@naman_deep_singh/security 1.3.0 → 1.3.2

package/dist/esm/core/jwt/jwtManager.js

@@ -1,52 +1,17 @@
-import jwt from "jsonwebtoken";
-import { signToken } from "./signToken";
-import { verifyToken, safeVerifyToken } from "./verify";
-import { BadRequestError, UnauthorizedError, ValidationError } from "@naman_deep_singh/errors-utils";
-// Simple LRU cache for token validation
-class TokenCache {
-    constructor(maxSize = 100, ttl = 5 * 60 * 1000) {
-        this.cache = new Map();
-        this.maxSize = maxSize;
-        this.ttl = ttl;
-    }
-    get(key) {
-        const entry = this.cache.get(key);
-        if (!entry)
-            return null;
-        if (Date.now() - entry.timestamp > this.ttl) {
-            this.cache.delete(key);
-            return null;
-        }
-        // Move to end (most recently used)
-        this.cache.delete(key);
-        this.cache.set(key, entry);
-        return { valid: entry.valid, payload: entry.payload };
-    }
-    set(key, value) {
-        if (this.cache.has(key)) {
-            this.cache.delete(key);
-        }
-        else if (this.cache.size >= this.maxSize) {
-            // Remove least recently used (first item)
-            const firstKey = this.cache.keys().next().value;
-            if (firstKey !== undefined) {
-                this.cache.delete(firstKey);
-            }
-        }
-        this.cache.set(key, { ...value, timestamp: Date.now() });
-    }
-    clear() {
-        this.cache.clear();
-    }
-}
+import jwt from 'jsonwebtoken';
+import { signToken } from './signToken';
+import { safeVerifyToken, verifyToken } from './verify';
+import { BadRequestError, UnauthorizedError, ValidationError, } from '@naman_deep_singh/errors-utils';
+import { LRUCache } from '@naman_deep_singh/js-extensions';
 export class JWTManager {
     constructor(config) {
         this.accessSecret = config.accessSecret;
         this.refreshSecret = config.refreshSecret;
-        this.accessExpiry = config.accessExpiry || "15m";
-        this.refreshExpiry = config.refreshExpiry || "7d";
+        this.accessExpiry = config.accessExpiry || '15m';
+        this.refreshExpiry = config.refreshExpiry || '7d';
+        this.cacheTTL = 5 * 60 * 1000; // 5 minutes default TTL
         if (config.enableCaching) {
-            this.cache = new TokenCache(config.maxCacheSize || 100);
+            this.cache = new LRUCache(config.maxCacheSize || 100);
         }
     }
     /**
@@ -63,10 +28,11 @@ export class JWTManager {
             };
         }
         catch (error) {
-            if (error instanceof BadRequestError || error instanceof ValidationError) {
+            if (error instanceof BadRequestError ||
+                error instanceof ValidationError) {
                 throw error;
             }
-            throw new BadRequestError("Failed to generate tokens");
+            throw new BadRequestError('Failed to generate tokens');
         }
     }
     /**
@@ -75,14 +41,17 @@ export class JWTManager {
     async generateAccessToken(payload) {
         try {
             this.validatePayload(payload);
-            const token = signToken(payload, this.accessSecret, this.accessExpiry, { algorithm: "HS256" });
+            const token = signToken(payload, this.accessSecret, this.accessExpiry, {
+                algorithm: 'HS256',
+            });
             return token;
         }
         catch (error) {
-            if (error instanceof BadRequestError || error instanceof ValidationError) {
+            if (error instanceof BadRequestError ||
+                error instanceof ValidationError) {
                 throw error;
             }
-            throw new BadRequestError("Failed to generate access token");
+            throw new BadRequestError('Failed to generate access token');
         }
     }
     /**
@@ -91,14 +60,17 @@ export class JWTManager {
     async generateRefreshToken(payload) {
         try {
             this.validatePayload(payload);
-            const token = signToken(payload, this.refreshSecret, this.refreshExpiry, { algorithm: "HS256" });
+            const token = signToken(payload, this.refreshSecret, this.refreshExpiry, {
+                algorithm: 'HS256',
+            });
             return token;
         }
         catch (error) {
-            if (error instanceof BadRequestError || error instanceof ValidationError) {
+            if (error instanceof BadRequestError ||
