@tstdl/base 0.83.3 → 0.83.4

package/authentication/server/authentication.service.d.ts

@@ -9,8 +9,15 @@ import { AuthenticationSessionRepository } from './authentication-session.reposi
 import { AuthenticationSubjectResolver } from './authentication-subject.resolver.js';
 import { AuthenticationTokenPayloadProvider } from './authentication-token-payload.provider.js';
 export declare class AuthenticationServiceOptions {
-    /** Secret used for signing tokens and refreshTokens */
-    secret: string;
+    /**
+     * Secrets used for signing tokens and refreshTokens
+     * If single secret is provided, multiple secrets are derived internally
+     */
+    secret: string | BinaryData | {
+        tokenSigningSecret: Uint8Array;
+        refreshTokenSigningSecret: Uint8Array;
+        secretResetTokenSigningSecret: Uint8Array;
+    };
     /** Token version, forces refresh on mismatch (useful if payload changes) */
     version?: number;
     /** How long a token is valid */
@@ -39,6 +46,7 @@ export declare class AuthenticationService<AdditionalTokenPayload = Record<never
     private readonly tokenPayloadProvider;
     private readonly subjectResolver;
     private readonly authenticationResetSecretHandler;
+    private readonly options;
     private readonly secret;
     private readonly tokenVersion;
     private readonly tokenTimeToLive;

package/authentication/server/authentication.service.js

@@ -60,7 +60,10 @@ var __param = function(paramIndex, decorator) {
   };
 };
 class AuthenticationServiceOptions {
-  /** Secret used for signing tokens and refreshTokens */
+  /**
+   * Secrets used for signing tokens and refreshTokens
+   * If single secret is provided, multiple secrets are derived internally
+   */
   secret;
   /** Token version, forces refresh on mismatch (useful if payload changes) */
   version;
@@ -79,6 +82,7 @@ let AuthenticationService = class AuthenticationService2 {
   tokenPayloadProvider;
   subjectResolver;
   authenticationResetSecretHandler;
+  options;
   secret;
   tokenVersion;
   tokenTimeToLive;
@@ -94,7 +98,7 @@ let AuthenticationService = class AuthenticationService2 {
     this.subjectResolver = subjectResolver;
     this.tokenPayloadProvider = tokenPayloadProvider;
     this.authenticationResetSecretHandler = authenticationResetSecretHandler;
-    this.secret = options.secret;
+    this.options = options;
     this.tokenVersion = options.version ?? 1;
     this.tokenTimeToLive = options.tokenTimeToLive ?? 5 * import_units.millisecondsPerMinute;
     this.refreshTokenTimeToLive = options.refreshTokenTimeToLive ?? 5 * import_units.millisecondsPerDay;
@@ -104,7 +108,13 @@ let AuthenticationService = class AuthenticationService2 {
     await this.initialize();
   }
   async initialize() {
-    await this.deriveSigningSecrets();
+    if ((0, import_type_guards.isString)(this.options.secret) || (0, import_type_guards.isBinaryData)(this.options.secret)) {
+      await this.deriveSigningSecrets(this.options.secret);
+    } else {
+      this.derivedTokenSigningSecret = this.options.secret.tokenSigningSecret;
+      this.derivedRefreshTokenSigningSecret = this.options.secret.refreshTokenSigningSecret;
+      this.derivedSecretResetTokenSigningSecret = this.options.secret.secretResetTokenSigningSecret;
+    }
   }
   async setCredentials(subject, secret) {
     const actualSubject = await this.resolveSubject(subject);
@@ -269,9 +279,10 @@ let AuthenticationService = class AuthenticationService2 {
     const token = await (0, import_jwt.createJwtTokenString)(jsonToken, this.derivedSecretResetTokenSigningSecret);
     return { token, jsonToken };
   }
-  async deriveSigningSecrets() {
-    const key = await (0, import_cryptography.importPbkdf2Key)(this.secret);
-    const [derivedTokenSigningSecret, derivedRefreshTokenSigningSecret, derivedSecretResetTokenSigningSecret] = await (0, import_cryptography.deriveBytesMultiple)(3, SIGNING_SECRETS_LENGTH / 8, { name: "PBKDF2", hash: "SHA-512", iterations: 5e5, salt: new Uint8Array() }, key);
+  async deriveSigningSecrets(secret) {
+    const key = await (0, import_cryptography.importPbkdf2Key)(secret);
+    const algorithm = { name: "PBKDF2", hash: "SHA-512", iterations: 5e5, salt: new Uint8Array() };
+    const [derivedTokenSigningSecret, derivedRefreshTokenSigningSecret, derivedSecretResetTokenSigningSecret] = await (0, import_cryptography.deriveBytesMultiple)(algorithm, key, 3, SIGNING_SECRETS_LENGTH / 8);
     this.derivedTokenSigningSecret = derivedTokenSigningSecret;
     this.derivedRefreshTokenSigningSecret = derivedRefreshTokenSigningSecret;
     this.derivedSecretResetTokenSigningSecret = derivedSecretResetTokenSigningSecret;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tstdl/base",
-  "version": "0.83.3",
+  "version": "0.83.4",
   "author": "Patrick Hein",
   "publishConfig": {
     "access": "public"

