@schemavaults/jwt 0.6.13

package/dist/jwt/jwt_keys/raw_jwt_keys_store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"raw_jwt_keys_store.js","sourceRoot":"","sources":["../../../src/jwt/jwt_keys/raw_jwt_keys_store.ts"],"names":[],"mappings":"AAAA,OAAO,wBAAwB,MAAM,kCAAkC,CAAC;AACxE,OAAO,SAAS,MAAM,cAAc,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,EACL,0BAA0B,GAE3B,MAAM,wBAAwB,CAAC;AAChC,OAAO,WAAW,MAAM,qBAAqB,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAiBlE,MAAM,kBAAkB;IACN,WAAW,CAAS;IACpB,SAAS,CAAS;IACjB,cAAc,CAAU;IACzB,aAAa,CAAS;IAEtC,uCAAuC;IACtB,mBAAmB,CAAgB;IACnC,mBAAmB,CAAS;IAE7C,sCAAsC;IACrB,gBAAgB,CAAgB;IAChC,qBAAqB,CAAS;IAE/C,8CAA8C;IACtC,MAAM,CAAC,aAAa,CAAC,GAAyB;QACpD,MAAM,UAAU,GAAG,0BAA0B,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAC7D,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,CAAC,KAAK,CACX,gDAAgD,EAChD,UAAU,CAAC,KAAK,CACjB,CAAC;YACF,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;YACzB,IACE,CAAC,SAAS,CAAC,WAAW,CACpB,GAAG,CAAC,KAAK,EACT,GAAG,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CACvD,EACD,CAAC;gBACD,MAAM,IAAI,SAAS,CAAC,6BAA6B,CAAC,CAAC;YACrD,CAAC;YAED,OAAO,GAAG,CAAC,KAAK,CAAC;QACnB,CAAC;aAAM,IAAI,GAAG,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YACtC,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,SAAS,CAAC,mCAAmC,CAAC,CAAC;YAC3D,CAAC;YAED,MAAM,cAAc,GAAW,MAAM,CAAC,IAAI,CACxC,GAAG,CAAC,KAAK,EACT,WAAW,CACZ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YACnB,OAAO,kBAAkB,CAAC,aAAa,CAAC;gBACtC,MAAM,EAAE,KAAK;gBACb,KAAK,EAAE,cAAc;gBACrB,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,SAAS,EAAE,GAAG,CAAC,SAAS;gBACxB,WAAW,EAAE,GAAG,CAAC,WAAW;aAC7B,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CACb,0DAA0D,CAC3D,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,MAAM,CAAC,eAAe,CAAC,GAAW;QACxC,OAAO,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;IAED,YAAmB,EACjB,WAAW,EACX,SAAS,EACT,aAAa,EACb,UAAU,EACV,UAAU,EACV,OAAO,EACP,YAAY,EACZ,cAAc,GACc;QAC5B,qBAAqB;QACrB,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAE3B,uBAAuB;QACvB,IACE,OAAO,WAAW,KAAK,QAAQ;YAC/B,CAAC,iBAAiB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,OAAO,EACjD,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,qDAAqD,CACtD,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAE/B,IAAI,OAAO,aAAa,KAAK,QAAQ,IAAI,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9D,8BAA8B;YAC9B,MAAM,IAAI,SAAS,CAAC,0CAA0C,CAAC,CAAC;QAClE,CAAC;QACD,IAAI,CAAC,aAAa,GAAG,aAAa,CAAC;QAEnC,0BAA0B;QAC1B,IAAI,CAAC,mBAAmB,GAAG,UAAU,EAAE,KAAK;YAC1C,CAAC,CAAC,kBAAkB,CAAC,aAAa,CAAC,UAAU,CAAC;YAC9C,CAAC,CAAC,IAAI,CAAC;QACT,IAAI,CAAC,mBAAmB,GAAG,kBAAkB,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;QACxE,IAAI,CAAC,gBAAgB,GAAG,OAAO,EAAE,KAAK;YACpC,CAAC,CAAC,kBAAkB,CAAC,aAAa,CAAC,OAAO,CAAC;YAC3C,CAAC,CAAC,IAAI,CAAC;QACT,IAAI,CAAC,qBAAqB,GAAG,kBAAkB,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;QAE5E,mFAAmF;QACnF,IAAI,CAAC,cAAc,GAAG,cAAc,IAAI,KAAK,CAAC;QAC9C,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,6DAA6D;YAC7D,IAAI,CAAC,IAAI,CAAC,mBAAmB,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACxD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;aAAM,IAAI,CAAC,IAAI,CAAC,qBAAqB,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,IAAW,UAAU;QACnB,OAAO,IAAI,CAAC,mBAAmB,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED,yCAAyC;IACzC,IAAW,UAAU;QACnB,OAAO,IAAI,CAAC,mBAAmB,CAAC;IAClC,CAAC;IAED,iDAAiD;IACjD,IAAW,OAAO;QAChB,OAAO,IAAI,CAAC,gBAAgB,CAAC;IAC/B,CAAC;IAED,2CAA2C;IAC3C,IAAW,YAAY;QACrB,OAAO,IAAI,CAAC,qBAAqB,CAAC;IACpC,CAAC;IAED,IAAW,oBAAoB;QAC7B,OAAO,IAAI,CAAC,UAAU;YACpB,CAAC,CAAC,kBAAkB,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC;YACrD,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAED,IAAW,oBAAoB;QAC7B,OAAO,kBAAkB,CAAC,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7D,CAAC;IAED,IAAW,sBAAsB;QAC/B,OAAO,kBAAkB,CAAC,eAAe,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC/D,CAAC;IAED,IAAW,iBAAiB;QAC1B,OAAO,IAAI,CAAC,OAAO;YACjB,CAAC,CAAC,kBAAkB,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC;YAClD,CAAC,CAAC,IAAI,CAAC;IACX,CAAC;IAED,IAAW,eAAe;QACxB,MAAM,KAAK,GAAkB,IAAI,CAAC,UAAU,CAAC;QAC7C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO;YACL,MAAM,EAAE,KAAK;YACb,KAAK;YACL,aAAa,EAAE,QAAQ;YACvB,QAAQ,EAAE,YAAY;YACtB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;IACJ,CAAC;IAED,IAAW,eAAe;QACxB,MAAM,KAAK,GAAW,IAAI,CAAC,UAAU,CAAC;QACtC,OAAO;YACL,MAAM,EAAE,KAAK;YACb,KAAK;YACL,aAAa,EAAE,SAAS,EAAE,sDAAsD;YAChF,QAAQ,EAAE,YAAY;YACtB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;IACJ,CAAC;IAED,IAAW,YAAY;QACrB,MAAM,KAAK,GAAkB,IAAI,CAAC,OAAO,CAAC;QAC1C,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO;YACL,MAAM,EAAE,KAAK;YACb,KAAK;YACL,aAAa,EAAE,SAAS;YACxB,QAAQ,EAAE,SAAS;YACnB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;IACJ,CAAC;IAED,IAAW,iBAAiB;QAC1B,MAAM,KAAK,GAAW,IAAI,CAAC,YAAY,CAAC;QACxC,OAAO;YACL,MAAM,EAAE,KAAK;YACb,KAAK;YACL,aAAa,EAAE,QAAQ;YACvB,QAAQ,EAAE,cAAc;YACxB,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;IACJ,CAAC;IAEM,kBAAkB;QACvB,MAAM,IAAI,GAA2B;YACnC,IAAI,CAAC,eAAe;YACpB,IAAI,CAAC,iBAAiB;SACvB,CAAC;QACF,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,eAAgB,CAAC,CAAC;QACnC,CAAC;QACD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,YAAa,CAAC,CAAC;QAChC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,eAAe,kBAAkB,CAAC"}

