@xivdyetools/auth 1.0.0

package/dist/discord.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Discord Request Verification
+ *
+ * Wraps the `discord-interactions` library's Ed25519 signature verification
+ * with additional security checks (body size limits, header validation).
+ *
+ * @see https://discord.com/developers/docs/interactions/receiving-and-responding#security-and-authorization
+ * @module discord
+ */
+/**
+ * Result of Discord request verification
+ */
+export interface DiscordVerificationResult {
+    /** Whether the signature is valid */
+    isValid: boolean;
+    /** The raw request body (needed for parsing after verification) */
+    body: string;
+    /** Error message if verification failed */
+    error?: string;
+}
+/**
+ * Options for Discord verification
+ */
+export interface DiscordVerifyOptions {
+    /** Maximum request body size in bytes (default: 100KB) */
+    maxBodySize?: number;
+}
+/**
+ * Verify that a request came from Discord using Ed25519 signature verification.
+ *
+ * Security features:
+ * - Content-Length header check (before reading body)
+ * - Actual body size validation (Content-Length can be spoofed)
+ * - Required header validation (X-Signature-Ed25519, X-Signature-Timestamp)
+ *
+ * @param request - The incoming HTTP request
+ * @param publicKey - Your Discord application's public key
+ * @param options - Verification options
+ * @returns Verification result with the request body
+ *
+ * @example
+ * ```typescript
+ * const result = await verifyDiscordRequest(request, env.DISCORD_PUBLIC_KEY);
+ * if (!result.isValid) {
+ *   return new Response(result.error, { status: 401 });
+ * }
+ * const interaction = JSON.parse(result.body);
+ * ```
+ */
+export declare function verifyDiscordRequest(request: Request, publicKey: string, options?: DiscordVerifyOptions): Promise<DiscordVerificationResult>;
+/**
+ * Creates a 401 Unauthorized response for failed verification.
+ *
+ * @param message - Error message (default: 'Invalid request signature')
+ * @returns Response object
+ */
+export declare function unauthorizedResponse(message?: string): Response;
+/**
+ * Creates a 400 Bad Request response.
+ *
+ * @param message - Error message
+ * @returns Response object
+ */
+export declare function badRequestResponse(message: string): Response;
+//# sourceMappingURL=discord.d.ts.map

package/dist/discord.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discord.d.ts","sourceRoot":"","sources":["../src/discord.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,qCAAqC;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,0DAA0D;IAC1D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAKD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,OAAO,EAChB,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,yBAAyB,CAAC,CAqDpC;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,SAA8B,GACpC,QAAQ,CAKV;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,CAK5D"}

