simple LRU cache for token validation
+class TokenCache {
+    constructor(maxSize = 100, ttl = 5 * 60 * 1000) {
+        this.cache = new Map();
+        this.maxSize = maxSize;
+        this.ttl = ttl;
+    }
+    get(key) {
+        const entry = this.cache.get(key);
+        if (!entry)
+            return null;
+        if (Date.now() - entry.timestamp > this.ttl) {
+            this.cache.delete(key);
+            return null;
+        }
+        // Move to end (most recently used)
+        this.cache.delete(key);
+        this.cache.set(key, entry);
+        return { valid: entry.valid, payload: entry.payload };
+    }
+    set(key, value) {
+        if (this.cache.has(key)) {
+            this.cache.delete(key);
+        }
+        else if (this.cache.size >= this.maxSize) {
+            // Remove least recently used (first item)
+            const firstKey = this.cache.keys().next().value;
+            if (firstKey !== undefined) {
+                this.cache.delete(firstKey);
+            }
+        }
+        this.cache.set(key, { ...value, timestamp: Date.now() });
+    }
+    clear() {
+        this.cache.clear();
+    }
+}
+class JWTManager {
+    constructor(config) {
+        this.accessSecret = config.accessSecret;
+        this.refreshSecret = config.refreshSecret;
+        this.accessExpiry = config.accessExpiry || "15m";
+        this.refreshExpiry = config.refreshExpiry || "7d";
+        if (config.enableCaching) {
+            this.cache = new TokenCache(config.maxCacheSize || 100);
+        }
+    }
+    /**
+     * Generate both access and refresh tokens
+     */
+    async generateTokens(payload) {
+        try {
+            this.validatePayload(payload);
+            const accessToken = await this.generateAccessToken(payload);
+            const refreshToken = await this.generateRefreshToken(payload);
+            return {
+                accessToken,
+                refreshToken,
+            };
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.BadRequestError || error instanceof errors_utils_1.ValidationError) {
+                throw error;
+            }
+            throw new errors_utils_1.BadRequestError("Failed to generate tokens");
+        }
+    }
+    /**
+     * Generate access token
+     */
+    async generateAccessToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = (0, signToken_1.signToken)(payload, this.accessSecret, this.accessExpiry, { algorithm: "HS256" });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.BadRequestError || error instanceof errors_utils_1.ValidationError) {
+                throw error;
+            }
+            throw new errors_utils_1.BadRequestError("Failed to generate access token");
+        }
+    }
+    /**
+     * Generate refresh token
+     */
+    async generateRefreshToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = (0, signToken_1.signToken)(payload, this.refreshSecret, this.refreshExpiry, { algorithm: "HS256" });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.BadRequestError || error instanceof errors_utils_1.ValidationError) {
+                throw error;
+            }
+            throw new errors_utils_1.BadRequestError("Failed to generate refresh token");
+        }
+    }
+    /**
+     * Verify access token
+     */
+    async verifyAccessToken(token) {
+        try {
+            if (!token || typeof token !== "string") {
+                throw new errors_utils_1.ValidationError("Access token must be a non-empty string");
+            }
+            const cacheKey = `access_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached) {
+                    if (!cached.valid) {
+                        throw new errors_utils_1.UnauthorizedError("Access token is invalid or expired");
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = (0, verify_1.verifyToken)(token, this.accessSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, { valid: true, payload: decoded });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.ValidationError || error instanceof errors_utils_1.UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === "TokenExpiredError") {
+                throw new errors_utils_1.UnauthorizedError("Access token has expired");
+            }
+            if (error instanceof Error && error.name === "JsonWebTokenError") {
+                throw new errors_utils_1.UnauthorizedError("Access token is invalid");
+            }
+            throw new errors_utils_1.UnauthorizedError("Failed to verify access token");
+        }
+    }
+    /**
+     * Verify refresh token
+     */
+    async verifyRefreshToken(token) {
+        try {
+            if (!token || typeof token !== "string") {
+                throw new errors_utils_1.ValidationError("Refresh token must be a non-empty string");
+            }
+            const cacheKey = `refresh_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached) {
+                    if (!cached.valid) {
+                        throw new errors_utils_1.UnauthorizedError("Refresh token is invalid or expired");
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = (0, verify_1.verifyToken)(token, this.refreshSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, { valid: true, payload: decoded });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.ValidationError || error instanceof errors_utils_1.UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === "TokenExpiredError") {
+                throw new errors_utils_1.UnauthorizedError("Refresh token has expired");
+            }
+            if (error instanceof Error && error.name === "JsonWebTokenError") {
+                throw new errors_utils_1.UnauthorizedError("Refresh token is invalid");
+            }
+            throw new errors_utils_1.UnauthorizedError("Failed to verify refresh token");
+        }
+    }
+    /**
+     * Decode token without verification
+     */
+    decodeToken(token, complete = false) {
+        try {
+            if (!token || typeof token !== "string") {
+                throw new errors_utils_1.ValidationError("Token must be a non-empty string");
+            }
+            return jsonwebtoken_1.default.decode(token, { complete });
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.ValidationError) {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Extract token from Authorization header
+     */
+    extractTokenFromHeader(authHeader) {
+        try {
+            if (!authHeader || typeof authHeader !== "string") {
+                return null;
+            }
+            const parts = authHeader.split(" ");
+            if (parts.length !== 2 || parts[0] !== "Bearer") {
+                return null;
+            }
+            return parts[1];
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Validate token without throwing exceptions
+     */
+    validateToken(token, secret, options = {}) {
+        try {
+            if (!token || typeof token !== "string") {
+                return false;
+            }
+            const result = (0, verify_1.safeVerifyToken)(token, secret);
+            return result.valid;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Rotate refresh token
+     */
+    async rotateRefreshToken(oldToken) {
+        try {
+            if (!oldToken || typeof oldToken !== "string") {
+                throw new errors_utils_1.ValidationError("Old refresh token must be a non-empty string");
+            }
+            const decoded = await this.verifyRefreshToken(oldToken);
+            if (typeof decoded === "string") {
+                throw new errors_utils_1.ValidationError("Invalid token payload — expected JWT payload object");
+            }
+            // Create new payload without issued/expired timestamps
+            const payload = { ...decoded };
+            delete payload.iat;
+            delete payload.exp;
+            // Generate new refresh token
+            const newToken = (0, signToken_1.signToken)(payload, this.refreshSecret, this.refreshExpiry);
+            return newToken;
+        }
+        catch (error) {
+            if (error instanceof errors_utils_1.ValidationError || error instanceof errors_utils_1.UnauthorizedError) {
+                throw error;
+            }
+            throw new errors_utils_1.BadRequestError("Failed to rotate refresh token");
+        }
+    }
+    /**
+     * Check if token is expired
+     */
+    isTokenExpired(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return true;
+            }
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch {
+            return true;
+        }
+    }
+    /**
+     * Get token expiration date
+     */
+    getTokenExpiration(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return null;
+            }
+            return new Date(decoded.exp * 1000);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Clear token cache
+     */
+    clearCache() {
+        this.cache?.clear();
+    }
+    /**
+     * Get cache statistics
+     */
+    getCacheStats() {
+        if (!this.cache)
+            return null;
+        return {
+            size: this.cache.cache.size,
+            maxSize: this.cache.maxSize
+        };
+    }
+    // Private helper methods
+    validatePayload(payload) {
+        if (!payload || typeof payload !== "object") {
+            throw new errors_utils_1.ValidationError("Payload must be a non-null object");
+        }
+        if (Object.keys(payload).length === 0) {
+            throw new errors_utils_1.ValidationError("Payload cannot be empty");
+        }
+    }
+}
+exports.JWTManager = JWTManager;

