bro-auth 0.2.0 → 0.2.2

package/README.md

@@ -1,174 +1,178 @@
+
 # bro-auth
 
-**Stateless JWT authentication with device fingerprint binding and derived signing keys.**
+```
+╔══════════════════════════════════════════════════════════════╗
+║               █▄▄ █▀█ █▀█   █▀█ █ █ ▀█▀ █ █                  ║
+║               █▄█ █▀▄ █▄█   █▀█ █▄█  █  █▀█                  ║
+╠══════════════════════════════════════════════════════════════╣
+║            Stateless JWT · Device Fingerprinting             ║
+╚══════════════════════════════════════════════════════════════╝
+```
+
+**Stateless JWT authentication with browser fingerprint binding and derived signing keys.**
+
 
 [![npm version](https://img.shields.io/npm/v/bro-auth.svg)](https://www.npmjs.com/package/bro-auth)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-
 ---
 
 ## Overview
 
-`bro-auth` is a Node.js library that binds JWT tokens to browser devices using fingerprinting and derives signing keys from application-provided secrets. This prevents token replay attacks and limits the impact of token theft.
+bro-auth is a stateless authentication library that strengthens JWT security by binding tokens to a browser/device fingerprint and deriving signing keys per user + device.
 
-**What bro-auth does:**
-- Generates and verifies JWT tokens bound to device fingerprints
-- Derives unique signing secrets per user-device combination using HMAC
-- Provides browser fingerprinting utilities
+It is designed to:
 
-**What bro-auth does NOT do:**
-- Manage secrets or environment variables (your application's responsibility)
-- Prevent XSS attacks (your application's responsibility)
-- Handle login UI or session management (your application's responsibility)
+* Prevent token-only theft
+* Block non-browser and cross-device replay
+* Keep authentication stateless and scalable
+* Be plug-and-play for developers
 
+> **bro-auth strengthens stateless JWT authentication by binding tokens to browser context.**  
+> It is designed to make token theft, cross-device reuse, and blind replay attacks significantly harder — while remaining fully stateless and developer-friendly.
 ---
 
-## Why Use bro-auth?
+## Why bro-auth?
 
-Traditional JWT tokens work from any device if stolen. `bro-auth` binds tokens to specific devices, making stolen tokens unusable on different browsers.
+JWT-based authentication is simple and scalable — but **by default, JWTs are bearer tokens**.  
+If a token is stolen, it can often be reused from anywhere.
 
-### Attack Mitigation
+**bro-auth raises the security bar without adding server-side state.**
 
-For an attacker to successfully use a stolen token, they would need:
+It does this by:
+- Binding tokens to the browser/device that created them
+- Deriving signing keys per user + device context
+- Making token-only theft insufficient for reuse
+- Preventing cross-browser and non-browser replay
+- Keeping the system fully stateless and horizontally scalable
 
-1. The JWT token itself (stolen via XSS, network interception, etc.)
-2. The user ID (embedded in token)
-3. The application's access/refresh secrets
-4. The exact device fingerprint hash (SHA-256)
-5. The application's server-only pepper (`BRO_AUTH_SECRET_PEPPER`)
+bro-auth is ideal when you want:
+- Better security than plain JWT
+- Zero session storage
+- Simple developer experience
+- Clear, well-defined security trade-offs
 
-Even with items 1-4, the attacker cannot:
-- Use the token from a different device (fingerprint mismatch fails verification)
-- Forge new tokens (requires the server-only pepper)
-- Replay the token (derived secret verification fails)
 
-### Security Scope & Limitations
+---
 
-**What bro-auth protects against:**
-- Token replay from different devices
-- Token forgery without server secrets
-- Credential stuffing across devices
+## Threat Model (Important – Read This)
 
-**What bro-auth does NOT protect against:**
-- XSS attacks during active execution (attacker can make requests while JS runs)
-- Full server compromise (if secrets are leaked, all bets are off)
-- Social engineering or phishing attacks
-- Browser fingerprint spoofing (though difficult, it's theoretically possible)
+### bro-auth protects against:
 
