@privy-io/node 0.1.0-alpha.2 → 0.1.0

package/lib/auth.d.mts

@@ -0,0 +1,68 @@
+import { CryptoKey, JWTVerifyGetKey } from 'jose';
+import { PrivyAPIError } from "../core/error.mjs";
+import { User } from "../resources.mjs";
+export type VerifyAuthTokenInput = {
+    /** The authentication token to verify. */
+    auth_token: string;
+    /** The Privy app ID to verify the token against. */
+    app_id: string;
+    /**
+     * The verification key to use to verify the token, or a mechanism to get the it such as via JWKS.
+     * You can find this verification key (or a JWKS endpoint) in the Privy dashboard.
+     * @see {@link createRemoteJWKSet}
+     * @see {@link importSPKI}
+     */
+    verification_key: CryptoKey | JWTVerifyGetKey | string;
+};
+export type VerifyAuthTokenResponse = {
+    /** The Privy app ID for which the token was issued. */
+    app_id: string;
+    /** The issuer of the token. */
+    issuer: string;
+    /** The issued at unix timestamp of the token. */
+    issued_at: number;
+    /** The expiration unix timestamp of the token. */
+    expiration: number;
+    /** The ID of the session for which the token was issued. */
+    session_id: string;
+    /** The ID of the user for which the token was issued. */
+    user_id: string;
+};
+/**
+ * Verifies a Privy-issued authentication token.
+ *
+ * @returns The payload of the token if it is valid.
+ * @throws If the token is invalid.
+ */
+export declare function verifyAuthToken({ auth_token: authToken, app_id: appId, verification_key: verificationKeyOrString, }: VerifyAuthTokenInput): Promise<VerifyAuthTokenResponse>;
+export type VerifyIdentityTokenInput = {
+    /** The identity token to verify. */
+    identity_token: string;
+    /** The Privy app ID to verify the token against. */
+    app_id: string;
+    /**
+     * The verification key to use to verify the token, or a mechanism to get the it such as via JWKS.
+     * You can find this verification key (or a JWKS endpoint) in the Privy dashboard.
+     * @see {@link createRemoteJWKSet}
+     * @see {@link importSPKI}
+     */
+    verification_key: CryptoKey | JWTVerifyGetKey | string;
+};
+/**
+ * Verifies an identity token, parsing it into a `User` object if it is valid.
+ *
+ * @returns The user object parsed from the identity token.
+ * @throws If the token or its payload is invalid.
+ */
+export declare function verifyIdentityToken({ identity_token: identityToken, app_id: appId, verification_key: verificationKeyOrString, }: VerifyIdentityTokenInput): Promise<User>;
+export declare class InvalidAuthTokenError extends PrivyAPIError {
+}
+export interface CreatePrivyAppJWKSInput {
+    appId: string;
+    apiUrl: string;
+    headers: Record<string, string>;
+    verificationKeyOverride?: string | undefined;
+}
+export type PrivyAppJWKS = JWTVerifyGetKey;
+export declare function createPrivyAppJWKS({ appId, apiUrl, headers, verificationKeyOverride, }: CreatePrivyAppJWKSInput): PrivyAppJWKS;
+//# sourceMappingURL=auth.d.mts.map

package/lib/auth.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.mts","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":"OAAO,EAEL,SAAS,EAIT,eAAe,EAEhB,MAAM,MAAM;OACN,EAAE,aAAa,EAAE;OAEjB,EAAE,IAAI,EAAE;AAKf,MAAM,MAAM,oBAAoB,GAAG;IACjC,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,oDAAoD;IACpD,MAAM,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,gBAAgB,EAAE,SAAS,GAAG,eAAe,GAAG,MAAM,CAAC;CACxD,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,uDAAuD;IACvD,MAAM,EAAE,MAAM,CAAC;IACf,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,UAAU,EAAE,MAAM,CAAC;IACnB,4DAA4D;IAC5D,UAAU,EAAE,MAAM,CAAC;IACnB,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAkCF;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,EACpC,UAAU,EAAE,SAAS,EACrB,MAAM,EAAE,KAAK,EACb,gBAAgB,EAAE,uBAAuB,GAC1C,EAAE,oBAAoB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAczD;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,oCAAoC;IACpC,cAAc,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,MAAM,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,gBAAgB,EAAE,SAAS,GAAG,eAAe,GAAG,MAAM,CAAC;CACxD,CAAC;AAEF;;;;;GAKG;AACH,wBAAsB,mBAAmB,CAAC,EACxC,cAAc,EAAE,aAAa,EAC7B,MAAM,EAAE,KAAK,EACb,gBAAgB,EAAE,uBAAuB,GAC1C,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAY1C;AAED,qBAAa,qBAAsB,SAAQ,aAAa;CAAG;AAgC3D,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,uBAAuB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC9C;AAED,MAAM,MAAM,YAAY,GAAG,eAAe,CAAC;AAE3C,wBAAgB,kBAAkB,CAAC,EACjC,KAAK,EACL,MAAM,EACN,OAAO,EACP,uBAAuB,GACxB,EAAE,uBAAuB,GAAG,YAAY,CAsBxC"}

