@venizia/ignis 0.0.7-8 → 0.0.7

package/dist/components/auth/authenticate/services/bearer/abstract.service.js

@@ -0,0 +1,177 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AbstractBearerTokenService = void 0;
+const base_1 = require("../../../../../base/services/base");
+const ignis_helpers_1 = require("@venizia/ignis-helpers");
+const common_1 = require("../../common");
+/** Abstract base for Bearer-token services (JWS, JWKS) with optional AES payload encryption. */
+class AbstractBearerTokenService extends base_1.BaseService {
+    constructor() {
+        super(...arguments);
+        this.aes = null;
+        this.applicationSecret = null;
+        this.fieldCodecs = new Map();
+    }
+    /** Standard JWT fields that are never encrypted. */
+    static { this.JWT_COMMON_FIELDS = new Set([
+        'iss',
+        'sub',
+        'aud',
+        'jti',
+        'nbf',
+        'exp',
+        'iat',
+    ]); }
+    /** Configures AES payload encryption and field codecs. Both aesAlgorithm and applicationSecret required to activate encryption. */
+    configurePayloadEncryption(opts) {
+        const { aesAlgorithm = 'aes-256-cbc', applicationSecret, fieldCodecs } = opts;
+        if (fieldCodecs) {
+            for (const codec of fieldCodecs) {
+                this.fieldCodecs.set(codec.key, codec);
+            }
+        }
+        if (!applicationSecret) {
+            return;
+        }
+        this.aes = ignis_helpers_1.AES.withAlgorithm(aesAlgorithm);
+        this.applicationSecret = applicationSecret;
+    }
+    extractCredentials(context) {
+        const request = context.req;
+        const authHeaderValue = request.header('Authorization');
+        if (!authHeaderValue) {
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_4.Unauthorized,
+                message: 'Unauthorized user! Missing authorization header',
+            });
+        }
+        if (!authHeaderValue.startsWith(common_1.Authentication.TYPE_BEARER)) {
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_4.Unauthorized,
+                message: 'Unauthorized user! Invalid schema of request token!',
+            });
+        }
+        const parts = authHeaderValue.split(' ');
+        if (parts.length !== 2) {
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_4.Unauthorized,
+                message: `Authorization header value is invalid format. It must follow the pattern: 'Bearer xx.yy.zz' where xx.yy.zz is a valid JWT token.`,
+            });
+        }
+        const [tokenType, tokenValue] = parts;
+        return { type: tokenType, token: tokenValue };
+    }
+    async verify(opts) {
+        const { token } = opts;
+        if (!token) {
+            this.logger.for(this.verify.name).error('Missing token for validating request!');
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_4.Unauthorized,
+                message: '[verify] Invalid request token!',
+            });
+        }
+        try {
+            return await this.doVerify(token);
+        }
+        catch (error) {
+            this.logger.for(this.verify.name).error('Failed to verify token | Error: %s', error);
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_4.Unauthorized,
+                message: '[verify] Invalid or expired token',
+            });
+        }
+    }
+    async generate(opts) {
+        const { payload, getTokenExpiresFn = this.getDefaultTokenExpiresFn() } = opts;
+        if (!payload) {
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_4.Unauthorized,
+                message: '[generate] Invalid token payload!',
+            });
+        }
+        const signer = await this.getSigner({ payload, getTokenExpiresFn });
+        try {
+            const rs = await signer.sign(await this.getSigningKey());
+            return rs;
+        }
+        catch (error) {
+            this.logger.for(this.generate.name).error('Failed to generate token | Error: %s', error);
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+                message: '[generate] Failed to generate token',
+            });
+        }
+    }
+    serializeField(opts) {
+        const { key, value } = opts;
+        const codec = this.fieldCodecs.get(key);
+        if (codec) {
+            return codec.serialize({ value });
+        }
+        return JSON.stringify(value);
+    }
+    encryptPayload(payload) {
+        if (!this.aes || !this.applicationSecret) {
+            return payload;
+        }
+        const rs = {};
+        const keys = Object.keys(payload);
+        for (const key of keys) {
+            const value = payload[key];
+            if (AbstractBearerTokenService.JWT_COMMON_FIELDS.has(key)) {
+                rs[key] = value;
+                continue;
+            }
+            // NOTE: Skip undefined or null values because they cannot be encrypted
+            if (value === undefined || value === null) {
+                continue;
+            }
+            const encryptedKey = this.aes.encrypt({
+                message: key,
+                secret: this.applicationSecret,
+            });
+            const serialized = this.serializeField({ key, value });
+            rs[encryptedKey] = this.aes.encrypt({
+                message: serialized,
+                secret: this.applicationSecret,
+            });
+        }
+        return rs;
+    }
+    deserializeField(opts) {
+        const { key, value } = opts;
+        const codec = this.fieldCodecs.get(key);
+        if (codec) {
+            return codec.deserialize({ raw: value });
+        }
+        return JSON.parse(value);
+    }
+    decryptPayload(opts) {
+        const { payload, protectedHeader } = opts.result;
+        if (!this.aes || !this.applicationSecret) {
+            return payload;
+        }
+        this.logger
+            .for(this.decryptPayload.name)
+            .debug('JWT Token | payload: %j | header: %j', payload, protectedHeader);
+        const rs = {};
+        for (const key in payload) {
+            if (AbstractBearerTokenService.JWT_COMMON_FIELDS.has(key)) {
+                rs[key] = payload[key];
+                continue;
+            }
+            const decryptedKey = this.aes.decrypt({
+                message: key,
+                secret: this.applicationSecret,
+            });
+            const decryptedValue = this.aes.decrypt({
+                message: payload[key],
+                secret: this.applicationSecret,
+            });
+            rs[decryptedKey] = this.deserializeField({ key: decryptedKey, value: decryptedValue });
+        }
+        return rs;
+    }
+}
+exports.AbstractBearerTokenService = AbstractBearerTokenService;
+//# sourceMappingURL=abstract.service.js.map

