npm - @venturekit/auth - Versions diffs - 0.0.0-dev.20260415181804 → 0.0.0-dev.20260427211132 - Mend

@venturekit/auth 0.0.0-dev.20260415181804 → 0.0.0-dev.20260427211132

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/cognito/config.d.ts +8 -1
package/dist/cognito/config.d.ts.map +1 -1
package/dist/cognito/config.js +9 -2
package/dist/cognito/config.js.map +1 -1
package/dist/index.d.ts +2 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -1
package/dist/index.js.map +1 -1
package/dist/session/index.d.ts +46 -12
package/dist/session/index.d.ts.map +1 -1
package/dist/session/index.js +69 -16
package/dist/session/index.js.map +1 -1
package/package.json +2 -2

package/dist/cognito/config.d.ts CHANGED Viewed

@@ -15,7 +15,14 @@ export declare const DEFAULT_MFA_CONFIG: MfaConfig;
  */
 export declare const DEFAULT_TOKEN_CONFIG: TokenConfig;
 /**
- * Default Cognito configuration
+ * Default Cognito configuration.
+ *
+ * Security-first defaults:
+ * - `selfSignUpEnabled: false` — production apps typically invite users
+ *   explicitly. Opt in via `{ selfSignUpEnabled: true }` if your product is
+ *   consumer-facing and anyone can register.
+ * - MFA optional (TOTP) — nudges users without forcing them.
+ * - Password policy 8+ chars with mixed case and digits; symbols opt-in.
  */
 export declare const DEFAULT_COGNITO_CONFIG: CognitoConfig;
 /**

package/dist/cognito/config.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/cognito/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAE/F;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAOrC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,SAGhC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,EAAE,WAIlC,CAAC;AAEF~~;;GAEG~~;AACH,eAAO,MAAM,sBAAsB,EAAE,aAapC,CAAC;AAEF;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG;IAC/B,cAAc,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACzC,GAAG,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IACzB,MAAM,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;CAC/B,GACA,aAAa,CAuBf"}
1	+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/cognito/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAE/F;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAOrC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,SAGhC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,EAAE,WAIlC,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,sBAAsB,EAAE,aAapC,CAAC;AAEF;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG;IAC/B,cAAc,CAAC,EAAE,OAAO,CAAC,cAAc,CAAC,CAAC;IACzC,GAAG,CAAC,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;IACzB,MAAM,CAAC,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC;CAC/B,GACA,aAAa,CAuBf"}

package/dist/cognito/config.js CHANGED Viewed

@@ -28,7 +28,14 @@ export const DEFAULT_TOKEN_CONFIG = {
     refreshTokenValidityDays: 30,
 };
 /**
- * Default Cognito configuration
+ * Default Cognito configuration.
+ *
+ * Security-first defaults:
+ * - `selfSignUpEnabled: false` — production apps typically invite users
+ *   explicitly. Opt in via `{ selfSignUpEnabled: true }` if your product is
+ *   consumer-facing and anyone can register.
+ * - MFA optional (TOTP) — nudges users without forcing them.
+ * - Password policy 8+ chars with mixed case and digits; symbols opt-in.
  */
 export const DEFAULT_COGNITO_CONFIG = {
     signInAliases: {
@@ -36,7 +43,7 @@ export const DEFAULT_COGNITO_CONFIG = {
         phone: false,
         username: false,
     },
-    selfSignUpEnabled: true,
+    selfSignUpEnabled: false,
     autoVerifyEmail: true,
     autoVerifyPhone: false,
     passwordPolicy: DEFAULT_PASSWORD_POLICY,