-**Your application must:**
-- Implement XSS prevention (CSP, input sanitization, etc.)
-- Store tokens securely (HTTP-only cookies for refresh tokens)
-- Protect environment variables and secrets
-- Use HTTPS in production
+* JWT copied from logs, storage, or memory
+* Token reuse from a different browser/device
+* Non-browser attacks (curl, Postman, bots)
+* Token swapping across users
+* Blind replay without browser context
 
----
+### bro-auth does NOT protect against:
 
-## Installation
+* XSS with active JS execution
+* Malicious browser extensions
+* Compromised dependencies running in-browser
+* Replay after fingerprint observation
+* Full device compromise
 
-```bash
-npm install bro-auth
-```
+> **This is a hard limit of stateless authentication, not a bug.**
 
 ---
 
-## How It Works
+## High-Level Design
+
+### Core idea
+
+A JWT is only valid if the same browser fingerprint that created it is presented again.
 
-### 1. Authentication Flow
+### Authentication Flow
+
+#### 1. Login
 
 ```
-Browser                                    Server
+Browser                                  Server
   │
-  ├─ Generate fingerprint hash
-  │  (Canvas, GPU, User-Agent, etc.)
+  ├─ Generate RAW fingerprint
+  │  (Canvas, GPU, UA, timezone, etc.)
   │
-  ├─ POST /login ────────────────────────▶ Verify credentials
-  │  { username, password, fpHash }        │
-  │                                        ├─ Derive signing secret:
-  │                                        │  HMAC(pepper, secret|userId|fpHash)
-  │                                        │
-  │                                        ├─ Sign JWT with derived secret
-  │                                        │  Payload: { sub: userId, fp: fpHash }
-  │                                        │
-  │  ◀──────────────────────────────────── Return tokens
-  │  { accessToken, refreshToken }
+  ├─ POST /login ─────────────────────▶ Verify credentials
+  │  { username, password, rawFP }      │
+  │                                     ├─ Normalize & hash fingerprint:
+  │                                     │  fpHash = SHA256(rawFP)
+  │                                     │
+  │                                     ├─ Derive signing secret:
+  │                                     │  HMAC(pepper, secret|userId|fpHash)
+  │                                     │
+  │                                     ├─ Sign JWT
+  │                                     │  Payload: { sub, fp: fpHash }
   │
+  ◀──────────────────────────────────── Return tokens
 ```
 
-### 2. Verification Flow
+#### 2. Protected API Request
 
 ```
-Browser                                    Server
-  │
-  ├─ GET /api/protected ─────────────────▶ Extract token & fpHash
-  │  Headers:                              │
-  │    Authorization: Bearer <token>       ├─ Decode token (unsafe)
-  │    X-Fingerprint: <fpHash>             │  Extract userId from payload
-  │                                        │
-  │                                        ├─ Re-derive signing secret:
-  │                                        │  HMAC(pepper, secret|userId|fpHash)
-  │                                        │
-  │                                        ├─ Verify JWT signature
-  │                                        │  jwt.verify(token, derivedSecret)
-  │                                        │
-  │                                        ├─ Compare fingerprints
-  │                                        │  payload.fp === request.fpHash
-  │                                        │
-  │  ◀──────────────────────────────────── Grant access ✓
+Browser                                  Server
   │
+  ├─ GET /api/protected ──────────────▶
+  │  Authorization: Bearer <token>     │
+  │  X-Fingerprint: <rawFP>            │
+  │                                    │
+  │                                    ├─ Hash fingerprint again:
+  │                                    │  SHA256(rawFP)
+  │                                    │
+  │                                    ├─ Re-derive signing secret
+  │                                    │
+  │                                    ├─ Verify JWT signature
+  │                                    │
+  │                                    ├─ Compare fp hashes
+  │                                    │
+  ◀──────────────────────────────────── Access granted
 ```
 
