npm - @sourceregistry/node-jwt - Versions diffs - 1.3.1 → 1.4.1 - Mend

@sourceregistry/node-jwt 1.3.1 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md +37 -1
package/dist/index-BmAAEOLC.js +595 -0
package/dist/index-BmAAEOLC.js.map +1 -0
package/dist/index-eYY-I3Pd.cjs +2 -0
package/dist/index-eYY-I3Pd.cjs.map +1 -0
package/dist/index.cjs.js +1 -1
package/dist/index.es.js +1 -1
package/dist/jwt/index.d.ts +10 -0
package/dist/jwt/promises.d.ts +38 -52
package/dist/promises.cjs.js +1 -1
package/dist/promises.cjs.js.map +1 -1
package/dist/promises.es.js +37 -37
package/dist/promises.es.js.map +1 -1
package/package.json +5 -2
package/dist/index-CSRWSLal.cjs +0 -2
package/dist/index-CSRWSLal.cjs.map +0 -1
package/dist/index-DyXdSqEc.js +0 -515
package/dist/index-DyXdSqEc.js.map +0 -1

package/README.md CHANGED Viewed

@@ -14,7 +14,7 @@ Most JWT libraries are bloated, have security pitfalls, or lack proper TypeScrip
 * **Secure by default**
 * **TypeScript-first** with full JSDoc
 * **Zero external dependencies**
-* **100% test coverage**
+* **100% test coverage (Trying😉)**
 * **Dual API**: Sync and Promise-based
 * **Automatic algorithm detection based on key type**
 * **Full JWK/JWKS support** (`import/export`, `toPublicJWK`, `x5c/x5t`, RFC 7638 thumbprints, kid-based key selection)
@@ -166,6 +166,42 @@ const keyObject = JWKS.toKeyObject(jwks, jwk.kid);
 ---
+## 🔏 ECDSA Signature Format: DER vs JOSE (New)
+For **ECDSA** algorithms (`ES256`, `ES384`, `ES512`, `ES256K`) there are two common signature encodings:
+- **DER** (ASN.1) — what Node.js produces by default
+- **JOSE** (`r || s` raw signature) — required by the JWT/JWS spec and used by systems like **VAPID/Web Push (WNS)**
+### Default behavior
+By default, this library outputs **DER** signatures for `ES*` algorithms to match Node.js/OpenSSL defaults.
+### Enable JOSE output
+To generate spec-compliant JOSE ECDSA signatures, set:
+- `signatureFormat: "jose"` in `sign()`
+```ts
+import { sign, verify } from "@sourceregistry/node-jwt";
+const token = sign(
+  { sub: "123", iat: Math.floor(Date.now() / 1000) },
+  ecPrivateKey,
+  { alg: "ES256", signatureFormat: "jose" }
+);
+// Verify JOSE-signed token
+const result = verify(token, ecPublicKey, { signatureFormat: "jose" });
+````
+### Auto-detect verification (optional)
+If enabled in your version, `verify()` can also validate JOSE ECDSA signatures without specifying `signatureFormat` (it will try DER first, then JOSE).
+If you want strict behavior, pass `signatureFormat: "der"` or `signatureFormat: "jose"` explicitly.
+> 💡 For VAPID/Web Push (e.g. Windows WNS endpoints), you typically need `ES256` with `signatureFormat: "jose"`.