package/dist/components/auth/authenticate/services/bearer/abstract.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"abstract.service.js","sourceRoot":"","sources":["../../../../../../src/components/auth/authenticate/services/bearer/abstract.service.ts"],"names":[],"mappings":";;;AACA,+CAAmD;AACnD,0DAA+F;AAG/F,yCAKsB;AAEtB,gGAAgG;AAChG,MAAsB,0BAAgD,SAAQ,kBAAW;IAAzF;;QAYY,QAAG,GAAe,IAAI,CAAC;QACvB,sBAAiB,GAAkB,IAAI,CAAC;QACxC,gBAAW,GAAoC,IAAI,GAAG,EAAE,CAAC;IA4MrE,CAAC;IAzNC,oDAAoD;aACpC,sBAAiB,GAAG,IAAI,GAAG,CAAmB;QAC5D,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;QACL,KAAK;KACN,CAAC,AAR+B,CAQ9B;IAMH,mIAAmI;IACzH,0BAA0B,CAAC,IAIpC;QACC,MAAM,EAAE,YAAY,GAAG,aAAa,EAAE,iBAAiB,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC;QAE9E,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;gBAChC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,GAAG,GAAG,mBAAG,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;QAC3C,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;IAC7C,CAAC;IAED,kBAAkB,CAAC,OAA4B;QAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC;QAE5B,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QACxD,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,YAAY;gBAC9C,OAAO,EAAE,iDAAiD;aAC3D,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,eAAe,CAAC,UAAU,CAAC,uBAAc,CAAC,WAAW,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,YAAY;gBAC9C,OAAO,EAAE,qDAAqD;aAC/D,CAAC,CAAC;QACL,CAAC;QAED,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,YAAY;gBAC9C,OAAO,EAAE,kIAAkI;aAC5I,CAAC,CAAC;QACL,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC;QACtC,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAqC;QAChD,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;QACvB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YACjF,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,YAAY;gBAC9C,OAAO,EAAE,iCAAiC;aAC3C,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC;YACH,OAAO,MAAM,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;YACrF,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,YAAY;gBAC9C,OAAO,EAAE,mCAAmC;aAC7C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,IAGd;QACC,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,IAAI,CAAC,wBAAwB,EAAE,EAAE,GAAG,IAAI,CAAC;QAE9E,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,YAAY;gBAC9C,OAAO,EAAE,mCAAmC;aAC7C,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAEpE,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC;YACzD,OAAO,EAAE,CAAC;QACZ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;YACzF,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,mBAAmB;gBACrD,OAAO,EAAE,qCAAqC;aAC/C,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAES,cAAc,CAAC,IAAiC;QACxD,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;QAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAExC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QACpC,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC/B,CAAC;IAED,cAAc,CAAC,OAAyB;QACtC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACzC,OAAO,OAAO,CAAC;QACjB,CAAC;QAED,MAAM,EAAE,GAA2B,EAAE,CAAC;QAEtC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;YAE3B,IAAI,0BAA0B,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1D,EAAE,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;gBAChB,SAAS;YACX,CAAC;YAED,uEAAuE;YACvE,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;gBAC1C,SAAS;YACX,CAAC;YAED,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC;gBACpC,OAAO,EAAE,GAAG;gBACZ,MAAM,EAAE,IAAI,CAAC,iBAAiB;aAC/B,CAAC,CAAC;YAEH,MAAM,UAAU,GAAG,IAAI,CAAC,cAAc,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;YAEvD,EAAE,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC;gBAClC,OAAO,EAAE,UAAU;gBACnB,MAAM,EAAE,IAAI,CAAC,iBAAiB;aAC/B,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;IAES,gBAAgB,CAAC,IAAoC;QAC7D,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC;QAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAExC,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC,WAAW,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QAC3C,CAAC;QAED,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3B,CAAC;IAED,cAAc,CAAC,IAAmD;QAChE,MAAM,EAAE,OAAO,EAAE,eAAe,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC;QAEjD,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACzC,OAAO,OAA2B,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,MAAM;aACR,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC;aAC7B,KAAK,CAAC,sCAAsC,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC;QAE3E,MAAM,EAAE,GAAQ,EAAE,CAAC;QACnB,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;YAC1B,IAAI,0BAA0B,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC1D,EAAE,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;gBACvB,SAAS;YACX,CAAC;YAED,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC;gBACpC,OAAO,EAAE,GAAG;gBACZ,MAAM,EAAE,IAAI,CAAC,iBAAiB;aAC/B,CAAC,CAAC;YACH,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC;gBACtC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC;gBACrB,MAAM,EAAE,IAAI,CAAC,iBAAiB;aAC/B,CAAC,CAAC;YAEH,EAAE,CAAC,YAAY,CAAC,GAAG,IAAI,CAAC,gBAAgB,CAAC,EAAE,GAAG,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;QACzF,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;;AA9MH,gEA0NC"}