package/dist/jwt/jwt_keys/to_public_jwks.d.ts

@@ -0,0 +1,6 @@
+import type { I_JWT_Keys } from "../../jwt/jwt_keys";
+import { type JWK } from "jose";
+export declare function to_public_jwks(active_keysets: I_JWT_Keys | readonly I_JWT_Keys[]): Promise<{
+    keys: readonly JWK[];
+}>;
+export default to_public_jwks;

package/dist/jwt/jwt_keys/to_public_jwks.js

@@ -0,0 +1,39 @@
+import { exportJWK } from "jose";
+import getAlgorithmForKey from "./getAlgorithmForKey";
+export async function to_public_jwks(active_keysets) {
+    const keysets = Array.isArray(active_keysets)
+        ? active_keysets
+        : [active_keysets];
+    const output_jwks = [];
+    for (const keyset of keysets) {
+        const keyset_id = keyset.keyset_id;
+        if (keyset.keyset_expiry && keyset.keyset_expiry < Date.now()) {
+            // don't use any keys from this expired keyset
+            continue;
+        }
+        const keys_in_set = keyset.listSerializedKeys();
+        for (const key of keys_in_set) {
+            const key_type = key.key_type;
+            if (key_type !== "decryption" && key_type !== "verification") {
+                continue; // Skip keys that are not decryption or verification keys
+            }
+            if (key.keyset_id !== keyset_id) {
+                throw new Error(`Keyset '${keyset_id}' contains a key that is not part of it!`);
+            }
+            const jose_activated_key = await keyset[`${key_type}_key`];
+            const alg = getAlgorithmForKey(key);
+            const jwk = await exportJWK(jose_activated_key);
+            output_jwks.push({
+                ...jwk,
+                kid: `${keyset_id}-${key.key_type}`,
+                alg,
+            });
+            continue;
+        }
+    }
+    return {
+        keys: output_jwks,
+    };
+}
+export default to_public_jwks;
+//# sourceMappingURL=to_public_jwks.js.map

