@payello-module/jwt 0.1.6 → 0.2.0

package/dist/JWT.js

@@ -49,17 +49,17 @@ export class JWT {
         if (bits.length !== 3) {
             throw new JwtError(`Invalid number of parts in JWT string. Expected 3 but got ${bits.length}`);
         }
-        const header = JSON.parse(atob(bits[0]));
+        const header = JSON.parse(bits[0]);
         if (!header || !header.typ || header.typ !== "JWT") {
             throw new JwtError("Header invalid or type is not JWT");
         }
-        const payload = JSON.parse(atob(bits[1]));
+        const payload = JSON.parse(bits[1]);
         if (!payload || !payload.jti) {
             throw new JwtError("Payload invalid or missing jti value");
         }
         // Validates the present of required properties in the payload.
         const requiredProps = opts.requiredProps || ["jti", "iss", "iat"];
-        for (const prop of requiredProps) {
+        for (const prop in requiredProps) {
             if (!payload[prop]) {
                 throw new JwtError(`Payload missing ${prop} value`);
             }
@@ -67,9 +67,7 @@ export class JWT {
         // Returns an object containing the extracted components of the JWT.
         return {
             header: header,
-            headerRaw: bits[0],
             payload: payload,
-            payloadRaw: bits[1],
             signature: bits[2]
         };
     }
@@ -88,14 +86,14 @@ export class JWT {
         }
         let verify = false;
         // Preparation of the data to verify the signature.
-        const data = `${extracted.headerRaw}.${extracted.payloadRaw}`;
+        const data = `${btoa(JSON.stringify(extracted.header))}.${btoa(JSON.stringify(extracted.payload))}`;
         // Verification of the signature based on the algorithm specified in the header.
         switch (extracted.header.alg) {
             case 'HS256':
-                verify = extracted.signature === btoa(await HmacSha256.encrypt(data, secretKey)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+                verify = await HmacSha256.verify(data, extracted.signature, secretKey);
                 break;
             case 'HS512':
-                verify = extracted.signature === btoa(await HmacSha512.encrypt(data, secretKey)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+                verify = await HmacSha512.verify(data, extracted.signature, secretKey);
                 break;
             default:
                 throw new JwtError(`Unsupported algorithm`);

package/dist/JwtExtract.d.ts

@@ -1,8 +1,6 @@
 import { JwtHeader } from "./JwtHeader";
 export interface JwtExtract {
     header: JwtHeader;
-    headerRaw: string;
     payload: any;
-    payloadRaw: string;
     signature: string;
 }

package/dist/src/JWT.d.ts

@@ -0,0 +1,46 @@
+import { JwtHeader } from "./JwtHeader";
+import { JwtExtract } from "./JwtExtract";
+import { JwtExtractOpts } from "./JwtExtractOpts";
+import { JWTAlgorithm } from "./JWTAlgorithms";
+import { JWTPayload } from "./JWTPayload";
+import { JWTKeyPair } from "./JWTKeyPair";
+/**
+ * Class representing JSON Web Tokens (JWT) functionalities, including signing, extracting components,
+ * and verifying the signature of the token.
+ */
+export declare class JWT {
+    private static algExportFormat;
+    /**
+     * Generates a new key pair for the given algorithm
+     * @param alg JWT algorithm to generate for
+     * @returns
+     */
+    static generateKeys(alg?: JWTAlgorithm): Promise<JWTKeyPair>;
+    /**
+     * Signs the given payload and returns a JWT string.
+     * @param payload - The payload of the JWT which is the content that you want to protect.
+     * @param alg - The algorithm for signing the JWT
+     * @param key - The key for signing the JWT
+     * @returns A promise that resolves to the signed JWT string.
+     */
+    static sign(payload: JWTPayload, alg: JWTAlgorithm, key: string | BufferSource): Promise<string>;
+    /**
+     * Extracts and returns the header, payload, and signature components from a JWT string.
+     * @param input - The JWT string to be parsed.
+     * @param opts - Optional parameters, including the requirements for the presence of required properties in the payload.
+     * @returns A promise that resolves to an object containing the separated components of the JWT (header, payload, signature).
+     */
+    static extract(input: string, opts?: JwtExtractOpts): Promise<JwtExtract>;
+    /**
+     * Verifies the given JWT string using the secret key fetched by the given issuer.
+     * @param token - The JWT to be verified.
+     * @param getVerifyKey - A function to retrieve the verification key based on the header & payload (BufferSource or base64-encoded string)
+     * @param throwErrors - If true then will throw JwtError if something fails or the token is not valid
+     * @returns A promise that resolves to a boolean indicating whether the JWT has been verified successfully or not.
+     * @throws `JwtError | Error`
+     */
+    static verifySignature(token: string, getVerifyKey: (header: JwtHeader, payload: JWTPayload) => Promise<BufferSource | string> | BufferSource | string, throwErrors?: boolean): Promise<{
+        verified: boolean;
+        extracted: JwtExtract | null;
+    }>;
+}

