@twin.org/web 0.0.1-next.5 → 0.0.1-next.51

package/dist/esm/index.mjs

@@ -1,5 +1,6 @@
-import { BaseError, StringHelper, Guards, Is, AsyncCache, ObjectHelper, Converter, GeneralError, ArrayHelper } from '@twin.org/core';
-import { HmacSha256, Ed25519 } from '@twin.org/crypto';
+import { BaseError, StringHelper, Guards, Is, AsyncCache, ObjectHelper, GeneralError, Converter } from '@twin.org/core';
+import { Ed25519 } from '@twin.org/crypto';
+import { importJWK, CompactSign, flattenedVerify, SignJWT, jwtVerify } from 'jose';
 
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
@@ -37,35 +38,35 @@ const HeaderTypes = {
     /**
      * Content Type.
      */
-    ContentType: "Content-Type",
+    ContentType: "content-type",
     /**
      * Content Length.
      */
-    ContentLength: "Content-Length",
+    ContentLength: "content-length",
     /**
      * Content Disposition.
      */
-    ContentDisposition: "Content-Disposition",
+    ContentDisposition: "content-disposition",
     /**
      * Accept.
      */
-    Accept: "Accept",
+    Accept: "accept",
     /**
      * Authorization.
      */
-    Authorization: "Authorization",
+    Authorization: "authorization",
     /**
      * Cookie.
      */
-    Cookie: "Cookie",
+    Cookie: "cookie",
     /**
      * Set Cookie.
      */
-    SetCookie: "Set-Cookie",
+    SetCookie: "set-cookie",
     /**
      * Location
      */
-    Location: "Location"
+    Location: "location"
 };
 
 // Copyright 2024 IOTA Stiftung.
@@ -343,23 +344,6 @@ const HttpStatusCode = {
     networkAuthenticationRequired: 511
 };
 
