@naman_deep_singh/security 1.3.2 → 1.4.0

package/dist/cjs/core/password/passwordManager.js

@@ -27,25 +27,20 @@ class PasswordManager {
     async hash(password, salt) {
         try {
             (0, utils_1.ensureValidPassword)(password);
-            // Validate password meets basic requirements
             this.validate(password);
             const saltRounds = this.defaultConfig.saltRounds;
-            let passwordSalt = salt;
-            if (!passwordSalt) {
-                passwordSalt = await bcryptjs_1.default.genSalt(saltRounds);
+            let finalSalt = salt;
+            if (!finalSalt) {
+                finalSalt = await bcryptjs_1.default.genSalt(saltRounds);
             }
-            const hash = await bcryptjs_1.default.hash(password, passwordSalt);
-            return {
-                hash,
-                salt: passwordSalt,
-            };
+            const hash = await bcryptjs_1.default.hash(password, finalSalt);
+            return { hash, salt: finalSalt };
         }
         catch (error) {
-            if (error instanceof errors_utils_1.BadRequestError ||
-                error instanceof errors_utils_1.ValidationError) {
+            if (error instanceof errors_utils_1.BadRequestError || error instanceof errors_utils_1.ValidationError) {
                 throw error;
             }
-            throw new errors_utils_1.BadRequestError('Failed to hash password');
+            throw new errors_utils_1.BadRequestError({ message: 'Failed to hash password' }, error instanceof Error ? error : undefined);
         }
     }
     /**
@@ -53,19 +48,12 @@ class PasswordManager {
      */
     async verify(password, hash, salt) {
         try {
-            if (!password || !hash || !salt) {
+            if (!password || !hash || !salt)
                 return false;
-            }
-            // First verify with the provided salt
-            const isValid = await bcryptjs_1.default.compare(password, hash);
-            // If invalid and different salt was used, try regenerating hash with new salt
-            if (!isValid && salt !== this.defaultConfig.saltRounds?.toString()) {
-                const newHash = await bcryptjs_1.default.hash(password, salt);
-                return newHash === hash;
-            }
-            return isValid;
+            // bcrypt compare works directly with hash
+            return await bcryptjs_1.default.compare(password, hash);
         }
-        catch (error) {
+        catch {
             return false;
         }
     }
@@ -75,7 +63,7 @@ class PasswordManager {
     generate(length = 16, options = {}) {
         const config = { ...this.defaultConfig, ...options };
         if (length < config.minLength || length > config.maxLength) {
-            throw new errors_utils_1.ValidationError(`Password length must be between ${config.minLength} and ${config.maxLength}`);
+            throw new errors_utils_1.ValidationError({ message: `Password length must be between ${config.minLength} and ${config.maxLength}` });
         }
         let charset = 'abcdefghijklmnopqrstuvwxyz';
         if (config.requireUppercase)
@@ -84,24 +72,20 @@ class PasswordManager {
             charset += '0123456789';
         if (config.requireSpecialChars)
             charset += '!@#$%^&*()_+-=[]{}|;:,.<>?';
-        let password = '';
         const randomBytes = crypto_1.default.randomBytes(length);
+        let password = '';
         for (let i = 0; i < length; i++) {
             password += charset[randomBytes[i] % charset.length];
         }
-        // Ensure all requirements are met
-        if (config.requireUppercase && !/[A-Z]/.test(password)) {
+        // Ensure requirements
+        if (config.requireUppercase && !/[A-Z]/.test(password))
             password = password.replace(/[a-z]/, 'A');
-        }
-        if (config.requireLowercase && !/[a-z]/.test(password)) {
+        if (config.requireLowercase && !/[a-z]/.test(password))
             password = password.replace(/[A-Z]/, 'a');
-        }
-        if (config.requireNumbers && !/[0-9]/.test(password)) {
+        if (config.requireNumbers && !/[0-9]/.test(password))
             password = password.replace(/[A-Za-z]/, '0');
-        }
-        if (config.requireSpecialChars && !/[^A-Za-z0-9]/.test(password)) {
+        if (config.requireSpecialChars && !/[^A-Za-z0-9]/.test(password))
             password = password.replace(/[A-Za-z0-9]/, '!');
-        }
         return password;
     }
     /**
@@ -110,45 +94,27 @@ class PasswordManager {
     validate(password, config = {}) {
         const finalConfig = { ...this.defaultConfig, ...config };
         const errors = [];
-        // Basic validation
-        if (!password || typeof password !== 'string') {
+        if (!password || typeof password !== 'string')
             errors.push('Password must be a non-empty string');
-        }
-        // Length validation
-        if (password.length < finalConfig.minLength) {
-            errors.push(`Password must be at least ${finalConfig.minLength} characters long`);
