auth-vir 5.0.2 → 5.0.4

package/dist/generated/models/User.js

@@ -0,0 +1 @@
+export {};

package/dist/generated/models.d.ts

@@ -0,0 +1,2 @@
+export type * from './models/User.js';
+export type * from './commonInputTypes.js';

package/dist/generated/models.js

@@ -0,0 +1 @@
+export {};

package/dist/generated/shapes.gen.d.ts

@@ -0,0 +1,8 @@
+import { type UserId } from './models/User.js';
+export declare const UserIdShape: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<UserId>>;
+export declare const UserShape: import("object-shape-tester").Shape<{
+    id: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<UserId>>;
+    createdAt: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<`${number}-${number}-${number}T${number}:${number}:${number}.${number}Z`>>;
+    updatedAt: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<`${number}-${number}-${number}T${number}:${number}:${number}.${number}Z`>>;
+    name: string;
+}>;

package/dist/generated/shapes.gen.js

@@ -0,0 +1,11 @@
+/** AUTO-GENERATED FILE. DO NOT EDIT DIRECTLY. */
+// @ts-nocheck
+import { defineShape, typedStringShape } from 'object-shape-tester';
+import { utcIsoStringShape } from 'date-vir';
+export const UserIdShape = typedStringShape();
+export const UserShape = defineShape({
+    id: UserIdShape,
+    createdAt: utcIsoStringShape(),
+    updatedAt: utcIsoStringShape(),
+    name: '',
+});

package/dist/hash.d.ts

@@ -0,0 +1,42 @@
+import { type PartialWithUndefined } from '@augment-vir/common';
+import { type IArgon2Options } from 'hash-wasm';
+/**
+ * Default value for {@link HashPasswordOptions}.
+ *
+ * @category Internal
+ */
+export declare const defaultHashOptions: HashPasswordOptions;
+/**
+ * Options for {@link hashPassword}.
+ *
+ * @category Internal
+ */
+export type HashPasswordOptions = PartialWithUndefined<Omit<IArgon2Options, 'outputType' | 'salt' | 'password' | 'secret'>>;
+/**
+ * Hashes a password using the Argon2id algorithm so passwords don't need to be stored in plain
+ * text. The output of this function is safe to store in a database for future credential
+ * comparisons.
+ *
+ * @category Auth : Host
+ * @returns The hashed password.
+ * @see https://en.wikipedia.org/wiki/Argon2
+ */
+export declare function hashPassword(password: string, options?: HashPasswordOptions): Promise<string>;
+/**
+ * A utility that provides more accurate string byte size than doing `string.length`.
+ *
+ * @category Internal
+ */
+export declare function getByteLength(input: string): number;
+/**
+ * Checks if the given password is a match by comparing it to the previously computed and stored
+ * hash.
+ *
+ * @category Auth : Host
+ */
+export declare function doesPasswordMatchHash({ password, hash, }: {
+    /** The password entered by the user in their login attempt. */
+    password: string;
+    /** The stored password hash for that user. */
+    hash: string;
+}): Promise<boolean>;

package/dist/hash.js

@@ -0,0 +1,52 @@
+import { assertWrap } from '@augment-vir/assert';
+import { mergeDefinedProperties, } from '@augment-vir/common';
+import { argon2id, argon2Verify } from 'hash-wasm';
+/**
+ * Default value for {@link HashPasswordOptions}.
+ *
+ * @category Internal
+ */
+export const defaultHashOptions = {
+    hashLength: 32,
+    iterations: 2,
+    memorySize: 19_456,
+    parallelism: 1,
+};
+/**
+ * Hashes a password using the Argon2id algorithm so passwords don't need to be stored in plain
+ * text. The output of this function is safe to store in a database for future credential
+ * comparisons.
+ *
+ * @category Auth : Host
+ * @returns The hashed password.
+ * @see https://en.wikipedia.org/wiki/Argon2
+ */
+export async function hashPassword(password, options = {}) {
+    const salt = globalThis.crypto.getRandomValues(new Uint8Array(16));
+    const hash = await argon2id(mergeDefinedProperties(defaultHashOptions, options, {
+        outputType: 'encoded',
+        password: password.normalize(),
+        salt,
+    }));
+    return assertWrap.isTruthy(hash);
+}
+/**
+ * A utility that provides more accurate string byte size than doing `string.length`.
+ *
+ * @category Internal
+ */
+export function getByteLength(input) {
+    return new Blob([input]).size;
+}
+/**
+ * Checks if the given password is a match by comparing it to the previously computed and stored
+ * hash.
+ *
+ * @category Auth : Host
+ */
+export async function doesPasswordMatchHash({ password, hash, }) {
+    return await argon2Verify({
+        hash,
+        password: password.normalize(),
+    });
+}

