@schemavaults/jwt 0.6.13

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export * from './jwt';
+export type * from './jwt';

package/dist/index.js

@@ -0,0 +1,3 @@
+// @schemavaults/jwt - index.ts
+export * from './jwt';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,cAAc,OAAO,CAAC"}

package/dist/jwt/aud.d.ts

@@ -0,0 +1 @@
+export declare const REFRESH_TOKEN_AUDIENCE: "schemavaults-auth";

package/dist/jwt/aud.js

@@ -0,0 +1,3 @@
+import { SCHEMAVAULTS_AUTH_APP_DEFINITION } from "@schemavaults/app-definitions";
+export const REFRESH_TOKEN_AUDIENCE = SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id;
+//# sourceMappingURL=aud.js.map

package/dist/jwt/aud.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aud.js","sourceRoot":"","sources":["../../src/jwt/aud.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gCAAgC,EAAE,MAAM,+BAA+B,CAAC;AAEjF,MAAM,CAAC,MAAM,sBAAsB,GAAG,gCAAgC,CAAC,MAAM,CAAC"}

package/dist/jwt/decode.d.ts

@@ -0,0 +1,22 @@
+import { type CryptoKey } from "jose";
+import type { I_JWT_Keys } from "./jwt_keys";
+import { type CustomJWTPayload } from "./payload_data";
+import type { AuthTokenTypes } from "@schemavaults/auth-common";
+import { type SchemaVaultsAppEnvironment } from "@schemavaults/app-definitions";
+interface BaseDecodeJWTOptions<T extends AuthTokenTypes> {
+    type: T;
+    jwt: string;
+    audience?: string;
+    env: SchemaVaultsAppEnvironment;
+}
+interface DecodeJWTWithAllKeysOptions<T extends AuthTokenTypes> extends BaseDecodeJWTOptions<T> {
+    jwt_keys: I_JWT_Keys;
+}
+interface DecodeJWTWithOnlyRequiredKeysOptions<T extends AuthTokenTypes> extends BaseDecodeJWTOptions<T> {
+    decryption_key: CryptoKey;
+    verification_key: CryptoKey;
+    keyset_id: string;
+}
+export type DecodeJWTOptions<T extends AuthTokenTypes> = DecodeJWTWithAllKeysOptions<T> | DecodeJWTWithOnlyRequiredKeysOptions<T>;
+export declare function decodeJWT<T extends AuthTokenTypes>({ type, jwt, audience, ...opts }: DecodeJWTOptions<T>): Promise<CustomJWTPayload>;
+export {};

