npm - @zintrust/signer - Versions diffs - 0.1.49 - Mend

@zintrust/signer 0.1.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,561 @@
+# @zintrust/signer
+Zero-dependency WebCrypto library for signing and verifying HTTP requests using HMAC-SHA256. Works in browsers, Node.js 20+, and Cloudflare Workers — any runtime with `globalThis.crypto.subtle`.
+Used by the [ZinTrust](https://github.com/ZinTrust/zintrust) Bulletproof Auth middleware to implement **proof-of-possession request signing**: a stolen JWT alone is not enough to access protected endpoints.
+---
+## Install
+```bash
+npm i @zintrust/signer
+```
+---
+## How it works
+Every request carries five headers that bind it to a specific key, timestamp, nonce, and body:
+| Header             | Description                                       |
+| ------------------ | ------------------------------------------------- |
+| `x-zt-key-id`      | Identifies the signing key (e.g. a device ID)     |
+| `x-zt-timestamp`   | Unix timestamp in milliseconds at signing time    |
+| `x-zt-nonce`       | Random UUID — consumed exactly once (anti-replay) |
+| `x-zt-body-sha256` | SHA-256 hex of the raw request body               |
+| `x-zt-signature`   | HMAC-SHA256 of the canonical request string       |
+The **canonical string** format (joined with `\n`):
+```
+METHOD
+/path/name
+?query=string
+timestampMs
+nonce
+bodySha256Hex
+```
+---
+## Quick start
+### Sign a request (client side)
+```ts
+import { SignedRequest } from '@zintrust/signer';
+const url = new URL('/api/orders', 'https://api.example.com');
+const method = 'POST';
+const body = JSON.stringify({ item: 'widget', qty: 3 });
+const signed = await SignedRequest.createHeaders({
+  method,
+  url,
+  body,
+  keyId: 'device_abc123',
+  secret: 'base64:your-32-byte-secret-here',
+});
+await fetch(url, {
+  method,
+  headers: {
+    'Content-Type': 'application/json',
+    Authorization: `Bearer ${jwt}`,
+    ...signed, // spreads all five x-zt-* headers
+  },
+  body,
+});
+```
+### Verify a request (server side)
+```ts
+import { SignedRequest } from '@zintrust/signer';
+const result = await SignedRequest.verify({
+  method: req.method,
+  url: req.url,
+  body: await req.text(),
+  headers: req.headers,
+  getSecretForKeyId: async (keyId) => {
+    // Look up your DB / KV store
+    const device = await db.devices.findByKeyId(keyId);
+    return device?.signingSecret;
+  },
+  // Optional: reject replayed nonces
+  verifyNonce: async (keyId, nonce, ttlMs) => {
+    return await nonceStore.consumeOnce(keyId, nonce, ttlMs);
+  },
+});
+if (!result.ok) {
+  // result.code is one of the failure codes below
+  return new Response('Unauthorized', { status: 401 });
+}
+// result.keyId, result.timestampMs, result.nonce are available
+```
+---
+## API Reference
+### `SignedRequest.createHeaders(params)`
+Generates the five signed-request headers for a given request.
+```ts
+type SignedRequestCreateHeadersParams = {
+  method: string; // HTTP method — e.g. 'GET', 'POST'
+  url: string | URL; // Full URL including path and query
+  body?: string | Uint8Array | null; // Raw request body (default: empty string)
+  keyId: string; // Key identifier (sent in x-zt-key-id)
+  secret: string; // HMAC signing secret
+  timestampMs?: number; // Override timestamp (default: Date.now())
+  nonce?: string; // Override nonce (default: crypto.randomUUID())
+};
+```
+Returns: `Promise<SignedRequestHeaders>`
+```ts
+type SignedRequestHeaders = {
+  'x-zt-key-id': string;
+  'x-zt-timestamp': string;
+  'x-zt-nonce': string;
+  'x-zt-body-sha256': string;
+  'x-zt-signature': string;
+};
+```
+---
+### `SignedRequest.verify(params)`
+Verifies signed-request headers on an incoming request.
