npm - @xivdyetools/auth - Versions diffs - 1.0.0 - Mend

@xivdyetools/auth 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/dist/jwt.js ADDED Viewed

@@ -0,0 +1,194 @@
+/**
+ * JWT Verification Utilities
+ *
+ * Provides JWT verification using HMAC-SHA256 (HS256) with the Web Crypto API.
+ * Intentionally does NOT include JWT creation - that stays in the oauth service.
+ *
+ * Security features:
+ * - Algorithm validation (rejects non-HS256 tokens)
+ * - Expiration checking
+ * - Timing-safe signature comparison
+ *
+ * @module jwt
+ */
+import { base64UrlEncodeBytes, base64UrlDecode, base64UrlDecodeBytes, } from '@xivdyetools/crypto';
+import { createHmacKey } from './hmac.js';
+/**
+ * Decode a JWT without verifying the signature.
+ *
+ * WARNING: Only use this for debugging or when you'll verify separately.
+ * For production use, always use `verifyJWT()`.
+ *
+ * @param token - The JWT string
+ * @returns Decoded payload or null if malformed
+ *
+ * @example
+ * ```typescript
+ * const payload = decodeJWT(token);
+ * console.log('Token expires:', new Date(payload.exp * 1000));
+ * ```
+ */
+export function decodeJWT(token) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            return null;
+        }
+        const payloadJson = base64UrlDecode(parts[1]);
+        return JSON.parse(payloadJson);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Verify a JWT and return the payload if valid.
+ *
+ * Performs full verification:
+ * 1. Validates token structure (3 parts)
+ * 2. Validates algorithm is HS256 (prevents confusion attacks)
+ * 3. Verifies HMAC-SHA256 signature
+ * 4. Checks expiration time
+ *
+ * @param token - The JWT string
+ * @param secret - The HMAC secret used to sign the token
+ * @returns Verified payload or null if invalid/expired
+ *
+ * @example
+ * ```typescript
+ * const payload = await verifyJWT(token, env.JWT_SECRET);
+ * if (!payload) {
+ *   return new Response('Unauthorized', { status: 401 });
+ * }
+ * ```
+ */
+export async function verifyJWT(token, secret) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            return null;
+        }
+        const [headerB64, payloadB64, signatureB64] = parts;
+        // Decode and validate header
+        const headerJson = base64UrlDecode(headerB64);
+        const header = JSON.parse(headerJson);
+        // SECURITY: Reject non-HS256 algorithms (prevents algorithm confusion attacks)
+        if (header.alg !== 'HS256') {
+            return null;
+        }
+        // Verify signature
+        const signatureInput = `${headerB64}.${payloadB64}`;
+        const key = await createHmacKey(secret, 'both');
+        const encoder = new TextEncoder();
+        const expectedSignature = await crypto.subtle.sign('HMAC', key, encoder.encode(signatureInput));
+        const expectedSignatureB64 = base64UrlEncodeBytes(new Uint8Array(expectedSignature));
+        // Compare signatures (using string comparison - both are base64url)
+        if (signatureB64 !== expectedSignatureB64) {
+            return null;
+        }
+        // Decode payload
+        const payloadJson = base64UrlDecode(payloadB64);
+        const payload = JSON.parse(payloadJson);
+        // Check expiration
+        const now = Math.floor(Date.now() / 1000);
+        if (payload.exp && payload.exp < now) {
+            return null;
+        }
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Verify JWT signature only, ignoring expiration.
+ *
+ * Used for refresh tokens where we want to verify authenticity
+ * but allow some grace period past expiration.
+ *
+ * @param token - The JWT string
+ * @param secret - The HMAC secret
+ * @param maxAgeMs - Optional maximum age in milliseconds (from iat)
+ * @returns Payload if signature valid, null otherwise
+ *
+ * @example
+ * ```typescript
+ * // Allow refresh tokens up to 7 days old
+ * const payload = await verifyJWTSignatureOnly(
+ *   refreshToken,
+ *   env.JWT_SECRET,
+ *   7 * 24 * 60 * 60 * 1000
+ * );
+ * ```
+ */
+export async function verifyJWTSignatureOnly(token, secret, maxAgeMs) {
+    try {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            return null;
+        }
+        const [headerB64, payloadB64, signatureB64] = parts;
+        // Decode and validate header
+        const headerJson = base64UrlDecode(headerB64);