+                error instanceof ValidationError) {
                 throw error;
             }
-            throw new BadRequestError("Failed to generate refresh token");
+            throw new BadRequestError('Failed to generate refresh token');
         }
     }
     /**
@@ -106,36 +78,41 @@ export class JWTManager {
      */
     async verifyAccessToken(token) {
         try {
-            if (!token || typeof token !== "string") {
-                throw new ValidationError("Access token must be a non-empty string");
+            if (!token || typeof token !== 'string') {
+                throw new ValidationError('Access token must be a non-empty string');
             }
             const cacheKey = `access_${token}`;
             if (this.cache) {
                 const cached = this.cache.get(cacheKey);
-                if (cached) {
+                if (cached && Date.now() - cached.timestamp <= this.cacheTTL) {
                     if (!cached.valid) {
-                        throw new UnauthorizedError("Access token is invalid or expired");
+                        throw new UnauthorizedError('Access token is invalid or expired');
                     }
                     return cached.payload;
                 }
             }
             const decoded = verifyToken(token, this.accessSecret);
             if (this.cache) {
-                this.cache.set(cacheKey, { valid: true, payload: decoded });
+                this.cache.set(cacheKey, {
+                    valid: true,
+                    payload: decoded,
+                    timestamp: Date.now(),
+                });
             }
             return decoded;
         }
         catch (error) {
-            if (error instanceof ValidationError || error instanceof UnauthorizedError) {
+            if (error instanceof ValidationError ||
+                error instanceof UnauthorizedError) {
                 throw error;
             }
-            if (error instanceof Error && error.name === "TokenExpiredError") {
-                throw new UnauthorizedError("Access token has expired");
+            if (error instanceof Error && error.name === 'TokenExpiredError') {
+                throw new UnauthorizedError('Access token has expired');
             }
-            if (error instanceof Error && error.name === "JsonWebTokenError") {
-                throw new UnauthorizedError("Access token is invalid");
+            if (error instanceof Error && error.name === 'JsonWebTokenError') {
+                throw new UnauthorizedError('Access token is invalid');
             }
-            throw new UnauthorizedError("Failed to verify access token");
+            throw new UnauthorizedError('Failed to verify access token');
         }
     }
     /**
@@ -143,36 +120,37 @@ export class JWTManager {
      */
     async verifyRefreshToken(token) {
         try {
-            if (!token || typeof token !== "string") {
-                throw new ValidationError("Refresh token must be a non-empty string");
+            if (!token || typeof token !== 'string') {
+                throw new ValidationError('Refresh token must be a non-empty string');
             }
             const cacheKey = `refresh_${token}`;
             if (this.cache) {
                 const cached = this.cache.get(cacheKey);
                 if (cached) {
                     if (!cached.valid) {
-                        throw new UnauthorizedError("Refresh token is invalid or expired");
+                        throw new UnauthorizedError('Refresh token is invalid or expired');
                     }
                     return cached.payload;
                 }
             }
             const decoded = verifyToken(token, this.refreshSecret);
             if (this.cache) {
-                this.cache.set(cacheKey, { valid: true, payload: decoded });
+                this.cache.set(cacheKey, { valid: true, payload: decoded, timestamp: Date.now() });
             }
             return decoded;
         }
         catch (error) {
-            if (error instanceof ValidationError || error instanceof UnauthorizedError) {
+            if (error instanceof ValidationError ||
+                error instanceof UnauthorizedError) {
                 throw error;
             }
-            if (error instanceof Error && error.name === "TokenExpiredError") {
-                throw new UnauthorizedError("Refresh token has expired");
+            if (error instanceof Error && error.name === 'TokenExpiredError') {
