@sourceregistry/node-jwt 1.5.3 → 1.5.4

package/dist/index-DNa3e1QZ.js

@@ -1,701 +0,0 @@
-import w, { sign as C, createSign as m, createHmac as I, verify as M, createVerify as v, timingSafeEqual as G, createPrivateKey as _, createSecretKey as N, createPublicKey as R, createHash as O } from "crypto";
-const K = {
-  encode: (e) => Buffer.from(e).toString("base64url"),
-  decode: (e) => Buffer.from(e, "base64url").toString()
-}, J = (e, t) => e.length !== t.length ? !1 : G(Buffer.from(e), Buffer.from(t));
-function W(e) {
-  switch (e) {
-    case "ES256":
-    case "ES256K":
-      return 64;
-    // 32 + 32
-    case "ES384":
-      return 96;
-    // 48 + 48
-    case "ES512":
-      return 132;
-    // 66 + 66 (P-521)
-    default:
-      throw new Error(`Unsupported ECDSA alg for JOSE conversion: ${e}`);
-  }
-}
-function V(e, t) {
-  let r = 0;
-  if (e[r++] !== 48) throw new Error("Invalid DER ECDSA signature");
-  let n = e[r++];
-  if (n & 128) {
-    const h = n & 127;
-    n = 0;
-    for (let o = 0; o < h; o++) n = n << 8 | e[r++];
-  }
-  if (e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (r)");
-  const s = e[r++];
-  let a = e.subarray(r, r + s);
-  if (r += s, e[r++] !== 2) throw new Error("Invalid DER ECDSA signature (s)");
-  const c = e[r++];
-  let i = e.subarray(r, r + c);
-  for (; a.length > t / 2 && a[0] === 0; ) a = a.subarray(1);
-  for (; i.length > t / 2 && i[0] === 0; ) i = i.subarray(1);
-  const d = Buffer.concat([Buffer.alloc(t / 2 - a.length, 0), a]), f = Buffer.concat([Buffer.alloc(t / 2 - i.length, 0), i]);
-  return Buffer.concat([d, f]);
-}
-function k(e) {
-  const t = e.length / 2;
-  let r = e.subarray(0, t), n = e.subarray(t);
-  for (; r.length > 1 && r[0] === 0 && (r[1] & 128) === 0; ) r = r.subarray(1);
-  for (; n.length > 1 && n[0] === 0 && (n[1] & 128) === 0; ) n = n.subarray(1);
-  r[0] & 128 && (r = Buffer.concat([Buffer.from([0]), r])), n[0] & 128 && (n = Buffer.concat([Buffer.from([0]), n]));
-  const s = Buffer.concat([Buffer.from([2, r.length]), r]), a = Buffer.concat([Buffer.from([2, n.length]), n]), c = s.length + a.length;
-  let i;
-  if (c < 128)
-    i = Buffer.from([c]);
-  else {
-    const d = [];
-    let f = c;
-    for (; f > 0; )
-      d.unshift(f & 255), f >>= 8;
-    i = Buffer.from([128 | d.length, ...d]);
-  }
-  return Buffer.concat([Buffer.from([48]), i, s, a]);
-}
-function $(e) {
-  return e === "ES256" || e === "ES384" || e === "ES512" || e === "ES256K";
-}
-const p = {
-  // HMAC
-  HS256: {
-    sign: (e, t) => I("sha256", t).update(e).digest("base64url"),
-    verify: (e, t, r) => {
-      const n = I("sha256", t).update(e).digest("base64url");
-      return J(n, r);
-    }
-  },
-  HS384: {
-    sign: (e, t) => I("sha384", t).update(e).digest("base64url"),
-    verify: (e, t, r) => {
-      const n = I("sha384", t).update(e).digest("base64url");
-      return J(n, r);
-    }
-  },
-  HS512: {
-    sign: (e, t) => I("sha512", t).update(e).digest("base64url"),
-    verify: (e, t, r) => {
-      const n = I("sha512", t).update(e).digest("base64url");
-      return J(n, r);
-    }
-  },
-  // RSA (DER-encoded signatures, base64url)
-  RS256: {
-    sign: (e, t) => m("RSA-SHA256").update(e).end().sign(t).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("RSA-SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  RS384: {
-    sign: (e, t) => m("RSA-SHA384").update(e).end().sign(t).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("RSA-SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  RS512: {
-    sign: (e, t) => m("RSA-SHA512").update(e).end().sign(t).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("RSA-SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  // ECDSA (DER-encoded by default — no dsaEncoding!)
