@yappr/server-node 0.1.0

package/README.md

@@ -0,0 +1,32 @@
+# @yappr/server-node
+
+Mint short-lived Yappr end-user auth tokens **from your backend**. Runs on Node 18+, Bun, and edge runtimes (pure WebCrypto, zero dependencies).
+
+## Why
+
+Your **publishable key** (`pk_live_…`) identifies your tenant and is safe to ship in the browser. To prove *who* an end-user is, your server signs a short-lived token with your **secret** (`jwt_secret`) — the secret never leaves your backend, so the browser can't impersonate anyone.
+
+## Install
+
+    npm install @yappr/server-node
+
+## Mint a token (server-side)
+
+```ts
+import { mintToken } from "@yappr/server-node";
+
+// In your authenticated API route, for the currently logged-in user:
+const token = await mintToken(
+  { tenantId: "t_xxx", userId: user.id, displayName: user.name },
+  process.env.YAPPR_JWT_SECRET!,   // your tenant's jwt_secret — server-only
+  { expiresInSeconds: 3600 },
+);
+// Return `token` to the browser; pass it to createClient({ key: pk_live, token }).
+```
+
+`tenantId` and your `pk_live` / `jwt_secret` are issued when your Yappr tenant is provisioned. Keep `jwt_secret` secret (env var / secrets manager) — treat it like a password.
+
+## API
+
+- `mintToken(claims, secret, opts?)` → `Promise<string>` — `claims: { tenantId, userId, displayName? }`; `opts: { expiresInSeconds?: number (default 3600) }`.
+- `verifyToken(token, secret, opts?)` → `Promise<VerifiedToken>` — usually only the Yappr server calls this; exposed for testing.

package/dist/base64url.d.ts

@@ -0,0 +1,2 @@
+export declare function base64urlEncode(bytes: Uint8Array): string;
+export declare function base64urlDecode(s: string): Uint8Array<ArrayBuffer>;

package/dist/base64url.js

@@ -0,0 +1,14 @@
+export function base64urlEncode(bytes) {
+    let bin = "";
+    for (const b of bytes)
+        bin += String.fromCharCode(b);
+    return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+export function base64urlDecode(s) {
+    const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
+    const bin = atob(b64);
+    const out = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++)
+        out[i] = bin.charCodeAt(i);
+    return out;
+}

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./base64url.js";
+export * from "./jwt.js";

package/dist/index.js

@@ -0,0 +1,2 @@
+export * from "./base64url.js";
+export * from "./jwt.js";

package/dist/jwt.d.ts

@@ -0,0 +1,16 @@
+export interface YapprClaims {
+    tenantId: string;
+    userId: string;
+    displayName?: string;
+}
+export interface VerifiedToken extends YapprClaims {
+    iat: number;
+    exp: number;
+}
+export declare function mintToken(claims: YapprClaims, secret: string, opts?: {
+    expiresInSeconds?: number;
+    now?: number;
+}): Promise<string>;
+export declare function verifyToken(token: string, secret: string, opts?: {
+    now?: number;
+}): Promise<VerifiedToken>;

package/dist/jwt.js

@@ -0,0 +1,52 @@
+import { base64urlDecode, base64urlEncode } from "./base64url.js";
+const enc = new TextEncoder();
+const dec = new TextDecoder();
+function b64urlJson(obj) {
+    return base64urlEncode(enc.encode(JSON.stringify(obj)));
+}
+async function hmacKey(secret) {
+    return crypto.subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
+}
+export async function mintToken(claims, secret, opts = {}) {
+    const now = opts.now ?? Math.floor(Date.now() / 1000);
+    const exp = now + (opts.expiresInSeconds ?? 3600);
+    const header = b64urlJson({ alg: "HS256", typ: "JWT" });
+    const payload = b64urlJson({ ...claims, iat: now, exp });
+    const signingInput = `${header}.${payload}`;
+    const sig = await crypto.subtle.sign("HMAC", await hmacKey(secret), enc.encode(signingInput));
+    return `${signingInput}.${base64urlEncode(new Uint8Array(sig))}`;
+}
+export async function verifyToken(token, secret, opts = {}) {
+    const parts = token.split(".");
+    if (parts.length !== 3)
+        throw new Error("token_invalid");
+    const [header, payload, sig] = parts;
+    let headerObj;
+    try {
+        headerObj = JSON.parse(dec.decode(base64urlDecode(header)));
+    }
+    catch {
+        throw new Error("token_invalid");
+    }
+    if (headerObj.alg !== "HS256")
+        throw new Error("token_invalid");
+    if (headerObj.typ !== undefined && headerObj.typ !== "JWT")
+        throw new Error("token_invalid");
+    const ok = await crypto.subtle.verify("HMAC", await hmacKey(secret), base64urlDecode(sig), enc.encode(`${header}.${payload}`));
+    if (!ok)
+        throw new Error("token_invalid");
+    let claims;
+    try {
+        claims = JSON.parse(dec.decode(base64urlDecode(payload)));
+    }
+    catch {
+        throw new Error("token_invalid");
+    }
+    if (typeof claims.tenantId !== "string" || typeof claims.userId !== "string" || typeof claims.exp !== "number") {
+        throw new Error("token_invalid");
+    }
+    const now = opts.now ?? Math.floor(Date.now() / 1000);
+    if (claims.exp <= now)
+        throw new Error("token_expired");
+    return claims;
+}

package/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "@yappr/server-node",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "Mint short-lived Yappr end-user auth tokens from your backend (Node 18+, Bun, edge).",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "typescript": "5.9.3",
+    "vitest": "^3.0.0"
+  },
+  "scripts": {
+    "check": "tsc --noEmit -p tsconfig.json",
+    "build": "tsc -p tsconfig.build.json",
+    "test": "vitest run"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  }
+}