@x12i/authx-token-sdk 1.0.0

package/README.md

@@ -0,0 +1,21 @@
+# @x12i/authx-token-sdk
+
+AuthX Token Infrastructure — standalone package.
+
+## Install
+
+```bash
+npm install @x12i/authx-token-sdk
+```
+
+## Build
+
+```bash
+npm install
+npm run build
+npm test
+```
+
+## Links
+
+- Repository: https://github.com/x12i/authx-token-sdk

package/dist/errors.d.ts

@@ -0,0 +1,12 @@
+export declare class AuthxTokenError extends Error {
+    readonly code: string;
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(message: string, code: string, details?: Record<string, unknown> | undefined);
+}
+export declare class AuthxInvalidTokenError extends AuthxTokenError {
+    constructor(message?: string, details?: Record<string, unknown>);
+}
+export declare class AuthxRevokedTokenError extends AuthxTokenError {
+    constructor(message?: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,eAAgB,SAAQ,KAAK;aAGtB,IAAI,EAAE,MAAM;aACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;gBAFjD,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAKpD;AAED,qBAAa,sBAAuB,SAAQ,eAAe;gBAC7C,OAAO,SAAkB,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;CAIzE;AAED,qBAAa,sBAAuB,SAAQ,eAAe;gBAC7C,OAAO,SAAkB;CAItC"}

package/dist/errors.js

@@ -0,0 +1,23 @@
+export class AuthxTokenError extends Error {
+    code;
+    details;
+    constructor(message, code, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = "AuthxTokenError";
+    }
+}
+export class AuthxInvalidTokenError extends AuthxTokenError {
+    constructor(message = "Invalid token", details) {
+        super(message, "INVALID_TOKEN", details);
+        this.name = "AuthxInvalidTokenError";
+    }
+}
+export class AuthxRevokedTokenError extends AuthxTokenError {
+    constructor(message = "Token revoked") {
+        super(message, "REVOKED_TOKEN");
+        this.name = "AuthxRevokedTokenError";
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,eAAgB,SAAQ,KAAK;IAGtB;IACA;IAHlB,YACE,OAAe,EACC,IAAY,EACZ,OAAiC;QAEjD,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAQ;QACZ,YAAO,GAAP,OAAO,CAA0B;QAGjD,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,eAAe;IACzD,YAAY,OAAO,GAAG,eAAe,EAAE,OAAiC;QACtE,KAAK,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF;AAED,MAAM,OAAO,sBAAuB,SAAQ,eAAe;IACzD,YAAY,OAAO,GAAG,eAAe;QACnC,KAAK,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI,GAAG,wBAAwB,CAAC;IACvC,CAAC;CACF"}

package/dist/helpers.d.ts

@@ -0,0 +1,6 @@
+import type { AuthxTokenFeature, AuthxTokenPayload, AuthxTokenScope } from "@x12i/authx-token-types";
+export declare function hasFeature(payload: AuthxTokenPayload, featureId: string): boolean;
+export declare function getFeature(payload: AuthxTokenPayload, featureId: string): AuthxTokenFeature | undefined;
+export declare function hasScopeId(scope: AuthxTokenScope | undefined, field: keyof AuthxTokenScope, id: string): boolean;
+export declare function hasDomainAccess(payload: AuthxTokenPayload, domainId: string): boolean;
+//# sourceMappingURL=helpers.d.ts.map

package/dist/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../src/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAErG,wBAAgB,UAAU,CACxB,OAAO,EAAE,iBAAiB,EAC1B,SAAS,EAAE,MAAM,GAChB,OAAO,CAKT;AAED,wBAAgB,UAAU,CACxB,OAAO,EAAE,iBAAiB,EAC1B,SAAS,EAAE,MAAM,GAChB,iBAAiB,GAAG,SAAS,CAE/B;AAED,wBAAgB,UAAU,CACxB,KAAK,EAAE,eAAe,GAAG,SAAS,EAClC,KAAK,EAAE,MAAM,eAAe,EAC5B,EAAE,EAAE,MAAM,GACT,OAAO,CAKT;AAED,wBAAgB,eAAe,CAC7B,OAAO,EAAE,iBAAiB,EAC1B,QAAQ,EAAE,MAAM,GACf,OAAO,CAET"}

