@naman_deep_singh/security 1.2.0 → 1.3.1

package/dist/esm/core/jwt/jwtManager.js

@@ -0,0 +1,292 @@
+import jwt from 'jsonwebtoken';
+import { signToken } from './signToken';
+import { safeVerifyToken, verifyToken } from './verify';
+import { BadRequestError, UnauthorizedError, ValidationError, } from '@naman_deep_singh/errors-utils';
+import { LRUCache } from '@naman_deep_singh/js-extensions';
+export class JWTManager {
+    constructor(config) {
+        this.accessSecret = config.accessSecret;
+        this.refreshSecret = config.refreshSecret;
+        this.accessExpiry = config.accessExpiry || '15m';
+        this.refreshExpiry = config.refreshExpiry || '7d';
+        this.cacheTTL = 5 * 60 * 1000; // 5 minutes default TTL
+        if (config.enableCaching) {
+            this.cache = new LRUCache(config.maxCacheSize || 100);
+        }
+    }
+    /**
+     * Generate both access and refresh tokens
+     */
+    async generateTokens(payload) {
+        try {
+            this.validatePayload(payload);
+            const accessToken = await this.generateAccessToken(payload);
+            const refreshToken = await this.generateRefreshToken(payload);
+            return {
+                accessToken,
+                refreshToken,
+            };
+        }
+        catch (error) {
+            if (error instanceof BadRequestError ||
+                error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError('Failed to generate tokens');
+        }
+    }
+    /**
+     * Generate access token
+     */
+    async generateAccessToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = signToken(payload, this.accessSecret, this.accessExpiry, {
+                algorithm: 'HS256',
+            });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof BadRequestError ||
+                error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError('Failed to generate access token');
+        }
+    }
+    /**
+     * Generate refresh token
+     */
+    async generateRefreshToken(payload) {
+        try {
+            this.validatePayload(payload);
+            const token = signToken(payload, this.refreshSecret, this.refreshExpiry, {
+                algorithm: 'HS256',
+            });
+            return token;
+        }
+        catch (error) {
+            if (error instanceof BadRequestError ||
+                error instanceof ValidationError) {
+                throw error;
+            }
+            throw new BadRequestError('Failed to generate refresh token');
+        }
+    }
+    /**
+     * Verify access token
+     */
+    async verifyAccessToken(token) {
+        try {
+            if (!token || typeof token !== 'string') {
+                throw new ValidationError('Access token must be a non-empty string');
+            }
+            const cacheKey = `access_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached && Date.now() - cached.timestamp <= this.cacheTTL) {
+                    if (!cached.valid) {
+                        throw new UnauthorizedError('Access token is invalid or expired');
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = verifyToken(token, this.accessSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, {
+                    valid: true,
+                    payload: decoded,
+                    timestamp: Date.now(),
+                });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof ValidationError ||
+                error instanceof UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === 'TokenExpiredError') {
+                throw new UnauthorizedError('Access token has expired');
+            }
+            if (error instanceof Error && error.name === 'JsonWebTokenError') {
+                throw new UnauthorizedError('Access token is invalid');
+            }
+            throw new UnauthorizedError('Failed to verify access token');
+        }
+    }
+    /**
+     * Verify refresh token
+     */
+    async verifyRefreshToken(token) {
+        try {
+            if (!token || typeof token !== 'string') {
+                throw new ValidationError('Refresh token must be a non-empty string');
+            }
+            const cacheKey = `refresh_${token}`;
+            if (this.cache) {
+                const cached = this.cache.get(cacheKey);
+                if (cached) {
+                    if (!cached.valid) {
+                        throw new UnauthorizedError('Refresh token is invalid or expired');
+                    }
+                    return cached.payload;
+                }
+            }
+            const decoded = verifyToken(token, this.refreshSecret);
+            if (this.cache) {
+                this.cache.set(cacheKey, { valid: true, payload: decoded, timestamp: Date.now() });
+            }
+            return decoded;
+        }
+        catch (error) {
+            if (error instanceof ValidationError ||
+                error instanceof UnauthorizedError) {
+                throw error;
+            }
+            if (error instanceof Error && error.name === 'TokenExpiredError') {
+                throw new UnauthorizedError('Refresh token has expired');
+            }
+            if (error instanceof Error && error.name === 'JsonWebTokenError') {
+                throw new UnauthorizedError('Refresh token is invalid');
+            }
+            throw new UnauthorizedError('Failed to verify refresh token');
+        }
+    }
+    /**
+     * Decode token without verification
+     */
+    decodeToken(token, complete = false) {
+        try {
+            if (!token || typeof token !== 'string') {
+                throw new ValidationError('Token must be a non-empty string');
+            }
+            return jwt.decode(token, { complete });
+        }
+        catch (error) {
+            if (error instanceof ValidationError) {
+                throw error;
+            }
+            return null;
+        }
+    }
+    /**
+     * Extract token from Authorization header
+     */
+    extractTokenFromHeader(authHeader) {
+        try {
+            if (!authHeader || typeof authHeader !== 'string') {
+                return null;
+            }
+            const parts = authHeader.split(' ');
+            if (parts.length !== 2 || parts[0] !== 'Bearer') {
+                return null;
+            }
+            return parts[1];
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Validate token without throwing exceptions
+     */
+    validateToken(token, secret, options = {}) {
+        try {
+            if (!token || typeof token !== 'string') {
+                return false;
+            }
+            const result = safeVerifyToken(token, secret);
+            return result.valid;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Rotate refresh token
+     */
+    async rotateRefreshToken(oldToken) {
+        try {
+            if (!oldToken || typeof oldToken !== 'string') {
+                throw new ValidationError('Old refresh token must be a non-empty string');
+            }
+            const decoded = await this.verifyRefreshToken(oldToken);
+            if (typeof decoded === 'string') {
+                throw new ValidationError('Invalid token payload — expected JWT payload object');
+            }
+            // Create new payload without issued/expired timestamps
+            const payload = { ...decoded };
+            delete payload.iat;
+            delete payload.exp;
+            // Generate new refresh token
+            const newToken = signToken(payload, this.refreshSecret, this.refreshExpiry);
+            return newToken;
+        }
+        catch (error) {
+            if (error instanceof ValidationError ||
+                error instanceof UnauthorizedError) {
+                throw error;
+            }
+            throw new BadRequestError('Failed to rotate refresh token');
+        }
+    }
+    /**
+     * Check if token is expired
+     */
+    isTokenExpired(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return true;
+            }
+            const currentTime = Math.floor(Date.now() / 1000);
+            return decoded.exp < currentTime;
+        }
+        catch {
+            return true;
+        }
+    }
+    /**
+     * Get token expiration date
+     */
+    getTokenExpiration(token) {
+        try {
+            const decoded = this.decodeToken(token);
+            if (!decoded || !decoded.exp) {
+                return null;
+            }
+            return new Date(decoded.exp * 1000);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Clear token cache
+     */
+    clearCache() {
+        this.cache?.clear();
+    }
+    /**
+     * Get cache statistics
+     */
+    getCacheStats() {
+        if (!this.cache)
+            return null;
+        // Note: LRUCache doesn't expose internal size, so we return maxSize only
+        return {
+            size: -1, // Size not available from LRUCache
+            maxSize: this.cache.maxSize,
+        };
+    }
+    // Private helper methods
+    validatePayload(payload) {
+        if (!payload || typeof payload !== 'object') {
+            throw new ValidationError('Payload must be a non-null object');
+        }
+        if (Object.keys(payload).length === 0) {
+            throw new ValidationError('Payload cannot be empty');
+        }
+    }
+}