package/dist/jwt/jwt_keys/to_public_jwks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"to_public_jwks.js","sourceRoot":"","sources":["../../../src/jwt/jwt_keys/to_public_jwks.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,SAAS,EAAY,MAAM,MAAM,CAAC;AAC3C,OAAO,kBAAkB,MAAM,sBAAsB,CAAC;AAEtD,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,cAAkD;IAElD,MAAM,OAAO,GAA0B,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC;QAClE,CAAC,CAAC,cAAc;QAChB,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;IAErB,MAAM,WAAW,GAAU,EAAE,CAAC;IAE9B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,SAAS,GAAW,MAAM,CAAC,SAAS,CAAC;QAE3C,IAAI,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YAC9D,8CAA8C;YAC9C,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GACf,MAAM,CAAC,kBAAkB,EAAE,CAAC;QAC9B,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;YAC9B,MAAM,QAAQ,GAAe,GAAG,CAAC,QAAQ,CAAC;YAC1C,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;gBAC7D,SAAS,CAAC,yDAAyD;YACrE,CAAC;YACD,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;gBAChC,MAAM,IAAI,KAAK,CACb,WAAW,SAAS,0CAA0C,CAC/D,CAAC;YACJ,CAAC;YACD,MAAM,kBAAkB,GAAc,MAAM,MAAM,CAAC,GAAG,QAAQ,MAAM,CAAC,CAAC;YAEtE,MAAM,GAAG,GAAW,kBAAkB,CAAC,GAAG,CAAC,CAAC;YAE5C,MAAM,GAAG,GAAQ,MAAM,SAAS,CAAC,kBAAkB,CAAC,CAAC;YACrD,WAAW,CAAC,IAAI,CAAC;gBACf,GAAG,GAAG;gBACN,GAAG,EAAE,GAAG,SAAS,IAAI,GAAG,CAAC,QAAQ,EAAE;gBACnC,GAAG;aACJ,CAAC,CAAC;YACH,SAAS;QACX,CAAC;IACH,CAAC;IAED,OAAO;QACL,IAAI,EAAE,WAAW;KAClB,CAAC;AACJ,CAAC;AAED,eAAe,cAAc,CAAC"}

package/dist/jwt/payload_data.d.ts

@@ -0,0 +1,73 @@
+import { z } from "zod";
+export declare const jwtPayloadSchema: z.ZodEffects<z.ZodObject<{
+    sub: z.ZodString;
+    uid: z.ZodString;
+    email: z.ZodString;
+    email_verified: z.ZodBoolean;
+    aud: z.ZodUnion<[z.ZodString, z.ZodLiteral<"schemavaults-registry">, z.ZodLiteral<"schemavaults-auth">, z.ZodLiteral<"schemavaults-mail">]>;
+    app: z.ZodUnion<readonly [z.ZodString, z.ZodEffects<z.ZodString, "schemavaults-auth" | "schemavaults-mail" | "schemavaults-web" | "schemavaults-cli", string>]>;
+    admin: z.ZodBoolean;
+    disabled: z.ZodBoolean;
+    created_at: z.ZodEffects<z.ZodNumber, number, number>;
+    sig: z.ZodString;
+    iss: z.ZodLiteral<"schemavaults-auth">;
+    env: z.ZodEnum<["development", "staging", "test", "production"]>;
+    orgs: z.ZodReadonly<z.ZodArray<z.ZodEffects<z.ZodString, string, string>, "many">>;
+}, "strict", z.ZodTypeAny, {
+    sub: string;
+    uid: string;
+    email: string;
+    email_verified: boolean;
+    aud: string;
+    app: string;
+    admin: boolean;
+    disabled: boolean;
+    created_at: number;
+    sig: string;
+    iss: "schemavaults-auth";
+    env: "development" | "staging" | "test" | "production";
+    orgs: readonly string[];
+}, {
+    sub: string;
+    uid: string;
+    email: string;
+    email_verified: boolean;
+    aud: string;
+    app: string;
+    admin: boolean;
+    disabled: boolean;
+    created_at: number;
+    sig: string;
+    iss: "schemavaults-auth";
+    env: "development" | "staging" | "test" | "production";
+    orgs: readonly string[];
+}>, {
+    sub: string;
+    uid: string;
+    email: string;
+    email_verified: boolean;
+    aud: string;
+    app: string;
+    admin: boolean;
+    disabled: boolean;
+    created_at: number;
+    sig: string;
+    iss: "schemavaults-auth";
+    env: "development" | "staging" | "test" | "production";
+    orgs: readonly string[];
+}, {
+    sub: string;
+    uid: string;
+    email: string;
+    email_verified: boolean;
+    aud: string;
+    app: string;
+    admin: boolean;
+    disabled: boolean;
+    created_at: number;
+    sig: string;
+    iss: "schemavaults-auth";
+    env: "development" | "staging" | "test" | "production";
+    orgs: readonly string[];
+}>;
+export type CustomJWTPayload = z.infer<typeof jwtPayloadSchema>;