package/dist/helpers.js

@@ -0,0 +1,19 @@
+export function hasFeature(payload, featureId) {
+    return (payload.features?.some((f) => f.featureId === featureId && f.enabled) ??
+        false);
+}
+export function getFeature(payload, featureId) {
+    return payload.features?.find((f) => f.featureId === featureId);
+}
+export function hasScopeId(scope, field, id) {
+    if (!scope)
+        return false;
+    const list = scope[field];
+    if (!Array.isArray(list))
+        return false;
+    return list.includes(id);
+}
+export function hasDomainAccess(payload, domainId) {
+    return hasScopeId(payload.scope, "domainIds", domainId);
+}
+//# sourceMappingURL=helpers.js.map

package/dist/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../src/helpers.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,UAAU,CACxB,OAA0B,EAC1B,SAAiB;IAEjB,OAAO,CACL,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,IAAI,CAAC,CAAC,OAAO,CAAC;QACrE,KAAK,CACN,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,OAA0B,EAC1B,SAAiB;IAEjB,OAAO,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,KAAkC,EAClC,KAA4B,EAC5B,EAAU;IAEV,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC;IAC1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,OAAQ,IAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,eAAe,CAC7B,OAA0B,EAC1B,QAAgB;IAEhB,OAAO,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;AAC1D,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export { AuthxInvalidTokenError, AuthxRevokedTokenError, AuthxTokenError, } from "./errors.js";
+export { getFeature, hasDomainAccess, hasFeature, hasScopeId, } from "./helpers.js";
+export { createAuthxTokenVerifier, type AuthxTokenVerifier, type AuthxVerifierConfig, } from "./verifier.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,eAAe,GAChB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,UAAU,EACV,eAAe,EACf,UAAU,EACV,UAAU,GACX,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,wBAAwB,EACxB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,GACzB,MAAM,eAAe,CAAC"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { AuthxInvalidTokenError, AuthxRevokedTokenError, AuthxTokenError, } from "./errors.js";
+export { getFeature, hasDomainAccess, hasFeature, hasScopeId, } from "./helpers.js";
+export { createAuthxTokenVerifier, } from "./verifier.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,sBAAsB,EACtB,sBAAsB,EACtB,eAAe,GAChB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,UAAU,EACV,eAAe,EACf,UAAU,EACV,UAAU,GACX,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,wBAAwB,GAGzB,MAAM,eAAe,CAAC"}

package/dist/middleware/express.d.ts

@@ -0,0 +1,15 @@
+import type { NextFunction, Request, Response } from "express";
+import type { AuthxTokenPayload } from "@x12i/authx-token-types";
+import { type AuthxVerifierConfig } from "../verifier.js";
+declare global {
+    namespace Express {
+        interface Request {
+            authxToken?: AuthxTokenPayload;
+        }
+    }
+}
+export type AuthxExpressMiddlewareOptions = AuthxVerifierConfig & {
+    optional?: boolean;
+};
+export declare function authxTokenMiddleware(options: AuthxExpressMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+//# sourceMappingURL=express.d.ts.map

package/dist/middleware/express.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../src/middleware/express.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAKjE,OAAO,EAEL,KAAK,mBAAmB,EACzB,MAAM,gBAAgB,CAAC;AAExB,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,UAAU,CAAC,EAAE,iBAAiB,CAAC;SAChC;KACF;CACF;AAED,MAAM,MAAM,6BAA6B,GAAG,mBAAmB,GAAG;IAChE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,CAAC;AAQF,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,6BAA6B,IAE3D,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDAmB9D"}

package/dist/middleware/express.js

@@ -0,0 +1,33 @@
+import { AuthxInvalidTokenError, AuthxRevokedTokenError, } from "../errors.js";
+import { createAuthxTokenVerifier, } from "../verifier.js";
+function extractBearer(req) {
+    const header = req.headers.authorization;
+    if (!header?.startsWith("Bearer "))
+        return undefined;
+    return header.slice(7);
+}
+export function authxTokenMiddleware(options) {
+    const verifier = createAuthxTokenVerifier(options);
+    return async (req, res, next) => {
+        const token = extractBearer(req);
+        if (!token) {
+            if (options.optional)
+                return next();
+            return res.status(401).json({ error: "Missing bearer token" });
+        }
+        try {
+            req.authxToken = await verifier.assertValid(token);
+            return next();
+        }
+        catch (err) {
+            if (err instanceof AuthxRevokedTokenError) {
+                return res.status(401).json({ error: err.message, code: err.code });
+            }
+            if (err instanceof AuthxInvalidTokenError) {
+                return res.status(401).json({ error: err.message, code: err.code });
+            }
+            return next(err);
+        }
+    };
+}
+//# sourceMappingURL=express.js.map

