@opys/bifrost 0.1.2

package/dist/index.cjs

@@ -0,0 +1,80 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+let node_crypto = require("node:crypto");
+
+//#region lib/index.ts
+/**
+* Mint a [Bifrost](https://gitlab.com/harmoniya/bifrost)-compatible JWT
+* locally so opys's `runClient` can launch Minecraft against a self-hosted
+* Yggdrasil server without going through the OAuth `/token` flow.
+*
+* Bifrost validates incoming bearer tokens with a single Ed25519 public key
+* and only requires two claims: `uuid` and `username`. We sign here with
+* the matching Ed25519 private key — same alg (`EdDSA`), same payload shape
+* as Bifrost's own `/token` endpoint (`{ uuid, username, iat, exp }`).
+*/
+const DEFAULT_TTL_SECONDS = 1440 * 60;
+function normalizePrivateKey(raw) {
+	if (!raw) throw new Error("bifrost: privateKey is required (got empty/undefined). Set BIFROST_PRIVATE_KEY in your environment, e.g. `export BIFROST_PRIVATE_KEY=\"$(cat path/to/key.pem)\"`.");
+	const unescaped = raw.replace(/\\n/g, "\n").trim();
+	const key = (0, node_crypto.createPrivateKey)({
+		key: unescaped.includes("-----BEGIN ") ? unescaped : `-----BEGIN PRIVATE KEY-----\n${unescaped}\n-----END PRIVATE KEY-----`,
+		format: "pem"
+	});
+	if (key.asymmetricKeyType !== "ed25519") throw new Error(`Bifrost private key must be Ed25519; got ${key.asymmetricKeyType ?? "unknown"}`);
+	return key;
+}
+function base64url(input) {
+	const buf = typeof input === "string" ? Buffer.from(input, "utf8") : input;
+	return Buffer.from(buf).toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function unixSeconds(t) {
+	if (t === void 0) return Math.floor(Date.now() / 1e3);
+	const ms = t instanceof Date ? t.getTime() : t;
+	return Math.floor(ms / 1e3);
+}
+function sanitizeUuid(uuid) {
+	return uuid.replace(/-/g, "").toLowerCase();
+}
+/**
+* Sign an Ed25519 JWT with `{ uuid, username, iat, exp }` claims and return
+* an auth object ready to spread into `runClient.vars`.
+*
+* ```ts
+* const auth = resolveBifrost({
+*   privateKey: process.env.BIFROST_PRIVATE_KEY,
+*   username: 'Player',
+*   uuid: '00000000-0000-0000-0000-000000000000',
+* });
+* // auth = { username, uuid, token }
+* ```
+*
+* The token mirrors what Bifrost's own `/token` endpoint mints, so it
+* passes `authMiddleware` validation against the matching public key.
+*/
+function resolveBifrost(options) {
+	const key = normalizePrivateKey(options.privateKey);
+	const uuid = sanitizeUuid(options.uuid);
+	const username = options.username;
+	const iat = unixSeconds(options.now);
+	const ttl = options.expiresIn ?? DEFAULT_TTL_SECONDS;
+	const exp = ttl > 0 ? iat + ttl : null;
+	const header = {
+		alg: "EdDSA",
+		typ: "JWT"
+	};
+	const payload = {
+		uuid,
+		username,
+		iat
+	};
+	if (exp !== null) payload.exp = exp;
+	const signingInput = `${base64url(JSON.stringify(header))}.${base64url(JSON.stringify(payload))}`;
+	return {
+		username,
+		uuid,
+		token: `${signingInput}.${base64url((0, node_crypto.sign)(null, Buffer.from(signingInput), key))}`
+	};
+}
+
+//#endregion
+exports.resolveBifrost = resolveBifrost;