+```ts
+type SignedRequestVerifyParams = {
+  method: string;
+  url: string | URL;
+  body?: string | Uint8Array | null;
+  headers: Headers | Record<string, string | undefined>;
+  getSecretForKeyId: (keyId: string) => string | undefined | Promise<string | undefined>;
+  nowMs?: number; // Override current time for testing (default: Date.now())
+  windowMs?: number; // Replay window in ms (default: 60_000 — 60 seconds)
+  verifyNonce?: (keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+};
+```
+Returns: `Promise<SignedRequestVerifyResult>`
+```ts
+type SignedRequestVerifyResult =
+  // Success
+  | { ok: true; keyId: string; timestampMs: number; nonce: string }
+  // Failure
+  | {
+      ok: false;
+      code:
+        | 'MISSING_HEADER' // One or more x-zt-* headers absent
+        | 'INVALID_TIMESTAMP' // x-zt-timestamp is not a valid integer
+        | 'EXPIRED' // Request timestamp outside the allowed window
+        | 'INVALID_BODY_SHA' // x-zt-body-sha256 does not match computed hash
+        | 'INVALID_SIGNATURE' // HMAC signature mismatch
+        | 'UNKNOWN_KEY' // getSecretForKeyId returned undefined or empty
+        | 'REPLAYED'; // verifyNonce hook returned false
+      message: string;
+    };
+```
+---
+### `SignedRequest.sha256Hex(data)`
+Utility: computes the SHA-256 hex digest of a string or `Uint8Array`.
+```ts
+const hash = await SignedRequest.sha256Hex('hello world');
+// => 'b94d27b9934d3e08...'
+```
+---
+### `SignedRequest.canonicalString(params)`
+Utility: builds the canonical string that is signed/verified. Useful for debugging.
+```ts
+const canonical = await SignedRequest.canonicalString({
+  method: 'POST',
+  url: new URL('/api/orders?page=1', 'https://api.example.com'),
+  timestampMs: 1708000000000,
+  nonce: 'abc-123',
+  bodySha256Hex: 'e3b0c44298fc1c14...',
+});
+// => "POST\n/api/orders\n?page=1\n1708000000000\nabc-123\ne3b0c44298fc1c14..."
+```
+---
+## Browser / React example
+```ts
+// lib/auth.ts
+import { SignedRequest } from '@zintrust/signer';
+interface LoginResult {
+  jwt: string;
+  deviceId: string;
+  deviceSecret: string;
+}
+export async function login(email: string, password: string): Promise<LoginResult> {
+  const res = await fetch('/auth/login', {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ email, password }),
+  });
+  if (!res.ok) throw new Error('Login failed');
+  const data = (await res.json()) as LoginResult;
+  sessionStorage.setItem('jwt', data.jwt);
+  sessionStorage.setItem('deviceId', data.deviceId);
+  sessionStorage.setItem('deviceSecret', data.deviceSecret);
+  return data;
+}
+// lib/api.ts
+export async function apiFetch(path: string, init: RequestInit = {}): Promise<Response> {
+  const jwt = sessionStorage.getItem('jwt')!;
+  const deviceId = sessionStorage.getItem('deviceId')!;
+  const deviceSecret = sessionStorage.getItem('deviceSecret')!;
+  const method = (init.method ?? 'GET').toUpperCase();
+  const url = new URL(path, window.location.origin);
+  const body = typeof init.body === 'string' ? init.body : '';
+  const signed = await SignedRequest.createHeaders({
+    method,
+    url,
+    body,
+    keyId: deviceId,
+    secret: deviceSecret,
+  });
+  return fetch(url, {
+    ...init,
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${jwt}`,
+      'x-zt-device-id': deviceId,
+      'x-zt-timezone': Intl.DateTimeFormat().resolvedOptions().timeZone,
+      ...(init.headers as Record<string, string> | undefined),
+      ...signed,