package/dist/src/JWT.js

@@ -0,0 +1,171 @@
+import { JwtError } from "./JwtError";
+import { base64_decode_buffer, base64_decode_urlsafe, base64_encode_buffer, base64_encode_urlsafe } from "./base64_encode_buffer";
+import { JWTAlgorithms } from "./JWTAlgorithms";
+/**
+ * Class representing JSON Web Tokens (JWT) functionalities, including signing, extracting components,
+ * and verifying the signature of the token.
+ */
+export class JWT {
+    static algExportFormat(alg, use) {
+        const algName = JWTAlgorithms[alg].name;
+        if (["RSASSA-PKCS1-v1_5", "ECDSA", "RSA-PSS"].indexOf(algName) > -1) {
+            return use == "sign" ? "pkcs8" : "spki";
+        }
+        return "raw";
+    }
+    /**
+     * Generates a new key pair for the given algorithm
+     * @param alg JWT algorithm to generate for
+     * @returns
+     */
+    static async generateKeys(alg = "HS256") {
+        if (alg == "HS256" || alg == "HS384" || alg == "HS512") {
+            const cryptoKey = await crypto.subtle.generateKey(JWTAlgorithms[alg], true, ["sign", "verify"]);
+            const privateKey = await crypto.subtle.exportKey("raw", cryptoKey);
+            const key = { raw: privateKey, base64: base64_encode_buffer(privateKey) };
+            return { sign: key, verify: key };
+        }
+        else if (alg == "RS256" || alg == "RS384" || alg == "RS512" || alg == "ES256" || alg == "ES384" || alg == "ES512" || alg == "PS256" || alg == "PS384" || alg == "PS512") {
+            const cryptoKey = await crypto.subtle.generateKey(JWTAlgorithms[alg], true, ["sign", "verify"]);
+            const privateKey = await crypto.subtle.exportKey(this.algExportFormat(alg, "sign"), cryptoKey.privateKey);
+            const publicKey = await crypto.subtle.exportKey(this.algExportFormat(alg, "verify"), cryptoKey.publicKey);
+            return { sign: { raw: privateKey, base64: base64_encode_buffer(privateKey) }, verify: { raw: publicKey, base64: base64_encode_buffer(publicKey) } };
+        }
+        throw new JwtError("Unknown algorithm: " + alg);
+    }
+    /**
+     * Signs the given payload and returns a JWT string.
+     * @param payload - The payload of the JWT which is the content that you want to protect.
+     * @param alg - The algorithm for signing the JWT
+     * @param key - The key for signing the JWT
+     * @returns A promise that resolves to the signed JWT string.
+     */
+    static async sign(payload, alg, key) {
+        if (typeof JWTAlgorithms[alg] == "undefined")
+            throw new JwtError("Unknown algorithm");
+        const _header = {
+            typ: 'JWT',
+            alg: alg
+        };
+        const body = base64_encode_urlsafe(JSON.stringify(_header)) +
+            "." +
+            base64_encode_urlsafe(JSON.stringify(payload));
+        const signingKey = typeof key == "string" ? new Uint8Array(base64_decode_buffer(key)) : key;
+        const importedKey = await crypto.subtle.importKey(this.algExportFormat(alg, "sign"), signingKey, JWTAlgorithms[alg], false, ['sign']);
+        const signed = await crypto.subtle.sign(JWTAlgorithms[alg], importedKey, new TextEncoder().encode(body));
+        // Returns the final JWT token as a concatenation of header, payload, and signature
+        return body + "." + base64_encode_buffer(signed);
+    }
+    /**
+     * Extracts and returns the header, payload, and signature components from a JWT string.
+     * @param input - The JWT string to be parsed.
+     * @param opts - Optional parameters, including the requirements for the presence of required properties in the payload.
+     * @returns A promise that resolves to an object containing the separated components of the JWT (header, payload, signature).
+     */
+    static async extract(input, opts = {}) {
+        const bits = input.split(".");
+        // Ensures that the JWT string has three parts: header, payload, and signature.
+        if (bits.length !== 3) {
+            throw new JwtError(`Invalid number of parts in JWT string. Expected 3 but got ${bits.length}`);
+        }
+        const header = JSON.parse(base64_decode_urlsafe(bits[0]));
+        if (!header || !header.typ || header.typ !== "JWT") {
+            throw new JwtError("Header invalid or type is not JWT");
+        }
+        const payload = JSON.parse(base64_decode_urlsafe(bits[1]));
+        if (!payload || typeof payload !== "object") {