-// Copyright 2024 IOTA Stiftung.
-// SPDX-License-Identifier: Apache-2.0.
-/**
- * The cryptographic algorithms supported for JSON Web Tokens and JSON Web Keys.
- */
-// eslint-disable-next-line @typescript-eslint/naming-convention
-const JwtAlgorithms = {
-    /**
-     * HMAC using SHA-256.
-     */
-    HS256: "HS256",
-    /**
-     * EdDSA using Ed25519.
-     */
-    EdDSA: "EdDSA"
-};
-
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 /**
@@ -387,6 +371,10 @@ const MimeTypes = {
      * JSON-LD - application/ld+json
      */
     JsonLd: "application/ld+json",
+    /**
+     * JWT - application/jwt
+     */
+    Jwt: "application/jwt",
     /**
      * XML - application/xml
      */
@@ -696,6 +684,15 @@ class FetchHelper {
     static async getCacheEntry(url) {
         return AsyncCache.get(`${FetchHelper._CACHE_PREFIX}${url}`);
     }
+    /**
+     * Set a cache entry.
+     * @param url The url for the request.
+     * @param value The value to cache.
+     * @returns The cache entry if it exists.
+     */
+    static async setCacheEntry(url, value) {
+        AsyncCache.set(`${FetchHelper._CACHE_PREFIX}${url}`, value);
+    }
     /**
      * Remove a cache entry.
      * @param url The url for the request.
@@ -708,7 +705,145 @@ class FetchHelper {
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 /**
- * Class to encode and decode JSON Web Tokens.
+ * Class to handle JSON Web Keys.
+ */
+class Jwk {
+    /**
+     * Runtime name for the class.
+     * @internal
+     */
+    static _CLASS_NAME = "Jwk";
+    /**
+     * Convert the JWK to a crypto key.
+     * @param jwk The JWK to convert.
+     * @returns The crypto key.
+     */
+    static async toCryptoKey(jwk) {
+        Guards.object(Jwk._CLASS_NAME, "jwk", jwk);
+        try {
+            return importJWK(jwk);
+        }
+        catch (err) {
+            throw new GeneralError(Jwk._CLASS_NAME, "jwkImportFailed", undefined, err);
+        }
+    }
+    /**
+     * Convert the Ed25519 private key to a crypto key.
+     * @param privateKey The private key to use.
+     * @returns The crypto key.
+     */
+    static async fromEd25519Private(privateKey) {
+        Guards.uint8Array(Jwk._CLASS_NAME, "privateKey", privateKey);
+        const publicKey = Ed25519.publicKeyFromPrivateKey(privateKey);
+        const jwk = {
+            kty: "OKP",
+            use: "enc",
+            alg: "EdDSA",
+            crv: "Ed25519",
+            x: Converter.bytesToBase64Url(publicKey),
+            d: Converter.bytesToBase64Url(privateKey)
+        };
+        return jwk;
+    }
+    /**
+     * Convert the Ed25519 public key to a crypto key.
+     * @param publicKey The private key to use.
+     * @returns The crypto key.
+     */
+    static async fromEd25519Public(publicKey) {
+        Guards.uint8Array(Jwk._CLASS_NAME, "publicKey", publicKey);
+        const jwk = {
+            kty: "OKP",
+            use: "sig",
+            alg: "EdDSA",
+            crv: "Ed25519",
+            x: Converter.bytesToBase64Url(publicKey)
+        };
+        return jwk;
+    }
+    /**
+     * Convert the JWK to raw keys.
+     * @param jwk The JWK to convert to raw.
+     * @returns The crypto key.
+     */
+    static async toRaw(jwk) {
+        Guards.object(Jwk._CLASS_NAME, "jwk", jwk);
+        let publicKey;
+        let privateKey;
+        if (Is.stringBase64Url(jwk.x)) {
+            publicKey = Converter.base64UrlToBytes(jwk.x);
+        }
+        if (Is.stringBase64Url(jwk.d)) {
+            privateKey = Converter.base64UrlToBytes(jwk.d);
+        }
+        return {
+            publicKey,
+            privateKey
+        };
+    }
+}
+
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+/**
+ * Class to handle JSON Web Signatures.
+ */
+class Jws {
+    /**
+     * Runtime name for the class.
+     * @internal
+     */
+    static _CLASS_NAME = "Jws";
+    /**
+     * Create a signature.
+     * @param privateKey The private key to use.
+     * @param hash The hash to sign.
+     * @param algOverride An optional algorithm override.
+     * @returns The signature.
+     */
+    static async create(privateKey, hash, algOverride) {
+        Guards.defined(Jws._CLASS_NAME, "privateKey", privateKey);
+        Guards.uint8Array(Jws._CLASS_NAME, "hash", hash);
+        try {
+            const jws = await new CompactSign(hash)
+                .setProtectedHeader({
+                alg: Is.uint8Array(privateKey) ? (algOverride ?? "EdDSA") : privateKey.algorithm.name,
+                b64: false,
+                crit: ["b64"]
+            })
+                .sign(privateKey);
+            return jws;
+        }
+        catch (err) {
+            throw new GeneralError(Jws._CLASS_NAME, "createFailed", undefined, err);
+        }
+    }
+    /**
+     * Verify a signature.
+     * @param jws The signature to verify.
+     * @param publicKey The public key to verify the signature with.
+     * @param hash The hash to verify.
+     * @returns True if the signature was verified.
+     */
+    static async verify(jws, publicKey, hash) {
+        Guards.stringValue(Jws._CLASS_NAME, "jws", jws);
+        Guards.defined(Jws._CLASS_NAME, "publicKey", publicKey);
+        Guards.uint8Array(Jws._CLASS_NAME, "hash", hash);
+        try {
+            const jwsParts = jws.split(".");
+            await flattenedVerify({ protected: jwsParts[0], payload: hash, signature: jwsParts[2] }, publicKey);
