client-certificate-auth 1.1.3 → 1.3.0

package/README.md

@@ -7,7 +7,7 @@ Express/Connect middleware for client SSL certificate authentication (mTLS).
 [![codecov](https://codecov.io/gh/tgies/client-certificate-auth/graph/badge.svg)](https://codecov.io/gh/tgies/client-certificate-auth)
 [![stryker mutation testing](https://img.shields.io/endpoint?style=flat&url=https%3A%2F%2Fbadge-api.stryker-mutator.io%2Fgithub.com%2Ftgies%2Fclient-certificate-auth%2Fmaster)](https://dashboard.stryker-mutator.io/reports/github.com/tgies/client-certificate-auth/master)
 
-100% line/branch/function/statement coverage, plus mutation testing and E2E tests against real nginx/Envoy/Traefik containers. ~3,500 lines of test code for ~600 lines of source (measured by [cloc](https://github.com/AlDanial/cloc)).
+100% line/branch/function/statement coverage, plus mutation testing and E2E tests against real nginx/Envoy/Traefik containers. ~4,477 lines of test code for ~679 lines of source (measured by [cloc](https://github.com/AlDanial/cloc)).
 
 ## Installation
 
@@ -186,6 +186,112 @@ The `cert` parameter contains fields from [`tls.PeerCertificate`](https://nodejs
 - `valid_from`, `valid_to` - Validity period
 - `issuerCertificate` - Issuer's certificate (only when `includeChain: true`)
 
+### `extractClientCertificate(req, options?)`
+
+Framework-agnostic certificate extraction function exported from `client-certificate-auth/extractor`. Use this when building adapters for non-Express frameworks or when you need certificate extraction without middleware.
+
+**Parameters:**
+
+| Name | Type | Description |
+|------|------|-------------|
+| `req` | `Object` | Request object with `headers` and optional `socket` |
+| `req.headers` | `Record<string, string \| string[]>` | HTTP headers object |
+| `req.socket` | `Object` | Optional TLS socket (for socket-based extraction) |
+| `options` | `Object` | Same options as middleware (except `onAuthenticated`/`onRejected`) |
+
+**Returns:** `ExtractionResult`
+
+```typescript
+{
+  success: boolean;
+  certificate: PeerCertificate | null;
+  reason: string | null;  // Rejection reason if success is false
+}
+```
+
+**Rejection reasons:**
+
+- `'verification_header_mismatch'` - Proxy verify header didn't match expected value
+- `'header_missing_or_malformed'` - Header extraction failed and no fallback configured
+- `'socket_not_authorized'` - Socket not authorized for TLS client cert
+- `'certificate_not_retrievable'` - Socket authorized but getPeerCertificate() returned empty
+
+**Example - Building a Koa adapter:**
+
+```javascript
+import { extractClientCertificate } from 'client-certificate-auth/extractor';
+
+function koaClientCert(checkAuth, options = {}) {
+  return async (ctx, next) => {
+    const result = extractClientCertificate(ctx.req, options);
+
+    if (!result.success) {
+      ctx.throw(401, result.reason);
+    }
+
+    ctx.state.clientCertificate = result.certificate;
+
+    const allowed = await checkAuth(result.certificate, ctx.req);
+    if (!allowed) {
+      ctx.throw(401, 'Certificate not authorized');
+    }
+
+    await next();
+  };
+}
+
+// Usage
+app.use(koaClientCert(
+  (cert) => cert.subject.CN === 'admin',
+  { certificateSource: 'aws-alb' }
+));
+```
+
+**Example - Custom authentication flow:**
+
+```javascript
+import { extractClientCertificate } from 'client-certificate-auth/extractor';
+
+app.post('/api/login', (req, res) => {
+  // Extract certificate without middleware
+  const result = extractClientCertificate(req, {
+    certificateSource: 'envoy',
+    fallbackToSocket: true
+  });
+
+  if (!result.success) {
+    return res.status(401).json({ error: result.reason });
+  }
+
+  // Custom auth logic
+  const user = lookupUserByCertFingerprint(result.certificate.fingerprint);
+  if (!user) {
+    return res.status(403).json({ error: 'Certificate not registered' });
+  }
+
+  // Issue session token
+  const token = createSessionToken(user);
+  res.json({ token, user });
+});
+```
+
+### Ecosystem
+
+This package provides everything you need to build mTLS authentication for any Node.js framework:
+
+- **Certificate extraction** via `extractClientCertificate()` - handles both socket and header-based extraction
+- **Authorization helpers** - reusable validation callbacks for common patterns (`allowCN`, `allowFingerprints`, etc.)
+- **Parser library** - decode certificates from various reverse proxy formats (Envoy XFCC, AWS ALB, Cloudflare, etc.)
+- **Type definitions** - full TypeScript support
+
+**Official framework adapters:**
+
+- **[passport-client-certificate-auth](https://www.npmjs.com/package/passport-client-certificate-auth)** - Passport.js strategy for mTLS authentication
+
+**Community adapters:**
+
+If you build an adapter for another framework (Koa, Fastify, Hapi, NestJS, etc.), please open an issue or PR to get it listed here!
+
 ### Accessing the Certificate
 