-        }
-        if (password.length > finalConfig.maxLength) {
+        if (password.length < finalConfig.minLength)
+            errors.push(`Password must be at least ${finalConfig.minLength} characters`);
+        if (password.length > finalConfig.maxLength)
             errors.push(`Password must not exceed ${finalConfig.maxLength} characters`);
-        }
-        // Complexity requirements
-        if (finalConfig.requireUppercase && !/[A-Z]/.test(password)) {
+        if (finalConfig.requireUppercase && !/[A-Z]/.test(password))
             errors.push('Password must contain at least one uppercase letter');
-        }
-        if (finalConfig.requireLowercase && !/[a-z]/.test(password)) {
+        if (finalConfig.requireLowercase && !/[a-z]/.test(password))
             errors.push('Password must contain at least one lowercase letter');
-        }
-        if (finalConfig.requireNumbers && !/[0-9]/.test(password)) {
+        if (finalConfig.requireNumbers && !/[0-9]/.test(password))
             errors.push('Password must contain at least one number');
-        }
-        if (finalConfig.requireSpecialChars && !/[^A-Za-z0-9]/.test(password)) {
+        if (finalConfig.requireSpecialChars && !/[^A-Za-z0-9]/.test(password))
             errors.push('Password must contain at least one special character');
-        }
-        // Custom rules
         if (finalConfig.customRules) {
             finalConfig.customRules.forEach((rule) => {
-                if (!rule.test(password)) {
+                if (!rule.test(password))
                     errors.push(rule.message);
-                }
             });
         }
-        const strength = this.checkStrength(password);
-        const isValid = errors.length === 0;
-        return {
-            isValid,
-            errors,
-            strength,
-        };
+        return { isValid: errors.length === 0, errors, strength: this.checkStrength(password) };
     }
     /**
      * Check password strength
@@ -158,14 +124,20 @@ class PasswordManager {
         let score = 0;
         const feedback = [];
         const suggestions = [];
-        // Length scoring
-        if (password.length >= 8)
+        if (entropy < 28) {
+            feedback.push('Password is easy to guess');
+            suggestions.push('Use more unique characters and length');
+        }
+        else if (entropy < 36)
             score++;
+        else if (entropy < 60)
+            score += 2;
+        else
+            score += 3;
         if (password.length >= 12)
             score++;
         if (password.length >= 16)
             score++;
-        // Character variety scoring
         if (/[a-z]/.test(password))
             score++;
         if (/[A-Z]/.test(password))
@@ -174,10 +146,9 @@ class PasswordManager {
             score++;
         if (/[^A-Za-z0-9]/.test(password))
             score++;
-        // Common patterns deduction
         if (/^[A-Za-z]+$/.test(password)) {
             score--;
-            feedback.push('Consider adding numbers and symbols');
+            feedback.push('Consider adding numbers or symbols');
         }
         if (/^[0-9]+$/.test(password)) {
             score -= 2;
@@ -191,13 +162,11 @@ class PasswordManager {
             score--;
             feedback.push('Avoid sequential patterns');
         }
-        // Common passwords check
         const commonPasswords = ['password', '123456', 'qwerty', 'admin', 'letmein'];
         if (commonPasswords.some((common) => password.toLowerCase().includes(common))) {
             score = 0;
             feedback.push('Avoid common passwords');
         }
-        // Clamp score and determine label
         score = Math.max(0, Math.min(4, score));
         let label;
         switch (score) {
@@ -211,7 +180,7 @@ class PasswordManager {
                 break;
             case 2:
                 label = 'fair';
-                suggestions.push('Consider adding more length or character types');
+                suggestions.push('Consider increasing length or randomness');
                 break;
             case 3:
                 label = 'good';
@@ -221,22 +190,14 @@ class PasswordManager {
                 label = 'strong';
                 suggestions.push('Your password is very secure');
                 break;
-            default:
-                label = 'very-weak';
+            default: label = 'very-weak';
         }
-        return {
-            score,
-            label,
-            feedback,
-            suggestions,
-        };
+        return { score, label, feedback, suggestions };
     }
     /**
-     * Check if password hash needs upgrade (different salt rounds)
+     * Check if password hash needs upgrade (saltRounds change)
      */
-    needsUpgrade(hash, currentConfig) {
-        // Simple heuristic: if the hash doesn't match current salt rounds pattern
-        // In practice, you'd need to store the salt rounds with the hash
+    needsUpgrade(_hash, _currentConfig) {
         return false;
     }
 }

