@naman_deep_singh/security 1.3.2 → 1.4.0

package/dist/esm/core/jwt/jwtManager.d.ts

@@ -1,5 +1,5 @@
 import { type JwtPayload, type Secret } from 'jsonwebtoken';
-import type { AccessToken, ITokenManager, JWTConfig, RefreshToken, TokenPair, TokenValidationOptions } from '../../interfaces/jwt.interface';
+import type { AccessToken, ITokenManager, JWTConfig, RefreshToken, TokenPair } from '../../interfaces/jwt.interface';
 export declare class JWTManager implements ITokenManager {
     private accessSecret;
     private refreshSecret;
@@ -8,60 +8,36 @@ export declare class JWTManager implements ITokenManager {
     private cache?;
     private cacheTTL;
     constructor(config: JWTConfig);
-    /**
-     * Generate both access and refresh tokens
-     */
+    /** Generate both access and refresh tokens */
     generateTokens(payload: Record<string, unknown>): Promise<TokenPair>;
-    /**
-     * Generate access token
-     */
+    /** Generate access token */
     generateAccessToken(payload: Record<string, unknown>): Promise<AccessToken>;
-    /**
-     * Generate refresh token
-     */
+    /** Generate refresh token */
     generateRefreshToken(payload: Record<string, unknown>): Promise<RefreshToken>;
-    /**
-     * Verify access token
-     */
-    verifyAccessToken(token: string): Promise<JwtPayload | string>;
-    /**
-     * Verify refresh token
-     */
-    verifyRefreshToken(token: string): Promise<JwtPayload | string>;
-    /**
-     * Decode token without verification
-     */
+    /** Verify access token */
+    verifyAccessToken(token: string): Promise<JwtPayload>;
+    /** Verify refresh token */
+    verifyRefreshToken(token: string): Promise<JwtPayload>;
+    /** Decode token without verification */
     decodeToken(token: string, complete?: boolean): JwtPayload | string | null;
-    /**
-     * Extract token from Authorization header
-     */
+    /** Extract token from Authorization header */
     extractTokenFromHeader(authHeader: string): string | null;
-    /**
-     * Validate token without throwing exceptions
-     */
-    validateToken(token: string, secret: Secret, options?: TokenValidationOptions): boolean;
-    /**
-     * Rotate refresh token
-     */
+    /** Validate token without throwing exceptions */
+    validateToken(token: string, secret: Secret): boolean;
+    /** Rotate refresh token */
     rotateRefreshToken(oldToken: string): Promise<RefreshToken>;
-    /**
-     * Check if token is expired
-     */
+    /** Check if token is expired */
     isTokenExpired(token: string): boolean;
-    /**
-     * Get token expiration date
-     */
+    /** Get token expiration date */
     getTokenExpiration(token: string): Date | null;
-    /**
-     * Clear token cache
-     */
+    /** Clear token cache */
     clearCache(): void;
-    /**
-     * Get cache statistics
-     */
+    /** Get cache statistics */
     getCacheStats(): {
         size: number;
         maxSize: number;
     } | null;
+    /** Private helper methods */
     private validatePayload;
+    private verifyTokenWithCache;
 }