package/dist/middleware/express.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"express.js","sourceRoot":"","sources":["../../src/middleware/express.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,wBAAwB,GAEzB,MAAM,gBAAgB,CAAC;AAcxB,SAAS,aAAa,CAAC,GAAY;IACjC,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;IACzC,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IACrD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,OAAsC;IACzE,MAAM,QAAQ,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACnD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QAC/D,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,OAAO,CAAC,QAAQ;gBAAE,OAAO,IAAI,EAAE,CAAC;YACpC,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,IAAI,CAAC;YACH,GAAG,CAAC,UAAU,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;YACnD,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,sBAAsB,EAAE,CAAC;gBAC1C,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;YACtE,CAAC;YACD,IAAI,GAAG,YAAY,sBAAsB,EAAE,CAAC;gBAC1C,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;YACtE,CAAC;YACD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/fastify.d.ts

@@ -0,0 +1,13 @@
+import type { FastifyPluginAsync } from "fastify";
+import type { AuthxTokenPayload } from "@x12i/authx-token-types";
+import { type AuthxVerifierConfig } from "../verifier.js";
+declare module "fastify" {
+    interface FastifyRequest {
+        authxToken?: AuthxTokenPayload;
+    }
+}
+export type AuthxFastifyPluginOptions = AuthxVerifierConfig & {
+    optional?: boolean;
+};
+export declare const authxTokenFastifyPlugin: FastifyPluginAsync<AuthxFastifyPluginOptions>;
+//# sourceMappingURL=fastify.d.ts.map

package/dist/middleware/fastify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fastify.d.ts","sourceRoot":"","sources":["../../src/middleware/fastify.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,kBAAkB,EAAkB,MAAM,SAAS,CAAC;AAClE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAKjE,OAAO,EAEL,KAAK,mBAAmB,EACzB,MAAM,gBAAgB,CAAC;AAExB,OAAO,QAAQ,SAAS,CAAC;IACvB,UAAU,cAAc;QACtB,UAAU,CAAC,EAAE,iBAAiB,CAAC;KAChC;CACF;AAED,MAAM,MAAM,yBAAyB,GAAG,mBAAmB,GAAG;IAC5D,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB,CAAC;AAUF,eAAO,MAAM,uBAAuB,EAAE,kBAAkB,CACtD,yBAAyB,CAsB1B,CAAC"}

package/dist/middleware/fastify.js

@@ -0,0 +1,31 @@
+import { AuthxInvalidTokenError, AuthxRevokedTokenError, } from "../errors.js";
+import { createAuthxTokenVerifier, } from "../verifier.js";
+function extractBearer(request) {
+    const header = request.headers.authorization;
+    if (typeof header !== "string" || !header.startsWith("Bearer ")) {
+        return undefined;
+    }
+    return header.slice(7);
+}
+export const authxTokenFastifyPlugin = async (fastify, options) => {
+    const verifier = createAuthxTokenVerifier(options);
+    fastify.addHook("onRequest", async (request, reply) => {
+        const token = extractBearer(request);
+        if (!token) {
+            if (options.optional)
+                return;
+            return reply.status(401).send({ error: "Missing bearer token" });
+        }
+        try {
+            request.authxToken = await verifier.assertValid(token);
+        }
+        catch (err) {
+            if (err instanceof AuthxInvalidTokenError ||
+                err instanceof AuthxRevokedTokenError) {
+                return reply.status(401).send({ error: err.message, code: err.code });
+            }
+            throw err;
+        }
+    });
+};
+//# sourceMappingURL=fastify.js.map

package/dist/middleware/fastify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fastify.js","sourceRoot":"","sources":["../../src/middleware/fastify.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,wBAAwB,GAEzB,MAAM,gBAAgB,CAAC;AAYxB,SAAS,aAAa,CAAC,OAAuB;IAC5C,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;IAC7C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAChE,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,CAAC,MAAM,uBAAuB,GAEhC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE;IAC7B,MAAM,QAAQ,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IAEnD,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,EAAE;QACpD,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,IAAI,OAAO,CAAC,QAAQ;gBAAE,OAAO;YAC7B,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC;YACH,OAAO,CAAC,UAAU,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;QACzD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IACE,GAAG,YAAY,sBAAsB;gBACrC,GAAG,YAAY,sBAAsB,EACrC,CAAC;gBACD,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;YACxE,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC,CAAC"}