package/lib/auth.d.ts

@@ -0,0 +1,68 @@
+import { CryptoKey, JWTVerifyGetKey } from 'jose';
+import { PrivyAPIError } from "../core/error.js";
+import { User } from "../resources.js";
+export type VerifyAuthTokenInput = {
+    /** The authentication token to verify. */
+    auth_token: string;
+    /** The Privy app ID to verify the token against. */
+    app_id: string;
+    /**
+     * The verification key to use to verify the token, or a mechanism to get the it such as via JWKS.
+     * You can find this verification key (or a JWKS endpoint) in the Privy dashboard.
+     * @see {@link createRemoteJWKSet}
+     * @see {@link importSPKI}
+     */
+    verification_key: CryptoKey | JWTVerifyGetKey | string;
+};
+export type VerifyAuthTokenResponse = {
+    /** The Privy app ID for which the token was issued. */
+    app_id: string;
+    /** The issuer of the token. */
+    issuer: string;
+    /** The issued at unix timestamp of the token. */
+    issued_at: number;
+    /** The expiration unix timestamp of the token. */
+    expiration: number;
+    /** The ID of the session for which the token was issued. */
+    session_id: string;
+    /** The ID of the user for which the token was issued. */
+    user_id: string;
+};
+/**
+ * Verifies a Privy-issued authentication token.
+ *
+ * @returns The payload of the token if it is valid.
+ * @throws If the token is invalid.
+ */
+export declare function verifyAuthToken({ auth_token: authToken, app_id: appId, verification_key: verificationKeyOrString, }: VerifyAuthTokenInput): Promise<VerifyAuthTokenResponse>;
+export type VerifyIdentityTokenInput = {
+    /** The identity token to verify. */
+    identity_token: string;
+    /** The Privy app ID to verify the token against. */
+    app_id: string;
+    /**
+     * The verification key to use to verify the token, or a mechanism to get the it such as via JWKS.
+     * You can find this verification key (or a JWKS endpoint) in the Privy dashboard.
+     * @see {@link createRemoteJWKSet}
+     * @see {@link importSPKI}
+     */
+    verification_key: CryptoKey | JWTVerifyGetKey | string;
+};
+/**
+ * Verifies an identity token, parsing it into a `User` object if it is valid.
+ *
+ * @returns The user object parsed from the identity token.
+ * @throws If the token or its payload is invalid.
+ */
+export declare function verifyIdentityToken({ identity_token: identityToken, app_id: appId, verification_key: verificationKeyOrString, }: VerifyIdentityTokenInput): Promise<User>;
+export declare class InvalidAuthTokenError extends PrivyAPIError {
+}
+export interface CreatePrivyAppJWKSInput {
+    appId: string;
+    apiUrl: string;
+    headers: Record<string, string>;
+    verificationKeyOverride?: string | undefined;
+}
+export type PrivyAppJWKS = JWTVerifyGetKey;
+export declare function createPrivyAppJWKS({ appId, apiUrl, headers, verificationKeyOverride, }: CreatePrivyAppJWKSInput): PrivyAppJWKS;
+//# sourceMappingURL=auth.d.ts.map