package/dist/jwt/payload_data.js

@@ -0,0 +1,45 @@
+import { z } from "zod";
+import { REFRESH_TOKEN_AUDIENCE } from "./aud";
+import { appIdSchema, schemaVaultsAppEnvironmentSchema, } from "@schemavaults/app-definitions";
+import { audienceRefSchema, organizationIdSchema } from "@schemavaults/auth-common";
+// Data to hold in the JWT
+export const jwtPayloadSchema = z
+    .object({
+    uid: z.string().uuid(),
+    sub: z.string().uuid(),
+    email: z.string().email(),
+    email_verified: z.boolean(),
+    aud: audienceRefSchema, // Backend resource API UUID, either auth server url or a registered api server's unique UUID
+    app: appIdSchema, // Frontend client app UUID, either auth server url or a registered app's unique UUID
+    admin: z.boolean(),
+    disabled: z.boolean(),
+    created_at: z.number().refine(
+    // What time the user was created at
+    (creation_time) => {
+        return (creation_time <= Date.now());
+    }, "Creation time must not be in the future"),
+    sig: z.string().min(32).max(4096),
+    iss: z.literal(REFRESH_TOKEN_AUDIENCE),
+    env: schemaVaultsAppEnvironmentSchema,
+    orgs: organizationIdSchema.array().readonly(),
+})
+    .required({
+    uid: true,
+    sub: true,
+    email: true,
+    email_verified: true,
+    aud: true,
+    app: true,
+    admin: true,
+    disabled: true,
+    created_at: true,
+    sig: true,
+    iss: true,
+    env: true,
+    orgs: true,
+})
+    .strict()
+    .refine((jwt_payload) => {
+    return jwt_payload.sub === jwt_payload.uid;
+}, "Token subject does not match user ID");
+//# sourceMappingURL=payload_data.js.map

package/dist/jwt/payload_data.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"payload_data.js","sourceRoot":"","sources":["../../src/jwt/payload_data.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,MAAM,OAAO,CAAC;AAC/C,OAAO,EACL,WAAW,EACX,gCAAgC,GACjC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAEpF,0BAA0B;AAC1B,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC;KAC9B,MAAM,CAAC;IACN,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IACtB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;IACtB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,EAAE;IACzB,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE;IAC3B,GAAG,EAAE,iBAAiB,EAAE,6FAA6F;IACrH,GAAG,EAAE,WAAW,EAAE,qFAAqF;IACvG,KAAK,EAAE,CAAC,CAAC,OAAO,EAAE;IAClB,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE;IACrB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM;IAC3B,oCAAoC;IACpC,CAAC,aAAa,EAAW,EAAE;QACzB,OAAO,CAAC,aAAa,IAAI,IAAI,CAAC,GAAG,EAAE,CAAmB,CAAC;IACzD,CAAC,EACD,yCAAyC,CAC1C;IACD,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IACjC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC;IACtC,GAAG,EAAE,gCAAgC;IACrC,IAAI,EAAE,oBAAoB,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE;CAC9C,CAAC;KACD,QAAQ,CAAC;IACR,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,KAAK,EAAE,IAAI;IACX,cAAc,EAAE,IAAI;IACpB,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,KAAK,EAAE,IAAI;IACX,QAAQ,EAAE,IAAI;IACd,UAAU,EAAE,IAAI;IAChB,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,GAAG,EAAE,IAAI;IACT,IAAI,EAAE,IAAI;CACX,CAAC;KACD,MAAM,EAAE;KACR,MAAM,CAAC,CAAC,WAAW,EAAE,EAAE;IACtB,OAAO,WAAW,CAAC,GAAG,KAAK,WAAW,CAAC,GAAG,CAAC;AAC7C,CAAC,EAAE,sCAAsC,CAAC,CAAC"}

package/dist/jwt/sign.d.ts

@@ -0,0 +1,23 @@
+import { type CryptoKey } from "jose";
+import JWT_Keys from "./jwt_keys";
+import type { AuthTokenTypes, OrganizationID } from "@schemavaults/auth-common";
+import type { SchemaVaultsAppEnvironment } from "@schemavaults/app-definitions";
+interface BaseSignJSONWebTokenInputOptions<TokenType extends AuthTokenTypes> {
+    iat: number;
+    uid: string;
+    email: string;
+    audience: string;
+    type: TokenType;
+    env: SchemaVaultsAppEnvironment;
+    orgs: readonly OrganizationID[];
+}
+interface SignJSONWebTokenInputWithAllKeysOptions<TokenType extends AuthTokenTypes> extends BaseSignJSONWebTokenInputOptions<TokenType> {
+    jwt_keys: JWT_Keys;
+}
+interface SignJSONWebTokenInputWithSigningCryptoKeyOptions<TokenType extends AuthTokenTypes> extends BaseSignJSONWebTokenInputOptions<TokenType> {
+    signing_key: CryptoKey;
+    keyset_id: string;
+}
+export type SignJSONWebTokenInputOptions<TokenType extends AuthTokenTypes> = SignJSONWebTokenInputWithAllKeysOptions<TokenType> | SignJSONWebTokenInputWithSigningCryptoKeyOptions<TokenType>;
+export declare function signJWT<TokenType extends AuthTokenTypes>(opts: SignJSONWebTokenInputOptions<TokenType>): Promise<string>;
+export {};

