@pax2pay/model-banking 0.1.509 → 0.1.510

package/User/Access/Permission.ts

@@ -0,0 +1,47 @@
+import { isly } from "isly"
+import { typedly } from "typedly"
+
+export type Permission = Partial<Record<Permission.Collection, Permission.Level>>
+export namespace Permission {
+	export type Realm = Omit<Permission, "user">
+	export type Global = Pick<Permission, "user">
+	export function check(constraint: Permission, privilege: Permission): boolean {
+		return typedly.Object.entries(constraint).every(
+			([collection, level]) =>
+				Permission.Level.get(privilege[collection]) >= Permission.Level.get(level) ||
+				Permission.Level.get(privilege["*"]) >= Permission.Level.get(level)
+		)
+	}
+	export type Level = typeof Level.values[number]
+	export namespace Level {
+		export const values = ["read", "write", "developer", "admin"] as const
+		export const type = isly.string(values)
+		export function get(level: Level | undefined): number {
+			return level ? value[level] : 0
+		}
+		export const value: Record<Level, number> = {
+			read: 1,
+			write: 2,
+			developer: 3,
+			admin: 4,
+		} as const
+	}
+	export type Collection = typeof Collection.values[number]
+	export namespace Collection {
+		export const values = [
+			"account",
+			"card",
+			"log",
+			"operation",
+			"organization",
+			"rule", // realm rules
+			"settlement",
+			"transaction",
+			"treasury",
+			"user",
+			"*",
+		] as const
+		export const type = isly.string(values)
+	}
+	export const type = isly.record<Permission>(Collection.type, Level.type)
+}

package/User/Access/index.ts

@@ -0,0 +1,19 @@
+import { isly } from "isly"
+import { Permission as AccessPermission } from "./Permission"
+
+/** read < write < developer < admin */
+export interface Access {
+	uk?: Access.Permission.Realm
+	eea?: Access.Permission.Realm
+	test?: Access.Permission.Realm
+	"*"?: Access.Permission.Global
+}
+export namespace Access {
+	export import Permission = AccessPermission
+	export const type = isly.object({
+		uk: Access.Permission.type.optional(),
+		eea: Access.Permission.type.optional(),
+		test: Access.Permission.type.optional(),
+		"*": isly.object({ user: Access.Permission.Level.type.optional() }).optional(),
+	})
+}

package/User/Identity.ts

@@ -0,0 +1,32 @@
+import { gracely } from "gracely"
+import { http } from "cloudly-http"
+import { Realm } from "../Realm"
+import { Access } from "./Access"
+import { JWT } from "./JWT"
+
+export class Identity {
+	get realm(): Realm {
+		return this.payload.realm
+	}
+	constructor(public readonly payload: JWT.Payload, private readonly jwt: string) {}
+
+	authenticate(constraint: Access.Permission | Access.Permission[]): Identity | gracely.Error {
+		let allowed: boolean
+		if (Array.isArray(constraint))
+			allowed = constraint.some(c => this.authenticate(c))
+		else
+			allowed = Access.Permission.check(constraint, this.payload.permission)
+		return allowed ? this : gracely.client.forbidden()
+	}
+
+	/** Key will default to production jwt verification key */
+	static async open(
+		authorization: string | undefined,
+		options: { whitelist?: JWT.Whitelist; key?: string }
+	): Promise<Identity | gracely.Error> {
+		const jwt = authorization?.startsWith("Bearer ") ? authorization.replace("Bearer ", "") : undefined
+		const payload = jwt ? await JWT.open({ public: options.key }, options.whitelist).verify(jwt) : undefined
+		return jwt && payload ? new Identity(payload, jwt) : gracely.client.unauthorized()
+	}
+}
+export namespace Identity {}