package/dist/headers.d.ts

@@ -0,0 +1,19 @@
+/**
+ * All custom headers used by auth-vir.
+ *
+ * @category Internal
+ */
+export declare enum AuthHeaderName {
+    AssumedUser = "assumed-user",
+    /**
+     * Used to track if the current user is signed in only with a sign-up cookie, which prevents us
+     * from prematurely wiping their CSRF token.
+     */
+    IsSignUpAuth = "is-sign-up-auth"
+}
+/**
+ * Merges multiple header values into a single array of header values.
+ *
+ * @category Internal
+ */
+export declare function mergeHeaderValues(...values: (string | string[] | undefined)[]): string[];

package/dist/headers.js

@@ -0,0 +1,32 @@
+import { check } from '@augment-vir/assert';
+/**
+ * All custom headers used by auth-vir.
+ *
+ * @category Internal
+ */
+export var AuthHeaderName;
+(function (AuthHeaderName) {
+    AuthHeaderName["AssumedUser"] = "assumed-user";
+    /**
+     * Used to track if the current user is signed in only with a sign-up cookie, which prevents us
+     * from prematurely wiping their CSRF token.
+     */
+    AuthHeaderName["IsSignUpAuth"] = "is-sign-up-auth";
+})(AuthHeaderName || (AuthHeaderName = {}));
+/**
+ * Merges multiple header values into a single array of header values.
+ *
+ * @category Internal
+ */
+export function mergeHeaderValues(...values) {
+    const finalHeaderValues = [];
+    values.forEach((value) => {
+        if (check.isArray(value)) {
+            finalHeaderValues.push(...value);
+        }
+        else if (check.isString(value)) {
+            finalHeaderValues.push(value);
+        }
+    });
+    return finalHeaderValues;
+}

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+export * from './auth-client/backend-auth.client.js';
+export * from './auth-client/frontend-auth.client.js';
+export * from './auth-client/is-session-refresh-ready.js';
+export * from './auth.js';
+export * from './cookie.js';
+export * from './csrf-token.js';
+export * from './hash.js';
+export * from './headers.js';
+export * from './jwt/jwt-keys.js';
+export * from './jwt/jwt.js';
+export * from './jwt/user-jwt.js';

package/dist/index.js

@@ -0,0 +1,11 @@
+export * from './auth-client/backend-auth.client.js';
+export * from './auth-client/frontend-auth.client.js';
+export * from './auth-client/is-session-refresh-ready.js';
+export * from './auth.js';
+export * from './cookie.js';
+export * from './csrf-token.js';
+export * from './hash.js';
+export * from './headers.js';
+export * from './jwt/jwt-keys.js';
+export * from './jwt/jwt.js';
+export * from './jwt/user-jwt.js';

package/dist/jwt/jwt-keys.d.ts

@@ -0,0 +1,44 @@
+/**
+ * The keys required to sign and encrypt the JWT in their raw form for storage in a secure secrets
+ * database (such as AWS Secrets Manager) for later parsing by {@link parseJwtKeys}.
+ *
+ * These keys should be kept secret and never shared with any frontend, client, etc.
+ *
+ * @category Internal
+ */
+export type RawJwtKeys = Readonly<{
+    encryptionKey: string;
+    signingKey: string;
+}>;
+/**
+ * The keys required to sign and encrypt the JWT.
+ *
+ * These keys should be kept secret and never shared with any frontend, client, etc.
+ *
+ * @category Internal
+ */
+export type JwtKeys = Readonly<{
+    /**
+     * Encryption key for JWTs. This is a Uint8Array because `EncryptJWT.encrypt` does not support
+     * `CryptoKey` for our chosen encryption algorithm.
+     */
+    encryptionKey: Readonly<Uint8Array>;
+    /** Signing key for JWTs. */
+    signingKey: Readonly<CryptoKey>;
+}>;
+/**
+ * Generate fresh and serialized JWT signing and encryption keys. These should be stored in a secure
+ * secrets database (such as AWS Secrets Manager) for later parsing by {@link parseJwtKeys}.
+ *
+ * These keys should be kept secret and never shared with any frontend, client, etc.
+ *
+ * @category Keys
+ */
+export declare function generateNewJwtKeys(): Promise<RawJwtKeys>;
+/**
+ * Parses an instance of {@link RawJwtKeys} and produces the final {@link JwtKeys} object required by
+ * all authentication functionality.
+ *
+ * @category Keys
+ */
+export declare function parseJwtKeys(rawKeys: Readonly<RawJwtKeys>): Promise<Readonly<JwtKeys>>;