package/dist/jwt/decode.js

@@ -0,0 +1,228 @@
+import { jwtDecrypt, decodeProtectedHeader, } from "jose";
+import { REFRESH_TOKEN_AUDIENCE } from "./aud";
+import { issuer } from "./iss";
+import { getExpiryDurationString } from "./expiry";
+import { jwtPayloadSchema } from "./payload_data";
+import { apiServerIdSchema, SCHEMAVAULTS_AUTH_APP_DEFINITION, schemaVaultsAppEnvironmentSchema, } from "@schemavaults/app-definitions";
+import { verifyJWTSignature } from "./verify_signature";
+import isValidUuid from "../utils/isValidUuid";
+import encryptDecryptAlgorithm from "./encrypt_decrypt_alg";
+export async function decodeJWT({ type, jwt, audience = type === "refresh"
+    ? SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id
+    : undefined, ...opts }) {
+    const environment = opts.env;
+    if (!environment) {
+        throw new Error("Invalid app environment to decode JWT within");
+    }
+    const debug = environment === "development";
+    if (debug) {
+        console.log("[decodeJWT] Attempting to decode JWT: ", jwt);
+    }
+    if (!audience || typeof audience !== "string") {
+        throw new TypeError("Invalid audience; expected string");
+    }
+    let keyset_id;
+    try {
+        if ("keyset_id" in opts) {
+            keyset_id = opts.keyset_id;
+        }
+        else if ("jwt_keys" in opts) {
+            keyset_id = opts.jwt_keys.keyset_id;
+        }
+        else {
+            throw new Error("Failed to retrieve keyset ID from input options");
+        }
+        if (!isValidUuid(keyset_id)) {
+            throw new Error("Invalid keyset ID; not a valid UUID!");
+        }
+    }
+    catch (error) {
+        console.error("Failed to retrieve keyset ID:", error);
+        throw new Error("Failed to retrieve keyset ID");
+    }
+    if (typeof jwt !== "string") {
+        throw new Error("Invalid JWT; expected string");
+    }
+    if (type === "refresh" &&
+        audience !== SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id) {
+        if (debug) {
+            console.log("Invalid audience for refresh token: ", audience);
+        }
+        throw new Error(`Invalid audience for refresh token; only '${SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id}' is valid.`);
+    }
+    let aud;
+    if (type === "refresh") {
+        aud = REFRESH_TOKEN_AUDIENCE;
+    }
+    else if (type === "access") {
+        if (typeof audience !== "string") {
+            throw new Error("Missing audience for JWT to decode with");
+        }
+        aud = audience;
+    }
+    else {
+        throw new Error("Invalid auth token 'type' (should be 'access'/'refresh')");
+    }
+    const decodeTime = new Date();
+    const maxTokenAge = getExpiryDurationString(type);
+    if (debug) {
+        console.log(`[decodeJWT] Setting max token age to ${maxTokenAge}`);
+    }
+    let kid;
+    let alg;
+    let decoded_header_aud;
+    try {
+        const decoded_header = decodeProtectedHeader(jwt);
+        if (!decoded_header.kid || typeof decoded_header.kid !== "string") {
+            throw new Error("Missing 'kid' in JWT header");
+        }
+        kid = decoded_header.kid;
+        if (!decoded_header.alg || typeof decoded_header.alg !== "string") {
+            throw new Error("Missing 'alg' in JWT header");
+        }
+        alg = decoded_header.alg;
+        if (!decoded_header.keyset_id ||
+            typeof decoded_header.keyset_id !== "string") {
+            throw new Error("Missing 'keyset_id' in JWT header");
+        }
+        if (decoded_header.keyset_id !== keyset_id) {
+            throw new Error("Invalid keyset_id in JWT header; mismatch with input decryption key");
+        }
+        if (!decoded_header.aud ||
+            typeof decoded_header.aud !== "string" ||
+            !apiServerIdSchema.safeParse(decoded_header.aud).success) {
+            throw new Error("Invalid audience in JWT header");
+        }
+        if (type === "refresh" &&
+            decoded_header.aud !== SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id) {
+            throw new Error(`Invalid audience in JWT header; only '${SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id}' tokens are allowed here`);
+        }
+        if (decoded_header.aud !== audience) {
+            throw new Error(`Invalid audience in JWT header; only '${audience}' tokens are allowed here`);
+        }
+        decoded_header_aud = decoded_header.aud;
+    }
+    catch (e) {
+        console.error("Error decoding JWT header: ", e);
+        throw new Error("Error decoding JWT header!");
+    }
+    if (kid !== `${keyset_id}-decryption`) {
+        throw new Error("Invalid kid in JWT header; mismatch with input decryption key");
+    }
+    if (alg !== encryptDecryptAlgorithm) {
+        throw new Error("Invalid algorithm header for JWT decryption");
+    }
+    let decryption_key;
+    try {
+        if ("jwt_keys" in opts) {
+            decryption_key = await opts.jwt_keys.decryption_key;
+        }
+        else if ("decryption_key" in opts) {
+            decryption_key = opts.decryption_key;
+        }
+        else {
+            throw new Error("Missing decryption key for JWT to decode with");
+        }
+    }
+    catch (e) {
+        console.error("Error loading decryption key from key store or inputs: ", e);
+        throw new Error("Error loading decryption key from key store or inputs!");
+    }
+    const decoded = await jwtDecrypt(jwt, decryption_key, {
+        audience: aud,
+        issuer,
+        maxTokenAge,
+        currentDate: decodeTime,
+    });
+    if (decoded.payload.aud !== decoded_header_aud) {
+        throw new Error("Mismatch in header 'aud' and 'aud' in JWT payload");
+    }
+    if (debug) {
+        console.log("[decodeJWT] Decoded JWT: ", decoded);
+    }
+    const iat = decoded.payload.iat;
+    if (typeof iat !== "number" || isNaN(iat)) {
+        throw new Error("Decoded JWT is missing iat property!");
+    }
+    const withoutJWTspecific = { ...decoded.payload };
+    delete withoutJWTspecific.iat;
+    delete withoutJWTspecific.exp;
+    if (!Array.isArray(withoutJWTspecific.orgs)) {
+        throw new Error("Expected JWT to have an 'orgs' property, representing organizations that user is a member of!");
+    }
+    const parsedPayload = await jwtPayloadSchema.safeParseAsync(withoutJWTspecific);
+    if (!parsedPayload.success) {
+        if (environment === "development") {
+            console.error("[decodeJWT] Error validating JWT payload with schema");
+            parsedPayload.error.issues.forEach((issue) => {
+                console.error("[decodeJWT] Validation Error: ", issue);
+            });
+            console.error(parsedPayload.error);
+        }
+        throw new Error(`Error parsing JWT payload: ${parsedPayload.error.errors
+            .map((e) => e.message)
+            .join(", ")}`);
+    }
+    const payload = parsedPayload.data;
+    if (!payload.env || typeof payload.env !== "string") {
+        throw new Error("Missing 'env' field in JWT payload!");
+    }
+    const parsed_app_env = await schemaVaultsAppEnvironmentSchema.safeParseAsync(payload.env);
+    if (!parsed_app_env.success) {
+        throw new Error("Invalid app environment within 'env' field of JWT payload!");
+    }
+    if (environment !== payload.env) {
+        console.log("Server app environment: ", environment);
+        console.log("JWT 'env' field: ", payload.env);
+        throw new Error("Payload 'env' field does not match server app environment!");
+    }
+    const signature = payload.sig;
+    if (!signature || typeof signature !== "string") {
+        throw new Error("JWT 'sig' field is missing or not a string!");
+    }
+    const sub = payload.sub;
+    const uid = payload.uid;
+    if (typeof uid !== "string" || typeof sub !== "string" || uid !== sub) {
+        throw new Error("Sub and UID must be strings and should be equal!");
+    }
+    let verification_key;
+    try {
+        if ("jwt_keys" in opts) {
+            verification_key = await opts.jwt_keys.verification_key;
+        }
+        else if ("verification_key" in opts) {
+            verification_key = opts.verification_key;
+        }
+        else {
+            throw new Error("Missing verification key for JWT to decode with");
+        }
+    }
+    catch (e) {
+        console.error("Error loading verification key from key store or inputs: ", e);
+        throw new Error("Error loading verification key from key store or inputs!");
+    }
+    try {
+        const isValidSig = await verifyJWTSignature({
+            jwt: signature,
+            verification_key,
+            keyset_id,
+            aud,
+            iat,
+            type,
+            sub,
+            uid,
+            env: environment,
+        });
+        if (!isValidSig) {
+            throw new Error("Invalid JWT signature!");
+        }
+    }
+    catch (e) {
+        if (debug) {
+            console.error("Failed to verify 'sig' field of JWT using public key: ", e);
+        }
+        throw new Error("Failed to verify 'sig' field of JWT using public key!");
+    }
+    return payload;
+}
+//# sourceMappingURL=decode.js.map

