@navios/jwt 0.4.0 → 0.7.0

package/lib/index.mjs

@@ -1,283 +1,623 @@
-import jwt from 'jsonwebtoken';
-import { z } from 'zod/v4';
-import { InjectionToken, Injectable, syncInject, Logger } from '@navios/core';
+import jwt from "jsonwebtoken";
+import { z } from "zod/v4";
+import { Injectable, InjectionToken, Logger, inject } from "@navios/core";
 
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __knownSymbol = (name, symbol) => (symbol = Symbol[name]) ? symbol : Symbol.for("Symbol." + name);
-var __typeError = (msg) => {
-  throw TypeError(msg);
-};
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
-var __decoratorStart = (base) => [, , , __create(null)];
-var __decoratorStrings = ["class", "method", "getter", "setter", "accessor", "field", "value", "get", "set"];
-var __expectFn = (fn) => fn !== void 0 && typeof fn !== "function" ? __typeError("Function expected") : fn;
-var __decoratorContext = (kind, name, done, metadata, fns) => ({ kind: __decoratorStrings[kind], name, metadata, addInitializer: (fn) => done._ ? __typeError("Already initialized") : fns.push(__expectFn(fn || null)) });
-var __decoratorMetadata = (array, target) => __defNormalProp(target, __knownSymbol("metadata"), array[3]);
-var __runInitializers = (array, flags, self, value) => {
-  for (var i = 0, fns = array[flags >> 1], n = fns && fns.length; i < n; i++) fns[i].call(self) ;
-  return value;
-};
-var __decorateElement = (array, flags, name, decorators, target, extra) => {
-  var it, done, ctx, k = flags & 7, p = false;
-  var j = 0;
-  var extraInitializers = array[j] || (array[j] = []);
-  var desc = k && ((target = target.prototype), k < 5 && (k > 3 || !p) && __getOwnPropDesc(target , name));
-  __name(target, name);
-  for (var i = decorators.length - 1; i >= 0; i--) {
-    ctx = __decoratorContext(k, name, done = {}, array[3], extraInitializers);
-    it = (0, decorators[i])(target, ctx), done._ = 1;
-    __expectFn(it) && (target = it);
-  }
-  return __decoratorMetadata(array, target), desc && __defProp(target, name, desc), p ? k ^ 4 ? extra : desc : target;
-};
-var RequestType = /* @__PURE__ */ ((RequestType2) => {
-  RequestType2["Sign"] = "Sign";
-  RequestType2["Verify"] = "Verify";
-  return RequestType2;
-})(RequestType || {});
-var AlgorithmType = z.enum([
-  "HS256",
-  "HS384",
-  "HS512",
-  "RS256",
-  "RS384",
-  "RS512",
-  "ES256",
-  "ES384",
-  "ES512",
-  "PS256",
-  "PS384",
-  "PS512",
-  "none"
+//#region src/options/jwt-service.options.mts
+/**
+* Request type for secret or key provider functions.
+*
+* Used to distinguish between signing and verification operations when
+* dynamically resolving secrets or keys.
+*/ var RequestType = /* @__PURE__ */ function(RequestType$1) {
+	/** Request is for signing a token */ RequestType$1["Sign"] = "Sign";
+	/** Request is for verifying a token */ RequestType$1["Verify"] = "Verify";
+	return RequestType$1;
+}({});
+/**
+* Supported JWT algorithms.
+*
+* Includes symmetric (HMAC) and asymmetric (RSA, ECDSA, EdDSA) algorithms.
+*/ const AlgorithmType = z.enum([
+	"HS256",
+	"HS384",
+	"HS512",
+	"RS256",
+	"RS384",
+	"RS512",
+	"ES256",
+	"ES384",
+	"ES512",
+	"PS256",
+	"PS384",
+	"PS512",
+	"none"
 ]);
-var JwtHeaderSchema = z.object({
-  alg: AlgorithmType.or(z.string()),
-  typ: z.string().optional(),
-  cty: z.string().optional(),
-  crit: z.string().array().optional(),
-  kid: z.string().optional(),
-  jku: z.string().optional(),
-  x5u: z.union([z.string(), z.array(z.string())]).optional(),
-  "x5t#S256": z.string().optional(),
-  x5t: z.string().optional(),
-  x5c: z.union([z.string(), z.array(z.string())]).optional()
+/**
+* JWT header schema.
+*
+* Defines the structure of the JWT header with standard claims.
