@stefanobalocco/honosignedrequests 1.0.0 → 1.1.1

package/LICENSE.md

@@ -1,4 +1,4 @@
-Copyright (c) 2025, Stefano Balocco <stefano.balocco@gmail.com>
+Copyright (c) 2025-2026, Stefano Balocco <stefano.balocco@gmail.com>
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are met:

package/client/dist/SignedRequester.d.ts

@@ -0,0 +1,38 @@
+type Methods = 'GET' | 'POST' | 'PUT' | 'DELETE';
+type SessionConfig = {
+    sessionId: number;
+    token: string;
+    sequenceNumber: number;
+};
+type SignedRequest<T = Record<string, any>> = {
+    sessionId: number;
+    timestamp: number;
+    signature: string;
+} & T;
+type SignedRequestOptions = {
+    baseUrl?: string;
+    headers?: Record<string, string>;
+    method?: Methods;
+};
+declare class SignedRequester {
+    private static readonly _primitives;
+    private readonly _baseUrl;
+    private readonly _onError?;
+    private _sessionId;
+    private _token;
+    private _sequenceNumber;
+    private _semaphore;
+    private _semaphoreQueue;
+    private _semaphoreAcquire;
+    private _semaphoreRelease;
+    private _incrementSequenceNumber;
+    private _loadFromStorage;
+    constructor(baseUrl?: string, onError?: (error: unknown) => void);
+    setSession(config: SessionConfig): void;
+    getSession(): boolean;
+    clearSession(): void;
+    signedRequest(path: string, parameters: Record<string, any>, options?: SignedRequestOptions): Promise<Response>;
+    signedRequestJson<T = any>(path: string, parameters: Record<string, any>, options?: SignedRequestOptions): Promise<T>;
+}
+export type { SessionConfig, SignedRequest, SignedRequestOptions };
+export { SignedRequester };