package/dist/discord.js

@@ -0,0 +1,107 @@
+/**
+ * Discord Request Verification
+ *
+ * Wraps the `discord-interactions` library's Ed25519 signature verification
+ * with additional security checks (body size limits, header validation).
+ *
+ * @see https://discord.com/developers/docs/interactions/receiving-and-responding#security-and-authorization
+ * @module discord
+ */
+import { verifyKey } from 'discord-interactions';
+/** Default maximum body size (100KB) */
+const DEFAULT_MAX_BODY_SIZE = 100_000;
+/**
+ * Verify that a request came from Discord using Ed25519 signature verification.
+ *
+ * Security features:
+ * - Content-Length header check (before reading body)
+ * - Actual body size validation (Content-Length can be spoofed)
+ * - Required header validation (X-Signature-Ed25519, X-Signature-Timestamp)
+ *
+ * @param request - The incoming HTTP request
+ * @param publicKey - Your Discord application's public key
+ * @param options - Verification options
+ * @returns Verification result with the request body
+ *
+ * @example
+ * ```typescript
+ * const result = await verifyDiscordRequest(request, env.DISCORD_PUBLIC_KEY);
+ * if (!result.isValid) {
+ *   return new Response(result.error, { status: 401 });
+ * }
+ * const interaction = JSON.parse(result.body);
+ * ```
+ */
+export async function verifyDiscordRequest(request, publicKey, options = {}) {
+    const maxBodySize = options.maxBodySize ?? DEFAULT_MAX_BODY_SIZE;
+    // Check Content-Length header first (if present) to reject obviously large requests
+    const contentLength = request.headers.get('Content-Length');
+    if (contentLength && parseInt(contentLength, 10) > maxBodySize) {
+        return {
+            isValid: false,
+            body: '',
+            error: 'Request body too large',
+        };
+    }
+    // Get required headers
+    const signature = request.headers.get('X-Signature-Ed25519');
+    const timestamp = request.headers.get('X-Signature-Timestamp');
+    if (!signature || !timestamp) {
+        return {
+            isValid: false,
+            body: '',
+            error: 'Missing signature headers',
+        };
+    }
+    // Get the raw body
+    const body = await request.text();
+    // Verify actual body size (Content-Length can be spoofed)
+    if (body.length > maxBodySize) {
+        return {
+            isValid: false,
+            body: '',
+            error: 'Request body too large',
+        };
+    }
+    // Verify the signature using discord-interactions library
+    try {
+        const isValid = await verifyKey(body, signature, timestamp, publicKey);
+        return {
+            isValid,
+            body,
+            error: isValid ? undefined : 'Invalid signature',
+        };
+    }
+    catch (error) {
+        return {
+            isValid: false,
+            body,
+            error: error instanceof Error ? error.message : 'Verification failed',
+        };
+    }
+}
+/**
+ * Creates a 401 Unauthorized response for failed verification.
+ *
+ * @param message - Error message (default: 'Invalid request signature')
+ * @returns Response object
+ */
+export function unauthorizedResponse(message = 'Invalid request signature') {
+    return new Response(JSON.stringify({ error: message }), {
+        status: 401,
+        headers: { 'Content-Type': 'application/json' },
+    });
+}
+/**
+ * Creates a 400 Bad Request response.
+ *
+ * @param message - Error message
+ * @returns Response object
+ */
+export function badRequestResponse(message) {
+    return new Response(JSON.stringify({ error: message }), {
+        status: 400,
+        headers: { 'Content-Type': 'application/json' },
+    });
+}
+//# sourceMappingURL=discord.js.map

package/dist/discord.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discord.js","sourceRoot":"","sources":["../src/discord.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAsBjD,wCAAwC;AACxC,MAAM,qBAAqB,GAAG,OAAO,CAAC;AAEtC;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAgB,EAChB,SAAiB,EACjB,UAAgC,EAAE;IAElC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,qBAAqB,CAAC;IAEjE,oFAAoF;IACpF,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC5D,IAAI,aAAa,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,GAAG,WAAW,EAAE,CAAC;QAC/D,OAAO;YACL,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,EAAE;YACR,KAAK,EAAE,wBAAwB;SAChC,CAAC;IACJ,CAAC;IAED,uBAAuB;IACvB,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAC7D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;IAE/D,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,EAAE,CAAC;QAC7B,OAAO;YACL,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,EAAE;YACR,KAAK,EAAE,2BAA2B;SACnC,CAAC;IACJ,CAAC;IAED,mBAAmB;IACnB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;IAElC,0DAA0D;IAC1D,IAAI,IAAI,CAAC,MAAM,GAAG,WAAW,EAAE,CAAC;QAC9B,OAAO;YACL,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,EAAE;YACR,KAAK,EAAE,wBAAwB;SAChC,CAAC;IACJ,CAAC;IAED,0DAA0D;IAC1D,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;QAEvE,OAAO;YACL,OAAO;YACP,IAAI;YACJ,KAAK,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,mBAAmB;SACjD,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,IAAI;YACJ,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,qBAAqB;SACtE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAO,GAAG,2BAA2B;IAErC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE;QACtD,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAe;IAChD,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,EAAE;QACtD,MAAM,EAAE,GAAG;QACX,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;KAChD,CAAC,CAAC;AACL,CAAC"}