-### 3. Why Stolen Tokens Fail
+### Why Token-Only Theft Fails
 
-```
-Attacker (Different Device)                Server
-  │
-  ├─ GET /api/protected ─────────────────▶ Extract token & fpHash
-  │  Token: <stolen_token>                 │
-  │  Fingerprint: <attacker_fp_hash>       ├─ Decode token
-  │                                        │  payload.fp = <victim_fp_hash>
-  │                                        │
-  │                                        ├─ Derive secret using attacker's FP:
-  │                                        │  HMAC(pepper, secret|userId|attacker_fp)
-  │                                        │
-  │                                        ├─ Verify signature
-  │                                        │  ✗ FAILS - Different derived secret
-  │                                        │
-  │  ◀──────────────────────────────────── Reject: "invalid signature"
-  │
-```
+If an attacker steals **only the JWT:**
 
-**Key insight:** The signing secret is derived from the fingerprint. A different fingerprint produces a different secret, causing signature verification to fail.
+* They do not know the browser fingerprint
+* Signature verification fails
+* Token cannot be reused elsewhere
 
----
+If the attacker also steals the raw fingerprint:
 
-## Quick Start
+* Replay may succeed until token expiry
+* This is a known stateless limitation
 
-### Step 1: Configure Environment Variables
+---
 
-Create a `.env` file in your application (NOT in bro-auth):
+## Installation
 
 ```bash
-# Required: Application-owned server-only pepper
-# bro-auth requires this but does NOT provide it
-BRO_AUTH_SECRET_PEPPER=your-random-string-min-32-chars-never-expose
+npm install bro-auth
+```
+
+---
 
-# Your application's JWT signing secrets
-ACCESS_SECRET=your-access-secret-min-32-chars
-REFRESH_SECRET=your-refresh-secret-min-32-chars
+## Environment Variables
+
+```bash
+BRO_AUTH_SECRET_PEPPER=long-random-server-only-value
+ACCESS_SECRET=your-access-secret
+REFRESH_SECRET=your-refresh-secret
 ```
 
-**Important:** These are YOUR application's secrets. `bro-auth` reads them but does not manage or provide them.
+> ⚠️ **These secrets must never be exposed to the browser.**
+
+---
 
-### Step 2: Browser - Generate Fingerprint
+## Browser Usage
+
+### Generate fingerprint (RAW)
 
 ```javascript
 import { getFingerprint } from "bro-auth/browser";
 
 async function handleLogin() {
   // Generate device fingerprint hash
-  const fpHash = await getFingerprint();
-  
-  // fpHash is a string: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+  const rawFingerprint = await getFingerprint();
   
   const response = await fetch("/api/login", {
     method: "POST",
@@ -176,18 +180,27 @@ async function handleLogin() {
     body: JSON.stringify({
       username: "user@example.com",
       password: "password123",
-      fingerprint: fpHash
+      fingerprint: rawFingerprint
     })
   });
   
   const { accessToken, refreshToken } = await response.json();
   
-  // Store tokens (see security best practices)
+  // Store access token (see Token Storage Best Practices below)
   sessionStorage.setItem("accessToken", accessToken);
+  
+  // Refresh token is typically set as HTTP-only cookie by the server
 }
 ```
 
-### Step 3: Server - Generate Tokens
+**Returns:** A normalized raw string  
+**Note:** Never hashed on the client, sent as-is to the backend
+
+---
+
+## Server Usage
+
+### Generate Tokens
 
 ```javascript
 import { generateTokens } from "bro-auth/core";
@@ -204,7 +217,7 @@ app.post("/api/login", async (req, res) => {
   // 2. Generate device-bound tokens
   const { accessToken, refreshToken } = generateTokens(
     user.id,                          // userId
-    fingerprint,                      // fpHash from browser
+    fingerprint,                      // RAW fingerprint from browser
     process.env.ACCESS_SECRET,        // your secret
     process.env.REFRESH_SECRET        // your secret
   );
@@ -213,7 +226,9 @@ app.post("/api/login", async (req, res) => {
 });
 ```
 