package/dist/esm/core/jwt/jwtManager.js

@@ -1,6 +1,6 @@
 import jwt from 'jsonwebtoken';
 import { signToken } from './signToken';
-import { safeVerifyToken, verifyToken } from './verify';
+import { safeVerifyToken } from './verify';
 import { BadRequestError, UnauthorizedError, ValidationError, } from '@naman_deep_singh/errors-utils';
 import { LRUCache } from '@naman_deep_singh/js-extensions';
 export class JWTManager {
@@ -9,284 +9,154 @@ export class JWTManager {
         this.refreshSecret = config.refreshSecret;
         this.accessExpiry = config.accessExpiry || '15m';
         this.refreshExpiry = config.refreshExpiry || '7d';
-        this.cacheTTL = 5 * 60 * 1000; // 5 minutes default TTL
+        this.cacheTTL = 5 * 60 * 1000; // 5 minutes
         if (config.enableCaching) {
             this.cache = new LRUCache(config.maxCacheSize || 100);
         }
     }
-    /**
-     * Generate both access and refresh tokens
-     */
+    /** Generate both access and refresh tokens */
     async generateTokens(payload) {
         try {
             this.validatePayload(payload);
             const accessToken = await this.generateAccessToken(payload);
             const refreshToken = await this.generateRefreshToken(payload);
-            return {
-                accessToken,
-                refreshToken,
-            };
+            return { accessToken, refreshToken };
         }
         catch (error) {
-            if (error instanceof BadRequestError ||
-                error instanceof ValidationError) {
+            if (error instanceof BadRequestError || error instanceof ValidationError)
                 throw error;
-            }
-            throw new BadRequestError('Failed to generate tokens');
+            throw new BadRequestError({ message: 'Failed to generate tokens' }, error instanceof Error ? error : undefined);
         }
     }
-    /**
-     * Generate access token
-     */
+    /** Generate access token */
     async generateAccessToken(payload) {
         try {
             this.validatePayload(payload);
-            const token = signToken(payload, this.accessSecret, this.accessExpiry, {
-                algorithm: 'HS256',
-            });
+            const token = signToken(payload, this.accessSecret, this.accessExpiry, { algorithm: 'HS256' });
             return token;
         }
         catch (error) {
-            if (error instanceof BadRequestError ||
-                error instanceof ValidationError) {
+            if (error instanceof BadRequestError || error instanceof ValidationError)
                 throw error;
-            }
-            throw new BadRequestError('Failed to generate access token');
+            throw new BadRequestError({ message: 'Failed to generate access token' }, error instanceof Error ? error : undefined);
         }
     }
-    /**
-     * Generate refresh token
-     */
+    /** Generate refresh token */
     async generateRefreshToken(payload) {
         try {
             this.validatePayload(payload);
-            const token = signToken(payload, this.refreshSecret, this.refreshExpiry, {
-                algorithm: 'HS256',
-            });
+            const token = signToken(payload, this.refreshSecret, this.refreshExpiry, { algorithm: 'HS256' });
             return token;
         }
         catch (error) {
-            if (error instanceof BadRequestError ||
-                error instanceof ValidationError) {
+            if (error instanceof BadRequestError || error instanceof ValidationError)
                 throw error;
-            }
-            throw new BadRequestError('Failed to generate refresh token');
+            throw new BadRequestError({ message: 'Failed to generate refresh token' }, error instanceof Error ? error : undefined);
         }
     }
-    /**
-     * Verify access token
-     */
+    /** Verify access token */
     async verifyAccessToken(token) {
-        try {
-            if (!token || typeof token !== 'string') {
-                throw new ValidationError('Access token must be a non-empty string');
-            }
-            const cacheKey = `access_${token}`;
-            if (this.cache) {
-                const cached = this.cache.get(cacheKey);
-                if (cached && Date.now() - cached.timestamp <= this.cacheTTL) {
-                    if (!cached.valid) {
-                        throw new UnauthorizedError('Access token is invalid or expired');
-                    }
-                    return cached.payload;
-                }
-            }
-            const decoded = verifyToken(token, this.accessSecret);
-            if (this.cache) {
-                this.cache.set(cacheKey, {
-                    valid: true,
-                    payload: decoded,
-                    timestamp: Date.now(),
-                });
-            }
-            return decoded;
-        }
-        catch (error) {
-            if (error instanceof ValidationError ||
-                error instanceof UnauthorizedError) {
-                throw error;
-            }
-            if (error instanceof Error && error.name === 'TokenExpiredError') {
-                throw new UnauthorizedError('Access token has expired');
-            }
-            if (error instanceof Error && error.name === 'JsonWebTokenError') {
-                throw new UnauthorizedError('Access token is invalid');
-            }
-            throw new UnauthorizedError('Failed to verify access token');
-        }
+        return this.verifyTokenWithCache(token, this.accessSecret, 'access');
     }
-    /**
-     * Verify refresh token
-     */
+    /** Verify refresh token */
     async verifyRefreshToken(token) {
-        try {
-            if (!token || typeof token !== 'string') {
-                throw new ValidationError('Refresh token must be a non-empty string');
-            }
-            const cacheKey = `refresh_${token}`;
-            if (this.cache) {
-                const cached = this.cache.get(cacheKey);
-                if (cached) {
-                    if (!cached.valid) {
-                        throw new UnauthorizedError('Refresh token is invalid or expired');
-                    }
-                    return cached.payload;
-                }
-            }
-            const decoded = verifyToken(token, this.refreshSecret);
-            if (this.cache) {
-                this.cache.set(cacheKey, { valid: true, payload: decoded, timestamp: Date.now() });
-            }
-            return decoded;
-        }
-        catch (error) {
-            if (error instanceof ValidationError ||
-                error instanceof UnauthorizedError) {
-                throw error;
-            }
-            if (error instanceof Error && error.name === 'TokenExpiredError') {
-                throw new UnauthorizedError('Refresh token has expired');
-            }
-            if (error instanceof Error && error.name === 'JsonWebTokenError') {
-                throw new UnauthorizedError('Refresh token is invalid');