package/dist/cognito/config.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/cognito/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAmB;IACrD,SAAS,EAAE,CAAC;IACZ,gBAAgB,EAAE,IAAI;IACtB,gBAAgB,EAAE,IAAI;IACtB,cAAc,EAAE,IAAI;IACpB,cAAc,EAAE,KAAK;IACrB,wBAAwB,EAAE,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAc;IAC3C,IAAI,EAAE,UAAU;IAChB,OAAO,EAAE,CAAC,MAAM,CAAC;CAClB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAgB;IAC/C,0BAA0B,EAAE,EAAE;IAC9B,sBAAsB,EAAE,EAAE;IAC1B,wBAAwB,EAAE,EAAE;CAC7B,CAAC;AAEF~~;;GAEG~~;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAkB;IACnD,aAAa,EAAE;QACb,KAAK,EAAE,IAAI;QACX,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,KAAK;KAChB;IACD,iBAAiB,EAAE,~~IAAI~~;~~IACvB~~,eAAe,EAAE,IAAI;IACrB,eAAe,EAAE,KAAK;IACtB,cAAc,EAAE,uBAAuB;IACvC,GAAG,EAAE,kBAAkB;IACvB,MAAM,EAAE,oBAAoB;IAC5B,eAAe,EAAE,OAAO;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAIC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,sBAAsB,CAAC;IAE1C,OAAO;QACL,GAAG,sBAAsB;QACzB,GAAG,KAAK;QACR,aAAa,EAAE;YACb,GAAG,sBAAsB,CAAC,aAAa;YACvC,GAAG,KAAK,CAAC,aAAa;SACvB;QACD,cAAc,EAAE;YACd,GAAG,uBAAuB;YAC1B,GAAG,KAAK,CAAC,cAAc;SACxB;QACD,GAAG,EAAE;YACH,GAAG,kBAAkB;YACrB,GAAG,KAAK,CAAC,GAAG;SACb;QACD,MAAM,EAAE;YACN,GAAG,oBAAoB;YACvB,GAAG,KAAK,CAAC,MAAM;SAChB;KACF,CAAC;AACJ,CAAC"}
1	+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/cognito/config.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAmB;IACrD,SAAS,EAAE,CAAC;IACZ,gBAAgB,EAAE,IAAI;IACtB,gBAAgB,EAAE,IAAI;IACtB,cAAc,EAAE,IAAI;IACpB,cAAc,EAAE,KAAK;IACrB,wBAAwB,EAAE,CAAC;CAC5B,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAc;IAC3C,IAAI,EAAE,UAAU;IAChB,OAAO,EAAE,CAAC,MAAM,CAAC;CAClB,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAgB;IAC/C,0BAA0B,EAAE,EAAE;IAC9B,sBAAsB,EAAE,EAAE;IAC1B,wBAAwB,EAAE,EAAE;CAC7B,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,sBAAsB,GAAkB;IACnD,aAAa,EAAE;QACb,KAAK,EAAE,IAAI;QACX,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,KAAK;KAChB;IACD,iBAAiB,EAAE,KAAK;IACxB,eAAe,EAAE,IAAI;IACrB,eAAe,EAAE,KAAK;IACtB,cAAc,EAAE,uBAAuB;IACvC,GAAG,EAAE,kBAAkB;IACvB,MAAM,EAAE,oBAAoB;IAC5B,eAAe,EAAE,OAAO;CACzB,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,mBAAmB,CACjC,KAIC;IAED,IAAI,CAAC,KAAK;QAAE,OAAO,sBAAsB,CAAC;IAE1C,OAAO;QACL,GAAG,sBAAsB;QACzB,GAAG,KAAK;QACR,aAAa,EAAE;YACb,GAAG,sBAAsB,CAAC,aAAa;YACvC,GAAG,KAAK,CAAC,aAAa;SACvB;QACD,cAAc,EAAE;YACd,GAAG,uBAAuB;YAC1B,GAAG,KAAK,CAAC,cAAc;SACxB;QACD,GAAG,EAAE;YACH,GAAG,kBAAkB;YACrB,GAAG,KAAK,CAAC,GAAG;SACb;QACD,MAAM,EAAE;YACN,GAAG,oBAAoB;YACvB,GAAG,KAAK,CAAC,MAAM;SAChB;KACF,CAAC;AACJ,CAAC"}