+            throw new JwtError("Payload invalid");
+        }
+        // Validates the present of required properties in the payload.
+        const requiredProps = opts.requiredProps || [];
+        for (const prop of requiredProps) {
+            if (!payload[prop]) {
+                throw new JwtError(`Payload missing ${prop} value`);
+            }
+        }
+        const signature = base64_decode_buffer(bits[2]);
+        // Returns an object containing the extracted components of the JWT.
+        return {
+            header: header,
+            headerRaw: bits[0],
+            payload: payload,
+            payloadRaw: bits[1],
+            signature: signature,
+            signatureRaw: bits[2]
+        };
+    }
+    /**
+     * Verifies the given JWT string using the secret key fetched by the given issuer.
+     * @param token - The JWT to be verified.
+     * @param getVerifyKey - A function to retrieve the verification key based on the header & payload (BufferSource or base64-encoded string)
+     * @param throwErrors - If true then will throw JwtError if something fails or the token is not valid
+     * @returns A promise that resolves to a boolean indicating whether the JWT has been verified successfully or not.
+     * @throws `JwtError | Error`
+     */
+    static async verifySignature(token, getVerifyKey, throwErrors) {
+        const extracted = await this.extract(token).catch(e => {
+            if (throwErrors)
+                throw e;
+        });
+        if (!extracted) {
+            return { verified: false, extracted: null };
+        }
+        // Fetches the secret key based on the issuer in the payload.
+        let verifyKey = await getVerifyKey(extracted.header, extracted.payload);
+        if (!verifyKey || (typeof verifyKey !== "string" && typeof verifyKey !== "object")) {
+            if (throwErrors)
+                throw new JwtError(`Verify key not found`);
+            return { verified: false, extracted: null };
+        }
+        if (typeof verifyKey == "string") {
+            try {
+                verifyKey = base64_decode_buffer(verifyKey);
+            }
+            catch (e) {
+                if (throwErrors)
+                    throw e;
+                return { verified: false, extracted: null };
+            }
+        }
+        let verified = false;
+        // Preparation of the data to verify the signature.
+        const body = `${extracted.headerRaw}.${extracted.payloadRaw}`;
+        try {
+            // Verification of the signature based on the algorithm specified in the header.
+            switch (extracted.header.alg) {
+                case 'HS256':
+                case 'HS384':
+                case 'HS512':
+                    const importedSignKey = await crypto.subtle.importKey(this.algExportFormat(extracted.header.alg, "verify"), verifyKey, JWTAlgorithms[extracted.header.alg], false, ['sign']);
+                    const signed = await crypto.subtle.sign(JWTAlgorithms[extracted.header.alg], importedSignKey, new TextEncoder().encode(body));
+                    verified = extracted.signatureRaw == base64_encode_buffer(signed);
+                    break;
+                case 'ES256':
+                case 'ES384':
+                case 'ES512':
+                case 'PS256':
+                case 'PS384':
+                case 'PS512':
+                case 'RS256':
+                case 'RS384':
+                case 'RS512':
+                    const importedVerifyKey = await crypto.subtle.importKey(this.algExportFormat(extracted.header.alg, "verify"), verifyKey, JWTAlgorithms[extracted.header.alg], false, ['verify']);
+                    verified = await crypto.subtle.verify(JWTAlgorithms[extracted.header.alg], importedVerifyKey, extracted.signature, new TextEncoder().encode(body));
+                    break;
+                default:
+                    if (throwErrors)
+                        throw new JwtError(`Unsupported algorithm`);
+                    break;
+            }
+        }
+        catch (e) {
+            if (throwErrors)
+                throw e;
+        }
+        if (verified === true)
+            return { verified: true, extracted: extracted };
+        if (throwErrors)
+            throw new JwtError(`Signature not verified`);
+        return { verified: false, extracted: null };
+    }
+}