-            }
-            throw new UnauthorizedError('Failed to verify refresh token');
-        }
+        return this.verifyTokenWithCache(token, this.refreshSecret, 'refresh');
     }
-    /**
-     * Decode token without verification
-     */
+    /** Decode token without verification */
     decodeToken(token, complete = false) {
-        try {
-            if (!token || typeof token !== 'string') {
-                throw new ValidationError('Token must be a non-empty string');
-            }
-            return jwt.decode(token, { complete });
-        }
-        catch (error) {
-            if (error instanceof ValidationError) {
-                throw error;
-            }
+        if (!token || typeof token !== 'string')
             return null;
-        }
+        return jwt.decode(token, { complete });
     }
-    /**
-     * Extract token from Authorization header
-     */
+    /** Extract token from Authorization header */
     extractTokenFromHeader(authHeader) {
-        try {
-            if (!authHeader || typeof authHeader !== 'string') {
-                return null;
-            }
-            const parts = authHeader.split(' ');
-            if (parts.length !== 2 || parts[0] !== 'Bearer') {
-                return null;
-            }
-            return parts[1];
-        }
-        catch {
+        if (!authHeader || typeof authHeader !== 'string')
             return null;
-        }
+        const parts = authHeader.split(' ');
+        if (parts.length !== 2 || parts[0] !== 'Bearer')
+            return null;
+        return parts[1];
     }
-    /**
-     * Validate token without throwing exceptions
-     */
-    validateToken(token, secret, options = {}) {
-        try {
-            if (!token || typeof token !== 'string') {
-                return false;
-            }
-            const result = safeVerifyToken(token, secret);
-            return result.valid;
-        }
-        catch {
+    /** Validate token without throwing exceptions */
+    validateToken(token, secret) {
+        if (!token || typeof token !== 'string')
             return false;
-        }
+        return safeVerifyToken(token, secret).valid;
     }
-    /**
-     * Rotate refresh token
-     */
+    /** Rotate refresh token */
     async rotateRefreshToken(oldToken) {
-        try {
-            if (!oldToken || typeof oldToken !== 'string') {
-                throw new ValidationError('Old refresh token must be a non-empty string');
-            }
-            const decoded = await this.verifyRefreshToken(oldToken);
-            if (typeof decoded === 'string') {
-                throw new ValidationError('Invalid token payload — expected JWT payload object');
-            }
-            // Create new payload without issued/expired timestamps
-            const payload = { ...decoded };
-            delete payload.iat;
-            delete payload.exp;
-            // Generate new refresh token
-            const newToken = signToken(payload, this.refreshSecret, this.refreshExpiry);
-            return newToken;
-        }
-        catch (error) {
-            if (error instanceof ValidationError ||
-                error instanceof UnauthorizedError) {
-                throw error;
-            }
-            throw new BadRequestError('Failed to rotate refresh token');
-        }
+        if (!oldToken || typeof oldToken !== 'string') {
+            throw new ValidationError({ message: 'Old refresh token must be a non-empty string' });
+        }
+        const decoded = await this.verifyRefreshToken(oldToken);
+        const payload = { ...decoded };
+        delete payload.iat;
+        delete payload.exp;
+        const newToken = signToken(payload, this.refreshSecret, this.refreshExpiry);
+        return newToken;
     }
-    /**
-     * Check if token is expired
-     */
+    /** Check if token is expired */
     isTokenExpired(token) {
         try {
             const decoded = this.decodeToken(token);
-            if (!decoded || !decoded.exp) {
+            if (!decoded || !decoded.exp)
                 return true;
-            }
-            const currentTime = Math.floor(Date.now() / 1000);
-            return decoded.exp < currentTime;
+            return decoded.exp < Math.floor(Date.now() / 1000);
         }
         catch {
             return true;
         }
     }
-    /**
-     * Get token expiration date
-     */
+    /** Get token expiration date */
     getTokenExpiration(token) {
         try {
             const decoded = this.decodeToken(token);
-            if (!decoded || !decoded.exp) {
+            if (!decoded || !decoded.exp)
                 return null;
-            }
             return new Date(decoded.exp * 1000);
         }
         catch {
             return null;
         }
     }
-    /**
-     * Clear token cache
-     */
+    /** Clear token cache */
     clearCache() {
         this.cache?.clear();
     }
-    /**
-     * Get cache statistics
-     */
+    /** Get cache statistics */
     getCacheStats() {
         if (!this.cache)
             return null;
-        // Note: LRUCache doesn't expose internal size, so we return maxSize only
-        return {
-            size: -1, // Size not available from LRUCache
-            maxSize: this.cache.maxSize,
-        };
+        return { size: -1, maxSize: this.cache.maxSize };
     }
-    // Private helper methods
+    /** Private helper methods */
     validatePayload(payload) {
         if (!payload || typeof payload !== 'object') {
-            throw new ValidationError('Payload must be a non-null object');
+            throw new ValidationError({ message: 'Payload must be a non-null object' });
         }
         if (Object.keys(payload).length === 0) {
-            throw new ValidationError('Payload cannot be empty');
+            throw new ValidationError({ message: 'Payload cannot be empty' });
         }
     }
+    async verifyTokenWithCache(token, secret, type) {
+        if (!token || typeof token !== 'string') {
+            throw new ValidationError({ message: `${type} token must be a non-empty string` });
+        }
+        const cacheKey = `${type}_${token}`;
+        if (this.cache) {
+            const cached = this.cache.get(cacheKey);
+            if (cached && Date.now() - cached.timestamp <= this.cacheTTL) {
+                if (!cached.valid)
+                    throw new UnauthorizedError({ message: `${type} token is invalid or expired` });
+                return cached.payload;
+            }
+        }
+        const { valid, payload, error } = safeVerifyToken(token, secret);
+        if (!valid || !payload || typeof payload === 'string') {
+            this.cache?.set(cacheKey, { valid: false, payload: {}, timestamp: Date.now() });
+            throw new UnauthorizedError({ message: `${type} token is invalid or expired`, cause: error });
+        }
+        this.cache?.set(cacheKey, { valid: true, payload, timestamp: Date.now() });
+        return payload;
+    }
 }