package/dist/index.d.ts CHANGED Viewed

@@ -7,5 +7,6 @@ export * from './types/index.js';
 export { createCognitoConfig, DEFAULT_COGNITO_CONFIG, buildUserPoolConfig, } from './cognito/index.js';
 export type { UserPoolOutputs, UserPoolInfraConfig } from './cognito/user-pool.js';
 export { hasScope, hasAnyScope, hasAllScopes, getScopesForRoles, validateRolesConfig, } from './roles/index.js';
-export { decodeToken, extractUserFromToken, isTokenExpired, getTokenExpiry, } from './session/index.js';
+export { decodeTokenUnsafe, decodeToken, // deprecated alias of decodeTokenUnsafe
+verifyAndDecode, extractUserFromToken, isTokenExpired, getTokenExpiry, } from './session/index.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAGnF,OAAO,EACL,QAAQ,EACR,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,WAAW,~~EACX~~,oBAAoB,EACpB,cAAc,EACd,cAAc,GACf,MAAM,oBAAoB,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,cAAc,kBAAkB,CAAC;AAGjC,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAC5B,YAAY,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAGnF,OAAO,EACL,QAAQ,EACR,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,iBAAiB,EACjB,WAAW,EAAE,wCAAwC;AACrD,eAAe,EACf,oBAAoB,EACpB,cAAc,EACd,cAAc,GACf,MAAM,oBAAoB,CAAC"}

package/dist/index.js CHANGED Viewed

@@ -10,5 +10,6 @@ export { createCognitoConfig, DEFAULT_COGNITO_CONFIG, buildUserPoolConfig, } fro
 // Roles
 export { hasScope, hasAnyScope, hasAllScopes, getScopesForRoles, validateRolesConfig, } from './roles/index.js';
 // Session
-export { decodeToken, extractUserFromToken, isTokenExpired, getTokenExpiry, } from './session/index.js';
+export { decodeTokenUnsafe, decodeToken, // deprecated alias of decodeTokenUnsafe
+verifyAndDecode, extractUserFromToken, isTokenExpired, getTokenExpiry, } from './session/index.js';
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,QAAQ;AACR,cAAc,kBAAkB,CAAC;AAEjC,UAAU;AACV,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAG5B,QAAQ;AACR,OAAO,EACL,QAAQ,EACR,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAE1B,UAAU;AACV,OAAO,EACL,WAAW,~~EACX~~,oBAAoB,EACpB,cAAc,EACd,cAAc,GACf,MAAM,oBAAoB,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,QAAQ;AACR,cAAc,kBAAkB,CAAC;AAEjC,UAAU;AACV,OAAO,EACL,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,oBAAoB,CAAC;AAG5B,QAAQ;AACR,OAAO,EACL,QAAQ,EACR,WAAW,EACX,YAAY,EACZ,iBAAiB,EACjB,mBAAmB,GACpB,MAAM,kBAAkB,CAAC;AAE1B,UAAU;AACV,OAAO,EACL,iBAAiB,EACjB,WAAW,EAAE,wCAAwC;AACrD,eAAe,EACf,oBAAoB,EACpB,cAAc,EACd,cAAc,GACf,MAAM,oBAAoB,CAAC"}