+            return true;
+        }
+        catch (err) {
+            throw new GeneralError(Jws._CLASS_NAME, "verifyFailed", undefined, err);
+        }
+    }
+}
+
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+/**
+ * Class to handle JSON Web Tokens.
  */
 class Jwt {
     /**
@@ -725,9 +860,8 @@ class Jwt {
      */
     static async encode(header, payload, key) {
         Guards.object(Jwt._CLASS_NAME, "header", header);
-        Guards.arrayOneOf(Jwt._CLASS_NAME, "header.alg", header.alg, Object.values(JwtAlgorithms));
         Guards.object(Jwt._CLASS_NAME, "payload", payload);
-        Guards.uint8Array(Jwt._CLASS_NAME, "key", key);
+        Guards.defined(Jwt._CLASS_NAME, "key", key);
         return Jwt.internalEncode(header, payload, key);
     }
     /**
@@ -739,7 +873,7 @@ class Jwt {
      */
     static async encodeWithSigner(header, payload, signer) {
         Guards.object(Jwt._CLASS_NAME, "header", header);
-        Guards.arrayOneOf(Jwt._CLASS_NAME, "header.alg", header.alg, Object.values(JwtAlgorithms));
+        Guards.stringValue(Jwt._CLASS_NAME, "header.alg", header.alg);
         Guards.object(Jwt._CLASS_NAME, "payload", payload);
         Guards.function(Jwt._CLASS_NAME, "signer", signer);
         return Jwt.internalEncode(header, payload, undefined, signer);
@@ -786,13 +920,8 @@ class Jwt {
      */
     static async verify(token, key) {
         Guards.stringValue(Jwt._CLASS_NAME, "token", token);
-        Guards.uint8Array(Jwt._CLASS_NAME, "key", key);
-        const decoded = await Jwt.decode(token);
-        const verified = await Jwt.verifySignature(decoded.header, decoded.payload, decoded.signature, key);
-        return {
-            verified,
-            ...decoded
-        };
+        Guards.defined(Jwt._CLASS_NAME, "key", key);
+        return Jwt.verifySignature(token, key);
     }
     /**
      * Verify a token.
@@ -803,79 +932,131 @@ class Jwt {
     static async verifyWithVerifier(token, verifier) {
         Guards.stringValue(Jwt._CLASS_NAME, "token", token);
         Guards.function(Jwt._CLASS_NAME, "verifier", verifier);
-        Guards.stringValue(Jwt._CLASS_NAME, "token", token);
-        const decoded = await Jwt.decode(token);
-        const verified = await Jwt.verifySignature(decoded.header, decoded.payload, decoded.signature, undefined, verifier);
-        return {
-            verified,
-            ...decoded
-        };
+        return Jwt.verifySignature(token, undefined, verifier);
     }
     /**
      * Verify a token by parts.
-     * @param header The header to verify.
-     * @param payload The payload to verify.
-     * @param signature The signature to verify.
+     * @param token The token to verify.
      * @param key The key for verifying the token, if not provided no verification occurs.
      * @param verifier Custom verification method.
      * @returns True if the parts are verified.
      */
-    static async verifySignature(header, payload, signature, key, verifier) {
+    static async verifySignature(token, key, verifier) {
+        Guards.stringValue(Jwt._CLASS_NAME, "token", token);
         const hasKey = Is.notEmpty(key);
         const hasVerifier = Is.notEmpty(verifier);
         if (!hasKey && !hasVerifier) {
             throw new GeneralError(Jwt._CLASS_NAME, "noKeyOrVerifier");
         }
-        let verified = false;
-        if (Is.object(header) &&
-            Is.object(payload) &&
-            Is.uint8Array(signature) &&
-            Is.arrayOneOf(header.alg, Object.values(JwtAlgorithms))) {
-            const segments = [];
-            const headerBytes = Converter.utf8ToBytes(JSON.stringify(header));
-            segments.push(Converter.bytesToBase64Url(headerBytes));
-            const payloadBytes = Converter.utf8ToBytes(JSON.stringify(payload));
-            segments.push(Converter.bytesToBase64Url(payloadBytes));
-            const jwtHeaderAndPayload = Converter.utf8ToBytes(segments.join("."));
-            verifier ??= async (alg, k, p, s) => Jwt.defaultVerifier(alg, k, p, s);
-            verified = await verifier(header.alg, key, jwtHeaderAndPayload, signature);
-        }
-        return verified;
+        verifier ??= async (t, k) => Jwt.defaultVerifier(t, k);
+        return verifier(token, key);
     }
     /**
      * The default signer for the JWT.
-     * @param alg The algorithm to use.
-     * @param key The key to sign with.
+     * @param header The header to sign.
      * @param payload The payload to sign.
+     * @param key The optional key to sign with.
      * @returns The signature.
      */
-    static async defaultSigner(alg, key, payload) {
-        Guards.uint8Array(Jwt._CLASS_NAME, "key", key);
-        Guards.uint8Array(Jwt._CLASS_NAME, "payload", payload);
-        if (alg === "HS256") {
-            const algo = new HmacSha256(key);
-            return algo.update(payload).digest();
+    static async defaultSigner(header, payload, key) {
+        Guards.object(Jwt._CLASS_NAME, "header", header);
+        Guards.object(Jwt._CLASS_NAME, "payload", payload);
+        Guards.defined(Jwt._CLASS_NAME, "key", key);
+        const signer = new SignJWT(payload);
+        signer.setProtectedHeader(header);
+        let finalKey = key;
+        if (header.alg === "EdDSA" && Is.uint8Array(key)) {
+            // Jose does not support Ed25519 keys in raw format, so we need to convert it to PKCS8.