package/dist/hmac.d.ts

@@ -0,0 +1,101 @@
+/**
+ * HMAC Signing Utilities
+ *
+ * Provides HMAC-SHA256 signing and verification using the Web Crypto API.
+ * Used for JWT signing and bot request authentication.
+ *
+ * @module hmac
+ */
+/**
+ * Options for bot signature verification
+ */
+export interface BotSignatureOptions {
+    /** Maximum age of signature in milliseconds (default: 5 minutes) */
+    maxAgeMs?: number;
+    /** Allowed clock skew in milliseconds (default: 1 minute) */
+    clockSkewMs?: number;
+}
+/**
+ * Create an HMAC-SHA256 CryptoKey from a secret string.
+ *
+ * @param secret - The secret string to use as key material
+ * @param usage - Key usage: 'sign', 'verify', or 'both'
+ * @returns CryptoKey for HMAC operations
+ *
+ * @example
+ * ```typescript
+ * const key = await createHmacKey(process.env.JWT_SECRET, 'verify');
+ * ```
+ */
+export declare function createHmacKey(secret: string, usage?: 'sign' | 'verify' | 'both'): Promise<CryptoKey>;
+/**
+ * Sign data with HMAC-SHA256 and return base64url-encoded signature.
+ *
+ * @param data - The data to sign
+ * @param secret - The secret key
+ * @returns Base64URL-encoded signature
+ *
+ * @example
+ * ```typescript
+ * const signature = await hmacSign('header.payload', jwtSecret);
+ * ```
+ */
+export declare function hmacSign(data: string, secret: string): Promise<string>;
+/**
+ * Sign data with HMAC-SHA256 and return hex-encoded signature.
+ *
+ * @param data - The data to sign
+ * @param secret - The secret key
+ * @returns Hex-encoded signature
+ *
+ * @example
+ * ```typescript
+ * const signature = await hmacSignHex('timestamp:userId:userName', secret);
+ * ```
+ */
+export declare function hmacSignHex(data: string, secret: string): Promise<string>;
+/**
+ * Verify HMAC-SHA256 signature (base64url-encoded).
+ *
+ * @param data - The original data that was signed
+ * @param signature - Base64URL-encoded signature to verify
+ * @param secret - The secret key
+ * @returns true if signature is valid
+ */
+export declare function hmacVerify(data: string, signature: string, secret: string): Promise<boolean>;
+/**
+ * Verify HMAC-SHA256 signature (hex-encoded).
+ *
+ * @param data - The original data that was signed
+ * @param signature - Hex-encoded signature to verify
+ * @param secret - The secret key
+ * @returns true if signature is valid
+ */
+export declare function hmacVerifyHex(data: string, signature: string, secret: string): Promise<boolean>;
+/**
+ * Verify a bot request signature.
+ *
+ * Bot signatures use the format: `${timestamp}:${userDiscordId}:${userName}`
+ * Signatures are hex-encoded HMAC-SHA256.
+ *
+ * @param signature - Hex-encoded signature
+ * @param timestamp - Unix timestamp string (seconds)
+ * @param userDiscordId - Discord user ID
+ * @param userName - Discord username
+ * @param secret - The signing secret
+ * @param options - Verification options
+ * @returns true if signature is valid and not expired
+ *
+ * @example
+ * ```typescript
+ * const isValid = await verifyBotSignature(
+ *   request.headers.get('X-Signature'),
+ *   request.headers.get('X-Timestamp'),
+ *   request.headers.get('X-User-Id'),
+ *   request.headers.get('X-User-Name'),
+ *   env.BOT_SIGNING_SECRET
+ * );
+ * ```
+ */
+export declare function verifyBotSignature(signature: string | undefined, timestamp: string | undefined, userDiscordId: string | undefined, userName: string | undefined, secret: string, options?: BotSignatureOptions): Promise<boolean>;
+//# sourceMappingURL=hmac.d.ts.map