package/dist/components/auth/authenticate/services/bearer/index.d.ts

@@ -0,0 +1,4 @@
+export * from './abstract.service';
+export * from './jwks';
+export * from './jws.service';
+//# sourceMappingURL=index.d.ts.map

package/dist/components/auth/authenticate/services/bearer/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../src/components/auth/authenticate/services/bearer/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,QAAQ,CAAC;AACvB,cAAc,eAAe,CAAC"}

package/dist/components/auth/authenticate/services/bearer/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./abstract.service"), exports);
+__exportStar(require("./jwks"), exports);
+__exportStar(require("./jws.service"), exports);
+//# sourceMappingURL=index.js.map

package/dist/components/auth/authenticate/services/bearer/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../src/components/auth/authenticate/services/bearer/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,yCAAuB;AACvB,gDAA8B"}

package/dist/components/auth/authenticate/services/bearer/jwks/abstract.service.d.ts

@@ -0,0 +1,16 @@
+import { Env } from 'hono';
+import { AbstractBearerTokenService } from '../abstract.service';
+/**
+ * Base class for JWKS token services (Issuer + Verifier).
+ *
+ * Consolidates the lazy-initialization pattern with retry-on-failure semantics:
+ * if `initialize()` rejects, `initPromise` is reset so the next call retries
+ * instead of caching the failure permanently.
+ */
+export declare abstract class AbstractJWKSTokenService<E extends Env = Env> extends AbstractBearerTokenService<E> {
+    protected initialized: boolean;
+    protected initPromise: Promise<void> | null;
+    protected ensureInitialized(): Promise<void>;
+    protected abstract initialize(): Promise<void>;
+}
+//# sourceMappingURL=abstract.service.d.ts.map

package/dist/components/auth/authenticate/services/bearer/jwks/abstract.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"abstract.service.d.ts","sourceRoot":"","sources":["../../../../../../../src/components/auth/authenticate/services/bearer/jwks/abstract.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAC3B,OAAO,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAC;AAEjE;;;;;;GAMG;AACH,8BAAsB,wBAAwB,CAC5C,CAAC,SAAS,GAAG,GAAG,GAAG,CACnB,SAAQ,0BAA0B,CAAC,CAAC,CAAC;IACrC,SAAS,CAAC,WAAW,UAAS;IAC9B,SAAS,CAAC,WAAW,EAAE,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAQ;cAEnC,iBAAiB,IAAI,OAAO,CAAC,IAAI,CAAC;IAelD,SAAS,CAAC,QAAQ,CAAC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;CAC/C"}

package/dist/components/auth/authenticate/services/bearer/jwks/abstract.service.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AbstractJWKSTokenService = void 0;
+const abstract_service_1 = require("../abstract.service");
+/**
+ * Base class for JWKS token services (Issuer + Verifier).
+ *
+ * Consolidates the lazy-initialization pattern with retry-on-failure semantics:
+ * if `initialize()` rejects, `initPromise` is reset so the next call retries
+ * instead of caching the failure permanently.
+ */
+class AbstractJWKSTokenService extends abstract_service_1.AbstractBearerTokenService {
+    constructor() {
+        super(...arguments);
+        this.initialized = false;
+        this.initPromise = null;
+    }
+    async ensureInitialized() {
+        if (this.initialized) {
+            return;
+        }
+        if (!this.initPromise) {
+            this.initPromise = this.initialize().catch(error => {
+                this.initPromise = null;
+                throw error;
+            });
+        }
+        await this.initPromise;
+    }
+}
+exports.AbstractJWKSTokenService = AbstractJWKSTokenService;
+//# sourceMappingURL=abstract.service.js.map

package/dist/components/auth/authenticate/services/bearer/jwks/abstract.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"abstract.service.js","sourceRoot":"","sources":["../../../../../../../src/components/auth/authenticate/services/bearer/jwks/abstract.service.ts"],"names":[],"mappings":";;;AACA,0DAAiE;AAEjE;;;;;;GAMG;AACH,MAAsB,wBAEpB,SAAQ,6CAA6B;IAFvC;;QAGY,gBAAW,GAAG,KAAK,CAAC;QACpB,gBAAW,GAAyB,IAAI,CAAC;IAkBrD,CAAC;IAhBW,KAAK,CAAC,iBAAiB;QAC/B,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACrB,OAAO;QACT,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;gBACjD,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;gBACxB,MAAM,KAAK,CAAC;YACd,CAAC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,IAAI,CAAC,WAAW,CAAC;IACzB,CAAC;CAGF;AAtBD,4DAsBC"}