package/User/JWT/Payload.ts

@@ -0,0 +1,56 @@
+import { authly } from "authly"
+import { isly } from "isly"
+import { Realm } from "../../Realm"
+import { Access } from "../Access"
+
+export type Payload = Payload.LongTerm | Payload.ShortTerm
+export namespace Payload {
+	export interface Creatable {
+		sub: string
+		permission: Access.Permission
+		realm: Realm
+	}
+	export namespace Creatable {
+		export const type = isly.object<Creatable>({
+			sub: isly.string(),
+			permission: Access.Permission.type,
+			realm: Realm.type,
+		})
+	}
+	export interface Base extends authly.Payload {
+		aud: string
+		iat: number
+		iss: string
+		sub: string
+		permission: Access.Permission
+		realm: Realm
+	}
+	export namespace Base {
+		export const type = isly.object<Payload>({
+			aud: isly.string(),
+			iat: isly.number(),
+			iss: isly.string(),
+			sub: isly.string(),
+			permission: Access.Permission.type,
+			realm: Realm.type,
+		})
+	}
+	export interface LongTerm extends Base {
+		id: string
+	}
+	export namespace LongTerm {
+		export const type = Base.type.extend<LongTerm>({ id: isly.string() })
+	}
+	export interface ShortTerm extends Base {
+		exp: number
+	}
+	export namespace ShortTerm {
+		export const type = Base.type.extend<ShortTerm>({ exp: isly.number() })
+	}
+
+	export const configuration = {
+		aud: "https://banking.pax2pay.app",
+		iss: "pax2pay",
+	}
+	export const type = isly.union<Payload>(LongTerm.type, ShortTerm.type)
+}

package/User/JWT/Signer.ts

@@ -0,0 +1,39 @@
+import { authly } from "authly"
+import { Payload } from "./Payload"
+
+export class Signer {
+	constructor(private readonly key?: { public?: string; private?: string }) {}
+
+	/** Duration in seconds */
+	async sign(data: Payload.Creatable, duration: number | "infinite" = 60 * 60 * 12): Promise<string | undefined> {
+		let result: string | undefined
+		if (duration === "infinite") {
+			const signer = Signer.create({ key: this.key })
+			result = await signer?.sign({ id: authly.Identifier.generate(16), ...data })
+		} else {
+			const signer = Signer.create({ key: this.key, duration })
+			result = await signer?.sign({ ...data })
+		}
+		return result
+	}
+
+	static open(key?: { public?: string; private?: string }): Signer {
+		return new this(key)
+	}
+}
+export namespace Signer {
+	export function create<T extends authly.Payload>(options: {
+		key?: { public?: string; private?: string }
+		duration?: number
+	}): authly.Issuer<T> | undefined {
+		const signer = authly.Issuer.create(
+			Payload.configuration.iss,
+			authly.Algorithm.RS256(options.key?.public, options.key?.private)
+		)
+		if (signer) {
+			signer.duration = options.duration
+			signer.audience = Payload.configuration.aud
+		}
+		return signer
+	}
+}