package/dist/index.d.cts

@@ -0,0 +1,58 @@
+//#region lib/index.d.ts
+/**
+ * Mint a [Bifrost](https://gitlab.com/harmoniya/bifrost)-compatible JWT
+ * locally so opys's `runClient` can launch Minecraft against a self-hosted
+ * Yggdrasil server without going through the OAuth `/token` flow.
+ *
+ * Bifrost validates incoming bearer tokens with a single Ed25519 public key
+ * and only requires two claims: `uuid` and `username`. We sign here with
+ * the matching Ed25519 private key — same alg (`EdDSA`), same payload shape
+ * as Bifrost's own `/token` endpoint (`{ uuid, username, iat, exp }`).
+ */
+interface BifrostOptions {
+  /**
+   * PEM-encoded Ed25519 private key (PKCS8). Single-line keys with literal
+   * `\n` separators are accepted (env-var-friendly); a missing
+   * `-----BEGIN PRIVATE KEY-----` header is added automatically.
+   */
+  privateKey: string;
+  /** Player username — used as the `username` claim and mirrored to the result. */
+  username: string;
+  /** Player UUID. Dashes are stripped before signing (matches Bifrost). */
+  uuid: string;
+  /**
+   * Token lifetime in seconds. Default `86400` (24h, matches Bifrost's
+   * `/token`). Pass `0` to omit `exp` entirely.
+   */
+  expiresIn?: number;
+  /** Override the issued-at timestamp (ms since epoch or `Date`). Defaults to `Date.now()`. */
+  now?: number | Date;
+}
+interface BifrostAuth {
+  /** Player username, mirrored from input. */
+  username: string;
+  /** Dashless UUID (32 hex chars). */
+  uuid: string;
+  /** Signed Ed25519 JWT. Pass as `${token}` in your launch vars. */
+  token: string;
+}
+/**
+ * Sign an Ed25519 JWT with `{ uuid, username, iat, exp }` claims and return
+ * an auth object ready to spread into `runClient.vars`.
+ *
+ * ```ts
+ * const auth = resolveBifrost({
+ *   privateKey: process.env.BIFROST_PRIVATE_KEY,
+ *   username: 'Player',
+ *   uuid: '00000000-0000-0000-0000-000000000000',
+ * });
+ * // auth = { username, uuid, token }
+ * ```
+ *
+ * The token mirrors what Bifrost's own `/token` endpoint mints, so it
+ * passes `authMiddleware` validation against the matching public key.
+ */
+declare function resolveBifrost(options: BifrostOptions): BifrostAuth;
+//#endregion
+export { BifrostAuth, BifrostOptions, resolveBifrost };
+//# sourceMappingURL=index.d.cts.map

package/dist/index.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.cts","names":[],"sources":["../lib/index.ts"],"mappings":";;AAaA;;;;;;;;;UAAiB,cAAA;EAiBI;;AAGrB;;;EAdE,UAAA;EAgBA;EAdA,QAAA;EAkBA;EAhBA,IAAA;EAgBK;AA6DP;;;EAxEE,SAAA;EAwEsC;EAtEtC,GAAA,YAAe,IAAA;AAAA;AAAA,UAGA,WAAA;EAmEmD;EAjElE,QAAA;;EAEA,IAAA;;EAEA,KAAA;AAAA;;;;;;;;;;;;;;;;;iBA6Dc,cAAA,CAAe,OAAA,EAAS,cAAA,GAAiB,WAAA"}