package/dist/jwt/jwt-keys.js

@@ -0,0 +1,57 @@
+import { assertWrap } from '@augment-vir/assert';
+import { base64url } from 'jose';
+const signingKeyOptions = [
+    {
+        name: 'HMAC',
+        hash: 'SHA-512',
+    },
+    true,
+    [
+        'sign',
+        'verify',
+    ],
+];
+/**
+ * Generate fresh and serialized JWT signing and encryption keys. These should be stored in a secure
+ * secrets database (such as AWS Secrets Manager) for later parsing by {@link parseJwtKeys}.
+ *
+ * These keys should be kept secret and never shared with any frontend, client, etc.
+ *
+ * @category Keys
+ */
+export async function generateNewJwtKeys() {
+    return {
+        encryptionKey: assertWrap.isDefined((await globalThis.crypto.subtle.exportKey('jwk', await globalThis.crypto.subtle.generateKey({
+            name: 'AES-GCM',
+            length: 256,
+        }, true, [
+            'encrypt',
+            'decrypt',
+        ]))).k),
+        signingKey: assertWrap.isDefined((await globalThis.crypto.subtle.exportKey('jwk', await globalThis.crypto.subtle.generateKey(...signingKeyOptions))).k),
+    };
+}
+/**
+ * Parses an instance of {@link RawJwtKeys} and produces the final {@link JwtKeys} object required by
+ * all authentication functionality.
+ *
+ * @category Keys
+ */
+export async function parseJwtKeys(rawKeys) {
+    if (!rawKeys.encryptionKey) {
+        throw new Error('JWT encryption key is empty');
+    }
+    else if (!rawKeys.signingKey) {
+        throw new Error('JWT signing key is empty');
+    }
+    return {
+        encryptionKey: base64url.decode(rawKeys.encryptionKey),
+        signingKey: await crypto.subtle.importKey('jwk', {
+            k: rawKeys.signingKey,
+            alg: 'HS512',
+            ext: signingKeyOptions[1],
+            key_ops: [...signingKeyOptions[2]],
+            kty: 'oct',
+        }, ...signingKeyOptions),
+    };
+}

package/dist/jwt/jwt-keys.script.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/jwt/jwt-keys.script.js

@@ -0,0 +1,3 @@
+import { stringifyWithJson5 } from '@augment-vir/common';
+import { generateNewJwtKeys } from './jwt-keys.js';
+console.info(stringifyWithJson5(await generateNewJwtKeys()));