+            finalKey = await Ed25519.privateKeyToPkcs8(key);
         }
-        return Ed25519.sign(key, payload);
+        return signer.sign(finalKey);
     }
     /**
      * The default verifier for the JWT.
-     * @param alg The algorithm to use.
+     * @param token The token to verify.
      * @param key The key to verify with.
-     * @param payload The payload to verify.
-     * @param signature The signature to verify.
-     * @returns True if the signature was verified.
+     * @returns The header and payload if verification successful.
      */
-    static async defaultVerifier(alg, key, payload, signature) {
-        Guards.uint8Array(Jwt._CLASS_NAME, "key", key);
-        Guards.uint8Array(Jwt._CLASS_NAME, "payload", payload);
+    static async defaultVerifier(token, key) {
+        Guards.stringValue(Jwt._CLASS_NAME, "token", token);
+        Guards.defined(Jwt._CLASS_NAME, "key", key);
+        try {
+            const result = await jwtVerify(token, key);
+            return {
+                header: result.protectedHeader,
+                payload: result.payload
+            };
+        }
+        catch (err) {
+            throw new GeneralError(Jwt._CLASS_NAME, "verifyFailed", undefined, err);
+        }
+    }
+    /**
+     * Create bytes for signing from header and payload.
+     * @param header The header.
+     * @param payload The payload.
+     * @returns The bytes to sign.
+     */
+    static toSigningBytes(header, payload) {
+        Guards.object(Jwt._CLASS_NAME, "header", header);
+        Guards.object(Jwt._CLASS_NAME, "payload", payload);
+        const segments = [];
+        const headerBytes = Converter.utf8ToBytes(JSON.stringify(header));
+        segments.push(Converter.bytesToBase64Url(headerBytes));
+        const payloadBytes = Converter.utf8ToBytes(JSON.stringify(payload));
+        segments.push(Converter.bytesToBase64Url(payloadBytes));
+        return Converter.utf8ToBytes(segments.join("."));
+    }
+    /**
+     * Create header and payload from signing bytes.
+     * @param signingBytes The signing bytes from a token.
+     * @returns The header and payload.
+     * @throws If the signing bytes are invalid
+     */
+    static fromSigningBytes(signingBytes) {
+        Guards.uint8Array(Jwt._CLASS_NAME, "signingBytes", signingBytes);
+        const segments = Converter.bytesToUtf8(signingBytes).split(".");
+        if (segments.length !== 2) {
+            throw new GeneralError(Jwt._CLASS_NAME, "invalidSigningBytes");
+        }
+        const headerBytes = Converter.base64UrlToBytes(segments[0]);
+        const payloadBytes = Converter.base64UrlToBytes(segments[1]);
+        return {
+            header: ObjectHelper.fromBytes(headerBytes),
+            payload: ObjectHelper.fromBytes(payloadBytes)
+        };
+    }
+    /**
+     * Convert signed bytes and signature bytes to token.
+     * @param signingBytes The signed bytes.
+     * @param signature The signature.
+     * @returns The token.
+     */
+    static tokenFromBytes(signingBytes, signature) {
+        Guards.uint8Array(Jwt._CLASS_NAME, "signingBytes", signingBytes);
         Guards.uint8Array(Jwt._CLASS_NAME, "signature", signature);
-        if (alg === "HS256") {
-            const algo = new HmacSha256(key);
-            const sigBytes = algo.update(payload).digest();
-            return ArrayHelper.matches(sigBytes, signature);
+        const signedBytesUtf8 = Converter.bytesToUtf8(signingBytes);
+        const signatureBase64 = Converter.bytesToBase64Url(signature);
+        return `${signedBytesUtf8}.${signatureBase64}`;
+    }
+    /**
+     * Convert the token to signing bytes and signature bytes.
+     * @param token The token to convert to bytes.
+     * @returns The decoded bytes.
+     * @throws If the token is invalid.
+     */
+    static tokenToBytes(token) {
+        Guards.stringValue(Jwt._CLASS_NAME, "token", token);
+        const segments = token.split(".");
+        if (segments.length !== 3) {
+            throw new GeneralError(Jwt._CLASS_NAME, "invalidTokenParts");
         }
-        return Ed25519.verify(key, payload, signature);
+        const signingBytes = Converter.utf8ToBytes(`${segments[0]}.${segments[1]}`);
+        const signature = Converter.base64UrlToBytes(segments[2]);
+        return {
+            signingBytes,
+            signature
+        };
     }
     /**
      * Encode a token.
@@ -892,19 +1073,11 @@ class Jwt {
         if (!hasKey && !hasSigner) {
             throw new GeneralError(Jwt._CLASS_NAME, "noKeyOrSigner");
         }
-        signer ??= async (alg, k, p) => Jwt.defaultSigner(alg, k, p);
+        signer ??= async (h, p, k) => Jwt.defaultSigner(h, p, k);
         if (Is.undefined(header.typ)) {
             header.typ = "JWT";
         }
-        const segments = [];
-        const headerBytes = Converter.utf8ToBytes(JSON.stringify(header));
-        segments.push(Converter.bytesToBase64Url(headerBytes));
-        const payloadBytes = Converter.utf8ToBytes(JSON.stringify(payload));
-        segments.push(Converter.bytesToBase64Url(payloadBytes));
-        const jwtHeaderAndPayload = Converter.utf8ToBytes(segments.join("."));
-        const sigBytes = await signer(header.alg, key, jwtHeaderAndPayload);
-        segments.push(Converter.bytesToBase64Url(sigBytes));
-        return segments.join(".");
+        return signer(header, payload, key);
     }
 }
 