package/lib/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":"OAAO,EAEL,SAAS,EAIT,eAAe,EAEhB,MAAM,MAAM;OACN,EAAE,aAAa,EAAE;OAEjB,EAAE,IAAI,EAAE;AAKf,MAAM,MAAM,oBAAoB,GAAG;IACjC,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;IACnB,oDAAoD;IACpD,MAAM,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,gBAAgB,EAAE,SAAS,GAAG,eAAe,GAAG,MAAM,CAAC;CACxD,CAAC;AAEF,MAAM,MAAM,uBAAuB,GAAG;IACpC,uDAAuD;IACvD,MAAM,EAAE,MAAM,CAAC;IACf,+BAA+B;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,iDAAiD;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,UAAU,EAAE,MAAM,CAAC;IACnB,4DAA4D;IAC5D,UAAU,EAAE,MAAM,CAAC;IACnB,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAkCF;;;;;GAKG;AACH,wBAAsB,eAAe,CAAC,EACpC,UAAU,EAAE,SAAS,EACrB,MAAM,EAAE,KAAK,EACb,gBAAgB,EAAE,uBAAuB,GAC1C,EAAE,oBAAoB,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAczD;AAED,MAAM,MAAM,wBAAwB,GAAG;IACrC,oCAAoC;IACpC,cAAc,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,MAAM,EAAE,MAAM,CAAC;IACf;;;;;OAKG;IACH,gBAAgB,EAAE,SAAS,GAAG,eAAe,GAAG,MAAM,CAAC;CACxD,CAAC;AAEF;;;;;GAKG;AACH,wBAAsB,mBAAmB,CAAC,EACxC,cAAc,EAAE,aAAa,EAC7B,MAAM,EAAE,KAAK,EACb,gBAAgB,EAAE,uBAAuB,GAC1C,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAY1C;AAED,qBAAa,qBAAsB,SAAQ,aAAa;CAAG;AAgC3D,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,uBAAuB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAC9C;AAED,MAAM,MAAM,YAAY,GAAG,eAAe,CAAC;AAE3C,wBAAgB,kBAAkB,CAAC,EACjC,KAAK,EACL,MAAM,EACN,OAAO,EACP,uBAAuB,GACxB,EAAE,uBAAuB,GAAG,YAAY,CAsBxC"}