 After authentication, the certificate is attached to `req.clientCertificate` for downstream handlers:

package/lib/clientCertificateAuth.js

@@ -5,7 +5,7 @@
  * @license MIT
  */
 
-import { getCertificateFromHeaders } from './parsers.js';
+import { extractClientCertificate } from './extractor.js';
 
 /**
  * @typedef {import('http').IncomingMessage & { secure?: boolean; socket: import('tls').TLSSocket & { authorized?: boolean; authorizationError?: string }; clientCertificate?: import('tls').PeerCertificate }} ClientCertRequest
@@ -113,72 +113,52 @@ export default function clientCertificateAuth(callback, options = {}) {
     });
   }
 
-  // Determine if header-based extraction is configured
-  const useHeaders = Boolean(certificateSource || certificateHeader);
-
   return function middleware(req, res, next) {
-    let cert = null;
+    // Extract certificate using shared extractor logic
+    const result = extractClientCertificate(req, {
+      certificateSource,
+      certificateHeader,
+      headerEncoding,
+      fallbackToSocket,
+      includeChain,
+      verifyHeader,
+      verifyValue,
+    });
 
-    // Try header-based extraction first if configured
-    if (useHeaders) {
-      // Verify upstream proxy's certificate validation if configured
-      // Stryker disable next-line LogicalOperator: construction-time validation ensures both set or neither, so && vs || is equivalent
-      if (verifyHeader && verifyValue) {
-        const verifyStatus = req.headers[verifyHeader.toLowerCase()];
-        if (Array.isArray(verifyStatus) || verifyStatus !== verifyValue) {
-          safeCallHook(onRejected, null, req, 'verification_header_mismatch');
-          const e = new Error(`Unauthorized: Certificate verification failed (${verifyStatus || 'header missing'})`);
-          e.status = 401;
-          return next(e);
-        }
-      }
-      cert = getCertificateFromHeaders(req.headers, {
-        certificateSource,
-        certificateHeader,
-        headerEncoding,
-      });
+    if (!result.success) {
+      safeCallHook(onRejected, null, req, result.reason);
 
-      // Normalize: strip chain unless includeChain is true
-      if (cert && !includeChain && 'issuerCertificate' in cert) {
-        delete cert.issuerCertificate;
-      }
+      // Map rejection reasons to user-friendly error messages
+      let errorMessage;
+      let statusCode = 401;
 
-      if (!cert) {
-        // If no fallback, return 401 immediately
-        if (!fallbackToSocket) {
-          safeCallHook(onRejected, null, req, 'header_missing_or_malformed');
-          const e = new Error('Unauthorized: Client certificate header missing or malformed');
-          e.status = 401;
-          return next(e);
+      switch (result.reason) {
+        case 'verification_header_mismatch': {
+          const verifyStatus = req.headers[verifyHeader.toLowerCase()];
+          errorMessage = `Unauthorized: Certificate verification failed (${verifyStatus || 'header missing'})`;
+          break;
         }
-      }
-    }
-
-    // Fallback to socket-based extraction (original behavior)
-    if (!cert) {
-      // Ensure that the certificate was validated at the protocol level
-      if (!req.socket?.authorized) {
-        safeCallHook(onRejected, null, req, 'socket_not_authorized');
-        const authError = req.socket?.authorizationError || 'unknown';
-        const e = new Error(`Unauthorized: Client certificate required (${authError})`);
-        e.status = 401;
-        return next(e);
+        case 'header_missing_or_malformed':
+          errorMessage = 'Unauthorized: Client certificate header missing or malformed';
+          break;
+        case 'socket_not_authorized': {
+          const authError = req.socket?.authorizationError || 'unknown';
+          errorMessage = `Unauthorized: Client certificate required (${authError})`;
+          break;
+        }
+        case 'certificate_not_retrievable':
+          errorMessage = 'Client certificate was authenticated but certificate information could not be retrieved.';
+          statusCode = 500;
+          break;
       }
 