package/dist/hmac.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac.d.ts","sourceRoot":"","sources":["../src/hmac.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,KAAK,GAAE,MAAM,GAAG,QAAQ,GAAG,MAAe,GACzC,OAAO,CAAC,SAAS,CAAC,CAcpB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAK5E;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAKjB;AAED;;;;;;;GAOG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAQlB;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAelB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,aAAa,EAAE,MAAM,GAAG,SAAS,EACjC,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,OAAO,CAAC,CAgClB"}

package/dist/hmac.js

@@ -0,0 +1,153 @@
+/**
+ * HMAC Signing Utilities
+ *
+ * Provides HMAC-SHA256 signing and verification using the Web Crypto API.
+ * Used for JWT signing and bot request authentication.
+ *
+ * @module hmac
+ */
+import { base64UrlEncodeBytes, bytesToHex, hexToBytes, } from '@xivdyetools/crypto';
+/**
+ * Create an HMAC-SHA256 CryptoKey from a secret string.
+ *
+ * @param secret - The secret string to use as key material
+ * @param usage - Key usage: 'sign', 'verify', or 'both'
+ * @returns CryptoKey for HMAC operations
+ *
+ * @example
+ * ```typescript
+ * const key = await createHmacKey(process.env.JWT_SECRET, 'verify');
+ * ```
+ */
+export async function createHmacKey(secret, usage = 'both') {
+    const encoder = new TextEncoder();
+    const keyData = encoder.encode(secret);
+    const keyUsages = usage === 'both' ? ['sign', 'verify'] : [usage];
+    return crypto.subtle.importKey('raw', keyData, { name: 'HMAC', hash: 'SHA-256' }, false, keyUsages);
+}
+/**
+ * Sign data with HMAC-SHA256 and return base64url-encoded signature.
+ *
+ * @param data - The data to sign
+ * @param secret - The secret key
+ * @returns Base64URL-encoded signature
+ *
+ * @example
+ * ```typescript
+ * const signature = await hmacSign('header.payload', jwtSecret);
+ * ```
+ */
+export async function hmacSign(data, secret) {
+    const key = await createHmacKey(secret, 'sign');
+    const encoder = new TextEncoder();
+    const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+    return base64UrlEncodeBytes(new Uint8Array(signature));
+}
+/**
+ * Sign data with HMAC-SHA256 and return hex-encoded signature.
+ *
+ * @param data - The data to sign
+ * @param secret - The secret key
+ * @returns Hex-encoded signature
+ *
+ * @example
+ * ```typescript
+ * const signature = await hmacSignHex('timestamp:userId:userName', secret);
+ * ```
+ */
+export async function hmacSignHex(data, secret) {
+    const key = await createHmacKey(secret, 'sign');
+    const encoder = new TextEncoder();
+    const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
+    return bytesToHex(new Uint8Array(signature));
+}
+/**
+ * Verify HMAC-SHA256 signature (base64url-encoded).
+ *
+ * @param data - The original data that was signed
+ * @param signature - Base64URL-encoded signature to verify
+ * @param secret - The secret key
+ * @returns true if signature is valid
+ */
+export async function hmacVerify(data, signature, secret) {
+    try {
+        const expectedSignature = await hmacSign(data, secret);
+        // Use timing-safe comparison
+        return expectedSignature === signature;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Verify HMAC-SHA256 signature (hex-encoded).
+ *
+ * @param data - The original data that was signed
+ * @param signature - Hex-encoded signature to verify
+ * @param secret - The secret key
+ * @returns true if signature is valid
+ */
+export async function hmacVerifyHex(data, signature, secret) {
+    try {
+        const key = await createHmacKey(secret, 'verify');
+        const encoder = new TextEncoder();
+        const signatureBytes = hexToBytes(signature);
+        return crypto.subtle.verify('HMAC', key, signatureBytes, encoder.encode(data));
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Verify a bot request signature.
+ *
+ * Bot signatures use the format: `${timestamp}:${userDiscordId}:${userName}`
+ * Signatures are hex-encoded HMAC-SHA256.
+ *
+ * @param signature - Hex-encoded signature
+ * @param timestamp - Unix timestamp string (seconds)
+ * @param userDiscordId - Discord user ID
+ * @param userName - Discord username
+ * @param secret - The signing secret
+ * @param options - Verification options
+ * @returns true if signature is valid and not expired
+ *
+ * @example
+ * ```typescript
+ * const isValid = await verifyBotSignature(
+ *   request.headers.get('X-Signature'),
+ *   request.headers.get('X-Timestamp'),
+ *   request.headers.get('X-User-Id'),
+ *   request.headers.get('X-User-Name'),
+ *   env.BOT_SIGNING_SECRET
+ * );
+ * ```
+ */
+export async function verifyBotSignature(signature, timestamp, userDiscordId, userName, secret, options = {}) {
+    const { maxAgeMs = 5 * 60 * 1000, clockSkewMs = 60 * 1000 } = options;
+    // Validate required fields
+    if (!signature || !timestamp || !userDiscordId || !userName) {
+        return false;
+    }
+    // Validate timestamp format
+    const timestampNum = parseInt(timestamp, 10);
+    if (isNaN(timestampNum)) {
+        return false;
+    }
+    // Check timestamp age (with clock skew tolerance)
+    const now = Date.now();
+    const signatureTime = timestampNum * 1000; // Convert to milliseconds
+    const age = now - signatureTime;
+    // Reject if too old
+    if (age > maxAgeMs) {
+        return false;
+    }
+    // Reject if too far in the future (clock skew protection)
+    if (signatureTime > now + clockSkewMs) {
+        return false;
+    }
+    // Verify the signature
+    const message = `${timestamp}:${userDiscordId}:${userName}`;
+    return hmacVerifyHex(message, signature, secret);
+}
+//# sourceMappingURL=hmac.js.map