package/dist/jwt/sign.js

@@ -0,0 +1,68 @@
+import { SignJWT } from "jose";
+import JWT_Keys from "./jwt_keys";
+import { issuer } from "./iss";
+import { getExpiryDurationString } from "./expiry";
+import signAndVerifyAlg from "./sign_verify_alg";
+import isValidUuid from "../utils/isValidUuid";
+export async function signJWT(opts) {
+    const type = opts.type;
+    const uid = opts.uid;
+    const sub = uid;
+    const orgs = opts.orgs;
+    if (typeof uid !== "string" || typeof sub !== "string" || uid !== sub) {
+        throw new Error("uid and sub must be defined and equal strings");
+    }
+    const env = opts.env;
+    let private_signing_key;
+    let keyset_id;
+    try {
+        if ("jwt_keys" in opts && opts.jwt_keys instanceof JWT_Keys) {
+            const jwt_keys = opts.jwt_keys;
+            const private_key_promise = jwt_keys.signing_key;
+            if (!private_key_promise) {
+                throw new Error("Failed to load private signing key from key store!");
+            }
+            private_signing_key = await private_key_promise;
+            keyset_id = jwt_keys.keyset_id;
+        }
+        else if ("signing_key" in opts) {
+            private_signing_key = opts.signing_key;
+            keyset_id = opts.keyset_id;
+        }
+        else {
+            throw new Error("Neither JWT keys nor signing key provided!");
+        }
+    }
+    catch (e) {
+        console.error("Failed to load private signing key from key store or input options: ", e);
+        throw new Error("Failed to load private signing key from key store or input options!");
+    }
+    if (!isValidUuid(keyset_id)) {
+        throw new Error("Invalid keyset ID provided!");
+    }
+    const signaturePayload = {
+        sub,
+        uid,
+        type,
+        env,
+        orgs
+    };
+    try {
+        return await new SignJWT(signaturePayload)
+            .setProtectedHeader({
+            alg: signAndVerifyAlg,
+            keyset_id,
+            kid: `${keyset_id}-verification` // the key needed for verification
+        })
+            .setAudience(opts.audience)
+            .setIssuedAt(opts.iat)
+            .setIssuer(issuer)
+            .setExpirationTime(getExpiryDurationString(type))
+            .sign(private_signing_key);
+    }
+    catch (e) {
+        console.error("Failed to sign JWT: ", e);
+        throw new Error("Failed to sign JWT!");
+    }
+}
+//# sourceMappingURL=sign.js.map

package/dist/jwt/sign.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/jwt/sign.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmC,OAAO,EAAE,MAAM,MAAM,CAAC;AAChE,OAAO,QAAQ,MAAM,YAAY,CAAC;AAClC,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAC/B,OAAO,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAGnD,OAAO,gBAAgB,MAAM,mBAAmB,CAAC;AACjD,OAAO,WAAW,MAAM,qBAAqB,CAAC;AA+B9C,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,IAA6C;IAE7C,MAAM,IAAI,GAAc,IAAI,CAAC,IAAI,CAAC;IAClC,MAAM,GAAG,GAAW,IAAI,CAAC,GAAG,CAAC;IAC7B,MAAM,GAAG,GAAW,GAAG,CAAC;IACxB,MAAM,IAAI,GAAsB,IAAI,CAAC,IAAI,CAAC;IAE1C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;IAGrB,IAAI,mBAA8B,CAAC;IACnC,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,IAAI,UAAU,IAAI,IAAI,IAAI,IAAI,CAAC,QAAQ,YAAY,QAAQ,EAAE,CAAC;YAC5D,MAAM,QAAQ,GAAa,IAAI,CAAC,QAAQ,CAAC;YACzC,MAAM,mBAAmB,GAA8B,QAAQ,CAAC,WAAW,CAAC;YAC5E,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBACzB,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;YACvE,CAAC;YACD,mBAAmB,GAAG,MAAM,mBAAmB,CAAC;YAChD,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;QACjC,CAAC;aAAM,IAAI,aAAa,IAAI,IAAI,EAAE,CAAC;YACjC,mBAAmB,GAAG,IAAI,CAAC,WAAW,CAAC;YACvC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC7B,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,sEAAsE,EAAE,CAAC,CAAC,CAAC;QACzF,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;IACzF,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,gBAAgB,GAAe;QACnC,GAAG;QACH,GAAG;QACH,IAAI;QACJ,GAAG;QACH,IAAI;KACL,CAAC;IAEF,IAAI,CAAC;QACH,OAAO,MAAM,IAAI,OAAO,CAAC,gBAAgB,CAAC;aACvC,kBAAkB,CAAC;YAClB,GAAG,EAAE,gBAAgB;YACrB,SAAS;YACT,GAAG,EAAE,GAAG,SAAS,eAAe,CAAC,kCAAkC;SACpE,CAAC;aACD,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;aAC1B,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC;aACrB,SAAS,CAAC,MAAM,CAAC;aACjB,iBAAiB,CAAC,uBAAuB,CAAC,IAAI,CAAC,CAAC;aAChD,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,sBAAsB,EAAE,CAAC,CAAC,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;AACH,CAAC"}

package/dist/jwt/sign_verify_alg.d.ts

@@ -0,0 +1,2 @@
+export declare const alg: "RS256";
+export default alg;

package/dist/jwt/sign_verify_alg.js

@@ -0,0 +1,3 @@
+export const alg = "RS256";
+export default alg;
+//# sourceMappingURL=sign_verify_alg.js.map

package/dist/jwt/sign_verify_alg.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign_verify_alg.js","sourceRoot":"","sources":["../../src/jwt/sign_verify_alg.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,GAAG,GAAG,OAAgB,CAAC;AACpC,eAAe,GAAG,CAAC"}