package/dist/verifier.d.ts

@@ -0,0 +1,23 @@
+import type { AuthxTokenIntrospectResponse, AuthxTokenPayload, AuthxTokenVerifyResponse } from "@x12i/authx-token-types";
+export interface AuthxVerifierConfig {
+    appId: string;
+    appSecretKey: string;
+    keyVersion?: number;
+    previousAppSecretKey?: string;
+    previousKeyVersion?: number;
+    issuer?: string;
+    audience?: string[];
+    /** Remote introspection URL (e.g. https://authx/v1/tokens/introspect) */
+    introspectUrl?: string;
+    apiKey?: string;
+}
+export interface AuthxTokenVerifier {
+    verify(token: string): Promise<AuthxTokenVerifyResponse>;
+    decrypt(token: string): Promise<AuthxTokenVerifyResponse>;
+    introspect(token: string): Promise<AuthxTokenIntrospectResponse>;
+    assertValid(token: string): Promise<AuthxTokenPayload>;
+    hasFeature(payload: AuthxTokenPayload, featureId: string): boolean;
+    hasScopeId(payload: AuthxTokenPayload, field: keyof NonNullable<AuthxTokenPayload["scope"]>, id: string): boolean;
+}
+export declare function createAuthxTokenVerifier(config: AuthxVerifierConfig): AuthxTokenVerifier;
+//# sourceMappingURL=verifier.d.ts.map

package/dist/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EACV,4BAA4B,EAC5B,iBAAiB,EACjB,wBAAwB,EACzB,MAAM,yBAAyB,CAAC;AAIjC,MAAM,WAAW,mBAAmB;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;IACpB,yEAAyE;IACzE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;IACzD,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;IAC1D,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,4BAA4B,CAAC,CAAC;IACjE,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACvD,UAAU,CAAC,OAAO,EAAE,iBAAiB,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;IACnE,UAAU,CACR,OAAO,EAAE,iBAAiB,EAC1B,KAAK,EAAE,MAAM,WAAW,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,EACpD,EAAE,EAAE,MAAM,GACT,OAAO,CAAC;CACZ;AAED,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,mBAAmB,GAC1B,kBAAkB,CAqGpB"}

package/dist/verifier.js

@@ -0,0 +1,97 @@
+import { decryptToken, verifyToken, } from "@x12i/authx-token-core";
+import { AuthxInvalidTokenError, AuthxRevokedTokenError } from "./errors.js";
+import { hasFeature, hasScopeId } from "./helpers.js";
+export function createAuthxTokenVerifier(config) {
+    const cryptoOptions = {
+        appSecretKey: config.appSecretKey,
+        keyVersion: config.keyVersion,
+        previousAppSecretKey: config.previousAppSecretKey,
+        previousKeyVersion: config.previousKeyVersion,
+        expectedAppId: config.appId,
+        expectedIssuer: config.issuer,
+        expectedAudience: config.audience,
+    };
+    async function remoteIntrospect(token) {
+        if (!config.introspectUrl) {
+            throw new Error("introspectUrl not configured");
+        }
+        const headers = {
+            "content-type": "application/json",
+        };
+        if (config.apiKey) {
+            headers["x-authx-api-key"] = config.apiKey;
+        }
+        const res = await fetch(config.introspectUrl, {
+            method: "POST",
+            headers,
+            body: JSON.stringify({ token }),
+        });
+        if (!res.ok) {
+            throw new AuthxInvalidTokenError(`Introspection failed: ${res.status}`);
+        }
+        return res.json();
+    }
+    function wrapResult(result) {
+        if (!result.valid) {
+            return {
+                valid: false,
+                error: result.error,
+                expired: result.expired,
+            };
+        }
+        return { valid: true, payload: result.payload };
+    }
+    return {
+        async verify(token) {
+            const local = wrapResult(verifyToken(token, cryptoOptions));
+            if (!local.valid)
+                return local;
+            if (config.introspectUrl) {
+                const remote = await remoteIntrospect(token);
+                if (!remote.active || remote.revoked) {
+                    return {
+                        valid: false,
+                        revoked: remote.revoked,
+                        expired: remote.expired,
+                        error: "token inactive",
+                    };
+                }
+            }
+            return local;
+        },
+        async decrypt(token) {
+            return wrapResult(decryptToken(token, cryptoOptions));
+        },
+        async introspect(token) {
+            if (config.introspectUrl) {
+                return remoteIntrospect(token);
+            }
+            const verified = await this.verify(token);
+            return {
+                active: verified.valid,
+                tokenId: verified.payload?.tokenId,
+                appId: verified.payload?.appId,
+                payload: verified.payload,
+                revoked: Boolean(verified.revoked),
+                expired: Boolean(verified.expired),
+                expiresAt: verified.payload?.expiresAt,
+            };
+        },
+        async assertValid(token) {
+            const result = await this.verify(token);
+            if (result.revoked)
+                throw new AuthxRevokedTokenError();
+            if (!result.valid || !result.payload) {
+                throw new AuthxInvalidTokenError(result.error ?? "Invalid token", {
+                    expired: result.expired,
+                });
+            }
+            return result.payload;
+        },
+        hasFeature,
+        hasScopeId(payload, field, id) {
+            return hasScopeId(payload.scope, field, id);
+        },
+    };
+}
+//# sourceMappingURL=verifier.js.map

