@xivdyetools/auth 1.0.2 → 1.1.0

package/README.md

@@ -1,158 +1,171 @@
-# @xivdyetools/auth
-
-Shared authentication utilities for the xivdyetools ecosystem. Provides secure JWT verification, HMAC signing, timing-safe comparison, and Discord signature verification.
-
-## Installation
-
-```bash
-npm install @xivdyetools/auth
-```
-
-## Features
-
-- **JWT Verification** - HMAC-SHA256 JWT verification with algorithm validation
-- **HMAC Signing** - Create and verify HMAC-SHA256 signatures
-- **Timing-Safe Comparison** - Constant-time string comparison to prevent timing attacks
-- **Discord Verification** - Ed25519 signature verification for Discord interactions
-- **Tree-Shakeable** - Subpath exports for minimal bundle size
-
-## Usage
-
-### JWT Verification
-
-```typescript
-import { verifyJWT, decodeJWT, isJWTExpired } from '@xivdyetools/auth';
-
-// Verify JWT with signature and expiration checking
-const payload = await verifyJWT(token, process.env.JWT_SECRET);
-if (!payload) {
-  // Invalid signature, expired, or wrong algorithm
-}
-
-// Decode without verification (debugging only)
-const decoded = decodeJWT(token);
-
-// Check if JWT is expired
-if (isJWTExpired(payload)) {
-  // Token has expired
-}
-```
-
-### HMAC Signing
-
-```typescript
-import { hmacSign, hmacVerify, verifyBotSignature } from '@xivdyetools/auth';
-
-// Sign data with HMAC-SHA256 (base64url output)
-const signature = await hmacSign(data, secret);
-
-// Verify signature
-const isValid = await hmacVerify(data, signature, secret);
-
-// Verify bot request signature (with timestamp validation)
-const isValidBot = await verifyBotSignature(
-  signature,    // X-Request-Signature header
-  timestamp,    // X-Request-Timestamp header
-  userDiscordId,
-  userName,
-  secret,
-  { maxAgeMs: 5 * 60 * 1000 }  // Optional: 5 minute max age
-);
-```
-
-### Timing-Safe Comparison
-
-```typescript
-import { timingSafeEqual } from '@xivdyetools/auth';
-
-// Constant-time string comparison (prevents timing attacks)
-const isEqual = await timingSafeEqual(userInput, expectedValue);
-```
-
-### Discord Signature Verification
-
-```typescript
-import { verifyDiscordRequest } from '@xivdyetools/auth';
-
-// Verify Discord interaction signature
-const result = await verifyDiscordRequest(request, env.DISCORD_PUBLIC_KEY);
-
-if (!result.valid) {
-  return new Response('Unauthorized', { status: 401 });
-}
-
-// result.body contains the parsed interaction
-const interaction = result.body;
-```
-
-## Subpath Exports
-
-Import only what you need for optimal tree-shaking:
-
-```typescript
-// JWT utilities only
-import { verifyJWT, decodeJWT } from '@xivdyetools/auth/jwt';
-
-// HMAC utilities only
-import { hmacSign, hmacVerify } from '@xivdyetools/auth/hmac';
-
-// Timing utilities only
-import { timingSafeEqual } from '@xivdyetools/auth/timing';
-
-// Discord utilities only
-import { verifyDiscordRequest } from '@xivdyetools/auth/discord';
-```
-
-## API Reference
-
-### JWT (`@xivdyetools/auth/jwt`)
-
-| Function | Description |
-|----------|-------------|
-| `verifyJWT(token, secret)` | Verify JWT signature, algorithm (HS256 only), and expiration |
-| `verifyJWTSignatureOnly(token, secret, maxAgeMs?)` | Verify signature only (for refresh token grace periods) |
-| `decodeJWT(token)` | Decode JWT without verification (debugging only) |
-| `isJWTExpired(payload)` | Check if JWT payload is expired |
-| `getJWTTimeToExpiry(payload)` | Get milliseconds until JWT expires |
-
-### HMAC (`@xivdyetools/auth/hmac`)
-
-| Function | Description |
-|----------|-------------|
-| `createHmacKey(secret, usage)` | Create CryptoKey for HMAC operations |
-| `hmacSign(data, secret)` | Sign data, return base64url signature |