package/dist/jwt/verify_signature.d.ts

@@ -0,0 +1,23 @@
+import { type CryptoKey } from "jose";
+import { JWT_Keys } from "./jwt_keys";
+import type { AuthTokenTypes } from "@schemavaults/auth-common";
+import type { SchemaVaultsAppEnvironment } from "@schemavaults/app-definitions";
+interface BaseVerifyJWTSignatureInputOptions<TokenType extends AuthTokenTypes> {
+    jwt: string;
+    aud: string;
+    iat: number;
+    type: TokenType;
+    sub: string;
+    uid: string;
+    env: SchemaVaultsAppEnvironment;
+}
+interface VerifyJWTSignatureInputWithAllKeysOptions<TokenType extends AuthTokenTypes> extends BaseVerifyJWTSignatureInputOptions<TokenType> {
+    jwt_keys: JWT_Keys;
+}
+interface VerifyJWTSignatureInputWithVerificationKeyOptions<TokenType extends AuthTokenTypes> extends BaseVerifyJWTSignatureInputOptions<TokenType> {
+    verification_key: CryptoKey;
+    keyset_id: string;
+}
+export type VerifyJWTSignatureInputOptions<TokenType extends AuthTokenTypes> = VerifyJWTSignatureInputWithAllKeysOptions<TokenType> | VerifyJWTSignatureInputWithVerificationKeyOptions<TokenType>;
+export declare function verifyJWTSignature<TokenType extends AuthTokenTypes>({ jwt, ...opts }: VerifyJWTSignatureInputOptions<TokenType>): Promise<boolean>;
+export {};

package/dist/jwt/verify_signature.js

@@ -0,0 +1,86 @@
+import { jwtVerify, decodeProtectedHeader } from "jose";
+import { JWT_Keys } from "./jwt_keys";
+import { issuer } from "./iss";
+import isValidUuid from "../utils/isValidUuid";
+import signVerifyAlg from './sign_verify_alg';
+export async function verifyJWTSignature({ jwt, ...opts }) {
+    if (typeof opts.aud !== "string") {
+        console.error("Did not receive an audience option!");
+        return false;
+    }
+    if (!opts.sub || !opts.uid || opts.sub !== opts.uid) {
+        throw new Error("Invalid sub/uid field for jwt!");
+    }
+    let verification_key;
+    let keyset_id;
+    try {
+        if ("jwt_keys" in opts && opts.jwt_keys instanceof JWT_Keys) {
+            const verifierKeyPromise = opts.jwt_keys.verification_key;
+            verification_key = await verifierKeyPromise;
+            keyset_id = opts.jwt_keys.keyset_id;
+        }
+        else if ("verification_key" in opts) {
+            verification_key = opts.verification_key;
+            keyset_id = opts.keyset_id;
+        }
+        else {
+            throw new Error("Invalid input options, missing verification key!");
+        }
+    }
+    catch (e) {
+        console.error("Failed to retrieve verification key from key store or input options: ", e);
+        throw new Error("Failed to retrieve verification key from key store or input options!");
+    }
+    if (!isValidUuid(keyset_id)) {
+        throw new Error("Invalid keyset id!");
+    }
+    let alg;
+    let kid;
+    try {
+        const header = decodeProtectedHeader(jwt);
+        if (!header.alg || typeof header.alg !== 'string') {
+            throw new Error("Missing 'alg' claim in protected header!");
+        }
+        alg = header.alg;
+        if (!header.kid || typeof header.kid !== 'string') {
+            throw new Error("Missing 'kid' claim in protected header!");
+        }
+        kid = header.kid;
+        if (header.keyset_id !== keyset_id) {
+            throw new Error("Invalid keyset id; mismatch between 'keyset_id' in header and keyset ID associated with verification key!");
+        }
+    }
+    catch (e) {
+        console.error("Failed to decode protected header: ", e);
+        throw new Error("Failed to decode protected header!");
+    }
+    if (alg !== signVerifyAlg) {
+        throw new Error("Invalid algorithm; mismatch between 'alg' in header and algorithm associated with verification key!");
+    }
+    if (kid !== `${keyset_id}-verification`) {
+        throw new Error("Invalid key id; mismatch between 'kid' in header and key ID associated with verification key!");
+    }
+    try {
+        const verify_result = await jwtVerify(jwt, verification_key, {
+            audience: opts.aud,
+            issuer,
+            subject: opts.sub,
+            algorithms: [signVerifyAlg]
+        });
+        if (verify_result.payload.aud !== opts.aud) {
+            throw new Error("Decoded payload does not match input audience!");
+        }
+        if (verify_result.payload.iss !== issuer) {
+            throw new Error("Unexpected 'iss' claim in signature token!");
+        }
+        if (verify_result.payload.env !== opts.env) {
+            throw new Error("App environment mismatch!");
+        }
+    }
+    catch (e) {
+        console.error("Failed to verify jwt signature: ", e);
+        return false;
+    }
+    return true;
+}
+//# sourceMappingURL=verify_signature.js.map