package/dist/src/JWTAlgorithms.d.ts

@@ -0,0 +1,93 @@
+export declare const JWTAlgorithms: {
+    readonly HS256: {
+        readonly name: "HMAC";
+        readonly hash: {
+            readonly name: "SHA-256";
+        };
+    };
+    readonly HS384: {
+        readonly name: "HMAC";
+        readonly hash: {
+            readonly name: "SHA-384";
+        };
+    };
+    readonly HS512: {
+        readonly name: "HMAC";
+        readonly hash: {
+            readonly name: "SHA-512";
+        };
+    };
+    readonly RS256: {
+        readonly name: "RSASSA-PKCS1-v1_5";
+        readonly modulusLength: 2048;
+        readonly publicExponent: Uint8Array;
+        readonly hash: {
+            readonly name: "SHA-256";
+        };
+    };
+    readonly RS384: {
+        readonly name: "RSASSA-PKCS1-v1_5";
+        readonly modulusLength: 3072;
+        readonly publicExponent: Uint8Array;
+        readonly hash: {
+            readonly name: "SHA-384";
+        };
+    };
+    readonly RS512: {
+        readonly name: "RSASSA-PKCS1-v1_5";
+        readonly modulusLength: 4096;
+        readonly publicExponent: Uint8Array;
+        readonly hash: {
+            readonly name: "SHA-512";
+        };
+    };
+    readonly ES256: {
+        readonly name: "ECDSA";
+        readonly namedCurve: "P-256";
+        readonly hash: {
+            readonly name: "SHA-256";
+        };
+    };
+    readonly ES384: {
+        readonly name: "ECDSA";
+        readonly namedCurve: "P-384";
+        readonly hash: {
+            readonly name: "SHA-384";
+        };
+    };
+    readonly ES512: {
+        readonly name: "ECDSA";
+        readonly namedCurve: "P-521";
+        readonly hash: {
+            readonly name: "SHA-512";
+        };
+    };
+    readonly PS256: {
+        readonly name: "RSA-PSS";
+        readonly modulusLength: 2048;
+        readonly publicExponent: Uint8Array;
+        readonly saltLength: 32;
+        readonly hash: {
+            readonly name: "SHA-256";
+        };
+    };
+    readonly PS384: {
+        readonly name: "RSA-PSS";
+        readonly modulusLength: 3072;
+        readonly publicExponent: Uint8Array;
+        readonly saltLength: 48;
+        readonly hash: {
+            readonly name: "SHA-384";
+        };
+    };
+    readonly PS512: {
+        readonly name: "RSA-PSS";
+        readonly modulusLength: 4096;
+        readonly publicExponent: Uint8Array;
+        readonly saltLength: 64;
+        readonly hash: {
+            readonly name: "SHA-512";
+        };
+    };
+};
+export type JWTAlgorithm = keyof typeof JWTAlgorithms;