-### Step 4: Server - Verify Requests
+> **Note:** bro-auth hashes the fingerprint internally using SHA-256.
+
+### Verify Access Token
 
 ```javascript
 import { verifyAccessToken } from "bro-auth/core";
@@ -228,7 +243,7 @@ app.get("/api/protected", (req, res) => {
   
   const result = verifyAccessToken(
     token,
-    fingerprint,
+    fingerprint,                      // RAW fingerprint
     process.env.ACCESS_SECRET
   );
   
@@ -242,7 +257,37 @@ app.get("/api/protected", (req, res) => {
 });
 ```
 
-### Step 5: Server - Refresh Tokens
+### Why RAW FP → Server-Side Hashing?
+
+* Prevents trusting client-side hashes blindly
+* Ensures consistent normalization
+* Improves debuggability
+* Avoids mismatch bugs
+* Keeps hashing logic centralized
+
+> **Hashing is not claimed as replay prevention** — it is a binding and consistency mechanism.
+
+---
+
+## API Reference (Key Functions)
+
+### `getFingerprint()`
+
+Returns normalized raw fingerprint string.
+
+### `generateTokens(userId, rawFP, accessSecret, refreshSecret)`
+
+* Hashes fingerprint internally
+* Derives signing secrets
+* Issues access + refresh tokens
+
+### `verifyAccessToken(token, rawFP, secret)`
+
+* Hashes fingerprint again
+* Re-derives signing key
+* Verifies JWT integrity & binding
+
+### Refresh Tokens
 
 ```javascript
 import { verifyRefreshToken, generateTokens } from "bro-auth/core";
@@ -274,7 +319,154 @@ app.post("/api/refresh", (req, res) => {
 
 ---
 
-## API Reference
+## Token Storage Best Practices
+
+### Access Token Storage
+
+You can store access tokens in:
+
+* **HTTP-only cookies** (Recommended) - Most secure, immune to XSS
+* **Session storage** - Good for SPAs, cleared on tab close
+* **Local storage** - Not recommended, vulnerable to XSS attacks
+* **Memory (React state/Vue reactive)** - Secure but lost on page refresh
+
+**Best practice:** Use HTTP-only cookies for maximum security.
+
+#### Example: Storing Access Token in HTTP-only Cookie (Server-side)
+
+```javascript
+import { generateTokens } from "bro-auth/core";
+
+app.post("/api/login", async (req, res) => {
+  const { username, password, fingerprint } = req.body;
+  const user = await authenticateUser(username, password);
+  
+  if (!user) {
+    return res.status(401).json({ error: "Invalid credentials" });
+  }
+  
+  const { accessToken, refreshToken } = generateTokens(
+    user.id,
+    fingerprint,
+    process.env.ACCESS_SECRET,
+    process.env.REFRESH_SECRET
+  );
+  
+  // Set access token as HTTP-only cookie
+  res.cookie("accessToken", accessToken, {
+    httpOnly: true,
+    secure: true,
+    sameSite: "strict",
+    maxAge: 15 * 60 * 1000 // 15 minutes
+  });
+  
+  // Set refresh token as HTTP-only cookie
+  res.cookie("refreshToken", refreshToken, {
+    httpOnly: true,
+    secure: true,
+    sameSite: "strict",
+    maxAge: 7 * 24 * 60 * 60 * 1000 // 7 days
+  });
+  
+  res.json({ success: true });
+});
+```
+
+### Refresh Token Storage
+
+**Always store refresh tokens in HTTP-only cookies.** 
+
+bro-auth provides a built-in helper method `buildRefreshCookie` to simplify this.
+
+#### Using `buildRefreshCookie`
+
+```javascript
+import { generateTokens, buildRefreshCookie } from "bro-auth/core";
+
+app.post("/api/login", async (req, res) => {
+  const { username, password, fingerprint } = req.body;