+    },
+  });
+}
+```
+---
+## Vue 3 example
+```ts
+// composables/useAuth.ts
+import { ref } from 'vue';
+import { SignedRequest } from '@zintrust/signer';
+interface LoginResult {
+  jwt: string;
+  deviceId: string;
+  deviceSecret: string;
+}
+const jwt = ref<string | null>(sessionStorage.getItem('jwt'));
+const deviceId = ref<string | null>(sessionStorage.getItem('deviceId'));
+const deviceSecret = ref<string | null>(sessionStorage.getItem('deviceSecret'));
+export function useAuth() {
+  const isLoggedIn = computed(() => !!jwt.value);
+  async function login(email: string, password: string): Promise<void> {
+    const res = await fetch('/auth/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email, password }),
+    });
+    if (!res.ok) throw new Error('Login failed');
+    const data = (await res.json()) as LoginResult;
+    jwt.value = data.jwt;
+    deviceId.value = data.deviceId;
+    deviceSecret.value = data.deviceSecret;
+    sessionStorage.setItem('jwt', data.jwt);
+    sessionStorage.setItem('deviceId', data.deviceId);
+    sessionStorage.setItem('deviceSecret', data.deviceSecret);
+  }
+  async function logout(): Promise<void> {
+    // Call logout endpoint using a signed request
+    await apiFetch('/auth/logout', { method: 'POST' });
+    jwt.value = null;
+    deviceId.value = null;
+    deviceSecret.value = null;
+    sessionStorage.removeItem('jwt');
+    sessionStorage.removeItem('deviceId');
+    sessionStorage.removeItem('deviceSecret');
+  }
+  return { isLoggedIn, login, logout };
+}
+```
+```ts
+// composables/useApi.ts
+import { SignedRequest } from '@zintrust/signer';
+export async function apiFetch(path: string, init: RequestInit = {}): Promise<Response> {
+  const jwt = sessionStorage.getItem('jwt')!;
+  const deviceId = sessionStorage.getItem('deviceId')!;
+  const deviceSecret = sessionStorage.getItem('deviceSecret')!;
+  const method = (init.method ?? 'GET').toUpperCase();
+  const url = new URL(path, window.location.origin);
+  const body = typeof init.body === 'string' ? init.body : '';
+  const signed = await SignedRequest.createHeaders({
+    method,
+    url,
+    body,
+    keyId: deviceId,
+    secret: deviceSecret,
+  });
+  return fetch(url, {
+    ...init,
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${jwt}`,
+      'x-zt-device-id': deviceId,
+      'x-zt-timezone': Intl.DateTimeFormat().resolvedOptions().timeZone,
+      ...(init.headers as Record<string, string> | undefined),
+      ...signed,
+    },
+  });
+}
+```
+```vue
+<!-- components/LoginForm.vue -->
+<script setup lang="ts">
+import { ref } from 'vue';
+import { useAuth } from '@/composables/useAuth';
+import { useRouter } from 'vue-router';
+const { login } = useAuth();
+const router = useRouter();
+const email = ref('');
+const password = ref('');
+const error = ref('');
+const loading = ref(false);
+async function handleSubmit() {
+  error.value = '';
+  loading.value = true;
+  try {
+    await login(email.value, password.value);
+    await router.push('/dashboard');
+  } catch {
+    error.value = 'Invalid email or password.';
+  } finally {
+    loading.value = false;
+  }
+}
+</script>
+<template>
+  <form @submit.prevent="handleSubmit">
+    <input v-model="email" type="email" placeholder="Email" required />
+    <input v-model="password" type="password" placeholder="Password" required />
+    <p v-if="error" class="error">{{ error }}</p>
+    <button type="submit" :disabled="loading">