package/dist/jwt/decode.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"decode.js","sourceRoot":"","sources":["../../src/jwt/decode.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,UAAU,EACV,qBAAqB,GAEtB,MAAM,MAAM,CAAC;AAEd,OAAO,EAAE,sBAAsB,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AACnD,OAAO,EAAyB,gBAAgB,EAAE,MAAM,gBAAgB,CAAC;AAMzE,OAAO,EACL,iBAAiB,EACjB,gCAAgC,EAEhC,gCAAgC,GACjC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,OAAO,WAAW,MAAM,qBAAqB,CAAC;AAC9C,OAAO,uBAAuB,MAAM,uBAAuB,CAAC;AAyB5D,MAAM,CAAC,KAAK,UAAU,SAAS,CAA2B,EACxD,IAAI,EACJ,GAAG,EACH,QAAQ,GAAG,IAAI,KAAK,SAAS;IAC3B,CAAC,CAAC,gCAAgC,CAAC,MAAM;IACzC,CAAC,CAAC,SAAS,EACb,GAAG,IAAI,EACa;IACpB,MAAM,WAAW,GAA+B,IAAI,CAAC,GAAG,CAAC;IACzD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IACD,MAAM,KAAK,GAAY,WAAW,KAAK,aAAa,CAAC;IAErD,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,wCAAwC,EAAE,GAAG,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,SAAS,CAAC,mCAAmC,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC7B,CAAC;aAAM,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;YAC9B,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACtC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,CAAC,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,IACE,IAAI,KAAK,SAAS;QAClB,QAAQ,KAAK,gCAAgC,CAAC,MAAM,EACpD,CAAC;QACD,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,GAAG,CAAC,sCAAsC,EAAE,QAAQ,CAAC,CAAC;QAChE,CAAC;QACD,MAAM,IAAI,KAAK,CACb,6CAA6C,gCAAgC,CAAC,MAAM,aAAa,CAClG,CAAC;IACJ,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,GAAG,GAAG,sBAAsB,CAAC;IAC/B,CAAC;SAAM,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;QAC7D,CAAC;QACD,GAAG,GAAG,QAAQ,CAAC;IACjB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IAED,MAAM,UAAU,GAAS,IAAI,IAAI,EAAE,CAAC;IAEpC,MAAM,WAAW,GAAW,uBAAuB,CAAC,IAAI,CAAC,CAAC;IAC1D,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,wCAAwC,WAAW,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,GAAW,CAAC;IAChB,IAAI,kBAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,MAAM,cAAc,GAClB,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,GAAG,IAAI,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAClE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC;QACzB,IAAI,CAAC,cAAc,CAAC,GAAG,IAAI,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAClE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC;QACzB,IACE,CAAC,cAAc,CAAC,SAAS;YACzB,OAAO,cAAc,CAAC,SAAS,KAAK,QAAQ,EAC5C,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,cAAc,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;QACJ,CAAC;QAED,IACE,CAAC,cAAc,CAAC,GAAG;YACnB,OAAO,cAAc,CAAC,GAAG,KAAK,QAAQ;YACtC,CAAC,iBAAiB,CAAC,SAAS,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,OAAO,EACxD,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QAED,IACE,IAAI,KAAK,SAAS;YAClB,cAAc,CAAC,GAAG,KAAK,gCAAgC,CAAC,MAAM,EAC9D,CAAC;YACD,MAAM,IAAI,KAAK,CACb,yCAAyC,gCAAgC,CAAC,MAAM,2BAA2B,CAC5G,CAAC;QACJ,CAAC;QAED,IAAI,cAAc,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,yCAAyC,QAAQ,2BAA2B,CAC7E,CAAC;QACJ,CAAC;QACD,kBAAkB,GAAG,cAAc,CAAC,GAAG,CAAC;IAC1C,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,CAAC,CAAC,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,GAAG,KAAK,GAAG,SAAS,aAAa,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,+DAA+D,CAChE,CAAC;IACJ,CAAC;IAED,IAAI,GAAG,KAAK,uBAAuB,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,cAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;YACvB,cAAc,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC;QACtD,CAAC;aAAM,IAAI,gBAAgB,IAAI,IAAI,EAAE,CAAC;YACpC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,yDAAyD,EAAE,CAAC,CAAC,CAAC;QAC5E,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5E,CAAC;IAED,MAAM,OAAO,GAAqB,MAAM,UAAU,CAAC,GAAG,EAAE,cAAc,EAAE;QACtE,QAAQ,EAAE,GAAG;QACb,MAAM;QACN,WAAW;QACX,WAAW,EAAE,UAAU;KACxB,CAAC,CAAC;IAEH,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,KAAK,kBAAkB,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,2BAA2B,EAAE,OAAO,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,GAAG,GAAuB,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;IACpD,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,kBAAkB,GAQpB,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAC3B,OAAO,kBAAkB,CAAC,GAAG,CAAC;IAC9B,OAAO,kBAAkB,CAAC,GAAG,CAAC;IAE9B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CACb,+FAA+F,CAChG,CAAC;IACJ,CAAC;IACD,MAAM,aAAa,GACjB,MAAM,gBAAgB,CAAC,cAAc,CAAC,kBAAkB,CAAC,CAAC;IAC5D,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,CAAC;QAC3B,IAAI,WAAW,KAAK,aAAa,EAAE,CAAC;YAClC,OAAO,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;YACtE,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,EAAE;gBAC3C,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;YACzD,CAAC,CAAC,CAAC;YACH,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QACrC,CAAC;QACD,MAAM,IAAI,KAAK,CACb,8BAA8B,aAAa,CAAC,KAAK,CAAC,MAAM;aACrD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;aACrB,IAAI,CAAC,IAAI,CAAC,EAAE,CAChB,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAqB,aAAa,CAAC,IAAI,CAAC;IAErD,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,cAAc,GAGhB,MAAM,gCAAgC,CAAC,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACvE,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IAED,IAAI,WAAW,KAAK,OAAO,CAAC,GAAG,EAAE,CAAC;QAChC,OAAO,CAAC,GAAG,CAAC,0BAA0B,EAAE,WAAW,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,mBAAmB,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAW,OAAO,CAAC,GAAG,CAAC;IACtC,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,GAAG,GAAW,OAAO,CAAC,GAAG,CAAC;IAChC,MAAM,GAAG,GAAW,OAAO,CAAC,GAAG,CAAC;IAChC,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,IAAI,gBAA2B,CAAC;IAChC,IAAI,CAAC;QACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;YACvB,gBAAgB,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC;QAC1D,CAAC;aAAM,IAAI,kBAAkB,IAAI,IAAI,EAAE,CAAC;YACtC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CACX,2DAA2D,EAC3D,CAAC,CACF,CAAC;QACF,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,CAAC;QACH,MAAM,UAAU,GAAY,MAAM,kBAAkB,CAAC;YACnD,GAAG,EAAE,SAAS;YACd,gBAAgB;YAChB,SAAS;YACT,GAAG;YACH,GAAG;YACH,IAAI;YACJ,GAAG;YACH,GAAG;YACH,GAAG,EAAE,WAAW;SACjB,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,KAAK,CACX,wDAAwD,EACxD,CAAC,CACF,CAAC;QACJ,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/jwt/encrypt_decrypt_alg.d.ts

