@spfn/auth 0.1.0-alpha.87 → 0.2.0-beta.1

package/dist/lib/crypto.d.ts

@@ -1,76 +0,0 @@
-import { Algorithm } from 'jsonwebtoken';
-
-/**
- * @spfn/auth - Client Crypto Helpers
- *
- * ES256 (ECDSA P-256) key generation and JWT signing for Next.js
- * Keys are stored in DER format (Base64 encoded) for efficiency
- *
- * Key Sizes:
- * - ES256 (ECDSA P-256): ~91 bytes (Base64: ~120 chars)
- * - RS256 (RSA 2048):   ~294 bytes (Base64: ~392 chars)
- */
-
-type Unit = "Years" | "Year" | "Yrs" | "Yr" | "Y" | "Weeks" | "Week" | "W" | "Days" | "Day" | "D" | "Hours" | "Hour" | "Hrs" | "Hr" | "H" | "Minutes" | "Minute" | "Mins" | "Min" | "M" | "Seconds" | "Second" | "Secs" | "Sec" | "s" | "Milliseconds" | "Millisecond" | "Msecs" | "Msec" | "Ms";
-type UnitAnyCase = Unit | Uppercase<Unit> | Lowercase<Unit>;
-type StringValue = `${number}` | `${number}${UnitAnyCase}` | `${number} ${UnitAnyCase}`;
-interface KeyPair {
-    privateKey: string;
-    publicKey: string;
-    keyId: string;
-    fingerprint: string;
-    algorithm: 'ES256' | 'RS256';
-}
-interface TokenPayload {
-    userId?: string;
-    keyId?: string;
-    timestamp?: number;
-    exp?: number;
-    iat?: number;
-    iss?: string;
-    [key: string]: any;
-}
-/**
- * Generate ECDSA P-256 key pair (ES256)
- * Recommended for optimal size and performance
- */
-declare function generateKeyPairES256(): KeyPair;
-/**
- * Generate RSA 2048 key pair (RS256)
- * Fallback option, larger size but wider compatibility
- */
-declare function generateKeyPairRS256(): KeyPair;
-/**
- * Generate key pair (defaults to ES256)
- */
-declare function generateKeyPair(algorithm?: 'ES256' | 'RS256'): KeyPair;
-/**
- * Generate JWT signed with client private key (DER format)
- */
-declare function generateClientToken(payload: Record<string, any>, privateKeyB64: string, algorithm: Algorithm, options?: {
-    expiresIn?: StringValue | number;
-    issuer?: string;
-}): string;
-/**
- * Verify JWT with public key (DER format)
- *
- * @internal Used for testing/validation only
- * For production verification, use server-side verifyClientToken
- */
-declare function verifyClientToken(token: string, publicKeyB64: string, algorithm: 'ES256' | 'RS256'): TokenPayload;
-/**
- * Get key size information
- */
-declare function getKeySize(publicKeyB64: string): {
-    bytes: number;
-    base64Length: number;
-};
-/**
- * Check if key should be rotated based on creation date
- */
-declare function shouldRotateKey(createdAt: Date, rotationDays?: number): {
-    shouldRotate: boolean;
-    daysRemaining: number;
-};
-
-export { type KeyPair, type TokenPayload, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, getKeySize, shouldRotateKey, verifyClientToken };

package/dist/lib/crypto.js

@@ -1,127 +0,0 @@
-// src/lib/crypto.ts
-import crypto from "crypto";
-import jwt from "jsonwebtoken";
-function generateKeyPairES256() {
-  const keyId = crypto.randomUUID();
-  const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", {
-    namedCurve: "P-256",
-    // ES256
-    publicKeyEncoding: {
-      type: "spki",
-      format: "der"
-    },
-    privateKeyEncoding: {
-      type: "pkcs8",
-      format: "der"
-    }
-  });
-  const privateKeyB64 = privateKey.toString("base64");
-  const publicKeyB64 = publicKey.toString("base64");
-  const fingerprint = crypto.createHash("sha256").update(publicKey).digest("hex");
-  return {
-    privateKey: privateKeyB64,
-    publicKey: publicKeyB64,
-    keyId,
-    fingerprint,
-    algorithm: "ES256"
-  };
-}
-function generateKeyPairRS256() {
-  const keyId = crypto.randomUUID();
-  const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", {
-    modulusLength: 2048,
-    publicKeyEncoding: {
-      type: "spki",
-      format: "der"
-    },
-    privateKeyEncoding: {
-      type: "pkcs8",
-      format: "der"
-    }
-  });
-  const privateKeyB64 = privateKey.toString("base64");
-  const publicKeyB64 = publicKey.toString("base64");
-  const fingerprint = crypto.createHash("sha256").update(publicKey).digest("hex");
-  return {
-    privateKey: privateKeyB64,
-    publicKey: publicKeyB64,
-    keyId,
-    fingerprint,
-    algorithm: "RS256"
-  };
-}
-function generateKeyPair(algorithm = "ES256") {
-  return algorithm === "ES256" ? generateKeyPairES256() : generateKeyPairRS256();
-}
-function generateClientToken(payload, privateKeyB64, algorithm, options) {
-  try {
-    const privateKeyDER = Buffer.from(privateKeyB64, "base64");
-    const privateKeyObject = crypto.createPrivateKey({
-      key: privateKeyDER,
-      format: "der",
-      type: "pkcs8"
-    });
-    const privateKeyPEM = privateKeyObject.export({
-      type: "pkcs8",
-      format: "pem"
-    });
-    const signOptions = {
-      algorithm,
-      issuer: options?.issuer || "spfn-client",
-      expiresIn: options?.expiresIn ?? "15m"
-      // Default to 15 minutes
-    };
-    return jwt.sign(payload, privateKeyPEM, signOptions);
-  } catch (error) {
-    throw new Error(
-      `Failed to generate client token: ${error instanceof Error ? error.message : "Unknown error"}`
-    );
-  }
-}
-function verifyClientToken(token, publicKeyB64, algorithm) {
-  try {
-    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
-    const publicKeyObject = crypto.createPublicKey({
-      key: publicKeyDER,
-      format: "der",
-      type: "spki"
-    });
-    return jwt.verify(token, publicKeyObject, {
-      algorithms: [algorithm],
-      issuer: "spfn-client"
-    });
-  } catch (error) {
-    throw new Error(
-      `Failed to verify token: ${error instanceof Error ? error.message : "Unknown error"}`
-    );
-  }
-}
-function getKeySize(publicKeyB64) {
-  const keyDER = Buffer.from(publicKeyB64, "base64");
-  return {
-    bytes: keyDER.length,
-    base64Length: publicKeyB64.length
-  };
-}
-function shouldRotateKey(createdAt, rotationDays = 90) {
-  const now = /* @__PURE__ */ new Date();
-  const ageInDays = Math.floor(
-    (now.getTime() - createdAt.getTime()) / (1e3 * 60 * 60 * 24)
-  );
-  const daysRemaining = Math.max(0, rotationDays - ageInDays);
-  return {
-    shouldRotate: daysRemaining <= 7,
-    // Warn 7 days before expiry
-    daysRemaining
-  };
-}
-export {
-  generateClientToken,
-  generateKeyPair,
-  generateKeyPairES256,
-  generateKeyPairRS256,
-  getKeySize,
-  shouldRotateKey,
-  verifyClientToken
-};
-//# sourceMappingURL=crypto.js.map