package/dist/jwt/jwt.d.ts

@@ -0,0 +1,126 @@
+import { type AnyObject, type PartialWithUndefined, type SelectFrom } from '@augment-vir/common';
+import { type AnyDuration, type DateLike, type FullDate, type UtcTimezone } from 'date-vir';
+import { type JwtKeys } from './jwt-keys.js';
+/**
+ * Default allowed clock skew for JWT expiration checks. Accounts for differences between server and
+ * client clocks.
+ *
+ * @category Internal
+ * @default {minutes: 5}
+ */
+export declare const defaultAllowedClockSkew: Readonly<AnyDuration>;
+/**
+ * Params for {@link createJwt}.
+ *
+ * @category Internal
+ */
+export type CreateJwtParams = Readonly<{
+    /**
+     * The keys required to sign and encrypt the JWT.
+     *
+     * These keys should be kept secret and never shared with any frontend, client, etc.
+     */
+    jwtKeys: Readonly<JwtKeys>;
+    /**
+     * The name of the company, the name of the service, or the URL to the service that originally
+     * issued the JWT. The same value must be used when creating and parsing a JWT or the parse will
+     * fail.
+     *
+     * This name can be anything you want.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1
+     */
+    issuer: string;
+    /**
+     * The arbitrary name or URL of the client intended to consume the JWT. The host and client must
+     * both know this name in order for the token to be signed and read correctly.
+     *
+     * This name can be anything you want.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
+     */
+    audience: string;
+    /**
+     * The duration until the JWT expires.
+     *
+     * @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4
+     */
+    jwtDuration: Readonly<AnyDuration>;
+}> & Readonly<PartialWithUndefined<{
+    /**
+     * Set a custom issued at date.
+     *
+     * This should usually not be overridden.
+     *
+     * @default Date.now()
+     * @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6
+     */
+    issuedAt: DateLike;
+    /**
+     * Set a custom date for when the JWT will become valid. The JWT will be considered
+     * invalid and not be processed until this date.
+     *
+     * This should usually not be overridden.
+     *
+     * @default
+     * none, the JWT will be immediately valid
+     * @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5
+     */
+    notValidUntil: DateLike;
+}>>;
+/**
+ * JWT uses seconds since the epoch per RFC 7519, whereas `toTimestamp` uses milliseconds.
+ *
+ * @category Internal
+ */
+export declare function toJwtTimestamp(date: Readonly<FullDate>): number;
+/**
+ * Converts a JWT timestamp (in seconds) into a FullDate instance.
+ *
+ * @category Internal
+ */
+export declare function parseJwtTimestamp(seconds: number): FullDate<UtcTimezone>;
+/**
+ * Creates a signed and encrypted JWT that contains the given data.
+ *
+ * @category Internal
+ */
+export declare function createJwt<JwtData extends AnyObject = AnyObject>(
+/** The data to be included in the JWT. */
+data: JwtData, params: Readonly<CreateJwtParams>): Promise<string>;
+/**
+ * Params for {@link parseJwt}.
+ *
+ * @category Internal
+ */
+export type ParseJwtParams = Readonly<SelectFrom<CreateJwtParams, {
+    issuer: true;
+    audience: true;
+    jwtKeys: true;
+}>> & PartialWithUndefined<{
+    /**
+     * Allowed clock skew tolerance for JWT expiration and timestamp checks. Accounts for
+     * differences between server and client clocks.
+     *
+     * @default {minutes: 5}
+     */
+    allowedClockSkew: Readonly<AnyDuration>;
+}>;
+/**
+ * A fully parsed JWT with embedded data.
+ *
+ * @category Internal
+ */
+export type ParsedJwt<JwtData extends AnyObject> = {
+    data: JwtData;
+    jwtExpiration: FullDate<UtcTimezone>;
+    /** When the JWT was issued (`iat` claim). */
+    jwtIssuedAt: FullDate<UtcTimezone>;
+};
+/**
+ * Parse and extract all data from an encrypted and signed JWT.
+ *
+ * @category Internal
+ * @throws Errors if the decryption, signature verification, or other JWT requirements fail
+ */
+export declare function parseJwt<JwtData extends AnyObject = AnyObject>(encryptedJwt: string, params: Readonly<ParseJwtParams>): Promise<ParsedJwt<JwtData>>;