package/dist/cjs/core/password/strength.js

@@ -4,18 +4,18 @@ exports.isPasswordStrong = void 0;
 const errors_utils_1 = require("@naman_deep_singh/errors-utils");
 const isPasswordStrong = (password, options = {}) => {
     if (!password)
-        throw new errors_utils_1.BadRequestError('Invalid password provided');
+        throw new errors_utils_1.BadRequestError({ message: 'Invalid password provided' });
     const { minLength = 8, requireUppercase = true, requireLowercase = true, requireNumbers = true, requireSymbols = false, } = options;
     if (password.length < minLength)
         throw new errors_utils_1.ValidationError(`Password must be at least ${minLength} characters`);
     if (requireUppercase && !/[A-Z]/.test(password))
-        throw new errors_utils_1.ValidationError('Password must include uppercase letters');
+        throw new errors_utils_1.ValidationError({ message: 'Password must include uppercase letters' });
     if (requireLowercase && !/[a-z]/.test(password))
-        throw new errors_utils_1.ValidationError('Password must include lowercase letters');
+        throw new errors_utils_1.ValidationError({ message: 'Password must include lowercase letters' });
     if (requireNumbers && !/[0-9]/.test(password))
-        throw new errors_utils_1.ValidationError('Password must include numbers');
+        throw new errors_utils_1.ValidationError({ message: 'Password must include numbers' });
     if (requireSymbols && !/[^A-Za-z0-9]/.test(password))
-        throw new errors_utils_1.ValidationError('Password must include symbols');
+        throw new errors_utils_1.ValidationError({ message: 'Password must include symbols' });
     return true;
 };
 exports.isPasswordStrong = isPasswordStrong;

package/dist/cjs/core/password/utils.d.ts

@@ -1,4 +1,16 @@
+/**
+ * Ensure password is a valid non-empty string
+ */
 export declare function ensureValidPassword(password: string): void;
+/**
+ * Timing-safe comparison between two strings
+ */
 export declare function safeCompare(a: string, b: string): boolean;
+/**
+ * Estimate password entropy based on character pool
+ */
 export declare function estimatePasswordEntropy(password: string): number;
+/**
+ * Normalize password string to a consistent form
+ */
 export declare function normalizePassword(password: string): string;

package/dist/cjs/core/password/utils.js

@@ -9,11 +9,17 @@ exports.estimatePasswordEntropy = estimatePasswordEntropy;
 exports.normalizePassword = normalizePassword;
 const crypto_1 = __importDefault(require("crypto"));
 const errors_utils_1 = require("@naman_deep_singh/errors-utils");
+/**
+ * Ensure password is a valid non-empty string
+ */
 function ensureValidPassword(password) {
     if (!password || typeof password !== 'string') {
-        throw new errors_utils_1.BadRequestError('Invalid password provided');
+        throw new errors_utils_1.BadRequestError({ message: 'Invalid password provided' });
     }
 }
+/**
+ * Timing-safe comparison between two strings
+ */
 function safeCompare(a, b) {
     const bufA = Buffer.from(a);
     const bufB = Buffer.from(b);
@@ -21,6 +27,9 @@ function safeCompare(a, b) {
         return false;
     return crypto_1.default.timingSafeEqual(bufA, bufB);
 }
+/**
+ * Estimate password entropy based on character pool
+ */
 function estimatePasswordEntropy(password) {
     let pool = 0;
     if (/[a-z]/.test(password))
@@ -31,8 +40,14 @@ function estimatePasswordEntropy(password) {
         pool += 10;
     if (/[^A-Za-z0-9]/.test(password))
         pool += 32;
+    // If no characters matched, fallback to 1 to avoid log2(0)
+    if (pool === 0)
+        pool = 1;
     return password.length * Math.log2(pool);
 }
+/**
+ * Normalize password string to a consistent form
+ */
 function normalizePassword(password) {
     return password.normalize('NFKC');
 }