@@ -0,0 +1,3 @@
+export declare const alg: "RSA-OAEP-256";
+export default alg;
+export declare const enc: "A256GCM";

package/dist/jwt/encrypt_decrypt_alg.js

@@ -0,0 +1,4 @@
+export const alg = "RSA-OAEP-256";
+export default alg;
+export const enc = "A256GCM";
+//# sourceMappingURL=encrypt_decrypt_alg.js.map

package/dist/jwt/encrypt_decrypt_alg.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encrypt_decrypt_alg.js","sourceRoot":"","sources":["../../src/jwt/encrypt_decrypt_alg.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,GAAG,GAAG,cAAwC,CAAC;AAC5D,eAAe,GAAG,CAAC;AAEnB,MAAM,CAAC,MAAM,GAAG,GAAG,SAAmC,CAAC"}

package/dist/jwt/expiry.d.ts

@@ -0,0 +1 @@
+export { refreshTokenExpiry, accessTokenExpiry, getExpiryTime, getExpiryDurationString, } from "@schemavaults/auth-common";

package/dist/jwt/expiry.js

@@ -0,0 +1,2 @@
+export { refreshTokenExpiry, accessTokenExpiry, getExpiryTime, getExpiryDurationString, } from "@schemavaults/auth-common";
+//# sourceMappingURL=expiry.js.map

package/dist/jwt/expiry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"expiry.js","sourceRoot":"","sources":["../../src/jwt/expiry.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,aAAa,EACb,uBAAuB,GACxB,MAAM,2BAA2B,CAAC"}