+                throw new UnauthorizedError('Refresh token has expired');
             }
-            if (error instanceof Error && error.name === "JsonWebTokenError") {
-                throw new UnauthorizedError("Refresh token is invalid");
+            if (error instanceof Error && error.name === 'JsonWebTokenError') {
+                throw new UnauthorizedError('Refresh token is invalid');
             }
-            throw new UnauthorizedError("Failed to verify refresh token");
+            throw new UnauthorizedError('Failed to verify refresh token');
         }
     }
     /**
@@ -180,8 +158,8 @@ export class JWTManager {
      */
     decodeToken(token, complete = false) {
         try {
-            if (!token || typeof token !== "string") {
-                throw new ValidationError("Token must be a non-empty string");
+            if (!token || typeof token !== 'string') {
+                throw new ValidationError('Token must be a non-empty string');
             }
             return jwt.decode(token, { complete });
         }
@@ -197,11 +175,11 @@ export class JWTManager {
      */
     extractTokenFromHeader(authHeader) {
         try {
-            if (!authHeader || typeof authHeader !== "string") {
+            if (!authHeader || typeof authHeader !== 'string') {
                 return null;
             }
-            const parts = authHeader.split(" ");
-            if (parts.length !== 2 || parts[0] !== "Bearer") {
+            const parts = authHeader.split(' ');
+            if (parts.length !== 2 || parts[0] !== 'Bearer') {
                 return null;
             }
             return parts[1];
@@ -215,7 +193,7 @@ export class JWTManager {
      */
     validateToken(token, secret, options = {}) {
         try {
-            if (!token || typeof token !== "string") {
+            if (!token || typeof token !== 'string') {
                 return false;
             }
             const result = safeVerifyToken(token, secret);
@@ -230,12 +208,12 @@ export class JWTManager {
      */
     async rotateRefreshToken(oldToken) {
         try {
-            if (!oldToken || typeof oldToken !== "string") {
-                throw new ValidationError("Old refresh token must be a non-empty string");
+            if (!oldToken || typeof oldToken !== 'string') {
+                throw new ValidationError('Old refresh token must be a non-empty string');
             }
             const decoded = await this.verifyRefreshToken(oldToken);
-            if (typeof decoded === "string") {
-                throw new ValidationError("Invalid token payload — expected JWT payload object");
+            if (typeof decoded === 'string') {
+                throw new ValidationError('Invalid token payload — expected JWT payload object');
             }
             // Create new payload without issued/expired timestamps
             const payload = { ...decoded };
@@ -246,10 +224,11 @@ export class JWTManager {
             return newToken;
         }
         catch (error) {
-            if (error instanceof ValidationError || error instanceof UnauthorizedError) {
+            if (error instanceof ValidationError ||
+                error instanceof UnauthorizedError) {
                 throw error;
             }
-            throw new BadRequestError("Failed to rotate refresh token");
+            throw new BadRequestError('Failed to rotate refresh token');
         }
     }
     /**
@@ -295,18 +274,19 @@ export class JWTManager {
     getCacheStats() {
         if (!this.cache)
             return null;
+        // Note: LRUCache doesn't expose internal size, so we return maxSize only
         return {
-            size: this.cache.cache.size,
-            maxSize: this.cache.maxSize
+            size: -1, // Size not available from LRUCache
+            maxSize: this.cache.maxSize,
         };
     }
     // Private helper methods
     validatePayload(payload) {
-        if (!payload || typeof payload !== "object") {
-            throw new ValidationError("Payload must be a non-null object");
+        if (!payload || typeof payload !== 'object') {
+            throw new ValidationError('Payload must be a non-null object');
         }
         if (Object.keys(payload).length === 0) {
-            throw new ValidationError("Payload cannot be empty");
+            throw new ValidationError('Payload cannot be empty');
         }
     }
 }