+*/ const JwtHeaderSchema = z.object({
+	alg: AlgorithmType.or(z.string()),
+	typ: z.string().optional(),
+	cty: z.string().optional(),
+	crit: z.string().array().optional(),
+	kid: z.string().optional(),
+	jku: z.string().optional(),
+	x5u: z.union([z.string(), z.array(z.string())]).optional(),
+	"x5t#S256": z.string().optional(),
+	x5t: z.string().optional(),
+	x5c: z.union([z.string(), z.array(z.string())]).optional()
 });
-var SignOptionsSchema = z.object({
-  algorithm: AlgorithmType.optional(),
-  keyid: z.string().optional(),
-  expiresIn: z.union([z.string(), z.number()]).optional(),
-  notBefore: z.union([z.string(), z.number()]).optional(),
-  audience: z.union([
-    z.string(),
-    z.instanceof(RegExp),
-    z.array(z.union([z.string(), z.instanceof(RegExp)]))
-  ]).optional(),
-  subject: z.string().optional(),
-  issuer: z.string().optional(),
-  jwtid: z.string().optional(),
-  mutatePayload: z.boolean().optional(),
-  noTimestamp: z.boolean().optional(),
-  header: JwtHeaderSchema.optional(),
-  encoding: z.string().optional(),
-  allowInsecureKeySizes: z.boolean().optional(),
-  allowInvalidAsymmetricKeyTypes: z.boolean().optional()
+/**
+* Schema for JWT signing options.
+*
+* Defines all available options for signing tokens including algorithm,
+* expiration, audience, issuer, and other standard JWT claims.
+*/ const SignOptionsSchema = z.object({
+	algorithm: AlgorithmType.optional(),
+	keyid: z.string().optional(),
+	expiresIn: z.union([z.string(), z.number()]).optional(),
+	notBefore: z.union([z.string(), z.number()]).optional(),
+	audience: z.union([
+		z.string(),
+		z.instanceof(RegExp),
+		z.array(z.union([z.string(), z.instanceof(RegExp)]))
+	]).optional(),
+	subject: z.string().optional(),
+	issuer: z.string().optional(),
+	jwtid: z.string().optional(),
+	mutatePayload: z.boolean().optional(),
+	noTimestamp: z.boolean().optional(),
+	header: JwtHeaderSchema.optional(),
+	encoding: z.string().optional(),
+	allowInsecureKeySizes: z.boolean().optional(),
+	allowInvalidAsymmetricKeyTypes: z.boolean().optional()
 });
-var VerifyOptionsSchema = z.object({
-  algorithms: AlgorithmType.array().optional(),
-  audience: z.union([
-    z.string(),
-    z.instanceof(RegExp),
-    z.array(z.union([z.string(), z.instanceof(RegExp)]))
-  ]).optional(),
-  clockTimestamp: z.number().optional(),
-  clockTolerance: z.number().optional(),
-  complete: z.boolean().optional(),
-  issuer: z.union([z.string(), z.string().array()]).optional(),
-  ignoreExpiration: z.boolean().optional(),
-  ignoreNotBefore: z.boolean().optional(),
-  jwtid: z.string().optional(),
-  nonce: z.string().optional(),
-  subject: z.string().optional(),
-  maxAge: z.union([z.string(), z.number()]).optional(),
-  allowInvalidAsymmetricKeyTypes: z.boolean().optional()
+/**
+* Schema for JWT verification options.
+*
+* Defines all available options for verifying tokens including allowed
+* algorithms, audience, issuer, expiration handling, and other validation rules.
+*/ const VerifyOptionsSchema = z.object({
+	algorithms: AlgorithmType.array().optional(),
+	audience: z.union([
+		z.string(),
+		z.instanceof(RegExp),
+		z.array(z.union([z.string(), z.instanceof(RegExp)]))
+	]).optional(),
+	clockTimestamp: z.number().optional(),
+	clockTolerance: z.number().optional(),
+	complete: z.boolean().optional(),
+	issuer: z.union([z.string(), z.string().array()]).optional(),
+	ignoreExpiration: z.boolean().optional(),
+	ignoreNotBefore: z.boolean().optional(),
+	jwtid: z.string().optional(),
+	nonce: z.string().optional(),
+	subject: z.string().optional(),
+	maxAge: z.union([z.string(), z.number()]).optional(),
+	allowInvalidAsymmetricKeyTypes: z.boolean().optional()
 });
-var SecretSchema = z.union([
-  z.string(),
-  z.instanceof(Buffer),
-  z.object({
-    type: z.string()
-  }).passthrough(),
-  z.object({
-    key: z.union([z.string(), z.instanceof(Buffer)]),
-    passphrase: z.string()
-  })
+/**
+* Schema for JWT secret/key types.