package/dist/jwt/generate.d.ts

@@ -0,0 +1,31 @@
+import { type CryptoKey } from "jose";
+import type { I_JWT_Keys } from "./jwt_keys";
+import { type UserData, type AccessToken, type AuthTokenTypes, type RefreshToken, type OrganizationID } from "@schemavaults/auth-common";
+import { type SchemaVaultsAppEnvironment } from "@schemavaults/app-definitions";
+interface BaseGenerateJWTOptions<T extends AuthTokenTypes> {
+    user: UserData;
+    type: T;
+    iat: number;
+    client_app_id: string;
+    audience: string;
+    env: SchemaVaultsAppEnvironment;
+    orgs: readonly OrganizationID[];
+}
+interface GenerateJWTWithAllKeysOptions<T extends AuthTokenTypes> extends BaseGenerateJWTOptions<T> {
+    jwt_keys: I_JWT_Keys;
+}
+interface GenerateJWTWithOnlyRequiredKeysOptions<T extends AuthTokenTypes> extends BaseGenerateJWTOptions<T> {
+    encryption_key: CryptoKey;
+    signing_key: CryptoKey;
+    keyset_id: string;
+}
+export type GenerateJWTOptions<T extends AuthTokenTypes> = GenerateJWTWithAllKeysOptions<T> | GenerateJWTWithOnlyRequiredKeysOptions<T>;
+/**
+ *
+ * @param userData
+ * @param type Access or refresh token
+ * @param iat Current unix timestamp
+ * @returns A JWT (string)
+ */
+export declare function generateJWT<T extends AuthTokenTypes>({ type, user, iat, client_app_id, audience, ...opts }: GenerateJWTOptions<T>, refresh_token_audience?: "schemavaults-auth"): Promise<T extends "access" ? AccessToken : RefreshToken>;
+export {};

