@peac/protocol 0.12.0 → 0.12.2
- package/dist/index.cjs +58 -1
- package/dist/index.cjs.map +1 -1
- package/dist/index.mjs +60 -3
- package/dist/index.mjs.map +1 -1
- package/dist/issue.d.ts +1 -1
- package/dist/jwks-resolver.d.ts +2 -2
- package/dist/jwks-resolver.d.ts.map +1 -1
- package/dist/policy-binding.d.ts +4 -4
- package/dist/type-extension-check.d.ts +44 -0
- package/dist/type-extension-check.d.ts.map +1 -0
- package/dist/verifier-types.d.ts +2 -2
- package/dist/verify-local.cjs +57 -0
- package/dist/verify-local.cjs.map +1 -1
- package/dist/verify-local.d.ts +11 -5
- package/dist/verify-local.d.ts.map +1 -1
- package/dist/verify-local.mjs +59 -2
- package/dist/verify-local.mjs.map +1 -1
- package/package.json +4 -4
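--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -1393,6 +1393,35 @@ async function verifyReceipt(optionsOrJws) {
 };
 }
 }
+
+// src/type-extension-check.ts
+function checkTypeExtensionMapping(kind, type, extensions, typeToExtensionMap, registeredExtensionGroupKeys) {
+if (kind === "challenge") {
+return { status: "skip" };
+}
+const expectedGroup = typeToExtensionMap.get(type);
+if (expectedGroup === void 0) {
+return { status: "skip" };
+}
+if (extensions !== void 0 && Object.prototype.hasOwnProperty.call(extensions, expectedGroup)) {
+return { status: "ok" };
+}
+const presentRegistered = [];
+if (extensions !== void 0) {
+for (const key of Object.keys(extensions)) {
+if (key !== expectedGroup && registeredExtensionGroupKeys.has(key)) {
+presentRegistered.push(key);
+}
+}
+}
+return {
+status: presentRegistered.length > 0 ? "mismatch" : "missing",
+expected_extension_group: expectedGroup,
+present_registered_extension_groups: presentRegistered
+};
+}
+
+// src/verify-local.ts
 function isCryptoError(err) {
 return err !== null && typeof err === "object" && "name" in err && err.name === "CryptoError" && "code" in err && typeof err.code === "string" && err.code.startsWith("CRYPTO_") && "message" in err && typeof err.message === "string";
 }
@@ -1519,6 +1548,34 @@ async function verifyLocal(jws, publicKey, options = {}) {
 }
 }
 }
+const typeExtCheck = checkTypeExtensionMapping(
+claims.kind,
+claims.type,
+claims.extensions,
+kernel.TYPE_TO_EXTENSION_MAP,
+schema.REGISTERED_EXTENSION_GROUP_KEYS
+);
+if (typeExtCheck.status === "missing" || typeExtCheck.status === "mismatch") {
+const warningCode = typeExtCheck.status === "missing" ? schema.WARNING_EXTENSION_GROUP_MISSING : schema.WARNING_EXTENSION_GROUP_MISMATCH;
+const errorCode = typeExtCheck.status === "missing" ? "E_EXTENSION_GROUP_REQUIRED" : "E_EXTENSION_GROUP_MISMATCH";
+if (strictness === "strict") {
+return {
+valid: false,
+code: errorCode,
+message: `Type "${claims.type}" expects extension group "${typeExtCheck.expected_extension_group}" but it is ${typeExtCheck.status === "mismatch" ? "replaced by a different registered group" : "absent"}`,
+details: {
+type: claims.type,
+expected_extension_group: typeExtCheck.expected_extension_group,
+present_registered_extension_groups: typeExtCheck.present_registered_extension_groups
+}
+};
+}
+accumulatedWarnings.push({
+code: warningCode,
+message: `Type "${claims.type}" expects extension group "${typeExtCheck.expected_extension_group}"`,
+pointer: "/type"
+});
+}
 if (policyDigest !== void 0 && !kernel.HASH.pattern.test(policyDigest)) {
 return {
 valid: false,
@@ -1855,7 +1912,7 @@ var VerificationReportBuilder = class {
 reason,
 severity: reasonCodeToSeverity(reason),
 receipt_type: options?.receiptType ?? kernel.WIRE_TYPE,
-// Wire 0.1: always 'unavailable'
+// Wire 0.1: always 'unavailable'. Wire 0.2 will set this via options.
 policy_binding: "unavailable",
 ...options?.issuer && { issuer: options.issuer },
 ...options?.kid && { kid: options.kid }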
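Review bot: In `checkTypeExtensionMapping` both guards on `extensions` exclude only `undefined`, so a `null` value would make `Object.prototype.hasOwnProperty.call(extensions, expectedGroup)` (and the later `Object.keys(extensions)`) throw a TypeError rather than return `missing`. Whether the schema validation earlier in `verifyLocal` already rules that out is not visible in these hunks. Tightening both guards to `if (extensions !== void 0 && extensions !== null && ...)` keeps the function safe when called on its own. The `ok` result also tests only that the expected group key is present, not what its value is, so a comment such as `// presence check only; group contents are validated by the schema layer` would make the intended division of work explicit, if that is indeed where contents are checked. In the `verifyLocal` hunk a `missing` or `mismatch` result rejects the receipt only when `strictness === "strict"`, so callers in other modes that depend on the type-to-extension binding need to inspect the returned warnings.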