-  ES256: {
-    sign: (e, t) => m("SHA256").update(e).end().sign(t).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  ES384: {
-    sign: (e, t) => m("SHA384").update(e).end().sign(t).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("SHA384").update(e).end().verify(t, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  ES512: {
-    sign: (e, t) => m("SHA512").update(e).end().sign(t).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("SHA512").update(e).end().verify(t, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  ES256K: {
-    sign: (e, t) => m("SHA256").update(e).end().sign(t).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("SHA256").update(e).end().verify(t, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  PS256: {
-    sign: (e, t) => m("RSA-SHA256").update(e).end().sign({
-      //@ts-ignore
-      key: t,
-      padding: w.constants.RSA_PKCS1_PSS_PADDING,
-      saltLength: 32
-    }).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("RSA-SHA256").update(e).end().verify({
-          //@ts-ignore
-          key: t,
-          padding: w.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: 32
-        }, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  PS384: {
-    sign: (e, t) => m("RSA-SHA384").update(e).end().sign({
-      //@ts-ignore
-      key: t,
-      padding: w.constants.RSA_PKCS1_PSS_PADDING,
-      saltLength: 48
-    }).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("RSA-SHA384").update(e).end().verify({
-          //@ts-ignore
-          key: t,
-          padding: w.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: 48
-        }, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  PS512: {
-    sign: (e, t) => m("RSA-SHA512").update(e).end().sign({
-      //@ts-ignore
-      key: t,
-      padding: w.constants.RSA_PKCS1_PSS_PADDING,
-      saltLength: 64
-    }).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return v("RSA-SHA512").update(e).end().verify({
-          //@ts-ignore
-          key: t,
-          padding: w.constants.RSA_PKCS1_PSS_PADDING,
-          saltLength: 64
-        }, Buffer.from(r, "base64url"));
-      } catch {
-        return !1;
-      }
-    }
-  },
-  EdDSA: {
-    sign: (e, t) => C(null, typeof e == "string" ? Buffer.from(e, "utf8") : e, t).toString("base64url"),
-    verify: (e, t, r) => {
-      try {
-        return M(
-          null,
-          typeof e == "string" ? Buffer.from(e, "utf8") : e,
-          t,
-          Buffer.from(r, "base64url")
-        );
-      } catch {
-        return !1;
-      }
-    }
-  }
-}, te = Object.keys(p);
-function j(e) {
-  if (e.type === "secret") return "HS256";
-  if (e.type !== "private") throw new Error("Only private or symmetric keys can be used to sign JWTs");
-  const t = e.asymmetricKeyType, r = e.asymmetricKeyDetails;
-  switch (t) {
-    case "rsa":
-      return "RS256";
-    case "rsa-pss": {
-      const n = r?.hashAlgorithm ?? "sha256";
-      switch (n) {
-        case "sha256":
-          return "PS256";
-        case "sha384":
-          return "PS384";
-        case "sha512":
-          return "PS512";
-        default:
-          throw new Error(`Unsupported RSA-PSS hash algorithm: ${n}`);
-      }
-    }
-    case "ec": {
-      const n = r?.namedCurve;
-      switch (n) {
-        case "P-256":
-        case "prime256v1":
-          return "ES256";
-        case "P-384":
-        case "secp384r1":
-          return "ES384";
-        case "P-521":
-        case "secp521r1":
-          return "ES512";
-        case "secp256k1":
-          return "ES256K";
-        default:
-          throw new Error(`Unsupported EC curve: ${n}`);
-      }
-    }
-    case "ed25519":
-      return "EdDSA";
-    default:
-      throw new Error(`Unsupported asymmetric key type: ${t}`);
-  }
-}
-function q(e) {
-  if (typeof e == "object" && "type" in e) return e;