package/dist/lib/crypto.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../src/lib/crypto.ts"],"sourcesContent":["/**\n * @spfn/auth - Client Crypto Helpers\n *\n * ES256 (ECDSA P-256) key generation and JWT signing for Next.js\n * Keys are stored in DER format (Base64 encoded) for efficiency\n *\n * Key Sizes:\n * - ES256 (ECDSA P-256): ~91 bytes (Base64: ~120 chars)\n * - RS256 (RSA 2048):   ~294 bytes (Base64: ~392 chars)\n */\n\nimport crypto from 'crypto';\nimport jwt, { type Algorithm, type SignOptions } from 'jsonwebtoken';\n\ntype Unit =\n    | \"Years\"\n    | \"Year\"\n    | \"Yrs\"\n    | \"Yr\"\n    | \"Y\"\n    | \"Weeks\"\n    | \"Week\"\n    | \"W\"\n    | \"Days\"\n    | \"Day\"\n    | \"D\"\n    | \"Hours\"\n    | \"Hour\"\n    | \"Hrs\"\n    | \"Hr\"\n    | \"H\"\n    | \"Minutes\"\n    | \"Minute\"\n    | \"Mins\"\n    | \"Min\"\n    | \"M\"\n    | \"Seconds\"\n    | \"Second\"\n    | \"Secs\"\n    | \"Sec\"\n    | \"s\"\n    | \"Milliseconds\"\n    | \"Millisecond\"\n    | \"Msecs\"\n    | \"Msec\"\n    | \"Ms\";\n\ntype UnitAnyCase = Unit | Uppercase<Unit> | Lowercase<Unit>;\n\ntype StringValue =\n    | `${number}`\n    | `${number}${UnitAnyCase}`\n    | `${number} ${UnitAnyCase}`;\n\nexport interface KeyPair\n{\n    privateKey: string;     // Base64 encoded DER\n    publicKey: string;      // Base64 encoded DER\n    keyId: string;          // UUID\n    fingerprint: string;    // SHA-256 hash\n    algorithm: 'ES256' | 'RS256';\n}\n\nexport interface TokenPayload\n{\n    userId?: string;\n    keyId?: string;\n    timestamp?: number;\n    exp?: number;\n    iat?: number;\n    iss?: string;\n    [key: string]: any;\n}\n\n/**\n * Generate ECDSA P-256 key pair (ES256)\n * Recommended for optimal size and performance\n */\nexport function generateKeyPairES256(): KeyPair\n{\n    const keyId = crypto.randomUUID();\n\n    const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', {\n        namedCurve: 'P-256', // ES256\n        publicKeyEncoding: {\n            type: 'spki',\n            format: 'der',\n        },\n        privateKeyEncoding: {\n            type: 'pkcs8',\n            format: 'der',\n        },\n    });\n\n    // Convert Buffer to Base64\n    const privateKeyB64 = privateKey.toString('base64');\n    const publicKeyB64 = publicKey.toString('base64');\n\n    // Generate fingerprint (SHA-256 of public key)\n    const fingerprint = crypto\n        .createHash('sha256')\n        .update(publicKey)\n        .digest('hex');\n\n    return {\n        privateKey: privateKeyB64,\n        publicKey: publicKeyB64,\n        keyId,\n        fingerprint,\n        algorithm: 'ES256',\n    };\n}\n\n/**\n * Generate RSA 2048 key pair (RS256)\n * Fallback option, larger size but wider compatibility\n */\nexport function generateKeyPairRS256(): KeyPair\n{\n    const keyId = crypto.randomUUID();\n\n    const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {\n        modulusLength: 2048,\n        publicKeyEncoding: {\n            type: 'spki',\n            format: 'der',\n        },\n        privateKeyEncoding: {\n            type: 'pkcs8',\n            format: 'der',\n        },\n    });\n\n    const privateKeyB64 = privateKey.toString('base64');\n    const publicKeyB64 = publicKey.toString('base64');\n\n    const fingerprint = crypto\n        .createHash('sha256')\n        .update(publicKey)\n        .digest('hex');\n\n    return {\n        privateKey: privateKeyB64,\n        publicKey: publicKeyB64,\n        keyId,\n        fingerprint,\n        algorithm: 'RS256',\n    };\n}\n\n/**\n * Generate key pair (defaults to ES256)\n */\nexport function generateKeyPair(\n    algorithm: 'ES256' | 'RS256' = 'ES256'\n): KeyPair\n{\n    return algorithm === 'ES256'\n        ? generateKeyPairES256()\n        : generateKeyPairRS256();\n}\n\n/**\n * Generate JWT signed with client private key (DER format)\n */\nexport function generateClientToken(\n    payload: Record<string, any>,\n    privateKeyB64: string,\n    algorithm: Algorithm,\n    options?: {\n        expiresIn?: StringValue | number;\n        issuer?: string;\n    }\n): string\n{\n    try\n    {\n        // Convert Base64 back to Buffer\n        const privateKeyDER = Buffer.from(privateKeyB64, 'base64');\n\n        // Create key object for signing\n        const privateKeyObject = crypto.createPrivateKey({\n            key: privateKeyDER,\n            format: 'der',\n            type: 'pkcs8',\n        });\n\n        // Export as PEM for jwt.sign\n        const privateKeyPEM = privateKeyObject.export({\n            type: 'pkcs8',\n            format: 'pem',\n        });\n\n        const signOptions: SignOptions = {\n            algorithm,\n            issuer: options?.issuer || 'spfn-client',\n            expiresIn: options?.expiresIn ?? '15m', // Default to 15 minutes\n        }\n\n        return jwt.sign(payload, privateKeyPEM, signOptions);\n    }\n    catch (error)\n    {\n        throw new Error(\n            `Failed to generate client token: ${error instanceof Error ? error.message : 'Unknown error'}`\n        );\n    }\n}\n\n/**\n * Verify JWT with public key (DER format)\n *\n * @internal Used for testing/validation only\n * For production verification, use server-side verifyClientToken\n */\nexport function verifyClientToken(\n    token: string,\n    publicKeyB64: string,\n    algorithm: 'ES256' | 'RS256'\n): TokenPayload\n{\n    try\n    {\n        // Convert Base64 to Buffer\n        const publicKeyDER = Buffer.from(publicKeyB64, 'base64');\n\n        // Create key object for verification\n        const publicKeyObject = crypto.createPublicKey({\n            key: publicKeyDER,\n            format: 'der',\n            type: 'spki',\n        });\n\n        return jwt.verify(token, publicKeyObject, {\n            algorithms: [algorithm],\n            issuer: 'spfn-client',\n        }) as TokenPayload;\n    }\n    catch (error)\n    {\n        throw new Error(\n            `Failed to verify token: ${error instanceof Error ? error.message : 'Unknown error'}`\n        );\n    }\n}\n\n/**\n * Get key size information\n */\nexport function getKeySize(publicKeyB64: string): {\n    bytes: number;\n    base64Length: number;\n}\n{\n    const keyDER = Buffer.from(publicKeyB64, 'base64');\n\n    return {\n        bytes: keyDER.length,\n        base64Length: publicKeyB64.length,\n    };\n}\n\n/**\n * Check if key should be rotated based on creation date\n */\nexport function shouldRotateKey(\n    createdAt: Date,\n    rotationDays: number = 90\n): {\n    shouldRotate: boolean;\n    daysRemaining: number;\n}\n{\n    const now = new Date();\n    const ageInDays = Math.floor(\n        (now.getTime() - createdAt.getTime()) / (1000 * 60 * 60 * 24)\n    );\n    const daysRemaining = Math.max(0, rotationDays - ageInDays);\n\n    return {\n        shouldRotate: daysRemaining <= 7, // Warn 7 days before expiry\n        daysRemaining,\n    };\n}"],"mappings":";AAWA,OAAO,YAAY;AACnB,OAAO,SAA+C;AAkE/C,SAAS,uBAChB;AACI,QAAM,QAAQ,OAAO,WAAW;AAEhC,QAAM,EAAE,YAAY,UAAU,IAAI,OAAO,oBAAoB,MAAM;AAAA,IAC/D,YAAY;AAAA;AAAA,IACZ,mBAAmB;AAAA,MACf,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ;AAAA,IACA,oBAAoB;AAAA,MAChB,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ;AAAA,EACJ,CAAC;AAGD,QAAM,gBAAgB,WAAW,SAAS,QAAQ;AAClD,QAAM,eAAe,UAAU,SAAS,QAAQ;AAGhD,QAAM,cAAc,OACf,WAAW,QAAQ,EACnB,OAAO,SAAS,EAChB,OAAO,KAAK;AAEjB,SAAO;AAAA,IACH,YAAY;AAAA,IACZ,WAAW;AAAA,IACX;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACf;AACJ;AAMO,SAAS,uBAChB;AACI,QAAM,QAAQ,OAAO,WAAW;AAEhC,QAAM,EAAE,YAAY,UAAU,IAAI,OAAO,oBAAoB,OAAO;AAAA,IAChE,eAAe;AAAA,IACf,mBAAmB;AAAA,MACf,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ;AAAA,IACA,oBAAoB;AAAA,MAChB,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ;AAAA,EACJ,CAAC;AAED,QAAM,gBAAgB,WAAW,SAAS,QAAQ;AAClD,QAAM,eAAe,UAAU,SAAS,QAAQ;AAEhD,QAAM,cAAc,OACf,WAAW,QAAQ,EACnB,OAAO,SAAS,EAChB,OAAO,KAAK;AAEjB,SAAO;AAAA,IACH,YAAY;AAAA,IACZ,WAAW;AAAA,IACX;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACf;AACJ;AAKO,SAAS,gBACZ,YAA+B,SAEnC;AACI,SAAO,cAAc,UACf,qBAAqB,IACrB,qBAAqB;AAC/B;AAKO,SAAS,oBACZ,SACA,eACA,WACA,SAKJ;AACI,MACA;AAEI,UAAM,gBAAgB,OAAO,KAAK,eAAe,QAAQ;AAGzD,UAAM,mBAAmB,OAAO,iBAAiB;AAAA,MAC7C,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACV,CAAC;AAGD,UAAM,gBAAgB,iBAAiB,OAAO;AAAA,MAC1C,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ,CAAC;AAED,UAAM,cAA2B;AAAA,MAC7B;AAAA,MACA,QAAQ,SAAS,UAAU;AAAA,MAC3B,WAAW,SAAS,aAAa;AAAA;AAAA,IACrC;AAEA,WAAO,IAAI,KAAK,SAAS,eAAe,WAAW;AAAA,EACvD,SACO,OACP;AACI,UAAM,IAAI;AAAA,MACN,oCAAoC,iBAAiB,QAAQ,MAAM,UAAU,eAAe;AAAA,IAChG;AAAA,EACJ;AACJ;AAQO,SAAS,kBACZ,OACA,cACA,WAEJ;AACI,MACA;AAEI,UAAM,eAAe,OAAO,KAAK,cAAc,QAAQ;AAGvD,UAAM,kBAAkB,OAAO,gBAAgB;AAAA,MAC3C,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACV,CAAC;AAED,WAAO,IAAI,OAAO,OAAO,iBAAiB;AAAA,MACtC,YAAY,CAAC,SAAS;AAAA,MACtB,QAAQ;AAAA,IACZ,CAAC;AAAA,EACL,SACO,OACP;AACI,UAAM,IAAI;AAAA,MACN,2BAA2B,iBAAiB,QAAQ,MAAM,UAAU,eAAe;AAAA,IACvF;AAAA,EACJ;AACJ;AAKO,SAAS,WAAW,cAI3B;AACI,QAAM,SAAS,OAAO,KAAK,cAAc,QAAQ;AAEjD,SAAO;AAAA,IACH,OAAO,OAAO;AAAA,IACd,cAAc,aAAa;AAAA,EAC/B;AACJ;AAKO,SAAS,gBACZ,WACA,eAAuB,IAK3B;AACI,QAAM,MAAM,oBAAI,KAAK;AACrB,QAAM,YAAY,KAAK;AAAA,KAClB,IAAI,QAAQ,IAAI,UAAU,QAAQ,MAAM,MAAO,KAAK,KAAK;AAAA,EAC9D;AACA,QAAM,gBAAgB,KAAK,IAAI,GAAG,eAAe,SAAS;AAE1D,SAAO;AAAA,IACH,cAAc,iBAAiB;AAAA;AAAA,IAC/B;AAAA,EACJ;AACJ;","names":[]}

package/dist/lib/index.d.ts

@@ -1,4 +0,0 @@
-export { KeyPair, TokenPayload, generateClientToken, generateKeyPair, generateKeyPairES256, generateKeyPairRS256, getKeySize, shouldRotateKey, verifyClientToken } from './crypto.js';
-export { SessionData, getSessionInfo, sealSession, shouldRefreshSession, unsealSession, validateSessionSecret } from './session.js';
-export { AuthConfig, COOKIE_NAMES, configureAuth, getAuthConfig, getSessionTtl, parseDuration } from './config.js';
-import 'jsonwebtoken';

package/dist/lib/index.js

@@ -1,313 +0,0 @@
-// src/lib/crypto.ts
-import crypto2 from "crypto";
-import jwt from "jsonwebtoken";
-function generateKeyPairES256() {
-  const keyId = crypto2.randomUUID();
-  const { privateKey, publicKey } = crypto2.generateKeyPairSync("ec", {
-    namedCurve: "P-256",
-    // ES256
-    publicKeyEncoding: {
-      type: "spki",
-      format: "der"
-    },
-    privateKeyEncoding: {
-      type: "pkcs8",
-      format: "der"
-    }
-  });
-  const privateKeyB64 = privateKey.toString("base64");
-  const publicKeyB64 = publicKey.toString("base64");
-  const fingerprint = crypto2.createHash("sha256").update(publicKey).digest("hex");
-  return {
-    privateKey: privateKeyB64,
-    publicKey: publicKeyB64,
-    keyId,
-    fingerprint,
-    algorithm: "ES256"
-  };
-}
-function generateKeyPairRS256() {
-  const keyId = crypto2.randomUUID();
-  const { privateKey, publicKey } = crypto2.generateKeyPairSync("rsa", {
-    modulusLength: 2048,
-    publicKeyEncoding: {
-      type: "spki",
-      format: "der"
-    },
-    privateKeyEncoding: {
-      type: "pkcs8",
-      format: "der"
-    }
-  });
-  const privateKeyB64 = privateKey.toString("base64");
-  const publicKeyB64 = publicKey.toString("base64");
-  const fingerprint = crypto2.createHash("sha256").update(publicKey).digest("hex");
-  return {
-    privateKey: privateKeyB64,
-    publicKey: publicKeyB64,
-    keyId,
-    fingerprint,
-    algorithm: "RS256"
-  };
-}
-function generateKeyPair(algorithm = "ES256") {
-  return algorithm === "ES256" ? generateKeyPairES256() : generateKeyPairRS256();
-}
-function generateClientToken(payload, privateKeyB64, algorithm, options) {
-  try {
-    const privateKeyDER = Buffer.from(privateKeyB64, "base64");
-    const privateKeyObject = crypto2.createPrivateKey({
-      key: privateKeyDER,
-      format: "der",
-      type: "pkcs8"
-    });
-    const privateKeyPEM = privateKeyObject.export({
-      type: "pkcs8",
-      format: "pem"
-    });
-    const signOptions = {
-      algorithm,
-      issuer: options?.issuer || "spfn-client",
-      expiresIn: options?.expiresIn ?? "15m"
-      // Default to 15 minutes
-    };
-    return jwt.sign(payload, privateKeyPEM, signOptions);
-  } catch (error) {
-    throw new Error(
-      `Failed to generate client token: ${error instanceof Error ? error.message : "Unknown error"}`
-    );
-  }
-}
-function verifyClientToken(token, publicKeyB64, algorithm) {
-  try {
-    const publicKeyDER = Buffer.from(publicKeyB64, "base64");
-    const publicKeyObject = crypto2.createPublicKey({
-      key: publicKeyDER,
-      format: "der",
-      type: "spki"
-    });
-    return jwt.verify(token, publicKeyObject, {
-      algorithms: [algorithm],
-      issuer: "spfn-client"
-    });
-  } catch (error) {
-    throw new Error(
-      `Failed to verify token: ${error instanceof Error ? error.message : "Unknown error"}`
-    );
-  }
-}
-function getKeySize(publicKeyB64) {
-  const keyDER = Buffer.from(publicKeyB64, "base64");
-  return {
-    bytes: keyDER.length,
-    base64Length: publicKeyB64.length
-  };
-}
-function shouldRotateKey(createdAt, rotationDays = 90) {
-  const now = /* @__PURE__ */ new Date();
-  const ageInDays = Math.floor(
-    (now.getTime() - createdAt.getTime()) / (1e3 * 60 * 60 * 24)