package/lib/auth.js

@@ -0,0 +1,130 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InvalidAuthTokenError = void 0;
+exports.verifyAuthToken = verifyAuthToken;
+exports.verifyIdentityToken = verifyIdentityToken;
+exports.createPrivyAppJWKS = createPrivyAppJWKS;
+const jose_1 = require("jose");
+const error_1 = require("../core/error.js");
+const identity_token_1 = require("./identity-token.js");
+const JWT_ALGORITHM = 'ES256';
+const JWT_ISSUER = 'privy.io';
+/**
+ * Verifies a JWT issued by privy.io for the given app ID.
+ * This serves both auth tokens and identity tokens.
+ * @returns The verify result along with the token's payload.
+ * @throws If the token is invalid.
+ */
+async function verifyPrivyIssuedJwt(jwt, appId, verificationKey) {
+    // Because of a type difference, the calls cannot be merged into one.
+    let verifiedToken;
+    if (typeof verificationKey !== 'function') {
+        verifiedToken = await (0, jose_1.jwtVerify)(jwt, verificationKey, {
+            typ: 'JWT',
+            algorithms: [JWT_ALGORITHM],
+            issuer: JWT_ISSUER,
+            audience: appId,
+        }).catch(mapAndThrowJoseErrors);
+    }
+    else {
+        verifiedToken = await (0, jose_1.jwtVerify)(jwt, verificationKey, {
+            typ: 'JWT',
+            algorithms: [JWT_ALGORITHM],
+            issuer: JWT_ISSUER,
+            audience: appId,
+        }).catch(mapAndThrowJoseErrors);
+    }
+    return verifiedToken;
+}
+/**
+ * Verifies a Privy-issued authentication token.
+ *
+ * @returns The payload of the token if it is valid.
+ * @throws If the token is invalid.
+ */
+async function verifyAuthToken({ auth_token: authToken, app_id: appId, verification_key: verificationKeyOrString, }) {
+    const verificationKey = typeof verificationKeyOrString === 'string' ?
+        await (0, jose_1.importSPKI)(verificationKeyOrString, JWT_ALGORITHM)
+        : verificationKeyOrString;
+    const verifiedToken = await verifyPrivyIssuedJwt(authToken, appId, verificationKey);
+    return {
+        app_id: throwIfNotString(verifiedToken.payload.aud),
+        issuer: throwIfNotString(verifiedToken.payload.iss),
+        issued_at: throwIfNotNumber(verifiedToken.payload.iat),
+        expiration: throwIfNotNumber(verifiedToken.payload.exp),
+        session_id: throwIfNotString(verifiedToken.payload['sid']),
+        user_id: throwIfNotString(verifiedToken.payload.sub),
+    };
+}
+/**
+ * Verifies an identity token, parsing it into a `User` object if it is valid.
+ *
+ * @returns The user object parsed from the identity token.
+ * @throws If the token or its payload is invalid.
+ */
+async function verifyIdentityToken({ identity_token: identityToken, app_id: appId, verification_key: verificationKeyOrString, }) {
+    const verificationKey = typeof verificationKeyOrString === 'string' ?
+        await (0, jose_1.importSPKI)(verificationKeyOrString, JWT_ALGORITHM)
+        : verificationKeyOrString;
+    const verifiedToken = await verifyPrivyIssuedJwt(identityToken, appId, verificationKey);
+    if (!verifiedToken.payload) {
+        throw new InvalidAuthTokenError('Unable to parse identity token');
+    }
+    return (0, identity_token_1.parseUserFromIdentityTokenPayload)(verifiedToken.payload);
+}
+class InvalidAuthTokenError extends error_1.PrivyAPIError {
+}
+exports.InvalidAuthTokenError = InvalidAuthTokenError;
+/** Used for asserting the values in the token payload are strings. */
+function throwIfNotString(value) {
+    if (!value || typeof value !== 'string') {
+        throw new InvalidAuthTokenError("Token's payload is invalid");
+    }
+    return value;
+}
+/** Used for asserting the values in the token payload are numbers. */
+function throwIfNotNumber(value) {
+    if (!value || typeof value !== 'number') {
+        throw new InvalidAuthTokenError("Token's payload is invalid");
+    }
+    return value;
+}
+/**
+ * Used to catch errors thrown by async `jose` functions and map to our own error types.
+ * This method will **always** throw an error, so it's return type is `never`.
+ */
+function mapAndThrowJoseErrors(error) {
+    if (error instanceof jose_1.errors.JWTExpired) {
+        throw new InvalidAuthTokenError('Authentication token expired');
+    }
+    else if (error instanceof jose_1.errors.JWTClaimValidationFailed || error instanceof jose_1.errors.JWTInvalid) {
+        throw new InvalidAuthTokenError('Authentication token is invalid');
+    }
+    else {
+        throw new InvalidAuthTokenError('Failed to verify authentication token');
+    }
+}
+function createPrivyAppJWKS({ appId, apiUrl, headers, verificationKeyOverride, }) {
+    if (verificationKeyOverride !== undefined) {
+        // Use a closure to cache the verification key once imported
+        let verificationKey;
+        return async () => {
+            if (verificationKey === undefined) {
+                try {
+                    verificationKey = await (0, jose_1.importSPKI)(verificationKeyOverride, JWT_ALGORITHM);
+                }
+                catch (error) {
+                    throw new InvalidAuthTokenError('Failed to import the provided verification key override');
+                }
+            }
+            return verificationKey;
+        };
+    }
+    const url = new URL(`${apiUrl}/v1/apps/${appId}/jwks.json`);
+    return (0, jose_1.createRemoteJWKSet)(url, {
+        cacheMaxAge: 60 * 60 * 1000, // 60 minutes
+        cooldownDuration: 10 * 60 * 1000, // 10 minutes
+        headers,
+    });
+}
+//# sourceMappingURL=auth.js.map