package/dist/session/index.d.ts CHANGED Viewed

@@ -5,29 +5,63 @@
  */
 import type { User } from '../types/index.js';
 /**
- * Decode JWT token payload (without verification)
+ * Decode JWT token payload WITHOUT verifying the signature.
  *
- * ⚠️ SECURITY WARNING: This function does NOT verify the token signature.
- * It only decodes the payload for reading claims.
+ * ⚠️ SECURITY: This is deliberately named `decodeTokenUnsafe` so reviewers
+ * spot authentication bypasses in code review. **Never** feed the returned
+ * claims into an authorization decision without first calling
+ * {@link verifyAndDecode} or relying on API Gateway / ALB to do the
+ * verification for you.
  *
- * Token verification should be handled by:
- * - API Gateway Cognito Authorizer (recommended)
- * - AWS ALB with OIDC authentication
- * - Manual verification using cognito-jwt-verifier
+ * Legitimate use cases:
+ * - Reading non-sensitive metadata (issuer, kid) to look up the right JWKS.
+ * - Inspecting a token the server already verified once upstream.
+ * - Extracting the TTL for local caches.
+ */
+export declare function decodeTokenUnsafe(token: string): Record<string, unknown> | null;
+/**
+ * Deprecated alias for {@link decodeTokenUnsafe}. Kept for backward
+ * compatibility; prefer the explicit `Unsafe` suffix so reviewers can spot
+ * authentication bypasses at a glance.
  *
- * Never trust decoded claims for authorization without proper verification.
+ * @deprecated Use `decodeTokenUnsafe` or `verifyAndDecode`.
  */
-export declare function decodeToken(token: string): Record<string, unknown> | null;
+export declare const decodeToken: typeof decodeTokenUnsafe;
 /**
- * Extract user from ID token claims
+ * Verify a Cognito/JWKS-signed JWT and return its claims, or `null` if the
+ * token is invalid/expired/untrusted. Uses `aws-jwt-verify` under the hood,
+ * which is lazily imported so the dependency is optional.
+ *
+ * @example
+ * ```ts
+ * const claims = await verifyAndDecode(token, {
+ *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
+ *   clientId: process.env.COGNITO_CLIENT_ID!,
+ *   tokenUse: 'access',
+ * });
+ * if (!claims) throw new UnauthorizedError();
+ * ```
+ *
+ * Requires `aws-jwt-verify` to be installed at the consumer site.
+ */
+export declare function verifyAndDecode(token: string, options: {
+    userPoolId: string;
+    clientId?: string | string[];
+    tokenUse?: 'access' | 'id';
+}): Promise<Record<string, unknown> | null>;
+/**
+ * Extract user from ID token claims.
+ *
+ * ⚠️ Uses the unverified decoder. Callers MUST have already verified the
+ * token (e.g. via API Gateway Cognito Authorizer or {@link verifyAndDecode}).
  */
 export declare function extractUserFromToken(idToken: string): User | null;
 /**
- * Check if a token is expired
+ * Check if a token is expired (based on its `exp` claim, without signature verification).
  */
 export declare function isTokenExpired(token: string): boolean;
 /**
- * Get token expiry time
+ * Get token expiry time (from the `exp` claim, without signature verification).
  */
 export declare function getTokenExpiry(token: string): Date | null;
 //# sourceMappingURL=index.d.ts.map

package/dist/session/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAkB,MAAM,mBAAmB,CAAC;AAE9D~~;;;;;;;;;;;;GAYG~~;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,~~CAWzE~~;AAED~~;;GAEG~~;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAwBjE;AAuDD;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAMrD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAKzD"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAkB,MAAM,mBAAmB,CAAC;AAE9D;;;;;;;;;;;;;GAaG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAW/E;AAED;;;;;;GAMG;AACH,eAAO,MAAM,WAAW,0BAAoB,CAAC;AAE7C;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,eAAe,CACnC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE;IACP,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B,QAAQ,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;CAC5B,GACA,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CA0BzC;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAwBjE;AAuDD;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAMrD;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,CAKzD"}