package/User/JWT/index.ts

@@ -0,0 +1,57 @@
+import { authly } from "authly"
+import { Realm } from "../../Realm"
+import { Payload as JWTPayload } from "./Payload"
+import { Signer as JWTSigner } from "./Signer"
+
+export class JWT {
+	#verifier?: authly.Verifier<JWT.Payload>
+	private get verifier(): authly.Verifier<JWT.Payload> | undefined {
+		if (!this.#verifier && this.key?.public) {
+			const algorithm = authly.Algorithm.RS256(this.key.public)
+			this.#verifier = algorithm ? authly.Verifier.create(algorithm) : undefined
+		}
+		return this.#verifier
+	}
+	#signer?: JWTSigner
+	private get signer(): JWTSigner | undefined {
+		return this.key?.private ? (this.#signer ??= JWTSigner.open(this.key)) : undefined
+	}
+	get sign() {
+		return this.signer?.sign
+	}
+	private constructor(
+		private readonly key?: { public?: string; private?: string },
+		readonly whitelist?: JWT.Whitelist
+	) {}
+
+	async verify(token: string): Promise<JWT.Payload | undefined> {
+		const verified = await this.verifier?.verify(token, JWT.Payload.configuration.aud)
+		delete verified?.token
+		return JWT.Payload.type.is(verified) &&
+			verified?.iss == JWT.Payload.configuration.iss &&
+			(verified.exp || (verified.id && this.whitelist?.[verified.realm]?.some(e => e.id === verified.id)))
+			? verified
+			: undefined
+	}
+	async unpack(token: string): Promise<JWT.Payload | undefined> {
+		const unpacked = await JWT.unpack(token)
+		delete unpacked?.token
+		return unpacked
+	}
+
+	static open(key?: { private?: string; public?: string }, whitelist?: JWT.Whitelist): JWT {
+		return new this({ private: key?.private, public: key?.public ?? JWT.key }, whitelist)
+	}
+}
+export namespace JWT {
+	export import Signer = JWTSigner
+	export type Whitelist = Partial<Record<Realm, Payload.LongTerm[]>>
+	export async function unpack(token: string): Promise<JWT.Payload | undefined> {
+		const algorithm = authly.Algorithm.RS256(undefined)
+		const verifier = algorithm ? authly.Verifier.create<JWT.Payload>(algorithm) : undefined
+		return verifier?.unpack(token)
+	}
+	export import Payload = JWTPayload
+	export const key =
+		"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2W8CD2kpfS4QIRV2/rgm4NVvsvJsYNMHtnIl9ADvO3A81hAmRKvOAPVoXICe6+EuZ47jGjGL7f48GEoQuITfBPv/MosCDj1YhJ56ILDynCSd8FlxDrhv8pl5IquST7tcL6Hc6m+vuvoTLrFQ5QqNxv0a5eDd/YTrWv7SUuRfBEhYd/wMysGynN3QauHqy5ceBCt1nv1MJLGlSzczMRK7wjy1zi2g9NCHZBOoo1HXOpi727Xh+YXHc9EP2TN0oOXyxykv45nkGIDI0Qek3/pfkavClBffc1sEqA+rUx7YqRN9KGYxwLMLug+NOOh3ptqjfobXbR5fx/sUWhvcjUMTE1JreTrWYbGmVnjd/SeYSClfmGhdTBUfqnZbaABv0ruTXva18qRhP4y143vHMk/k8HzbuROTKAzrtEeLIjgwUgDcnE+JwDqcb8tKSGV6i++TiTldlSBCRTT4dK2hpHJje80b2abqtrbCkxbJlT98UsAAoiq2eW1X6lYmCfiGCJPkfswibQ2tPAKKNe/2xuHPsjx4FuXGmV0dbzmCwSIQoApXqOvKzoNFi6AaKIjxfNmiEigLwKpNrw08H0lVZbq/9MMxI3TzMTZjY9QmBKVLSGy3Z6IJqZpyK22lv7whJcllG0Qw8tv8+7wmC8SR3+4jpuxuFGZ+69CW+otx+CPMJjcCAwEAAQ=="
+}

package/User/Me.ts

@@ -0,0 +1,15 @@
+import { isly } from "isly"
+import { Realm } from "../Realm"
+
+export interface Me {
+	email: string
+	password: string
+	realm: Realm
+}
+export namespace Me {
+	export const type = isly.object<Me>({
+		email: isly.string(),
+		password: isly.string(),
+		realm: Realm.type,
+	})
+}

package/User/Password.ts

@@ -0,0 +1,43 @@
+import { cryptly } from "cryptly"
+import { gracely } from "gracely"
+import { isoly } from "isoly"
+import { isly } from "isly"
+
+export interface Password {
+	hash: cryptly.Password.Hash
+	changed: isoly.DateTime
+}
+export namespace Password {
+	export interface Creatable {
+		new: string
+		repeat: string
+	}
+	export namespace Creatable {
+		export const type = isly.object<Creatable>({
+			new: isly.string(),
+			repeat: isly.string(),
+		})
+	}
+	export async function create(creatable: Creatable, pepper: string | undefined): Promise<Password | gracely.Error> {
+		let result: Awaited<ReturnType<typeof create>>
+		if (creatable.new !== creatable.repeat)
+			result = gracely.client.forbidden("The new password and the repeated password do not match.")
+		else if (!pepper)
+			result = gracely.server.backendFailure("The password cannot be created without a pepper.")
+		else
+			result = { hash: await hash(creatable.new, pepper), changed: isoly.DateTime.now() }
+		return result
+	}
+	export function salt(): string {
+		return cryptly.Base64.encode(cryptly.RandomValue.generate(new Uint8Array(64)).toString())
+	}
+	export async function hash(password: string, pepper: string): Promise<cryptly.Password.Hash> {
+		return cryptly.Password.hash(signer(pepper), password, salt())
+	}
+	export async function verify(password: string, hash: cryptly.Password.Hash, pepper: string): Promise<boolean> {
+		return cryptly.Password.verify(signer(pepper), hash, password)
+	}
+	function signer(pepper: string): { sign: (data: string) => Promise<string> } {
+		return cryptly.Signer.create("HMAC", "SHA-512", pepper)
+	}
+}

