@sourceregistry/node-jwt 1.3.1 → 1.4.0

package/README.md

@@ -14,7 +14,7 @@ Most JWT libraries are bloated, have security pitfalls, or lack proper TypeScrip
 * **Secure by default**
 * **TypeScript-first** with full JSDoc
 * **Zero external dependencies**
-* **100% test coverage**
+* **100% test coverage (Trying😉)**
 * **Dual API**: Sync and Promise-based
 * **Automatic algorithm detection based on key type**
 * **Full JWK/JWKS support** (`import/export`, `toPublicJWK`, `x5c/x5t`, RFC 7638 thumbprints, kid-based key selection)

package/dist/index-BmAAEOLC.js

@@ -0,0 +1,595 @@
+import p, { sign as R, createSign as l, createHmac as m, verify as x, createVerify as S, timingSafeEqual as O, createPrivateKey as I, createSecretKey as B, createPublicKey as T, createHash as K } from "crypto";
+const v = {
+  encode: (e) => Buffer.from(e).toString("base64url"),
+  decode: (e) => Buffer.from(e, "base64url").toString()
+}, b = (e, t) => e.length !== t.length ? !1 : O(Buffer.from(e), Buffer.from(t));
+function P(e) {
+  switch (e) {
+    case "ES256":
+    case "ES256K":
+      return 64;
+    // 32 + 32
+    case "ES384":
+      return 96;
+    // 48 + 48
+    case "ES512":
+      return 132;
+    // 66 + 66 (P-521)
+    default:
+      throw new Error(`Unsupported ECDSA alg for JOSE conversion: ${e}`);
+  }
+}
+function H(e, t) {
+  let r = 0;
+  if (e[r++] !== 48) throw new Error("Invalid DER ECDSA signature");
+  let n = e[r++];
+  if (n & 128) {
+    const y = n & 127;
+    n = 0;
+    for (let o = 0; o < y; o++) n = n << 8 | e[r++];
+  }
+  if (e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (r)");
+  const s = e[r++];
+  let a = e.subarray(r, r + s);
+  if (r += s, e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (s)");
+  const f = e[r++];
+  let i = e.subarray(r, r + f);
+  for (; a.length > t / 2 && a[0] === 0; ) a = a.subarray(1);
+  for (; i.length > t / 2 && i[0] === 0; ) i = i.subarray(1);
+  const u = Buffer.concat([Buffer.alloc(t / 2 - a.length, 0), a]), c = Buffer.concat([Buffer.alloc(t / 2 - i.length, 0), i]);
+  return Buffer.concat([u, c]);
+}
+function E(e) {
+  const t = e.length / 2;
+  let r = e.subarray(0, t), n = e.subarray(t);
+  for (; r.length > 1 && r[0] === 0 && (r[1] & 128) === 0; ) r = r.subarray(1);
+  for (; n.length > 1 && n[0] === 0 && (n[1] & 128) === 0; ) n = n.subarray(1);
+  r[0] & 128 && (r = Buffer.concat([Buffer.from([0]), r])), n[0] & 128 && (n = Buffer.concat([Buffer.from([0]), n]));
+  const s = Buffer.concat([Buffer.from([2, r.length]), r]), a = Buffer.concat([Buffer.from([2, n.length]), n]), f = s.length + a.length;
+  let i;
+  if (f < 128)
+    i = Buffer.from([f]);
+  else {
+    const u = [];
+    let c = f;
+    for (; c > 0; )
+      u.unshift(c & 255), c >>= 8;
+    i = Buffer.from([128 | u.length, ...u]);
+  }
+  return Buffer.concat([Buffer.from([48]), i, s, a]);
+}
+function D(e) {
+  return e === "ES256" || e === "ES384" || e === "ES512" || e === "ES256K";
+}
+const g = {
+  // HMAC
+  HS256: {
+    sign: (e, t) => m("sha256", t).update(e).digest("base64url"),
+    verify: (e, t, r) => {
+      const n = m("sha256", t).update(e).digest("base64url");
+      return b(n, r);
+    }
+  },
+  HS384: {
+    sign: (e, t) => m("sha384", t).update(e).digest("base64url"),
+    verify: (e, t, r) => {
+      const n = m("sha384", t).update(e).digest("base64url");
+      return b(n, r);
+    }
+  },
+  HS512: {
+    sign: (e, t) => m("sha512", t).update(e).digest("base64url"),
+    verify: (e, t, r) => {
+      const n = m("sha512", t).update(e).digest("base64url");
+      return b(n, r);
+    }
+  },
+  // RSA (DER-encoded signatures, base64url)
+  RS256: {
+    sign: (e, t) => l("RSA-SHA256").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  RS384: {
+    sign: (e, t) => l("RSA-SHA384").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  RS512: {
+    sign: (e, t) => l("RSA-SHA512").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  // ECDSA (DER-encoded by default — no dsaEncoding!)