package/client/dist/SignedRequester.js

@@ -0,0 +1,218 @@
+function _base64url_encode(value, onError) {
+    let returnValue = '';
+    if (0 < value?.length) {
+        try {
+            const base64String = Array.from(value, (byte) => String.fromCharCode(byte)).join('');
+            returnValue = btoa(base64String)
+                .replace(/\+/g, '-')
+                .replace(/\//g, '_')
+                .replace(/=+$/, '');
+        }
+        catch (error) {
+            onError?.(error);
+        }
+    }
+    return returnValue;
+}
+function _base64url_decode(value, onError) {
+    let returnValue;
+    if (0 < value?.length && /^[A-Za-z0-9_-]*$/.test(value)) {
+        const padding = value.length % 4;
+        const paddedValue = 0 === padding ? value : value.padEnd(value.length + (4 - padding), '=');
+        const base64 = paddedValue.replace(/-/g, '+').replace(/_/g, '/');
+        try {
+            const binaryString = atob(base64);
+            returnValue = Uint8Array.from(binaryString, (char) => char.charCodeAt(0));
+        }
+        catch (error) {
+            onError?.(error);
+        }
+    }
+    return returnValue;
+}
+class SignedRequester {
+    _semaphoreAcquire(wait = true) {
+        let returnValue = Promise.resolve(false);
+        if (!this._semaphore) {
+            this._semaphore = true;
+            returnValue = Promise.resolve(true);
+        }
+        else if (wait) {
+            returnValue = new Promise((resolve) => {
+                this._semaphoreQueue.push(resolve);
+            });
+        }
+        return returnValue;
+    }
+    _semaphoreRelease() {
+        if (this._semaphore) {
+            if (0 < this._semaphoreQueue.length) {
+                const nextWaiting = this._semaphoreQueue.shift();
+                if (nextWaiting) {
+                    nextWaiting(true);
+                }
+            }
+            else {
+                this._semaphore = false;
+            }
+        }
+    }
+    _incrementSequenceNumber() {
+        if (undefined !== this._sequenceNumber) {
+            this._sequenceNumber++;
+            localStorage.setItem('sequenceNumber', this._sequenceNumber.toString());
+        }
+    }
+    _loadFromStorage() {
+        let returnValue = false;
+        const sessionIdStr = localStorage.getItem('sessionId');
+        const tokenStr = localStorage.getItem('token');
+        const sequenceNumberStr = localStorage.getItem('sequenceNumber');
+        if (sessionIdStr && tokenStr && sequenceNumberStr) {
+            const sessionId = parseInt(sessionIdStr);
+            const sequenceNumber = parseInt(sequenceNumberStr);
+            const token = _base64url_decode(tokenStr, this._onError);
+            if (!isNaN(sessionId) && !isNaN(sequenceNumber) && token) {
+                this._sessionId = sessionId;
+                this._token = token;
+                this._sequenceNumber = sequenceNumber;
+                returnValue = true;
+            }
+        }
+        return returnValue;
+    }
+    constructor(baseUrl, onError) {
+        this._semaphore = false;
+        this._semaphoreQueue = [];
+        this._baseUrl = baseUrl;
+        this._onError = onError;
+    }
+    setSession(config) {
+        const token = _base64url_decode(config.token, this._onError);
+        if (token) {
+            this._sessionId = config.sessionId;
+            this._token = token;
+            this._sequenceNumber = config.sequenceNumber;
+            localStorage.setItem('sessionId', config.sessionId.toString());
+            localStorage.setItem('token', config.token);
+            localStorage.setItem('sequenceNumber', config.sequenceNumber.toString());
+        }
+        else {
+            throw new Error('Invalid token format');
+        }
+    }
+    getSession() {
+        let returnValue;
+        if (undefined !== this._sessionId &&
+            undefined !== this._token &&
+            undefined !== this._sequenceNumber) {
+            returnValue = true;
+        }
+        else {
+            returnValue = this._loadFromStorage();
+        }
+        return returnValue;
+    }
+    clearSession() {
+        localStorage.removeItem('sessionId');
+        localStorage.removeItem('token');
+        localStorage.removeItem('sequenceNumber');
+        this._sessionId = undefined;
+        this._token = undefined;
+        this._sequenceNumber = undefined;
+    }
+    async signedRequest(path, parameters, options = {}) {
+        let returnValue;
+        let error;
+        await this._semaphoreAcquire();
+        try {
+            if (undefined !== this._sessionId &&
+                undefined !== this._token &&
+                undefined !== this._sequenceNumber) {
+                const timestamp = Date.now();
+                const parametersArray = Object.entries(parameters);
+                const parametersOrdered = [
+                    ['sessionId', this._sessionId],
+                    ['sequenceNumber', this._sequenceNumber],
+                    ['timestamp', timestamp],
+                    ...parametersArray.sort((a, b) => a[0].localeCompare(b[0]))
+                ];
+                const dataToSign = parametersOrdered
+                    .map(([name, value]) => {
+                    const serializedValue = SignedRequester._primitives.has(typeof value) || null === value
+                        ? String(value)
+                        : JSON.stringify(value);
+                    return `${name}=${serializedValue}`;
+                })
+                    .join(';');
+                const cryptoKey = await crypto.subtle.importKey('raw', this._token, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+                const encoder = new TextEncoder();
+                const signatureBuffer = await crypto.subtle.sign('HMAC', cryptoKey, encoder.encode(dataToSign));
+                const signature = _base64url_encode(new Uint8Array(signatureBuffer), this._onError);
+                const signedPayload = {
+                    sessionId: this._sessionId,
+                    timestamp: timestamp,
+                    signature: signature
+                };
+                Object.assign(signedPayload, Object.fromEntries(parametersArray));
+                const url = options.baseUrl
+                    ? `${options.baseUrl}${path}`
+                    : (this._baseUrl ? `${this._baseUrl}${path}` : path);
+                const method = options.method || 'POST';
+                returnValue = await fetch(url, {
+                    method: method,
+                    headers: {
+                        'Content-Type': 'application/json',
+                        ...options.headers
+                    },
+                    body: JSON.stringify(signedPayload)
+                });
+                if (returnValue.ok) {
+                    this._incrementSequenceNumber();
+                }
+                else if (401 === returnValue.status) {
+                    this.clearSession();
+                }
+            }
+            else {
+                error = new Error('Session not configured');
+            }
+        }
+        catch (e) {
+            error = e instanceof Error ? e : new Error(String(e));
+        }
+        finally {
+            this._semaphoreRelease();
+        }
+        if (error) {
+            throw error;
+        }
+        return returnValue;
+    }
+    async signedRequestJson(path, parameters, options = {}) {
+        let returnValue;
+        let error;
+        try {
+            const response = await this.signedRequest(path, parameters, options);
+            if (response.ok) {
+                returnValue = (await response.json());
+            }
+            else {
+                error = new Error(`Request failed with status ${response.status}`);
+            }
+        }
+        catch (e) {
+            error = e instanceof Error ? e : new Error(String(e));
+        }
+        if (error) {
+            throw error;
+        }
+        return returnValue;
+    }
+}
+SignedRequester._primitives = new Set([
+    'undefined',
+    'string',
+    'number'
+]);
+export { SignedRequester };