-| `hmacSignHex(data, secret)` | Sign data, return hex signature |
-| `hmacVerify(data, signature, secret)` | Verify base64url signature |
-| `hmacVerifyHex(data, signature, secret)` | Verify hex signature |
-| `verifyBotSignature(sig, ts, userId, userName, secret, opts?)` | Verify bot request signature |
-
-### Timing (`@xivdyetools/auth/timing`)
-
-| Function | Description |
-|----------|-------------|
-| `timingSafeEqual(a, b)` | Constant-time string comparison |
-| `timingSafeEqualBytes(a, b)` | Constant-time Uint8Array comparison |
-
-### Discord (`@xivdyetools/auth/discord`)
-
-| Function | Description |
-|----------|-------------|
-| `verifyDiscordRequest(request, publicKey, opts?)` | Verify Discord Ed25519 signature |
-| `unauthorizedResponse()` | Return 401 response |
-| `badRequestResponse(message?)` | Return 400 response |
-
-## Security Features
-
-- **Algorithm Validation**: JWT verification only accepts HS256, preventing algorithm confusion attacks
-- **Timing-Safe Comparison**: Uses `crypto.subtle.timingSafeEqual()` with XOR fallback
-- **Timestamp Validation**: Bot signatures include clock skew tolerance and max age checks
-- **Body Size Limits**: Discord verification enforces 100KB max body size by default
-
-## Dependencies
-
-- `@xivdyetools/crypto` - Base64URL and hex encoding utilities
-- `discord-interactions` - Discord Ed25519 signature verification
-
-## License
-
-MIT
+# @xivdyetools/auth
+
+Shared authentication utilities for the xivdyetools ecosystem. Provides secure JWT verification, HMAC signing, timing-safe comparison, and Discord signature verification.
+
+## Installation
+
+```bash
+npm install @xivdyetools/auth
+```
+
+## Features
+
+- **JWT Verification** - HMAC-SHA256 JWT verification with algorithm validation
+- **HMAC Signing** - Create and verify HMAC-SHA256 signatures
+- **Timing-Safe Comparison** - Constant-time string comparison to prevent timing attacks
+- **Discord Verification** - Ed25519 signature verification for Discord interactions
+- **Tree-Shakeable** - Subpath exports for minimal bundle size
+
+## Usage
+
+### JWT Verification
+
+```typescript
+import { verifyJWT, decodeJWT, isJWTExpired } from '@xivdyetools/auth';
+
+// Verify JWT with signature and expiration checking
+const payload = await verifyJWT(token, process.env.JWT_SECRET);
+if (!payload) {
+  // Invalid signature, expired, or wrong algorithm
+}
+
+// Decode without verification (debugging only)
+const decoded = decodeJWT(token);
+
+// Check if JWT is expired
+if (isJWTExpired(payload)) {
+  // Token has expired
+}
+```
+
+### HMAC Signing
+
+```typescript
+import { hmacSign, hmacVerify, verifyBotSignature } from '@xivdyetools/auth';
+
+// Sign data with HMAC-SHA256 (base64url output)
+const signature = await hmacSign(data, secret);
+
+// Verify signature
+const isValid = await hmacVerify(data, signature, secret);
+
+// Verify bot request signature (with timestamp validation)
+const isValidBot = await verifyBotSignature(
+  signature,    // X-Request-Signature header
+  timestamp,    // X-Request-Timestamp header
+  userDiscordId,
+  userName,
+  secret,
+  { maxAgeMs: 5 * 60 * 1000 }  // Optional: 5 minute max age
+);
+```
+
+### Timing-Safe Comparison
+
+```typescript
+import { timingSafeEqual } from '@xivdyetools/auth';
+
+// Constant-time string comparison (prevents timing attacks)
+const isEqual = await timingSafeEqual(userInput, expectedValue);
+```
+
+### Discord Signature Verification
+
+```typescript
+import { verifyDiscordRequest } from '@xivdyetools/auth';
+
+// Verify Discord interaction signature
+const result = await verifyDiscordRequest(request, env.DISCORD_PUBLIC_KEY);
+
+if (!result.valid) {
+  return new Response('Unauthorized', { status: 401 });
+}
+