+  ES256: {
+    sign: (e, t) => l("SHA256").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  ES384: {
+    sign: (e, t) => l("SHA384").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  ES512: {
+    sign: (e, t) => l("SHA512").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  ES256K: {
+    sign: (e, t) => l("SHA256").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  PS256: {
+    sign: (e, t) => l("RSA-SHA256").update(e).end().sign({
+      //@ts-ignore
+      key: t,
+      padding: p.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: 32
+    }).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA256").update(e).end().verify({
+          //@ts-ignore
+          key: t,
+          padding: p.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: 32
+        }, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  PS384: {
+    sign: (e, t) => l("RSA-SHA384").update(e).end().sign({
+      //@ts-ignore
+      key: t,
+      padding: p.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: 48
+    }).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA384").update(e).end().verify({
+          //@ts-ignore
+          key: t,
+          padding: p.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: 48
+        }, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  PS512: {
+    sign: (e, t) => l("RSA-SHA512").update(e).end().sign({
+      //@ts-ignore
+      key: t,
+      padding: p.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: 64
+    }).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA512").update(e).end().verify({
+          //@ts-ignore
+          key: t,
+          padding: p.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: 64
+        }, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  EdDSA: {
+    sign: (e, t) => R(null, typeof e == "string" ? Buffer.from(e, "utf8") : e, t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return x(
+          null,
+          typeof e == "string" ? Buffer.from(e, "utf8") : e,
+          t,
+          Buffer.from(r, "base64url")
+        );
+      } catch {
+        return !1;
+      }
+    }
+  }
+}, F = Object.keys(g);
+function $(e) {
+  if (e.type === "secret") return "HS256";
+  if (e.type !== "private") throw new Error("Only private or symmetric keys can be used to sign JWTs");
+  const t = e.asymmetricKeyType, r = e.asymmetricKeyDetails;
+  switch (t) {
+    case "rsa":
+      return "RS256";
+    case "rsa-pss": {
+      const n = r?.hashAlgorithm ?? "sha256";
+      switch (n) {
+        case "sha256":
+          return "PS256";
+        case "sha384":
+          return "PS384";
+        case "sha512":
+          return "PS512";
+        default:
+          throw new Error(`Unsupported RSA-PSS hash algorithm: ${n}`);
+      }
+    }
+    case "ec": {
+      const n = r?.namedCurve;
+      switch (n) {
+        case "P-256":
+        case "prime256v1":
+          return "ES256";
+        case "P-384":
+        case "secp384r1":
+          return "ES384";
+        case "P-521":
+        case "secp521r1":
+          return "ES512";
+        case "secp256k1":
+          return "ES256K";
+        default:
+          throw new Error(`Unsupported EC curve: ${n}`);
+      }
+    }
+    case "ed25519":
+      return "EdDSA";
+    default:
+      throw new Error(`Unsupported asymmetric key type: ${t}`);
+  }
+}
+function k(e) {
+  if (typeof e == "object" && "type" in e) return e;
+  try {
+    return I(e);
+  } catch {
+    const t = typeof e == "string" ? Buffer.from(e, "utf8") : Buffer.isBuffer(e) ? e : (() => {
+      throw new Error("Unsupported key type");
+    })();
+    return B(t);
+  }
+}
+const _ = (e) => {
+  const t = e.split(".");
+  if (t.length !== 3)
+    throw new Error('Invalid JWT: must contain exactly 3 parts separated by "."');
+  const [r, n, s] = t;
+  if (!r || !n || !s)
+    throw new Error("Invalid JWT: empty part detected");
+  try {
+    const a = JSON.parse(v.decode(r)), f = JSON.parse(v.decode(n));