@@ -920,7 +1093,7 @@ class MimeTypeHelper {
      * @returns The mime type if detected.
      */
     static async detect(data) {
-        if (!Is.uint8Array(data)) {
+        if (!Is.uint8Array(data) || data.length === 0) {
             return undefined;
         }
         // Image
@@ -992,12 +1165,13 @@ class MimeTypeHelper {
             [MimeTypes.Javascript]: "js",
             [MimeTypes.Json]: "json",
             [MimeTypes.JsonLd]: "jsonld",
+            [MimeTypes.Jwt]: "jwt",
             [MimeTypes.Xml]: "xml",
             [MimeTypes.OctetStream]: "bin",
             [MimeTypes.Gzip]: "gzip",
             [MimeTypes.Bzip2]: "bz2",
             [MimeTypes.Zip]: "zip",
-            [MimeTypes.Pdf]: "pfd",
+            [MimeTypes.Pdf]: "pdf",
             [MimeTypes.Gif]: "gif",
             [MimeTypes.Bmp]: "bmp",
             [MimeTypes.Jpeg]: "jpeg",
@@ -1043,4 +1217,4 @@ class MimeTypeHelper {
     }
 }
 
-export { FetchError, FetchHelper, HeaderTypes, HttpMethod, HttpStatusCode, Jwt, JwtAlgorithms, MimeTypeHelper, MimeTypes };
+export { FetchError, FetchHelper, HeaderTypes, HttpMethod, HttpStatusCode, Jwk, Jws, Jwt, MimeTypeHelper, MimeTypes };