package/utils/cryptography.d.ts

@@ -8,6 +8,7 @@ export type AsymmetricAlgorithm = 'RSASSA-PKCS1-v1_5' | 'RSA-PSS' | 'RSA-OAEP' |
 export type CryptionAlgorithm = Parameters<typeof crypto.subtle.encrypt>[0];
 export type SignAlgorithm = Parameters<typeof crypto.subtle.sign>[0];
 export type KeyAlgorithm = Parameters<typeof crypto.subtle.generateKey>[0];
+export type DeriveAlgorithm = Parameters<typeof globalThis.crypto.subtle.deriveBits>['0'];
 export type KeyType = 'raw' | 'pkcs8' | 'spki' | 'jwk';
 export type Key = JsonWebKey | BinaryData;
 export type ScryptOptions = {
@@ -105,13 +106,18 @@ export declare function generateEcdsaKey(curve: EcdsaCurve, extractable?: boolea
  * @param extractable whether the key can be used for exportKey
  */
 export declare function generatePbkdf2Key(extractable?: boolean): Promise<CryptoKey>;
-type AlgorithmParameter = Parameters<typeof globalThis.crypto.subtle.deriveBits>['0'];
 /**
- * derive multiply byte arrays
+ * derive byte array from key
+ * @param length length in bytes
+ * @param algorithm algorithm to derive with
+ * @param baseKey key to derive from
+ */
+export declare function deriveBytes(algorithm: DeriveAlgorithm, baseKey: CryptoKey, length: number): Promise<Uint8Array>;
+/**
+ * derive multiply byte arrays from key
  * @param count how many Uint8Arrays to dervice
  * @param length length of each Uint8Array in bytes
  * @param algorithm algorithm to derive with
  * @param baseKey key to derive from
  */
-export declare function deriveBytesMultiple<C extends number>(count: C, length: number, algorithm: AlgorithmParameter, baseKey: CryptoKey): Promise<ReadonlyTuple<Uint8Array, C>>;
-export {};
+export declare function deriveBytesMultiple<C extends number>(algorithm: DeriveAlgorithm, baseKey: CryptoKey, count: C, length: number): Promise<ReadonlyTuple<Uint8Array, C>>;

package/utils/cryptography.js

@@ -19,6 +19,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var cryptography_exports = {};
 __export(cryptography_exports, {
   decrypt: () => decrypt,
+  deriveBytes: () => deriveBytes,
   deriveBytesMultiple: () => deriveBytesMultiple,
   digest: () => digest,
   encrypt: () => encrypt,
@@ -122,7 +123,11 @@ async function generatePbkdf2Key(extractable = false) {
   const key = (0, import_random.getRandomBytes)(16);
   return importPbkdf2Key(key, extractable);
 }
-async function deriveBytesMultiple(count, length, algorithm, baseKey) {
+async function deriveBytes(algorithm, baseKey, length) {
+  const bytes = await globalThis.crypto.subtle.deriveBits(algorithm, baseKey, length * 8);
+  return new Uint8Array(bytes);
+}
+async function deriveBytesMultiple(algorithm, baseKey, count, length) {
   const totalBits = count * length * 8;
   const bytes = await globalThis.crypto.subtle.deriveBits(algorithm, baseKey, totalBits);
   return (0, import_array.createArray)(count, (index) => new Uint8Array(bytes.slice(index * length, index * length + length)));