package/dist/esm/core/jwt/parseDuration.js

@@ -3,16 +3,16 @@ const TIME_UNITS = {
     m: 60,
     h: 3600,
     d: 86400,
-    w: 604800
+    w: 604800,
 };
 export function parseDuration(input) {
-    if (typeof input === "number")
+    if (typeof input === 'number')
         return input;
     const regex = /(\d+)\s*(s|m|h|d|w)/gi;
     let totalSeconds = 0;
     let match;
     while ((match = regex.exec(input)) !== null) {
-        const value = parseInt(match[1], 10);
+        const value = Number.parseInt(match[1], 10);
         const unit = match[2].toLowerCase();
         if (!TIME_UNITS[unit]) {
             throw new Error(`Invalid time unit: ${unit}`);

package/dist/esm/core/jwt/signToken.d.ts

@@ -1,2 +1,2 @@
-import { Secret, SignOptions } from "jsonwebtoken";
+import { type Secret, type SignOptions } from 'jsonwebtoken';
 export declare const signToken: (payload: Record<string, unknown>, secret: Secret, expiresIn?: string | number, options?: SignOptions) => string;

package/dist/esm/core/jwt/signToken.js

@@ -1,22 +1,22 @@
-import { sign } from "jsonwebtoken";
-import { parseDuration } from "./parseDuration";
+import { sign } from 'jsonwebtoken';
+import { parseDuration } from './parseDuration';
 function getExpiryTimestamp(seconds) {
     return Math.floor(Date.now() / 1000) + seconds;
 }
-export const signToken = (payload, secret, expiresIn = "1h", options = {}) => {
+export const signToken = (payload, secret, expiresIn = '1h', options = {}) => {
     const seconds = parseDuration(expiresIn);
     if (!seconds || seconds < 10) {
-        throw new Error("Token expiry too small");
+        throw new Error('Token expiry too small');
     }
     const tokenPayload = {
-        ...payload
+        ...payload,
     };
-    if (!("exp" in payload))
+    if (!('exp' in payload))
         tokenPayload.exp = getExpiryTimestamp(seconds);
-    if (!("iat" in payload))
+    if (!('iat' in payload))
         tokenPayload.iat = Math.floor(Date.now() / 1000);
     return sign(tokenPayload, secret, {
-        algorithm: "HS256",
-        ...options
+        algorithm: 'HS256',
+        ...options,
     });
 };

package/dist/esm/core/jwt/types.d.ts

@@ -1,4 +1,4 @@
-import { JwtPayload } from "jsonwebtoken";
+import type { JwtPayload } from 'jsonwebtoken';
 export interface AccessTokenBrand {
     readonly access: unique symbol;
 }

package/dist/esm/core/jwt/validateToken.d.ts

@@ -1,8 +1,8 @@
-import { JwtPayload } from "node_modules/@types/jsonwebtoken";
+import type { JwtPayload } from 'node_modules/@types/jsonwebtoken';
 export interface TokenRequirements {
     requiredFields?: string[];
     forbiddenFields?: string[];
-    validateTypes?: Record<string, "string" | "number" | "boolean">;
+    validateTypes?: Record<string, 'string' | 'number' | 'boolean'>;
 }
 export declare function validateTokenPayload(payload: Record<string, unknown>, rules?: TokenRequirements): {
     valid: true;

package/dist/esm/core/jwt/validateToken.js

@@ -1,7 +1,7 @@
 export function validateTokenPayload(payload, rules = {
-    requiredFields: ["exp", "iat"]
+    requiredFields: ['exp', 'iat'],
 }) {
-    const { requiredFields = [], forbiddenFields = [], validateTypes = {} } = rules;
+    const { requiredFields = [], forbiddenFields = [], validateTypes = {}, } = rules;
     // 1. Required fields
     for (const field of requiredFields) {
         if (!(field in payload)) {
@@ -20,7 +20,7 @@ export function validateTokenPayload(payload, rules = {
         if (key in payload && typeof payload[key] !== expectedType) {
             return {
                 valid: false,
-                error: `Invalid type for ${key}. Expected ${expectedType}.`
+                error: `Invalid type for ${key}. Expected ${expectedType}.`,
             };
         }
     }

package/dist/esm/core/jwt/verify.d.ts

@@ -1,5 +1,6 @@
-import jwt, { Secret, JwtPayload } from "jsonwebtoken";
-import { VerificationResult } from "./types";
+import type jwt from 'jsonwebtoken';
+import { type JwtPayload, type Secret } from 'jsonwebtoken';
+import type { VerificationResult } from './types';
 /**
  * Verify token (throws if invalid or expired)
  */

package/dist/esm/core/jwt/verify.js

@@ -1,4 +1,4 @@
-import { verify } from "jsonwebtoken";
+import { verify } from 'jsonwebtoken';
 /**
  * Verify token (throws if invalid or expired)
  */

