@tidecloak/verify 0.9.11 → 0.9.13

package/README.md

@@ -1,6 +1,6 @@
 # TideCloak Verify SDK
 
-A lightweight utility for server-side verification of TideCloak-issued JSON Web Tokens (JWTs).
+A lightweight utility for server‑side verification of TideCloak‑issued JSON Web Tokens (JWTs).
 
 This package exports a single function, `verifyTideCloakToken`, which you can use in your Next.js API routes, Node.js servers, or any backend to verify the authenticity, issuer, audience, and roles of a JWT issued by your TideCloak realm.
 

package/dist/cjs/TideJWT.js

@@ -0,0 +1,53 @@
+import { jwtVerify, createLocalJWKSet, createRemoteJWKSet } from "jose";
+/**
+ * Verify a TideCloak-issued JWT on the server side using your imported config object.
+ *
+ * @param {object} config - Imported TideCloak configuration (parsed JSON).
+ * @param {string} token - access token to verify.
+ * @param {string[]} [allowedRoles] - Array of Keycloak realm or client roles; user must have at least one.
+ * @returns {Promise<object|null>} - The token payload if valid and role-check passes, otherwise null.
+ */
+export async function verifyTideCloakToken(config, token, allowedRoles = []) {
+    var _a, _b, _c;
+    try {
+        // Ensure token is provided
+        if (!token) {
+            throw new Error("No token provided");
+        }
+        // Ensure config is provided
+        if (!config || Object.keys(config).length === 0) {
+            throw new Error("Could not load TideCloak configuration");
+        }
+        // Construct issuer URL (ensure slash before 'realms')
+        const baseUrl = config["auth-server-url"];
+        const sep = baseUrl.endsWith("/") ? "" : "/";
+        const issuer = `${baseUrl}${sep}realms/${config.realm}`;
+        // Determine JWK set (use local JWKs if provided, otherwise fetch remotely)
+        const jwkSet = config.jwk
+            ? createLocalJWKSet(config.jwk)
+            : createRemoteJWKSet(new URL(`${issuer}/protocol/openid-connect/certs`));
+        // Verify token signature and issuer
+        const { payload } = await jwtVerify(token, jwkSet, { issuer });
+        // Verify authorized party (client)
+        const client = config["resource"];
+        if (payload.azp !== client) {
+            throw new Error(`AZP mismatch: expected '${config.resource}', got '${payload.azp}'`);
+        }
+        // Gather all user roles from realm and client roles for the specified resource from the config.
+        const realmRoles = ((_a = payload.realm_access) === null || _a === void 0 ? void 0 : _a.roles) || [];
+        const clientRoles = ((_c = (_b = payload.resource_access) === null || _b === void 0 ? void 0 : _b[client]) === null || _c === void 0 ? void 0 : _c.roles) || [];
+        const allRoles = new Set([...realmRoles, ...clientRoles]);
+        // If allowedRoles specified, ensure at least one match
+        if (allowedRoles.length > 0) {
+            const hasAllowed = allowedRoles.some(role => allRoles.has(role));
+            if (!hasAllowed) {
+                throw new Error(`Role match failed: user roles [${[...allRoles].join(", ")}] do not include any of [${allowedRoles.join(", ")}]`);
+            }
+        }
+        return payload;
+    }
+    catch (err) {
+        console.error("[TideJWT] Token verification failed:", err);
+        return null;
+    }
+}

package/dist/esm/TideJWT.js

@@ -0,0 +1,53 @@
+import { jwtVerify, createLocalJWKSet, createRemoteJWKSet } from "jose";
+/**
+ * Verify a TideCloak-issued JWT on the server side using your imported config object.
+ *
+ * @param {object} config - Imported TideCloak configuration (parsed JSON).
+ * @param {string} token - access token to verify.
+ * @param {string[]} [allowedRoles] - Array of Keycloak realm or client roles; user must have at least one.
+ * @returns {Promise<object|null>} - The token payload if valid and role-check passes, otherwise null.
+ */
+export async function verifyTideCloakToken(config, token, allowedRoles = []) {
+    var _a, _b, _c;
+    try {
+        // Ensure token is provided
+        if (!token) {
+            throw new Error("No token provided");
+        }
+        // Ensure config is provided
+        if (!config || Object.keys(config).length === 0) {
+            throw new Error("Could not load TideCloak configuration");
+        }
+        // Construct issuer URL (ensure slash before 'realms')
+        const baseUrl = config["auth-server-url"];
+        const sep = baseUrl.endsWith("/") ? "" : "/";
+        const issuer = `${baseUrl}${sep}realms/${config.realm}`;
+        // Determine JWK set (use local JWKs if provided, otherwise fetch remotely)
+        const jwkSet = config.jwk
+            ? createLocalJWKSet(config.jwk)
+            : createRemoteJWKSet(new URL(`${issuer}/protocol/openid-connect/certs`));
+        // Verify token signature and issuer
+        const { payload } = await jwtVerify(token, jwkSet, { issuer });
+        // Verify authorized party (client)
+        const client = config["resource"];
+        if (payload.azp !== client) {
+            throw new Error(`AZP mismatch: expected '${config.resource}', got '${payload.azp}'`);
+        }
+        // Gather all user roles from realm and client roles for the specified resource from the config.
+        const realmRoles = ((_a = payload.realm_access) === null || _a === void 0 ? void 0 : _a.roles) || [];
+        const clientRoles = ((_c = (_b = payload.resource_access) === null || _b === void 0 ? void 0 : _b[client]) === null || _c === void 0 ? void 0 : _c.roles) || [];
+        const allRoles = new Set([...realmRoles, ...clientRoles]);
+        // If allowedRoles specified, ensure at least one match
+        if (allowedRoles.length > 0) {
+            const hasAllowed = allowedRoles.some(role => allRoles.has(role));
+            if (!hasAllowed) {
+                throw new Error(`Role match failed: user roles [${[...allRoles].join(", ")}] do not include any of [${allowedRoles.join(", ")}]`);
+            }
+        }
+        return payload;
+    }
+    catch (err) {
+        console.error("[TideJWT] Token verification failed:", err);
+        return null;
+    }
+}