package/dist/components/auth/authenticate/services/bearer/jwks/index.d.ts

@@ -0,0 +1,4 @@
+export * from './abstract.service';
+export * from './issuer.service';
+export * from './verifier.service';
+//# sourceMappingURL=index.d.ts.map

package/dist/components/auth/authenticate/services/bearer/jwks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../../../src/components/auth/authenticate/services/bearer/jwks/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,cAAc,kBAAkB,CAAC;AACjC,cAAc,oBAAoB,CAAC"}

package/dist/components/auth/authenticate/services/bearer/jwks/index.js

@@ -0,0 +1,20 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./abstract.service"), exports);
+__exportStar(require("./issuer.service"), exports);
+__exportStar(require("./verifier.service"), exports);
+//# sourceMappingURL=index.js.map

package/dist/components/auth/authenticate/services/bearer/jwks/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../../src/components/auth/authenticate/services/bearer/jwks/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,qDAAmC;AACnC,mDAAiC;AACjC,qDAAmC"}

package/dist/components/auth/authenticate/services/bearer/jwks/issuer.service.d.ts

@@ -0,0 +1,46 @@
+import { TNullable, ValueOrPromise } from '@venizia/ignis-helpers';
+import { Env } from 'hono';
+import { CryptoKey, JWK, SignJWT } from 'jose';
+import { IJWKSIssuerOptions, IJWTTokenPayload, TGetTokenExpiresFn } from '../../../common';
+import { AbstractJWKSTokenService } from './abstract.service';
+export declare class JWKSIssuerTokenService<E extends Env = Env> extends AbstractJWKSTokenService<E> {
+    protected options: IJWKSIssuerOptions;
+    protected privateKey: TNullable<CryptoKey | Uint8Array>;
+    protected publicKey: TNullable<CryptoKey | Uint8Array>;
+    protected jwks: {
+        keys: JWK[];
+    } | null;
+    constructor(options: IJWKSIssuerOptions);
+    protected initialize(): Promise<void>;
+    protected resolveKeyContent(opts: {
+        keys: IJWKSIssuerOptions['keys'];
+    }): Promise<{
+        priv: string;
+        pub: string;
+    }>;
+    protected parseKeyMaterial(opts: {
+        raw: {
+            priv: string;
+            pub: string;
+        };
+        algorithm: IJWKSIssuerOptions['algorithm'];
+        keys: IJWKSIssuerOptions['keys'];
+    }): Promise<{
+        priv: Uint8Array<ArrayBufferLike> | import("node:crypto").webcrypto.CryptoKey;
+        pub: Uint8Array<ArrayBufferLike> | import("node:crypto").webcrypto.CryptoKey;
+    }>;
+    protected doVerify(token: string): Promise<IJWTTokenPayload>;
+    getSigner(opts: {
+        payload: IJWTTokenPayload;
+        getTokenExpiresFn: TGetTokenExpiresFn;
+    }): Promise<SignJWT>;
+    protected getSigningKey(): ValueOrPromise<Uint8Array | CryptoKey>;
+    protected getDefaultTokenExpiresFn(): TGetTokenExpiresFn;
+    getJWKS(): {
+        keys: JWK[];
+    };
+    getJWKSAsync(): Promise<{
+        keys: JWK[];
+    }>;
+}
+//# sourceMappingURL=issuer.service.d.ts.map

package/dist/components/auth/authenticate/services/bearer/jwks/issuer.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"issuer.service.d.ts","sourceRoot":"","sources":["../../../../../../../src/components/auth/authenticate/services/bearer/jwks/issuer.service.ts"],"names":[],"mappings":"AACA,OAAO,EAAkB,SAAS,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACnF,OAAO,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAC3B,OAAO,EACL,SAAS,EAKT,GAAG,EAEH,OAAO,EACR,MAAM,MAAM,CAAC;AAEd,OAAO,EAEL,kBAAkB,EAClB,gBAAgB,EAGhB,kBAAkB,EACnB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAE9D,qBAAa,sBAAsB,CAAC,CAAC,SAAS,GAAG,GAAG,GAAG,CAAE,SAAQ,wBAAwB,CAAC,CAAC,CAAC;IAOxF,SAAS,CAAC,OAAO,EAAE,kBAAkB;IANvC,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,SAAS,GAAG,UAAU,CAAC,CAAQ;IAC/D,SAAS,CAAC,SAAS,EAAE,SAAS,CAAC,SAAS,GAAG,UAAU,CAAC,CAAQ;IAC9D,SAAS,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,GAAG,EAAE,CAAA;KAAE,GAAG,IAAI,CAAQ;gBAIlC,OAAO,EAAE,kBAAkB;cAWd,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;cA4BpC,iBAAiB,CAAC,IAAI,EAAE;QAAE,IAAI,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAA;KAAE;;;;cA0B5D,gBAAgB,CAAC,IAAI,EAAE;QACrC,GAAG,EAAE;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,GAAG,EAAE,MAAM,CAAA;SAAE,CAAC;QACnC,SAAS,EAAE,kBAAkB,CAAC,WAAW,CAAC,CAAC;QAC3C,IAAI,EAAE,kBAAkB,CAAC,MAAM,CAAC,CAAC;KAClC;;;;cAoDwB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAM5D,SAAS,CAAC,IAAI,EAAE;QAC7B,OAAO,EAAE,gBAAgB,CAAC;QAC1B,iBAAiB,EAAE,kBAAkB,CAAC;KACvC;cAekB,aAAa,IAAI,cAAc,CAAC,UAAU,GAAG,SAAS,CAAC;cAQvD,wBAAwB,IAAI,kBAAkB;IAIjE,OAAO,IAAI;QAAE,IAAI,EAAE,GAAG,EAAE,CAAA;KAAE;IAWpB,YAAY,IAAI,OAAO,CAAC;QAAE,IAAI,EAAE,GAAG,EAAE,CAAA;KAAE,CAAC;CAI/C"}