+        const header = JSON.parse(headerJson);
+        // SECURITY: Still reject non-HS256 algorithms
+        if (header.alg !== 'HS256') {
+            return null;
+        }
+        // Verify signature
+        const signatureInput = `${headerB64}.${payloadB64}`;
+        const key = await createHmacKey(secret, 'both');
+        const encoder = new TextEncoder();
+        const expectedSignature = await crypto.subtle.sign('HMAC', key, encoder.encode(signatureInput));
+        const expectedSignatureB64 = base64UrlEncodeBytes(new Uint8Array(expectedSignature));
+        if (signatureB64 !== expectedSignatureB64) {
+            return null;
+        }
+        // Decode payload
+        const payloadJson = base64UrlDecode(payloadB64);
+        const payload = JSON.parse(payloadJson);
+        // Check max age if specified
+        if (maxAgeMs !== undefined && payload.iat) {
+            const now = Date.now();
+            const tokenAge = now - payload.iat * 1000;
+            if (tokenAge > maxAgeMs) {
+                return null;
+            }
+        }
+        return payload;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Check if a JWT is expired without full verification.
+ *
+ * Useful for quick checks before making API calls.
+ *
+ * @param token - The JWT string
+ * @returns true if token is expired or malformed
+ */
+export function isJWTExpired(token) {
+    const payload = decodeJWT(token);
+    if (!payload || !payload.exp) {
+        return true;
+    }
+    const now = Math.floor(Date.now() / 1000);
+    return payload.exp < now;
+}
+/**
+ * Get time until JWT expiration.
+ *
+ * @param token - The JWT string
+ * @returns Seconds until expiration, or 0 if expired/invalid
+ */
+export function getJWTTimeToExpiry(token) {
+    const payload = decodeJWT(token);
+    if (!payload || !payload.exp) {
+        return 0;
+    }
+    const now = Math.floor(Date.now() / 1000);
+    return Math.max(0, payload.exp - now);
+}
+//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EACL,oBAAoB,EACpB,eAAe,EACf,oBAAoB,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AA+B1C;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAe,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,KAAa,EACb,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,6BAA6B;QAC7B,MAAM,UAAU,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAc,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAEjD,+EAA+E;QAC/E,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAElC,MAAM,iBAAiB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAChD,MAAM,EACN,GAAG,EACH,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAC/B,CAAC;QACF,MAAM,oBAAoB,GAAG,oBAAoB,CAC/C,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAClC,CAAC;QAEF,oEAAoE;QACpE,IAAI,YAAY,KAAK,oBAAoB,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,iBAAiB;QACjB,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,OAAO,GAAe,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAEpD,mBAAmB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACrC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,KAAa,EACb,MAAc,EACd,QAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,6BAA6B;QAC7B,MAAM,UAAU,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAc,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAEjD,8CAA8C;QAC9C,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mBAAmB;QACnB,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAElC,MAAM,iBAAiB,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAChD,MAAM,EACN,GAAG,EACH,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAC/B,CAAC;QACF,MAAM,oBAAoB,GAAG,oBAAoB,CAC/C,IAAI,UAAU,CAAC,iBAAiB,CAAC,CAClC,CAAC;QAEF,IAAI,YAAY,KAAK,oBAAoB,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QAED,iBAAiB;QACjB,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,OAAO,GAAe,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAEpD,6BAA6B;QAC7B,IAAI,QAAQ,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,GAAG,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;YAC1C,IAAI,QAAQ,GAAG,QAAQ,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO,OAAO,CAAC,GAAG,GAAG,GAAG,CAAC;AAC3B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QAC7B,OAAO,CAAC,CAAC;IACX,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;AACxC,CAAC"}