package/dist/src/JWTAlgorithms.js

@@ -0,0 +1,81 @@
+// { [key: string]: AlgorithmIdentifier | RsaHashedImportParams | EcKeyImportParams | HmacImportParams | AesKeyAlgorithm | RsaPssParams | EcdsaParams | RsaHashedKeyGenParams | EcKeyGenParams; }
+export const JWTAlgorithms = {
+    // HMAC using SHA-256
+    HS256: {
+        name: "HMAC",
+        hash: { name: "SHA-256" }
+    },
+    // HMAC using SHA-384
+    HS384: {
+        name: "HMAC",
+        hash: { name: "SHA-384" }
+    },
+    // HMAC using SHA-512
+    HS512: {
+        name: "HMAC",
+        hash: { name: "SHA-512" }
+    },
+    // RSASSA-PKCS1-v1_5 using SHA-256
+    RS256: {
+        name: "RSASSA-PKCS1-v1_5",
+        modulusLength: 2048,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        hash: { name: "SHA-256" }
+    },
+    // RSASSA-PKCS1-v1_5 using SHA-384
+    RS384: {
+        name: "RSASSA-PKCS1-v1_5",
+        modulusLength: 3072,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        hash: { name: "SHA-384" }
+    },
+    // RSASSA-PKCS1-v1_5 using SHA-512
+    RS512: {
+        name: "RSASSA-PKCS1-v1_5",
+        modulusLength: 4096,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        hash: { name: "SHA-512" }
+    },
+    // ECDSA using P-256 and SHA-256
+    ES256: {
+        name: "ECDSA",
+        namedCurve: "P-256",
+        hash: { name: "SHA-256" }
+    },
+    // ECDSA using P-384 and SHA-384
+    ES384: {
+        name: "ECDSA",
+        namedCurve: "P-384",
+        hash: { name: "SHA-384" }
+    },
+    // ECDSA using P-521 and SHA-512
+    ES512: {
+        name: "ECDSA",
+        namedCurve: "P-521",
+        hash: { name: "SHA-512" }
+    },
+    // RSASSA-PSS using SHA-256 and MGF1 with SHA-256
+    PS256: {
+        name: "RSA-PSS",
+        modulusLength: 2048,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        saltLength: 32,
+        hash: { name: "SHA-256" }
+    },
+    // RSASSA-PSS using SHA-384 and MGF1 with SHA-384
+    PS384: {
+        name: "RSA-PSS",
+        modulusLength: 3072,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        saltLength: 48,
+        hash: { name: "SHA-384" }
+    },
+    // RSASSA-PSS using SHA-512 and MGF1 with SHA-512
+    PS512: {
+        name: "RSA-PSS",
+        modulusLength: 4096,
+        publicExponent: new Uint8Array([1, 0, 1]),
+        saltLength: 64,
+        hash: { name: "SHA-512" }
+    }
+};

package/dist/src/JWTKeyPair.d.ts

@@ -0,0 +1,28 @@
+export interface JWTKeyPair {
+    /**
+     * The key which should be used for signing (creating) JWTs, such as the server
+     */
+    sign: {
+        /**
+         * Raw bytes of the key
+         */
+        raw: ArrayBuffer;
+        /**
+         * Base64-encoded key
+         */
+        base64: string;
+    };
+    /**
+     * The key which should be used for verifying the JWT, such as the client
+     */
+    verify: {
+        /**
+         * Raw bytes of the key
+         */
+        raw: ArrayBuffer;
+        /**
+         * Base64-encoded key
+         */
+        base64: string;
+    };
+}

package/dist/src/JWTKeyPair.js

@@ -0,0 +1 @@
+export {};