+// result.body contains the parsed interaction
+const interaction = result.body;
+```
+
+## Subpath Exports
+
+Import only what you need for optimal tree-shaking:
+
+```typescript
+// JWT utilities only
+import { verifyJWT, decodeJWT } from '@xivdyetools/auth/jwt';
+
+// HMAC utilities only
+import { hmacSign, hmacVerify } from '@xivdyetools/auth/hmac';
+
+// Timing utilities only
+import { timingSafeEqual } from '@xivdyetools/auth/timing';
+
+// Discord utilities only
+import { verifyDiscordRequest } from '@xivdyetools/auth/discord';
+```
+
+## API Reference
+
+### JWT (`@xivdyetools/auth/jwt`)
+
+| Function | Description |
+|----------|-------------|
+| `verifyJWT(token, secret)` | Verify JWT signature, algorithm (HS256 only), and expiration |
+| `verifyJWTSignatureOnly(token, secret, maxAgeMs?)` | Verify signature only (for refresh token grace periods) |
+| `decodeJWT(token)` | Decode JWT without verification (debugging only) |
+| `isJWTExpired(payload)` | Check if JWT payload is expired |
+| `getJWTTimeToExpiry(payload)` | Get milliseconds until JWT expires |
+
+### HMAC (`@xivdyetools/auth/hmac`)
+
+| Function | Description |
+|----------|-------------|
+| `createHmacKey(secret, usage)` | Create CryptoKey for HMAC operations |
+| `hmacSign(data, secret)` | Sign data, return base64url signature |
+| `hmacSignHex(data, secret)` | Sign data, return hex signature |
+| `hmacVerify(data, signature, secret)` | Verify base64url signature |
+| `hmacVerifyHex(data, signature, secret)` | Verify hex signature |
+| `verifyBotSignature(sig, ts, userId, userName, secret, opts?)` | Verify bot request signature |
+
+### Timing (`@xivdyetools/auth/timing`)
+
+| Function | Description |
+|----------|-------------|
+| `timingSafeEqual(a, b)` | Constant-time string comparison |
+| `timingSafeEqualBytes(a, b)` | Constant-time Uint8Array comparison |
+
+### Discord (`@xivdyetools/auth/discord`)
+
+| Function | Description |
+|----------|-------------|
+| `verifyDiscordRequest(request, publicKey, opts?)` | Verify Discord Ed25519 signature |
+| `unauthorizedResponse()` | Return 401 response |
+| `badRequestResponse(message?)` | Return 400 response |
+
+## Security Features
+
+- **Algorithm Validation**: JWT verification only accepts HS256, preventing algorithm confusion attacks
+- **Timing-Safe Comparison**: Uses `crypto.subtle.timingSafeEqual()` with XOR fallback
+- **Timestamp Validation**: Bot signatures include clock skew tolerance and max age checks
+- **Body Size Limits**: Discord verification enforces 100KB max body size by default
+
+## Dependencies
+
+- `@xivdyetools/crypto` - Base64URL and hex encoding utilities
+- `discord-interactions` - Discord Ed25519 signature verification
+
+## Connect With Me
+
+**Flash Galatine** | Midgardsormr (Aether)
+
+🎮 **FFXIV**: [Lodestone Character](https://na.finalfantasyxiv.com/lodestone/character/7677106/)
+📝 **Blog**: [Project Galatine](https://blog.projectgalatine.com/)
+💻 **GitHub**: [@FlashGalatine](https://github.com/FlashGalatine)
+📺 **Twitch**: [flashgalatine](https://www.twitch.tv/flashgalatine)
+🌐 **BlueSky**: [projectgalatine.com](https://bsky.app/profile/projectgalatine.com)
+❤️ **Patreon**: [ProjectGalatine](https://patreon.com/ProjectGalatine)
+☕ **Ko-Fi**: [flashgalatine](https://ko-fi.com/flashgalatine)
+💬 **Discord**: [Join Server](https://discord.gg/5VUSKTZCe5)
+
+## License
+
+MIT © 2025-2026 Flash Galatine

package/dist/hmac.d.ts

@@ -15,6 +15,12 @@ export interface BotSignatureOptions {
     /** Allowed clock skew in milliseconds (default: 1 minute) */
     clockSkewMs?: number;
 }
+/**
+ * Get or create a cached CryptoKey for the given secret and usage.
+ * Exported for use by jwt.ts — not part of the public package API.