package/dist/index.d.mts

@@ -0,0 +1,58 @@
+//#region lib/index.d.ts
+/**
+ * Mint a [Bifrost](https://gitlab.com/harmoniya/bifrost)-compatible JWT
+ * locally so opys's `runClient` can launch Minecraft against a self-hosted
+ * Yggdrasil server without going through the OAuth `/token` flow.
+ *
+ * Bifrost validates incoming bearer tokens with a single Ed25519 public key
+ * and only requires two claims: `uuid` and `username`. We sign here with
+ * the matching Ed25519 private key — same alg (`EdDSA`), same payload shape
+ * as Bifrost's own `/token` endpoint (`{ uuid, username, iat, exp }`).
+ */
+interface BifrostOptions {
+  /**
+   * PEM-encoded Ed25519 private key (PKCS8). Single-line keys with literal
+   * `\n` separators are accepted (env-var-friendly); a missing
+   * `-----BEGIN PRIVATE KEY-----` header is added automatically.
+   */
+  privateKey: string;
+  /** Player username — used as the `username` claim and mirrored to the result. */
+  username: string;
+  /** Player UUID. Dashes are stripped before signing (matches Bifrost). */
+  uuid: string;
+  /**
+   * Token lifetime in seconds. Default `86400` (24h, matches Bifrost's
+   * `/token`). Pass `0` to omit `exp` entirely.
+   */
+  expiresIn?: number;
+  /** Override the issued-at timestamp (ms since epoch or `Date`). Defaults to `Date.now()`. */
+  now?: number | Date;
+}
+interface BifrostAuth {
+  /** Player username, mirrored from input. */
+  username: string;
+  /** Dashless UUID (32 hex chars). */
+  uuid: string;
+  /** Signed Ed25519 JWT. Pass as `${token}` in your launch vars. */
+  token: string;
+}
+/**
+ * Sign an Ed25519 JWT with `{ uuid, username, iat, exp }` claims and return
+ * an auth object ready to spread into `runClient.vars`.
+ *
+ * ```ts
+ * const auth = resolveBifrost({
+ *   privateKey: process.env.BIFROST_PRIVATE_KEY,
+ *   username: 'Player',
+ *   uuid: '00000000-0000-0000-0000-000000000000',
+ * });
+ * // auth = { username, uuid, token }
+ * ```
+ *
+ * The token mirrors what Bifrost's own `/token` endpoint mints, so it
+ * passes `authMiddleware` validation against the matching public key.
+ */
+declare function resolveBifrost(options: BifrostOptions): BifrostAuth;
+//#endregion
+export { BifrostAuth, BifrostOptions, resolveBifrost };
+//# sourceMappingURL=index.d.mts.map

package/dist/index.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.mts","names":[],"sources":["../lib/index.ts"],"mappings":";;AAaA;;;;;;;;;UAAiB,cAAA;EAiBI;;AAGrB;;;EAdE,UAAA;EAgBA;EAdA,QAAA;EAkBA;EAhBA,IAAA;EAgBK;AA6DP;;;EAxEE,SAAA;EAwEsC;EAtEtC,GAAA,YAAe,IAAA;AAAA;AAAA,UAGA,WAAA;EAmEmD;EAjElE,QAAA;;EAEA,IAAA;;EAEA,KAAA;AAAA;;;;;;;;;;;;;;;;;iBA6Dc,cAAA,CAAe,OAAA,EAAS,cAAA,GAAiB,WAAA"}