package/dist/cjs/core/password/verify.js

@@ -15,11 +15,11 @@ const verifyPassword = async (password, hash) => {
     try {
         const result = await bcryptjs_1.default.compare(password, hash);
         if (!result)
-            throw new errors_utils_1.UnauthorizedError('Password verification failed');
+            throw new errors_utils_1.UnauthorizedError({ message: 'Password verification failed' });
         return result;
     }
     catch {
-        throw new errors_utils_1.UnauthorizedError('Password verification failed');
+        throw new errors_utils_1.UnauthorizedError({ message: 'Password verification failed' });
     }
 };
 exports.verifyPassword = verifyPassword;
@@ -33,11 +33,11 @@ const verifyPasswordSync = (password, hash) => {
     try {
         const result = bcryptjs_1.default.compareSync(password, hash);
         if (!result)
-            throw new errors_utils_1.UnauthorizedError('Password verification failed');
+            throw new errors_utils_1.UnauthorizedError({ message: 'Password verification failed' });
         return result;
     }
-    catch (error) {
-        throw new errors_utils_1.UnauthorizedError('Password verification failed');
+    catch (_error) {
+        throw new errors_utils_1.UnauthorizedError({ message: 'Password verification failed' });
     }
 };
 exports.verifyPasswordSync = verifyPasswordSync;

package/dist/cjs/index.d.ts

@@ -21,16 +21,11 @@ declare const _default: {
     generateTokens: (payload: Record<string, unknown>, accessSecret: import("node_modules/@types/jsonwebtoken").Secret, refreshSecret: import("node_modules/@types/jsonwebtoken").Secret, accessExpiry?: string | number, refreshExpiry?: string | number) => JWTUtils.TokenPair;
     parseDuration(input: string | number): number;
     signToken: (payload: Record<string, unknown>, secret: import("node_modules/@types/jsonwebtoken").Secret, expiresIn?: string | number, options?: import("node_modules/@types/jsonwebtoken").SignOptions) => string;
-    validateTokenPayload(payload: Record<string, unknown>, rules?: JWTUtils.TokenRequirements): {
-        valid: true;
-    } | {
-        valid: false;
-        error: string;
-    };
+    validateTokenPayload(payload: Record<string, unknown>, rules?: JWTUtils.TokenRequirements): void;
     isTokenExpired(payload: import("node_modules/@types/jsonwebtoken").JwtPayload): boolean;
     verifyToken: (token: string, secret: import("node_modules/@types/jsonwebtoken").Secret) => string | import("node_modules/@types/jsonwebtoken").JwtPayload;
-    safeVerifyToken: (token: string, secret: import("node_modules/@types/jsonwebtoken").Secret) => JWTUtils.VerificationResult;
     verifyTokenWithOptions: (token: string, secret: import("node_modules/@types/jsonwebtoken").Secret, options?: import("node_modules/@types/jsonwebtoken").VerifyOptions) => string | import("node_modules/@types/jsonwebtoken").JwtPayload;
+    safeVerifyToken: (token: string, secret: import("node_modules/@types/jsonwebtoken").Secret) => JWTUtils.VerificationResult;
     safeVerifyTokenWithOptions: (token: string, secret: import("node_modules/@types/jsonwebtoken").Secret, options?: import("node_modules/@types/jsonwebtoken").VerifyOptions) => JWTUtils.VerificationResult;
     hashPasswordWithPepper(password: string, pepper: string): Promise<string>;
     hashPasswordWithPepperSync(password: string, pepper: string): string;

package/dist/esm/core/crypto/cryptoManager.d.ts

@@ -24,7 +24,7 @@ export declare class CryptoManager {
     /**
      * Encrypt data using the default or specified algorithm
      */
-    encrypt(plaintext: string, key: string, options?: {
+    encrypt(plaintext: string, key: string, _options?: {
         algorithm?: string;
         encoding?: BufferEncoding;
         iv?: string;
@@ -32,7 +32,7 @@ export declare class CryptoManager {
     /**
      * Decrypt data using the default or specified algorithm
      */
-    decrypt(encryptedData: string, key: string, options?: {
+    decrypt(encryptedData: string, key: string, _options?: {
         algorithm?: string;
         encoding?: BufferEncoding;
         iv?: string;
@@ -40,18 +40,18 @@ export declare class CryptoManager {
     /**
      * Generate HMAC signature
      */
-    generateHmac(data: string, secret: string, options?: {
+    generateHmac(data: string, secret: string, _options?: {
         algorithm?: string;
         encoding?: BufferEncoding;
     }): string;
     /**
      * Generate cryptographically secure random bytes
      */
-    generateSecureRandom(length: number, encoding?: BufferEncoding): string;
+    generateSecureRandom(length: number, _encoding?: BufferEncoding): string;
     /**
      * Verify HMAC signature
      */
-    verifyHmac(data: string, secret: string, signature: string, options?: {
+    verifyHmac(data: string, secret: string, signature: string, _options?: {
         algorithm?: string;
         encoding?: BufferEncoding;
     }): boolean;