package/dist/components/auth/authenticate/services/bearer/jwks/issuer.service.js

@@ -0,0 +1,168 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var JWKSIssuerTokenService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWKSIssuerTokenService = void 0;
+const injectors_1 = require("../../../../../../base/metadata/injectors");
+const ignis_helpers_1 = require("@venizia/ignis-helpers");
+const jose_1 = require("jose");
+const promises_1 = require("node:fs/promises");
+const common_1 = require("../../../common");
+const abstract_service_1 = require("./abstract.service");
+let JWKSIssuerTokenService = JWKSIssuerTokenService_1 = class JWKSIssuerTokenService extends abstract_service_1.AbstractJWKSTokenService {
+    constructor(options) {
+        super({ scope: JWKSIssuerTokenService_1.name });
+        this.options = options;
+        this.privateKey = null;
+        this.publicKey = null;
+        this.jwks = null;
+        this.configurePayloadEncryption({
+            aesAlgorithm: this.options.aesAlgorithm,
+            applicationSecret: this.options.applicationSecret,
+            fieldCodecs: this.options.fieldCodecs,
+        });
+    }
+    async initialize() {
+        const { keys, algorithm } = this.options;
+        const raw = await this.resolveKeyContent({ keys });
+        const built = await this.parseKeyMaterial({ raw, algorithm, keys });
+        this.privateKey = built.priv;
+        this.publicKey = built.pub;
+        const publicJWK = await (0, jose_1.exportJWK)(this.publicKey);
+        publicJWK.kid = this.options.kid;
+        publicJWK.alg = algorithm;
+        publicJWK.use = 'sig';
+        this.jwks = { keys: [publicJWK] };
+        this.initialized = true;
+        this.logger
+            .for(this.initialize.name)
+            .info('JWKS issuer initialized | driver: %s | format: %s | kid: %s', keys.driver, keys.format, this.options.kid);
+    }
+    async resolveKeyContent(opts) {
+        const { keys } = opts;
+        switch (keys.driver) {
+            case common_1.JWKSKeyDrivers.FILE: {
+                const [priv, pub] = await Promise.all([
+                    (0, promises_1.readFile)(keys.private, 'utf-8'),
+                    (0, promises_1.readFile)(keys.public, 'utf-8'),
+                ]);
+                return { priv, pub };
+            }
+            case common_1.JWKSKeyDrivers.TEXT: {
+                return {
+                    priv: keys.private,
+                    pub: keys.public,
+                };
+            }
+            default: {
+                throw (0, ignis_helpers_1.getError)({
+                    statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+                    message: `[JWKSIssuerTokenService] Unknown key driver: ${keys.driver}`,
+                });
+            }
+        }
+    }
+    async parseKeyMaterial(opts) {
+        const { raw, algorithm, keys } = opts;
+        if (!raw.priv) {
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+                message: '[JWKSIssuerTokenService] Invalid raw.priv key!',
+            });
+        }
+        if (!raw.pub) {
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+                message: '[JWKSIssuerTokenService] Invalid raw.pub key!',
+            });
+        }
+        switch (keys.format) {
+            case common_1.JWKSKeyFormats.PEM: {
+                const priv = await (0, jose_1.importPKCS8)(raw.priv, algorithm);
+                const pub = await (0, jose_1.importSPKI)(raw.pub, algorithm);
+                return { priv, pub };
+            }
+            case common_1.JWKSKeyFormats.JWK: {
+                try {
+                    const parsed = {
+                        priv: JSON.parse(raw.priv),
+                        pub: JSON.parse(raw.pub),
+                    };
+                    const priv = await (0, jose_1.importJWK)(parsed.priv, algorithm);
+                    const pub = await (0, jose_1.importJWK)(parsed.pub, algorithm);
+                    return { priv, pub };
+                }
+                catch (error) {
+                    this.logger
+                        .for(this.parseKeyMaterial.name)
+                        .error('Invalid JWK key material | Error: %s', error);
+                    throw (0, ignis_helpers_1.getError)({
+                        statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+                        message: '[JWKSIssuerTokenService] Invalid JWK key material',
+                    });
+                }
+            }
+            default: {
+                throw (0, ignis_helpers_1.getError)({
+                    statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+                    message: `[JWKSIssuerTokenService] Unknown key format: ${keys.format}`,
+                });
+            }
+        }
+    }
+    async doVerify(token) {
+        await this.ensureInitialized();
+        const result = await (0, jose_1.jwtVerify)(token, this.publicKey);
+        return this.decryptPayload({ result });
+    }
+    async getSigner(opts) {
+        await this.ensureInitialized();
+        const now = Math.floor(Date.now() / 1000);
+        const expiresIn = await opts.getTokenExpiresFn();
+        const encryptedPayload = this.encryptPayload(opts.payload);
+        return new jose_1.SignJWT({ ...encryptedPayload })
+            .setProtectedHeader({ alg: this.options.algorithm, kid: this.options.kid })
+            .setIssuedAt()
+            .setExpirationTime(now + expiresIn)
+            .setNotBefore(now);
+    }
+    getSigningKey() {
+        if (!this.privateKey) {
+            throw (0, ignis_helpers_1.getError)({ message: '[getSigningKey] Invalid privateKey!' });
+        }
+        return this.privateKey;
+    }
+    getDefaultTokenExpiresFn() {
+        return this.options.getTokenExpiresFn;
+    }
+    getJWKS() {
+        if (!this.jwks) {
+            throw (0, ignis_helpers_1.getError)({
+                statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+                message: '[JWKSIssuerTokenService] JWKS not initialized yet. Call getJWKSAsync() instead.',
+            });
+        }
+        return this.jwks;
+    }
+    async getJWKSAsync() {
+        await this.ensureInitialized();
+        return this.jwks;
+    }
+};
+exports.JWKSIssuerTokenService = JWKSIssuerTokenService;
+exports.JWKSIssuerTokenService = JWKSIssuerTokenService = JWKSIssuerTokenService_1 = __decorate([
+    __param(0, (0, injectors_1.inject)({ key: common_1.AuthenticateBindingKeys.JWKS_OPTIONS })),
+    __metadata("design:paramtypes", [Object])
+], JWKSIssuerTokenService);
+//# sourceMappingURL=issuer.service.js.map

