npm - @thinkingcat/auth-utils - Versions diffs - 2.0.5 → 2.0.7 - Mend

@thinkingcat/auth-utils 2.0.5 → 2.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/core/jwt.d.ts CHANGED Viewed

@@ -15,7 +15,7 @@ export declare function extractRoleFromPayload(payload: JWTPayload, serviceId: s
  */
 export declare function createNextAuthJWT(payload: JWTPayload, serviceId: string): JWT;
 /**
- * NextAuth JWT를 인코딩된 세션 토큰으로 변환
+ * NextAuth JWT를 인코딩된 세션 토큰으로 변환 (HKDF 기반 암호화 적용)
  */
 export declare function encodeNextAuthToken(jwt: JWT, secret: string, maxAge?: number): Promise<string>;
 /**

package/dist/core/jwt.js CHANGED Viewed

@@ -41,7 +41,6 @@ exports.isTokenExpired = isTokenExpired;
 exports.isValidToken = isValidToken;
 const jose_1 = require("jose");
 const logger_js_1 = require("../utils/logger.js");
-const crypto_js_1 = require("../utils/crypto.js");
 /**
  * 토큰 검증 및 디코딩
  */
@@ -116,7 +115,7 @@ function createNextAuthJWT(payload, serviceId) {
     return jwt;
 }
 /**
- * NextAuth JWT를 인코딩된 세션 토큰으로 변환
+ * NextAuth JWT를 인코딩된 세션 토큰으로 변환 (HKDF 기반 암호화 적용)
  */
 async function encodeNextAuthToken(jwt, secret, maxAge = 30 * 24 * 60 * 60) {
     try {
@@ -130,14 +129,23 @@ async function encodeNextAuthToken(jwt, secret, maxAge = 30 * 24 * 60 * 60) {
         return encoded;
     }
     catch (error) {
-        (0, logger_js_1.debugLog)('encodeNextAuthToken', 'NextAuth encode failed, using jose EncryptJWT fallback', error);
-        const secretHash = await (0, crypto_js_1.createHashSHA256)(secret);
-        const keyBytes = new Uint8Array(32);
-        for (let i = 0; i < 32; i++) {
-            keyBytes[i] = parseInt(secretHash.slice(i * 2, i * 2 + 2), 16);
-        }
+        (0, logger_js_1.debugLog)('encodeNextAuthToken', 'NextAuth encode failed, using jose EncryptJWT fallback with HKDF', error);
+        // NextAuth.js의 표준 HKDF 키 유도 방식 구현
+        // https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/jwt/index.ts
         const now = Math.floor(Date.now() / 1000);
         try {
+            // Web Crypto API를 이용한 HKDF 구현
+            const encoder = new TextEncoder();
+            const secretKey = await crypto.subtle.importKey('raw', encoder.encode(secret), 'HKDF', false, ['deriveKey']);
+            const derivedKey = await crypto.subtle.deriveKey({
+                name: 'HKDF',
+                hash: 'SHA-256',
+                salt: encoder.encode(''),
+                info: encoder.encode('NextAuth.js Generated Encryption Key'),
+            }, secretKey, { name: 'AES-GCM', length: 256 }, true, ['encrypt']);
+            // 유도된 키를 Uint8Array로 변환
+            const exportedKey = await crypto.subtle.exportKey('raw', derivedKey);
+            const keyBytes = new Uint8Array(exportedKey);
             const token = await new jose_1.EncryptJWT(jwt)
                 .setProtectedHeader({
                 alg: 'dir',
@@ -150,7 +158,7 @@ async function encodeNextAuthToken(jwt, secret, maxAge = 30 * 24 * 60 * 60) {
             return token;
         }
         catch (encryptError) {
-            (0, logger_js_1.debugError)('encodeNextAuthToken', 'EncryptJWT also failed:', encryptError);
+            (0, logger_js_1.debugError)('encodeNextAuthToken', 'HKDF EncryptJWT failed:', encryptError);
             throw new Error(`Failed to encode NextAuth token: ${error instanceof Error ? error.message : String(error)}`);
         }
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@thinkingcat/auth-utils",
-  "version": "2.0.5",
+  "version": "2.0.7",
   "description": "Authentication utilities for ThinkingCat SSO services with conditional logging",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",