package/lib/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":";;;AAmFA,0CAkBC;AAsBD,kDAgBC;AA2CD,gDA2BC;AAjND,+BAQc;AACd,4CAA8C;AAC9C,wDAAqE;AAGrE,MAAM,aAAa,GAAG,OAAO,CAAC;AAC9B,MAAM,UAAU,GAAG,UAAU,CAAC;AA+B9B;;;;;GAKG;AACH,KAAK,UAAU,oBAAoB,CACjC,GAAW,EACX,KAAa,EACb,eAA4C;IAE5C,qEAAqE;IACrE,IAAI,aAA8B,CAAC;IACnC,IAAI,OAAO,eAAe,KAAK,UAAU,EAAE,CAAC;QAC1C,aAAa,GAAG,MAAM,IAAA,gBAAS,EAAC,GAAG,EAAE,eAAe,EAAE;YACpD,GAAG,EAAE,KAAK;YACV,UAAU,EAAE,CAAC,aAAa,CAAC;YAC3B,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAClC,CAAC;SAAM,CAAC;QACN,aAAa,GAAG,MAAM,IAAA,gBAAS,EAAC,GAAG,EAAE,eAAe,EAAE;YACpD,GAAG,EAAE,KAAK;YACV,UAAU,EAAE,CAAC,aAAa,CAAC;YAC3B,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,eAAe,CAAC,EACpC,UAAU,EAAE,SAAS,EACrB,MAAM,EAAE,KAAK,EACb,gBAAgB,EAAE,uBAAuB,GACpB;IACrB,MAAM,eAAe,GACnB,OAAO,uBAAuB,KAAK,QAAQ,CAAC,CAAC;QAC3C,MAAM,IAAA,iBAAU,EAAC,uBAAuB,EAAE,aAAa,CAAC;QAC1D,CAAC,CAAC,uBAAuB,CAAC;IAC5B,MAAM,aAAa,GAAG,MAAM,oBAAoB,CAAC,SAAS,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;IACpF,OAAO;QACL,MAAM,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;QACnD,MAAM,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;QACnD,SAAS,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;QACtD,UAAU,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;QACvD,UAAU,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1D,OAAO,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;KACrD,CAAC;AACJ,CAAC;AAgBD;;;;;GAKG;AACI,KAAK,UAAU,mBAAmB,CAAC,EACxC,cAAc,EAAE,aAAa,EAC7B,MAAM,EAAE,KAAK,EACb,gBAAgB,EAAE,uBAAuB,GAChB;IACzB,MAAM,eAAe,GACnB,OAAO,uBAAuB,KAAK,QAAQ,CAAC,CAAC;QAC3C,MAAM,IAAA,iBAAU,EAAC,uBAAuB,EAAE,aAAa,CAAC;QAC1D,CAAC,CAAC,uBAAuB,CAAC;IAC5B,MAAM,aAAa,GAAG,MAAM,oBAAoB,CAAC,aAAa,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;IAExF,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;QAC3B,MAAM,IAAI,qBAAqB,CAAC,gCAAgC,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,IAAA,kDAAiC,EAAC,aAAa,CAAC,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,MAAa,qBAAsB,SAAQ,qBAAa;CAAG;AAA3D,sDAA2D;AAE3D,sEAAsE;AACtE,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,qBAAqB,CAAC,4BAA4B,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,sEAAsE;AACtE,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,qBAAqB,CAAC,4BAA4B,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAAC,KAAc;IAC3C,IAAI,KAAK,YAAY,aAAU,CAAC,UAAU,EAAE,CAAC;QAC3C,MAAM,IAAI,qBAAqB,CAAC,8BAA8B,CAAC,CAAC;IAClE,CAAC;SAAM,IAAI,KAAK,YAAY,aAAU,CAAC,wBAAwB,IAAI,KAAK,YAAY,aAAU,CAAC,UAAU,EAAE,CAAC;QAC1G,MAAM,IAAI,qBAAqB,CAAC,iCAAiC,CAAC,CAAC;IACrE,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,qBAAqB,CAAC,uCAAuC,CAAC,CAAC;IAC3E,CAAC;AACH,CAAC;AAWD,SAAgB,kBAAkB,CAAC,EACjC,KAAK,EACL,MAAM,EACN,OAAO,EACP,uBAAuB,GACC;IACxB,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;QAC1C,4DAA4D;QAC5D,IAAI,eAA0B,CAAC;QAC/B,OAAO,KAAK,IAAI,EAAE;YAChB,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;gBAClC,IAAI,CAAC;oBACH,eAAe,GAAG,MAAM,IAAA,iBAAU,EAAC,uBAAuB,EAAE,aAAa,CAAC,CAAC;gBAC7E,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,IAAI,qBAAqB,CAAC,yDAAyD,CAAC,CAAC;gBAC7F,CAAC;YACH,CAAC;YACD,OAAO,eAAe,CAAC;QACzB,CAAC,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,MAAM,YAAY,KAAK,YAAY,CAAC,CAAC;IAC5D,OAAO,IAAA,yBAAkB,EAAC,GAAG,EAAE;QAC7B,WAAW,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QAC1C,gBAAgB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QAC/C,OAAO;KACR,CAAC,CAAC;AACL,CAAC"}