package/dist/cjs/core/jwt/signToken.d.ts

@@ -1,2 +1,2 @@
 import { Secret, SignOptions } from "jsonwebtoken";
-export declare const signToken: (payload: Record<string, any>, secret: Secret, expiresIn?: string | number, options?: SignOptions) => string;
+export declare const signToken: (payload: Record<string, unknown>, secret: Secret, expiresIn?: string | number, options?: SignOptions) => string;

package/dist/cjs/core/jwt/types.d.ts

@@ -0,0 +1,22 @@
+import { JwtPayload } from "jsonwebtoken";
+export interface AccessTokenBrand {
+    readonly access: unique symbol;
+}
+export interface RefreshTokenBrand {
+    readonly refresh: unique symbol;
+}
+export type AccessToken = string & AccessTokenBrand;
+export type RefreshToken = string & RefreshTokenBrand;
+export interface TokenPair {
+    accessToken: AccessToken;
+    refreshToken: RefreshToken;
+}
+export interface VerificationResult<T = JwtPayload> {
+    valid: boolean;
+    payload?: T | string;
+    error?: Error;
+}
+export interface TokenValidationOptions {
+    ignoreExpiration?: boolean;
+    ignoreIssuedAt?: boolean;
+}

package/dist/cjs/core/jwt/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/cjs/core/jwt/validateToken.d.ts