package/dist/components/auth/authenticate/services/bearer/jwks/issuer.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"issuer.service.js","sourceRoot":"","sources":["../../../../../../../src/components/auth/authenticate/services/bearer/jwks/issuer.service.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yDAAmD;AACnD,0DAAmF;AAEnF,+BASc;AACd,+CAA4C;AAC5C,4CAOyB;AACzB,yDAA8D;AAE9D,IAAa,sBAAsB,8BAAnC,MAAa,sBAA4C,SAAQ,2CAA2B;IAK1F,YAEE,OAAqC;QAErC,KAAK,CAAC,EAAE,KAAK,EAAE,wBAAsB,CAAC,IAAI,EAAE,CAAC,CAAC;QAFpC,YAAO,GAAP,OAAO,CAAoB;QAN7B,eAAU,GAAsC,IAAI,CAAC;QACrD,cAAS,GAAsC,IAAI,CAAC;QACpD,SAAI,GAA2B,IAAI,CAAC;QAQ5C,IAAI,CAAC,0BAA0B,CAAC;YAC9B,YAAY,EAAE,IAAI,CAAC,OAAO,CAAC,YAAY;YACvC,iBAAiB,EAAE,IAAI,CAAC,OAAO,CAAC,iBAAiB;YACjD,WAAW,EAAE,IAAI,CAAC,OAAO,CAAC,WAAW;SACtC,CAAC,CAAC;IACL,CAAC;IAEkB,KAAK,CAAC,UAAU;QACjC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEzC,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEpE,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,GAAG,CAAC;QAE3B,MAAM,SAAS,GAAG,MAAM,IAAA,gBAAS,EAAC,IAAI,CAAC,SAAU,CAAC,CAAC;QACnD,SAAS,CAAC,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;QACjC,SAAS,CAAC,GAAG,GAAG,SAAS,CAAC;QAC1B,SAAS,CAAC,GAAG,GAAG,KAAK,CAAC;QAEtB,IAAI,CAAC,IAAI,GAAG,EAAE,IAAI,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC;QAElC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QAExB,IAAI,CAAC,MAAM;aACR,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;aACzB,IAAI,CACH,6DAA6D,EAC7D,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,MAAM,EACX,IAAI,CAAC,OAAO,CAAC,GAAG,CACjB,CAAC;IACN,CAAC;IAES,KAAK,CAAC,iBAAiB,CAAC,IAA0C;QAC1E,MAAM,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC;QAEtB,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,KAAK,uBAAc,CAAC,IAAI,CAAC,CAAC,CAAC;gBACzB,MAAM,CAAC,IAAI,EAAE,GAAG,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;oBACpC,IAAA,mBAAQ,EAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC;oBAC/B,IAAA,mBAAQ,EAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC;iBAC/B,CAAC,CAAC;gBACH,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;YACvB,CAAC;YACD,KAAK,uBAAc,CAAC,IAAI,CAAC,CAAC,CAAC;gBACzB,OAAO;oBACL,IAAI,EAAE,IAAI,CAAC,OAAO;oBAClB,GAAG,EAAE,IAAI,CAAC,MAAM;iBACjB,CAAC;YACJ,CAAC;YACD,OAAO,CAAC,CAAC,CAAC;gBACR,MAAM,IAAA,wBAAQ,EAAC;oBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,mBAAmB;oBACrD,OAAO,EAAE,gDAAgD,IAAI,CAAC,MAAM,EAAE;iBACvE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAES,KAAK,CAAC,gBAAgB,CAAC,IAIhC;QACC,MAAM,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC;QAEtC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,mBAAmB;gBACrD,OAAO,EAAE,gDAAgD;aAC1D,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YACb,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,mBAAmB;gBACrD,OAAO,EAAE,+CAA+C;aACzD,CAAC,CAAC;QACL,CAAC;QAED,