+ * @internal
+ */
+export declare function getOrCreateHmacKey(secret: string, usage: 'sign' | 'verify' | 'both'): Promise<CryptoKey>;
 /**
  * Create an HMAC-SHA256 CryptoKey from a secret string.
  *

package/dist/hmac.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hmac.d.ts","sourceRoot":"","sources":["../src/hmac.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AASH;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,KAAK,GAAE,MAAM,GAAG,QAAQ,GAAG,MAAe,GACzC,OAAO,CAAC,SAAS,CAAC,CAcpB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAK5E;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAKjB;AAED;;;;;;;GAOG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAgBlB;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAelB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,aAAa,EAAE,MAAM,GAAG,SAAS,EACjC,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,OAAO,CAAC,CAgClB"}
+{"version":3,"file":"hmac.d.ts","sourceRoot":"","sources":["../src/hmac.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AASH;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,6DAA6D;IAC7D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAmBD;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,GAChC,OAAO,CAAC,SAAS,CAAC,CAmBpB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,MAAM,EACd,KAAK,GAAE,MAAM,GAAG,QAAQ,GAAG,MAAe,GACzC,OAAO,CAAC,SAAS,CAAC,CAmBpB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAK5E;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAKjB;AAED;;;;;;;GAOG;AACH,wBAAsB,UAAU,CAC9B,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAgBlB;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAelB;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,SAAS,EAAE,MAAM,GAAG,SAAS,EAC7B,aAAa,EAAE,MAAM,GAAG,SAAS,EACjC,QAAQ,EAAE,MAAM,GAAG,SAAS,EAC5B,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,OAAO,CAAC,CAiClB"}

package/dist/hmac.js

@@ -7,6 +7,43 @@
  * @module hmac
  */
 import { base64UrlEncodeBytes, base64UrlDecodeBytes, bytesToHex, hexToBytes, } from '@xivdyetools/crypto';
+// ============================================================================
+// CryptoKey Cache (OPT-002)
+// ============================================================================
+/**
+ * Module-level cache for CryptoKeys.
+ *
+ * In Cloudflare Workers, module-level state persists across requests within
+ * an isolate, making this safe and effective. Eliminates redundant
+ * `crypto.subtle.importKey()` calls when the same secret is reused.
+ *
+ * Cache key format: `${secret}:${usage}` — bounded to 10 entries max
+ * to prevent unbounded growth during key rotation.
+ */
+const cryptoKeyCache = new Map();
+const CRYPTO_KEY_CACHE_MAX = 10;
+/**
+ * Get or create a cached CryptoKey for the given secret and usage.
+ * Exported for use by jwt.ts — not part of the public package API.
+ * @internal
+ */
+export async function getOrCreateHmacKey(secret, usage) {
+    const cacheKey = `${secret}:${usage}`;
+    const cached = cryptoKeyCache.get(cacheKey);
+    if (cached) {
+        return cached;
+    }
+    const key = await createHmacKey(secret, usage);
+    // Evict oldest entries if cache is full (simple FIFO)
+    if (cryptoKeyCache.size >= CRYPTO_KEY_CACHE_MAX) {
+        const firstKey = cryptoKeyCache.keys().next().value;
+        if (firstKey !== undefined) {
+            cryptoKeyCache.delete(firstKey);
+        }
+    }
+    cryptoKeyCache.set(cacheKey, key);
+    return key;
+}
 /**
  * Create an HMAC-SHA256 CryptoKey from a secret string.