package/dist/index.mjs

@@ -0,0 +1,80 @@
+import { createPrivateKey, sign } from "node:crypto";
+
+//#region lib/index.ts
+/**
+* Mint a [Bifrost](https://gitlab.com/harmoniya/bifrost)-compatible JWT
+* locally so opys's `runClient` can launch Minecraft against a self-hosted
+* Yggdrasil server without going through the OAuth `/token` flow.
+*
+* Bifrost validates incoming bearer tokens with a single Ed25519 public key
+* and only requires two claims: `uuid` and `username`. We sign here with
+* the matching Ed25519 private key — same alg (`EdDSA`), same payload shape
+* as Bifrost's own `/token` endpoint (`{ uuid, username, iat, exp }`).
+*/
+const DEFAULT_TTL_SECONDS = 1440 * 60;
+function normalizePrivateKey(raw) {
+	if (!raw) throw new Error("bifrost: privateKey is required (got empty/undefined). Set BIFROST_PRIVATE_KEY in your environment, e.g. `export BIFROST_PRIVATE_KEY=\"$(cat path/to/key.pem)\"`.");
+	const unescaped = raw.replace(/\\n/g, "\n").trim();
+	const key = createPrivateKey({
+		key: unescaped.includes("-----BEGIN ") ? unescaped : `-----BEGIN PRIVATE KEY-----\n${unescaped}\n-----END PRIVATE KEY-----`,
+		format: "pem"
+	});
+	if (key.asymmetricKeyType !== "ed25519") throw new Error(`Bifrost private key must be Ed25519; got ${key.asymmetricKeyType ?? "unknown"}`);
+	return key;
+}
+function base64url(input) {
+	const buf = typeof input === "string" ? Buffer.from(input, "utf8") : input;
+	return Buffer.from(buf).toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function unixSeconds(t) {
+	if (t === void 0) return Math.floor(Date.now() / 1e3);
+	const ms = t instanceof Date ? t.getTime() : t;
+	return Math.floor(ms / 1e3);
+}
+function sanitizeUuid(uuid) {
+	return uuid.replace(/-/g, "").toLowerCase();
+}
+/**
+* Sign an Ed25519 JWT with `{ uuid, username, iat, exp }` claims and return
+* an auth object ready to spread into `runClient.vars`.
+*
+* ```ts
+* const auth = resolveBifrost({
+*   privateKey: process.env.BIFROST_PRIVATE_KEY,
+*   username: 'Player',
+*   uuid: '00000000-0000-0000-0000-000000000000',
+* });
+* // auth = { username, uuid, token }
+* ```
+*
+* The token mirrors what Bifrost's own `/token` endpoint mints, so it
+* passes `authMiddleware` validation against the matching public key.
+*/
+function resolveBifrost(options) {
+	const key = normalizePrivateKey(options.privateKey);
+	const uuid = sanitizeUuid(options.uuid);
+	const username = options.username;
+	const iat = unixSeconds(options.now);
+	const ttl = options.expiresIn ?? DEFAULT_TTL_SECONDS;
+	const exp = ttl > 0 ? iat + ttl : null;
+	const header = {
+		alg: "EdDSA",
+		typ: "JWT"
+	};
+	const payload = {
+		uuid,
+		username,
+		iat
+	};
+	if (exp !== null) payload.exp = exp;
+	const signingInput = `${base64url(JSON.stringify(header))}.${base64url(JSON.stringify(payload))}`;
+	return {
+		username,
+		uuid,
+		token: `${signingInput}.${base64url(sign(null, Buffer.from(signingInput), key))}`
+	};
+}
+
+//#endregion
+export { resolveBifrost };
+//# sourceMappingURL=index.mjs.map