-  );
-  const daysRemaining = Math.max(0, rotationDays - ageInDays);
-  return {
-    shouldRotate: daysRemaining <= 7,
-    // Warn 7 days before expiry
-    daysRemaining
-  };
-}
-
-// src/lib/session.ts
-import * as jose from "jose";
-function calculateEntropy(str) {
-  const len = str.length;
-  const frequencies = /* @__PURE__ */ new Map();
-  for (const char of str) {
-    frequencies.set(char, (frequencies.get(char) || 0) + 1);
-  }
-  let entropy = 0;
-  for (const count of frequencies.values()) {
-    const probability = count / len;
-    entropy -= probability * Math.log2(probability);
-  }
-  return entropy;
-}
-async function getSessionSecret() {
-  const secret = process.env.SPFN_AUTH_SESSION_SECRET || // New prefixed version (recommended)
-  process.env.SESSION_SECRET;
-  if (!secret) {
-    throw new Error("SPFN_AUTH_SESSION_SECRET environment variable is not set");
-  }
-  if (secret.length < 32) {
-    throw new Error("SPFN_AUTH_SESSION_SECRET must be at least 32 characters long");
-  }
-  const encoder = new TextEncoder();
-  const data = encoder.encode(secret);
-  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-  return new Uint8Array(hashBuffer);
-}
-async function sealSession(data, ttl = 60 * 60 * 24 * 7) {
-  const secret = await getSessionSecret();
-  return await new jose.EncryptJWT({ data }).setProtectedHeader({ alg: "dir", enc: "A256GCM" }).setIssuedAt().setExpirationTime(`${ttl}s`).setIssuer("spfn-auth").setAudience("spfn-client").encrypt(secret);
-}
-async function unsealSession(jwt2) {
-  const secret = await getSessionSecret();
-  try {
-    const { payload } = await jose.jwtDecrypt(jwt2, secret, {
-      issuer: "spfn-auth",
-      audience: "spfn-client"
-    });
-    return payload.data;
-  } catch (err) {
-    if (err instanceof jose.errors.JWTExpired) {
-      throw new Error("Session expired");
-    }
-    if (err instanceof jose.errors.JWEDecryptionFailed) {
-      throw new Error("Invalid session");
-    }
-    if (err instanceof jose.errors.JWTClaimValidationFailed) {
-      throw new Error("Session validation failed");
-    }
-    throw new Error("Failed to unseal session");
-  }
-}
-async function getSessionInfo(jwt2) {
-  const secret = await getSessionSecret();
-  try {
-    const { payload } = await jose.jwtDecrypt(jwt2, secret);
-    return {
-      issuedAt: new Date(payload.iat * 1e3),
-      expiresAt: new Date(payload.exp * 1e3),
-      issuer: payload.iss || "",
-      audience: Array.isArray(payload.aud) ? payload.aud[0] : payload.aud || ""
-    };
-  } catch (err) {
-    if (process.env.NODE_ENV !== "production") {
-      console.warn("[Session] Failed to get session info:", err instanceof Error ? err.message : "Unknown error");
-    }
-    return null;
-  }
-}
-async function shouldRefreshSession(jwt2, thresholdHours = 24) {
-  const info = await getSessionInfo(jwt2);
-  if (!info) {
-    return true;
-  }
-  const hoursRemaining = (info.expiresAt.getTime() - Date.now()) / (1e3 * 60 * 60);
-  return hoursRemaining < thresholdHours;
-}
-function validateSessionSecret() {
-  try {
-    const secret = process.env.SPFN_AUTH_SESSION_SECRET || // New prefixed version (recommended)
-    process.env.SESSION_SECRET;
-    if (!secret) {
-      return { valid: false, error: "SPFN_AUTH_SESSION_SECRET is not set" };
-    }
-    const length = secret.length;
-    const uniqueChars = new Set(secret).size;
-    const entropy = calculateEntropy(secret);
-    if (length < 32) {
-      return {
-        valid: false,
-        error: `SPFN_AUTH_SESSION_SECRET too short (${length} chars, minimum 32)`,
-        details: { length, uniqueChars, entropy }
-      };
-    }
-    if (uniqueChars < 16) {
-      return {
-        valid: false,
-        error: `SPFN_AUTH_SESSION_SECRET has low diversity (${uniqueChars} unique chars, minimum 16)`,
-        details: { length, uniqueChars, entropy }
-      };
-    }
-    if (entropy < 3.5) {
-      return {
-        valid: false,
-        error: `SPFN_AUTH_SESSION_SECRET has low entropy (${entropy.toFixed(2)} bits/char, minimum 3.5). Use a more random secret.`,
-        details: { length, uniqueChars, entropy }
-      };
-    }
-    return {
-      valid: true,
-      details: { length, uniqueChars, entropy }
-    };
-  } catch (err) {
-    return { valid: false, error: "Failed to validate SPFN_AUTH_SESSION_SECRET" };
-  }
-}
-
-// src/lib/config.ts
-var COOKIE_NAMES = {
-  /** Encrypted session data (userId, privateKey, keyId, algorithm) */
-  SESSION: "spfn_session",
-  /** Current key ID (for key rotation) */
-  SESSION_KEY_ID: "spfn_session_key_id"
-};
-function parseDuration(duration) {
-  if (typeof duration === "number") {
-    return duration;
-  }
-  const match = duration.match(/^(\d+)([dhms]?)$/);
-  if (!match) {
-    throw new Error(`Invalid duration format: ${duration}. Use format like '30d', '12h', '45m', '3600s', or plain number.`);
-  }
-  const value = parseInt(match[1], 10);
-  const unit = match[2] || "s";
-  switch (unit) {
-    case "d":
-      return value * 24 * 60 * 60;
-    case "h":
-      return value * 60 * 60;
-    case "m":
-      return value * 60;
-    case "s":
-      return value;
-    default:
-      throw new Error(`Unknown duration unit: ${unit}`);
-  }
-}
-var globalConfig = {
-  sessionTtl: "7d"
-  // Default: 7 days
-};
-function configureAuth(config) {
-  globalConfig = {
-    ...globalConfig,
-    ...config
-  };
-}
-function getAuthConfig() {
-  return { ...globalConfig };
-}
-function getSessionTtl(override) {
-  if (override !== void 0) {
-    return parseDuration(override);
-  }
-  if (globalConfig.sessionTtl !== void 0) {
-    return parseDuration(globalConfig.sessionTtl);
-  }
-  const envTtl = process.env.SPFN_AUTH_SESSION_TTL;
-  if (envTtl) {
-    return parseDuration(envTtl);
-  }
-  return 7 * 24 * 60 * 60;
-}
-export {
-  COOKIE_NAMES,
-  configureAuth,
-  generateClientToken,
-  generateKeyPair,
-  generateKeyPairES256,
-  generateKeyPairRS256,
-  getAuthConfig,
-  getKeySize,
-  getSessionInfo,
-  getSessionTtl,
-  parseDuration,
-  sealSession,
-  shouldRefreshSession,
-  shouldRotateKey,
-  unsealSession,
-  validateSessionSecret,
-  verifyClientToken
-};
-//# sourceMappingURL=index.js.map