package/lib/auth.mjs

@@ -0,0 +1,123 @@
+import { createRemoteJWKSet, importSPKI, errors as joseErrors, jwtVerify, } from 'jose';
+import { PrivyAPIError } from "../core/error.mjs";
+import { parseUserFromIdentityTokenPayload } from "./identity-token.mjs";
+const JWT_ALGORITHM = 'ES256';
+const JWT_ISSUER = 'privy.io';
+/**
+ * Verifies a JWT issued by privy.io for the given app ID.
+ * This serves both auth tokens and identity tokens.
+ * @returns The verify result along with the token's payload.
+ * @throws If the token is invalid.
+ */
+async function verifyPrivyIssuedJwt(jwt, appId, verificationKey) {
+    // Because of a type difference, the calls cannot be merged into one.
+    let verifiedToken;
+    if (typeof verificationKey !== 'function') {
+        verifiedToken = await jwtVerify(jwt, verificationKey, {
+            typ: 'JWT',
+            algorithms: [JWT_ALGORITHM],
+            issuer: JWT_ISSUER,
+            audience: appId,
+        }).catch(mapAndThrowJoseErrors);
+    }
+    else {
+        verifiedToken = await jwtVerify(jwt, verificationKey, {
+            typ: 'JWT',
+            algorithms: [JWT_ALGORITHM],
+            issuer: JWT_ISSUER,
+            audience: appId,
+        }).catch(mapAndThrowJoseErrors);
+    }
+    return verifiedToken;
+}
+/**
+ * Verifies a Privy-issued authentication token.
+ *
+ * @returns The payload of the token if it is valid.
+ * @throws If the token is invalid.
+ */
+export async function verifyAuthToken({ auth_token: authToken, app_id: appId, verification_key: verificationKeyOrString, }) {
+    const verificationKey = typeof verificationKeyOrString === 'string' ?
+        await importSPKI(verificationKeyOrString, JWT_ALGORITHM)
+        : verificationKeyOrString;
+    const verifiedToken = await verifyPrivyIssuedJwt(authToken, appId, verificationKey);
+    return {
+        app_id: throwIfNotString(verifiedToken.payload.aud),
+        issuer: throwIfNotString(verifiedToken.payload.iss),
+        issued_at: throwIfNotNumber(verifiedToken.payload.iat),
+        expiration: throwIfNotNumber(verifiedToken.payload.exp),
+        session_id: throwIfNotString(verifiedToken.payload['sid']),
+        user_id: throwIfNotString(verifiedToken.payload.sub),
+    };
+}
+/**
+ * Verifies an identity token, parsing it into a `User` object if it is valid.
+ *
+ * @returns The user object parsed from the identity token.
+ * @throws If the token or its payload is invalid.
+ */
+export async function verifyIdentityToken({ identity_token: identityToken, app_id: appId, verification_key: verificationKeyOrString, }) {
+    const verificationKey = typeof verificationKeyOrString === 'string' ?
+        await importSPKI(verificationKeyOrString, JWT_ALGORITHM)
+        : verificationKeyOrString;
+    const verifiedToken = await verifyPrivyIssuedJwt(identityToken, appId, verificationKey);
+    if (!verifiedToken.payload) {
+        throw new InvalidAuthTokenError('Unable to parse identity token');
+    }
+    return parseUserFromIdentityTokenPayload(verifiedToken.payload);
+}
+export class InvalidAuthTokenError extends PrivyAPIError {
+}
+/** Used for asserting the values in the token payload are strings. */
+function throwIfNotString(value) {
+    if (!value || typeof value !== 'string') {
+        throw new InvalidAuthTokenError("Token's payload is invalid");
+    }
+    return value;
+}
+/** Used for asserting the values in the token payload are numbers. */
+function throwIfNotNumber(value) {
+    if (!value || typeof value !== 'number') {
+        throw new InvalidAuthTokenError("Token's payload is invalid");
+    }
+    return value;
+}
+/**
+ * Used to catch errors thrown by async `jose` functions and map to our own error types.
+ * This method will **always** throw an error, so it's return type is `never`.
+ */
+function mapAndThrowJoseErrors(error) {
+    if (error instanceof joseErrors.JWTExpired) {
+        throw new InvalidAuthTokenError('Authentication token expired');
+    }
+    else if (error instanceof joseErrors.JWTClaimValidationFailed || error instanceof joseErrors.JWTInvalid) {
+        throw new InvalidAuthTokenError('Authentication token is invalid');
+    }
+    else {
+        throw new InvalidAuthTokenError('Failed to verify authentication token');
+    }
+}
+export function createPrivyAppJWKS({ appId, apiUrl, headers, verificationKeyOverride, }) {
+    if (verificationKeyOverride !== undefined) {
+        // Use a closure to cache the verification key once imported
+        let verificationKey;
+        return async () => {
+            if (verificationKey === undefined) {
+                try {
+                    verificationKey = await importSPKI(verificationKeyOverride, JWT_ALGORITHM);
+                }
+                catch (error) {
+                    throw new InvalidAuthTokenError('Failed to import the provided verification key override');
+                }
+            }
+            return verificationKey;
+        };
+    }
+    const url = new URL(`${apiUrl}/v1/apps/${appId}/jwks.json`);
+    return createRemoteJWKSet(url, {
+        cacheMaxAge: 60 * 60 * 1000, // 60 minutes
+        cooldownDuration: 10 * 60 * 1000, // 10 minutes
+        headers,
+    });
+}
+//# sourceMappingURL=auth.mjs.map