package/dist/src/JWTPayload.d.ts

@@ -0,0 +1,67 @@
+export interface JWTPayload {
+    /**
+     * "iss" (Issuer) Claim [RFC7519, Section 4.1.1]
+     * @description - The "iss" (issuer) claim identifies the principal that issued the JWT.
+     * - The processing of this claim is generally application specific.
+     * - The "iss" value is a case-sensitive string containing a StringOrURI value.
+     * - Use of this claim is OPTIONAL.
+     */
+    iss?: string;
+    /**
+     * "sub" (Subject) Claim [RFC7519, Section 4.1.1]
+     * @description - The "sub" (subject) claim identifies the principal that is the subject of the JWT.
+     * - The claims in a JWT are normally statements about the subject.
+     * - The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.
+     * - The processing of this claim is generally application specific.
+     * - The "sub" value is a case-sensitive string containing a StringOrURI value.
+     * - Use of this claim is OPTIONAL.
+     */
+    sub?: string;
+    /**
+     * "aud" (Audience) Claim [RFC7519, Section 4.1.1]
+     * @description - The "aud" (audience) claim identifies the recipients that the JWT is intended for.
+     * - Each principal intended to process the JWT MUST identify itself with a value in the audience claim.
+     * - If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.
+     * - In the general case, the "aud" value is an array of case- sensitive strings, each containing a StringOrURI value.
+     * - In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value.
+     * - The interpretation of audience values is generally application specific.
+     * - Use of this claim is OPTIONAL.
+     */
+    aud?: string | string[];
+    /**
+     * "exp" (Expiration Time) Claim [RFC7519, Section 4.1.1]
+     * @description - The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
+     * - The processing of the "exp" claim requires that the current date/time MUST be before the expiration date/time listed in the "exp" claim.
+     * - Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.
+     * - Its value MUST be a number containing a NumericDate value.
+     * - Use of this claim is OPTIONAL.
+     */
+    exp?: number;
+    /**
+     * "nbf" (Not Before) Claim [RFC7519, Section 4.1.1]
+     * @description - The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.
+     * - The processing of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the "nbf" claim.
+     * - Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.
+     * - Its value MUST be a number containing a NumericDate value.
+     * - Use of this claim is OPTIONAL.
+     */
+    nbf?: number;
+    /**
+     * "iat" (Issued At) Claim [RFC7519, Section 4.1.1]
+     * @description - The "iat" (issued at) claim identifies the time at which the JWT was issued.
+     * - This claim can be used to determine the age of the JWT.
+     * - Its value MUST be a number containing a NumericDate value.
+     * - Use of this claim is OPTIONAL.
+     */
+    iat?: number;
+    /**
+     * "jti" (JWT ID) Claim [RFC7519, Section 4.1.1]
+     * @description - The "jti" (JWT ID) claim provides a unique identifier for the JWT.
+     * - The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object; if the application uses multiple issuers, collisions MUST be prevented among values produced by different issuers as well.
+     * - The "jti" claim can be used to prevent the JWT from being replayed.
+     * - The "jti" value is a case- sensitive string.
+     * - Use of this claim is OPTIONAL.
+     */
+    jti?: string;
+    [key: string]: any;
+}

package/dist/src/JWTPayload.js

@@ -0,0 +1 @@
+export {};

package/dist/src/JwtError.d.ts

@@ -0,0 +1,4 @@
+export declare class JwtError extends Error {
+    type: "@payello/module-jwt#JwtError";
+    constructor(message: string, options?: ErrorOptions);
+}

package/dist/src/JwtError.js

@@ -0,0 +1,6 @@
+export class JwtError extends Error {
+    type = "@payello/module-jwt#JwtError";
+    constructor(message, options) {
+        super(message, options);
+    }
+}

package/dist/src/JwtExtract.d.ts

@@ -0,0 +1,10 @@
+import { JWTPayload } from "./JWTPayload";
+import { JwtHeader } from "./JwtHeader";
+export interface JwtExtract {
+    header: JwtHeader;
+    headerRaw: string;
+    payload: JWTPayload;
+    payloadRaw: string;
+    signature: Uint8Array;
+    signatureRaw: string;
+}

package/dist/src/JwtExtract.js

@@ -0,0 +1 @@
+export {};

package/dist/src/JwtExtractOpts.d.ts

@@ -0,0 +1,3 @@
+export interface JwtExtractOpts {
+    requiredProps?: string[];
+}

package/dist/src/JwtExtractOpts.js

@@ -0,0 +1 @@
+export {};

package/dist/src/JwtHeader.d.ts

@@ -0,0 +1,5 @@
+import { JWTAlgorithm } from "./JWTAlgorithms";
+export interface JwtHeader {
+    typ: 'JWT';
+    alg: JWTAlgorithm;
+}

package/dist/src/JwtHeader.js

@@ -0,0 +1 @@
+export {};

package/dist/src/JwtSignOpts.d.ts

@@ -0,0 +1,5 @@
+import { JWTAlgorithm } from "./JWTAlgorithms";
+export interface JwtSignOpts {
+    privateKey: string | ArrayBuffer | Uint8Array;
+    algorithm: JWTAlgorithm;
+}

package/dist/src/JwtSignOpts.js

@@ -0,0 +1 @@
+export {};

package/dist/src/base64_encode_buffer.d.ts

@@ -0,0 +1,4 @@
+export declare function base64_encode_urlsafe(str: string): string;
+export declare function base64_decode_urlsafe(str: string): string;
+export declare function base64_encode_buffer(buffer: Uint8Array | ArrayBuffer | string): string;
+export declare function base64_decode_buffer(str: string): Uint8Array;