package/dist/jwt/generate.js

@@ -0,0 +1,188 @@
+import { EncryptJWT } from "jose";
+import { alg, enc } from "./encrypt_decrypt_alg";
+import { issuer } from "./iss";
+import { REFRESH_TOKEN_AUDIENCE } from "./aud";
+import { getExpiryDurationString, getExpiryTime } from "./expiry";
+import { organizationIdSchema, } from "@schemavaults/auth-common";
+import { signJWT } from "./sign";
+import { apiServerIdSchema, SCHEMAVAULTS_AUTH_APP_DEFINITION, } from "@schemavaults/app-definitions";
+import isValidUuid from "../utils/isValidUuid";
+const organizationIdsSchema = organizationIdSchema.array().readonly();
+/**
+ *
+ * @param userData
+ * @param type Access or refresh token
+ * @param iat Current unix timestamp
+ * @returns A JWT (string)
+ */
+export async function generateJWT({ type, user, iat, client_app_id, audience, ...opts }, refresh_token_audience = REFRESH_TOKEN_AUDIENCE) {
+    let keyset_id;
+    try {
+        if ("keyset_id" in opts) {
+            keyset_id = opts.keyset_id;
+        }
+        else if ("jwt_keys" in opts) {
+            keyset_id = opts.jwt_keys.keyset_id;
+        }
+        else {
+            throw new Error("Failed to parse 'keyset_id' from options!");
+        }
+        if (!isValidUuid(keyset_id)) {
+            throw new Error("Invalid 'keyset_id' provided; not a valid uuid!");
+        }
+    }
+    catch (e) {
+        console.error("Error parsing 'keyset_id' from options: ", e);
+        throw new Error("Error parsing 'keyset_id' from options!");
+    }
+    const userData = user;
+    let aud;
+    if (type === "refresh") {
+        if (typeof audience !== "string" || audience !== refresh_token_audience) {
+            throw new Error(`Audience for a refresh token must be the auth server. Received "${audience}", but expected "${refresh_token_audience}".`);
+        }
+        else {
+            aud = refresh_token_audience;
+        }
+    }
+    else if (type === "access") {
+        if (typeof audience !== "string") {
+            throw new TypeError("An audience must be supplied for access tokens");
+        }
+        if (!apiServerIdSchema.safeParse(audience).success) {
+            throw new TypeError("Invalid audience provided; not a valid API server ID!");
+        }
+        aud = audience;
+    }
+    else {
+        throw new TypeError("Invalid token type; expected 'type' to be 'access' or 'refresh'");
+    }
+    if ("jwt_keys" in opts) {
+        const keyset_audience_id = opts.jwt_keys.audience_id;
+        if (typeof keyset_audience_id !== "string" ||
+            !apiServerIdSchema.safeParse(keyset_audience_id).success) {
+            throw new TypeError("Invalid audience ID for JWT keyset; not a valid API server ID!");
+        }
+        if (keyset_audience_id !== aud) {
+            throw new Error(`JWT keyset audience ID '${keyset_audience_id}' does not match requested token audience ID '${aud}'`);
+        }
+    }
+    const email = user.email;
+    const uid = user.uid;
+    const env = opts.env;
+    const parsed_organization_ids = await organizationIdsSchema.safeParseAsync(opts.orgs);
+    if (!parsed_organization_ids.success) {
+        console.error("Received invalid list of organization IDs that user is a member of: ", parsed_organization_ids.error);
+        throw new Error("Received invalid list of organization IDs that user is a member of!");
+    }
+    const orgs = parsed_organization_ids.data;
+    if (type === "refresh" &&
+        audience !== SCHEMAVAULTS_AUTH_APP_DEFINITION.app_id) {
+        throw new Error("Invalid audience for refresh token");
+    }
+    let signing_key;
+    try {
+        if ("jwt_keys" in opts) {
+            const signing_key_promise = opts.jwt_keys.signing_key;
+            if (!signing_key_promise) {
+                throw new Error("Failed to load signing key from key store!");
+            }
+            signing_key = await signing_key_promise;
+        }
+        else if ("signing_key" in opts) {
+            signing_key = opts.signing_key;
+        }
+        else {
+            throw new Error("Did not receive signing key from key store or input options!");
+        }
+    }
+    catch (e) {
+        console.error("Failed to load encryption key from key store or input options: ", e);
+        throw new Error("Failed to load encryption key from key store or input options!");
+    }
+    let sig;
+    try {
+        sig = await signJWT({
+            audience,
+            signing_key,
+            keyset_id,
+            iat,
+            uid,
+            email,
+            type,
+            env,
+            orgs,
+        });
+    }
+    catch (e) {
+        console.error("Failed to generate signature token for 'sig' field of JWT: ", e);
+        throw new Error("Failed to generate signature token for 'sig' field of JWT!");
+    }
+    let encryption_key;
+    try {
+        if ("jwt_keys" in opts) {
+            const encryption_key_promise = opts.jwt_keys.encryption_key;
+            if (!encryption_key_promise) {
+                throw new Error("Failed to load encryption key from key store!");
+            }
+            encryption_key = await encryption_key_promise;
+        }
+        else if ("encryption_key" in opts) {
+            encryption_key = opts.encryption_key;
+        }
+        else {
+            throw new Error("Did not receive encryption key from key store or input options!");
+        }
+    }
+    catch (e) {
+        console.error("Failed to load encryption key from key store or input options: ", e);
+        throw new Error("Failed to load encryption key from key store or input options!");
+    }
+    try {
+        const additionalClaims = {
+            uid: user.uid,
+            admin: user.admin ?? false,
+            email: user.email,
+            email_verified: user.email_verified ?? false,
+            aud: audience,
+            app: client_app_id,
+            disabled: user.disabled ?? false,
+            created_at: user.created_at,
+            env,
+            sig,
+            orgs: orgs,
+        };
+        const jwt = await new EncryptJWT(additionalClaims)
+            .setProtectedHeader({
+            alg,
+            enc,
+            keyset_id,
+            kid: `${keyset_id}-decryption`,
+            aud: audience,
+        })
+            .setIssuedAt(new Date(iat))
+            .setIssuer(issuer)
+            .setAudience(aud)
+            .setExpirationTime(getExpiryDurationString(type))
+            .setSubject(userData.uid)
+            .encrypt(encryption_key);
+        const expiryTime = getExpiryTime(type, iat);
+        if (env === "development") {
+            console.log(`[generateJWT] Generated ${type} JWT: `, jwt);
+        }
+        const tokenData = {
+            type,
+            uid: userData.uid,
+            iat,
+            exp: expiryTime,
+            token: jwt,
+            aud,
+        };
+        return tokenData;
+    }
+    catch (error) {
+        console.error("Error generating JWT: ", error);
+        throw new Error("Error generating JWT!");
+    }
+}
+//# sourceMappingURL=generate.js.map