package/dist/esm/core/jwt/parseDuration.js

@@ -1,3 +1,4 @@
+import { ValidationError } from "@naman_deep_singh/errors-utils";
 const TIME_UNITS = {
     s: 1,
     m: 60,
@@ -15,12 +16,12 @@ export function parseDuration(input) {
         const value = Number.parseInt(match[1], 10);
         const unit = match[2].toLowerCase();
         if (!TIME_UNITS[unit]) {
-            throw new Error(`Invalid time unit: ${unit}`);
+            throw new ValidationError({ message: `Invalid time unit: ${unit}` });
         }
         totalSeconds += value * TIME_UNITS[unit];
     }
     if (totalSeconds === 0) {
-        throw new Error(`Invalid expiry format: "${input}"`);
+        throw new ValidationError({ message: `Invalid expiry format: "${input}"` });
     }
     return totalSeconds;
 }

package/dist/esm/core/jwt/signToken.js

@@ -1,12 +1,13 @@
 import { sign } from 'jsonwebtoken';
 import { parseDuration } from './parseDuration';
+import { ValidationError } from '@naman_deep_singh/errors-utils';
 function getExpiryTimestamp(seconds) {
     return Math.floor(Date.now() / 1000) + seconds;
 }
 export const signToken = (payload, secret, expiresIn = '1h', options = {}) => {
     const seconds = parseDuration(expiresIn);
     if (!seconds || seconds < 10) {
-        throw new Error('Token expiry too small');
+        throw new ValidationError({ message: 'Token expiry too small' });
     }
     const tokenPayload = {
         ...payload,