package/User/index.ts

@@ -0,0 +1,68 @@
+import { isoly } from "isoly"
+import { isly } from "isly"
+import { Realm } from "../Realm"
+import { Access as UserAccess } from "./Access"
+import { Identity as UserIdentity } from "./Identity"
+import { JWT as UserJWT } from "./JWT"
+import { Me as UserMe } from "./Me"
+import { Password as UserPassword } from "./Password"
+
+export interface User {
+	email: string
+	access: User.Access
+	changed: isoly.DateTime
+	created: isoly.DateTime
+	password: {
+		changed: isoly.DateTime
+	}
+}
+export namespace User {
+	export import Access = UserAccess
+	export import Identity = UserIdentity
+	export import JWT = UserJWT
+	export import Me = UserMe
+	export import Password = UserPassword
+	export function fromInvite(invite: Invite): User {
+		const now = isoly.DateTime.now()
+		return {
+			email: invite.email,
+			access: invite.access,
+			changed: now,
+			created: now,
+			password: {
+				changed: now,
+			},
+		}
+	}
+	export function toJWTPayloadCreatable(user: User, realm: Realm): User.JWT.Payload.Creatable {
+		return {
+			sub: user.email,
+			permission: { ...(user.access[realm] ?? {}), ...(user.access["*"] ?? {}) },
+			realm,
+		}
+	}
+	export interface Creatable {
+		invite: string
+		password: Password.Creatable
+	}
+	export namespace Creatable {
+		export const type = isly.object<Creatable>({
+			invite: isly.string(),
+			password: isly.object({ new: isly.string(), repeat: isly.string() }),
+		})
+	}
+	export interface Invite {
+		id: string
+		email: string
+		access: Access
+	}
+	export namespace Invite {
+		export interface Creatable {
+			email: string
+			access: Access
+		}
+		export namespace Creatable {
+			export const type = isly.object<Creatable>({ email: isly.string(), access: Access.type })
+		}
+	}
+}

package/dist/cjs/User/Access/Permission.d.ts

@@ -0,0 +1,20 @@
+import { isly } from "isly";
+export type Permission = Partial<Record<Permission.Collection, Permission.Level>>;
+export declare namespace Permission {
+    type Realm = Omit<Permission, "user">;
+    type Global = Pick<Permission, "user">;
+    function check(constraint: Permission, privilege: Permission): boolean;
+    type Level = typeof Level.values[number];
+    namespace Level {
+        const values: readonly ["read", "write", "developer", "admin"];
+        const type: isly.Type<"admin" | "read" | "write" | "developer">;
+        function get(level: Level | undefined): number;
+        const value: Record<Level, number>;
+    }
+    type Collection = typeof Collection.values[number];
+    namespace Collection {
+        const values: readonly ["account", "card", "log", "operation", "organization", "rule", "settlement", "transaction", "treasury", "user", "*"];
+        const type: isly.Type<"rule" | "card" | "transaction" | "account" | "settlement" | "organization" | "log" | "user" | "operation" | "treasury" | "*">;
+    }
+    const type: isly.Type<Partial<Record<"rule" | "card" | "transaction" | "account" | "settlement" | "organization" | "log" | "user" | "operation" | "treasury" | "*", "admin" | "read" | "write" | "developer">>>;
+}