+      {{ loading ? 'Signing in…' : 'Sign in' }}
+    </button>
+  </form>
+</template>
+```
+```vue
+<!-- components/ProfileCard.vue — example of a signed API call -->
+<script setup lang="ts">
+import { ref, onMounted } from 'vue';
+import { apiFetch } from '@/composables/useApi';
+interface Profile {
+  id: string;
+  email: string;
+  role: string;
+}
+const profile = ref<Profile | null>(null);
+const error = ref('');
+onMounted(async () => {
+  const res = await apiFetch('/api/me');
+  if (res.ok) {
+    profile.value = (await res.json()) as Profile;
+  } else {
+    error.value = 'Failed to load profile.';
+  }
+});
+</script>
+<template>
+  <div v-if="profile">
+    <p>{{ profile.email }} ({{ profile.role }})</p>
+  </div>
+  <p v-else-if="error">{{ error }}</p>
+  <p v-else>Loading…</p>
+</template>
+```
+---
+## Node.js / server-to-server example
+```ts
+import { SignedRequest } from '@zintrust/signer';
+const secret = process.env.API_SIGNING_SECRET!;
+const keyId = process.env.API_KEY_ID!;
+const jwt = process.env.SERVICE_JWT!;
+async function signedFetch(url: string, init: RequestInit = {}) {
+  const method = (init.method ?? 'GET').toUpperCase();
+  const body = typeof init.body === 'string' ? init.body : '';
+  const signed = await SignedRequest.createHeaders({
+    method,
+    url: new URL(url),
+    body,
+    keyId,
+    secret,
+  });
+  return fetch(url, {
+    ...init,
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${jwt}`,
+      ...signed,
+    },
+  });
+}
+const res = await signedFetch('https://api.example.com/internal/sync', {
+  method: 'POST',
+  body: JSON.stringify({ action: 'sync' }),
+});
+```
+---
+## Cloudflare Workers example
+```ts
+import { SignedRequest } from '@zintrust/signer';
+export default {
+  async fetch(request: Request, env: Env): Promise<Response> {
+    const result = await SignedRequest.verify({
+      method: request.method,
+      url: request.url,
+      body: await request.clone().text(),
+      headers: request.headers,
+      getSecretForKeyId: async (keyId) => {
+        return (await env.KV.get(`signing_secret:${keyId}`)) ?? undefined;
+      },
+      windowMs: 30_000,
+    });
+    if (!result.ok) {
+      return Response.json({ error: result.code }, { status: 401 });
+    }
+    return Response.json({ keyId: result.keyId });
+  },
+};
+```
+---
+## Nonce replay protection
+The `verifyNonce` hook lets you plug in any store. Example using an in-memory `Map` (single instance only — use Redis/KV for multi-instance):
+```ts
+const seenNonces = new Map<string, number>();
+const result = await SignedRequest.verify({
+  // ...
+  verifyNonce: async (keyId, nonce, ttlMs) => {
+    const key = `${keyId}:${nonce}`;
+    if (seenNonces.has(key)) return false; // replayed
+    seenNonces.set(key, Date.now() + ttlMs);
+    return true;
+  },
+});
+```
+For multi-instance deployments, use a Redis/KV SET NX with TTL:
+```ts
+verifyNonce: async (keyId, nonce, ttlMs) => {
+  const key = `nonce:${keyId}:${nonce}`;
+  const set = await redis.set(key, '1', 'PX', ttlMs, 'NX');
+  return set === 'OK';
+},
+```
+---
+## Security notes
+- **Secrets** should be at least 32 random bytes. Generate one with:
+  ```bash
+  node -e "console.log('base64:' + require('crypto').randomBytes(32).toString('base64'))"
+  # or with the ZinTrust CLI:
+  zin key:bulletproof
+  ```
+- **Replay window** defaults to 60 seconds. Reduce for stricter security; increase if clients have clock skew issues.