package/dist/jwt/verify_signature.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify_signature.js","sourceRoot":"","sources":["../../src/jwt/verify_signature.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmB,SAAS,EAAwC,qBAAqB,EAA6B,MAAM,MAAM,CAAC;AAC1I,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,OAAO,CAAC;AAG/B,OAAO,WAAW,MAAM,qBAAqB,CAAC;AAC9C,OAAO,aAAa,MAAM,mBAAmB,CAAC;AA+B9C,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAEtC,EACA,GAAG,EACH,GAAG,IAAI,EACmC;IAC1C,IAAI,OAAO,IAAI,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACrD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IAED,IAAI,gBAA2B,CAAC;IAChC,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,IAAI,UAAU,IAAI,IAAI,IAAI,IAAI,CAAC,QAAQ,YAAY,QAAQ,EAAE,CAAC;YAC5D,MAAM,kBAAkB,GAAuB,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAC9E,gBAAgB,GAAG,MAAM,kBAAkB,CAAC;YAC5C,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;QACtC,CAAC;aAAM,IAAI,kBAAkB,IAAI,IAAI,EAAE,CAAC;YACtC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,CAAC;YACzC,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC7B,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,uEAAuE,EAAE,CAAC,CAAC,CAAC;QAC1F,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,MAAM,GAA8B,qBAAqB,CAAC,GAAG,CAAC,CAAC;QACrE,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACjB,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACjB,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,2GAA2G,CAAC,CAAC;QAC/H,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,qCAAqC,EAAE,CAAC,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,GAAG,KAAK,aAAa,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,qGAAqG,CAAC,CAAC;IACzH,CAAC;IAED,IAAI,GAAG,KAAK,GAAG,SAAS,eAAe,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,+FAA+F,CAAC,CAAC;IACnH,CAAC;IAED,IAAI,CAAC;QACH,MAAM,aAAa,GAAgC,MAAM,SAAS,CAAC,GAAG,EAAE,gBAAgB,EAAE;YACxF,QAAQ,EAAE,IAAI,CAAC,GAAG;YAClB,MAAM;YACN,OAAO,EAAE,IAAI,CAAC,GAAG;YACjB,UAAU,EAAE,CAAC,aAAa,CAAC;SAC5B,CAAC,CAAC;QAEH,IAAI,aAAa,CAAC,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,aAAa,CAAC,OAAO,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,IAAI,aAAa,CAAC,OAAO,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,EAAE,CAAC;YAC3C,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,kCAAkC,EAAE,CAAC,CAAC,CAAC;QACrD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/utils/fromBase64UrlEncoded.d.ts

@@ -0,0 +1,2 @@
+export declare function fromBase64UrlEncoded(base64url: string): string;
+export default fromBase64UrlEncoded;

package/dist/utils/fromBase64UrlEncoded.js

@@ -0,0 +1,5 @@
+export function fromBase64UrlEncoded(base64url) {
+    return Buffer.from(base64url, "base64url").toString("utf8").trim();
+}
+export default fromBase64UrlEncoded;
+//# sourceMappingURL=fromBase64UrlEncoded.js.map

package/dist/utils/fromBase64UrlEncoded.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fromBase64UrlEncoded.js","sourceRoot":"","sources":["../../src/utils/fromBase64UrlEncoded.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,oBAAoB,CAAC,SAAiB;IACpD,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;AACrE,CAAC;AAED,eAAe,oBAAoB,CAAC"}

package/dist/utils/getDefaultDebugState.d.ts

@@ -0,0 +1,2 @@
+import type { SchemaVaultsAppEnvironment } from "@schemavaults/app-definitions";
+export declare function getDefaultDebugState(environment: SchemaVaultsAppEnvironment): boolean;

package/dist/utils/getDefaultDebugState.js

@@ -0,0 +1,7 @@
+export function getDefaultDebugState(environment) {
+    if (environment === "development") {
+        return true;
+    }
+    return false;
+}
+//# sourceMappingURL=getDefaultDebugState.js.map

package/dist/utils/getDefaultDebugState.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getDefaultDebugState.js","sourceRoot":"","sources":["../../src/utils/getDefaultDebugState.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,oBAAoB,CAClC,WAAuC;IAEvC,IAAI,WAAW,KAAK,aAAa,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/utils/isValidBase64UrlEncoding.d.ts

@@ -0,0 +1,2 @@
+export declare function isValidBase64UrlEncoding(str: string): boolean;
+export default isValidBase64UrlEncoding;

package/dist/utils/isValidBase64UrlEncoding.js

@@ -0,0 +1,18 @@
+// Alternative version with more strict length validation
+function isBase64UrlStrict(str) {
+    // Base64URL regex with optional length validation
+    const base64UrlRegex = /^[A-Za-z0-9_-]+$/;
+    if (!str || str.length === 0) {
+        return false;
+    }
+    // Check regex pattern
+    if (!base64UrlRegex.test(str)) {
+        return false;
+    }
+    return str.length >= 1;
+}
+export function isValidBase64UrlEncoding(str) {
+    return isBase64UrlStrict(str);
+}
+export default isValidBase64UrlEncoding;
+//# sourceMappingURL=isValidBase64UrlEncoding.js.map

package/dist/utils/isValidBase64UrlEncoding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isValidBase64UrlEncoding.js","sourceRoot":"","sources":["../../src/utils/isValidBase64UrlEncoding.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,SAAS,iBAAiB,CAAC,GAAW;IACpC,kDAAkD;IAClD,MAAM,cAAc,GAAG,kBAAkB,CAAC;IAE1C,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,sBAAsB;IACtB,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,IAAI,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,wBAAwB,CAAC,GAAW;IAClD,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,eAAe,wBAAwB,CAAC"}