+    return { header: a, payload: f, signature: s };
+  } catch (a) {
+    throw new Error(`Invalid JWT: malformed header or payload (${a.message})`);
+  }
+}, W = (e, t, r = {}) => {
+  const n = k(t), s = r.alg ?? $(n), a = r.signatureFormat ?? "der", f = r.typ ?? "JWT";
+  if (!(s in g)) throw new Error(`Unsupported algorithm: ${s}`);
+  const i = { alg: s, typ: f };
+  r.kid && (i.kid = r.kid);
+  const u = v.encode(JSON.stringify(i)), c = v.encode(JSON.stringify(e)), y = `${u}.${c}`;
+  let o = g[s].sign(y, t);
+  if (a === "jose" && D(s)) {
+    const d = Buffer.from(o, "base64url");
+    o = H(d, P(s)).toString("base64url");
+  }
+  return `${u}.${c}.${o}`;
+}, U = (e, t, r = {}) => {
+  let n;
+  try {
+    n = _(e);
+  } catch (o) {
+    return {
+      valid: !1,
+      error: {
+        reason: o.message,
+        code: "INVALID_TOKEN"
+      }
+    };
+  }
+  const { header: s, payload: a, signature: f } = n, i = s.alg;
+  if (!(i in g))
+    return {
+      valid: !1,
+      error: {
+        reason: `Unsupported or unknown algorithm: ${s.alg}`,
+        code: "INVALID_ALGORITHM"
+      }
+    };
+  if (r.algorithms && r.algorithms.length > 0 && !r.algorithms.includes(i))
+    return {
+      valid: !1,
+      error: {
+        reason: `Algorithm "${i}" is not in the allowed algorithms list`,
+        code: "ALGORITHM_NOT_ALLOWED"
+      }
+    };
+  if (s.typ !== void 0 && s.typ !== "JWT")
+    return {
+      valid: !1,
+      error: {
+        reason: `Invalid token type: expected 'JWT', got '${s.typ}'`,
+        code: "INVALID_TYPE"
+      }
+    };
+  const u = `${v.encode(JSON.stringify(s))}.${v.encode(JSON.stringify(a))}`;
+  if (D(i)) {
+    const o = r.signatureFormat;
+    let d;
+    if (o === "jose")
+      try {
+        const h = Buffer.from(f, "base64url"), A = E(h).toString("base64url");
+        d = g[i].verify(u, t, A);
+      } catch {
+        d = !1;
+      }
+    else if (o === "der")
+      d = g[i].verify(u, t, f);
+    else if (d = g[i].verify(u, t, f), !d)
+      try {
+        const h = Buffer.from(f, "base64url");
+        if (h.length === P(i)) {
+          const A = E(h).toString("base64url");
+          d = g[i].verify(u, t, A);
+        }
+      } catch {
+      }
+    if (!d)
+      return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
+  } else if (!g[i].verify(u, t, f))
+    return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
+  const c = Math.floor(Date.now() / 1e3), y = r.clockSkew ?? 0;
+  if (!r.ignoreExpiration && a.exp !== void 0 && c > a.exp + y)
+    return {
+      valid: !1,
+      error: {
+        reason: "Token expired",
+        code: "TOKEN_EXPIRED"
+      }
+    };
+  if (a.nbf !== void 0 && c + y < a.nbf)
+    return {
+      valid: !1,
+      error: {
+        reason: "Token not yet valid",
+        code: "TOKEN_NOT_ACTIVE"
+      }
+    };
+  if (a.iat !== void 0 && c + y < a.iat)
+    return {
+      valid: !1,
+      error: {
+        reason: "Token issued in the future",
+        code: "TOKEN_FUTURE_ISSUED"
+      }
+    };
+  if (r.maxTokenAge !== void 0 && a.iat !== void 0) {
+    const o = c - a.iat;
+    if (o > r.maxTokenAge)
+      return {
+        valid: !1,
+        error: {
+          reason: `Token age (${o}s) exceeds maximum allowed age (${r.maxTokenAge}s)`,
+          code: "TOKEN_TOO_OLD"
+        }
+      };
+  }
+  if (r.issuer !== void 0) {
+    if (a.iss === void 0)
+      return {
+        valid: !1,
+        error: {
+          reason: 'Token missing required issuer claim ("iss")',
+          code: "MISSING_ISSUER"
+        }
+      };
+    if (r.issuer !== a.iss)
+      return {
+        valid: !1,
+        error: {
+          reason: `Invalid token issuer: expected "${r.issuer}", got "${a.iss}"`,
+          code: "INVALID_ISSUER"
+        }
+      };
+  }
+  if (r.subject !== void 0) {
+    if (a.sub === void 0)
+      return {
+        valid: !1,
+        error: {
