auth-vir 1.2.0 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth.d.ts +8 -0
- package/dist/auth.js +23 -0
- package/dist/cookie.js +1 -1
- package/dist/jwt.js +1 -1
- package/package.json +10 -10
- package/src/auth.ts +31 -0
- package/src/cookie.ts +1 -1
- package/src/jwt.ts +1 -1
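--- a/package/dist/auth.d.ts
+++ b/package/dist/auth.d.ts
@@ -15,6 +15,14 @@ export type HeaderContainer = Record<string, string[] | undefined | string | num
 * @returns The extracted user id or `undefined` if no valid auth headers exist.
 */
 export declare function extractUserIdFromRequestHeaders(headers: HeaderContainer, jwtParams: Readonly<ParseJwtParams>, cookieName?: string | undefined): Promise<string | undefined>;
+/**
+* Extract a user id from just the cookie, without CSRF token validation. This is _less secure_ than
+* {@link extractUserIdFromRequestHeaders} as a result. This should only be used in rare
+* circumstances where you cannot rely on client-side JavaScript to insert the CSRF token.
+*
+* @deprecated Prefer {@link extractUserIdFromRequestHeaders} instead: it is more secure.
+*/
+export declare function extractUserIdFromCookieAlone(headers: HeaderContainer, jwtParams: Readonly<ParseJwtParams>, cookieName?: string | undefined): Promise<string | undefined>;
 /**
 * Used by host (backend) code to set headers on a response object.
 *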
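--- a/package/dist/auth.js
+++ b/package/dist/auth.js
@@ -42,6 +42,29 @@ export async function extractUserIdFromRequestHeaders(headers, jwtParams, cookie
 return undefined;
 }
 }
+/**
+* Extract a user id from just the cookie, without CSRF token validation. This is _less secure_ than
+* {@link extractUserIdFromRequestHeaders} as a result. This should only be used in rare
+* circumstances where you cannot rely on client-side JavaScript to insert the CSRF token.
+*
+* @deprecated Prefer {@link extractUserIdFromRequestHeaders} instead: it is more secure.
+*/
+export async function extractUserIdFromCookieAlone(headers, jwtParams, cookieName) {
+try {
+const cookie = readHeader(headers, 'cookie');
+if (!cookie) {
+return undefined;
+}
+const jwt = await extractCookieJwt(cookie, jwtParams, cookieName);
+if (!jwt) {
+return undefined;
+}
+return jwt.userId;
+}
+catch {
+return undefined;
+}
+}
 /**
 * Used by host (backend) code to set headers on a response object.
 *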
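--- a/package/dist/cookie.js
+++ b/package/dist/cookie.js
@@ -71,7 +71,7 @@ export async function extractCookieJwt(rawCookie, jwtParams, cookieName = 'auth'
 if (!auth) {
 return undefined;
 }
-const rawJwt = auth.replace(
+const rawJwt = auth.replace(`${cookieName}=`, '').replace(';', '');
 const jwt = await parseUserJwt(rawJwt, jwtParams);
 return jwt;
 }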
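--- a/package/dist/jwt.js
+++ b/package/dist/jwt.js
@@ -11,7 +11,7 @@ const signingProtectedHeader = { alg: 'HS512' };
 export async function createJwt(
 /** The data to be included in the JWT. */
 data, params) {
-const rawJwt = new SignJWT({ data
+const rawJwt = new SignJWT({ data })
 .setProtectedHeader(signingProtectedHeader)
 .setIssuedAt(params.issuedAt
 ? toTimestamp(createFullDateInUserTimezone(params.issuedAt))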
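--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "auth-vir",
-"version": "1.
+"version": "1.3.0",
 "description": "Auth made easy and secure via JWT cookies, CSRF tokens, and password hashing helpers.",
 "keywords": [
 "auth",
@@ -40,25 +40,25 @@
 "test:update": "npm test update"
 },
 "dependencies": {
-"@augment-vir/assert": "^31.
-"@augment-vir/common": "^31.
-"date-vir": "^7.
+"@augment-vir/assert": "^31.32.2",
+"@augment-vir/common": "^31.32.2",
+"date-vir": "^7.4.0",
 "hash-wasm": "^4.12.0",
-"jose": "^6.0.
-"object-shape-tester": "^5.
+"jose": "^6.0.12",
+"object-shape-tester": "^5.3.0",
 "type-fest": "^4.41.0",
 "url-vir": "^2.1.3"
 },
 "devDependencies": {
-"@augment-vir/test": "^31.
+"@augment-vir/test": "^31.32.2",
 "@web/dev-server-esbuild": "^1.0.4",
-"@web/test-runner": "^0.20.
+"@web/test-runner": "^0.20.2",
 "@web/test-runner-commands": "^0.9.0",
-"@web/test-runner-playwright": "^0.11.
+"@web/test-runner-playwright": "^0.11.1",
 "@web/test-runner-visual-regression": "^0.10.0",
 "istanbul-smart-text-reporter": "^1.1.5",
 "markdown-code-example-inserter": "^3.0.3",
-"typedoc": "^0.28.
+"typedoc": "^0.28.10"
 },
 "engines": {
 "node": ">=22"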
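--- a/package/src/auth.ts
+++ b/package/src/auth.ts
@@ -63,6 +63,37 @@ export async function extractUserIdFromRequestHeaders(
 }
 }
 
+/**
+* Extract a user id from just the cookie, without CSRF token validation. This is _less secure_ than
+* {@link extractUserIdFromRequestHeaders} as a result. This should only be used in rare
+* circumstances where you cannot rely on client-side JavaScript to insert the CSRF token.
+*
+* @deprecated Prefer {@link extractUserIdFromRequestHeaders} instead: it is more secure.
+*/
+export async function extractUserIdFromCookieAlone(
+headers: HeaderContainer,
+jwtParams: Readonly<ParseJwtParams>,
+cookieName?: string | undefined,
+): Promise<string | undefined> {
+try {
+const cookie = readHeader(headers, 'cookie');
+
+if (!cookie) {
+return undefined;
+}
+
+const jwt = await extractCookieJwt(cookie, jwtParams, cookieName);
+
+if (!jwt) {
+return undefined;
+}
+
+return jwt.userId;
+} catch {
+return undefined;
+}
+}
+
 /**
 * Used by host (backend) code to set headers on a response object.
 *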
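Review bot: The new `extractUserIdFromCookieAlone` is tagged `@deprecated` in the same release that introduces it, which editor tooling typically strikes through at every call site, yet the doc block never says what a caller must do to compensate for the missing CSRF check. Consider replacing the tag with a `@remarks` block along the lines of `Only use for requests that cannot be triggered cross-site (non-browser clients, or handlers with no state-changing side effects); the cookie's SameSite attribute is then the only CSRF protection in play.` The bare `} catch { return undefined; }` also folds a misconfigured `jwtParams` or a signature-verification error into the same result as "no cookie present"; that mirrors the sibling function that ends just above the hunk, but a one-line comment stating the collapse is intentional would help the next reader. The declaration in package/dist/auth.d.ts and the compiled body in package/dist/auth.js mirror this hunk, so the same wording applies there.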
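--- a/package/src/cookie.ts
+++ b/package/src/cookie.ts
@@ -132,7 +132,7 @@ export async function extractCookieJwt(
 return undefined;
 }
 
-const rawJwt = auth.replace(
+const rawJwt = auth.replace(`${cookieName}=`, '').replace(';', '');
 
 const jwt = await parseUserJwt(rawJwt, jwtParams);
 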
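Review bot: The prefix strip on new line 135 is not anchored: `String.prototype.replace` with a string pattern removes the first occurrence of `${cookieName}=` wherever it sits in `auth`, and the appended `.replace(';', '')` removes only the first semicolon, so any further `;` (or a cookie whose name merely ends with the configured name) leaves stray characters in `rawJwt`. The value still goes through `parseUserJwt`, so a mangled token should fail verification rather than be accepted, but the failure then surfaces as an unexplained `undefined` session. If `auth` is the single `name=value` segment selected above the hunk (extractCookieJwt starts outside it), an explicit prefix check expresses the intent: `if (!auth.startsWith(`${cookieName}=`)) { return undefined; }` followed by `const rawJwt = auth.slice(cookieName.length + 1).split(';')[0].trim();`. The compiled copy in package/dist/cookie.js line 74 carries the same line.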
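--- a/package/src/jwt.ts
+++ b/package/src/jwt.ts
@@ -87,7 +87,7 @@ export async function createJwt<JwtData extends AnyObject = AnyObject>(
 data: JwtData,
 params: Readonly<CreateJwtParams>,
 ): Promise<string> {
-const rawJwt = new SignJWT({data
+const rawJwt = new SignJWT({data})
 .setProtectedHeader(signingProtectedHeader)
 .setIssuedAt(
 params.issuedAt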