package/dist/cjs/User/Access/Permission.js

@@ -0,0 +1,47 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Permission = void 0;
+const isly_1 = require("isly");
+const typedly_1 = require("typedly");
+var Permission;
+(function (Permission) {
+    function check(constraint, privilege) {
+        return typedly_1.typedly.Object.entries(constraint).every(([collection, level]) => Permission.Level.get(privilege[collection]) >= Permission.Level.get(level) ||
+            Permission.Level.get(privilege["*"]) >= Permission.Level.get(level));
+    }
+    Permission.check = check;
+    let Level;
+    (function (Level) {
+        Level.values = ["read", "write", "developer", "admin"];
+        Level.type = isly_1.isly.string(Level.values);
+        function get(level) {
+            return level ? Level.value[level] : 0;
+        }
+        Level.get = get;
+        Level.value = {
+            read: 1,
+            write: 2,
+            developer: 3,
+            admin: 4,
+        };
+    })(Level = Permission.Level || (Permission.Level = {}));
+    let Collection;
+    (function (Collection) {
+        Collection.values = [
+            "account",
+            "card",
+            "log",
+            "operation",
+            "organization",
+            "rule",
+            "settlement",
+            "transaction",
+            "treasury",
+            "user",
+            "*",
+        ];
+        Collection.type = isly_1.isly.string(Collection.values);
+    })(Collection = Permission.Collection || (Permission.Collection = {}));
+    Permission.type = isly_1.isly.record(Collection.type, Level.type);
+})(Permission || (exports.Permission = Permission = {}));
+//# sourceMappingURL=Permission.js.map

package/dist/cjs/User/Access/Permission.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Permission.js","sourceRoot":"","sources":["../../../../User/Access/Permission.ts"],"names":[],"mappings":";;;AAAA,+BAA2B;AAC3B,qCAAiC;AAGjC,IAAiB,UAAU,CA0C1B;AA1CD,WAAiB,UAAU;IAG1B,SAAgB,KAAK,CAAC,UAAsB,EAAE,SAAqB;QAClE,OAAO,iBAAO,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,KAAK,CAC9C,CAAC,CAAC,UAAU,EAAE,KAAK,CAAC,EAAE,EAAE,CACvB,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC;YAC1E,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,IAAI,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CACpE,CAAA;IACF,CAAC;IANe,gBAAK,QAMpB,CAAA;IAED,IAAiB,KAAK,CAYrB;IAZD,WAAiB,KAAK;QACR,YAAM,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAU,CAAA;QACzD,UAAI,GAAG,WAAI,CAAC,MAAM,CAAC,MAAA,MAAM,CAAC,CAAA;QACvC,SAAgB,GAAG,CAAC,KAAwB;YAC3C,OAAO,KAAK,CAAC,CAAC,CAAC,MAAA,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;QAChC,CAAC;QAFe,SAAG,MAElB,CAAA;QACY,WAAK,GAA0B;YAC3C,IAAI,EAAE,CAAC;YACP,KAAK,EAAE,CAAC;YACR,SAAS,EAAE,CAAC;YACZ,KAAK,EAAE,CAAC;SACC,CAAA;IACX,CAAC,EAZgB,KAAK,GAAL,gBAAK,KAAL,gBAAK,QAYrB;IAED,IAAiB,UAAU,CAe1B;IAfD,WAAiB,UAAU;QACb,iBAAM,GAAG;YACrB,SAAS;YACT,MAAM;YACN,KAAK;YACL,WAAW;YACX,cAAc;YACd,MAAM;YACN,YAAY;YACZ,aAAa;YACb,UAAU;YACV,MAAM;YACN,GAAG;SACM,CAAA;QACG,eAAI,GAAG,WAAI,CAAC,MAAM,CAAC,WAAA,MAAM,CAAC,CAAA;IACxC,CAAC,EAfgB,UAAU,GAAV,qBAAU,KAAV,qBAAU,QAe1B;IACY,eAAI,GAAG,WAAI,CAAC,MAAM,CAAa,UAAU,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,CAAA;AACzE,CAAC,EA1CgB,UAAU,0BAAV,UAAU,QA0C1B"}