-      // Obtain certificate details from socket
-      cert = req.socket.getPeerCertificate(includeChain);
-      if (!cert || Object.keys(cert).length === 0) {
-        // Handle the bizarre case where a certificate was validated but we can't inspect it
-        safeCallHook(onRejected, null, req, 'certificate_not_retrievable');
-        const e = new Error(
-          'Client certificate was authenticated but certificate information could not be retrieved.'
-        );
-        e.status = 500;
-        return next(e);
-      }
+      const e = new Error(errorMessage);
+      e.status = statusCode;
+      return next(e);
     }
 
     // Attach certificate to request for downstream access
+    const cert = result.certificate;
     req.clientCertificate = cert;
 
     /**
@@ -197,9 +177,9 @@ export default function clientCertificateAuth(callback, options = {}) {
     }
 
     try {
-      const result = callback(cert, req);
-      if (result instanceof Promise) {
-        result.then(doneAuthorizing).catch((err) => {
+      const callbackResult = callback(cert, req);
+      if (callbackResult instanceof Promise) {
+        callbackResult.then(doneAuthorizing).catch((err) => {
           safeCallHook(onRejected, cert, req, err.message || 'callback_threw');
           if (err.status === undefined) {
             err.status = 401;
@@ -207,7 +187,7 @@ export default function clientCertificateAuth(callback, options = {}) {
           next(err);
         });
       } else {
-        doneAuthorizing(result);
+        doneAuthorizing(callbackResult);
       }
     } catch (err) {
       safeCallHook(onRejected, cert, req, err.message || 'callback_threw');

package/lib/extractor.cjs

@@ -0,0 +1,20 @@
+/*!
+ * client-certificate-auth/extractor - CommonJS wrapper
+ * Copyright (C) 2013-2026 Tony Gies
+ * @license MIT
+ */
+
+'use strict';
+
+let _module;
+
+async function load() {
+    // Stryker disable next-line ConditionalExpression,BlockStatement: test ordering caches _module from prior test; ConditionalExpression→true (always re-import) re-imports same module successfully; BlockStatement→{} uses cached value
+    if (!_module) {
+        // Stryker disable next-line StringLiteral: test ordering caches _module; StringLiteral→"" fails import but cached value masks it
+        _module = await import('./extractor.js');
+    }
+    return _module;
+}
+
+module.exports = { load };

package/lib/extractor.d.cts

@@ -0,0 +1,13 @@
+/*!
+ * client-certificate-auth/extractor - CommonJS type declarations
+ * Copyright (C) 2013-2026 Tony Gies
+ * @license MIT
+ */
+
+import type * as ExtractorModule from './extractor.js';
+
+declare const extractor: {
+    load(): Promise<typeof ExtractorModule>;
+};
+
+export = extractor;