+- **Nonce replay protection** requires a shared store (Redis/KV) when running multiple instances.
+- All HMAC comparisons use a timing-safe equality check to prevent timing attacks.
+---
+## Runtime requirements
+| Runtime            | Minimum version                       | Notes                               |
+| ------------------ | ------------------------------------- | ----------------------------------- |
+| Node.js            | 20.0.0                                | `globalThis.crypto.subtle` built-in |
+| Bun                | Any                                   | WebCrypto built-in                  |
+| Cloudflare Workers | Any                                   | WebCrypto built-in                  |
+| Browsers           | Chrome 37+ / Firefox 34+ / Safari 11+ | WebCrypto available since 2014      |
+| Deno               | Any                                   | WebCrypto built-in                  |
+---
+## License
+MIT — part of the [ZinTrust](https://github.com/ZinTrust/zintrust) framework.

package/dist/SignedRequest.d.ts ADDED Viewed

@@ -0,0 +1,53 @@
+export type SignedRequestHeaders = {
+    'x-zt-key-id': string;
+    'x-zt-timestamp': string;
+    'x-zt-nonce': string;
+    'x-zt-body-sha256': string;
+    'x-zt-signature': string;
+};
+export type SignedRequestCreateHeadersParams = {
+    method: string;
+    url: string | URL;
+    body?: string | Uint8Array | null;
+    keyId: string;
+    secret: string;
+    timestampMs?: number;
+    nonce?: string;
+};
+export type SignedRequestVerifyParams = {
+    method: string;
+    url: string | URL;
+    body?: string | Uint8Array | null;
+    headers: Headers | Record<string, string | undefined>;
+    getSecretForKeyId: (keyId: string) => string | undefined | Promise<string | undefined>;
+    nowMs?: number;
+    windowMs?: number;
+    /**
+     * Optional replay protection hook.
+     * Return true if the nonce is accepted and stored; false if replayed/invalid.
+     */
+    verifyNonce?: (keyId: string, nonce: string, ttlMs: number) => Promise<boolean>;
+};
+export type SignedRequestVerifyResult = {
+    ok: true;
+    keyId: string;
+    timestampMs: number;
+    nonce: string;
+} | {
+    ok: false;
+    code: 'MISSING_HEADER' | 'INVALID_TIMESTAMP' | 'EXPIRED' | 'INVALID_BODY_SHA' | 'INVALID_SIGNATURE' | 'UNKNOWN_KEY' | 'REPLAYED';
+    message: string;
+};
+export declare const SignedRequest: Readonly<{
+    sha256Hex: (data: string | Uint8Array) => Promise<string>;
+    canonicalString: (params: {
+        method: string;
+        url: string | URL;
+        timestampMs: number;
+        nonce: string;
+        bodySha256Hex: string;
+    }) => string;
+    createHeaders(params: SignedRequestCreateHeadersParams): Promise<SignedRequestHeaders>;
+    verify(params: SignedRequestVerifyParams): Promise<SignedRequestVerifyResult>;
+}>;
+export default SignedRequest;

package/dist/SignedRequest.js ADDED Viewed

@@ -0,0 +1,171 @@
+const getHeader = (headers, name) => {
+    if (typeof headers.get === 'function') {
+        const value = headers.get(name);
+        return value ?? undefined;
+    }
+    return headers[name];
+};
+const timingSafeEquals = (a, b) => {
+    if (a.length !== b.length)
+        return false;
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= (a.codePointAt(i) ?? 0) ^ (b.codePointAt(i) ?? 0);
+    }
+    return result === 0;
+};
+const getCrypto = () => {
+    if (typeof crypto === 'undefined' || crypto.subtle === undefined) {
+        // eslint-disable-next-line no-restricted-syntax
+        throw new Error('WebCrypto is not available in this runtime');
+    }
+    return crypto;
+};
+const getSubtle = () => getCrypto().subtle;
+const toBytes = (data) => {
+    const bytes = typeof data === 'string' ? new TextEncoder().encode(data) : data;
+    return new Uint8Array(bytes);
+};
+const toHex = (bytes) => {
+    const view = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
+    let out = '';
+    for (const element of view) {
+        out += element.toString(16).padStart(2, '0');
+    }
+    return out;
+};
+const sha256Hex = async (data) => {
+    const digest = await getSubtle().digest('SHA-256', toBytes(data));
+    return toHex(digest);
+};
+const canonicalString = (params) => {
+    const u = typeof params.url === 'string' ? new URL(params.url) : params.url;
+    const method = params.method.toUpperCase();
+    return [
+        method,
+        u.pathname,
+        u.search,
+        String(params.timestampMs),
+        params.nonce,
+        params.bodySha256Hex,
+    ].join('\n');
+};
+export const SignedRequest = Object.freeze({
+    sha256Hex,
+    canonicalString,
+    async createHeaders(params) {
+        const timestampMs = params.timestampMs ?? Date.now();
+        const webCrypto = getCrypto();
+        const nonce = params.nonce ??