package/dist/cjs/User/Access/index.d.ts

@@ -0,0 +1,11 @@
+import { Permission as AccessPermission } from "./Permission";
+export interface Access {
+    uk?: Access.Permission.Realm;
+    eea?: Access.Permission.Realm;
+    test?: Access.Permission.Realm;
+    "*"?: Access.Permission.Global;
+}
+export declare namespace Access {
+    export import Permission = AccessPermission;
+    const type: import("isly/dist/cjs/object").IslyObject<object, object>;
+}

package/dist/cjs/User/Access/index.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Access = void 0;
+const isly_1 = require("isly");
+const Permission_1 = require("./Permission");
+var Access;
+(function (Access) {
+    Access.Permission = Permission_1.Permission;
+    Access.type = isly_1.isly.object({
+        uk: Access.Permission.type.optional(),
+        eea: Access.Permission.type.optional(),
+        test: Access.Permission.type.optional(),
+        "*": isly_1.isly.object({ user: Access.Permission.Level.type.optional() }).optional(),
+    });
+})(Access || (exports.Access = Access = {}));
+//# sourceMappingURL=index.js.map

package/dist/cjs/User/Access/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../User/Access/index.ts"],"names":[],"mappings":";;;AAAA,+BAA2B;AAC3B,6CAA6D;AAS7D,IAAiB,MAAM,CAQtB;AARD,WAAiB,MAAM;IACR,iBAAU,GAAG,uBAAgB,CAAA;IAC9B,WAAI,GAAG,WAAI,CAAC,MAAM,CAAC;QAC/B,EAAE,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE;QACrC,GAAG,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE;QACtC,IAAI,EAAE,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE;QACvC,GAAG,EAAE,WAAI,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,EAAE;KAC9E,CAAC,CAAA;AACH,CAAC,EARgB,MAAM,sBAAN,MAAM,QAQtB"}

package/dist/cjs/User/Identity.d.ts

@@ -0,0 +1,16 @@
+import { gracely } from "gracely";
+import { Realm } from "../Realm";
+import { Access } from "./Access";
+import { JWT } from "./JWT";
+export declare class Identity {
+    readonly payload: JWT.Payload;
+    private readonly jwt;
+    get realm(): Realm;
+    constructor(payload: JWT.Payload, jwt: string);
+    authenticate(constraint: Access.Permission | Access.Permission[]): Identity | gracely.Error;
+    static open(authorization: string | undefined, options: {
+        whitelist?: JWT.Whitelist;
+        key?: string;
+    }): Promise<Identity | gracely.Error>;
+}
+export declare namespace Identity { }

package/dist/cjs/User/Identity.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Identity = void 0;
+const gracely_1 = require("gracely");
+const Access_1 = require("./Access");
+const JWT_1 = require("./JWT");
+class Identity {
+    payload;
+    jwt;
+    get realm() {
+        return this.payload.realm;
+    }
+    constructor(payload, jwt) {
+        this.payload = payload;
+        this.jwt = jwt;
+    }
+    authenticate(constraint) {
+        let allowed;
+        if (Array.isArray(constraint))
+            allowed = constraint.some(c => this.authenticate(c));
+        else
+            allowed = Access_1.Access.Permission.check(constraint, this.payload.permission);
+        return allowed ? this : gracely_1.gracely.client.forbidden();
+    }
+    static async open(authorization, options) {
+        const jwt = authorization?.startsWith("Bearer ") ? authorization.replace("Bearer ", "") : undefined;
+        const payload = jwt ? await JWT_1.JWT.open({ public: options.key }, options.whitelist).verify(jwt) : undefined;
+        return jwt && payload ? new Identity(payload, jwt) : gracely_1.gracely.client.unauthorized();
+    }
+}
+exports.Identity = Identity;
+//# sourceMappingURL=Identity.js.map