package/dist/esm/core/jwt/parseDuration.js

@@ -3,16 +3,16 @@ const TIME_UNITS = {
     m: 60,
     h: 3600,
     d: 86400,
-    w: 604800
+    w: 604800,
 };
 export function parseDuration(input) {
-    if (typeof input === "number")
+    if (typeof input === 'number')
         return input;
     const regex = /(\d+)\s*(s|m|h|d|w)/gi;
     let totalSeconds = 0;
     let match;
     while ((match = regex.exec(input)) !== null) {
-        const value = parseInt(match[1], 10);
+        const value = Number.parseInt(match[1], 10);
         const unit = match[2].toLowerCase();
         if (!TIME_UNITS[unit]) {
             throw new Error(`Invalid time unit: ${unit}`);

package/dist/esm/core/jwt/signToken.d.ts

@@ -1,2 +1,2 @@
-import { Secret, SignOptions } from "jsonwebtoken";
+import { type Secret, type SignOptions } from 'jsonwebtoken';
 export declare const signToken: (payload: Record<string, unknown>, secret: Secret, expiresIn?: string | number, options?: SignOptions) => string;

package/dist/esm/core/jwt/signToken.js

@@ -1,22 +1,22 @@
-import { sign } from "jsonwebtoken";
-import { parseDuration } from "./parseDuration";
+import { sign } from 'jsonwebtoken';
+import { parseDuration } from './parseDuration';
 function getExpiryTimestamp(seconds) {
     return Math.floor(Date.now() / 1000) + seconds;
 }
-export const signToken = (payload, secret, expiresIn = "1h", options = {}) => {
+export const signToken = (payload, secret, expiresIn = '1h', options = {}) => {
     const seconds = parseDuration(expiresIn);
     if (!seconds || seconds < 10) {
-        throw new Error("Token expiry too small");
+        throw new Error('Token expiry too small');
     }
     const tokenPayload = {
-        ...payload
+        ...payload,
     };
-    if (!("exp" in payload))
+    if (!('exp' in payload))
         tokenPayload.exp = getExpiryTimestamp(seconds);
-    if (!("iat" in payload))
+    if (!('iat' in payload))
         tokenPayload.iat = Math.floor(Date.now() / 1000);
     return sign(tokenPayload, secret, {
-        algorithm: "HS256",
-        ...options
+        algorithm: 'HS256',
+        ...options,
     });
 };