package/lib/auth.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.mjs","sourceRoot":"","sources":["../src/lib/auth.ts"],"names":[],"mappings":"OAAO,EACL,kBAAkB,EAElB,UAAU,EACV,MAAM,IAAI,UAAU,EACpB,SAAS,GAGV,MAAM,MAAM;OACN,EAAE,aAAa,EAAE;OACjB,EAAE,iCAAiC,EAAE;AAG5C,MAAM,aAAa,GAAG,OAAO,CAAC;AAC9B,MAAM,UAAU,GAAG,UAAU,CAAC;AA+B9B;;;;;GAKG;AACH,KAAK,UAAU,oBAAoB,CACjC,GAAW,EACX,KAAa,EACb,eAA4C;IAE5C,qEAAqE;IACrE,IAAI,aAA8B,CAAC;IACnC,IAAI,OAAO,eAAe,KAAK,UAAU,EAAE,CAAC;QAC1C,aAAa,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,eAAe,EAAE;YACpD,GAAG,EAAE,KAAK;YACV,UAAU,EAAE,CAAC,aAAa,CAAC;YAC3B,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAClC,CAAC;SAAM,CAAC;QACN,aAAa,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,eAAe,EAAE;YACpD,GAAG,EAAE,KAAK;YACV,UAAU,EAAE,CAAC,aAAa,CAAC;YAC3B,MAAM,EAAE,UAAU;YAClB,QAAQ,EAAE,KAAK;SAChB,CAAC,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,EACpC,UAAU,EAAE,SAAS,EACrB,MAAM,EAAE,KAAK,EACb,gBAAgB,EAAE,uBAAuB,GACpB;IACrB,MAAM,eAAe,GACnB,OAAO,uBAAuB,KAAK,QAAQ,CAAC,CAAC;QAC3C,MAAM,UAAU,CAAC,uBAAuB,EAAE,aAAa,CAAC;QAC1D,CAAC,CAAC,uBAAuB,CAAC;IAC5B,MAAM,aAAa,GAAG,MAAM,oBAAoB,CAAC,SAAS,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;IACpF,OAAO;QACL,MAAM,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;QACnD,MAAM,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;QACnD,SAAS,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;QACtD,UAAU,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;QACvD,UAAU,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAC1D,OAAO,EAAE,gBAAgB,CAAC,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC;KACrD,CAAC;AACJ,CAAC;AAgBD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,EACxC,cAAc,EAAE,aAAa,EAC7B,MAAM,EAAE,KAAK,EACb,gBAAgB,EAAE,uBAAuB,GAChB;IACzB,MAAM,eAAe,GACnB,OAAO,uBAAuB,KAAK,QAAQ,CAAC,CAAC;QAC3C,MAAM,UAAU,CAAC,uBAAuB,EAAE,aAAa,CAAC;QAC1D,CAAC,CAAC,uBAAuB,CAAC;IAC5B,MAAM,aAAa,GAAG,MAAM,oBAAoB,CAAC,aAAa,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC;IAExF,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;QAC3B,MAAM,IAAI,qBAAqB,CAAC,gCAAgC,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,iCAAiC,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,OAAO,qBAAsB,SAAQ,aAAa;CAAG;AAE3D,sEAAsE;AACtE,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,qBAAqB,CAAC,4BAA4B,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,sEAAsE;AACtE,SAAS,gBAAgB,CAAC,KAAc;IACtC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,qBAAqB,CAAC,4BAA4B,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAAC,KAAc;IAC3C,IAAI,KAAK,YAAY,UAAU,CAAC,UAAU,EAAE,CAAC;QAC3C,MAAM,IAAI,qBAAqB,CAAC,8BAA8B,CAAC,CAAC;IAClE,CAAC;SAAM,IAAI,KAAK,YAAY,UAAU,CAAC,wBAAwB,IAAI,KAAK,YAAY,UAAU,CAAC,UAAU,EAAE,CAAC;QAC1G,MAAM,IAAI,qBAAqB,CAAC,iCAAiC,CAAC,CAAC;IACrE,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,qBAAqB,CAAC,uCAAuC,CAAC,CAAC;IAC3E,CAAC;AACH,CAAC;AAWD,MAAM,UAAU,kBAAkB,CAAC,EACjC,KAAK,EACL,MAAM,EACN,OAAO,EACP,uBAAuB,GACC;IACxB,IAAI,uBAAuB,KAAK,SAAS,EAAE,CAAC;QAC1C,4DAA4D;QAC5D,IAAI,eAA0B,CAAC;QAC/B,OAAO,KAAK,IAAI,EAAE;YAChB,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;gBAClC,IAAI,CAAC;oBACH,eAAe,GAAG,MAAM,UAAU,CAAC,uBAAuB,EAAE,aAAa,CAAC,CAAC;gBAC7E,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,MAAM,IAAI,qBAAqB,CAAC,yDAAyD,CAAC,CAAC;gBAC7F,CAAC;YACH,CAAC;YACD,OAAO,eAAe,CAAC;QACzB,CAAC,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,MAAM,YAAY,KAAK,YAAY,CAAC,CAAC;IAC5D,OAAO,kBAAkB,CAAC,GAAG,EAAE;QAC7B,WAAW,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QAC1C,gBAAgB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,aAAa;QAC/C,OAAO;KACR,CAAC,CAAC;AACL,CAAC"}