package/dist/cjs/User/Identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Identity.js","sourceRoot":"","sources":["../../../User/Identity.ts"],"names":[],"mappings":";;;AAAA,qCAAiC;AAGjC,qCAAiC;AACjC,+BAA2B;AAE3B,MAAa,QAAQ;IAIQ;IAAuC;IAHnE,IAAI,KAAK;QACR,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,CAAA;IAC1B,CAAC;IACD,YAA4B,OAAoB,EAAmB,GAAW;QAAlD,YAAO,GAAP,OAAO,CAAa;QAAmB,QAAG,GAAH,GAAG,CAAQ;IAAG,CAAC;IAElF,YAAY,CAAC,UAAmD;QAC/D,IAAI,OAAgB,CAAA;QACpB,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC;YAC5B,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAA;;YAEpD,OAAO,GAAG,eAAM,CAAC,UAAU,CAAC,KAAK,CAAC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;QACvE,OAAO,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,iBAAO,CAAC,MAAM,CAAC,SAAS,EAAE,CAAA;IACnD,CAAC;IAGD,MAAM,CAAC,KAAK,CAAC,IAAI,CAChB,aAAiC,EACjC,OAAoD;QAEpD,MAAM,GAAG,GAAG,aAAa,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QACnG,MAAM,OAAO,GAAG,GAAG,CAAC,CAAC,CAAC,MAAM,SAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAA;QACxG,OAAO,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,iBAAO,CAAC,MAAM,CAAC,YAAY,EAAE,CAAA;IACnF,CAAC;CACD;AAxBD,4BAwBC"}

package/dist/cjs/User/JWT/Payload.d.ts

@@ -0,0 +1,43 @@
+import { authly } from "authly";
+import { isly } from "isly";
+import { Realm } from "../../Realm";
+import { Access } from "../Access";
+export type Payload = Payload.LongTerm | Payload.ShortTerm;
+export declare namespace Payload {
+    interface Creatable {
+        sub: string;
+        permission: Access.Permission;
+        realm: Realm;
+    }
+    namespace Creatable {
+        const type: import("isly/dist/cjs/object").IslyObject<Creatable, object>;
+    }
+    interface Base extends authly.Payload {
+        aud: string;
+        iat: number;
+        iss: string;
+        sub: string;
+        permission: Access.Permission;
+        realm: Realm;
+    }
+    namespace Base {
+        const type: import("isly/dist/cjs/object").IslyObject<Payload, object>;
+    }
+    interface LongTerm extends Base {
+        id: string;
+    }
+    namespace LongTerm {
+        const type: import("isly/dist/cjs/object").IslyObject<LongTerm, Payload>;
+    }
+    interface ShortTerm extends Base {
+        exp: number;
+    }
+    namespace ShortTerm {
+        const type: import("isly/dist/cjs/object").IslyObject<ShortTerm, Payload>;
+    }
+    const configuration: {
+        aud: string;
+        iss: string;
+    };
+    const type: isly.Type<Payload>;
+}

package/dist/cjs/User/JWT/Payload.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Payload = void 0;
+const isly_1 = require("isly");
+const Realm_1 = require("../../Realm");
+const Access_1 = require("../Access");
+var Payload;
+(function (Payload) {
+    let Creatable;
+    (function (Creatable) {
+        Creatable.type = isly_1.isly.object({
+            sub: isly_1.isly.string(),
+            permission: Access_1.Access.Permission.type,
+            realm: Realm_1.Realm.type,
+        });
+    })(Creatable = Payload.Creatable || (Payload.Creatable = {}));
+    let Base;
+    (function (Base) {
+        Base.type = isly_1.isly.object({
+            aud: isly_1.isly.string(),
+            iat: isly_1.isly.number(),
+            iss: isly_1.isly.string(),
+            sub: isly_1.isly.string(),
+            permission: Access_1.Access.Permission.type,
+            realm: Realm_1.Realm.type,
+        });
+    })(Base = Payload.Base || (Payload.Base = {}));
+    let LongTerm;
+    (function (LongTerm) {
+        LongTerm.type = Base.type.extend({ id: isly_1.isly.string() });
+    })(LongTerm = Payload.LongTerm || (Payload.LongTerm = {}));
+    let ShortTerm;
+    (function (ShortTerm) {
+        ShortTerm.type = Base.type.extend({ exp: isly_1.isly.number() });
+    })(ShortTerm = Payload.ShortTerm || (Payload.ShortTerm = {}));
+    Payload.configuration = {
+        aud: "https://banking.pax2pay.app",
+        iss: "pax2pay",
+    };
+    Payload.type = isly_1.isly.union(LongTerm.type, ShortTerm.type);
+})(Payload || (exports.Payload = Payload = {}));
+//# sourceMappingURL=Payload.js.map