  *
@@ -22,6 +59,10 @@ import { base64UrlEncodeBytes, base64UrlDecodeBytes, bytesToHex, hexToBytes, } f
 export async function createHmacKey(secret, usage = 'both') {
     const encoder = new TextEncoder();
     const keyData = encoder.encode(secret);
+    // FINDING-009: Enforce minimum key length for HMAC-SHA256 security
+    if (keyData.length < 32) {
+        throw new Error('HMAC secret must be at least 32 bytes (256 bits)');
+    }
     const keyUsages = usage === 'both' ? ['sign', 'verify'] : [usage];
     return crypto.subtle.importKey('raw', keyData, { name: 'HMAC', hash: 'SHA-256' }, false, keyUsages);
 }
@@ -38,7 +79,7 @@ export async function createHmacKey(secret, usage = 'both') {
  * ```
  */
 export async function hmacSign(data, secret) {
-    const key = await createHmacKey(secret, 'sign');
+    const key = await getOrCreateHmacKey(secret, 'sign');
     const encoder = new TextEncoder();
     const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
     return base64UrlEncodeBytes(new Uint8Array(signature));
@@ -56,7 +97,7 @@ export async function hmacSign(data, secret) {
  * ```
  */
 export async function hmacSignHex(data, secret) {
-    const key = await createHmacKey(secret, 'sign');
+    const key = await getOrCreateHmacKey(secret, 'sign');
     const encoder = new TextEncoder();
     const signature = await crypto.subtle.sign('HMAC', key, encoder.encode(data));
     return bytesToHex(new Uint8Array(signature));
@@ -71,7 +112,7 @@ export async function hmacSignHex(data, secret) {
  */
 export async function hmacVerify(data, signature, secret) {
     try {
-        const key = await createHmacKey(secret, 'verify');
+        const key = await getOrCreateHmacKey(secret, 'verify');
         const encoder = new TextEncoder();
         const signatureBytes = base64UrlDecodeBytes(signature);
         // Use crypto.subtle.verify() which is inherently timing-safe
@@ -91,7 +132,7 @@ export async function hmacVerify(data, signature, secret) {
  */
 export async function hmacVerifyHex(data, signature, secret) {
     try {
-        const key = await createHmacKey(secret, 'verify');
+        const key = await getOrCreateHmacKey(secret, 'verify');
         const encoder = new TextEncoder();
         const signatureBytes = hexToBytes(signature);
         return crypto.subtle.verify('HMAC', key, signatureBytes, encoder.encode(data));
@@ -127,8 +168,9 @@ export async function hmacVerifyHex(data, signature, secret) {
  */
 export async function verifyBotSignature(signature, timestamp, userDiscordId, userName, secret, options = {}) {
     const { maxAgeMs = 5 * 60 * 1000, clockSkewMs = 60 * 1000 } = options;
-    // Validate required fields
-    if (!signature || !timestamp || !userDiscordId || !userName) {
+    // Validate required fields (signature and timestamp are required;
+    // userDiscordId and userName are optional for system-level bot requests)
+    if (!signature || !timestamp) {
         return false;
     }
     // Validate timestamp format
@@ -149,7 +191,7 @@ export async function verifyBotSignature(signature, timestamp, userDiscordId, us
         return false;
     }
     // Verify the signature
-    const message = `${timestamp}:${userDiscordId}:${userName}`;
+    const message = `${timestamp}:${userDiscordId ?? ''}:${userName ?? ''}`;
     return hmacVerifyHex(message, signature, secret);
 }
 //# sourceMappingURL=hmac.js.map

package/dist/hmac.js.map

@@ -1 +1 @@
-{"version":3,"file":"hmac.js","sourceRoot":"","sources":["../src/hmac.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,UAAU,EACV,UAAU,GACX,MAAM,qBAAqB,CAAC;AAY7B;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAc,EACd,QAAoC,MAAM;IAE1C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,SAAS,GACb,KAAK,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAElD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,OAAO,EACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,SAAS,CACV,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAY,EAAE,MAAc;IACzD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9E,OAAO,oBAAoB,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY,EACZ,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9E,OAAO,UAAU,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,IAAY,EACZ,SAAiB,EACjB,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC;QAEvD,6DAA6D;QAC7D,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CACzB,MAAM,EACN,GAAG,EACH,cAAc,EACd,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CACrB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAY,EACZ,SAAiB,EACjB,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;QAE7C,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CACzB,MAAM,EACN,GAAG,EACH,cAAc,EACd,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CACrB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAA6B,EAC7B,SAA6B,EAC7B,aAAiC,EACjC,QAA4B,EAC5B,MAAc,EACd,UAA+B,EAAE;IAEjC,MAAM,EAAE,QAAQ,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,WAAW,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAEtE,2BAA2B;IAC3B,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,IAAI,CAAC,aAAa,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC5D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4BAA4B;IAC5B,MAAM,YAAY,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC7C,IAAI,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,kDAAkD;IAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,aAAa,GAAG,YAAY,GAAG,IAAI,CAAC,CAAC,0BAA0B;IACrE,MAAM,GAAG,GAAG,GAAG,GAAG,aAAa,CAAC;IAEhC,oBAAoB;IACpB,IAAI,GAAG,GAAG,QAAQ,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,0DAA0D;IAC1D,IAAI,aAAa,GAAG,GAAG,GAAG,WAAW,EAAE,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,uBAAuB;IACvB,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,aAAa,IAAI,QAAQ,EAAE,CAAC;IAC5D,OAAO,aAAa,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC"}