package/dist/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.mjs","names":[],"sources":["../lib/index.ts"],"sourcesContent":["/**\n * Mint a [Bifrost](https://gitlab.com/harmoniya/bifrost)-compatible JWT\n * locally so opys's `runClient` can launch Minecraft against a self-hosted\n * Yggdrasil server without going through the OAuth `/token` flow.\n *\n * Bifrost validates incoming bearer tokens with a single Ed25519 public key\n * and only requires two claims: `uuid` and `username`. We sign here with\n * the matching Ed25519 private key — same alg (`EdDSA`), same payload shape\n * as Bifrost's own `/token` endpoint (`{ uuid, username, iat, exp }`).\n */\n\nimport { createPrivateKey, sign, type KeyObject } from 'node:crypto';\n\nexport interface BifrostOptions {\n  /**\n   * PEM-encoded Ed25519 private key (PKCS8). Single-line keys with literal\n   * `\\n` separators are accepted (env-var-friendly); a missing\n   * `-----BEGIN PRIVATE KEY-----` header is added automatically.\n   */\n  privateKey: string;\n  /** Player username — used as the `username` claim and mirrored to the result. */\n  username: string;\n  /** Player UUID. Dashes are stripped before signing (matches Bifrost). */\n  uuid: string;\n  /**\n   * Token lifetime in seconds. Default `86400` (24h, matches Bifrost's\n   * `/token`). Pass `0` to omit `exp` entirely.\n   */\n  expiresIn?: number;\n  /** Override the issued-at timestamp (ms since epoch or `Date`). Defaults to `Date.now()`. */\n  now?: number | Date;\n}\n\nexport interface BifrostAuth {\n  /** Player username, mirrored from input. */\n  username: string;\n  /** Dashless UUID (32 hex chars). */\n  uuid: string;\n  /** Signed Ed25519 JWT. Pass as `${token}` in your launch vars. */\n  token: string;\n}\n\nconst DEFAULT_TTL_SECONDS = 24 * 60 * 60;\n\nfunction normalizePrivateKey(raw: string): KeyObject {\n  if (!raw) {\n    throw new Error(\n      'bifrost: privateKey is required (got empty/undefined). ' +\n        'Set BIFROST_PRIVATE_KEY in your environment, e.g. ' +\n        '`export BIFROST_PRIVATE_KEY=\"$(cat path/to/key.pem)\"`.',\n    );\n  }\n  const unescaped = raw.replace(/\\\\n/g, '\\n').trim();\n  const pem = unescaped.includes('-----BEGIN ')\n    ? unescaped\n    : `-----BEGIN PRIVATE KEY-----\\n${unescaped}\\n-----END PRIVATE KEY-----`;\n  const key = createPrivateKey({ key: pem, format: 'pem' });\n  if (key.asymmetricKeyType !== 'ed25519') {\n    throw new Error(\n      `Bifrost private key must be Ed25519; got ${key.asymmetricKeyType ?? 'unknown'}`,\n    );\n  }\n  return key;\n}\n\nfunction base64url(input: string | Uint8Array): string {\n  const buf = typeof input === 'string' ? Buffer.from(input, 'utf8') : input;\n  return Buffer.from(buf)\n    .toString('base64')\n    .replace(/=+$/, '')\n    .replace(/\\+/g, '-')\n    .replace(/\\//g, '_');\n}\n\nfunction unixSeconds(t: number | Date | undefined): number {\n  if (t === undefined) return Math.floor(Date.now() / 1000);\n  const ms = t instanceof Date ? t.getTime() : t;\n  return Math.floor(ms / 1000);\n}\n\nfunction sanitizeUuid(uuid: string): string {\n  return uuid.replace(/-/g, '').toLowerCase();\n}\n\n/**\n * Sign an Ed25519 JWT with `{ uuid, username, iat, exp }` claims and return\n * an auth object ready to spread into `runClient.vars`.