package/dist/src/base64_encode_buffer.js

@@ -0,0 +1,22 @@
+export function base64_encode_urlsafe(str) {
+    return btoa(str).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+export function base64_decode_urlsafe(str) {
+    return atob(str.replace(/-/g, '+').replace(/_/g, '/'));
+}
+export function base64_encode_buffer(buffer) {
+    let uint8array;
+    if (buffer instanceof Uint8Array) {
+        uint8array = buffer;
+    }
+    else if (buffer instanceof ArrayBuffer) {
+        uint8array = new Uint8Array(buffer);
+    }
+    else if (typeof buffer == "string") {
+        uint8array = new Uint8Array(buffer.split('').map(x => x.charCodeAt(0)));
+    }
+    return base64_encode_urlsafe(String.fromCharCode(...uint8array));
+}
+export function base64_decode_buffer(str) {
+    return new Uint8Array(base64_decode_urlsafe(str).split('').map(c => c.charCodeAt(0)));
+}

package/dist/src/index.d.ts

@@ -0,0 +1,10 @@
+export * from './JwtSignOpts';
+export * from './JWTPayload';
+export * from './JWTKeyPair';
+export * from './JwtHeader';
+export * from './JwtExtractOpts';
+export * from './JwtExtract';
+export * from './JwtError';
+export * from './JWTAlgorithms';
+export * from './JWT';
+export * from './base64_encode_buffer';

package/dist/src/index.js

@@ -0,0 +1,10 @@
+export * from './JwtSignOpts';
+export * from './JWTPayload';
+export * from './JWTKeyPair';
+export * from './JwtHeader';
+export * from './JwtExtractOpts';
+export * from './JwtExtract';
+export * from './JwtError';
+export * from './JWTAlgorithms';
+export * from './JWT';
+export * from './base64_encode_buffer';

package/dist/test/test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/test/test.js

@@ -0,0 +1,46 @@
+import { JWT } from "../src/JWT";
+import { JWTAlgorithms } from "../src/JWTAlgorithms";
+/**
+ * Ensures that verification works for all algorithms
+ */
+async function Test1() {
+    for (let key of Object.keys(JWTAlgorithms)) {
+        console.log("ALG: ", key);
+        const keys = await JWT.generateKeys(key);
+        console.log("KEYS: ", keys);
+        const signed = await JWT.sign({ iss: "Hello" }, key, keys.sign.base64);
+        console.log("SIGNED: ", signed);
+        const verify = await JWT.verifySignature(signed, () => { return keys.verify.base64; });
+        console.log("VERIFIED: ", verify);
+        if (!verify.verified) {
+            throw new Error("Not verified!");
+        }
+        console.log("----");
+    }
+}
+/**
+ * Ensures that signature manipulation fails for all algorithms
+ */
+async function Test2() {
+    for (let key of Object.keys(JWTAlgorithms)) {
+        console.log("ALG: ", key);
+        const keys = await JWT.generateKeys(key);
+        console.log("KEYS: ", keys);
+        const signed = await JWT.sign({ iss: "Hello" }, key, keys.sign.base64);
+        console.log("SIGNED: ", signed);
+        const signed2 = await JWT.sign({ iss: "Hello there" }, key, keys.sign.base64);
+        console.log("SIGNED2: ", signed);
+        const token = signed.split('.').map(x => (val, index) => {
+            if (index == 2)
+                return signed2.split('.')[index];
+            return val;
+        }).join('.');
+        const verify = await JWT.verifySignature(token, () => { return keys.verify.base64; });
+        console.log("VERIFIED: ", verify);
+        if (verify.verified) {
+            throw new Error("Somehow verified (shouldn't be)");
+        }
+        console.log("----");
+    }
+}
+Test1();

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@payello-module/jwt",
-    "version": "0.1.6",
+    "version": "0.2.0",
     "author": "Payello <devsupport@payello.com> (https://payello.com/)",
     "displayName": "@payello-module/jwt",
     "description": "JSON Web Token Module",
@@ -12,6 +12,7 @@
         "prepare": "npm run build"
     },
     "devDependencies": {
+        "payellodev": "^0.20240413.1813",
         "typescript": "^5.3.3"
     },
     "files": [