package/dist/hmac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hmac.js","sourceRoot":"","sources":["../src/hmac.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,oBAAoB,EACpB,UAAU,EACV,UAAU,GACX,MAAM,qBAAqB,CAAC;AAY7B;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAc,EACd,QAAoC,MAAM;IAE1C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,SAAS,GACb,KAAK,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAElD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,OAAO,EACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,SAAS,CACV,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAY,EAAE,MAAc;IACzD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9E,OAAO,oBAAoB,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY,EACZ,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9E,OAAO,UAAU,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,IAAY,EACZ,SAAiB,EACjB,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,iBAAiB,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACvD,6BAA6B;QAC7B,OAAO,iBAAiB,KAAK,SAAS,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAY,EACZ,SAAiB,EACjB,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;QAE7C,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CACzB,MAAM,EACN,GAAG,EACH,cAAc,EACd,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CACrB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAA6B,EAC7B,SAA6B,EAC7B,aAAiC,EACjC,QAA4B,EAC5B,MAAc,EACd,UAA+B,EAAE;IAEjC,MAAM,EAAE,QAAQ,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,WAAW,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAEtE,2BAA2B;IAC3B,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,IAAI,CAAC,aAAa,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC5D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4BAA4B;IAC5B,MAAM,YAAY,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC7C,IAAI,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,kDAAkD;IAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,aAAa,GAAG,YAAY,GAAG,IAAI,CAAC,CAAC,0BAA0B;IACrE,MAAM,GAAG,GAAG,GAAG,GAAG,aAAa,CAAC;IAEhC,oBAAoB;IACpB,IAAI,GAAG,GAAG,QAAQ,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,0DAA0D;IAC1D,IAAI,aAAa,GAAG,GAAG,GAAG,WAAW,EAAE,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,uBAAuB;IACvB,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,aAAa,IAAI,QAAQ,EAAE,CAAC;IAC5D,OAAO,aAAa,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,26 @@
+/**
+ * @xivdyetools/auth
+ *
+ * Shared authentication utilities for the xivdyetools ecosystem.
+ *
+ * @example
+ * ```typescript
+ * import { verifyJWT, verifyDiscordRequest, timingSafeEqual } from '@xivdyetools/auth';
+ *
+ * // Verify JWT
+ * const payload = await verifyJWT(token, env.JWT_SECRET);
+ *
+ * // Verify Discord request
+ * const result = await verifyDiscordRequest(request, env.DISCORD_PUBLIC_KEY);
+ *
+ * // Timing-safe comparison
+ * const isValid = await timingSafeEqual(provided, expected);
+ * ```
+ *
+ * @module @xivdyetools/auth
+ */
+export { verifyJWT, verifyJWTSignatureOnly, decodeJWT, isJWTExpired, getJWTTimeToExpiry, type JWTPayload, } from './jwt.js';
+export { createHmacKey, hmacSign, hmacSignHex, hmacVerify, hmacVerifyHex, verifyBotSignature, type BotSignatureOptions, } from './hmac.js';
+export { timingSafeEqual, timingSafeEqualBytes } from './timing.js';
+export { verifyDiscordRequest, unauthorizedResponse, badRequestResponse, type DiscordVerificationResult, type DiscordVerifyOptions, } from './discord.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EACL,SAAS,EACT,sBAAsB,EACtB,SAAS,EACT,YAAY,EACZ,kBAAkB,EAClB,KAAK,UAAU,GAChB,MAAM,UAAU,CAAC;AAGlB,OAAO,EACL,aAAa,EACb,QAAQ,EACR,WAAW,EACX,UAAU,EACV,aAAa,EACb,kBAAkB,EAClB,KAAK,mBAAmB,GACzB,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGpE,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,EAClB,KAAK,yBAAyB,EAC9B,KAAK,oBAAoB,GAC1B,MAAM,cAAc,CAAC"}