+*
+* Supports string secrets, Buffer objects, and key objects with passphrases.
+*/ const SecretSchema = z.union([
+	z.string(),
+	z.instanceof(Buffer),
+	z.object({ type: z.string() }).passthrough(),
+	z.object({
+		key: z.union([z.string(), z.instanceof(Buffer)]),
+		passphrase: z.string()
+	})
 ]);
-var JwtServiceOptionsSchema = z.object({
-  signOptions: SignOptionsSchema.optional(),
-  secret: z.string().optional(),
-  publicKey: z.union([z.string(), z.instanceof(Buffer)]).optional(),
-  privateKey: SecretSchema.optional(),
-  verifyOptions: VerifyOptionsSchema.optional(),
-  secretOrKeyProvider: z.function({
-    input: [
-      z.enum(RequestType),
-      z.any(),
-      z.union([SignOptionsSchema, VerifyOptionsSchema]).optional()
-    ],
-    output: z.union([SecretSchema, z.promise(SecretSchema)])
-  }).optional()
+const JwtServiceOptionsSchema = z.object({
+	signOptions: SignOptionsSchema.optional(),
+	secret: z.string().optional(),
+	publicKey: z.union([z.string(), z.instanceof(Buffer)]).optional(),
+	privateKey: SecretSchema.optional(),
+	verifyOptions: VerifyOptionsSchema.optional(),
+	secretOrKeyProvider: z.function({
+		input: [
+			z.enum(RequestType),
+			z.any(),
+			z.union([SignOptionsSchema, VerifyOptionsSchema]).optional()
+		],
+		output: z.union([SecretSchema, z.promise(SecretSchema)])
+	}).optional()
 });
-var JwtServiceToken = InjectionToken.create(
-  Symbol.for("JwtService"),
-  JwtServiceOptionsSchema
-);
-var _JwtService_decorators, _init;
-_JwtService_decorators = [Injectable({
-  token: JwtServiceToken
-})];
-var _JwtService = class _JwtService {
-  constructor(options = {}) {
-    this.options = options;
-  }
-  logger = syncInject(Logger, {
-    context: _JwtService.name
-  });
-  sign(payload, options = {}) {
-    const signOptions = this.mergeJwtOptions(
-      { ...options },
-      "signOptions"
-    );
-    const secret = this.getSecretKey(
-      payload,
-      options,
-      "privateKey",
-      "Sign" /* Sign */
-    );
-    if (secret instanceof Promise) {
-      secret.catch(() => {
-      });
-      this.logger.warn(
-        'For async version of "secretOrKeyProvider", please use "signAsync".'
-      );
-      throw new Error();
-    }
-    const allowedSignOptKeys = ["secret", "privateKey"];
-    const signOptKeys = Object.keys(signOptions);
-    if (typeof payload === "string" && signOptKeys.some((k) => !allowedSignOptKeys.includes(k))) {
-      throw new Error(
-        "Payload as string is not allowed with the following sign options: " + signOptKeys.join(", ")
-      );
-    }
-    return jwt.sign(payload, secret, signOptions);
-  }
-  signAsync(payload, options = {}) {
-    const signOptions = this.mergeJwtOptions(
-      { ...options },
-      "signOptions"
-    );
-    const secret = this.getSecretKey(
-      payload,
-      options,
-      "privateKey",
-      "Sign" /* Sign */
-    );
-    const allowedSignOptKeys = ["secret", "privateKey"];
-    const signOptKeys = Object.keys(signOptions);
-    if (typeof payload === "string" && signOptKeys.some((k) => !allowedSignOptKeys.includes(k))) {
-      throw new Error(
-        "Payload as string is not allowed with the following sign options: " + signOptKeys.join(", ")
-      );
-    }
-    return new Promise(
-      (resolve, reject) => Promise.resolve().then(() => secret).then((scrt) => {
-        jwt.sign(
-          payload,
-          scrt,
-          signOptions,
-          (err, encoded) => err ? reject(err) : resolve(encoded)
-        );
-      })
-    );
-  }
-  verify(token, options = {}) {
-    const verifyOptions = this.mergeJwtOptions({ ...options }, "verifyOptions");
-    const secret = this.getSecretKey(
-      token,
-      options,
-      "publicKey",
-      "Verify" /* Verify */
-    );
-    if (secret instanceof Promise) {
-      secret.catch(() => {
-      });
-      this.logger.warn(
-        'For async version of "secretOrKeyProvider", please use "verifyAsync".'