 ## 📚 API Reference
 ### `sign(payload, secret, options?)`

package/dist/index-BmAAEOLC.js ADDED Viewed

@@ -0,0 +1,595 @@
+import p, { sign as R, createSign as l, createHmac as m, verify as x, createVerify as S, timingSafeEqual as O, createPrivateKey as I, createSecretKey as B, createPublicKey as T, createHash as K } from "crypto";
+const v = {
+  encode: (e) => Buffer.from(e).toString("base64url"),
+  decode: (e) => Buffer.from(e, "base64url").toString()
+}, b = (e, t) => e.length !== t.length ? !1 : O(Buffer.from(e), Buffer.from(t));
+function P(e) {
+  switch (e) {
+    case "ES256":
+    case "ES256K":
+      return 64;
+    // 32 + 32
+    case "ES384":
+      return 96;
+    // 48 + 48
+    case "ES512":
+      return 132;
+    // 66 + 66 (P-521)
+    default:
+      throw new Error(`Unsupported ECDSA alg for JOSE conversion: ${e}`);
+  }
+}
+function H(e, t) {
+  let r = 0;
+  if (e[r++] !== 48) throw new Error("Invalid DER ECDSA signature");
+  let n = e[r++];
+  if (n & 128) {
+    const y = n & 127;
+    n = 0;
+    for (let o = 0; o < y; o++) n = n << 8 | e[r++];
+  }
+  if (e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (r)");
+  const s = e[r++];
+  let a = e.subarray(r, r + s);
+  if (r += s, e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (s)");
+  const f = e[r++];
+  let i = e.subarray(r, r + f);
+  for (; a.length > t / 2 && a[0] === 0; ) a = a.subarray(1);
+  for (; i.length > t / 2 && i[0] === 0; ) i = i.subarray(1);
+  const u = Buffer.concat([Buffer.alloc(t / 2 - a.length, 0), a]), c = Buffer.concat([Buffer.alloc(t / 2 - i.length, 0), i]);
+  return Buffer.concat([u, c]);
+}
+function E(e) {
+  const t = e.length / 2;
+  let r = e.subarray(0, t), n = e.subarray(t);
+  for (; r.length > 1 && r[0] === 0 && (r[1] & 128) === 0; ) r = r.subarray(1);
+  for (; n.length > 1 && n[0] === 0 && (n[1] & 128) === 0; ) n = n.subarray(1);
+  r[0] & 128 && (r = Buffer.concat([Buffer.from([0]), r])), n[0] & 128 && (n = Buffer.concat([Buffer.from([0]), n]));
+  const s = Buffer.concat([Buffer.from([2, r.length]), r]), a = Buffer.concat([Buffer.from([2, n.length]), n]), f = s.length + a.length;
+  let i;
+  if (f < 128)
+    i = Buffer.from([f]);
+  else {
+    const u = [];
+    let c = f;
+    for (; c > 0; )
+      u.unshift(c & 255), c >>= 8;
+    i = Buffer.from([128 | u.length, ...u]);
+  }
+  return Buffer.concat([Buffer.from([48]), i, s, a]);
+}
+function D(e) {
+  return e === "ES256" || e === "ES384" || e === "ES512" || e === "ES256K";
+}
+const g = {
+  // HMAC
+  HS256: {
+    sign: (e, t) => m("sha256", t).update(e).digest("base64url"),
+    verify: (e, t, r) => {
+      const n = m("sha256", t).update(e).digest("base64url");
+      return b(n, r);
+    }
+  },
+  HS384: {
+    sign: (e, t) => m("sha384", t).update(e).digest("base64url"),
+    verify: (e, t, r) => {
+      const n = m("sha384", t).update(e).digest("base64url");
+      return b(n, r);
+    }
+  },
+  HS512: {
+    sign: (e, t) => m("sha512", t).update(e).digest("base64url"),
+    verify: (e, t, r) => {
+      const n = m("sha512", t).update(e).digest("base64url");
+      return b(n, r);
+    }
+  },
+  // RSA (DER-encoded signatures, base64url)
+  RS256: {
+    sign: (e, t) => l("RSA-SHA256").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  RS384: {
+    sign: (e, t) => l("RSA-SHA384").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  RS512: {
+    sign: (e, t) => l("RSA-SHA512").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  // ECDSA (DER-encoded by default — no dsaEncoding!)