package/dist/utils/isValidUuid.d.ts

@@ -0,0 +1,2 @@
+export declare const isValidUuid: (value: unknown) => value is string;
+export default isValidUuid;

package/dist/utils/isValidUuid.js

@@ -0,0 +1,4 @@
+import { z } from "zod";
+export const isValidUuid = (value) => z.string().uuid().safeParse(value).success;
+export default isValidUuid;
+//# sourceMappingURL=isValidUuid.js.map

package/dist/utils/isValidUuid.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"isValidUuid.js","sourceRoot":"","sources":["../../src/utils/isValidUuid.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAAA,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,KAAc,EAAmB,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC;AACnI,eAAe,WAAW,CAAC"}

package/dist/utils/maybeStripQuotes.d.ts

@@ -0,0 +1,8 @@
+/**
+ *
+ * @param maybeQuotes A string or undefined
+ * @returns If the string is wrapped in quotes or whitespace, returns string without those quotes/whitespace
+ * @description Useful helper for parsing environment variables
+ */
+export declare function maybeStripQuotes(maybeQuotes?: string | undefined): string | undefined;
+export default maybeStripQuotes;

package/dist/utils/maybeStripQuotes.js

@@ -0,0 +1,20 @@
+/**
+ *
+ * @param maybeQuotes A string or undefined
+ * @returns If the string is wrapped in quotes or whitespace, returns string without those quotes/whitespace
+ * @description Useful helper for parsing environment variables
+ */
+export function maybeStripQuotes(maybeQuotes) {
+    if (!maybeQuotes)
+        return maybeQuotes;
+    const trimmed = maybeQuotes.trim();
+    if (trimmed.startsWith('"') && trimmed.endsWith('"')) {
+        return trimmed.slice(1, -1);
+    }
+    if (trimmed.startsWith("'") && trimmed.endsWith("'")) {
+        return trimmed.slice(1, -1);
+    }
+    return trimmed;
+}
+export default maybeStripQuotes;
+//# sourceMappingURL=maybeStripQuotes.js.map

package/dist/utils/maybeStripQuotes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"maybeStripQuotes.js","sourceRoot":"","sources":["../../src/utils/maybeStripQuotes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAC9B,WAAgC;IAEhC,IAAI,CAAC,WAAW;QAAE,OAAO,WAAW,CAAC;IACrC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC;IACnC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACrD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,eAAe,gBAAgB,CAAC"}

package/dist/utils/toBase64UrlEncoded.d.ts

@@ -0,0 +1,2 @@
+export declare function toBase64UrlEncoded(utf8: string): string;
+export default toBase64UrlEncoded;

package/dist/utils/toBase64UrlEncoded.js

@@ -0,0 +1,5 @@
+export function toBase64UrlEncoded(utf8) {
+    return Buffer.from(utf8, "utf8").toString("base64url").trim();
+}
+export default toBase64UrlEncoded;
+//# sourceMappingURL=toBase64UrlEncoded.js.map

package/dist/utils/toBase64UrlEncoded.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"toBase64UrlEncoded.js","sourceRoot":"","sources":["../../src/utils/toBase64UrlEncoded.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,IAAI,EAAE,CAAC;AAChE,CAAC;AAED,eAAe,kBAAkB,CAAC"}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@schemavaults/jwt",
+  "description": "Utility functions for authentication and authorization for use from the auth server or a resource server",
+  "version": "0.6.13",
+  "license": "UNLICENSED",
+  "private": false,
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/schemavaults/auth.git",
+    "directory": "packages/jwt"
+  },
+  "type": "module",
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "dependencies": {
+    "zod": "3.23.8",
+    "jose": "6.1.3",
+    "@schemavaults/auth-common": "0.7.27",
+    "@schemavaults/app-definitions": "0.6.1"
+  },
+  "scripts": {
+    "build": "tsc --project tsconfig.json && tsc-alias --project tsconfig.json",
+    "test": "SCHEMAVAULTS_APP_ENVIRONMENT=test bun test",
+    "cleanup:compiled-tests-output": "find ./dist -type f \\( -name \"*.test.js\" -o -name \"*.test.js.map\" -o -name \"*.test.d.ts\" \\) -delete",
+    "cleanup:delete-tests-dir": "rm -rf ./dist/tests",
+    "cleanup": "bun run cleanup:delete-tests-dir && bun run cleanup:compiled-tests-output",
+    "postbuild": "bun run cleanup",
+    "lint": "eslint src --ext .ts,.tsx"
+  },
+  "devDependencies": {
+    "typescript": "5.9.3",
+    "bun-types": "1.3.6",
+    "tsc-alias": "1.8.16",
+    "eslint": "9.39.1",
+    "@eslint/js": "9.39.1",
+    "globals": "16.5.0",
+    "@typescript-eslint/eslint-plugin": "8.48.1",
+    "@typescript-eslint/parser": "8.48.1"
+  },
+  "browser": {
+    "crypto": false
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "packageManager": "bun@1.3.6"
+}