package/dist/esm/core/password/hash.js

@@ -1,6 +1,6 @@
-import bcrypt from "bcryptjs";
-import { ensureValidPassword } from "./utils";
-import { InternalServerError } from "@naman_deep_singh/errors-utils";
+import { InternalServerError } from '@naman_deep_singh/errors-utils';
+import bcrypt from 'bcryptjs';
+import { ensureValidPassword } from './utils';
 /**
  * Hash a password asynchronously using bcrypt.
  */

package/dist/esm/core/password/index.d.ts

@@ -1,3 +1,3 @@
-export * from "./hash";
-export * from "./strength";
-export * from "./verify";
+export * from './hash';
+export * from './strength';
+export * from './verify';

package/dist/esm/core/password/index.js

@@ -1,3 +1,3 @@
-export * from "./hash";
-export * from "./strength";
-export * from "./verify";
+export * from './hash';
+export * from './strength';
+export * from './verify';

package/dist/esm/core/password/passwordManager.d.ts

@@ -1,4 +1,4 @@
-import { IPasswordManager, PasswordConfig, PasswordValidationResult, HashedPassword, PasswordStrength } from "../../interfaces/password.interface";
+import type { HashedPassword, IPasswordManager, PasswordConfig, PasswordStrength, PasswordValidationResult } from '../../interfaces/password.interface';
 export declare class PasswordManager implements IPasswordManager {
     private defaultConfig;
     constructor(config?: PasswordConfig);