package/dist/jwt/generate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate.js","sourceRoot":"","sources":["../../src/jwt/generate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAkB,MAAM,MAAM,CAAC;AAElD,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,uBAAuB,CAAC;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAC/B,OAAO,EAAE,sBAAsB,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EAAE,uBAAuB,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAElE,OAAO,EAOL,oBAAoB,GACrB,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AACjC,OAAO,EACL,iBAAiB,EACjB,gCAAgC,GAEjC,MAAM,+BAA+B,CAAC;AACvC,OAAO,WAAW,MAAM,qBAAqB,CAAC;AA4B9C,MAAM,qBAAqB,GAAG,oBAAoB,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,CAAC;AAEtE;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,aAAa,EAAE,QAAQ,EAAE,GAAG,IAAI,EAAyB,EAC5E,sBAAsB,GAAG,sBAAsB;IAE/C,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,IAAI,WAAW,IAAI,IAAI,EAAE,CAAC;YACxB,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC7B,CAAC;aAAM,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;YAC9B,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACtC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,QAAQ,GAAa,IAAI,CAAC;IAChC,IAAI,GAAW,CAAC;IAChB,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;QACvB,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,sBAAsB,EAAE,CAAC;YACxE,MAAM,IAAI,KAAK,CACb,mEAAmE,QAAQ,oBAAoB,sBAAsB,IAAI,CAC1H,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,GAAG,GAAG,sBAAsB,CAAC;QAC/B,CAAC;IACH,CAAC;SAAM,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QAC7B,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC;YACnD,MAAM,IAAI,SAAS,CACjB,uDAAuD,CACxD,CAAC;QACJ,CAAC;QAED,GAAG,GAAG,QAAQ,CAAC;IACjB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,SAAS,CACjB,iEAAiE,CAClE,CAAC;IACJ,CAAC;IAED,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,kBAAkB,GAAW,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC7D,IACE,OAAO,kBAAkB,KAAK,QAAQ;YACtC,CAAC,iBAAiB,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC,OAAO,EACxD,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,gEAAgE,CACjE,CAAC;QACJ,CAAC;QAED,IAAI,kBAAkB,KAAK,GAAG,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CACb,2BAA2B,kBAAkB,iDAAiD,GAAG,GAAG,CACrG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAW,IAAI,CAAC,KAAK,CAAC;IACjC,MAAM,GAAG,GAAW,IAAI,CAAC,GAAG,CAAC;IAE7B,MAAM,GAAG,GAA+B,IAAI,CAAC,GAAG,CAAC;IAEjD,MAAM,uBAAuB,GAAG,MAAM,qBAAqB,CAAC,cAAc,CACxE,IAAI,CAAC,IAAI,CACV,CAAC;IACF,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,CAAC;QACrC,OAAO,CAAC,KAAK,CACX,sEAAsE,EACtE,uBAAuB,CAAC,KAAK,CAC9B,CAAC;QACF,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAA8B,uBAAuB,CAAC,IAAI,CAAC;IAErE,IACE,IAAI,KAAK,SAAS;QAClB,QAAQ,KAAK,gCAAgC,CAAC,MAAM,EACpD,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,WAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,mBAAmB,GACvB,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC5B,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAChE,CAAC;YACD,WAAW,GAAG,MAAM,mBAAmB,CAAC;QAC1C,CAAC;aAAM,IAAI,aAAa,IAAI,IAAI,EAAE,CAAC;YACjC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACjC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CACb,8DAA8D,CAC/D,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CACX,iEAAiE,EACjE,CAAC,CACF,CAAC;QACF,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;IACJ,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,OAAO,CAAC;YAClB,QAAQ;YACR,WAAW;YACX,SAAS;YACT,GAAG;YACH,GAAG;YACH,KAAK;YACL,IAAI;YACJ,GAAG;YACH,IAAI;SACL,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CACX,6DAA6D,EAC7D,CAAC,CACF,CAAC;QACF,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IAED,IAAI,cAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,sBAAsB,GAC1B,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC;YAC/B,IAAI,CAAC,sBAAsB,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACnE,CAAC;YACD,cAAc,GAAG,MAAM,sBAAsB,CAAC;QAChD,CAAC;aAAM,IAAI,gBAAgB,IAAI,IAAI,EAAE,CAAC;YACpC,cAAc,GAAG,IAAI,CAAC,cAAc,CAAC;QACvC,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CACX,iEAAiE,EACjE,CAAC,CACF,CAAC;QACF,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,gBAAgB,GAA8B;YAClD,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,KAAK;YAC1B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,KAAK;YAC5C,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,aAAa;YAClB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,KAAK;YAChC,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,GAAG;YACH,GAAG;YACH,IAAI,EAAE,IAAI;SACX,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,IAAI,UAAU,CAAC,gBAAgB,CAAC;aAC/C,kBAAkB,CAAC;YAClB,GAAG;YACH,GAAG;YACH,SAAS;YACT,GAAG,EAAE,GAAG,SAAS,aAAa;YAC9B,GAAG,EAAE,QAAyB;SAC/B,CAAC;aACD,WAAW,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;aAC1B,SAAS,CAAC,MAAM,CAAC;aACjB,WAAW,CAAC,GAAG,CAAC;aAChB,iBAAiB,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC;aAChD,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC;aACxB,OAAO,CAAC,cAAc,CAAC,CAAC;QAE3B,MAAM,UAAU,GAAW,aAAa,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAEpD,IAAI,GAAG,KAAK,aAAa,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CAAC,2BAA2B,IAAI,QAAQ,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,SAAS,GAAc;YAC3B,IAAI;YACJ,GAAG,EAAE,QAAQ,CAAC,GAAG;YACjB,GAAG;YACH,GAAG,EAAE,UAAU;YACf,KAAK,EAAE,GAAG;YACV,GAAG;SACJ,CAAC;QAEF,OAAO,SAA4D,CAAC;IACtE,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}

package/dist/jwt/get_audience_from_token.d.ts

@@ -0,0 +1 @@
+export default function getAudienceFromToken(token: string): string;

package/dist/jwt/get_audience_from_token.js

@@ -0,0 +1,17 @@
+import { apiServerIdSchema } from "@schemavaults/app-definitions";
+import { decodeProtectedHeader } from "jose";
+export default function getAudienceFromToken(token) {
+    const headers = decodeProtectedHeader(token);
+    if ("aud" in headers) {
+        if (typeof headers.aud === "string" && headers.aud.length > 0) {
+            const aud = headers.aud;
+            if (!apiServerIdSchema.safeParse(aud).success) {
+                throw new Error("Invalid token; 'aud' claim must be a valid API server ID");
+            }
+            return aud;
+        }
+        throw new Error("Invalid token; 'aud' claim must be a string");
+    }
+    throw new Error("Invalid token; no 'aud' claim in header");
+}
+//# sourceMappingURL=get_audience_from_token.js.map