package/dist/lib/index.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../src/lib/crypto.ts","../../src/lib/session.ts","../../src/lib/config.ts"],"sourcesContent":["/**\n * @spfn/auth - Client Crypto Helpers\n *\n * ES256 (ECDSA P-256) key generation and JWT signing for Next.js\n * Keys are stored in DER format (Base64 encoded) for efficiency\n *\n * Key Sizes:\n * - ES256 (ECDSA P-256): ~91 bytes (Base64: ~120 chars)\n * - RS256 (RSA 2048):   ~294 bytes (Base64: ~392 chars)\n */\n\nimport crypto from 'crypto';\nimport jwt, { type Algorithm, type SignOptions } from 'jsonwebtoken';\n\ntype Unit =\n    | \"Years\"\n    | \"Year\"\n    | \"Yrs\"\n    | \"Yr\"\n    | \"Y\"\n    | \"Weeks\"\n    | \"Week\"\n    | \"W\"\n    | \"Days\"\n    | \"Day\"\n    | \"D\"\n    | \"Hours\"\n    | \"Hour\"\n    | \"Hrs\"\n    | \"Hr\"\n    | \"H\"\n    | \"Minutes\"\n    | \"Minute\"\n    | \"Mins\"\n    | \"Min\"\n    | \"M\"\n    | \"Seconds\"\n    | \"Second\"\n    | \"Secs\"\n    | \"Sec\"\n    | \"s\"\n    | \"Milliseconds\"\n    | \"Millisecond\"\n    | \"Msecs\"\n    | \"Msec\"\n    | \"Ms\";\n\ntype UnitAnyCase = Unit | Uppercase<Unit> | Lowercase<Unit>;\n\ntype StringValue =\n    | `${number}`\n    | `${number}${UnitAnyCase}`\n    | `${number} ${UnitAnyCase}`;\n\nexport interface KeyPair\n{\n    privateKey: string;     // Base64 encoded DER\n    publicKey: string;      // Base64 encoded DER\n    keyId: string;          // UUID\n    fingerprint: string;    // SHA-256 hash\n    algorithm: 'ES256' | 'RS256';\n}\n\nexport interface TokenPayload\n{\n    userId?: string;\n    keyId?: string;\n    timestamp?: number;\n    exp?: number;\n    iat?: number;\n    iss?: string;\n    [key: string]: any;\n}\n\n/**\n * Generate ECDSA P-256 key pair (ES256)\n * Recommended for optimal size and performance\n */\nexport function generateKeyPairES256(): KeyPair\n{\n    const keyId = crypto.randomUUID();\n\n    const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', {\n        namedCurve: 'P-256', // ES256\n        publicKeyEncoding: {\n            type: 'spki',\n            format: 'der',\n        },\n        privateKeyEncoding: {\n            type: 'pkcs8',\n            format: 'der',\n        },\n    });\n\n    // Convert Buffer to Base64\n    const privateKeyB64 = privateKey.toString('base64');\n    const publicKeyB64 = publicKey.toString('base64');\n\n    // Generate fingerprint (SHA-256 of public key)\n    const fingerprint = crypto\n        .createHash('sha256')\n        .update(publicKey)\n        .digest('hex');\n\n    return {\n        privateKey: privateKeyB64,\n        publicKey: publicKeyB64,\n        keyId,\n        fingerprint,\n        algorithm: 'ES256',\n    };\n}\n\n/**\n * Generate RSA 2048 key pair (RS256)\n * Fallback option, larger size but wider compatibility\n */\nexport function generateKeyPairRS256(): KeyPair\n{\n    const keyId = crypto.randomUUID();\n\n    const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {\n        modulusLength: 2048,\n        publicKeyEncoding: {\n            type: 'spki',\n            format: 'der',\n        },\n        privateKeyEncoding: {\n            type: 'pkcs8',\n            format: 'der',\n        },\n    });\n\n    const privateKeyB64 = privateKey.toString('base64');\n    const publicKeyB64 = publicKey.toString('base64');\n\n    const fingerprint = crypto\n        .createHash('sha256')\n        .update(publicKey)\n        .digest('hex');\n\n    return {\n        privateKey: privateKeyB64,\n        publicKey: publicKeyB64,\n        keyId,\n        fingerprint,\n        algorithm: 'RS256',\n    };\n}\n\n/**\n * Generate key pair (defaults to ES256)\n */\nexport function generateKeyPair(\n    algorithm: 'ES256' | 'RS256' = 'ES256'\n): KeyPair\n{\n    return algorithm === 'ES256'\n        ? generateKeyPairES256()\n        : generateKeyPairRS256();\n}\n\n/**\n * Generate JWT signed with client private key (DER format)\n */\nexport function generateClientToken(\n    payload: Record<string, any>,\n    privateKeyB64: string,\n    algorithm: Algorithm,\n    options?: {\n        expiresIn?: StringValue | number;\n        issuer?: string;\n    }\n): string\n{\n    try\n    {\n        // Convert Base64 back to Buffer\n        const privateKeyDER = Buffer.from(privateKeyB64, 'base64');\n\n        // Create key object for signing\n        const privateKeyObject = crypto.createPrivateKey({\n            key: privateKeyDER,\n            format: 'der',\n            type: 'pkcs8',\n        });\n\n        // Export as PEM for jwt.sign\n        const privateKeyPEM = privateKeyObject.export({\n            type: 'pkcs8',\n            format: 'pem',\n        });\n\n        const signOptions: SignOptions = {\n            algorithm,\n            issuer: options?.issuer || 'spfn-client',\n            expiresIn: options?.expiresIn ?? '15m', // Default to 15 minutes\n        }\n\n        return jwt.sign(payload, privateKeyPEM, signOptions);\n    }\n    catch (error)\n    {\n        throw new Error(\n            `Failed to generate client token: ${error instanceof Error ? error.message : 'Unknown error'}`\n        );\n    }\n}\n\n/**\n * Verify JWT with public key (DER format)\n *\n * @internal Used for testing/validation only\n * For production verification, use server-side verifyClientToken\n */\nexport function verifyClientToken(\n    token: string,\n    publicKeyB64: string,\n    algorithm: 'ES256' | 'RS256'\n): TokenPayload\n{\n    try\n    {\n        // Convert Base64 to Buffer\n        const publicKeyDER = Buffer.from(publicKeyB64, 'base64');\n\n        // Create key object for verification\n        const publicKeyObject = crypto.createPublicKey({\n            key: publicKeyDER,\n            format: 'der',\n            type: 'spki',\n        });\n\n        return jwt.verify(token, publicKeyObject, {\n            algorithms: [algorithm],\n            issuer: 'spfn-client',\n        }) as TokenPayload;\n    }\n    catch (error)\n    {\n        throw new Error(\n            `Failed to verify token: ${error instanceof Error ? error.message : 'Unknown error'}`\n        );\n    }\n}\n\n/**\n * Get key size information\n */\nexport function getKeySize(publicKeyB64: string): {\n    bytes: number;\n    base64Length: number;\n}\n{\n    const keyDER = Buffer.from(publicKeyB64, 'base64');\n\n    return {\n        bytes: keyDER.length,\n        base64Length: publicKeyB64.length,\n    };\n}\n\n/**\n * Check if key should be rotated based on creation date\n */\nexport function shouldRotateKey(\n    createdAt: Date,\n    rotationDays: number = 90\n): {\n    shouldRotate: boolean;\n    daysRemaining: number;\n}\n{\n    const now = new Date();\n    const ageInDays = Math.floor(\n        (now.getTime() - createdAt.getTime()) / (1000 * 60 * 60 * 24)\n    );\n    