@thinkingcat/auth-utils 2.0.6 → 2.0.8

package/dist/core/jwt.d.ts

@@ -15,7 +15,7 @@ export declare function extractRoleFromPayload(payload: JWTPayload, serviceId: s
  */
 export declare function createNextAuthJWT(payload: JWTPayload, serviceId: string): JWT;
 /**
- * NextAuth JWT를 인코딩된 세션 토큰으로 변환
+ * NextAuth JWT를 인코딩된 세션 토큰으로 변환 (HKDF 기반 암호화 적용)
  */
 export declare function encodeNextAuthToken(jwt: JWT, secret: string, maxAge?: number): Promise<string>;
 /**

package/dist/core/jwt.js

@@ -41,7 +41,6 @@ exports.isTokenExpired = isTokenExpired;
 exports.isValidToken = isValidToken;
 const jose_1 = require("jose");
 const logger_js_1 = require("../utils/logger.js");
-const crypto_js_1 = require("../utils/crypto.js");
 /**
  * 토큰 검증 및 디코딩
  */
@@ -116,7 +115,7 @@ function createNextAuthJWT(payload, serviceId) {
     return jwt;
 }
 /**
- * NextAuth JWT를 인코딩된 세션 토큰으로 변환
+ * NextAuth JWT를 인코딩된 세션 토큰으로 변환 (HKDF 기반 암호화 적용)
  */
 async function encodeNextAuthToken(jwt, secret, maxAge = 30 * 24 * 60 * 60) {
     try {
@@ -130,14 +129,23 @@ async function encodeNextAuthToken(jwt, secret, maxAge = 30 * 24 * 60 * 60) {
         return encoded;
     }
     catch (error) {
-        (0, logger_js_1.debugLog)('encodeNextAuthToken', 'NextAuth encode failed, using jose EncryptJWT fallback', error);
-        const secretHash = await (0, crypto_js_1.createHashSHA256)(secret);
-        const keyBytes = new Uint8Array(32);
-        for (let i = 0; i < 32; i++) {
-            keyBytes[i] = parseInt(secretHash.slice(i * 2, i * 2 + 2), 16);
-        }
+        (0, logger_js_1.debugLog)('encodeNextAuthToken', 'NextAuth encode failed, using jose EncryptJWT fallback with HKDF', error);
+        // NextAuth.js의 표준 HKDF 키 유도 방식 구현
+        // https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/jwt/index.ts
         const now = Math.floor(Date.now() / 1000);
         try {
+            // Web Crypto API를 이용한 HKDF 구현
+            const encoder = new TextEncoder();
+            const secretKey = await crypto.subtle.importKey('raw', encoder.encode(secret), 'HKDF', false, ['deriveKey']);
+            const derivedKey = await crypto.subtle.deriveKey({
+                name: 'HKDF',
+                hash: 'SHA-256',
+                salt: encoder.encode(''),
+                info: encoder.encode('NextAuth.js Generated Encryption Key'),
+            }, secretKey, { name: 'AES-GCM', length: 256 }, true, ['encrypt']);
+            // 유도된 키를 Uint8Array로 변환
+            const exportedKey = await crypto.subtle.exportKey('raw', derivedKey);
+            const keyBytes = new Uint8Array(exportedKey);
             const token = await new jose_1.EncryptJWT(jwt)
                 .setProtectedHeader({
                 alg: 'dir',
@@ -150,7 +158,7 @@ async function encodeNextAuthToken(jwt, secret, maxAge = 30 * 24 * 60 * 60) {
             return token;
         }
         catch (encryptError) {
-            (0, logger_js_1.debugError)('encodeNextAuthToken', 'EncryptJWT also failed:', encryptError);
+            (0, logger_js_1.debugError)('encodeNextAuthToken', 'HKDF EncryptJWT failed:', encryptError);
             throw new Error(`Failed to encode NextAuth token: ${error instanceof Error ? error.message : String(error)}`);
         }
     }

package/dist/types/index.d.ts

@@ -14,8 +14,6 @@ export interface ResponseLike {
 export interface ServiceInfo {
     serviceId: string;
     role: string;
-    joinedAt: string;
-    lastAccessAt?: string;
     expiredAt?: string;
     status: string;
     isFree?: boolean;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@thinkingcat/auth-utils",
-  "version": "2.0.6",
+  "version": "2.0.8",
   "description": "Authentication utilities for ThinkingCat SSO services with conditional logging",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",