package/dist/esm/core/jwt/types.d.ts

@@ -1,4 +1,4 @@
-import { JwtPayload } from "jsonwebtoken";
+import type { JwtPayload } from 'jsonwebtoken';
 export interface AccessTokenBrand {
     readonly access: unique symbol;
 }

package/dist/esm/core/jwt/validateToken.d.ts

@@ -1,8 +1,8 @@
-import { JwtPayload } from "node_modules/@types/jsonwebtoken";
+import type { JwtPayload } from 'node_modules/@types/jsonwebtoken';
 export interface TokenRequirements {
     requiredFields?: string[];
     forbiddenFields?: string[];
-    validateTypes?: Record<string, "string" | "number" | "boolean">;
+    validateTypes?: Record<string, 'string' | 'number' | 'boolean'>;
 }
 export declare function validateTokenPayload(payload: Record<string, unknown>, rules?: TokenRequirements): {
     valid: true;

package/dist/esm/core/jwt/validateToken.js

@@ -1,7 +1,7 @@
 export function validateTokenPayload(payload, rules = {
-    requiredFields: ["exp", "iat"]
+    requiredFields: ['exp', 'iat'],
 }) {
-    const { requiredFields = [], forbiddenFields = [], validateTypes = {} } = rules;
+    const { requiredFields = [], forbiddenFields = [], validateTypes = {}, } = rules;
     // 1. Required fields
     for (const field of requiredFields) {
         if (!(field in payload)) {
@@ -20,7 +20,7 @@ export function validateTokenPayload(payload, rules = {
         if (key in payload && typeof payload[key] !== expectedType) {
             return {
                 valid: false,
-                error: `Invalid type for ${key}. Expected ${expectedType}.`
+                error: `Invalid type for ${key}. Expected ${expectedType}.`,
             };
         }
     }

package/dist/esm/core/jwt/verify.d.ts

@@ -1,5 +1,6 @@
-import jwt, { Secret, JwtPayload } from "jsonwebtoken";
-import { VerificationResult } from "./types";
+import type jwt from 'jsonwebtoken';
+import { type JwtPayload, type Secret } from 'jsonwebtoken';
+import type { VerificationResult } from './types';
 /**
  * Verify token (throws if invalid or expired)
  */

package/dist/esm/core/jwt/verify.js

@@ -1,4 +1,4 @@
-import { verify } from "jsonwebtoken";
+import { verify } from 'jsonwebtoken';
 /**
  * Verify token (throws if invalid or expired)
  */

package/dist/esm/core/password/hash.js

@@ -1,6 +1,6 @@
-import bcrypt from "bcryptjs";
-import { ensureValidPassword } from "./utils";
-import { InternalServerError } from "@naman_deep_singh/errors-utils";
+import { InternalServerError } from '@naman_deep_singh/errors-utils';
+import bcrypt from 'bcryptjs';
+import { ensureValidPassword } from './utils';
 /**
  * Hash a password asynchronously using bcrypt.
  */

package/dist/esm/core/password/index.d.ts

@@ -1,3 +1,3 @@
-export * from "./hash";
-export * from "./strength";
-export * from "./verify";
+export * from './hash';
+export * from './strength';
+export * from './verify';

package/dist/esm/core/password/index.js

@@ -1,3 +1,3 @@
-export * from "./hash";
-export * from "./strength";
-export * from "./verify";
+export * from './hash';
+export * from './strength';
+export * from './verify';

package/dist/esm/core/password/passwordManager.d.ts

@@ -0,0 +1,29 @@
+import type { HashedPassword, IPasswordManager, PasswordConfig, PasswordStrength, PasswordValidationResult } from '../../interfaces/password.interface';
+export declare class PasswordManager implements IPasswordManager {
+    private defaultConfig;
+    constructor(config?: PasswordConfig);
+    /**
+     * Hash a password asynchronously using bcrypt
+     */
+    hash(password: string, salt?: string): Promise<HashedPassword>;
+    /**
+     * Verify password against hash and salt
+     */
+    verify(password: string, hash: string, salt: string): Promise<boolean>;
+    /**
+     * Generate a random password
+     */
+    generate(length?: number, options?: PasswordConfig): string;
+    /**
+     * Validate password against configuration
+     */
+    validate(password: string, config?: PasswordConfig): PasswordValidationResult;
+    /**
+     * Check password strength
+     */
+    checkStrength(password: string): PasswordStrength;
+    /**
+     * Check if password hash needs upgrade (different salt rounds)
+     */
+    needsUpgrade(hash: string, currentConfig: PasswordConfig): boolean;
+}