+  const user = await authenticateUser(username, password);
+  
+  if (!user) {
+    return res.status(401).json({ error: "Invalid credentials" });
+  }
+  
+  const { accessToken, refreshToken } = generateTokens(
+    user.id,
+    fingerprint,
+    process.env.ACCESS_SECRET,
+    process.env.REFRESH_SECRET
+  );
+  
+  // Use bro-auth's built-in helper for refresh token cookie
+  const refreshCookie = buildRefreshCookie(refreshToken);
+  
+  res.cookie(
+    refreshCookie.name,
+    refreshCookie.value,
+    refreshCookie.options
+  );
+  
+  // Return access token (client can store in sessionStorage or cookie)
+  res.json({ accessToken });
+});
+```
+
+#### Custom Configuration for `buildRefreshCookie`
+
+```javascript
+import { buildRefreshCookie } from "bro-auth/core";
+
+// Default: 7 days
+const cookie = buildRefreshCookie(refreshToken);
+
+// Custom expiry: 24 hours
+const cookie24h = buildRefreshCookie(refreshToken, 60 * 60 * 24);
+
+// The cookie object contains:
+// {
+//   name: "bro_refresh",
+//   value: "<token>",
+//   options: {
+//     httpOnly: true,
+//     secure: true,
+//     sameSite: "strict",
+//     path: "/",
+//     maxAge: <seconds>
+//   }
+// }
+```
+
+#### Clearing Refresh Token on Logout
+
+```javascript
+import { buildClearRefreshCookie } from "bro-auth/core";
+
+app.post("/api/logout", (req, res) => {
+  const clearCookie = buildClearRefreshCookie();
+  
+  res.cookie(
+    clearCookie.name,
+    clearCookie.value,
+    clearCookie.options
+  );
+  
+  res.json({ message: "Logged out successfully" });
+});
+```
+
+### Additional Security Best Practices
+
+* Use short-lived access tokens (5–15 min)
+* Enable CSP (Content Security Policy) to reduce XSS risk
+* Rotate secrets on compromise
+* Always use HTTPS in production
+* Implement rate limiting on authentication endpoints
+* Treat bro-auth as hardening, not magic
+
+---
+
+## Full API Reference
 
 ### Browser Module (`bro-auth/browser`)
 
@@ -411,43 +603,72 @@ Verifies a refresh token and fingerprint binding.
 
 ---
 
-#### `buildRefreshCookie(refreshToken, options?)`
+#### `buildRefreshCookie(refreshToken, maxAge?)`
 
-Generates a secure HTTP-only cookie string for refresh tokens.
+Generates a secure HTTP-only cookie configuration object for refresh tokens.
 
 **Parameters:**
 - `refreshToken` (string) - The refresh token
-- `options` (object, optional):
-  - `maxAge` (number) - Cookie lifetime in seconds (default: 604800 = 7 days)
-  - `domain` (string) - Cookie domain
-  - `sameSite` ("Strict" | "Lax" | "None") - SameSite policy (default: "Strict")
-  - `secure` (boolean) - HTTPS only (default: true)
+- `maxAge` (number, optional) - Cookie lifetime in seconds (default: 604800 = 7 days)
 
-**Returns:** `string` (Set-Cookie header value)
+**Returns:** `Object`
+```javascript
+{
+  name: "bro_refresh",
+  value: string,
+  options: {
+    httpOnly: true,
+    secure: true,
+    sameSite: "strict",
+    path: "/",
+    maxAge: number
+  }
+}
+```
 
 **Example:**
 ```javascript
-const cookie = buildRefreshCookie(refreshToken, {
-  maxAge: 86400,
-  sameSite: "Strict",
-  secure: true
-});
+import { buildRefreshCookie } from "bro-auth/core";
+
+const refreshCookie = buildRefreshCookie(refreshToken);
+
+// Express/Fastify
+res.cookie(
+  refreshCookie.name,
+  refreshCookie.value,
+  refreshCookie.options
+);
 