package/client/dist/SignedRequester.min.js

@@ -0,0 +1 @@
+function t(t,e){let s;if(0<t?.length&&/^[A-Za-z0-9_-]*$/.test(t)){const i=t.length%4,o=(0===i?t:t.padEnd(t.length+(4-i),"=")).replace(/-/g,"+").replace(/_/g,"/");try{const t=atob(o);s=Uint8Array.from(t,t=>t.charCodeAt(0))}catch(t){e?.(t)}}return s}class e{t(t=!0){let e=Promise.resolve(!1);return this.i?t&&(e=new Promise(t=>{this.o.push(t)})):(this.i=!0,e=Promise.resolve(!0)),e}h(){if(this.i)if(0<this.o.length){const t=this.o.shift();t&&t(!0)}else this.i=!1}l(){void 0!==this.u&&(this.u++,localStorage.setItem("sequenceNumber",this.u.toString()))}S(){let e=!1;const s=localStorage.getItem("sessionId"),i=localStorage.getItem("token"),o=localStorage.getItem("sequenceNumber");if(s&&i&&o){const r=parseInt(s),n=parseInt(o),a=t(i,this.m);isNaN(r)||isNaN(n)||!a||(this.p=r,this.N=a,this.u=n,e=!0)}return e}constructor(t,e){this.i=!1,this.o=[],this.v=t,this.m=e}setSession(e){const s=t(e.token,this.m);if(!s)throw new Error("Invalid token format");this.p=e.sessionId,this.N=s,this.u=e.sequenceNumber,localStorage.setItem("sessionId",e.sessionId.toString()),localStorage.setItem("token",e.token),localStorage.setItem("sequenceNumber",e.sequenceNumber.toString())}getSession(){let t;return t=void 0!==this.p&&void 0!==this.N&&void 0!==this.u||this.S(),t}clearSession(){localStorage.removeItem("sessionId"),localStorage.removeItem("token"),localStorage.removeItem("sequenceNumber"),this.p=void 0,this.N=void 0,this.u=void 0}async signedRequest(t,s,i={}){let o,r;await this.t();try{if(void 0!==this.p&&void 0!==this.N&&void 0!==this.u){const r=Date.now(),n=Object.entries(s),a=[["sessionId",this.p],["sequenceNumber",this.u],["timestamp",r],...n.sort((t,e)=>t[0].localeCompare(e[0]))].map(([t,s])=>`${t}=${e.q.has(typeof s)||null===s?String(s):JSON.stringify(s)}`).join(";"),h=await crypto.subtle.importKey("raw",this.N,{name:"HMAC",hash:"SHA-256"},!1,["sign"]),c=new TextEncoder,l=await crypto.subtle.sign("HMAC",h,c.encode(a)),u=function(t,e){let s="";if(0<t?.length)try{const e=Array.from(t,t=>String.fromCharCode(t)).join("");s=btoa(e).replace(/\+/g,"-").replace(/\//g,"_").replace(/=+$/,"")}catch(t){e?.(t)}return s}(new Uint8Array(l),this.m),d={sessionId:this.p,timestamp:r,signature:u};Object.assign(d,Object.fromEntries(n));const g=i.baseUrl?`${i.baseUrl}${t}`:this.v?`${this.v}${t}`:t,S=i.method||"POST";o=await fetch(g,{method:S,headers:{"Content-Type":"application/json",...i.headers},body:JSON.stringify(d)}),o.ok?this.l():401===o.status&&this.clearSession()}else r=new Error("Session not configured")}catch(t){r=t instanceof Error?t:new Error(String(t))}finally{this.h()}if(r)throw r;return o}async signedRequestJson(t,e,s={}){let i,o;try{const r=await this.signedRequest(t,e,s);r.ok?i=await r.json():o=new Error(`Request failed with status ${r.status}`)}catch(t){o=t instanceof Error?t:new Error(String(t))}if(o)throw o;return i}}e.q=new Set(["undefined","string","number"]);export{e as SignedRequester};

package/dist/SessionsStorage.d.ts

@@ -1,5 +1,5 @@
-import { Undefinedable } from './Common';
-import { Session } from './Session';
+import { Undefinedable } from './Common.js';
+import { Session } from './Session.js';
 export declare abstract class SessionsStorage {
     abstract create(validityToken: number, tokenLength: number, userId: number): Promise<Session>;
     abstract getBySessionId(sessionId: number): Promise<Undefinedable<Session>>;

package/dist/SessionsStorageLocal.d.ts

@@ -1,6 +1,6 @@
-import { Undefinedable } from './Common';
-import { Session } from './Session';
-import { SessionsStorage } from './SessionsStorage';
+import { Undefinedable } from './Common.js';
+import { Session } from './Session.js';
+import { SessionsStorage } from './SessionsStorage.js';
 type SessionStorageLocalConfig = {
     maxSessions: number;
     maxSessionsPerUser: number;