package/dist/cjs/User/JWT/Payload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Payload.js","sourceRoot":"","sources":["../../../../User/JWT/Payload.ts"],"names":[],"mappings":";;;AACA,+BAA2B;AAC3B,uCAAmC;AACnC,sCAAkC;AAGlC,IAAiB,OAAO,CAiDvB;AAjDD,WAAiB,OAAO;IAMvB,IAAiB,SAAS,CAMzB;IAND,WAAiB,SAAS;QACZ,cAAI,GAAG,WAAI,CAAC,MAAM,CAAY;YAC1C,GAAG,EAAE,WAAI,CAAC,MAAM,EAAE;YAClB,UAAU,EAAE,eAAM,CAAC,UAAU,CAAC,IAAI;YAClC,KAAK,EAAE,aAAK,CAAC,IAAI;SACjB,CAAC,CAAA;IACH,CAAC,EANgB,SAAS,GAAT,iBAAS,KAAT,iBAAS,QAMzB;IASD,IAAiB,IAAI,CASpB;IATD,WAAiB,IAAI;QACP,SAAI,GAAG,WAAI,CAAC,MAAM,CAAU;YACxC,GAAG,EAAE,WAAI,CAAC,MAAM,EAAE;YAClB,GAAG,EAAE,WAAI,CAAC,MAAM,EAAE;YAClB,GAAG,EAAE,WAAI,CAAC,MAAM,EAAE;YAClB,GAAG,EAAE,WAAI,CAAC,MAAM,EAAE;YAClB,UAAU,EAAE,eAAM,CAAC,UAAU,CAAC,IAAI;YAClC,KAAK,EAAE,aAAK,CAAC,IAAI;SACjB,CAAC,CAAA;IACH,CAAC,EATgB,IAAI,GAAJ,YAAI,KAAJ,YAAI,QASpB;IAID,IAAiB,QAAQ,CAExB;IAFD,WAAiB,QAAQ;QACX,aAAI,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAW,EAAE,EAAE,EAAE,WAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IACtE,CAAC,EAFgB,QAAQ,GAAR,gBAAQ,KAAR,gBAAQ,QAExB;IAID,IAAiB,SAAS,CAEzB;IAFD,WAAiB,SAAS;QACZ,cAAI,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAY,EAAE,GAAG,EAAE,WAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IACxE,CAAC,EAFgB,SAAS,GAAT,iBAAS,KAAT,iBAAS,QAEzB;IAEY,qBAAa,GAAG;QAC5B,GAAG,EAAE,6BAA6B;QAClC,GAAG,EAAE,SAAS;KACd,CAAA;IACY,YAAI,GAAG,WAAI,CAAC,KAAK,CAAU,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,CAAA;AACvE,CAAC,EAjDgB,OAAO,uBAAP,OAAO,QAiDvB"}

package/dist/cjs/User/JWT/Signer.d.ts

@@ -0,0 +1,23 @@
+import { authly } from "authly";
+import { Payload } from "./Payload";
+export declare class Signer {
+    private readonly key?;
+    constructor(key?: {
+        public?: string;
+        private?: string;
+    } | undefined);
+    sign(data: Payload.Creatable, duration?: number | "infinite"): Promise<string | undefined>;
+    static open(key?: {
+        public?: string;
+        private?: string;
+    }): Signer;
+}
+export declare namespace Signer {
+    function create<T extends authly.Payload>(options: {
+        key?: {
+            public?: string;
+            private?: string;
+        };
+        duration?: number;
+    }): authly.Issuer<T> | undefined;
+}