package/dist/session/index.js CHANGED Viewed

@@ -4,19 +4,20 @@
  * Utilities for managing user sessions and tokens.
  */
 /**
- * Decode JWT token payload (without verification)
+ * Decode JWT token payload WITHOUT verifying the signature.
  *
- * ⚠️ SECURITY WARNING: This function does NOT verify the token signature.
- * It only decodes the payload for reading claims.
+ * ⚠️ SECURITY: This is deliberately named `decodeTokenUnsafe` so reviewers
+ * spot authentication bypasses in code review. **Never** feed the returned
+ * claims into an authorization decision without first calling
+ * {@link verifyAndDecode} or relying on API Gateway / ALB to do the
+ * verification for you.
  *
- * Token verification should be handled by:
- * - API Gateway Cognito Authorizer (recommended)
- * - AWS ALB with OIDC authentication
- * - Manual verification using cognito-jwt-verifier
- *
- * Never trust decoded claims for authorization without proper verification.
+ * Legitimate use cases:
+ * - Reading non-sensitive metadata (issuer, kid) to look up the right JWKS.
+ * - Inspecting a token the server already verified once upstream.
+ * - Extracting the TTL for local caches.
  */
-export function decodeToken(token) {
+export function decodeTokenUnsafe(token) {
     try {
         const parts = token.split('.');
         if (parts.length !== 3)
@@ -30,10 +31,62 @@ export function decodeToken(token) {
     }
 }
 /**
- * Extract user from ID token claims
+ * Deprecated alias for {@link decodeTokenUnsafe}. Kept for backward
+ * compatibility; prefer the explicit `Unsafe` suffix so reviewers can spot
+ * authentication bypasses at a glance.
+ *
+ * @deprecated Use `decodeTokenUnsafe` or `verifyAndDecode`.
+ */
+export const decodeToken = decodeTokenUnsafe;
+/**
+ * Verify a Cognito/JWKS-signed JWT and return its claims, or `null` if the
+ * token is invalid/expired/untrusted. Uses `aws-jwt-verify` under the hood,
+ * which is lazily imported so the dependency is optional.
+ *
+ * @example
+ * ```ts
+ * const claims = await verifyAndDecode(token, {
+ *   userPoolId: process.env.COGNITO_USER_POOL_ID!,
+ *   clientId: process.env.COGNITO_CLIENT_ID!,
+ *   tokenUse: 'access',
+ * });
+ * if (!claims) throw new UnauthorizedError();
+ * ```
+ *
+ * Requires `aws-jwt-verify` to be installed at the consumer site.
+ */
+export async function verifyAndDecode(token, options) {
+    let CognitoJwtVerifier;
+    try {
+        // Lazy, peer-optional import — consumers only pay the cost if they use it.
+        ({ CognitoJwtVerifier } = await import(
+        /* @vite-ignore */ 'aws-jwt-verify'));
+    }
+    catch {
+        throw new Error("verifyAndDecode requires 'aws-jwt-verify'. " +
+            "Install it with: pnpm add aws-jwt-verify");
+    }
+    const verifier = CognitoJwtVerifier.create({
+        userPoolId: options.userPoolId,
+        tokenUse: options.tokenUse ?? 'access',
+        clientId: options.clientId ?? null,
+    });
+    try {
+        const payload = await verifier.verify(token);
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Extract user from ID token claims.
+ *
+ * ⚠️ Uses the unverified decoder. Callers MUST have already verified the
+ * token (e.g. via API Gateway Cognito Authorizer or {@link verifyAndDecode}).
  */
 export function extractUserFromToken(idToken) {
-    const claims = decodeToken(idToken);
+    const claims = decodeTokenUnsafe(idToken);
     if (!claims)
         return null;
     // Determine identifier type and value
@@ -105,20 +158,20 @@ function extractCustomAttributes(claims) {
     return attributes;
 }
 /**
- * Check if a token is expired
+ * Check if a token is expired (based on its `exp` claim, without signature verification).
  */
 export function isTokenExpired(token) {
-    const claims = decodeToken(token);
+    const claims = decodeTokenUnsafe(token);
     if (!claims || !claims.exp)
         return true;
     const expiry = claims.exp * 1000;
     return Date.now() >= expiry;
 }
 /**
- * Get token expiry time
+ * Get token expiry time (from the `exp` claim, without signature verification).
  */
 export function getTokenExpiry(token) {
-    const claims = decodeToken(token);
+    const claims = decodeTokenUnsafe(token);
     if (!claims || !claims.exp)
         return null;
     return new Date(claims.exp * 1000);