package/dist/timing.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+/**
+ * Timing-Safe Comparison Utilities
+ *
+ * Provides constant-time comparison to prevent timing attacks.
+ * Regular string comparison (===) can leak information about secrets
+ * because it short-circuits on the first non-matching character.
+ *
+ * @module timing
+ */
+/**
+ * Performs a constant-time string comparison to prevent timing attacks.
+ *
+ * Uses `crypto.subtle.timingSafeEqual()` when available (Cloudflare Workers),
+ * with a fallback XOR-based implementation for other environments.
+ *
+ * @param a - First string to compare
+ * @param b - Second string to compare
+ * @returns true if strings are equal, false otherwise
+ *
+ * @example
+ * ```typescript
+ * const isValid = await timingSafeEqual(providedToken, expectedToken);
+ * ```
+ */
+export declare function timingSafeEqual(a: string, b: string): Promise<boolean>;
+/**
+ * Performs constant-time comparison on Uint8Arrays.
+ *
+ * @param a - First array to compare
+ * @param b - Second array to compare
+ * @returns true if arrays are equal, false otherwise
+ */
+export declare function timingSafeEqualBytes(a: Uint8Array, b: Uint8Array): Promise<boolean>;
+//# sourceMappingURL=timing.d.ts.map

package/dist/timing.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"timing.d.ts","sourceRoot":"","sources":["../src/timing.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CA4B5E;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,CAAC,EAAE,UAAU,EACb,CAAC,EAAE,UAAU,GACZ,OAAO,CAAC,OAAO,CAAC,CAkBlB"}

package/dist/timing.js ADDED Viewed

@@ -0,0 +1,77 @@
+/**
+ * Timing-Safe Comparison Utilities
+ *
+ * Provides constant-time comparison to prevent timing attacks.
+ * Regular string comparison (===) can leak information about secrets
+ * because it short-circuits on the first non-matching character.
+ *
+ * @module timing
+ */
+/**
+ * Performs a constant-time string comparison to prevent timing attacks.
+ *
+ * Uses `crypto.subtle.timingSafeEqual()` when available (Cloudflare Workers),
+ * with a fallback XOR-based implementation for other environments.
+ *
+ * @param a - First string to compare
+ * @param b - Second string to compare
+ * @returns true if strings are equal, false otherwise
+ *
+ * @example
+ * ```typescript
+ * const isValid = await timingSafeEqual(providedToken, expectedToken);
+ * ```
+ */
+export async function timingSafeEqual(a, b) {
+    const encoder = new TextEncoder();
+    const aBytes = encoder.encode(a);
+    const bBytes = encoder.encode(b);
+    // If lengths differ, we still need to do constant-time comparison
+    // to avoid leaking length information. Use the longer length.
+    const maxLength = Math.max(aBytes.length, bBytes.length);
+    // Pad shorter array to match length (prevents length-based timing leak)
+    const aPadded = new Uint8Array(maxLength);
+    const bPadded = new Uint8Array(maxLength);
+    aPadded.set(aBytes);
+    bPadded.set(bBytes);
+    // Use crypto.subtle.timingSafeEqual if available (Cloudflare Workers)
+    try {
+        const result = await crypto.subtle.timingSafeEqual(aPadded, bPadded);
+        // Also check original lengths matched
+        return result && aBytes.length === bBytes.length;
+    }
+    catch {
+        // Fallback: manual constant-time comparison (for environments without timingSafeEqual)
+        let diff = aBytes.length ^ bBytes.length;
+        for (let i = 0; i < maxLength; i++) {
+            diff |= aPadded[i] ^ bPadded[i];
+        }
+        return diff === 0;
+    }
+}
+/**
+ * Performs constant-time comparison on Uint8Arrays.
+ *
+ * @param a - First array to compare
+ * @param b - Second array to compare
+ * @returns true if arrays are equal, false otherwise
+ */
+export async function timingSafeEqualBytes(a, b) {
+    const maxLength = Math.max(a.length, b.length);
+    const aPadded = new Uint8Array(maxLength);
+    const bPadded = new Uint8Array(maxLength);
+    aPadded.set(a);
+    bPadded.set(b);
+    try {
+        const result = await crypto.subtle.timingSafeEqual(aPadded, bPadded);
+        return result && a.length === b.length;
+    }
+    catch {
+        let diff = a.length ^ b.length;
+        for (let i = 0; i < maxLength; i++) {
+            diff |= aPadded[i] ^ bPadded[i];
+        }
+        return diff === 0;
+    }
+}
+//# sourceMappingURL=timing.js.map