+{"version":3,"file":"hmac.js","sourceRoot":"","sources":["../src/hmac.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,UAAU,EACV,UAAU,GACX,MAAM,qBAAqB,CAAC;AAY7B,+EAA+E;AAC/E,4BAA4B;AAC5B,+EAA+E;AAE/E;;;;;;;;;GASG;AACH,MAAM,cAAc,GAAG,IAAI,GAAG,EAAqB,CAAC;AACpD,MAAM,oBAAoB,GAAG,EAAE,CAAC;AAEhC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAc,EACd,KAAiC;IAEjC,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,KAAK,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAE/C,sDAAsD;IACtD,IAAI,cAAc,CAAC,IAAI,IAAI,oBAAoB,EAAE,CAAC;QAChD,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;QACpD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAClC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,MAAc,EACd,QAAoC,MAAM;IAE1C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAEvC,mEAAmE;IACnE,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,SAAS,GACb,KAAK,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IAElD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B,KAAK,EACL,OAAO,EACP,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,SAAS,CACV,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,IAAY,EAAE,MAAc;IACzD,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9E,OAAO,oBAAoB,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY,EACZ,MAAc;IAEd,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9E,OAAO,UAAU,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,IAAY,EACZ,SAAiB,EACjB,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,oBAAoB,CAAC,SAAS,CAAC,CAAC;QAEvD,6DAA6D;QAC7D,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CACzB,MAAM,EACN,GAAG,EACH,cAAc,EACd,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CACrB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAY,EACZ,SAAiB,EACjB,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACvD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;QAE7C,OAAO,MAAM,CAAC,MAAM,CAAC,MAAM,CACzB,MAAM,EACN,GAAG,EACH,cAAc,EACd,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CACrB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAA6B,EAC7B,SAA6B,EAC7B,aAAiC,EACjC,QAA4B,EAC5B,MAAc,EACd,UAA+B,EAAE;IAEjC,MAAM,EAAE,QAAQ,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,WAAW,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;IAEtE,kEAAkE;IAClE,yEAAyE;IACzE,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4BAA4B;IAC5B,MAAM,YAAY,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC7C,IAAI,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,kDAAkD;IAClD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,aAAa,GAAG,YAAY,GAAG,IAAI,CAAC,CAAC,0BAA0B;IACrE,MAAM,GAAG,GAAG,GAAG,GAAG,aAAa,CAAC;IAEhC,oBAAoB;IACpB,IAAI,GAAG,GAAG,QAAQ,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,0DAA0D;IAC1D,IAAI,aAAa,GAAG,GAAG,GAAG,WAAW,EAAE,CAAC;QACtC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,uBAAuB;IACvB,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,aAAa,IAAI,EAAE,IAAI,QAAQ,IAAI,EAAE,EAAE,CAAC;IACxE,OAAO,aAAa,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;AACnD,CAAC"}

package/dist/jwt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAQH;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,qCAAqC;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,wCAAwC;IACxC,IAAI,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC3B,uBAAuB;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAUD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAY1D;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAkD5B;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAqD5B;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAOnD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOxD"}
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAQH;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IACzB,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,qCAAqC;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,wCAAwC;IACxC,IAAI,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC3B,uBAAuB;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAUD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAY1D;AAuDD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAe5B;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,QAAQ,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAkB5B;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAOnD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAOxD"}

package/dist/jwt.js

@@ -12,7 +12,7 @@
  * @module jwt
  */
 import { base64UrlDecode, base64UrlDecodeBytes, } from '@xivdyetools/crypto';
-import { createHmacKey } from './hmac.js';
+import { getOrCreateHmacKey } from './hmac.js';
 /**
  * Decode a JWT without verifying the signature.
  *
@@ -41,6 +41,43 @@ export function decodeJWT(token) {
         return null;
     }
 }
+/**
+ * Shared JWT signature verification helper (REFACTOR-003).