+  ES256: {
+    sign: (e, t) => l("SHA256").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  ES384: {
+    sign: (e, t) => l("SHA384").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  ES512: {
+    sign: (e, t) => l("SHA512").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  ES256K: {
+    sign: (e, t) => l("SHA256").update(e).end().sign(t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  PS256: {
+    sign: (e, t) => l("RSA-SHA256").update(e).end().sign({
+      //@ts-ignore
+      key: t,
+      padding: p.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: 32
+    }).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA256").update(e).end().verify({
+          //@ts-ignore
+          key: t,
+          padding: p.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: 32
+        }, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  PS384: {
+    sign: (e, t) => l("RSA-SHA384").update(e).end().sign({
+      //@ts-ignore
+      key: t,
+      padding: p.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: 48
+    }).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA384").update(e).end().verify({
+          //@ts-ignore
+          key: t,
+          padding: p.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: 48
+        }, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  PS512: {
+    sign: (e, t) => l("RSA-SHA512").update(e).end().sign({
+      //@ts-ignore
+      key: t,
+      padding: p.constants.RSA_PKCS1_PSS_PADDING,
+      saltLength: 64
+    }).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return S("RSA-SHA512").update(e).end().verify({
+          //@ts-ignore
+          key: t,
+          padding: p.constants.RSA_PKCS1_PSS_PADDING,
+          saltLength: 64
+        }, Buffer.from(r, "base64url"));
+      } catch {
+        return !1;
+      }
+    }
+  },
+  EdDSA: {
+    sign: (e, t) => R(null, typeof e == "string" ? Buffer.from(e, "utf8") : e, t).toString("base64url"),
+    verify: (e, t, r) => {
+      try {
+        return x(
+          null,
+          typeof e == "string" ? Buffer.from(e, "utf8") : e,
+          t,
+          Buffer.from(r, "base64url")
+        );
+      } catch {
+        return !1;
+      }
+    }
+  }
+}, F = Object.keys(g);
+function $(e) {
+  if (e.type === "secret") return "HS256";
+  if (e.type !== "private") throw new Error("Only private or symmetric keys can be used to sign JWTs");
+  const t = e.asymmetricKeyType, r = e.asymmetricKeyDetails;
+  switch (t) {
+    case "rsa":
+      return "RS256";
+    case "rsa-pss": {
+      const n = r?.hashAlgorithm ?? "sha256";
+      switch (n) {
+        case "sha256":
+          return "PS256";
+        case "sha384":
+          return "PS384";
+        case "sha512":
+          return "PS512";
+        default:
+          throw new Error(`Unsupported RSA-PSS hash algorithm: ${n}`);
+      }
+    }
+    case "ec": {
+      const n = r?.namedCurve;
+      switch (n) {
+        case "P-256":
+        case "prime256v1":
+          return "ES256";
+        case "P-384":
+        case "secp384r1":
+          return "ES384";
+        case "P-521":
+        case "secp521r1":
+          return "ES512";
+        case "secp256k1":
+          return "ES256K";
+        default:
+          throw new Error(`Unsupported EC curve: ${n}`);
+      }
+    }
+    case "ed25519":
+      return "EdDSA";
+    default:
+      throw new Error(`Unsupported asymmetric key type: ${t}`);
+  }
+}
+function k(e) {
+  if (typeof e == "object" && "type" in e) return e;
+  try {
+    return I(e);
+  } catch {
+    const t = typeof e == "string" ? Buffer.from(e, "utf8") : Buffer.isBuffer(e) ? e : (() => {
+      throw new Error("Unsupported key type");
+    })();
+    return B(t);
+  }
+}
+const _ = (e) => {
+  const t = e.split(".");
+  if (t.length !== 3)
+    throw new Error('Invalid JWT: must contain exactly 3 parts separated by "."');
+  const [r, n, s] = t;
+  if (!r || !n || !s)
+    throw new Error("Invalid JWT: empty part detected");