package/dist/timing.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"timing.js","sourceRoot":"","sources":["../src/timing.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,CAAS,EAAE,CAAS;IACxD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAEjC,kEAAkE;IAClE,8DAA8D;IAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IAEzD,wEAAwE;IACxE,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACpB,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAEpB,sEAAsE;IACtE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACrE,sCAAsC;QACtC,OAAO,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,uFAAuF;QACvF,IAAI,IAAI,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,IAAI,IAAI,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QACD,OAAO,IAAI,KAAK,CAAC,CAAC;IACpB,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,CAAa,EACb,CAAa;IAEb,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IAE/C,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACf,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAEf,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACrE,OAAO,MAAM,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,IAAI,GAAG,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,IAAI,IAAI,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QACD,OAAO,IAAI,KAAK,CAAC,CAAC;IACpB,CAAC;AACH,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,71 @@
+{
+  "name": "@xivdyetools/auth",
+  "version": "1.0.0",
+  "description": "Shared authentication utilities for xivdyetools ecosystem",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./jwt": {
+      "types": "./dist/jwt.d.ts",
+      "import": "./dist/jwt.js"
+    },
+    "./hmac": {
+      "types": "./dist/hmac.d.ts",
+      "import": "./dist/hmac.js"
+    },
+    "./timing": {
+      "types": "./dist/timing.d.ts",
+      "import": "./dist/timing.js"
+    },
+    "./discord": {
+      "types": "./dist/discord.d.ts",
+      "import": "./dist/discord.js"
+    }
+  },
+  "files": [
+    "dist",
+    "src"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "type-check": "tsc --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "clean": "rimraf dist"
+  },
+  "dependencies": {
+    "@xivdyetools/crypto": "^1.0.0",
+    "discord-interactions": "^4.4.0"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20241224.0",
+    "@vitest/coverage-v8": "^2.1.8",
+    "rimraf": "^6.0.1",
+    "typescript": "^5.7.2",
+    "vitest": "^2.1.8"
+  },
+  "peerDependencies": {
+    "@cloudflare/workers-types": "^4.0.0"
+  },
+  "peerDependenciesMeta": {
+    "@cloudflare/workers-types": {
+      "optional": true
+    }
+  },
+  "keywords": [
+    "xivdyetools",
+    "auth",
+    "jwt",
+    "hmac",
+    "discord",
+    "cloudflare-workers"
+  ],
+  "author": "XIVDyeTools",
+  "license": "MIT"
+}