const daysRemaining = Math.max(0, rotationDays - ageInDays);\n\n    return {\n        shouldRotate: daysRemaining <= 7, // Warn 7 days before expiry\n        daysRemaining,\n    };\n}","/**\n * @spfn/auth - Client Session Management\n *\n * Uses Jose JWE (JSON Web Encryption) to securely store session data in cookies\n * More efficient than Iron Session with better Edge Runtime support\n */\n\nimport * as jose from 'jose';\n\nexport interface SessionData\n{\n    userId: string;\n    privateKey: string;     // Base64 encoded DER\n    keyId: string;\n    algorithm: 'ES256' | 'RS256';\n}\n\n/**\n * Calculate Shannon entropy of a string\n * Returns entropy in bits per character\n *\n * @param str - String to calculate entropy for\n * @returns Entropy value (0 to ~6.6 bits for printable ASCII)\n */\nfunction calculateEntropy(str: string): number\n{\n    const len = str.length;\n    const frequencies = new Map<string, number>();\n\n    // Count character frequencies\n    for (const char of str)\n    {\n        frequencies.set(char, (frequencies.get(char) || 0) + 1);\n    }\n\n    // Calculate Shannon entropy\n    let entropy = 0;\n    for (const count of frequencies.values())\n    {\n        const probability = count / len;\n        entropy -= probability * Math.log2(probability);\n    }\n\n    return entropy;\n}\n\n/**\n * Get session secret from environment\n * Must be at least 32 characters (256-bit)\n *\n * Derives a 32-byte key using SHA-256 to ensure compatibility with Jose A256GCM\n */\nasync function getSessionSecret(): Promise<Uint8Array>\n{\n    const secret =\n        process.env.SPFN_AUTH_SESSION_SECRET ||  // New prefixed version (recommended)\n        process.env.SESSION_SECRET;               // Legacy fallback\n\n    if (!secret)\n    {\n        throw new Error('SPFN_AUTH_SESSION_SECRET environment variable is not set');\n    }\n\n    if (secret.length < 32)\n    {\n        throw new Error('SPFN_AUTH_SESSION_SECRET must be at least 32 characters long');\n    }\n\n    // Derive a 32-byte key using SHA-256 for A256GCM compatibility\n    // Use Web Crypto API for universal compatibility (browser + Node.js)\n    const encoder = new TextEncoder();\n    const data = encoder.encode(secret);\n    const hashBuffer = await crypto.subtle.digest('SHA-256', data);\n    return new Uint8Array(hashBuffer);\n}\n\n/**\n * Seal session data into encrypted JWT (JWE)\n *\n * @param data - Session data to encrypt\n * @param ttl - Time to live in seconds (default: 7 days)\n * @returns Encrypted JWT string\n */\nexport async function sealSession(\n    data: SessionData,\n    ttl: number = 60 * 60 * 24 * 7 // 7 days\n): Promise<string>\n{\n    const secret = await getSessionSecret();\n\n    return await new jose.EncryptJWT({ data })\n        .setProtectedHeader({ alg: 'dir', enc: 'A256GCM' })\n        .setIssuedAt()\n        .setExpirationTime(`${ttl}s`)\n        .setIssuer('spfn-auth')\n        .setAudience('spfn-client')\n        .encrypt(secret);\n}\n\n/**\n * Unseal encrypted JWT (JWE) to session data\n *\n * @param jwt - Encrypted JWT string\n * @returns Session data\n * @throws Error if session is invalid or expired\n */\nexport async function unsealSession(jwt: string): Promise<SessionData>\n{\n    const secret = await getSessionSecret();\n\n    try\n    {\n        const { payload } = await jose.jwtDecrypt(jwt, secret, {\n            issuer: 'spfn-auth',\n            audience: 'spfn-client',\n        });\n\n        return payload.data as SessionData;\n    }\n    catch (err)\n    {\n        if (err instanceof jose.errors.JWTExpired)\n        {\n            throw new Error('Session expired');\n        }\n\n        if (err instanceof jose.errors.JWEDecryptionFailed)\n        {\n            throw new Error('Invalid session');\n        }\n\n        if (err instanceof jose.errors.JWTClaimValidationFailed)\n        {\n            throw new Error('Session validation failed');\n        }\n\n        throw new Error('Failed to unseal session');\n    }\n}\n\n/**\n * Get session metadata without decrypting\n *\n * @param jwt - Encrypted JWT string\n * @returns Session metadata or null if invalid\n */\nexport async function getSessionInfo(jwt: string): Promise<{\n    issuedAt: Date;\n    expiresAt: Date;\n    issuer: string;\n    audience: string;\n} | null>\n{\n    const secret = await getSessionSecret();\n\n    try\n    {\n        const { payload } = await jose.jwtDecrypt(jwt, secret);\n\n        return {\n            issuedAt: new Date(payload.iat! * 1000),\n            expiresAt: new Date(payload.exp! * 1000),\n            issuer: payload.iss || '',\n            audience: Array.isArray(payload.aud) ? payload.aud[0] : payload.aud || '',\n        };\n    }\n    catch (err)\n    {\n        // Log error for debugging but return null for graceful handling\n        if (process.env.NODE_ENV !== 'production')\n        {\n            console.warn('[Session] Failed to get session info:', err instanceof Error ? err.message : 'Unknown error');\n        }\n        return null;\n    }\n}\n\n/**\n * Check if session is about to expire (within threshold)\n *\n * @param jwt - Encrypted JWT string\n * @param thresholdHours - Hours before expiry to trigger refresh (default: 24)\n * @returns True if session should be refreshed\n */\nexport async function shouldRefreshSession(\n    jwt: string,\n    thresholdHours: number = 24\n): Promise<boolean>\n{\n    const info = await getSessionInfo(jwt);\n\n    if (!info)\n    {\n        return true;\n    }\n\n    const hoursRemaining = (info.expiresAt.getTime() - Date.now()) / (1000 * 60 * 60);\n\n    return hoursRemaining < thresholdHours;\n}\n\n/**\n * Validate session secret strength\n * Call this at startup to ensure proper configuration\n *\n * Validation criteria:\n * - Minimum 32 characters (256-bit)\n * - Minimum 16 unique characters\n * - Minimum 3.5 bits/char Shannon entropy (good randomness)\n */\nexport function validateSessionSecret(): {\n    valid: boolean;\n    error?: string;\n    details?: {\n        length: number;\n        uniqueChars: number;\n        entropy: number;\n    };\n}\n{\n    try\n    {\n        const secret =\n            process.env.SPFN_AUTH_SESSION_SECRET ||  // New prefixed version (recommended)\n            process.env.SESSION_SECRET;               // Legacy fallback\n\n        if (!secret)\n        {\n            return { valid: false, error: 'SPFN_AUTH_SESSION_SECRET is not set' };\n        }\n\n        const length = secret.length;\n        const uniqueChars = new