package/dist/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,WAAW,GAGZ,MAAM,wBAAwB,CAAC;AAMhC,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAC7E,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AA4BtD,MAAM,UAAU,wBAAwB,CACtC,MAA2B;IAE3B,MAAM,aAAa,GAAuB;QACxC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,oBAAoB,EAAE,MAAM,CAAC,oBAAoB;QACjD,kBAAkB,EAAE,MAAM,CAAC,kBAAkB;QAC7C,aAAa,EAAE,MAAM,CAAC,KAAK;QAC3B,cAAc,EAAE,MAAM,CAAC,MAAM;QAC7B,gBAAgB,EAAE,MAAM,CAAC,QAAQ;KAClC,CAAC;IAEF,KAAK,UAAU,gBAAgB,CAC7B,KAAa;QAEb,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QACD,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;SACnC,CAAC;QACF,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,iBAAiB,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC;QAC7C,CAAC;QACD,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,aAAa,EAAE;YAC5C,MAAM,EAAE,MAAM;YACd,OAAO;YACP,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,CAAC;SAChC,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,MAAM,IAAI,sBAAsB,CAAC,yBAAyB,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1E,CAAC;QACD,OAAO,GAAG,CAAC,IAAI,EAA2C,CAAC;IAC7D,CAAC;IAED,SAAS,UAAU,CAAC,MAAyB;QAC3C,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,MAAM,CAAC,KAAK;gBACnB,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAC;IAClD,CAAC;IAED,OAAO;QACL,KAAK,CAAC,MAAM,CAAC,KAAK;YAChB,MAAM,KAAK,GAAG,UAAU,CAAC,WAAW,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;YAC5D,IAAI,CAAC,KAAK,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAE/B,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,CAAC;gBAC7C,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACrC,OAAO;wBACL,KAAK,EAAE,KAAK;wBACZ,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,KAAK,EAAE,gBAAgB;qBACxB,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,OAAO,KAAK,CAAC;QACf,CAAC;QAED,KAAK,CAAC,OAAO,CAAC,KAAK;YACjB,OAAO,UAAU,CAAC,YAAY,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;QACxD,CAAC;QAED,KAAK,CAAC,UAAU,CAAC,KAAK;YACpB,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;gBACzB,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACjC,CAAC;YACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC1C,OAAO;gBACL,MAAM,EAAE,QAAQ,CAAC,KAAK;gBACtB,OAAO,EAAE,QAAQ,CAAC,OAAO,EAAE,OAAO;gBAClC,KAAK,EAAE,QAAQ,CAAC,OAAO,EAAE,KAAK;gBAC9B,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAClC,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAClC,SAAS,EAAE,QAAQ,CAAC,OAAO,EAAE,SAAS;aACvC,CAAC;QACJ,CAAC;QAED,KAAK,CAAC,WAAW,CAAC,KAAK;YACrB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACxC,IAAI,MAAM,CAAC,OAAO;gBAAE,MAAM,IAAI,sBAAsB,EAAE,CAAC;YACvD,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACrC,MAAM,IAAI,sBAAsB,CAAC,MAAM,CAAC,KAAK,IAAI,eAAe,EAAE;oBAChE,OAAO,EAAE,MAAM,CAAC,OAAO;iBACxB,CAAC,CAAC;YACL,CAAC;YACD,OAAO,MAAM,CAAC,OAAO,CAAC;QACxB,CAAC;QAED,UAAU;QACV,UAAU,CAAC,OAAO,EAAE,KAAK,EAAE,EAAE;YAC3B,OAAO,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,CAAC;QAC9C,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/verifier.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=verifier.test.d.ts.map

package/dist/verifier.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.test.d.ts","sourceRoot":"","sources":["../src/verifier.test.ts"],"names":[],"mappings":""}