package/dist/types/index.d.ts

@@ -7,8 +7,10 @@ export * from "./models/IHttpHeaders";
 export * from "./models/IJwk";
 export * from "./models/IJwtHeader";
 export * from "./models/IJwtPayload";
-export * from "./models/jwtAlgorithms";
+export * from "./models/jwkCryptoKey";
 export * from "./models/mimeTypes";
 export * from "./utils/fetchHelper";
+export * from "./utils/jwk";
+export * from "./utils/jws";
 export * from "./utils/jwt";
 export * from "./utils/mimeTypeHelper";

package/dist/types/models/IJwk.d.ts

@@ -1,62 +1,6 @@
-import type { JwtAlgorithms } from "./jwtAlgorithms";
+import type { JWK } from "jose";
 /**
  * The fields in a JSON Web Key.
  */
-export interface IJwk {
-    /**
-     * Additional fields in the key.
-     */
-    [key: string]: unknown;
-    /**
-     * The cryptographic algorithm for the key.
-     */
-    alg?: JwtAlgorithms;
-    /**
-     * The intended use for the key.
-     */
-    use?: string;
-    /**
-     * The operation(s) that the key is intended to be used for.
-     */
-    key_ops?: string[];
-    /**
-     * The key type parameter.
-     */
-    kty: string;
-    /**
-     * The public key parameters.
-     */
-    n?: string;
-    /**
-     * Exponent parameter.
-     */
-    e?: string;
-    /**
-     * The private key parameters.
-     */
-    d?: string;
-    /**
-     * The private key parameters.
-     */
-    p?: string;
-    /**
-     * The private key parameters.
-     */
-    q?: string;
-    /**
-     * The private key parameters.
-     */
-    dp?: string;
-    /**
-     * The private key parameters.
-     */
-    dq?: string;
-    /**
-     * The private key parameters.
-     */
-    qi?: string;
-    /**
-     * The key ID.
-     */
-    kid?: string;
+export interface IJwk extends JWK {
 }

package/dist/types/models/IJwtHeader.d.ts

@@ -1,22 +1,6 @@
-import type { JwtAlgorithms } from "./jwtAlgorithms";
+import type { JWTHeaderParameters } from "jose";
 /**
  * The fields in a JSON Web Token header.
  */
-export interface IJwtHeader {
-    /**
-     * Additional fields in the header.
-     */
-    [key: string]: unknown;
-    /**
-     * The type of the token.
-     */
-    typ?: string;
-    /**
-     * The algorithm used to sign the token.
-     */
-    alg: JwtAlgorithms;
-    /**
-     * The key ID.
-     */
-    kid?: string;
+export interface IJwtHeader extends JWTHeaderParameters {
 }

package/dist/types/models/IJwtPayload.d.ts

@@ -1,37 +1,6 @@
+import type { JWTPayload } from "jose";
 /**
  * The fields in a JSON Web Token payload.
  */
-export interface IJwtPayload {
-    /**
-     * Additional fields in the payload.
-     */
-    [key: string]: unknown;
-    /**
-     * The issuer of the token.
-     */
-    iss?: string;
-    /**
-     * The subject of the token.
-     */
-    sub?: string;
-    /**
-     * The audience of the token.
-     */
-    aud?: string;
-    /**
-     * The expiration time of the token.
-     */
-    exp?: number;
-    /**
-     * The not before time of the token.
-     */
-    nbf?: number;
-    /**
-     * The issued at time of the token.
-     */
-    iat?: number;
-    /**
-     * The JWT ID.
-     */
-    jti?: string;
+export interface IJwtPayload extends JWTPayload {
 }