Set(secret).size;\n        const entropy = calculateEntropy(secret);\n\n        // Check length (minimum 32 chars for 256-bit)\n        if (length < 32)\n        {\n            return {\n                valid: false,\n                error: `SPFN_AUTH_SESSION_SECRET too short (${length} chars, minimum 32)`,\n                details: { length, uniqueChars, entropy },\n            };\n        }\n\n        // Check unique character diversity\n        if (uniqueChars < 16)\n        {\n            return {\n                valid: false,\n                error: `SPFN_AUTH_SESSION_SECRET has low diversity (${uniqueChars} unique chars, minimum 16)`,\n                details: { length, uniqueChars, entropy },\n            };\n        }\n\n        // Check Shannon entropy (3.5 bits/char is good randomness)\n        // For reference:\n        // - Random lowercase: ~4.7 bits/char\n        // - Random alphanumeric: ~5.2 bits/char\n        // - Random printable ASCII: ~6.6 bits/char\n        // - \"aaaaaaa...\": ~0 bits/char\n        // - \"abcabcabc...\": ~1.58 bits/char\n        if (entropy < 3.5)\n        {\n            return {\n                valid: false,\n                error: `SPFN_AUTH_SESSION_SECRET has low entropy (${entropy.toFixed(2)} bits/char, minimum 3.5). Use a more random secret.`,\n                details: { length, uniqueChars, entropy },\n            };\n        }\n\n        return {\n            valid: true,\n            details: { length, uniqueChars, entropy },\n        };\n    }\n    catch (err)\n    {\n        return { valid: false, error: 'Failed to validate SPFN_AUTH_SESSION_SECRET' };\n    }\n}","/**\n * @spfn/auth - Global Configuration\n *\n * Manages global auth configuration including session TTL\n */\n\n/**\n * Cookie names used by SPFN Auth\n */\nexport const COOKIE_NAMES = {\n    /** Encrypted session data (userId, privateKey, keyId, algorithm) */\n    SESSION: 'spfn_session',\n    /** Current key ID (for key rotation) */\n    SESSION_KEY_ID: 'spfn_session_key_id',\n} as const;\n\n/**\n * Parse duration string to seconds\n *\n * Supports: '30d', '12h', '45m', '3600s', or plain number\n *\n * @example\n * parseDuration('30d')   // 2592000 (30 days in seconds)\n * parseDuration('12h')   // 43200\n * parseDuration('45m')   // 2700\n * parseDuration('3600')  // 3600\n */\nexport function parseDuration(duration: string | number): number\n{\n    if (typeof duration === 'number')\n    {\n        return duration;\n    }\n\n    const match = duration.match(/^(\\d+)([dhms]?)$/);\n    if (!match)\n    {\n        throw new Error(`Invalid duration format: ${duration}. Use format like '30d', '12h', '45m', '3600s', or plain number.`);\n    }\n\n    const value = parseInt(match[1], 10);\n    const unit = match[2] || 's';\n\n    switch (unit)\n    {\n        case 'd':\n            return value * 24 * 60 * 60;\n        case 'h':\n            return value * 60 * 60;\n        case 'm':\n            return value * 60;\n        case 's':\n            return value;\n        default:\n            throw new Error(`Unknown duration unit: ${unit}`);\n    }\n}\n\n/**\n * Auth configuration\n */\nexport interface AuthConfig\n{\n    /**\n     * Default session TTL in seconds or duration string\n     *\n     * Supports:\n     * - Number: seconds (e.g., 2592000)\n     * - String: '30d', '12h', '45m', '3600s'\n     *\n     * @default 7d (7 days)\n     */\n    sessionTtl?: string | number;\n}\n\n/**\n * Global auth configuration state\n */\nlet globalConfig: AuthConfig = {\n    sessionTtl: '7d', // Default: 7 days\n};\n\n/**\n * Configure global auth settings\n *\n * @param config - Auth configuration\n *\n * @example\n * ```typescript\n * configureAuth({\n *   sessionTtl: '30d',  // 30 days\n * });\n * ```\n */\nexport function configureAuth(config: AuthConfig): void\n{\n    globalConfig = {\n        ...globalConfig,\n        ...config,\n    };\n}\n\n/**\n * Get current auth configuration\n */\nexport function getAuthConfig(): AuthConfig\n{\n    return { ...globalConfig };\n}\n\n/**\n * Get session TTL in seconds\n *\n * Priority:\n * 1. Runtime override (remember parameter)\n * 2. Global config (configureAuth)\n * 3. Environment variable (SPFN_AUTH_SESSION_TTL)\n * 4. Default (7 days)\n */\nexport function getSessionTtl(override?: string | number): number\n{\n    // 1. Runtime override\n    if (override !== undefined)\n    {\n        return parseDuration(override);\n    }\n\n    // 2. Global config\n    if (globalConfig.sessionTtl !== undefined)\n    {\n        return parseDuration(globalConfig.sessionTtl);\n    }\n\n    // 3. Environment variable\n    const envTtl = process.env.SPFN_AUTH_SESSION_TTL;\n    if (envTtl)\n    {\n        return parseDuration(envTtl);\n    }\n\n    // 4. Default: 7 days\n    return 7 * 24 * 60 * 60;\n}"],"mappings":";AAWA,OAAOA,aAAY;AACnB,OAAO,SAA+C;AAkE/C,SAAS,uBAChB;AACI,QAAM,QAAQA,QAAO,WAAW;AAEhC,QAAM,EAAE,YAAY,UAAU,IAAIA,QAAO,oBAAoB,MAAM;AAAA,IAC/D,YAAY;AAAA;AAAA,IACZ,mBAAmB;AAAA,MACf,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ;AAAA,IACA,oBAAoB;AAAA,MAChB,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ;AAAA,EACJ,CAAC;AAGD,QAAM,gBAAgB,WAAW,SAAS,QAAQ;AAClD,QAAM,eAAe,UAAU,SAAS,QAAQ;AAGhD,QAAM,cAAcA,QACf,WAAW,QAAQ,EACnB,OAAO,SAAS,EAChB,OAAO,KAAK;AAEjB,SAAO;AAAA,IACH,YAAY;AAAA,IACZ,WAAW;AAAA,IACX;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACf;AACJ;AAMO,SAAS,uBAChB;AACI,QAAM,QAAQA,QAAO,WAAW;AAEhC,QAAM,EAAE,YAAY,UAAU,IAAIA,QAAO,oBAAoB,OAAO;AAAA,IAChE,eAAe;AAAA,IACf,mBAAmB;AAAA,MACf,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ;AAAA,IACA,oBAAoB;AAAA,MAChB,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ;AAAA,EACJ,CAAC;AAED,QAAM,gBAAgB,WAAW,SAAS,QAAQ;AAClD,QAAM,eAAe,UAAU,SAAS,QAAQ;AAEhD,QAAM,cAAcA,QACf,WAAW,QAAQ,EACnB,OAAO,SAAS,EAChB,OAAO,KAAK;AAEjB,SAAO;AAAA,IACH,YAAY;AAAA,IACZ,WAAW;AAAA,IACX;AAAA,IACA;AAAA,IACA,WAAW;AAAA,EACf;AACJ;AAKO,SAAS,gBACZ,YAA+B,SAEnC;AACI,SAAO,cAAc,UACf,qBAAqB,IACrB,qBAAqB;AAC/B;AAKO,SAAS,oBACZ,SACA,eACA,WACA,SAKJ;AACI,MACA;AAEI,UAAM,gBAAgB,OAAO,KAAK,eAAe,QAAQ;AAGzD,UAAM,mBAAmBA,QAAO,iBAAiB;AAAA,MAC7C,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACV,CAAC;AAGD,UAAM,gBAAgB,iBAAiB,OAAO;AAAA,MAC1C,MAAM;AAAA,MACN,QAAQ;AAAA,IACZ,CAAC;AAED,UAAM,cAA2B;AAAA,MAC7B;AAAA,MACA,QAAQ,SAAS,UAAU;AAAA,MAC3B,WAAW,SAAS,aAAa;AAAA;AAAA,IACrC;AAEA,WAAO,IAAI,KAAK,SAAS,eAAe,WAAW;AAAA,EACvD,SACO,OACP;AACI,UAAM,IAAI;AAAA,MACN,oCAAoC,iBAAiB,QAAQ,MAAM,UAAU,eAAe;AAAA,IAChG;AAAA,EACJ;AACJ;AAQO,SAAS,kBACZ,OACA,cACA,WAEJ;AACI,MACA;AAEI,UAAM,eAAe,OAAO,KAAK,cAAc,QAAQ;AAGvD,UAAM,kBAAkBA,QAAO,gBAAgB;AAAA,MAC3C,KAAK;AAAA,MACL,QAAQ;AAAA,MACR,MAAM;AAAA,IACV,CAAC;AAED,WAAO,IAAI,OAAO,OAAO,iBAAiB;AAAA,MACtC,YAAY,CAAC,SAAS;AAAA,MACtB,QAAQ;AAAA,IACZ,CAAC;AAAA,EACL,SACO,OACP;AACI,UAAM,IAAI;AAAA,MACN,2BAA2B,iBAAiB,QAAQ,MAAM,UAAU,eAAe;AAAA,IACvF;AAAA,EACJ;AACJ;AAKO,SAAS,WAAW,cAI3B;AACI,QAAM,SAAS,OAAO,KAAK,cAAc,QAAQ;AAEjD,SAAO;AAAA,IACH,OAAO,OAAO;AAAA,IACd,cAAc,aAAa;AAAA,EAC/B;AACJ;AAKO,SAAS,gBACZ,WACA,eAAuB,IAK3B;AACI,QAAM,MAAM,oBAAI,KAAK;AACrB,QAAM,YAAY,KAAK;AAAA,KAClB,IAAI,QAAQ,IAAI,UAAU,QAAQ,MAAM,MAAO,KAAK,KAAK;AAAA,EAC9D;AACA,QAAM,gBAAgB,KAAK,IAAI,GAAG,eAAe,SAAS;AAE1D,SAAO;AAAA,IACH,cAAc,iBAAiB;AAAA;AAAA,IAC/B;AAAA,EACJ;AACJ;;;ACpRA,YAAY,UAAU;AAiBtB,SAAS,iBAAiB,KAC1B;AACI,QAAM,MAAM,IAAI;AAChB,QAAM,cAAc,oBAAI,IAAoB;AAG5C,aAAW,QAAQ,KACnB;AACI,gBAAY,IAAI,OAAO,YAAY,IAAI,IAAI,KAAK,KAAK,CAAC;AAAA,EAC1D;AAGA,MAAI,UAAU;AACd,aAAW,SAAS,YAAY,OAAO,GACvC;AACI,UAAM,cAAc,QAAQ;AAC5B,eAAW,cAAc,KAAK,KAAK,WAAW;AAAA,EAClD;AAEA,SAAO;AACX;AAQA,eAAe,mBACf;AACI,QAAM,SACF,QAAQ,IAAI;AAAA,EACZ,QAAQ,IAAI;AAEhB,MAAI,CAAC,QACL;AACI,UAAM,IAAI,MAAM,0DAA0D;AAAA,EAC9E;AAEA,MAAI,OAAO,SAAS,IACpB;AACI,UAAM,IAAI,MAAM,8DAA8D;AAAA,EAClF;AAIA,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,OAAO,QAAQ,OAAO,MAAM;AAClC,QAAM,aAAa,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AAC7D,SAAO,IAAI,WAAW,UAAU;AACpC;AASA,eAAsB,YAClB,MACA,MAAc,KAAK,KAAK,KAAK,GAEjC;AACI,QAAM,SAAS,MAAM,iBAAiB;AAEtC,SAAO,MAAM,IAAS,gBAAW,EAAE,KAAK,CAAC,EACpC,mBAAmB,EAAE,KAAK,OAAO,KAAK,UAAU,CAAC,EACjD,YAAY,EACZ,kBAAkB,GAAG,GAAG,GAAG,EAC3B,UAAU,WAAW,EACrB,YAAY,aAAa,EACzB,QAAQ,MAAM;AACvB;AASA,eAAsB,cAAcC,MACpC;AACI,QAAM,SAAS,MAAM,iBAAiB;AAEtC,MACA;AACI,UAAM,EAAE,QAAQ,IAAI,MAAW,gBAAWA,MAAK,QAAQ;AAAA,MACnD,QAAQ;AAAA,MACR,UAAU;AAAA,IACd,CAAC;AAED,WAAO,QAAQ;AAAA,EACnB,SACO,KACP;AACI,QAAI,eAAoB,YAAO,YAC/B;AACI,YAAM,IAAI,MAAM,iBAAiB;AAAA,IACrC;AAEA,QAAI,eAAoB,YAAO,qBAC/B;AACI,YAAM,IAAI,MAAM,iBAAiB;AAAA,IACrC;AAEA,QAAI,eAAoB,YAAO,0BAC/B;AACI,YAAM,IAAI,MAAM,2BAA2B;AAAA,IAC/C;AAEA,UAAM,IAAI,MAAM,0BAA0B;AAAA,EAC9C;AACJ;AAQA,eAAsB,eAAeA,MAMrC;AACI,QAAM,SAAS,MAAM,iBAAiB;AAEtC,MACA;AACI,UAAM,EAAE,QAAQ,IAAI,MAAW,gBAAWA,MAAK,MAAM;AAErD,WAAO;AAAA,MACH,UAAU,IAAI,KAAK,QAAQ,MAAO,GAAI;AAAA,MACtC,WAAW,IAAI,KAAK,QAAQ,MAAO,GAAI;AAAA,MACvC,QAAQ,QAAQ,OAAO;AAAA,MACvB,UAAU,MAAM,QAAQ,QAAQ,GAAG,IAAI,QAAQ,IAAI,CAAC,IAAI,QAAQ,OAAO;AAAA,IAC3E;AAAA,EACJ,SACO,KACP;AAEI,QAAI,QAAQ,IAAI,aAAa,cAC7B;AACI,cAAQ,KAAK,yCAAyC,eAAe,QAAQ,IAAI,UAAU,eAAe;AAAA,IAC9G;AACA,WAAO;AAAA,EACX;AACJ;AASA,eAAsB,qBAClBA,MACA,iBAAyB,IAE7B;AACI,QAAM,OAAO,MAAM,eAAeA,IAAG;AAErC,MAAI,CAAC,MACL;AACI,WAAO;AAAA,EACX;AAEA,QAAM,kBAAkB,KAAK,UAAU,QAAQ,IAAI,KAAK,IAAI,MAAM,MAAO,KAAK;AAE9E,SAAO,iBAAiB;AAC5B;AAWO,SAAS,wBAShB;AACI,MACA;AACI,UAAM,SACF,QAAQ,IAAI;AAAA,IACZ,QAAQ,IAAI;AAEhB,QAAI,CAAC,QACL;AACI,aAAO,EAAE,OAAO,OAAO,OAAO,sCAAsC;AAAA,IACxE;AAEA,UAAM,SAAS,OAAO;AACtB,UAAM,cAAc,IAAI,IAAI,MAAM,EAAE;AACpC,UAAM,UAAU,iBAAiB,MAAM;AAGvC,QAAI,SAAS,IACb;AACI,aAAO;AAAA,QACH,OAAO;AAAA,QACP,OAAO,uCAAuC,MAAM;AAAA,QACpD,SAAS,EAAE,QAAQ,aAAa,QAAQ;AAAA,MAC5C;AAAA,IACJ;AAGA,QAAI,cAAc,IAClB;AACI,aAAO;AAAA,QACH,OAAO;AAAA,QACP,OAAO,+CAA+C,WAAW;AAAA,QACjE,SAAS,EAAE,QAAQ,aAAa,QAAQ;AAAA,MAC5C;AAAA,IACJ;AASA,QAAI,UAAU,KACd;AACI,aAAO;AAAA,QACH,OAAO;AAAA,QACP,OAAO,6CAA6C,QAAQ,QAAQ,CAAC,CAAC;AAAA,QACtE,SAAS,EAAE,QAAQ,aAAa,QAAQ;AAAA,MAC5C;AAAA,IACJ;AAEA,WAAO;AAAA,MACH,OAAO;AAAA,MACP,SAAS,EAAE,QAAQ,aAAa,QAAQ;AAAA,IAC5C;AAAA,EACJ,SACO,KACP;AACI,WAAO,EAAE,OAAO,OAAO,OAAO,8CAA8C;AAAA,EAChF;AACJ;;;AC/QO,IAAM,eAAe;AAAA;AAAA,EAExB,SAAS;AAAA;AAAA,EAET,gBAAgB;AACpB;AAaO,SAAS,cAAc,UAC9B;AACI,MAAI,OAAO,aAAa,UACxB;AACI,WAAO;AAAA,EACX;AAEA,QAAM,QAAQ,SAAS,MAAM,kBAAkB;AAC/C,MAAI,CAAC,OACL;AACI,UAAM,IAAI,MAAM,4BAA4B,QAAQ,kEAAkE;AAAA,EAC1H;AAEA,QAAM,QAAQ,SAAS,MAAM,CAAC,GAAG,EAAE;AACnC,QAAM,OAAO,MAAM,CAAC,KAAK;AAEzB,UAAQ,MACR;AAAA,IACI,KAAK;AACD,aAAO,QAAQ,KAAK,KAAK;AAAA,IAC7B,KAAK;AACD,aAAO,QAAQ,KAAK;AAAA,IACxB,KAAK;AACD,aAAO,QAAQ;AAAA,IACnB,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAI,MAAM,0BAA0B,IAAI,EAAE;AAAA,EACxD;AACJ;AAsBA,IAAI,eAA2B;AAAA,EAC3B,YAAY;AAAA;AAChB;AAcO,SAAS,cAAc,QAC9B;AACI,iBAAe;AAAA,IACX,GAAG;AAAA,IACH,GAAG;AAAA,EACP;AACJ;AAKO,SAAS,gBAChB;AACI,SAAO,EAAE,GAAG,aAAa;AAC7B;AAWO,SAAS,cAAc,UAC9B;AAEI,MAAI,aAAa,QACjB;AACI,WAAO,cAAc,QAAQ;AAAA,EACjC;AAGA,MAAI,aAAa,eAAe,QAChC;AACI,WAAO,cAAc,aAAa,UAAU;AAAA,EAChD;AAGA,QAAM,SAAS,QAAQ,IAAI;AAC3B,MAAI,QACJ;AACI,WAAO,cAAc,MAAM;AAAA,EAC/B;AAGA,SAAO,IAAI,KAAK,KAAK;AACzB;","names":["crypto","jwt"]}

package/dist/lib/session.d.ts

@@ -1,68 +0,0 @@
-/**
- * @spfn/auth - Client Session Management
- *
- * Uses Jose JWE (JSON Web Encryption) to securely store session data in cookies
- * More efficient than Iron Session with better Edge Runtime support
- */
-interface SessionData {
-    userId: string;
-    privateKey: string;
-    keyId: string;
-    algorithm: 'ES256' | 'RS256';
-}
-/**
- * Seal session data into encrypted JWT (JWE)
- *
- * @param data - Session data to encrypt
- * @param ttl - Time to live in seconds (default: 7 days)
- * @returns Encrypted JWT string
- */
-declare function sealSession(data: SessionData, ttl?: number): Promise<string>;
-/**
- * Unseal encrypted JWT (JWE) to session data
- *
- * @param jwt - Encrypted JWT string
- * @returns Session data
- * @throws Error if session is invalid or expired
- */
-declare function unsealSession(jwt: string): Promise<SessionData>;
-/**
- * Get session metadata without decrypting
- *
- * @param jwt - Encrypted JWT string
- * @returns Session metadata or null if invalid
- */
-declare function getSessionInfo(jwt: string): Promise<{
-    issuedAt: Date;
-    expiresAt: Date;
-    issuer: string;
-    audience: string;
-} | null>;
-/**
- * Check if session is about to expire (within threshold)
- *
- * @param jwt - Encrypted JWT string
- * @param thresholdHours - Hours before expiry to trigger refresh (default: 24)
- * @returns True if session should be refreshed
- */
-declare function shouldRefreshSession(jwt: string, thresholdHours?: number): Promise<boolean>;
-/**
- * Validate session secret strength
- * Call this at startup to ensure proper configuration
- *
- * Validation criteria:
- * - Minimum 32 characters (256-bit)
- * - Minimum 16 unique characters
- * - Minimum 3.5 bits/char Shannon entropy (good randomness)
- */
-declare function validateSessionSecret(): {
-    valid: boolean;
-    error?: string;
-    details?: {
-        length: number;
-        uniqueChars: number;
-        entropy: number;
-    };
-};
-
-export { type SessionData, getSessionInfo, sealSession, shouldRefreshSession, unsealSession, validateSessionSecret };