package/src/discord.test.ts ADDED Viewed

@@ -0,0 +1,243 @@
+/**
+ * Tests for Discord Request Verification
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import {
+  verifyDiscordRequest,
+  unauthorizedResponse,
+  badRequestResponse,
+} from './discord.js';
+// Mock discord-interactions
+vi.mock('discord-interactions', () => ({
+  verifyKey: vi.fn(),
+}));
+import { verifyKey } from 'discord-interactions';
+describe('discord.ts', () => {
+  const mockPublicKey = 'test-public-key-123';
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+  describe('verifyDiscordRequest', () => {
+    it('should return valid result for valid signature', async () => {
+      vi.mocked(verifyKey).mockResolvedValue(true);
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Ed25519': 'valid-signature',
+          'X-Signature-Timestamp': '1234567890',
+          'Content-Length': '50',
+        },
+        body: JSON.stringify({ type: 1 }),
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey);
+      expect(result.isValid).toBe(true);
+      expect(result.body).toBe(JSON.stringify({ type: 1 }));
+      expect(result.error).toBeUndefined();
+    });
+    it('should return invalid result for invalid signature', async () => {
+      vi.mocked(verifyKey).mockResolvedValue(false);
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Ed25519': 'invalid-signature',
+          'X-Signature-Timestamp': '1234567890',
+        },
+        body: JSON.stringify({ type: 1 }),
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey);
+      expect(result.isValid).toBe(false);
+      expect(result.error).toBe('Invalid signature');
+    });
+    it('should reject request with missing signature header', async () => {
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Timestamp': '1234567890',
+        },
+        body: JSON.stringify({ type: 1 }),
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey);
+      expect(result.isValid).toBe(false);
+      expect(result.error).toBe('Missing signature headers');
+    });
+    it('should reject request with missing timestamp header', async () => {
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Ed25519': 'some-signature',
+        },
+        body: JSON.stringify({ type: 1 }),
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey);
+      expect(result.isValid).toBe(false);
+      expect(result.error).toBe('Missing signature headers');
+    });
+    it('should reject request with Content-Length exceeding limit', async () => {
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Ed25519': 'some-signature',
+          'X-Signature-Timestamp': '1234567890',
+          'Content-Length': '200000', // 200KB, exceeds 100KB limit
+        },
+        body: JSON.stringify({ type: 1 }),
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey);
+      expect(result.isValid).toBe(false);
+      expect(result.error).toBe('Request body too large');
+    });
+    it('should reject request with actual body exceeding limit', async () => {
+      // Create a large body
+      const largeBody = 'x'.repeat(150_000); // 150KB
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Ed25519': 'some-signature',
+          'X-Signature-Timestamp': '1234567890',
+          // No Content-Length header to bypass first check
+        },
+        body: largeBody,
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey);
+      expect(result.isValid).toBe(false);
+      expect(result.error).toBe('Request body too large');
+    });
+    it('should respect custom maxBodySize option', async () => {
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Ed25519': 'some-signature',
+          'X-Signature-Timestamp': '1234567890',
+          'Content-Length': '500', // 500 bytes
+        },
+        body: JSON.stringify({ type: 1 }),
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey, {
+        maxBodySize: 100, // Only allow 100 bytes
+      });
+      expect(result.isValid).toBe(false);
+      expect(result.error).toBe('Request body too large');
+    });
+    it('should handle verifyKey throwing an error', async () => {
+      vi.mocked(verifyKey).mockRejectedValue(new Error('Verification error'));
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Ed25519': 'some-signature',
+          'X-Signature-Timestamp': '1234567890',
+        },
+        body: JSON.stringify({ type: 1 }),
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey);
+      expect(result.isValid).toBe(false);
+      expect(result.error).toBe('Verification error');
+    });
+    it('should handle non-Error exceptions from verifyKey', async () => {
+      vi.mocked(verifyKey).mockRejectedValue('string error');
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Ed25519': 'some-signature',
+          'X-Signature-Timestamp': '1234567890',
+        },
+        body: JSON.stringify({ type: 1 }),
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey);
+      expect(result.isValid).toBe(false);
+      expect(result.error).toBe('Verification failed');
+    });
+    it('should include body in result even on invalid signature', async () => {
+      vi.mocked(verifyKey).mockResolvedValue(false);
+      const bodyContent = JSON.stringify({ type: 2, data: { name: 'test' } });
+      const request = new Request('https://example.com/interactions', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Signature-Ed25519': 'invalid-signature',
+          'X-Signature-Timestamp': '1234567890',
+        },
+        body: bodyContent,
+      });
+      const result = await verifyDiscordRequest(request, mockPublicKey);
+      expect(result.isValid).toBe(false);
+      expect(result.body).toBe(bodyContent);
+    });
+  });
+  describe('unauthorizedResponse', () => {
+    it('should return 401 response with default message', () => {
+      const response = unauthorizedResponse();
+      expect(response.status).toBe(401);
+      expect(response.headers.get('Content-Type')).toBe('application/json');
+    });
+    it('should return 401 response with custom message', async () => {
+      const response = unauthorizedResponse('Custom error message');
+      const body = await response.json();
+      expect(response.status).toBe(401);
+      expect(body.error).toBe('Custom error message');
+    });
+  });
+  describe('badRequestResponse', () => {
+    it('should return 400 response with message', async () => {
+      const response = badRequestResponse('Bad request error');
+      const body = await response.json();
+      expect(response.status).toBe(400);
+      expect(response.headers.get('Content-Type')).toBe('application/json');
+      expect(body.error).toBe('Bad request error');
+    });
+  });
+});