package/dist/verifier.test.js

@@ -0,0 +1,38 @@
+import { createToken } from "@x12i/authx-token-core";
+import { describe, expect, it } from "vitest";
+import { createAuthxTokenVerifier } from "./verifier.js";
+const secret = "sdk-test-secret-key-32chars-min!!";
+const appId = "sdk-app";
+describe("authx-token-sdk", () => {
+    const verifier = createAuthxTokenVerifier({
+        appId,
+        appSecretKey: secret,
+    });
+    it("verifies valid tokens", async () => {
+        const { token } = createToken({
+            appId,
+            appSecretKey: secret,
+            subject: { identityId: "u1", identityType: "user" },
+            features: [{ featureId: "catalog.read", enabled: true }],
+            scope: { domainIds: ["sales"] },
+        });
+        const result = await verifier.verify(token);
+        expect(result.valid).toBe(true);
+        expect(verifier.hasFeature(result.payload, "catalog.read")).toBe(true);
+        expect(verifier.hasScopeId(result.payload, "domainIds", "sales")).toBe(true);
+    });
+    it("rejects invalid scope check", async () => {
+        const { token } = createToken({
+            appId,
+            appSecretKey: secret,
+            subject: { identityId: "u1", identityType: "user" },
+        });
+        const result = await verifier.verify(token);
+        expect(verifier.hasScopeId(result.payload, "domainIds", "finance")).toBe(false);
+    });
+    it("rejects invalid tokens", async () => {
+        const result = await verifier.verify("not-a-token");
+        expect(result.valid).toBe(false);
+    });
+});
+//# sourceMappingURL=verifier.test.js.map

package/dist/verifier.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.test.js","sourceRoot":"","sources":["../src/verifier.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,wBAAwB,EAAE,MAAM,eAAe,CAAC;AAEzD,MAAM,MAAM,GAAG,mCAAmC,CAAC;AACnD,MAAM,KAAK,GAAG,SAAS,CAAC;AAExB,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,MAAM,QAAQ,GAAG,wBAAwB,CAAC;QACxC,KAAK;QACL,YAAY,EAAE,MAAM;KACrB,CAAC,CAAC;IAEH,EAAE,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;QACrC,MAAM,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC;YAC5B,KAAK;YACL,YAAY,EAAE,MAAM;YACpB,OAAO,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE;YACnD,QAAQ,EAAE,CAAC,EAAE,SAAS,EAAE,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;YACxD,KAAK,EAAE,EAAE,SAAS,EAAE,CAAC,OAAO,CAAC,EAAE;SAChC,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,OAAQ,EAAE,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxE,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,OAAQ,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CACrE,IAAI,CACL,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,6BAA6B,EAAE,KAAK,IAAI,EAAE;QAC3C,MAAM,EAAE,KAAK,EAAE,GAAG,WAAW,CAAC;YAC5B,KAAK;YACL,YAAY,EAAE,MAAM;YACpB,OAAO,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE;SACpD,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5C,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,OAAQ,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CACvE,KAAK,CACN,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,wBAAwB,EAAE,KAAK,IAAI,EAAE;QACtC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QACpD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "@x12i/authx-token-sdk",
+  "version": "1.0.0",
+  "description": "Consumer SDK for verifying and introspecting AuthX tokens",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/x12i/authx-token-sdk.git"
+  },
+  "bugs": "https://github.com/x12i/authx-token-sdk/issues",
+  "homepage": "https://github.com/x12i/authx-token-sdk#readme",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./express": {
+      "types": "./dist/middleware/express.d.ts",
+      "import": "./dist/middleware/express.js"
+    },
+    "./fastify": {
+      "types": "./dist/middleware/fastify.d.ts",
+      "import": "./dist/middleware/fastify.js"
+    }
+  },
+  "files": ["dist"],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "vitest run",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "lint": "echo ok"
+  },
+  "dependencies": {
+    "@x12i/authx-token-core": "1.0.0",
+    "@x12i/authx-token-types": "1.0.0"
+  },
+  "peerDependencies": {
+    "express": ">=4",
+    "fastify": ">=4"
+  },
+  "peerDependenciesMeta": {
+    "express": { "optional": true },
+    "fastify": { "optional": true }
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.2",
+    "express": "^5.1.0",
+    "fastify": "^5.3.3",
+    "typescript": "^5.8.3",
+    "vitest": "^3.2.1"
+  },
+  "publishConfig": {
+    "access": "restricted"
+  }
+}