+          reason: 'Token missing required subject claim ("sub")',
+          code: "MISSING_SUBJECT"
+        }
+      };
+    if (r.subject !== a.sub)
+      return {
+        valid: !1,
+        error: {
+          reason: `Invalid token subject: expected "${r.subject}", got "${a.sub}"`,
+          code: "INVALID_SUBJECT"
+        }
+      };
+  }
+  if (r.audience !== void 0) {
+    const o = a.aud;
+    if (o === void 0)
+      return {
+        valid: !1,
+        error: {
+          reason: 'Token missing required audience claim ("aud")',
+          code: "MISSING_AUDIENCE"
+        }
+      };
+    const d = Array.isArray(r.audience) ? r.audience : [r.audience], h = Array.isArray(o) ? o : [o];
+    if (!d.some((N) => h.includes(N)))
+      return {
+        valid: !1,
+        error: {
+          reason: "Audience claim mismatch",
+          code: "INVALID_AUDIENCE"
+        }
+      };
+  }
+  if (r.jwtId !== void 0) {
+    if (a.jti === void 0)
+      return {
+        valid: !1,
+        error: {
+          reason: 'Token missing required JWT ID claim ("jti")',
+          code: "MISSING_JTI"
+        }
+      };
+    if (r.jwtId !== a.jti)
+      return {
+        valid: !1,
+        error: {
+          reason: `Invalid JWT ID: expected "${r.jwtId}", got "${a.jti}"`,
+          code: "INVALID_JTI"
+        }
+      };
+  }
+  return { valid: !0, header: s, payload: a, signature: f };
+}, j = {
+  sign: W,
+  verify: U,
+  decode: _,
+  algorithms: g
+};
+function L(e) {
+  if (!e || typeof e != "object") throw new Error("Invalid KeyObject");
+  return e.export({ format: "jwk" });
+}
+function J(e) {
+  if (!e || typeof e != "object") throw new Error("Invalid JWK");
+  switch (e.kty) {
+    case "oct": {
+      if (!("k" in e) || typeof e.k != "string")
+        throw new Error('Invalid oct JWK: missing "k"');
+      return B(Buffer.from(e.k, "base64url"));
+    }
+    case "RSA":
+    case "EC":
+    case "OKP":
+      return "d" in e && typeof e.d == "string" ? I({ format: "jwk", key: e }) : T({ format: "jwk", key: e });
+    default:
+      throw new Error(`Unsupported JWK key type: ${e.kty}`);
+  }
+}
+function C(e) {
+  if (!e || typeof e != "object")
+    throw new Error("Invalid KeyObject");
+  const r = (e.type === "private" ? T(e) : e).export({ format: "jwk" });
+  return delete r.d, delete r.p, delete r.q, delete r.dp, delete r.dq, delete r.qi, r;
+}
+function w(e, t = "sha256") {
+  if (!e || typeof e != "object")
+    throw new Error("Invalid JWK");
+  let r;
+  switch (e.kty) {
+    case "RSA":
+      r = { e: e.e, kty: e.kty, n: e.n };
+      break;
+    case "EC":
+      r = { crv: e.crv, kty: e.kty, x: e.x, y: e.y };
+      break;
+    case "OKP":
+      r = { crv: e.crv, kty: e.kty, x: e.x };
+      break;
+    case "oct":
+      r = { k: e.k, kty: e.kty };
+      break;
+    default:
+      throw new Error(`Unsupported JWK key type: ${e.kty}`);
+  }
+  const n = JSON.stringify(
+    Object.keys(r).sort().reduce((s, a) => (s[a] = r[a], s), {})
+  );
+  return K(t).update(n).digest("base64url");
+}
+function G(e) {
+  if (e.x5c?.length)
+    return K("sha1").update(Buffer.from(e.x5c[0], "base64")).digest("base64url");
+}
+const z = {
+  export: L,
+  import: J,
+  toPublic: C,
+  thumbprint: w
+};
+function V(e, t) {
+  if (!e || !Array.isArray(e.keys)) throw new Error("Invalid JWKS");
+  let r;
+  if (t && (r = e.keys.find((n) => n.kid === t)), !r && e.keys.length === 1 && (r = e.keys[0]), !r) throw new Error("Key not found in JWKS");
+  return J(r);
+}
+function q(e) {
+  return {
+    keys: e.keys.map((t) => ({
+      ...t,
+      kid: t.kid ?? w(t),
+      x5t: t.x5t ?? G(t)
+    }))
+  };
+}
+const X = {
+  toKeyObject: V,
+  normalize: q
+};
+export {
+  $ as A,
+  j as J,
+  g as S,
+  F as a,
+  v as b,
+  G as c,
+  _ as d,
+  L as e,
+  z as f,
+  w as g,
+  V as h,
+  J as i,
+  X as j,
+  q as n,
+  W as s,
+  C as t,
+  U as v
+};
+//# sourceMappingURL=index-BmAAEOLC.js.map