+  try {
+    const a = JSON.parse(v.decode(r)), f = JSON.parse(v.decode(n));
+    return { header: a, payload: f, signature: s };
+  } catch (a) {
+    throw new Error(`Invalid JWT: malformed header or payload (${a.message})`);
+  }
+}, W = (e, t, r = {}) => {
+  const n = k(t), s = r.alg ?? $(n), a = r.signatureFormat ?? "der", f = r.typ ?? "JWT";
+  if (!(s in g)) throw new Error(`Unsupported algorithm: ${s}`);
+  const i = { alg: s, typ: f };
+  r.kid && (i.kid = r.kid);
+  const u = v.encode(JSON.stringify(i)), c = v.encode(JSON.stringify(e)), y = `${u}.${c}`;
+  let o = g[s].sign(y, t);
+  if (a === "jose" && D(s)) {
+    const d = Buffer.from(o, "base64url");
+    o = H(d, P(s)).toString("base64url");
+  }
+  return `${u}.${c}.${o}`;
+}, U = (e, t, r = {}) => {
+  let n;
+  try {
+    n = _(e);
+  } catch (o) {
+    return {
+      valid: !1,
+      error: {
+        reason: o.message,
+        code: "INVALID_TOKEN"
+      }
+    };
+  }
+  const { header: s, payload: a, signature: f } = n, i = s.alg;
+  if (!(i in g))
+    return {
+      valid: !1,
+      error: {
+        reason: `Unsupported or unknown algorithm: ${s.alg}`,
+        code: "INVALID_ALGORITHM"
+      }
+    };
+  if (r.algorithms && r.algorithms.length > 0 && !r.algorithms.includes(i))
+    return {
+      valid: !1,
+      error: {
+        reason: `Algorithm "${i}" is not in the allowed algorithms list`,
+        code: "ALGORITHM_NOT_ALLOWED"
+      }
+    };
+  if (s.typ !== void 0 && s.typ !== "JWT")
+    return {
+      valid: !1,
+      error: {
+        reason: `Invalid token type: expected 'JWT', got '${s.typ}'`,
+        code: "INVALID_TYPE"
+      }
+    };
+  const u = `${v.encode(JSON.stringify(s))}.${v.encode(JSON.stringify(a))}`;
+  if (D(i)) {
+    const o = r.signatureFormat;
+    let d;
+    if (o === "jose")
+      try {
+        const h = Buffer.from(f, "base64url"), A = E(h).toString("base64url");
+        d = g[i].verify(u, t, A);
+      } catch {
+        d = !1;
+      }
+    else if (o === "der")
+      d = g[i].verify(u, t, f);
+    else if (d = g[i].verify(u, t, f), !d)
+      try {
+        const h = Buffer.from(f, "base64url");
+        if (h.length === P(i)) {
+          const A = E(h).toString("base64url");
+          d = g[i].verify(u, t, A);
+        }
+      } catch {
+      }
+    if (!d)
+      return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
+  } else if (!g[i].verify(u, t, f))
+    return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
+  const c = Math.floor(Date.now() / 1e3), y = r.clockSkew ?? 0;
+  if (!r.ignoreExpiration && a.exp !== void 0 && c > a.exp + y)
+    return {
+      valid: !1,
+      error: {
+        reason: "Token expired",
+        code: "TOKEN_EXPIRED"
+      }
+    };
+  if (a.nbf !== void 0 && c + y < a.nbf)
+    return {
+      valid: !1,
+      error: {
+        reason: "Token not yet valid",
+        code: "TOKEN_NOT_ACTIVE"
+      }
+    };
+  if (a.iat !== void 0 && c + y < a.iat)
+    return {
+      valid: !1,
+      error: {
+        reason: "Token issued in the future",
+        code: "TOKEN_FUTURE_ISSUED"
+      }
+    };
+  if (r.maxTokenAge !== void 0 && a.iat !== void 0) {
+    const o = c - a.iat;
+    if (o > r.maxTokenAge)
+      return {
+        valid: !1,
+        error: {
+          reason: `Token age (${o}s) exceeds maximum allowed age (${r.maxTokenAge}s)`,
+          code: "TOKEN_TOO_OLD"
+        }
+      };
+  }
+  if (r.issuer !== void 0) {
+    if (a.iss === void 0)
+      return {
+        valid: !1,
+        error: {
+          reason: 'Token missing required issuer claim ("iss")',
+          code: "MISSING_ISSUER"
+        }
+      };
+    if (r.issuer !== a.iss)
+      return {
+        valid: !1,
+        error: {
+          reason: `Invalid token issuer: expected "${r.issuer}", got "${a.iss}"`,
+          code: "INVALID_ISSUER"
+        }
+      };
+  }
+  if (r.subject !== void 0) {
+    if (a.sub === void 0)
+      return {
+        valid: !1,