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;YACpB,KAAK,uBAAc,CAAC,GAAG,CAAC,CAAC,CAAC;gBACxB,MAAM,IAAI,GAAG,MAAM,IAAA,kBAAW,EAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;gBACpD,MAAM,GAAG,GAAG,MAAM,IAAA,iBAAU,EAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;gBACjD,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;YACvB,CAAC;YACD,KAAK,uBAAc,CAAC,GAAG,CAAC,CAAC,CAAC;gBACxB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG;wBACb,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAQ;wBACjC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAQ;qBAChC,CAAC;oBAEF,MAAM,IAAI,GAAG,MAAM,IAAA,gBAAS,EAAC,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;oBACrD,MAAM,GAAG,GAAG,MAAM,IAAA,gBAAS,EAAC,MAAM,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;oBACnD,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;gBACvB,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,IAAI,CAAC,MAAM;yBACR,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;yBAC/B,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;oBACxD,MAAM,IAAA,wBAAQ,EAAC;wBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,mBAAmB;wBACrD,OAAO,EAAE,mDAAmD;qBAC7D,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,OAAO,CAAC,CAAC,CAAC;gBACR,MAAM,IAAA,wBAAQ,EAAC;oBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,mBAAmB;oBACrD,OAAO,EAAE,gDAAgD,IAAI,CAAC,MAAM,EAAE;iBACvE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAEkB,KAAK,CAAC,QAAQ,CAAC,KAAa;QAC7C,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,MAAM,IAAA,gBAAS,EAAmB,KAAK,EAAE,IAAI,CAAC,SAAU,CAAC,CAAC;QACzE,OAAO,IAAI,CAAC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IACzC,CAAC;IAEQ,KAAK,CAAC,SAAS,CAAC,IAGxB;QACC,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAE/B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAEjD,MAAM,gBAAgB,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE3D,OAAO,IAAI,cAAO,CAAC,EAAE,GAAG,gBAAgB,EAAE,CAAC;aACxC,kBAAkB,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;aAC1E,WAAW,EAAE;aACb,iBAAiB,CAAC,GAAG,GAAG,SAAS,CAAC;aAClC,YAAY,CAAC,GAAG,CAAC,CAAC;IACvB,CAAC;IAEkB,aAAa;QAC9B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACrB,MAAM,IAAA,wBAAQ,EAAC,EAAE,OAAO,EAAE,qCAAqC,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAEkB,wBAAwB;QACzC,OAAO,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC;IACxC,CAAC;IAED,OAAO;QACL,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,MAAM,IAAA,wBAAQ,EAAC;gBACb,UAAU,EAAE,oBAAI,CAAC,WAAW,CAAC,IAAI,CAAC,mBAAmB;gBACrD,OAAO,EAAE,iFAAiF;aAC3F,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED,KAAK,CAAC,YAAY;QAChB,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAC/B,OAAO,IAAI,CAAC,IAAK,CAAC;IACpB,CAAC;CACF,CAAA;AAnLY,wDAAsB;iCAAtB,sBAAsB;IAM9B,WAAA,IAAA,kBAAM,EAAC,EAAE,GAAG,EAAE,gCAAuB,CAAC,YAAY,EAAE,CAAC,CAAA;;GAN7C,sBAAsB,CAmLlC"}