package/dist/types/TideJWT.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Verify a TideCloak-issued JWT on the server side using your imported config object.
+ *
+ * @param {object} config - Imported TideCloak configuration (parsed JSON).
+ * @param {string} token - access token to verify.
+ * @param {string[]} [allowedRoles] - Array of Keycloak realm or client roles; user must have at least one.
+ * @returns {Promise<object|null>} - The token payload if valid and role-check passes, otherwise null.
+ */
+export function verifyTideCloakToken(config: object, token: string, allowedRoles?: string[]): Promise<object | null>;
+//# sourceMappingURL=TideJWT.d.ts.map

package/dist/types/TideJWT.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TideJWT.d.ts","sourceRoot":"","sources":["../../src/TideJWT.js"],"names":[],"mappings":"AAEA;;;;;;;GAOG;AACH,6CALW,MAAM,SACN,MAAM,iBACN,MAAM,EAAE,GACN,OAAO,CAAC,MAAM,GAAC,IAAI,CAAC,CAsDhC"}

package/package.json

@@ -1,15 +1,16 @@
 {
   "name": "@tidecloak/verify",
-  "version": "0.9.11",
+  "version": "0.9.13",
   "description": "A lightweight utility for server-side verification of TideCloak-issued JSON Web Tokens (JWTs).",
   "exports": {
     ".": {
-      "types": "./src/TideJWT.d.ts",
-      "default": "./src/TideJWT.js"
+      "import": "./dist/esm/TideJWT.js",
+      "types": "./dist/types/TideJWT.d.ts",
+      "require": "./dist/cjs/TideJWT.js"
     }
   },
   "files": [
-    "src"
+    "dist"
   ],
   "scripts": {
     "build:cjs": "tsc -p tsconfig.cjs.json",

package/src/TideJWT.js

@@ -1,63 +0,0 @@
-import { jwtVerify, createLocalJWKSet, createRemoteJWKSet } from "jose";
-
-/**
- * Verify a TideCloak-issued JWT on the server side using your imported config object.
- *
- * @param {object} config - Imported TideCloak configuration (parsed JSON).
- * @param {string} token - access token to verify.
- * @param {string[]} [allowedRoles] - Array of Keycloak realm or client roles; user must have at least one.
- * @returns {Promise<object|null>} - The token payload if valid and role-check passes, otherwise null.
- */
-export async function verifyTideCloakToken(config, token, allowedRoles = []) {
-  try {
-
-    // Ensure token is provided
-    if (!token) {
-      throw new Error("No token provided");
-    }
-
-    // Ensure config is provided
-    if (!config || Object.keys(config).length === 0) {
-      throw new Error("Could not load TideCloak configuration");
-    }
-
-    // Construct issuer URL (ensure slash before 'realms')
-    const baseUrl = config["auth-server-url"];
-    const sep = baseUrl.endsWith("/") ? "" : "/";
-    const issuer = `${baseUrl}${sep}realms/${config.realm}`;
-
-    // Determine JWK set (use local JWKs if provided, otherwise fetch remotely)
-    const jwkSet = config.jwk
-      ? createLocalJWKSet(config.jwk)
-      : createRemoteJWKSet(new URL(`${issuer}/protocol/openid-connect/certs`));
-
-    // Verify token signature and issuer
-    const { payload } = await jwtVerify(token, jwkSet, { issuer });
-
-    // Verify authorized party (client)
-    const client = config["resource"];
-    if (payload.azp !== client) {
-      throw new Error(`AZP mismatch: expected '${config.resource}', got '${payload.azp}'`);
-    }
-
-    // Gather all user roles from realm and client roles for the specified resource from the config.
-    const realmRoles = payload.realm_access?.roles || [];
-    const clientRoles = payload.resource_access?.[client]?.roles || [];
-    const allRoles = new Set([...realmRoles, ...clientRoles]);
-
-    // If allowedRoles specified, ensure at least one match
-    if (allowedRoles.length > 0) {
-      const hasAllowed = allowedRoles.some(role => allRoles.has(role));
-      if (!hasAllowed) {
-        throw new Error(
-          `Role match failed: user roles [${[...allRoles].join(", ")}] do not include any of [${allowedRoles.join(", ")}]`
-        );
-      }
-    }
-
-    return payload;
-  } catch (err) {
-    console.error("[TideJWT] Token verification failed:", err);
-    return null;
-  }
-}