package/dist/jwt/get_audience_from_token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get_audience_from_token.js","sourceRoot":"","sources":["../../src/jwt/get_audience_from_token.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,qBAAqB,EAAE,MAAM,MAAM,CAAC;AAE7C,MAAM,CAAC,OAAO,UAAU,oBAAoB,CAAC,KAAa;IACxD,MAAM,OAAO,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAC7C,IAAI,KAAK,IAAI,OAAO,EAAE,CAAC;QACrB,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,MAAM,GAAG,GAAW,OAAO,CAAC,GAAG,CAAC;YAChC,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;gBAC9C,MAAM,IAAI,KAAK,CACb,0DAA0D,CAC3D,CAAC;YACJ,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;AAC7D,CAAC"}

package/dist/jwt/get_keyset_id_from_token.d.ts

@@ -0,0 +1,2 @@
+export declare function getKeysetIdFromToken(token: string): string;
+export default getKeysetIdFromToken;

package/dist/jwt/get_keyset_id_from_token.js

@@ -0,0 +1,17 @@
+import isValidUuid from "../utils/isValidUuid";
+import { decodeProtectedHeader } from "jose";
+export function getKeysetIdFromToken(token) {
+    const header = decodeProtectedHeader(token);
+    if (!header.kid || !header.keyset_id) {
+        throw new Error("Invalid token; missing 'kid' or 'keyset_id' in header!");
+    }
+    if (!isValidUuid(header.keyset_id)) {
+        throw new Error("Invalid token; 'keyset_id' is not a valid UUID!");
+    }
+    if (!header.kid.startsWith(header.keyset_id)) {
+        throw new Error("Invalid token; 'kid' does not start with 'keyset_id'!");
+    }
+    return header.keyset_id;
+}
+export default getKeysetIdFromToken;
+//# sourceMappingURL=get_keyset_id_from_token.js.map

package/dist/jwt/get_keyset_id_from_token.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get_keyset_id_from_token.js","sourceRoot":"","sources":["../../src/jwt/get_keyset_id_from_token.ts"],"names":[],"mappings":"AAAA,OAAO,WAAW,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,qBAAqB,EAA6B,MAAM,MAAM,CAAC;AAExE,MAAM,UAAU,oBAAoB,CAAC,KAAa;IAChD,MAAM,MAAM,GAA8B,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACvE,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,CAAC;IAC5E,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IACD,OAAO,MAAM,CAAC,SAAS,CAAC;AAC1B,CAAC;AAED,eAAe,oBAAoB,CAAC"}

package/dist/jwt/index.d.ts

@@ -0,0 +1,9 @@
+export { decodeJWT } from "./decode";
+export { getExpiryTime, getExpiryDurationString } from "./expiry";
+export { JWT_Factory } from "./jwt-factory";
+export type { CustomJWTPayload } from "./payload_data";
+export { JWT_Keys, generateNewJwtKeySet, to_public_jwks, importAsymmetricJWK, jsonSerializedJwtKeySchema, PEMFormat, } from "./jwt_keys";
+export type * from "./jwt_keys";
+export { getKeysetIdFromToken } from "./get_keyset_id_from_token";
+export { default as getAudienceFromToken } from "./get_audience_from_token";
+export { refreshTokenExpiry, accessTokenExpiry } from "./expiry";

package/dist/jwt/index.js

@@ -0,0 +1,9 @@
+// export {generateJWT} from './generate';
+export { decodeJWT } from "./decode";
+export { getExpiryTime, getExpiryDurationString } from "./expiry";
+export { JWT_Factory } from "./jwt-factory";
+export { JWT_Keys, generateNewJwtKeySet, to_public_jwks, importAsymmetricJWK, jsonSerializedJwtKeySchema, PEMFormat, } from "./jwt_keys";
+export { getKeysetIdFromToken } from "./get_keyset_id_from_token";
+export { default as getAudienceFromToken } from "./get_audience_from_token";
+export { refreshTokenExpiry, accessTokenExpiry } from "./expiry";
+//# sourceMappingURL=index.js.map

package/dist/jwt/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/jwt/index.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AACrC,OAAO,EAAE,aAAa,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAClE,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAI5C,OAAO,EACL,QAAQ,EACR,oBAAoB,EACpB,cAAc,EACd,mBAAmB,EACnB,0BAA0B,EAC1B,SAAS,GACV,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,OAAO,IAAI,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAE5E,OAAO,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC"}

package/dist/jwt/iss.d.ts

@@ -0,0 +1 @@
+export declare const issuer: "schemavaults-auth";

package/dist/jwt/iss.js

@@ -0,0 +1,3 @@
+import { REFRESH_TOKEN_AUDIENCE } from "./aud";
+export const issuer = REFRESH_TOKEN_AUDIENCE;
+//# sourceMappingURL=iss.js.map

package/dist/jwt/iss.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"iss.js","sourceRoot":"","sources":["../../src/jwt/iss.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,OAAO,CAAC;AAE/C,MAAM,CAAC,MAAM,MAAM,GAAG,sBAAsB,CAAC"}