\n *\n * ```ts\n * const auth = resolveBifrost({\n *   privateKey: process.env.BIFROST_PRIVATE_KEY,\n *   username: 'Player',\n *   uuid: '00000000-0000-0000-0000-000000000000',\n * });\n * // auth = { username, uuid, token }\n * ```\n *\n * The token mirrors what Bifrost's own `/token` endpoint mints, so it\n * passes `authMiddleware` validation against the matching public key.\n */\nexport function resolveBifrost(options: BifrostOptions): BifrostAuth {\n  const key = normalizePrivateKey(options.privateKey);\n  const uuid = sanitizeUuid(options.uuid);\n  const username = options.username;\n\n  const iat = unixSeconds(options.now);\n  const ttl = options.expiresIn ?? DEFAULT_TTL_SECONDS;\n  const exp = ttl > 0 ? iat + ttl : null;\n\n  const header = { alg: 'EdDSA', typ: 'JWT' };\n  const payload: Record<string, unknown> = { uuid, username, iat };\n  if (exp !== null) payload.exp = exp;\n\n  const headerB64 = base64url(JSON.stringify(header));\n  const payloadB64 = base64url(JSON.stringify(payload));\n  const signingInput = `${headerB64}.${payloadB64}`;\n  const signature = sign(null, Buffer.from(signingInput), key);\n  const token = `${signingInput}.${base64url(signature)}`;\n\n  return { username, uuid, token };\n}\n"],"mappings":";;;;;;;;;;;;;AA0CA,MAAM,sBAAsB,OAAU;AAEtC,SAAS,oBAAoB,KAAwB;AACnD,KAAI,CAAC,IACH,OAAM,IAAI,MACR,oKAGD;CAEH,MAAM,YAAY,IAAI,QAAQ,QAAQ,KAAK,CAAC,MAAM;CAIlD,MAAM,MAAM,iBAAiB;EAAE,KAHnB,UAAU,SAAS,cAAc,GACzC,YACA,gCAAgC,UAAU;EACL,QAAQ;EAAO,CAAC;AACzD,KAAI,IAAI,sBAAsB,UAC5B,OAAM,IAAI,MACR,4CAA4C,IAAI,qBAAqB,YACtE;AAEH,QAAO;;AAGT,SAAS,UAAU,OAAoC;CACrD,MAAM,MAAM,OAAO,UAAU,WAAW,OAAO,KAAK,OAAO,OAAO,GAAG;AACrE,QAAO,OAAO,KAAK,IAAI,CACpB,SAAS,SAAS,CAClB,QAAQ,OAAO,GAAG,CAClB,QAAQ,OAAO,IAAI,CACnB,QAAQ,OAAO,IAAI;;AAGxB,SAAS,YAAY,GAAsC;AACzD,KAAI,MAAM,OAAW,QAAO,KAAK,MAAM,KAAK,KAAK,GAAG,IAAK;CACzD,MAAM,KAAK,aAAa,OAAO,EAAE,SAAS,GAAG;AAC7C,QAAO,KAAK,MAAM,KAAK,IAAK;;AAG9B,SAAS,aAAa,MAAsB;AAC1C,QAAO,KAAK,QAAQ,MAAM,GAAG,CAAC,aAAa;;;;;;;;;;;;;;;;;;AAmB7C,SAAgB,eAAe,SAAsC;CACnE,MAAM,MAAM,oBAAoB,QAAQ,WAAW;CACnD,MAAM,OAAO,aAAa,QAAQ,KAAK;CACvC,MAAM,WAAW,QAAQ;CAEzB,MAAM,MAAM,YAAY,QAAQ,IAAI;CACpC,MAAM,MAAM,QAAQ,aAAa;CACjC,MAAM,MAAM,MAAM,IAAI,MAAM,MAAM;CAElC,MAAM,SAAS;EAAE,KAAK;EAAS,KAAK;EAAO;CAC3C,MAAM,UAAmC;EAAE;EAAM;EAAU;EAAK;AAChE,KAAI,QAAQ,KAAM,SAAQ,MAAM;CAIhC,MAAM,eAAe,GAFH,UAAU,KAAK,UAAU,OAAO,CAAC,CAEjB,GADf,UAAU,KAAK,UAAU,QAAQ,CAAC;AAKrD,QAAO;EAAE;EAAU;EAAM,OAFX,GAAG,aAAa,GAAG,UADf,KAAK,MAAM,OAAO,KAAK,aAAa,EAAE,IAAI,CACP;EAErB"}

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@opys/bifrost",
+  "version": "0.1.2",
+  "type": "module",
+  "main": "./dist/index.js",
+  "exports": {
+    ".": {
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "scripts": {
+    "build": "tsdown lib/index.ts --format esm,cjs --dts --clean",
+    "typecheck": "tsc --noEmit -p tsconfig.json",
+    "test": "vitest run tests/unit --passWithNoTests"
+  },
+  "devDependencies": {
+    "tsdown": "*",
+    "vitest": "*"
+  },
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/harmoniya-net/opys.git",
+    "directory": "packages/bifrost"
+  }
+}