package/dist/jwt/jwt.js

@@ -0,0 +1,109 @@
+import { assertWrap, check } from '@augment-vir/assert';
+import { calculateRelativeDate, convertDuration, createFullDateInUserTimezone, createUtcFullDate, getNowInUtcTimezone, toTimestamp, } from 'date-vir';
+import { EncryptJWT, jwtDecrypt, jwtVerify, SignJWT } from 'jose';
+const encryptionProtectedHeader = {
+    alg: 'dir',
+    enc: 'A256GCM',
+};
+const signingProtectedHeader = {
+    alg: 'HS512',
+};
+/**
+ * Default allowed clock skew for JWT expiration checks. Accounts for differences between server and
+ * client clocks.
+ *
+ * @category Internal
+ * @default {minutes: 5}
+ */
+export const defaultAllowedClockSkew = {
+    minutes: 5,
+};
+/**
+ * JWT uses seconds since the epoch per RFC 7519, whereas `toTimestamp` uses milliseconds.
+ *
+ * @category Internal
+ */
+export function toJwtTimestamp(date) {
+    return Math.floor(toTimestamp(date) / 1000);
+}
+/**
+ * Converts a JWT timestamp (in seconds) into a FullDate instance.
+ *
+ * @category Internal
+ */
+export function parseJwtTimestamp(seconds) {
+    return createUtcFullDate(seconds * 1000);
+}
+/**
+ * Creates a signed and encrypted JWT that contains the given data.
+ *
+ * @category Internal
+ */
+export async function createJwt(
+/** The data to be included in the JWT. */
+data, params) {
+    const rawJwt = new SignJWT({
+        data,
+    })
+        .setProtectedHeader(signingProtectedHeader)
+        .setIssuedAt(params.issuedAt
+        ? toJwtTimestamp(createFullDateInUserTimezone(params.issuedAt))
+        : undefined)
+        .setIssuer(params.issuer)
+        .setAudience(params.audience)
+        .setExpirationTime(toJwtTimestamp(calculateRelativeDate(getNowInUtcTimezone(), params.jwtDuration)));
+    if (params.notValidUntil) {
+        rawJwt.setNotBefore(toJwtTimestamp(createFullDateInUserTimezone(params.notValidUntil)));
+    }
+    const signedJwt = await rawJwt.sign(params.jwtKeys.signingKey);
+    return await new EncryptJWT({
+        jwt: signedJwt,
+    })
+        .setProtectedHeader(encryptionProtectedHeader)
+        .encrypt(params.jwtKeys.encryptionKey);
+}
+/**
+ * Parse and extract all data from an encrypted and signed JWT.
+ *
+ * @category Internal
+ * @throws Errors if the decryption, signature verification, or other JWT requirements fail
+ */
+export async function parseJwt(encryptedJwt, params) {
+    const decryptedJwt = await jwtDecrypt(encryptedJwt, params.jwtKeys.encryptionKey);
+    if (!check.deepEquals(decryptedJwt.protectedHeader, encryptionProtectedHeader)) {
+        throw new Error('Invalid encryption protected header.');
+    }
+    else if (!check.isString(decryptedJwt.payload.jwt)) {
+        throw new TypeError('Decrypted jwt is not a string.');
+    }
+    const clockToleranceSeconds = convertDuration(params.allowedClockSkew || defaultAllowedClockSkew, {
+        seconds: true,
+    }).seconds;
+    const verifiedJwt = await jwtVerify(decryptedJwt.payload.jwt, params.jwtKeys.signingKey, {
+        issuer: params.issuer,
+        audience: params.audience,
+        requiredClaims: [
+            'iat',
+            'aud',
+            'iss',
+        ],
+        clockTolerance: clockToleranceSeconds,
+    });
+    if (!verifiedJwt.payload.iat ||
+        verifiedJwt.payload.iat * 1000 > Date.now() + clockToleranceSeconds * 1000) {
+        throw new Error('"iat" claim timestamp check failed');
+    }
+    const data = verifiedJwt.payload.data;
+    if (!check.deepEquals(verifiedJwt.protectedHeader, signingProtectedHeader)) {
+        throw new Error('Invalid signing protected header.');
+    }
+    const issuedAtSeconds = assertWrap.isDefined(verifiedJwt.payload.iat, 'JWT has no issued at.');
+    const expirationSeconds = assertWrap.isDefined(verifiedJwt.payload.exp, 'JWT has no expiration.');
+    const jwtIssuedAt = parseJwtTimestamp(issuedAtSeconds);
+    const jwtExpiration = parseJwtTimestamp(expirationSeconds);
+    return {
+        data: data,
+        jwtExpiration,
+        jwtIssuedAt,
+    };
+}