+            (typeof webCrypto.randomUUID === 'function'
+                ? webCrypto.randomUUID()
+                : toHex(webCrypto.getRandomValues(new Uint8Array(16))));
+        const body = params.body ?? '';
+        const bodySha = await sha256Hex(body);
+        const canonical = canonicalString({
+            method: params.method,
+            url: params.url,
+            timestampMs,
+            nonce,
+            bodySha256Hex: bodySha,
+        });
+        const subtle = getSubtle();
+        const key = await subtle.importKey('raw', toBytes(params.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+        const signatureBytes = await subtle.sign('HMAC', key, toBytes(canonical));
+        const signature = toHex(signatureBytes);
+        return {
+            'x-zt-key-id': params.keyId,
+            'x-zt-timestamp': String(timestampMs),
+            'x-zt-nonce': nonce,
+            'x-zt-body-sha256': bodySha,
+            'x-zt-signature': signature,
+        };
+    },
+    async verify(params) {
+        const parsed = parseAndValidateHeaders(params.headers);
+        if (!parsed.ok)
+            return parsed;
+        const { keyId, timestampMs, nonce, bodySha, signature } = parsed;
+        const nowMs = params.nowMs ?? Date.now();
+        const windowMs = params.windowMs ?? 60_000;
+        const windowFail = validateTimestampWindow({ nowMs, timestampMs, windowMs });
+        if (windowFail)
+            return windowFail;
+        const bodyFail = await validateBodyHash({ body: params.body ?? '', bodyShaHeader: bodySha });
+        if (bodyFail)
+            return bodyFail;
+        const secret = await params.getSecretForKeyId(keyId);
+        if (secret === undefined || secret.trim() === '') {
+            return { ok: false, code: 'UNKNOWN_KEY', message: 'Unknown key id' };
+        }
+        const sigFail = await validateSignature({
+            method: params.method,
+            url: params.url,
+            timestampMs,
+            nonce,
+            bodySha,
+            signature,
+            secret,
+        });
+        if (sigFail)
+            return sigFail;
+        if (params.verifyNonce !== undefined) {
+            const ok = await params.verifyNonce(keyId, nonce, windowMs);
+            if (!ok) {
+                return { ok: false, code: 'REPLAYED', message: 'Nonce replayed or rejected' };
+            }
+        }
+        return { ok: true, keyId, timestampMs, nonce };
+    },
+});
+const parseAndValidateHeaders = (headers) => {
+    const keyId = getHeader(headers, 'x-zt-key-id');
+    const ts = getHeader(headers, 'x-zt-timestamp');
+    const nonce = getHeader(headers, 'x-zt-nonce');
+    const bodySha = getHeader(headers, 'x-zt-body-sha256');
+    const signature = getHeader(headers, 'x-zt-signature');
+    if (keyId === undefined ||
+        ts === undefined ||
+        nonce === undefined ||
+        bodySha === undefined ||
+        signature === undefined) {
+        return { ok: false, code: 'MISSING_HEADER', message: 'Missing required signing headers' };
+    }
+    const timestampMs = Number.parseInt(ts, 10);
+    if (!Number.isFinite(timestampMs)) {
