npm - @planetlogin/core - Versions diffs - 0.3.0 → 0.4.0 - Mend

@planetlogin/core 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -26,7 +26,8 @@ declare function signSession(claims: SessionClaims, opts?: {
     audience?: string;
     ttlSeconds?: number;
 }): Promise<string>;
-/** Verify a session token against our own key material (what a downstream does). */
+/** Verify a session token against our own key material (what a downstream does).
+ *  Transparently decrypts a JWE-wrapped token first when encryption is on. */
 declare function verifySession(token: string): Promise<jose.JWTPayload>;
 declare function signMagicToken(identifier: string, ttlSeconds?: number): Promise<string>;
 /** Returns {identifier, jti} if the token is a valid, unexpired magic token, else null. */
@@ -152,6 +153,7 @@ interface PlanetLoginConfig {
         audience?: string;
         ttlSeconds?: number;
         algorithm?: 'EdDSA' | 'RS256' | 'ES256' | 'HS256';
+        encrypt?: boolean;
     };
     session?: {
         store?: 'none' | 'memory' | 'redis' | 'sqlite' | 'downstream';

package/dist/index.js CHANGED Viewed

@@ -103,7 +103,10 @@ import {
   generateKeyPair,
   generateSecret,
   importPKCS8,
-  createLocalJWKSet
+  createLocalJWKSet,
+  CompactEncrypt,
+  compactDecrypt,
+  base64url
 } from "jose";
 import { readFileSync as readFileSync2 } from "fs";
 var ASYMMETRIC = ["EdDSA", "RS256", "ES256"];
@@ -161,12 +164,38 @@ async function verifier() {
   if (k.alg === "HS256") return k.verify;
   return createLocalJWKSet({ keys: [k.pubJwk] });
 }
+var jweKey = null;
+function encryptEnabled() {
+  return process.env.PLANETLOGIN_JWT_ENCRYPT === "true";
+}
+function getJweKey() {
+  if (jweKey) return jweKey;
+  const env = process.env.PLANETLOGIN_JWE_KEY;
+  if (env) {
+    jweKey = base64url.decode(env);
+    if (jweKey.length !== 32) throw new Error("PLANETLOGIN_JWE_KEY must decode to 32 bytes (base64url)");
+  } else {
+    console.warn("[planetlogin] WARNING: PLANETLOGIN_JWT_ENCRYPT is on but no PLANETLOGIN_JWE_KEY \u2014 using an EPHEMERAL key. Tokens cannot be decrypted across instances/restarts. Do not use in production.");
+    jweKey = crypto.getRandomValues(new Uint8Array(32));
+  }
+  return jweKey;
+}
+async function maybeEncrypt(jws) {
+  if (!encryptEnabled()) return jws;
+  return new CompactEncrypt(new TextEncoder().encode(jws)).setProtectedHeader({ alg: "dir", enc: "A256GCM", cty: "JWT" }).encrypt(getJweKey());
+}
+async function maybeDecrypt(token) {
+  if (token.split(".").length !== 5) return token;
+  const { plaintext } = await compactDecrypt(token, getJweKey());
+  return new TextDecoder().decode(plaintext);
+}
 async function signSession(claims, opts = {}) {
   const k = await getKeys();
-  return new SignJWT({ email: claims.email, name: claims.name, locale: claims.locale }).setProtectedHeader({ alg: k.alg, kid: k.kid }).setSubject(claims.sub).setIssuedAt().setExpirationTime(`${opts.ttlSeconds ?? 3600}s`).setIssuer(opts.issuer ?? "planetlogin").setAudience(opts.audience ?? "planetlogin").sign(k.sign);
+  const jws = await new SignJWT({ email: claims.email, name: claims.name, locale: claims.locale }).setProtectedHeader({ alg: k.alg, kid: k.kid }).setSubject(claims.sub).setIssuedAt().setExpirationTime(`${opts.ttlSeconds ?? 3600}s`).setIssuer(opts.issuer ?? "planetlogin").setAudience(opts.audience ?? "planetlogin").sign(k.sign);
+  return maybeEncrypt(jws);
 }
 async function verifySession(token) {
-  const { payload } = await jwtVerify(token, await verifier(), {
+  const { payload } = await jwtVerify(await maybeDecrypt(token), await verifier(), {
     issuer: "planetlogin",
     audience: "planetlogin"
   });
@@ -455,12 +484,12 @@ async function fetchProfile(p, accessToken) {
 }
 // src/oauthState.ts
-import { EncryptJWT, jwtDecrypt, base64url } from "jose";
+import { EncryptJWT, jwtDecrypt, base64url as base64url2 } from "jose";
 var stateKey = null;
 function getStateKey() {
   if (stateKey) return stateKey;
   const env = process.env.PLANETLOGIN_STATE_KEY;
-  stateKey = env ? base64url.decode(env) : crypto.getRandomValues(new Uint8Array(32));
+  stateKey = env ? base64url2.decode(env) : crypto.getRandomValues(new Uint8Array(32));
   if (stateKey.length !== 32) throw new Error("PLANETLOGIN_STATE_KEY must decode to 32 bytes");
   return stateKey;
 }

package/dist/keygen.js CHANGED Viewed

@@ -1,8 +1,16 @@
 #!/usr/bin/env node
 // bin/keygen.ts
-import { generateKeyPair, exportPKCS8, exportJWK } from "jose";
+import { generateKeyPair, exportPKCS8, exportJWK, base64url } from "jose";
 import { writeFileSync } from "fs";
+if (process.argv.includes("--jwe")) {
+  const key = base64url.encode(crypto.getRandomValues(new Uint8Array(32)));
+  process.stdout.write(key + "\n");
+  console.error("\n# \u2191 32-byte JWE key (base64url). Shared out of band with services that read claims. Then set:");
+  console.error("#   PLANETLOGIN_JWT_ENCRYPT=true");
+  console.error(`#   PLANETLOGIN_JWE_KEY=${key}`);
+  process.exit(0);
+}
 var { privateKey, publicKey } = await generateKeyPair("EdDSA", { extractable: true });
 var pem = await exportPKCS8(privateKey);
 var pubJwk = await exportJWK(publicKey);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@planetlogin/core",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "type": "module",
   "description": "PlanetLogin auth core — framework-agnostic flows, JWT, crypto, downstream contract. Consumed by every flavor; the HTTP binding stays per-framework.",
   "exports": {