package/dist/session/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH~~;;;;;;;;;;;;GAYG~~;AACH,MAAM,UAAU,~~WAAW~~,CAAC,KAAa;~~IACvC~~,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED~~;;GAEG~~;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,~~WAAW~~,CAAC,OAAO,CAAC,CAAC;~~IACpC~~,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,sCAAsC;IACtC,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAEnE,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,GAAa;QACxB,cAAc;QACd,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAA2B;QACzC,aAAa,EAAE,MAAM,CAAC,cAAqC;QAC3D,KAAK,EAAE,MAAM,CAAC,YAAkC;QAChD,aAAa,EAAE,MAAM,CAAC,qBAA4C;QAClE,QAAQ,EAAE,MAAM,CAAC,kBAAwC,IAAI,MAAM,CAAC,kBAAkB,CAAuB;QAC7G,IAAI,EAAE,MAAM,CAAC,IAA0B;QACvC,MAAM,EAAE,MAAM,CAAC,MAA4B;QAC3C,QAAQ,EAAE,MAAM,CAAC,kBAAkB,CAAuB;QAC1D,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC;QACzB,UAAU,EAAE,uBAAuB,CAAC,MAAM,CAAC;QAC3C,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE;KACtB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAA+B;IAC1D,wBAAwB;IACxB,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,KAAe,EAAE,CAAC;IACzE,CAAC;IAED,kBAAkB;IAClB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,YAAsB,EAAE,CAAC;IAChF,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,cAAc,EAAE,UAAU;YAC1B,UAAU,EAAE,CAAC,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,CAAW;SAChF,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,GAAa,EAAE,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,MAA+B;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAiB,CAAC;IACnD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1E,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,MAA+B;IAC9D,MAAM,UAAU,GAA2B,EAAE,CAAC;IAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,KAAK,kBAAkB,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;YACtF,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC5C,UAAU,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,~~WAAW~~,CAAC,KAAK,CAAC,CAAC;~~IAClC~~,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,MAAM,GAAI,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC;IAC7C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,~~WAAW~~,CAAC,KAAK,CAAC,CAAC;~~IAClC~~,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,OAAO,IAAI,IAAI,CAAE,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC,CAAC;AACjD,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAEpC,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,WAAW,GAAG,iBAAiB,CAAC;AAE7C;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAa,EACb,OAIC;IAED,IAAI,kBAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,2EAA2E;QAC3E,CAAC,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM;QACpC,kBAAkB,CAAC,gBAA0B,CAC9C,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CACb,6CAA6C;YAC3C,0CAA0C,CAC7C,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC;QACzC,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,QAAQ;QACtC,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC7C,OAAO,OAAkC,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,sCAAsC;IACtC,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAEnE,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,GAAa;QACxB,cAAc;QACd,UAAU;QACV,KAAK,EAAE,MAAM,CAAC,KAA2B;QACzC,aAAa,EAAE,MAAM,CAAC,cAAqC;QAC3D,KAAK,EAAE,MAAM,CAAC,YAAkC;QAChD,aAAa,EAAE,MAAM,CAAC,qBAA4C;QAClE,QAAQ,EAAE,MAAM,CAAC,kBAAwC,IAAI,MAAM,CAAC,kBAAkB,CAAuB;QAC7G,IAAI,EAAE,MAAM,CAAC,IAA0B;QACvC,MAAM,EAAE,MAAM,CAAC,MAA4B;QAC3C,QAAQ,EAAE,MAAM,CAAC,kBAAkB,CAAuB;QAC1D,KAAK,EAAE,UAAU,CAAC,MAAM,CAAC;QACzB,UAAU,EAAE,uBAAuB,CAAC,MAAM,CAAC;QAC3C,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,SAAS,EAAE,IAAI,IAAI,EAAE;KACtB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,MAA+B;IAC1D,wBAAwB;IACxB,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,KAAe,EAAE,CAAC;IACzE,CAAC;IAED,kBAAkB;IAClB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,OAAO,EAAE,cAAc,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,YAAsB,EAAE,CAAC;IAChF,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC5D,OAAO;YACL,cAAc,EAAE,UAAU;YAC1B,UAAU,EAAE,CAAC,MAAM,CAAC,kBAAkB,IAAI,MAAM,CAAC,kBAAkB,CAAC,CAAW;SAChF,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,GAAa,EAAE,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,MAA+B;IACjD,MAAM,KAAK,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACjE,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,CAAC;IACtB,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAiB,CAAC;IACnD,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1E,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAAC,MAA+B;IAC9D,MAAM,UAAU,GAA2B,EAAE,CAAC;IAE9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,GAAG,KAAK,kBAAkB,IAAI,GAAG,KAAK,cAAc,EAAE,CAAC;YACtF,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YAC5C,UAAU,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,MAAM,MAAM,GAAI,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC;IAC7C,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAExC,OAAO,IAAI,IAAI,CAAE,MAAM,CAAC,GAAc,GAAG,IAAI,CAAC,CAAC;AACjD,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@venturekit/auth",
-  "version": "0.0.0-dev.20260415181804",
+  "version": "0.0.0-dev.20260427211132",
   "description": "Authentication and authorization for VentureKit",
   "type": "module",
   "main": "./dist/index.js",
@@ -25,7 +25,7 @@
     }
   },
   "dependencies": {
-    "@venturekit/core": "0.0.0-dev.20260415181804"
+    "@venturekit/core": "0.0.0-dev.20260427211132"
   },
   "devDependencies": {
     "@types/node": "^20.10.0",