-      );
-      throw new Error();
-    }
-    return jwt.verify(token, secret, verifyOptions);
-  }
-  verifyAsync(token, options = {}) {
-    const verifyOptions = this.mergeJwtOptions({ ...options }, "verifyOptions");
-    const secret = this.getSecretKey(
-      token,
-      options,
-      "publicKey",
-      "Verify" /* Verify */
-    );
-    return new Promise(
-      (resolve, reject) => Promise.resolve().then(() => secret).then((scrt) => {
-        jwt.verify(
-          token,
-          scrt,
-          verifyOptions,
-          (err, decoded) => err ? reject(err) : resolve(decoded)
-        );
-      }).catch(reject)
-    );
-  }
-  decode(token, options) {
-    return jwt.decode(token, options);
-  }
-  mergeJwtOptions(options, key) {
-    delete options.secret;
-    if (key === "signOptions") {
-      delete options.privateKey;
-    } else {
-      delete options.publicKey;
-    }
-    return options ? {
-      ...this.options[key] || {},
-      ...options
-    } : (
-      // @ts-expect-error We check it
-      this.options[key]
-    );
-  }
-  getSecretKey(token, options, key, secretRequestType) {
-    const secret = this.options.secretOrKeyProvider ? this.options.secretOrKeyProvider(secretRequestType, token, options) : options?.secret || this.options.secret || (key === "privateKey" ? options?.privateKey || this.options.privateKey : options?.publicKey || this.options.publicKey) || this.options[key];
-    return secret;
-  }
+
+//#endregion
+//#region src/jwt.service.mts
+function applyDecs2203RFactory() {
+	function createAddInitializerMethod(initializers, decoratorFinishedRef) {
+		return function addInitializer(initializer) {
+			assertNotFinished(decoratorFinishedRef, "addInitializer");
+			assertCallable(initializer, "An initializer");
+			initializers.push(initializer);
+		};
+	}
+	function memberDec(dec, name, desc, initializers, kind, isStatic, isPrivate, metadata, value) {
+		var kindStr;
+		switch (kind) {
+			case 1:
+				kindStr = "accessor";
+				break;
+			case 2:
+				kindStr = "method";
+				break;
+			case 3:
+				kindStr = "getter";
+				break;
+			case 4:
+				kindStr = "setter";
+				break;
+			default: kindStr = "field";
+		}
+		var ctx = {
+			kind: kindStr,
+			name: isPrivate ? "#" + name : name,
+			static: isStatic,
+			private: isPrivate,
+			metadata
+		};
+		var decoratorFinishedRef = { v: false };
+		ctx.addInitializer = createAddInitializerMethod(initializers, decoratorFinishedRef);
+		var get, set;
+		if (kind === 0) if (isPrivate) {
+			get = desc.get;
+			set = desc.set;
+		} else {
+			get = function() {
+				return this[name];
+			};
+			set = function(v) {
+				this[name] = v;
+			};
+		}
+		else if (kind === 2) get = function() {
+			return desc.value;
+		};
+		else {
+			if (kind === 1 || kind === 3) get = function() {
+				return desc.get.call(this);
+			};
+			if (kind === 1 || kind === 4) set = function(v) {
+				desc.set.call(this, v);
+			};
+		}
+		ctx.access = get && set ? {
+			get,
+			set
+		} : get ? { get } : { set };
+		try {
+			return dec(value, ctx);
+		} finally {
+			decoratorFinishedRef.v = true;
+		}
+	}
+	function assertNotFinished(decoratorFinishedRef, fnName) {
+		if (decoratorFinishedRef.v) throw new Error("attempted to call " + fnName + " after decoration was finished");
+	}
+	function assertCallable(fn, hint) {
+		if (typeof fn !== "function") throw new TypeError(hint + " must be a function");
+	}
+	function assertValidReturnValue(kind, value) {
+		var type = typeof value;
+		if (kind === 1) {
+			if (type !== "object" || value === null) throw new TypeError("accessor decorators must return an object with get, set, or init properties or void 0");
+			if (value.get !== void 0) assertCallable(value.get, "accessor.get");
+			if (value.set !== void 0) assertCallable(value.set, "accessor.set");