-  try {
-    return _(e);
-  } catch {
-    const t = typeof e == "string" ? Buffer.from(e, "utf8") : Buffer.isBuffer(e) ? e : (() => {
-      throw new Error("Unsupported key type");
-    })();
-    return N(t);
-  }
-}
-const x = (e) => {
-  const t = e.split(".");
-  if (t.length !== 3)
-    throw new Error('Invalid JWT: must contain exactly 3 parts separated by "."');
-  const [r, n, s] = t;
-  if (!r || !n || !s)
-    throw new Error("Invalid JWT: empty part detected");
-  try {
-    const a = JSON.parse(K.decode(r)), c = JSON.parse(K.decode(n));
-    return { header: a, payload: c, signature: s };
-  } catch (a) {
-    throw new Error(`Invalid JWT: malformed header or payload (${a.message})`);
-  }
-}, F = (e, t, r = {}) => {
-  const n = q(t), s = r.alg ?? j(n), a = r.signatureFormat ?? "der", c = r.typ ?? "JWT";
-  if (!(s in p)) throw new Error(`Unsupported algorithm: ${s}`);
-  const i = { alg: s, typ: c };
-  r.kid && (i.kid = r.kid);
-  const d = K.encode(JSON.stringify(i)), f = K.encode(JSON.stringify(e)), h = `${d}.${f}`;
-  let o = p[s].sign(h, t);
-  if (a === "jose" && $(s)) {
-    const y = Buffer.from(o, "base64url");
-    o = V(y, W(s)).toString("base64url");
-  }
-  return `${d}.${f}.${o}`;
-}, z = (e, t, r = {}) => {
-  let n;
-  try {
-    n = x(e);
-  } catch (o) {
-    return {
-      valid: !1,
-      error: {
-        reason: o.message,
-        code: "INVALID_TOKEN"
-      }
-    };
-  }
-  const { header: s, payload: a, signature: c } = n, i = s.alg;
-  if (!(i in p))
-    return {
-      valid: !1,
-      error: {
-        reason: `Unsupported or unknown algorithm: ${s.alg}`,
-        code: "INVALID_ALGORITHM"
-      }
-    };
-  if (r.algorithms && r.algorithms.length > 0 && !r.algorithms.includes(i))
-    return {
-      valid: !1,
-      error: {
-        reason: `Algorithm "${i}" is not in the allowed algorithms list`,
-        code: "ALGORITHM_NOT_ALLOWED"
-      }
-    };
-  if (s.typ !== void 0 && s.typ !== "JWT")
-    return {
-      valid: !1,
-      error: {
-        reason: `Invalid token type: expected 'JWT', got '${s.typ}'`,
-        code: "INVALID_TYPE"
-      }
-    };
-  const d = `${K.encode(JSON.stringify(s))}.${K.encode(JSON.stringify(a))}`;
-  if ($(i)) {
-    const o = r.signatureFormat;
-    let y;
-    if (o === "jose")
-      try {
-        const S = Buffer.from(c, "base64url"), l = k(S).toString("base64url");
-        y = p[i].verify(d, t, l);
-      } catch {
-        y = !1;
-      }
-    else if (o === "der")
-      y = p[i].verify(d, t, c);
-    else if (y = p[i].verify(d, t, c), !y)
-      try {
-        const S = Buffer.from(c, "base64url");
-        if (S.length === W(i)) {
-          const l = k(S).toString("base64url");
-          y = p[i].verify(d, t, l);
-        }
-      } catch {
-      }
-    if (!y)
-      return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
-  } else if (!p[i].verify(d, t, c))
-    return { valid: !1, error: { reason: "Signature verification failed", code: "INVALID_SIGNATURE" } };
-  const f = Math.floor(Date.now() / 1e3), h = r.clockSkew ?? 0;
-  if (!r.ignoreExpiration && a.exp !== void 0 && f > a.exp + h)
-    return {
-      valid: !1,
-      error: {
-        reason: "Token expired",
-        code: "TOKEN_EXPIRED"
-      }
-    };
-  if (a.nbf !== void 0 && f + h < a.nbf)
-    return {
-      valid: !1,
-      error: {
-        reason: "Token not yet valid",
-        code: "TOKEN_NOT_ACTIVE"
-      }
-    };
-  if (a.iat !== void 0 && f + h < a.iat)
-    return {
-      valid: !1,
-      error: {
-        reason: "Token issued in the future",
-        code: "TOKEN_FUTURE_ISSUED"
-      }
-    };
-  if (r.maxTokenAge !== void 0 && a.iat !== void 0) {
-    const o = f - a.iat;
-    if (o > r.maxTokenAge)
-      return {
-        valid: !1,
-        error: {