+ *
+ * Validates token structure, ensures HS256 algorithm, and verifies
+ * HMAC-SHA256 signature. Used by both `verifyJWT()` and `verifyJWTSignatureOnly()`.
+ *
+ * @param token - The JWT string
+ * @param secret - The HMAC secret
+ * @returns Decoded payload if signature is valid, null otherwise
+ */
+async function verifyJWTSignature(token, secret) {
+    const parts = token.split('.');
+    if (parts.length !== 3) {
+        return null;
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // Decode and validate header
+    const headerJson = base64UrlDecode(headerB64);
+    const header = JSON.parse(headerJson);
+    // SECURITY: Reject non-HS256 algorithms (prevents algorithm confusion attacks)
+    if (header.alg !== 'HS256') {
+        return null;
+    }
+    // SECURITY: Verify signature using crypto.subtle.verify() which is
+    // inherently timing-safe (comparison happens in native crypto, not JS)
+    const signatureInput = `${headerB64}.${payloadB64}`;
+    const key = await getOrCreateHmacKey(secret, 'verify');
+    const encoder = new TextEncoder();
+    const signatureBytes = base64UrlDecodeBytes(signatureB64);
+    const isValid = await crypto.subtle.verify('HMAC', key, signatureBytes, encoder.encode(signatureInput));
+    if (!isValid) {
+        return null;
+    }
+    // Decode payload
+    const payloadJson = base64UrlDecode(payloadB64);
+    return JSON.parse(payloadJson);
+}
 /**
  * Verify a JWT and return the payload if valid.
  *
@@ -64,34 +101,12 @@ export function decodeJWT(token) {
  */
 export async function verifyJWT(token, secret) {
     try {
-        const parts = token.split('.');
-        if (parts.length !== 3) {
-            return null;
-        }
-        const [headerB64, payloadB64, signatureB64] = parts;
-        // Decode and validate header
-        const headerJson = base64UrlDecode(headerB64);
-        const header = JSON.parse(headerJson);
-        // SECURITY: Reject non-HS256 algorithms (prevents algorithm confusion attacks)
-        if (header.alg !== 'HS256') {
+        const payload = await verifyJWTSignature(token, secret);
+        if (!payload)
             return null;
-        }
-        // SECURITY: Verify signature using crypto.subtle.verify() which is
-        // inherently timing-safe (comparison happens in native crypto, not JS)
-        const signatureInput = `${headerB64}.${payloadB64}`;
-        const key = await createHmacKey(secret, 'verify');
-        const encoder = new TextEncoder();
-        const signatureBytes = base64UrlDecodeBytes(signatureB64);
-        const isValid = await crypto.subtle.verify('HMAC', key, signatureBytes, encoder.encode(signatureInput));
-        if (!isValid) {
-            return null;
-        }
-        // Decode payload
-        const payloadJson = base64UrlDecode(payloadB64);
-        const payload = JSON.parse(payloadJson);
-        // Check expiration
+        // FINDING-003: Require exp claim — tokens without expiration are rejected
         const now = Math.floor(Date.now() / 1000);
-        if (payload.exp && payload.exp < now) {
+        if (!payload.exp || payload.exp < now) {
             return null;
         }
         return payload;
@@ -123,31 +138,9 @@ export async function verifyJWT(token, secret) {
  */
 export async function verifyJWTSignatureOnly(token, secret, maxAgeMs) {
     try {
-        const parts = token.split('.');
-        if (parts.length !== 3) {
-            return null;
-        }
-        const [headerB64, payloadB64, signatureB64] = parts;
-        // Decode and validate header
-        const headerJson = base64UrlDecode(headerB64);
-        const header = JSON.parse(headerJson);
-        // SECURITY: Still reject non-HS256 algorithms
-        if (header.alg !== 'HS256') {
+        const payload = await verifyJWTSignature(token, secret);
+        if (!payload)
             return null;
-        }
-        // SECURITY: Verify signature using crypto.subtle.verify() which is
-        // inherently timing-safe (comparison happens in native crypto, not JS)
-        const signatureInput = `${headerB64}.${payloadB64}`;
-        const key = await createHmacKey(secret, 'verify');
-        const encoder = new TextEncoder();
-        const signatureBytes = base64UrlDecodeBytes(signatureB64);
-        const isValid = await crypto.subtle.verify('HMAC', key, signatureBytes, encoder.encode(signatureInput));
-        if (!isValid) {
-            return null;
-        }
-        // Decode payload
-        const payloadJson = base64UrlDecode(payloadB64);
-        const payload = JSON.parse(payloadJson);
         // Check max age if specified
         if (maxAgeMs !== undefined && payload.iat) {
             const now = Date.now();