+			if (value.init !== void 0) assertCallable(value.init, "accessor.init");
+		} else if (type !== "function") {
+			var hint;
+			if (kind === 0) hint = "field";
+			else if (kind === 10) hint = "class";
+			else hint = "method";
+			throw new TypeError(hint + " decorators must return a function or void 0");
+		}
+	}
+	function applyMemberDec(ret, base, decInfo, name, kind, isStatic, isPrivate, initializers, metadata) {
+		var decs = decInfo[0];
+		var desc, init, value;
+		if (isPrivate) if (kind === 0 || kind === 1) desc = {
+			get: decInfo[3],
+			set: decInfo[4]
+		};
+		else if (kind === 3) desc = { get: decInfo[3] };
+		else if (kind === 4) desc = { set: decInfo[3] };
+		else desc = { value: decInfo[3] };
+		else if (kind !== 0) desc = Object.getOwnPropertyDescriptor(base, name);
+		if (kind === 1) value = {
+			get: desc.get,
+			set: desc.set
+		};
+		else if (kind === 2) value = desc.value;
+		else if (kind === 3) value = desc.get;
+		else if (kind === 4) value = desc.set;
+		var newValue, get, set;
+		if (typeof decs === "function") {
+			newValue = memberDec(decs, name, desc, initializers, kind, isStatic, isPrivate, metadata, value);
+			if (newValue !== void 0) {
+				assertValidReturnValue(kind, newValue);
+				if (kind === 0) init = newValue;
+				else if (kind === 1) {
+					init = newValue.init;
+					get = newValue.get || value.get;
+					set = newValue.set || value.set;
+					value = {
+						get,
+						set
+					};
+				} else value = newValue;
+			}
+		} else for (var i = decs.length - 1; i >= 0; i--) {
+			var dec = decs[i];
+			newValue = memberDec(dec, name, desc, initializers, kind, isStatic, isPrivate, metadata, value);
+			if (newValue !== void 0) {
+				assertValidReturnValue(kind, newValue);
+				var newInit;
+				if (kind === 0) newInit = newValue;
+				else if (kind === 1) {
+					newInit = newValue.init;
+					get = newValue.get || value.get;
+					set = newValue.set || value.set;
+					value = {
+						get,
+						set
+					};
+				} else value = newValue;
+				if (newInit !== void 0) if (init === void 0) init = newInit;
+				else if (typeof init === "function") init = [init, newInit];
+				else init.push(newInit);
+			}
+		}
+		if (kind === 0 || kind === 1) {
+			if (init === void 0) init = function(instance, init$1) {
+				return init$1;
+			};
+			else if (typeof init !== "function") {
+				var ownInitializers = init;
+				init = function(instance, init$1) {
+					var value$1 = init$1;
+					for (var i$1 = 0; i$1 < ownInitializers.length; i$1++) value$1 = ownInitializers[i$1].call(instance, value$1);
+					return value$1;
+				};
+			} else {
+				var originalInitializer = init;
+				init = function(instance, init$1) {
+					return originalInitializer.call(instance, init$1);
+				};
+			}
+			ret.push(init);
+		}
+		if (kind !== 0) {
+			if (kind === 1) {
+				desc.get = value.get;
+				desc.set = value.set;
+			} else if (kind === 2) desc.value = value;
+			else if (kind === 3) desc.get = value;
+			else if (kind === 4) desc.set = value;
+			if (isPrivate) if (kind === 1) {
+				ret.push(function(instance, args) {
+					return value.get.call(instance, args);
+				});
+				ret.push(function(instance, args) {
+					return value.set.call(instance, args);
+				});
+			} else if (kind === 2) ret.push(value);
+			else ret.push(function(instance, args) {
+				return value.call(instance, args);
+			});
+			else Object.defineProperty(base, name, desc);
+		}
+	}
+	function applyMemberDecs(Class, decInfos, metadata) {
+		var ret = [];
+		var protoInitializers;
+		var staticInitializers;
+		var existingProtoNonFields = /* @__PURE__ */ new Map();
+		var existingStaticNonFields = /* @__PURE__ */ new Map();
+		for (var i = 0; i < decInfos.length; i++) {
+			var decInfo = decInfos[i];
+			if (!Array.isArray(decInfo)) continue;