package/dist/SessionsStorageLocal.js

@@ -1,4 +1,4 @@
-import { randomBytes, randomInt } from './Common';
+import { randomBytes, randomInt } from './Common.js';
 export class SessionsStorageLocal {
     _maxSessions;
     _maxSessionsPerUser;

package/dist/SignedRequestsManager.d.ts

@@ -1,11 +1,12 @@
 import { MiddlewareHandler } from 'hono';
-import { Undefinedable } from './Common';
-import { Session } from './Session';
-import { SessionsStorage } from './SessionsStorage';
+import { Undefinedable } from './Common.js';
+import { Session } from './Session.js';
+import { SessionsStorage } from './SessionsStorage.js';
 type SignedRequestsManagerConfig = {
     validitySignature: number;
     validityToken: number;
     tokenLength: number;
+    onError?: (error: unknown) => void;
 };
 export declare class SignedRequestsManager {
     private static readonly _primitives;
@@ -13,6 +14,7 @@ export declare class SignedRequestsManager {
     private readonly _validitySignature;
     private readonly _validityToken;
     private readonly _tokenLength;
+    private readonly _onError?;
     constructor(storage?: SessionsStorage, options?: Partial<SignedRequestsManagerConfig>);
     createSession(userId: number): Promise<Session>;
     validate(sessionId: number, timestamp: number, parameters: [string, any][], signature: Uint8Array<ArrayBuffer>): Promise<Undefinedable<Session>>;

package/dist/SignedRequestsManager.js

@@ -1,15 +1,17 @@
-import { constantTimeEqual, fromBase64Url, hmacSha256 } from './Common';
-import { SessionsStorageLocal } from './SessionsStorageLocal';
+import { constantTimeEqual, fromBase64Url, hmacSha256 } from './Common.js';
+import { SessionsStorageLocal } from './SessionsStorageLocal.js';
 export class SignedRequestsManager {
     static _primitives = new Set(['string', 'number', 'boolean']);
     _storage;
     _validitySignature;
     _validityToken;
     _tokenLength;
+    _onError;
     constructor(storage, options) {
         this._validitySignature = options?.validitySignature ?? 5000;
         this._validityToken = options?.validityToken ?? 60 * 60000;
         this._tokenLength = options?.tokenLength ?? 32;
+        this._onError = options?.onError;
         if (!storage) {
             storage = new SessionsStorageLocal();
         }
@@ -81,7 +83,7 @@ export class SignedRequestsManager {
             }
         }
         catch (error) {
-            console.error('Session validation error:', error);
+            this._onError?.(error);
         }
         if (session) {
             context.set('session', session);

package/package.json

@@ -1,7 +1,18 @@
 {
   "name": "@stefanobalocco/honosignedrequests",
-  "version": "1.0.0",
+  "version": "1.1.1",
   "description": "An hono middleware to manage signed requests, including a client implementation.",
+  "author": "Stefano Balocco <stefano.balocco@gmail.com>",
+  "license": "BSD-3-Clause",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/StefanoBalocco/HonoSignedRequests.git"
+  },
+  "bugs": {
+    "url": "https://github.com/StefanoBalocco/HonoSignedRequests/issues"
+  },
+  "homepage": "https://github.com/StefanoBalocco/HonoSignedRequests",
+  "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "exports": {
@@ -15,15 +26,21 @@
     }
   },
   "devDependencies": {
+    "@hono/node-server": "^1.13.7",
+    "@types/node": "^22.10.5",
+    "ava": "^6.4.1",
+    "c8": "^10.1.3",
     "hono": "^4.10.6",
     "terser": "^5.44.1",
-    "typescript": "^5.5.3"
+    "typescript": "^5.5.3",
+    "undici": "^7.4.0"
   },
   "peerDependencies": {
     "hono": "^4.0.0"
   },
   "files": [
-    "dist"
+    "dist",
+    "client/dist"
   ],
   "keywords": [
     "hono",
@@ -33,10 +50,11 @@
     "session",
     "authentication"
   ],
-  "license": "BSD-3-Clause",
   "scripts": {
-    "build": "npm run build:server && npm run build:client",
+    "build": "npm run build:server && npm run build:client && npm run build:tests",
     "build:server": "tsc",
-    "build:client": "tsc -p client/tsconfig.json && terser client/dist/SignedRequester.js -o client/dist/SignedRequester.min.js --toplevel -m -c --mangle-props regex=/^_/"
+    "build:client": "tsc -p client/tsconfig.json && terser client/dist/SignedRequester.js -o client/dist/SignedRequester.min.js --toplevel -m -c --mangle-props regex=/^_/",
+    "build:tests": "tsc -p tests/tsconfig.json",
+    "run:tests": "npx ava tests/dist/*.test.js --verbose"
   }
 }