package/dist/jwt.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EACL,eAAe,EACf,oBAAoB,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AA+B1C;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAe,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,KAAa,EACb,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,6BAA6B;QAC7B,MAAM,UAAU,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAc,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAEjD,+EAA+E;QAC/E,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mEAAmE;QACnE,uEAAuE;QACvE,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;QAE1D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACxC,MAAM,EACN,GAAG,EACH,cAAc,EACd,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAC/B,CAAC;QAEF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,iBAAiB;QACjB,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,OAAO,GAAe,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAEpD,mBAAmB;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACrC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,KAAa,EACb,MAAc,EACd,QAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;QAEpD,6BAA6B;QAC7B,MAAM,UAAU,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;QAC9C,MAAM,MAAM,GAAc,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAEjD,8CAA8C;QAC9C,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC;QACd,CAAC;QAED,mEAAmE;QACnE,uEAAuE;QACvE,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;QAE1D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACxC,MAAM,EACN,GAAG,EACH,cAAc,EACd,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAC/B,CAAC;QAEF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,iBAAiB;QACjB,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;QAChD,MAAM,OAAO,GAAe,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QAEpD,6BAA6B;QAC7B,IAAI,QAAQ,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,GAAG,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;YAC1C,IAAI,QAAQ,GAAG,QAAQ,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO,OAAO,CAAC,GAAG,GAAG,GAAG,CAAC;AAC3B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QAC7B,OAAO,CAAC,CAAC;IACX,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;AACxC,CAAC"}
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EACL,eAAe,EACf,oBAAoB,GACrB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AA+B/C;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,WAAW,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAe,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,KAAK,UAAU,kBAAkB,CAC/B,KAAa,EACb,MAAc;IAEd,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IAEpD,6BAA6B;IAC7B,MAAM,UAAU,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;IAC9C,MAAM,MAAM,GAAc,IAAI,CAAC,KAAK,CAAC,UAAU,CAAc,CAAC;IAE9D,+EAA+E;IAC/E,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,mEAAmE;IACnE,uEAAuE;IACvE,MAAM,cAAc,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IACpD,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IACvD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,cAAc,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAE1D,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACxC,MAAM,EACN,GAAG,EACH,cAAc,EACd,OAAO,CAAC,MAAM,CAAC,cAAc,CAAC,CAC/B,CAAC;IAEF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iBAAiB;IACjB,MAAM,WAAW,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAChD,OAAO,IAAI,CAAC,KAAK,CAAC,WAAW,CAAe,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,KAAa,EACb,MAAc;IAEd,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,0EAA0E;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,KAAa,EACb,MAAc,EACd,QAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QACxD,IAAI,CAAC,OAAO;YAAE,OAAO,IAAI,CAAC;QAE1B,6BAA6B;QAC7B,IAAI,QAAQ,KAAK,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;YAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,GAAG,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;YAC1C,IAAI,QAAQ,GAAG,QAAQ,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,KAAa;IACxC,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO,OAAO,CAAC,GAAG,GAAG,GAAG,CAAC;AAC3B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,MAAM,OAAO,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;QAC7B,OAAO,CAAC,CAAC;IACX,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;AACxC,CAAC"}

package/dist/timing.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"timing.d.ts","sourceRoot":"","sources":["../src/timing.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CA4B5E;AAED;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CACxC,CAAC,EAAE,UAAU,EACb,CAAC,EAAE,UAAU,GACZ,OAAO,CAAC,OAAO,CAAC,CAkBlB"}
+{"version":3,"file":"timing.d.ts","sourceRoot":"","sources":["../src/timing.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH;;;;;;;;;;;;;;GAcG;AAEH,wBAAsB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CA4B5E;AAED;;;;;;GAMG;AAEH,wBAAsB,oBAAoB,CACxC,CAAC,EAAE,UAAU,EACb,CAAC,EAAE,UAAU,GACZ,OAAO,CAAC,OAAO,CAAC,CAkBlB"}