+			var kind = decInfo[1];
+			var name = decInfo[2];
+			var isPrivate = decInfo.length > 3;
+			var isStatic = kind >= 5;
+			var base;
+			var initializers;
+			if (isStatic) {
+				base = Class;
+				kind = kind - 5;
+				staticInitializers = staticInitializers || [];
+				initializers = staticInitializers;
+			} else {
+				base = Class.prototype;
+				protoInitializers = protoInitializers || [];
+				initializers = protoInitializers;
+			}
+			if (kind !== 0 && !isPrivate) {
+				var existingNonFields = isStatic ? existingStaticNonFields : existingProtoNonFields;
+				var existingKind = existingNonFields.get(name) || 0;
+				if (existingKind === true || existingKind === 3 && kind !== 4 || existingKind === 4 && kind !== 3) throw new Error("Attempted to decorate a public method/accessor that has the same name as a previously decorated public method/accessor. This is not currently supported by the decorators plugin. Property name was: " + name);
+				else if (!existingKind && kind > 2) existingNonFields.set(name, kind);
+				else existingNonFields.set(name, true);
+			}
+			applyMemberDec(ret, base, decInfo, name, kind, isStatic, isPrivate, initializers, metadata);
+		}
+		pushInitializers(ret, protoInitializers);
+		pushInitializers(ret, staticInitializers);
+		return ret;
+	}
+	function pushInitializers(ret, initializers) {
+		if (initializers) ret.push(function(instance) {
+			for (var i = 0; i < initializers.length; i++) initializers[i].call(instance);
+			return instance;
+		});
+	}
+	function applyClassDecs(targetClass, classDecs, metadata) {
+		if (classDecs.length > 0) {
+			var initializers = [];
+			var newClass = targetClass;
+			var name = targetClass.name;
+			for (var i = classDecs.length - 1; i >= 0; i--) {
+				var decoratorFinishedRef = { v: false };
+				try {
+					var nextNewClass = classDecs[i](newClass, {
+						kind: "class",
+						name,
+						addInitializer: createAddInitializerMethod(initializers, decoratorFinishedRef),
+						metadata
+					});
+				} finally {
+					decoratorFinishedRef.v = true;
+				}
+				if (nextNewClass !== void 0) {
+					assertValidReturnValue(10, nextNewClass);
+					newClass = nextNewClass;
+				}
+			}
+			return [defineMetadata(newClass, metadata), function() {
+				for (var i$1 = 0; i$1 < initializers.length; i$1++) initializers[i$1].call(newClass);
+			}];
+		}
+	}
+	function defineMetadata(Class, metadata) {
+		return Object.defineProperty(Class, Symbol.metadata || Symbol.for("Symbol.metadata"), {
+			configurable: true,
+			enumerable: true,
+			value: metadata
+		});
+	}
+	return function applyDecs2203R(targetClass, memberDecs, classDecs, parentClass) {
+		if (parentClass !== void 0) var parentMetadata = parentClass[Symbol.metadata || Symbol.for("Symbol.metadata")];
+		var metadata = Object.create(parentMetadata === void 0 ? null : parentMetadata);
+		var e = applyMemberDecs(targetClass, memberDecs, metadata);
+		if (!classDecs.length) defineMetadata(targetClass, metadata);
+		return {
+			e,
+			get c() {
+				return applyClassDecs(targetClass, classDecs, metadata);
+			}
+		};
+	};
+}
+function _apply_decs_2203_r(targetClass, memberDecs, classDecs, parentClass) {
+	return (_apply_decs_2203_r = applyDecs2203RFactory())(targetClass, memberDecs, classDecs, parentClass);
+}
+var _dec, _initClass;
+/**
+* Injection token for JwtService.
+*
+* Used internally by the dependency injection system to register and resolve JwtService instances.
+*/ const JwtServiceToken = InjectionToken.create(Symbol.for("JwtService"), JwtServiceOptionsSchema);
+let _JwtService;
+_dec = Injectable({ token: JwtServiceToken });
+var JwtService = class {
+	options;
+	static {
+		({c: [_JwtService, _initClass]} = _apply_decs_2203_r(this, [], [_dec]));
+	}
+	/**
+	* Creates a new JwtService instance.