+        error: {
+          reason: 'Token missing required subject claim ("sub")',
+          code: "MISSING_SUBJECT"
+        }
+      };
+    if (r.subject !== a.sub)
+      return {
+        valid: !1,
+        error: {
+          reason: `Invalid token subject: expected "${r.subject}", got "${a.sub}"`,
+          code: "INVALID_SUBJECT"
+        }
+      };
+  }
+  if (r.audience !== void 0) {
+    const o = a.aud;
+    if (o === void 0)
+      return {
+        valid: !1,
+        error: {
+          reason: 'Token missing required audience claim ("aud")',
+          code: "MISSING_AUDIENCE"
+        }
+      };
+    const d = Array.isArray(r.audience) ? r.audience : [r.audience], h = Array.isArray(o) ? o : [o];
+    if (!d.some((N) => h.includes(N)))
+      return {
+        valid: !1,
+        error: {
+          reason: "Audience claim mismatch",
+          code: "INVALID_AUDIENCE"
+        }
+      };
+  }
+  if (r.jwtId !== void 0) {
+    if (a.jti === void 0)
+      return {
+        valid: !1,
+        error: {
+          reason: 'Token missing required JWT ID claim ("jti")',
+          code: "MISSING_JTI"
+        }
+      };
+    if (r.jwtId !== a.jti)
+      return {
+        valid: !1,
+        error: {
+          reason: `Invalid JWT ID: expected "${r.jwtId}", got "${a.jti}"`,
+          code: "INVALID_JTI"
+        }
+      };
+  }
+  return { valid: !0, header: s, payload: a, signature: f };
+}, j = {
+  sign: W,
+  verify: U,
+  decode: _,
+  algorithms: g
+};
+function L(e) {
+  if (!e || typeof e != "object") throw new Error("Invalid KeyObject");
+  return e.export({ format: "jwk" });
+}
+function J(e) {
+  if (!e || typeof e != "object") throw new Error("Invalid JWK");
+  switch (e.kty) {
+    case "oct": {
+      if (!("k" in e) || typeof e.k != "string")
+        throw new Error('Invalid oct JWK: missing "k"');
+      return B(Buffer.from(e.k, "base64url"));
+    }
+    case "RSA":
+    case "EC":
+    case "OKP":
+      return "d" in e && typeof e.d == "string" ? I({ format: "jwk", key: e }) : T({ format: "jwk", key: e });
+    default:
+      throw new Error(`Unsupported JWK key type: ${e.kty}`);
+  }
+}
+function C(e) {
+  if (!e || typeof e != "object")
+    throw new Error("Invalid KeyObject");
+  const r = (e.type === "private" ? T(e) : e).export({ format: "jwk" });
+  return delete r.d, delete r.p, delete r.q, delete r.dp, delete r.dq, delete r.qi, r;
+}
+function w(e, t = "sha256") {
+  if (!e || typeof e != "object")
+    throw new Error("Invalid JWK");
+  let r;
+  switch (e.kty) {
+    case "RSA":
+      r = { e: e.e, kty: e.kty, n: e.n };
+      break;
+    case "EC":
+      r = { crv: e.crv, kty: e.kty, x: e.x, y: e.y };
+      break;
+    case "OKP":
+      r = { crv: e.crv, kty: e.kty, x: e.x };
+      break;
+    case "oct":
+      r = { k: e.k, kty: e.kty };
+      break;
+    default:
+      throw new Error(`Unsupported JWK key type: ${e.kty}`);
+  }
+  const n = JSON.stringify(
+    Object.keys(r).sort().reduce((s, a) => (s[a] = r[a], s), {})
+  );
+  return K(t).update(n).digest("base64url");
+}
+function G(e) {
+  if (e.x5c?.length)
+    return K("sha1").update(Buffer.from(e.x5c[0], "base64")).digest("base64url");
+}
+const z = {
+  export: L,
+  import: J,
+  toPublic: C,
+  thumbprint: w
+};
+function V(e, t) {
+  if (!e || !Array.isArray(e.keys)) throw new Error("Invalid JWKS");
+  let r;
+  if (t && (r = e.keys.find((n) => n.kid === t)), !r && e.keys.length === 1 && (r = e.keys[0]), !r) throw new Error("Key not found in JWKS");
+  return J(r);
+}
+function q(e) {
+  return {
+    keys: e.keys.map((t) => ({
+      ...t,
+      kid: t.kid ?? w(t),
+      x5t: t.x5t ?? G(t)
+    }))
+  };
+}
+const X = {
+  toKeyObject: V,
+  normalize: q
+};
+export {
+  $ as A,
+  j as J,
+  g as S,
+  F as a,
+  v as b,
+  G as c,
+  _ as d,
+  L as e,
+  z as f,
+  w as g,
+  V as h,
+  J as i,
+  X as j,
+  q as n,
+  W as s,
+  C as t,
+  U as v
+};
+//# sourceMappingURL=index-BmAAEOLC.js.map