package/utils/type-guards.d.ts

@@ -118,6 +118,12 @@ export declare function assertBlob(value: any, message?: AssertionMessage): asse
 export declare function assertNotBlob<T>(value: T, message?: AssertionMessage): asserts value is InferIsNotType<T, typeof isBlob>;
 export declare function assertBlobPass(value: any, message?: AssertionMessage): InferIsType<typeof isBlob>;
 export declare function assertNotBlobPass<T>(value: T, message?: AssertionMessage): InferIsNotType<T, typeof isBlob>;
+export declare function isBinaryData(value: any): value is BinaryData;
+export declare function isNotBinaryData<T>(value: T): value is InferIsNotType<T, typeof isBinaryData>;
+export declare function assertBinaryData(value: any, message?: AssertionMessage): asserts value is InferIsType<typeof isBinaryData>;
+export declare function assertNotBinaryData<T>(value: T, message?: AssertionMessage): asserts value is InferIsNotType<T, typeof isBinaryData>;
+export declare function assertBinaryDataPass(value: any, message?: AssertionMessage): InferIsType<typeof isBinaryData>;
+export declare function assertNotBinaryDataPass<T>(value: T, message?: AssertionMessage): InferIsNotType<T, typeof isBinaryData>;
 export declare function isArrayBuffer(value: any): value is ArrayBuffer;
 export declare function isNotArrayBuffer<T>(value: T): value is InferIsNotType<T, typeof isArrayBuffer>;
 export declare function assertArrayBuffer(value: any, message?: AssertionMessage): asserts value is InferIsType<typeof isArrayBuffer>;

package/utils/type-guards.js

@@ -31,6 +31,8 @@ __export(type_guards_exports, {
   assertBigIntPass: () => assertBigIntPass,
   assertBigUint64Array: () => assertBigUint64Array,
   assertBigUint64ArrayPass: () => assertBigUint64ArrayPass,
+  assertBinaryData: () => assertBinaryData,
+  assertBinaryDataPass: () => assertBinaryDataPass,
   assertBlob: () => assertBlob,
   assertBlobPass: () => assertBlobPass,
   assertBoolean: () => assertBoolean,
@@ -70,6 +72,8 @@ __export(type_guards_exports, {
   assertNotBigIntPass: () => assertNotBigIntPass,
   assertNotBigUint64Array: () => assertNotBigUint64Array,
   assertNotBigUint64ArrayPass: () => assertNotBigUint64ArrayPass,
+  assertNotBinaryData: () => assertNotBinaryData,
+  assertNotBinaryDataPass: () => assertNotBinaryDataPass,
   assertNotBlob: () => assertNotBlob,
   assertNotBlobPass: () => assertNotBlobPass,
   assertNotBoolean: () => assertNotBoolean,
@@ -178,6 +182,7 @@ __export(type_guards_exports, {
   isBigInt: () => isBigInt,
   isBigInt64Array: () => isBigInt64Array,
   isBigUint64Array: () => isBigUint64Array,
+  isBinaryData: () => isBinaryData,
   isBlob: () => isBlob,
   isBoolean: () => isBoolean,
   isDataView: () => isDataView,
@@ -197,6 +202,7 @@ __export(type_guards_exports, {
   isNotBigInt: () => isNotBigInt,
   isNotBigInt64Array: () => isNotBigInt64Array,
   isNotBigUint64Array: () => isNotBigUint64Array,
+  isNotBinaryData: () => isNotBinaryData,
   isNotBlob: () => isNotBlob,
   isNotBoolean: () => isNotBoolean,
   isNotDataView: () => isNotDataView,
@@ -642,6 +648,26 @@ function assertNotBlobPass(value, message) {
   assertNotBlob(value, message);
   return value;
 }
+function isBinaryData(value) {
+  return isArrayBuffer(value) || isArrayBufferView(value);
+}
+function isNotBinaryData(value) {
+  return !isBinaryData(value);
+}
+function assertBinaryData(value, message = "Expected value to be BinaryData.") {
+  assert(isBinaryData(value), message);
+}
+function assertNotBinaryData(value, message = "Expected value to not be BinaryData.") {
+  assert(isNotBinaryData(value), message);
+}
+function assertBinaryDataPass(value, message) {
+  assertBinaryData(value, message);
+  return value;
+}
+function assertNotBinaryDataPass(value, message) {
+  assertNotBinaryData(value, message);
+  return value;
+}
 function isArrayBuffer(value) {
   return value instanceof ArrayBuffer;
 }