+	*
+	* @param options - Configuration options for the JWT service
+	*/ constructor(options = {}) {
+		this.options = options;
+	}
+	logger = inject(Logger, { context: _JwtService.name });
+	sign(payload, options = {}) {
+		const signOptions = this.mergeJwtOptions({ ...options }, "signOptions");
+		const secret = this.getSecretKey(payload, options, "privateKey", RequestType.Sign);
+		if (secret instanceof Promise) {
+			secret.catch(() => {});
+			this.logger.warn("For async version of \"secretOrKeyProvider\", please use \"signAsync\".");
+			throw new Error();
+		}
+		const allowedSignOptKeys = ["secret", "privateKey"];
+		const signOptKeys = Object.keys(signOptions);
+		if (typeof payload === "string" && signOptKeys.some((k) => !allowedSignOptKeys.includes(k))) throw new Error("Payload as string is not allowed with the following sign options: " + signOptKeys.join(", "));
+		return jwt.sign(payload, secret, signOptions);
+	}
+	signAsync(payload, options = {}) {
+		const signOptions = this.mergeJwtOptions({ ...options }, "signOptions");
+		const secret = this.getSecretKey(payload, options, "privateKey", RequestType.Sign);
+		const allowedSignOptKeys = ["secret", "privateKey"];
+		const signOptKeys = Object.keys(signOptions);
+		if (typeof payload === "string" && signOptKeys.some((k) => !allowedSignOptKeys.includes(k))) throw new Error("Payload as string is not allowed with the following sign options: " + signOptKeys.join(", "));
+		return new Promise((resolve, reject) => Promise.resolve().then(() => secret).then((scrt) => {
+			jwt.sign(payload, scrt, signOptions, (err, encoded) => err ? reject(err) : resolve(encoded));
+		}));
+	}
+	/**
+	* Verifies and decodes a JWT token synchronously.
+	*
+	* This method validates the token's signature, expiration, and other claims
+	* according to the provided options. If verification fails, an error is thrown.
+	*
+	* @template T - The expected type of the decoded payload
+	* @param token - The JWT token string to verify
+	* @param options - Verification options including algorithms, audience, issuer, etc.
+	* @returns The decoded payload as type T
+	* @throws {TokenExpiredError} If the token has expired
+	* @throws {NotBeforeError} If the token is not yet valid (nbf claim)
+	* @throws {JsonWebTokenError} If the token is invalid or malformed
+	* @throws {Error} If `secretOrKeyProvider` returns a Promise (use `verifyAsync` instead)
+	*
+	* @example
+	* ```ts
+	* try {
+	*   const payload = jwtService.verify<{ userId: string; role: string }>(token)
+	*   console.log(payload.userId) // '123'
+	* } catch (error) {
+	*   if (error instanceof TokenExpiredError) {
+	*     console.error('Token expired')
+	*   }
+	* }
+	* ```
+	*/ verify(token, options = {}) {
+		const verifyOptions = this.mergeJwtOptions({ ...options }, "verifyOptions");
+		const secret = this.getSecretKey(token, options, "publicKey", RequestType.Verify);
+		if (secret instanceof Promise) {
+			secret.catch(() => {});
+			this.logger.warn("For async version of \"secretOrKeyProvider\", please use \"verifyAsync\".");
+			throw new Error();
+		}
+		return jwt.verify(token, secret, verifyOptions);
+	}
+	/**
+	* Verifies and decodes a JWT token asynchronously.
+	*
+	* Use this method when `secretOrKeyProvider` returns a Promise or when you need
+	* to handle async key resolution. Provides the same validation as `verify()`.
+	*
+	* @template T - The expected type of the decoded payload
+	* @param token - The JWT token string to verify
+	* @param options - Verification options including algorithms, audience, issuer, etc.
+	* @returns A Promise that resolves to the decoded payload as type T
+	* @throws {TokenExpiredError} If the token has expired
+	* @throws {NotBeforeError} If the token is not yet valid (nbf claim)
+	* @throws {JsonWebTokenError} If the token is invalid or malformed
+	*
+	* @example
+	* ```ts
+	* try {
+	*   const payload = await jwtService.verifyAsync<{ userId: string }>(token)
+	*   console.log(payload.userId)
+	* } catch (error) {
+	*   if (error instanceof TokenExpiredError) {
+	*     console.error('Token expired')
+	*   }
+	* }
+	* ```
+	*/ verifyAsync(token, options = {}) {
+		const verifyOptions = this.mergeJwtOptions({ ...options }, "verifyOptions");
+		const secret = this.getSecretKey(token, options, "publicKey", RequestType.Verify);
+		return new Promise((resolve, reject) => Promise.resolve().then(() => secret).then((scrt) => {
+			jwt.verify(token, scrt, verifyOptions, (err, decoded) => err ? reject(err) : resolve(decoded));
+		}).catch(reject));
+	}
+	/**
+	* Decodes a JWT token without verification.
+	*
+	* This method decodes the token without validating its signature or claims.
+	* Use this only when you need to inspect the token contents without verification.