package/dist/components/auth/authenticate/services/bearer/jwks/verifier.service.d.ts

@@ -0,0 +1,18 @@
+import { Env } from 'hono';
+import { createRemoteJWKSet, SignJWT } from 'jose';
+import { IJWKSVerifierOptions, IJWTTokenPayload, TGetTokenExpiresFn } from '../../../common';
+import { AbstractJWKSTokenService } from './abstract.service';
+export declare class JWKSVerifierTokenService<E extends Env = Env> extends AbstractJWKSTokenService<E> {
+    protected options: IJWKSVerifierOptions;
+    protected jwksVerifier: ReturnType<typeof createRemoteJWKSet> | null;
+    constructor(options: IJWKSVerifierOptions);
+    protected initialize(): Promise<void>;
+    protected doVerify(token: string): Promise<IJWTTokenPayload>;
+    getSigner(_opts: {
+        payload: IJWTTokenPayload;
+        getTokenExpiresFn: TGetTokenExpiresFn;
+    }): Promise<SignJWT>;
+    protected getSigningKey(): never;
+    protected getDefaultTokenExpiresFn(): never;
+}
+//# sourceMappingURL=verifier.service.d.ts.map

package/dist/components/auth/authenticate/services/bearer/jwks/verifier.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.service.d.ts","sourceRoot":"","sources":["../../../../../../../src/components/auth/authenticate/services/bearer/jwks/verifier.service.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAC3B,OAAO,EAAE,kBAAkB,EAAa,OAAO,EAAE,MAAM,MAAM,CAAC;AAC9D,OAAO,EAEL,oBAAoB,EACpB,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAE9D,qBAAa,wBAAwB,CAAC,CAAC,SAAS,GAAG,GAAG,GAAG,CAAE,SAAQ,wBAAwB,CAAC,CAAC,CAAC;IAK1F,SAAS,CAAC,OAAO,EAAE,oBAAoB;IAJzC,SAAS,CAAC,YAAY,EAAE,UAAU,CAAC,OAAO,kBAAkB,CAAC,GAAG,IAAI,CAAQ;gBAIhE,OAAO,EAAE,oBAAoB;cAUhB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;cAc3B,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAM5D,SAAS,CAAC,KAAK,EAAE;QAC9B,OAAO,EAAE,gBAAgB,CAAC;QAC1B,iBAAiB,EAAE,kBAAkB,CAAC;KACvC,GAAG,OAAO,CAAC,OAAO,CAAC;cAOD,aAAa,IAAI,KAAK;cAOtB,wBAAwB,IAAI,KAAK;CAMrD"}

package/dist/components/auth/authenticate/services/bearer/jwks/verifier.service.js

@@ -0,0 +1,73 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var JWKSVerifierTokenService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWKSVerifierTokenService = void 0;
+const injectors_1 = require("../../../../../../base/metadata/injectors");
+const ignis_helpers_1 = require("@venizia/ignis-helpers");
+const jose_1 = require("jose");
+const common_1 = require("../../../common");
+const abstract_service_1 = require("./abstract.service");
+let JWKSVerifierTokenService = JWKSVerifierTokenService_1 = class JWKSVerifierTokenService extends abstract_service_1.AbstractJWKSTokenService {
+    constructor(options) {
+        super({ scope: JWKSVerifierTokenService_1.name });
+        this.options = options;
+        this.jwksVerifier = null;
+        this.configurePayloadEncryption({
+            aesAlgorithm: this.options.aesAlgorithm,
+            applicationSecret: this.options.applicationSecret,
+            fieldCodecs: this.options.fieldCodecs,
+        });
+    }
+    async initialize() {
+        const jwksUrl = new URL(this.options.jwksUrl);
+        this.jwksVerifier = (0, jose_1.createRemoteJWKSet)(jwksUrl, {
+            cacheMaxAge: this.options.cacheTtlMs ?? 43_200_000,
+            cooldownDuration: this.options.cooldownMs ?? 30_000,
+        });
+        this.initialized = true;
+        this.logger
+            .for(this.initialize.name)
+            .info('JWKS verifier initialized | url: %s', this.options.jwksUrl);
+    }
+    async doVerify(token) {
+        await this.ensureInitialized();
+        const result = await (0, jose_1.jwtVerify)(token, this.jwksVerifier);
+        return this.decryptPayload({ result });
+    }
+    async getSigner(_opts) {
+        throw (0, ignis_helpers_1.getError)({
+            statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+            message: '[JWKSVerifierTokenService] Verifier mode cannot sign tokens',
+        });
+    }
+    getSigningKey() {
+        throw (0, ignis_helpers_1.getError)({
+            statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+            message: '[JWKSVerifierTokenService] Verifier mode cannot sign tokens',
+        });
+    }
+    getDefaultTokenExpiresFn() {
+        throw (0, ignis_helpers_1.getError)({
+            statusCode: ignis_helpers_1.HTTP.ResultCodes.RS_5.InternalServerError,
+            message: '[JWKSVerifierTokenService] Verifier mode has no token expiry',
+        });
+    }
+};
+exports.JWKSVerifierTokenService = JWKSVerifierTokenService;
+exports.JWKSVerifierTokenService = JWKSVerifierTokenService = JWKSVerifierTokenService_1 = __decorate([
+    __param(0, (0, injectors_1.inject)({ key: common_1.AuthenticateBindingKeys.JWKS_OPTIONS })),
+    __metadata("design:paramtypes", [Object])
+], JWKSVerifierTokenService);
+//# sourceMappingURL=verifier.service.js.map