package/dist/index.js

@@ -0,0 +1,30 @@
+/**
+ * @xivdyetools/auth
+ *
+ * Shared authentication utilities for the xivdyetools ecosystem.
+ *
+ * @example
+ * ```typescript
+ * import { verifyJWT, verifyDiscordRequest, timingSafeEqual } from '@xivdyetools/auth';
+ *
+ * // Verify JWT
+ * const payload = await verifyJWT(token, env.JWT_SECRET);
+ *
+ * // Verify Discord request
+ * const result = await verifyDiscordRequest(request, env.DISCORD_PUBLIC_KEY);
+ *
+ * // Timing-safe comparison
+ * const isValid = await timingSafeEqual(provided, expected);
+ * ```
+ *
+ * @module @xivdyetools/auth
+ */
+// JWT utilities
+export { verifyJWT, verifyJWTSignatureOnly, decodeJWT, isJWTExpired, getJWTTimeToExpiry, } from './jwt.js';
+// HMAC utilities
+export { createHmacKey, hmacSign, hmacSignHex, hmacVerify, hmacVerifyHex, verifyBotSignature, } from './hmac.js';
+// Timing-safe utilities
+export { timingSafeEqual, timingSafeEqualBytes } from './timing.js';
+// Discord verification
+export { verifyDiscordRequest, unauthorizedResponse, badRequestResponse, } from './discord.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,gBAAgB;AAChB,OAAO,EACL,SAAS,EACT,sBAAsB,EACtB,SAAS,EACT,YAAY,EACZ,kBAAkB,GAEnB,MAAM,UAAU,CAAC;AAElB,iBAAiB;AACjB,OAAO,EACL,aAAa,EACb,QAAQ,EACR,WAAW,EACX,UAAU,EACV,aAAa,EACb,kBAAkB,GAEnB,MAAM,WAAW,CAAC;AAEnB,wBAAwB;AACxB,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEpE,uBAAuB;AACvB,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,kBAAkB,GAGnB,MAAM,cAAc,CAAC"}