+	* For secure token validation, use `verify()` or `verifyAsync()` instead.
+	*
+	* @template T - The expected type of the decoded payload
+	* @param token - The JWT token string to decode
+	* @param options - Decode options (complete, json, etc.)
+	* @returns The decoded payload as type T, or null if decoding fails
+	*
+	* @example
+	* ```ts
+	* // Decode without verification (not recommended for production)
+	* const payload = jwtService.decode<{ userId: string }>(token)
+	* if (payload) {
+	*   console.log(payload.userId)
+	* }
+	* ```
+	*/ decode(token, options) {
+		return jwt.decode(token, options);
+	}
+	mergeJwtOptions(options, key) {
+		delete options.secret;
+		if (key === "signOptions") delete options.privateKey;
+		else delete options.publicKey;
+		return options ? {
+			...this.options[key],
+			...options
+		} : this.options[key];
+	}
+	getSecretKey(token, options, key, secretRequestType) {
+		return this.options.secretOrKeyProvider ? this.options.secretOrKeyProvider(secretRequestType, token, options) : options?.secret || this.options.secret || (key === "privateKey" ? options?.privateKey || this.options.privateKey : options?.publicKey || this.options.publicKey) || this.options[key];
+	}
+	static {
+		_initClass();
+	}
 };
-_init = __decoratorStart();
-_JwtService = __decorateElement(_init, 0, "JwtService", _JwtService_decorators, _JwtService);
-__runInitializers(_init, 1, _JwtService);
-var JwtService = _JwtService;
+
+//#endregion
+//#region src/jwt-service.provider.mts
 function provideJwtService(config) {
-  if (typeof config === "function") {
-    return InjectionToken.factory(JwtServiceToken, config);
-  }
-  return InjectionToken.bound(JwtServiceToken, config);
+	if (typeof config === "function") return InjectionToken.factory(JwtServiceToken, config);
+	return InjectionToken.bound(JwtServiceToken, config);
 }
 
-// src/index.mts
-var TokenExpiredError = jwt.TokenExpiredError;
-var NotBeforeError = jwt.NotBeforeError;
-var JsonWebTokenError = jwt.JsonWebTokenError;
+//#endregion
+//#region src/index.mts
+/**
+* Error thrown when a JWT token has expired.
+*
+* This error is thrown by `verify()` and `verifyAsync()` when the token's
+* expiration time (exp claim) has passed.
+*
+* @example
+* ```ts
+* try {
+*   jwtService.verify(token)
+* } catch (error) {
+*   if (error instanceof TokenExpiredError) {
+*     console.error('Token expired at:', error.expiredAt)
+*   }
+* }
+* ```
+*/ const TokenExpiredError = jwt.TokenExpiredError;
+/**
+* Error thrown when a JWT token is not yet valid.
+*
+* This error is thrown by `verify()` and `verifyAsync()` when the token's
+* "not before" time (nbf claim) is in the future.
+*
+* @example
+* ```ts
+* try {
+*   jwtService.verify(token)
+* } catch (error) {
+*   if (error instanceof NotBeforeError) {
+*     console.error('Token not valid until:', error.date)
+*   }
+* }
+* ```
+*/ const NotBeforeError = jwt.NotBeforeError;
+/**
+* Base error class for JWT-related errors.
+*
+* This is the base class for all JWT errors including `TokenExpiredError`
+* and `NotBeforeError`. It's thrown for invalid or malformed tokens.
+*
+* @example
+* ```ts
+* try {
+*   jwtService.verify(token)
+* } catch (error) {
+*   if (error instanceof JsonWebTokenError) {
+*     console.error('JWT error:', error.message)
+*   }
+* }
+* ```
+*/ const JsonWebTokenError = jwt.JsonWebTokenError;
 
-export { AlgorithmType, JsonWebTokenError, JwtHeaderSchema, JwtService, JwtServiceOptionsSchema, JwtServiceToken, NotBeforeError, RequestType, SecretSchema, SignOptionsSchema, TokenExpiredError, VerifyOptionsSchema, provideJwtService };
-//# sourceMappingURL=index.mjs.map
+//#endregion
+export { AlgorithmType, JsonWebTokenError, JwtHeaderSchema, _JwtService as JwtService, JwtServiceOptionsSchema, JwtServiceToken, NotBeforeError, RequestType, SecretSchema, SignOptionsSchema, TokenExpiredError, VerifyOptionsSchema, provideJwtService };
 //# sourceMappingURL=index.mjs.map