package/dist/esm/core/crypto/cryptoManager.js

@@ -1,3 +1,4 @@
+import { InternalServerError } from '@naman_deep_singh/errors-utils';
 import { decrypt as functionalDecrypt, encrypt as functionalEncrypt, hmacSign as functionalHmacSign, hmacVerify as functionalHmacVerify, randomToken as functionalRandomToken, } from './index';
 /**
  * Default configuration
@@ -30,23 +31,33 @@ export class CryptoManager {
     /**
      * Encrypt data using the default or specified algorithm
      */
-    encrypt(plaintext, key, options) {
-        // For now, use the basic encrypt function
-        // TODO: Enhance to support different algorithms and options
-        return functionalEncrypt(plaintext, key);
+    encrypt(plaintext, key, _options) {
+        try {
+            return functionalEncrypt(plaintext, key);
+        }
+        catch (err) {
+            throw new InternalServerError(undefined, {
+                message: 'Encryption failed',
+            }, err instanceof Error ? err : undefined);
+        }
     }
     /**
      * Decrypt data using the default or specified algorithm
      */
-    decrypt(encryptedData, key, options) {
-        // For now, use the basic decrypt function
-        // TODO: Enhance to support different algorithms and options
-        return functionalDecrypt(encryptedData, key);
+    decrypt(encryptedData, key, _options) {
+        try {
+            return functionalDecrypt(encryptedData, key);
+        }
+        catch (err) {
+            throw new InternalServerError(undefined, {
+                message: 'Decryption failed',
+            }, err instanceof Error ? err : undefined);
+        }
     }
     /**
      * Generate HMAC signature
      */
-    generateHmac(data, secret, options) {
+    generateHmac(data, secret, _options) {
         // Use the basic HMAC sign function for now
         // TODO: Add support for different algorithms
         return functionalHmacSign(data, secret);
@@ -54,14 +65,14 @@ export class CryptoManager {
     /**
      * Generate cryptographically secure random bytes
      */
-    generateSecureRandom(length, encoding = 'hex') {
+    generateSecureRandom(length, _encoding = 'hex') {
         // Use the basic random token function
         return functionalRandomToken(length);
     }
     /**
      * Verify HMAC signature
      */
-    verifyHmac(data, secret, signature, options) {
+    verifyHmac(data, secret, signature, _options) {
         // Use the basic HMAC verify function
         return functionalHmacVerify(data, secret, signature);
     }
@@ -73,7 +84,9 @@ export class CryptoManager {
             const crypto = require('crypto');
             crypto.pbkdf2(password, salt, iterations, keyLength, 'sha256', (err, derivedKey) => {
                 if (err) {
-                    reject(err);
+                    reject(new InternalServerError(undefined, {
+                        message: 'Key derivation failed',
+                    }, err instanceof Error ? err : undefined));
                 }
                 else {
                     resolve(derivedKey.toString('hex'));
@@ -99,7 +112,7 @@ export class CryptoManager {
      * Generate a secure key pair for asymmetric encryption
      */
     generateKeyPair(options) {
-        return new Promise((resolve, reject) => {
+        return new Promise((resolve, _reject) => {
             const crypto = require('crypto');
             const keyPair = crypto.generateKeyPairSync('rsa', {
                 modulusLength: options?.modulusLength || 2048,
@@ -119,7 +132,7 @@ export class CryptoManager {
      * Encrypt data using RSA public key
      */
     rsaEncrypt(data, publicKey) {
-        return new Promise((resolve, reject) => {
+        return new Promise((resolve, _reject) => {
             const crypto = require('crypto');
             const buffer = Buffer.from(data, 'utf8');
             const encrypted = crypto.publicEncrypt(publicKey, buffer);
@@ -130,7 +143,7 @@ export class CryptoManager {
      * Decrypt data using RSA private key
      */
     rsaDecrypt(encryptedData, privateKey) {
-        return new Promise((resolve, reject) => {
+        return new Promise((resolve, _reject) => {
             const crypto = require('crypto');
             const buffer = Buffer.from(encryptedData, 'base64');
             const decrypted = crypto.privateDecrypt(privateKey, buffer);
@@ -143,15 +156,17 @@ export class CryptoManager {
     rsaSign(data, privateKey, algorithm = 'sha256') {
         return new Promise((resolve, reject) => {
             const crypto = require('crypto');
-            const sign = crypto.createSign(algorithm);
-            sign.update(data);
-            sign.end();
             try {
+                const sign = crypto.createSign(algorithm);
+                sign.update(data);
+                sign.end();
                 const signature = sign.sign(privateKey, 'base64');
                 resolve(signature);
             }
-            catch (error) {
-                reject(error);
+            catch (err) {
+                reject(new InternalServerError(undefined, {
+                    message: 'RSA signing failed',
+                }, err instanceof Error ? err : undefined));
             }
         });
     }
@@ -161,15 +176,17 @@ export class CryptoManager {
     rsaVerify(data, signature, publicKey, algorithm = 'sha256') {
         return new Promise((resolve, reject) => {
             const crypto = require('crypto');
-            const verify = crypto.createVerify(algorithm);
-            verify.update(data);
-            verify.end();
             try {
+                const verify = crypto.createVerify(algorithm);
+                verify.update(data);
+                verify.end();
                 const isValid = verify.verify(publicKey, signature, 'base64');
                 resolve(isValid);
             }
-            catch (error) {
-                reject(error);
+            catch (err) {
+                reject(new InternalServerError(undefined, {
+                    message: 'RSA verification failed',
+                }, err instanceof Error ? err : undefined));
             }
         });
     }