-          reason: `Token age (${o}s) exceeds maximum allowed age (${r.maxTokenAge}s)`,
-          code: "TOKEN_TOO_OLD"
-        }
-      };
-  }
-  if (r.issuer !== void 0) {
-    if (a.iss === void 0)
-      return {
-        valid: !1,
-        error: {
-          reason: 'Token missing required issuer claim ("iss")',
-          code: "MISSING_ISSUER"
-        }
-      };
-    if (r.issuer !== a.iss)
-      return {
-        valid: !1,
-        error: {
-          reason: `Invalid token issuer: expected "${r.issuer}", got "${a.iss}"`,
-          code: "INVALID_ISSUER"
-        }
-      };
-  }
-  if (r.subject !== void 0) {
-    if (a.sub === void 0)
-      return {
-        valid: !1,
-        error: {
-          reason: 'Token missing required subject claim ("sub")',
-          code: "MISSING_SUBJECT"
-        }
-      };
-    if (r.subject !== a.sub)
-      return {
-        valid: !1,
-        error: {
-          reason: `Invalid token subject: expected "${r.subject}", got "${a.sub}"`,
-          code: "INVALID_SUBJECT"
-        }
-      };
-  }
-  if (r.audience !== void 0) {
-    const o = a.aud;
-    if (o === void 0)
-      return {
-        valid: !1,
-        error: {
-          reason: 'Token missing required audience claim ("aud")',
-          code: "MISSING_AUDIENCE"
-        }
-      };
-    const y = Array.isArray(r.audience) ? r.audience : [r.audience], S = Array.isArray(o) ? o : [o];
-    if (!y.some((u) => S.includes(u)))
-      return {
-        valid: !1,
-        error: {
-          reason: "Audience claim mismatch",
-          code: "INVALID_AUDIENCE"
-        }
-      };
-  }
-  if (r.jwtId !== void 0) {
-    if (a.jti === void 0)
-      return {
-        valid: !1,
-        error: {
-          reason: 'Token missing required JWT ID claim ("jti")',
-          code: "MISSING_JTI"
-        }
-      };
-    if (r.jwtId !== a.jti)
-      return {
-        valid: !1,
-        error: {
-          reason: `Invalid JWT ID: expected "${r.jwtId}", got "${a.jti}"`,
-          code: "INVALID_JTI"
-        }
-      };
-  }
-  return { valid: !0, header: s, payload: a, signature: c };
-}, ne = {
-  sign: F,
-  verify: z,
-  decode: x,
-  algorithms: p
-};
-function X(e) {
-  if (!e || typeof e != "object") throw new Error("Invalid KeyObject");
-  return e.export({ format: "jwk" });
-}
-function P(e) {
-  if (!e || typeof e != "object") throw new Error("Invalid JWK");
-  switch (e.kty) {
-    case "oct": {
-      if (!("k" in e) || typeof e.k != "string")
-        throw new Error('Invalid oct JWK: missing "k"');
-      return N(Buffer.from(e.k, "base64url"));
-    }
-    case "RSA":
-    case "EC":
-    case "OKP":
-      return "d" in e && typeof e.d == "string" ? _({ format: "jwk", key: e }) : R({ format: "jwk", key: e });
-    default:
-      throw new Error(`Unsupported JWK key type: ${e.kty}`);
-  }
-}
-function Y(e) {
-  if (!e || typeof e != "object")
-    throw new Error("Invalid KeyObject");
-  const r = (e.type === "private" ? R(e) : e).export({ format: "jwk" });
-  return delete r.d, delete r.p, delete r.q, delete r.dp, delete r.dq, delete r.qi, r;
-}
-function H(e, t = "sha256") {
-  if (!e || typeof e != "object")
-    throw new Error("Invalid JWK");
-  let r;
-  switch (e.kty) {
-    case "RSA":
-      r = { e: e.e, kty: e.kty, n: e.n };
-      break;
-    case "EC":
-      r = { crv: e.crv, kty: e.kty, x: e.x, y: e.y };
-      break;
-    case "OKP":
-      r = { crv: e.crv, kty: e.kty, x: e.x };
-      break;
-    case "oct":
-      r = { k: e.k, kty: e.kty };
-      break;
-    default:
-      throw new Error(`Unsupported JWK key type: ${e.kty}`);
-  }
-  const n = JSON.stringify(
-    Object.keys(r).sort().reduce((s, a) => (s[a] = r[a], s), {})
-  );
-  return O(t).update(n).digest("base64url");
-}
-function Q(e) {
-  if (e.x5c?.length)
-    return O("sha1").update(Buffer.from(e.x5c[0], "base64")).digest("base64url");