package/lib/identity-token.d.mts

@@ -0,0 +1,15 @@
+import { JWTPayload } from 'jose';
+import { User } from "../resources.mjs";
+import { PrivyAPIError } from "../error.mjs";
+/**
+ * Parses the payload of an identity token (JWT) into a `User` object.
+ * Note that the user object may be incomplete due to the size constraints of the identity token.
+ *
+ * @param payload The payload of the identity token.
+ * @returns The user object parsed from the identity token.
+ * @throws If the payload is invalid.
+ */
+export declare function parseUserFromIdentityTokenPayload(payload: JWTPayload): User;
+export declare class InvalidIdentityTokenError extends PrivyAPIError {
+}
+//# sourceMappingURL=identity-token.d.mts.map

package/lib/identity-token.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-token.d.mts","sourceRoot":"","sources":["../src/lib/identity-token.ts"],"names":[],"mappings":"OAAO,EAAE,UAAU,EAAE,MAAM,MAAM;OAC1B,EAAE,IAAI,EAAE;OACR,EAAE,aAAa,EAAE;AAGxB;;;;;;;GAOG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,GAAG,IAAI,CAY3E;AA8PD,qBAAa,yBAA0B,SAAQ,aAAa;CAAG"}

package/lib/identity-token.d.ts

@@ -0,0 +1,15 @@
+import { JWTPayload } from 'jose';
+import { User } from "../resources.js";
+import { PrivyAPIError } from "../error.js";
+/**
+ * Parses the payload of an identity token (JWT) into a `User` object.
+ * Note that the user object may be incomplete due to the size constraints of the identity token.
+ *
+ * @param payload The payload of the identity token.
+ * @returns The user object parsed from the identity token.
+ * @throws If the payload is invalid.
+ */
+export declare function parseUserFromIdentityTokenPayload(payload: JWTPayload): User;
+export declare class InvalidIdentityTokenError extends PrivyAPIError {
+}
+//# sourceMappingURL=identity-token.d.ts.map

package/lib/identity-token.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-token.d.ts","sourceRoot":"","sources":["../src/lib/identity-token.ts"],"names":[],"mappings":"OAAO,EAAE,UAAU,EAAE,MAAM,MAAM;OAC1B,EAAE,IAAI,EAAE;OACR,EAAE,aAAa,EAAE;AAGxB;;;;;;;GAOG;AACH,wBAAgB,iCAAiC,CAAC,OAAO,EAAE,UAAU,GAAG,IAAI,CAY3E;AA8PD,qBAAa,yBAA0B,SAAQ,aAAa;CAAG"}