package/dist/esm/core/jwt/decode.js

@@ -1,5 +1,6 @@
 // src/jwt/decodeToken.ts
 import { decode } from 'jsonwebtoken';
+import { BadRequestError } from '@naman_deep_singh/errors-utils';
 /**
  * Flexible decode
  * Returns: null | string | JwtPayload
@@ -15,7 +16,9 @@ export function decodeToken(token) {
 export function decodeTokenStrict(token) {
     const decoded = decode(token);
     if (!decoded || typeof decoded === 'string') {
-        throw new Error('Invalid JWT payload structure');
+        throw new BadRequestError({
+            message: 'Invalid JWT payload structure',
+        });
     }
     return decoded;
 }

package/dist/esm/core/jwt/generateTokens.d.ts

@@ -1,4 +1,4 @@
-import { type Secret } from 'jsonwebtoken';
+import type { Secret } from 'jsonwebtoken';
 import type { RefreshToken, TokenPair } from './types';
 export declare const generateTokens: (payload: Record<string, unknown>, accessSecret: Secret, refreshSecret: Secret, accessExpiry?: string | number, refreshExpiry?: string | number) => TokenPair;
 export declare function rotateRefreshToken(oldToken: string, secret: Secret): RefreshToken;

package/dist/esm/core/jwt/generateTokens.js

@@ -1,9 +1,10 @@
 import { signToken } from './signToken';
 import { verifyToken } from './verify';
+import { TokenMalformedError } from '@naman_deep_singh/errors-utils';
 // Helper function to create branded tokens
-const createBrandedToken = (token, _brand) => {
-    return token;
-};
+/* const createBrandedToken = <T extends string>(token: string, _brand: T): T => {
+    return token as T
+} */
 export const generateTokens = (payload, accessSecret, refreshSecret, accessExpiry = '15m', refreshExpiry = '7d') => {
     const accessToken = signToken(payload, accessSecret, accessExpiry, {
         algorithm: 'HS256',
@@ -19,7 +20,9 @@ export const generateTokens = (payload, accessSecret, refreshSecret, accessExpir
 export function rotateRefreshToken(oldToken, secret) {
     const decoded = verifyToken(oldToken, secret);
     if (typeof decoded === 'string') {
-        throw new Error('Invalid token payload — expected JWT payload object');
+        throw new TokenMalformedError({
+            message: 'Invalid token payload — expected JWT payload object',
+        });
     }
     const payload = { ...decoded };
     delete payload.iat;