package/dist/jwt/user-jwt.d.ts

@@ -0,0 +1,44 @@
+import { type CreateJwtParams, type ParsedJwt, type ParseJwtParams } from './jwt.js';
+/**
+ * Shape definition and source of truth for {@link JwtUserData}.
+ *
+ * @category Internal
+ */
+export declare const userJwtDataShape: import("object-shape-tester").Shape<{
+    /** The id from your database of the user you're authenticating. */
+    userId: import("object-shape-tester").Shape<import("@sinclair/typebox").TUnion<(import("@sinclair/typebox").TString | import("@sinclair/typebox").TNumber)[]>>;
+    /**
+     * CSRF token. This can be any cryptographically secure randomized string.
+     *
+     * Consider using {@link generateCsrfToken} to generate this.
+     */
+    csrfToken: string;
+    /**
+     * Unix timestamp (in milliseconds) when the session was originally started. This is used to
+     * enforce the max session duration. If not present, the session is considered to have started
+     * when the JWT was issued.
+     */
+    sessionStartedAt: import("object-shape-tester").Shape<import("@sinclair/typebox").TOptional<import("@sinclair/typebox").TUnion<[import("@sinclair/typebox").TUndefined, import("@sinclair/typebox").TNumber]>>>;
+}>;
+/**
+ * Data required for user JWTs.
+ *
+ * @category Internal
+ */
+export type JwtUserData = typeof userJwtDataShape.runtimeType;
+/**
+ * Creates a new signed and encrypted {@link JwtUserData} when a client (frontend) successfully
+ * authenticates with the host (backend). This is used by host (backend) code to establish a new
+ * user session. The output of this function should be sent to the client (frontend) for storage.
+ *
+ * @category Internal
+ */
+export declare function createUserJwt(data: Readonly<JwtUserData>, params: Readonly<CreateJwtParams>): Promise<string>;
+/**
+ * Parses a {@link JwtUserData} generated from {@link createUserJwt}. This should be used on the host
+ * (backend) to a client (frontend) request. Do not use this function in client (frontend) code: it
+ * requires JWT signing keys which should not be shared with any client (frontend).
+ *
+ * @category Internal
+ */
+export declare function parseUserJwt(encryptedJwt: string, params: Readonly<ParseJwtParams>): Promise<ParsedJwt<JwtUserData> | undefined>;

package/dist/jwt/user-jwt.js

@@ -0,0 +1,53 @@
+import { checkValidShape, defineShape, optionalShape, unionShape } from 'object-shape-tester';
+import { createJwt, parseJwt, } from './jwt.js';
+/**
+ * Shape definition and source of truth for {@link JwtUserData}.
+ *
+ * @category Internal
+ */
+export const userJwtDataShape = defineShape({
+    /** The id from your database of the user you're authenticating. */
+    userId: unionShape('', -1),
+    /**
+     * CSRF token. This can be any cryptographically secure randomized string.
+     *
+     * Consider using {@link generateCsrfToken} to generate this.
+     */
+    csrfToken: '',
+    /**
+     * Unix timestamp (in milliseconds) when the session was originally started. This is used to
+     * enforce the max session duration. If not present, the session is considered to have started
+     * when the JWT was issued.
+     */
+    sessionStartedAt: optionalShape(0, {
+        alsoUndefined: true,
+    }),
+});
+/**
+ * Creates a new signed and encrypted {@link JwtUserData} when a client (frontend) successfully
+ * authenticates with the host (backend). This is used by host (backend) code to establish a new
+ * user session. The output of this function should be sent to the client (frontend) for storage.
+ *
+ * @category Internal
+ */
+export async function createUserJwt(data, params) {
+    return await createJwt(data, params);
+}
+/**
+ * Parses a {@link JwtUserData} generated from {@link createUserJwt}. This should be used on the host
+ * (backend) to a client (frontend) request. Do not use this function in client (frontend) code: it
+ * requires JWT signing keys which should not be shared with any client (frontend).
+ *
+ * @category Internal
+ */
+export async function parseUserJwt(encryptedJwt, params) {
+    const { data, jwtExpiration, jwtIssuedAt } = await parseJwt(encryptedJwt, params);
+    if (!checkValidShape(data, userJwtDataShape)) {
+        throw new TypeError('Verified jwt has wrong data.');
+    }
+    return {
+        data,
+        jwtExpiration,
+        jwtIssuedAt,
+    };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "auth-vir",
-    "version": "5.0.2",
+    "version": "5.0.4",
     "description": "Auth made easy and secure via JWT cookies, CSRF tokens, and password hashing helpers.",
     "keywords": [
         "auth",
@@ -25,9 +25,9 @@
         "url": "https://github.com/electrovir"
     },
     "type": "module",
-    "main": "src/index.ts",
-    "module": "src/index.ts",
-    "types": "src/index.ts",
+    "main": "dist/index.js",
+    "module": "dist/index.js",
+    "types": "dist/index.d.ts",
     "bin": "bin.js",
     "scripts": {
         "build": "virmator frontend build",