package/dist/jwt.d.ts

@@ -0,0 +1,110 @@
+/**
+ * JWT Verification Utilities
+ *
+ * Provides JWT verification using HMAC-SHA256 (HS256) with the Web Crypto API.
+ * Intentionally does NOT include JWT creation - that stays in the oauth service.
+ *
+ * Security features:
+ * - Algorithm validation (rejects non-HS256 tokens)
+ * - Expiration checking
+ * - Timing-safe signature comparison
+ *
+ * @module jwt
+ */
+/**
+ * JWT payload structure
+ *
+ * Re-exported from @xivdyetools/types for convenience.
+ * Consumers should import from here rather than directly from types.
+ */
+export interface JWTPayload {
+    /** Subject - Discord user ID */
+    sub: string;
+    /** Issued at timestamp (seconds) */
+    iat: number;
+    /** Expiration timestamp (seconds) */
+    exp: number;
+    /** Token type: 'access' or 'refresh' */
+    type: 'access' | 'refresh';
+    /** Discord username */
+    username?: string;
+    /** Discord avatar hash */
+    avatar?: string | null;
+}
+/**
+ * Decode a JWT without verifying the signature.
+ *
+ * WARNING: Only use this for debugging or when you'll verify separately.
+ * For production use, always use `verifyJWT()`.
+ *
+ * @param token - The JWT string
+ * @returns Decoded payload or null if malformed
+ *
+ * @example
+ * ```typescript
+ * const payload = decodeJWT(token);
+ * console.log('Token expires:', new Date(payload.exp * 1000));
+ * ```
+ */
+export declare function decodeJWT(token: string): JWTPayload | null;
+/**
+ * Verify a JWT and return the payload if valid.
+ *
+ * Performs full verification:
+ * 1. Validates token structure (3 parts)
+ * 2. Validates algorithm is HS256 (prevents confusion attacks)
+ * 3. Verifies HMAC-SHA256 signature
+ * 4. Checks expiration time
+ *
+ * @param token - The JWT string
+ * @param secret - The HMAC secret used to sign the token
+ * @returns Verified payload or null if invalid/expired
+ *
+ * @example
+ * ```typescript
+ * const payload = await verifyJWT(token, env.JWT_SECRET);
+ * if (!payload) {
+ *   return new Response('Unauthorized', { status: 401 });
+ * }
+ * ```
+ */
+export declare function verifyJWT(token: string, secret: string): Promise<JWTPayload | null>;
+/**
+ * Verify JWT signature only, ignoring expiration.
+ *
+ * Used for refresh tokens where we want to verify authenticity
+ * but allow some grace period past expiration.
+ *
+ * @param token - The JWT string
+ * @param secret - The HMAC secret
+ * @param maxAgeMs - Optional maximum age in milliseconds (from iat)
+ * @returns Payload if signature valid, null otherwise
+ *
+ * @example
+ * ```typescript
+ * // Allow refresh tokens up to 7 days old
+ * const payload = await verifyJWTSignatureOnly(
+ *   refreshToken,
+ *   env.JWT_SECRET,
+ *   7 * 24 * 60 * 60 * 1000
+ * );
+ * ```
+ */
+export declare function verifyJWTSignatureOnly(token: string, secret: string, maxAgeMs?: number): Promise<JWTPayload | null>;
+/**
+ * Check if a JWT is expired without full verification.
+ *
+ * Useful for quick checks before making API calls.
+ *
+ * @param token - The JWT string
+ * @returns true if token is expired or malformed
+ */
+export declare function isJWTExpired(token: string): boolean;
+/**
+ * Get time until JWT expiration.
+ *
+ * @param token - The JWT string
+ * @returns Seconds until expiration, or 0 if expired/invalid
+ */
+export declare function getJWTTimeToExpiry(token: string): number;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AASH;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,qCAAqC;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,wCAAwC;IACxC,IAAI,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC3B,uBAAuB;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAUD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAY1D;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAmD5B;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAqD5B;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAOnD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOxD"}