-res.setHeader("Set-Cookie", cookie);
+// Next.js App Router
+import { cookies } from "next/headers";
+cookies().set(
+  refreshCookie.name,
+  refreshCookie.value,
+  refreshCookie.options
+);
 ```
 
 ---
 
 #### `buildClearRefreshCookie()`
 
-Generates a cookie string to clear the refresh token (for logout).
+Generates a cookie configuration object to clear the refresh token (for logout).
 
-**Returns:** `string`
+**Returns:** `Object` (same structure as `buildRefreshCookie` but with empty value and maxAge: 0)
 
 **Example:**
 ```javascript
+import { buildClearRefreshCookie } from "bro-auth/core";
+
 app.post("/api/logout", (req, res) => {
-  res.setHeader("Set-Cookie", buildClearRefreshCookie());
+  const clearCookie = buildClearRefreshCookie();
+  
+  res.cookie(
+    clearCookie.name,
+    clearCookie.value,
+    clearCookie.options
+  );
+  
   res.json({ message: "Logged out" });
 });
 ```
@@ -469,101 +690,38 @@ Derives a unique signing secret using HMAC-SHA256 with the application's pepper.
 
 ---
 
-## Security Best Practices
+## FAQ (Corrected)
 
-### 1. Environment Variables
+**"Is bro-auth replay-proof?"**
 
-Never hardcode secrets. Use environment variables:
+❌ No.  
+It blocks token-only replay, not replay after full browser compromise.
 
-```bash
-# .env (add to .gitignore)
-BRO_AUTH_SECRET_PEPPER=min-32-chars-random-string
-ACCESS_SECRET=min-32-chars-random-string
-REFRESH_SECRET=min-32-chars-random-string
-```
-
-Generate secrets using:
-```bash
-node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
-```
+**"Is this better than plain JWT?"**
 
-### 2. Token Storage
+✅ Yes. Significantly.
 
-**Access tokens:**
-- Store in memory (React state, Vue reactive)
-- Session storage is acceptable for SPAs
-- **Never** in localStorage (XSS vulnerable)
+**"Is this WebAuthn?"**
 
-**Refresh tokens:**
-- HTTP-only, Secure, SameSite=Strict cookies (recommended)
-- **Never** accessible to JavaScript
+❌ No.  
+bro-auth is stateless. WebAuthn is stateful + hardware-backed.
 
-**Example:**
-```javascript
-// ✓ Good: In-memory
-const [accessToken, setAccessToken] = useState(null);
-
-// ✗ Bad: localStorage
-localStorage.setItem("token", accessToken); // XSS vulnerable
-```
-
-### 3. HTTPS Only
-
-Always use HTTPS in production:
-
-```javascript
-const cookie = buildRefreshCookie(refreshToken, {
-  secure: process.env.NODE_ENV === "production",
-  sameSite: "Strict"
-});
-```
-
-### 4. Short-Lived Access Tokens
-
-Keep access token TTL short (5-15 minutes):
-
-```javascript
-generateAccessToken(userId, fpHash, secret, "15m");
-```
-
-### 5. Token Rotation
-
-Rotate refresh tokens on each use:
-
-```javascript
-app.post("/api/refresh", async (req, res) => {
-  const result = verifyRefreshToken(/* ... */);
-  
-  if (result.valid) {
-    // Issue new token pair
-    const newTokens = generateTokens(/* ... */);
-    
-    // Optional: Invalidate old refresh token in database
-    await revokeToken(req.body.refreshToken);
-    
-    res.json(newTokens);
-  }
-});
-```
+---
 
-### 6. Rate Limiting
+## Final Positioning (Important)
 
-Implement rate limiting on auth endpoints:
+**bro-auth is a stateless JWT hardening library.**  
+It raises the bar against real-world JWT misuse while remaining scalable and developer-friendly.
 
-```javascript
-import rateLimit from "express-rate-limit";