package/dist/esm/core/password/passwordManager.js

@@ -1,7 +1,7 @@
-import bcrypt from "bcryptjs";
-import crypto from "crypto";
-import { ensureValidPassword, estimatePasswordEntropy } from "./utils";
-import { BadRequestError, ValidationError } from "@naman_deep_singh/errors-utils";
+import crypto from 'crypto';
+import bcrypt from 'bcryptjs';
+import { BadRequestError, ValidationError, } from '@naman_deep_singh/errors-utils';
+import { ensureValidPassword, estimatePasswordEntropy } from './utils';
 export class PasswordManager {
     constructor(config = {}) {
         this.defaultConfig = {
@@ -12,7 +12,7 @@ export class PasswordManager {
             requireLowercase: true,
             requireNumbers: true,
             requireSpecialChars: false,
-            ...config
+            ...config,
         };
     }
     /**
@@ -31,14 +31,15 @@ export class PasswordManager {
             const hash = await bcrypt.hash(password, passwordSalt);
             return {
                 hash,
-                salt: passwordSalt
+                salt: passwordSalt,
             };
         }
         catch (error) {
-            if (error instanceof BadRequestError || error instanceof ValidationError) {
+            if (error instanceof BadRequestError ||
+                error instanceof ValidationError) {
                 throw error;
             }
-            throw new BadRequestError("Failed to hash password");
+            throw new BadRequestError('Failed to hash password');
         }
     }
     /**
@@ -70,14 +71,14 @@ export class PasswordManager {
         if (length < config.minLength || length > config.maxLength) {
             throw new ValidationError(`Password length must be between ${config.minLength} and ${config.maxLength}`);
         }
-        let charset = "abcdefghijklmnopqrstuvwxyz";
+        let charset = 'abcdefghijklmnopqrstuvwxyz';
         if (config.requireUppercase)
-            charset += "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+            charset += 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
         if (config.requireNumbers)
-            charset += "0123456789";
+            charset += '0123456789';
         if (config.requireSpecialChars)
-            charset += "!@#$%^&*()_+-=[]{}|;:,.<>?";
-        let password = "";
+            charset += '!@#$%^&*()_+-=[]{}|;:,.<>?';
+        let password = '';
         const randomBytes = crypto.randomBytes(length);
         for (let i = 0; i < length; i++) {
             password += charset[randomBytes[i] % charset.length];
@@ -104,8 +105,8 @@ export class PasswordManager {
         const finalConfig = { ...this.defaultConfig, ...config };
         const errors = [];
         // Basic validation
-        if (!password || typeof password !== "string") {
-            errors.push("Password must be a non-empty string");
+        if (!password || typeof password !== 'string') {
+            errors.push('Password must be a non-empty string');
         }
         // Length validation
         if (password.length < finalConfig.minLength) {
@@ -116,20 +117,20 @@ export class PasswordManager {
         }
         // Complexity requirements
         if (finalConfig.requireUppercase && !/[A-Z]/.test(password)) {
-            errors.push("Password must contain at least one uppercase letter");
+            errors.push('Password must contain at least one uppercase letter');
         }
         if (finalConfig.requireLowercase && !/[a-z]/.test(password)) {
-            errors.push("Password must contain at least one lowercase letter");
+            errors.push('Password must contain at least one lowercase letter');
         }
         if (finalConfig.requireNumbers && !/[0-9]/.test(password)) {
-            errors.push("Password must contain at least one number");
+            errors.push('Password must contain at least one number');
         }
         if (finalConfig.requireSpecialChars && !/[^A-Za-z0-9]/.test(password)) {
-            errors.push("Password must contain at least one special character");
+            errors.push('Password must contain at least one special character');
         }
         // Custom rules
         if (finalConfig.customRules) {
-            finalConfig.customRules.forEach(rule => {
+            finalConfig.customRules.forEach((rule) => {
                 if (!rule.test(password)) {
                     errors.push(rule.message);
                 }
@@ -140,7 +141,7 @@ export class PasswordManager {
         return {
             isValid,
             errors,
-            strength
+            strength,
         };
     }
     /**
@@ -170,25 +171,25 @@ export class PasswordManager {
         // Common patterns deduction
         if (/^[A-Za-z]+$/.test(password)) {
             score--;
-            feedback.push("Consider adding numbers and symbols");
+            feedback.push('Consider adding numbers and symbols');
         }
         if (/^[0-9]+$/.test(password)) {
             score -= 2;
-            feedback.push("Avoid using only numbers");
+            feedback.push('Avoid using only numbers');
         }
         if (/([a-zA-Z0-9])\1{2,}/.test(password)) {
             score--;
-            feedback.push("Avoid repeated characters");
+            feedback.push('Avoid repeated characters');
         }
         if (/(?:012|123|234|345|456|567|678|789)/.test(password)) {
             score--;
-            feedback.push("Avoid sequential patterns");
+            feedback.push('Avoid sequential patterns');
         }
         // Common passwords check
         const commonPasswords = ['password', '123456', 'qwerty', 'admin', 'letmein'];
-        if (commonPasswords.some(common => password.toLowerCase().includes(common))) {
+        if (commonPasswords.some((common) => password.toLowerCase().includes(common))) {
             score = 0;
-            feedback.push("Avoid common passwords");
+            feedback.push('Avoid common passwords');
         }
         // Clamp score and determine label
         score = Math.max(0, Math.min(4, score));
@@ -196,23 +197,23 @@ export class PasswordManager {
         switch (score) {
             case 0:
                 label = 'very-weak';
-                suggestions.push("Use a longer password with mixed characters");
+                suggestions.push('Use a longer password with mixed characters');
                 break;
             case 1:
                 label = 'weak';
-                suggestions.push("Add more character variety");
+                suggestions.push('Add more character variety');
                 break;
             case 2:
                 label = 'fair';
-                suggestions.push("Consider adding more length or character types");
+                suggestions.push('Consider adding more length or character types');
                 break;
             case 3:
                 label = 'good';
-                suggestions.push("Your password is reasonably secure");
+                suggestions.push('Your password is reasonably secure');
                 break;
             case 4:
                 label = 'strong';
-                suggestions.push("Your password is very secure");
+                suggestions.push('Your password is very secure');
                 break;
             default:
                 label = 'very-weak';
@@ -221,7 +222,7 @@ export class PasswordManager {
             score,
             label,
             feedback,
-            suggestions
+            suggestions,
         };
     }
     /**

package/dist/esm/core/password/strength.d.ts

@@ -1,2 +1,2 @@
-import { PasswordStrengthOptions } from "./types";
+import type { PasswordStrengthOptions } from './types';
 export declare const isPasswordStrong: (password: string, options?: PasswordStrengthOptions) => boolean;