-}
-const ae = {
-  export: X,
-  import: P,
-  toPublic: Y,
-  thumbprint: H
-};
-function Z(e, t) {
-  if (!e || !Array.isArray(e.keys)) throw new Error("Invalid JWKS");
-  let r;
-  if (t && (r = e.keys.find((n) => n.kid === t)), !r && e.keys.length === 1 && (r = e.keys[0]), !r) throw new Error("Key not found in JWKS");
-  return P(r);
-}
-function D(e) {
-  return {
-    keys: T(...e.keys)
-  };
-}
-function T(...e) {
-  return e.map((t) => {
-    const r = {
-      ...t,
-      kid: t.kid ?? H(t),
-      x5t: t.x5t ?? Q(t)
-    };
-    return Object.defineProperty(r, "toKeyObject", {
-      enumerable: !1,
-      configurable: !1,
-      writable: !1,
-      value: () => P(r)
-    }), r;
-  });
-}
-const ee = async (e, t = {}) => {
-  const r = typeof e == "string" ? e : e.toString(), n = t.fetch ?? globalThis.fetch, s = Math.max(0, t.ttl ?? 5 * 6e4), a = Math.max(0, t.timeoutMs ?? 5e3), c = "/.well-known/jwks.json";
-  if (!n)
-    throw new Error("No fetch implementation available");
-  const i = (() => {
-    if (t.endpointOverride) {
-      const l = t.endpointOverride;
-      try {
-        return new URL(l, r).toString();
-      } catch {
-        return l;
-      }
-    }
-    return t.overrideEndpointCheck || r.endsWith(c) ? r : `${r.replace(/\/+$/, "")}${c}`;
-  })(), d = (() => {
-    if (t.cache) return t.cache;
-    let l;
-    return {
-      get: () => l,
-      set: (u, g) => {
-        l = g;
-      }
-    };
-  })();
-  let f, h = 0, o, y = 0;
-  const S = async (l) => {
-    if (o) return o;
-    o = (async () => {
-      const u = new AbortController();
-      let g;
-      a > 0 && (g = setTimeout(() => u.abort(), a));
-      let b;
-      try {
-        b = await n(i, { signal: u.signal });
-      } catch (E) {
-        throw u.signal.aborted ? new Error(`JWKS fetch timed out after ${a}ms`) : E;
-      } finally {
-        g && clearTimeout(g);
-      }
-      if (!b.ok)
-        throw new Error(`Failed to fetch JWKS: ${b.status} ${b.statusText}`);
-      const A = await b.json();
-      if (!A || typeof A != "object" || !Array.isArray(A.keys))
-        throw new Error("Invalid JWKS");
-      return D(A);
-    })();
-    try {
-      const u = await o;
-      return f = u, await d.set(i, u), y = 0, s > 0 && (h = Date.now() + s), u;
-    } catch (u) {
-      if (!l || !f)
-        throw u;
-      if (y += 1, s > 0) {
-        const g = Math.min(
-          Math.max(s, 3e4) * Math.pow(2, y - 1),
-          9e5
-        );
-        h = Date.now() + g;
-      }
-      return console.warn(`JWKS refresh failed for "${i}", using stale cache.`, u), f;
-    } finally {
-      o = void 0;
-    }
-  };
-  return f = await d.get(i), f ? (f = D(f), s > 0 && (h = Date.now() + s)) : f = await S(!1), {
-    async list() {
-      return s > 0 && Date.now() >= h && await S(!0), T(...f.keys);
-    },
-    async refresh() {
-      return await S(!1), this;
-    },
-    async key(l) {
-      const g = (await this.list()).find((b) => b.kid === l);
-      if (g)
-        return T(g)[0];
-    },
-    async find(l) {
-      const u = await this.list(), g = Object.entries(l);
-      return g.length === 0 ? T(...u) : T(...u.filter(
-        (b) => g.every(([A, E]) => {
-          const B = b[A];
-          return Array.isArray(E) ? Array.isArray(B) && B.length === E.length && B.every((U, L) => U === E[L]) : B === E;
-        })
-      ));
-    },
-    async findFirst(l) {
-      return this.find(l).then(([u]) => u);
-    },
-    export() {
-      return f;
-    }
-  };
-}, se = {
-  toKeyObject: Z,
-  normalize: D,
-  fromWeb: ee
-};
-export {
-  j as A,
-  ne as J,
-  p as S,
-  te as a,
-  K as b,
-  Q as c,
-  x as d,
-  X as e,
-  ae as f,
-  H as g,
-  Z as h,
-  P as i,
-  T as j,
-  ee as k,
-  se as l,
-  D as n,
-  F as s,
-  Y as t,
-  z as v
-};
-//# sourceMappingURL=index-DNa3e1QZ.js.map