+        return { ok: false, code: 'INVALID_TIMESTAMP', message: 'Invalid x-zt-timestamp' };
+    }
+    return { ok: true, keyId, timestampMs, nonce, bodySha, signature };
+};
+const validateTimestampWindow = (params) => {
+    const diff = Math.abs(params.nowMs - params.timestampMs);
+    if (!Number.isFinite(diff) || diff > Math.max(1, params.windowMs)) {
+        return { ok: false, code: 'EXPIRED', message: 'Request timestamp outside allowed window' };
+    }
+    return null;
+};
+const validateBodyHash = async (params) => {
+    const computed = await sha256Hex(params.body);
+    if (!timingSafeEquals(computed, params.bodyShaHeader)) {
+        return { ok: false, code: 'INVALID_BODY_SHA', message: 'Invalid body hash' };
+    }
+    return null;
+};
+const validateSignature = async (params) => {
+    const canonical = canonicalString({
+        method: params.method,
+        url: params.url,
+        timestampMs: params.timestampMs,
+        nonce: params.nonce,
+        bodySha256Hex: params.bodySha,
+    });
+    const subtle = getSubtle();
+    const key = await subtle.importKey('raw', toBytes(params.secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+    const signatureBytes = await subtle.sign('HMAC', key, toBytes(canonical));
+    const computed = toHex(signatureBytes);
+    if (!timingSafeEquals(computed, params.signature)) {
+        return { ok: false, code: 'INVALID_SIGNATURE', message: 'Invalid signature' };
+    }
+    return null;
+};
+export default SignedRequest;

package/dist/build-manifest.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "name": "@zintrust/signer",
+  "version": "0.1.47",
+  "buildDate": "2026-02-23T16:21:42.488Z",
+  "buildEnvironment": {
+    "node": "v20.20.0",
+    "platform": "linux",
+    "arch": "x64"
+  },
+  "git": {
+    "commit": "16b342c",
+    "branch": "master"
+  },
+  "package": {
+    "engines": {
+      "node": ">=20.0.0"
+    },
+    "dependencies": [],
+    "peerDependencies": []
+  },
+  "files": {
+    "SignedRequest.d.ts": {
+      "size": 1750,
+      "sha256": "d308d63499f3b7298581c14f21d5d6f9299ac1c68e31c10256c50da7381b597b"
+    },
+    "SignedRequest.js": {
+      "size": 6462,
+      "sha256": "d77715dbaba201311c4b42543d30e03a71a97bdffc8e64286de23dd792a68353"
+    },
+    "index.d.ts": {
+      "size": 180,
+      "sha256": "c06c81a970e75623446631798b080b4224efb4900992eec411a9ac468c6f3773"
+    },
+    "index.js": {
+      "size": 225,
+      "sha256": "26dde35f7583af546af97eda4696868f7d71e6b613bd9e14fc36bfd77f686aa1"
+    }
+  }
+}

package/dist/index.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export { SignedRequest, type SignedRequestCreateHeadersParams, type SignedRequestHeaders, type SignedRequestVerifyParams, type SignedRequestVerifyResult, } from './SignedRequest';

package/dist/index.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ export { SignedRequest, } from './SignedRequest';

package/package.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "@zintrust/signer",
+  "version": "0.1.49",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "type-check": "tsc -p tsconfig.json --noEmit"
+  },
+  "peerDependencies": {
+    "@zintrust/core": "^0.1.49"
+  }
+}