+That statement is:
 
-const loginLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000,
-  max: 5
-});
-
-app.post("/api/login", loginLimiter, handleLogin);
-```
+* technically correct
+* interview-safe
+* production-honest
 
 ---
 
-## Framework Examples
+## Advanced Framework Examples
 
 ### Express.js Middleware
 
@@ -719,55 +877,6 @@ export const useAuth = () => useContext(AuthContext);
 
 ---
 
-## FAQ
-
-**Q: Can users have multiple devices?**
-
-A: Yes. Each device generates its own fingerprint. Issue separate token pairs for each device. Optionally track active sessions by storing fingerprint hashes.
-
-**Q: What if the fingerprint changes (browser update)?**
-
-A: The user must re-authenticate. This is intentional—it prevents fingerprint spoofing. For better UX, implement a "trusted devices" feature or send email notifications for new logins.
-
-**Q: What about privacy concerns?**
-
-A: The fingerprint is SHA-256 hashed before transmission. Only the hash is sent to the server. However, disclose fingerprinting in your privacy policy and comply with GDPR/CCPA.
-
-**Q: Does this work with mobile apps?**
-
-A: The browser module is web-only. For mobile apps, use native device identifiers:
-- iOS: `identifierForVendor`
-- Android: `ANDROID_ID`
-- React Native: `react-native-device-info`
-
-**Q: How do I invalidate tokens immediately?**
-
-A: `bro-auth` is stateless, so tokens can't be revoked until expiry. For immediate invalidation:
-- Maintain a token blacklist in Redis
-- Use short-lived access tokens (5-15 min)
-- Implement token versioning (increment on password change)
-
-**Q: Can I use this with GraphQL?**
-
-A: Yes. Pass credentials in HTTP headers:
-
-```javascript
-const client = new ApolloClient({
-  uri: '/graphql',
-  request: async (operation) => {
-    const fpHash = await getFingerprint();
-    operation.setContext({
-      headers: {
-        authorization: `Bearer ${accessToken}`,
-        'x-fingerprint': fpHash
-      }
-    });
-  }
-});
-```
-
----
-
 ## Testing
 
 ### Run Backend Tests
@@ -811,7 +920,7 @@ Contributions welcome. Please:
 
 ## License
 
-MIT © Vaishnav
+MIT © Vaishnav - Creator of bro-auth
 
 ---
 
@@ -819,4 +928,5 @@ MIT © Vaishnav
 
 - [NPM Package](https://www.npmjs.com/package/bro-auth)
 - [GitHub Repository](https://github.com/ChakraVaishnav/bro-auth)
-- [Report Issues](https://github.com/ChakraVaishnav/bro-auth/issues)
+- [Report Issues](https://github.com/ChakraVaishnav/bro-auth/issues)
+- [Portfolio](https://giyu.me)

package/dist/browser.cjs

@@ -705,6 +705,8 @@ async function getFingerprint() {
   ].join("|");
   const hash = SHA256(normalizedString).toString();
   return {
+    normalizedString,
+    components,
     hash
   };
 }

package/dist/browser.js

@@ -680,6 +680,8 @@ async function getFingerprint() {
   ].join("|");
   const hash = SHA256(normalizedString).toString();
   return {
+    normalizedString,
+    components,
     hash
   };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bro-auth",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "bro-auth — Stateless, fingerprint-bound JWT authentication. Server utilities + browser fingerprinting module.",
   "type": "module",
   "main": "dist/index.cjs",
@@ -46,4 +46,4 @@
     "tsup": "^8.5.1",
     "typescript": "^5.9.3"
   }
-}
+}