package/dist/esm/core/jwt/validateToken.d.ts

@@ -1,13 +1,16 @@
-import type { JwtPayload } from 'node_modules/@types/jsonwebtoken';
+import type { JwtPayload } from 'jsonwebtoken';
 export interface TokenRequirements {
     requiredFields?: string[];
     forbiddenFields?: string[];
     validateTypes?: Record<string, 'string' | 'number' | 'boolean'>;
 }
-export declare function validateTokenPayload(payload: Record<string, unknown>, rules?: TokenRequirements): {
-    valid: true;
-} | {
-    valid: false;
-    error: string;
-};
+/**
+ * Validates a JWT payload according to the provided rules.
+ * Throws ValidationError if validation fails.
+ */
+export declare function validateTokenPayload(payload: Record<string, unknown>, rules?: TokenRequirements): void;
+/**
+ * Checks if a JWT payload is expired.
+ * Returns true if expired or missing 'exp'.
+ */
 export declare function isTokenExpired(payload: JwtPayload): boolean;

package/dist/esm/core/jwt/validateToken.js

@@ -1,31 +1,34 @@
-export function validateTokenPayload(payload, rules = {
-    requiredFields: ['exp', 'iat'],
-}) {
-    const { requiredFields = [], forbiddenFields = [], validateTypes = {}, } = rules;
+import { ValidationError } from '@naman_deep_singh/errors-utils';
+/**
+ * Validates a JWT payload according to the provided rules.
+ * Throws ValidationError if validation fails.
+ */
+export function validateTokenPayload(payload, rules = { requiredFields: ['exp', 'iat'] }) {
+    const { requiredFields = [], forbiddenFields = [], validateTypes = {} } = rules;
     // 1. Required fields
     for (const field of requiredFields) {
         if (!(field in payload)) {
-            return { valid: false, error: `Missing required field: ${field}` };
+            throw new ValidationError(`Missing required field: ${field}`);
         }
     }
     // 2. Forbidden fields
     for (const field of forbiddenFields) {
         if (field in payload) {
-            return { valid: false, error: `Forbidden field in token: ${field}` };
+            throw new ValidationError(`Forbidden field in token: ${field}`);
         }
     }
     // 3. Type validation
     for (const key in validateTypes) {
         const expectedType = validateTypes[key];
         if (key in payload && typeof payload[key] !== expectedType) {
-            return {
-                valid: false,
-                error: `Invalid type for ${key}. Expected ${expectedType}.`,
-            };
+            throw new ValidationError(`Invalid type for ${key}. Expected ${expectedType}, got ${typeof payload[key]}`);
         }
     }
-    return { valid: true };
 }
+/**
+ * Checks if a JWT payload is expired.
+ * Returns true if expired or missing 'exp'.
+ */
 export function isTokenExpired(payload) {
     if (!payload.exp)
         return true;

package/dist/esm/core/jwt/verify.d.ts

@@ -1,19 +1,18 @@
-import type jwt from 'jsonwebtoken';
-import { type JwtPayload, type Secret } from 'jsonwebtoken';
-import type { VerificationResult } from './types';
+import { type JwtPayload, type Secret, VerifyOptions } from 'jsonwebtoken';
+import { VerificationResult } from './types';
 /**
- * Verify token (throws if invalid or expired)
+ * Verify token (throws UnauthorizedError if invalid or expired)
  */
 export declare const verifyToken: (token: string, secret: Secret) => string | JwtPayload;
 /**
- * Safe verify — never throws, returns structured result
+ * Verify token with options
  */
-export declare const safeVerifyToken: (token: string, secret: Secret) => VerificationResult;
+export declare const verifyTokenWithOptions: (token: string, secret: Secret, options?: VerifyOptions) => string | JwtPayload;
 /**
- * Verify token with validation options
+ * Safe verify — never throws, returns structured result with UnauthorizedError on failure
  */
-export declare const verifyTokenWithOptions: (token: string, secret: Secret, options?: jwt.VerifyOptions) => string | JwtPayload;
+export declare const safeVerifyToken: (token: string, secret: Secret) => VerificationResult;
 /**
- * Safe verify with validation options
+ * Safe verify with options — never throws, returns structured result with UnauthorizedError on failure
  */
-export declare const safeVerifyTokenWithOptions: (token: string, secret: Secret, options?: jwt.VerifyOptions) => VerificationResult;
+export declare const safeVerifyTokenWithOptions: (token: string, secret: Secret, options?: VerifyOptions) => VerificationResult;