@@ -4,7 +4,7 @@ export interface TokenRequirements {
     forbiddenFields?: string[];
     validateTypes?: Record<string, "string" | "number" | "boolean">;
 }
-export declare function validateTokenPayload(payload: Record<string, any>, rules?: TokenRequirements): {
+export declare function validateTokenPayload(payload: Record<string, unknown>, rules?: TokenRequirements): {
     valid: true;
 } | {
     valid: false;

package/dist/cjs/core/jwt/verify.d.ts

@@ -1,13 +1,18 @@
-import { Secret, JwtPayload } from "jsonwebtoken";
+import jwt, { Secret, JwtPayload } from "jsonwebtoken";
+import { VerificationResult } from "./types";
 /**
  * Verify token (throws if invalid or expired)
  */
 export declare const verifyToken: (token: string, secret: Secret) => string | JwtPayload;
 /**
- * Safe verify — never throws, returns { valid, payload?, error? }
+ * Safe verify — never throws, returns structured result
  */
-export declare const safeVerifyToken: (token: string, secret: Secret) => {
-    valid: boolean;
-    payload?: string | JwtPayload;
-    error?: unknown;
-};
+export declare const safeVerifyToken: (token: string, secret: Secret) => VerificationResult;
+/**
+ * Verify token with validation options
+ */
+export declare const verifyTokenWithOptions: (token: string, secret: Secret, options?: jwt.VerifyOptions) => string | JwtPayload;
+/**
+ * Safe verify with validation options
+ */
+export declare const safeVerifyTokenWithOptions: (token: string, secret: Secret, options?: jwt.VerifyOptions) => VerificationResult;

package/dist/cjs/core/jwt/verify.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.safeVerifyToken = exports.verifyToken = void 0;
+exports.safeVerifyTokenWithOptions = exports.verifyTokenWithOptions = exports.safeVerifyToken = exports.verifyToken = void 0;
 const jsonwebtoken_1 = require("jsonwebtoken");
 /**
  * Verify token (throws if invalid or expired)
@@ -10,7 +10,7 @@ const verifyToken = (token, secret) => {
 };
 exports.verifyToken = verifyToken;
 /**
- * Safe verify — never throws, returns { valid, payload?, error? }
+ * Safe verify — never throws, returns structured result
  */
 const safeVerifyToken = (token, secret) => {
     try {
@@ -18,7 +18,27 @@ const safeVerifyToken = (token, secret) => {
         return { valid: true, payload: decoded };
     }
     catch (error) {
-        return { valid: false, error };
+        return { valid: false, error: error };
     }
 };
 exports.safeVerifyToken = safeVerifyToken;
+/**
+ * Verify token with validation options
+ */
+const verifyTokenWithOptions = (token, secret, options = {}) => {
+    return (0, jsonwebtoken_1.verify)(token, secret, options);
+};
+exports.verifyTokenWithOptions = verifyTokenWithOptions;
+/**
+ * Safe verify with validation options
+ */
+const safeVerifyTokenWithOptions = (token, secret, options = {}) => {
+    try {
+        const decoded = (0, jsonwebtoken_1.verify)(token, secret, options);
+        return { valid: true, payload: decoded };
+    }
+    catch (error) {
+        return { valid: false, error: error };
+    }
+};
+exports.safeVerifyTokenWithOptions = safeVerifyTokenWithOptions;

package/dist/cjs/core/password/passwordManager.d.ts

@@ -0,0 +1,29 @@
+import { IPasswordManager, PasswordConfig, PasswordValidationResult, HashedPassword, PasswordStrength } from "../../interfaces/password.interface";
+export declare class PasswordManager implements IPasswordManager {
+    private defaultConfig;
+    constructor(config?: PasswordConfig);
+    /**
+     * Hash a password asynchronously using bcrypt
+     */
+    hash(password: string, salt?: string): Promise<HashedPassword>;
+    /**
+     * Verify password against hash and salt
+     */
+    verify(password: string, hash: string, salt: string): Promise<boolean>;
+    /**
+     * Generate a random password
+     */
+    generate(length?: number, options?: PasswordConfig): string;
+    /**
+     * Validate password against configuration
+     */
+    validate(password: string, config?: PasswordConfig): PasswordValidationResult;
+    /**
+     * Check password strength
+     */
+    checkStrength(password: string): PasswordStrength;
+    /**
+     * Check if password hash needs upgrade (different salt rounds)
+     */
+    needsUpgrade(hash: string, currentConfig: PasswordConfig): boolean;
+}