package/lib/extractor.d.ts

@@ -0,0 +1,110 @@
+/**
+ * @typedef {Object} ExtractionResult
+ * @property {boolean} success - Whether extraction succeeded
+ * @property {import('tls').PeerCertificate | null} certificate - Extracted certificate (null on failure)
+ * @property {string | null} reason - Rejection reason code (null on success)
+ *
+ * Rejection reasons:
+ * - 'verification_header_mismatch' - Proxy verify header didn't match expected value
+ * - 'header_missing_or_malformed' - Header extraction failed and no fallback configured
+ * - 'socket_not_authorized' - Socket not authorized for TLS client cert
+ * - 'certificate_not_retrievable' - Socket authorized but getPeerCertificate() returned empty
+ */
+/**
+ * @typedef {Object} ExtractorOptions
+ * @property {'aws-alb' | 'envoy' | 'cloudflare' | 'traefik'} [certificateSource] - Preset configuration
+ * @property {string} [certificateHeader] - Custom header name
+ * @property {'url-pem' | 'url-pem-aws' | 'xfcc' | 'base64-der' | 'rfc9440'} [headerEncoding] - Header encoding
+ * @property {boolean} [fallbackToSocket=false] - Try socket if header extraction fails
+ * @property {boolean} [includeChain=false] - Include issuerCertificate chain
+ * @property {string} [verifyHeader] - Header name for upstream verification status
+ * @property {string} [verifyValue] - Expected value for successful verification
+ */
+/**
+ * Extract client certificate from request.
+ *
+ * Works with both header-based extraction (reverse proxy scenarios) and socket-based
+ * extraction (direct TLS connections). Returns a structured result object instead of
+ * throwing or using callbacks, making it suitable for any framework adapter.
+ *
+ * @param {Object} req - Request object with headers and optional socket
+ * @param {Record<string, string | string[] | undefined>} req.headers - HTTP headers object
+ * @param {Object} [req.socket] - TLS socket with getPeerCertificate() method
+ * @param {boolean} [req.socket.authorized] - Whether socket was authorized
+ * @param {(detailed: boolean) => import('tls').PeerCertificate} [req.socket.getPeerCertificate] - Get peer certificate
+ * @param {ExtractorOptions} [options={}] - Extraction options
+ * @returns {ExtractionResult}
+ *
+ * @example
+ * // AWS ALB header extraction
+ * const result = extractClientCertificate(req, { certificateSource: 'aws-alb' });
+ * if (result.success) {
+ *   console.log('Certificate CN:', result.certificate.subject.CN);
+ * } else {
+ *   console.error('Extraction failed:', result.reason);
+ * }
+ *
+ * @example
+ * // Socket extraction with fallback
+ * const result = extractClientCertificate(req, {
+ *   certificateSource: 'envoy',
+ *   fallbackToSocket: true
+ * });
+ */
+export function extractClientCertificate(req: {
+    headers: Record<string, string | string[] | undefined>;
+    socket?: {
+        authorized?: boolean;
+        getPeerCertificate?: (detailed: boolean) => import("tls").PeerCertificate;
+    };
+}, options?: ExtractorOptions): ExtractionResult;
+export type ExtractionResult = {
+    /**
+     * - Whether extraction succeeded
+     */
+    success: boolean;
+    /**
+     * - Extracted certificate (null on failure)
+     */
+    certificate: import("tls").PeerCertificate | null;
+    /**
+     * - Rejection reason code (null on success)
+     *
+     * Rejection reasons:
+     * - 'verification_header_mismatch' - Proxy verify header didn't match expected value
+     * - 'header_missing_or_malformed' - Header extraction failed and no fallback configured
+     * - 'socket_not_authorized' - Socket not authorized for TLS client cert
+     * - 'certificate_not_retrievable' - Socket authorized but getPeerCertificate() returned empty
+     */
+    reason: string | null;
+};
+export type ExtractorOptions = {
+    /**
+     * - Preset configuration
+     */
+    certificateSource?: "aws-alb" | "envoy" | "cloudflare" | "traefik";
+    /**
+     * - Custom header name
+     */
+    certificateHeader?: string;
+    /**
+     * - Header encoding
+     */
+    headerEncoding?: "url-pem" | "url-pem-aws" | "xfcc" | "base64-der" | "rfc9440";
+    /**
+     * - Try socket if header extraction fails
+     */
+    fallbackToSocket?: boolean;
+    /**
+     * - Include issuerCertificate chain
+     */
+    includeChain?: boolean;
+    /**
+     * - Header name for upstream verification status
+     */
+    verifyHeader?: string;
+    /**
+     * - Expected value for successful verification
+     */
+    verifyValue?: string;
+};

package/lib/extractor.js

@@ -0,0 +1,160 @@
+/*!
+ * client-certificate-auth - Certificate extraction module
+ * Copyright (C) 2013-2026 Tony Gies
+ * @license MIT
+ */
+
+import { getCertificateFromHeaders } from './parsers.js';
+
+/**
+ * @typedef {Object} ExtractionResult
+ * @property {boolean} success - Whether extraction succeeded
+ * @property {import('tls').PeerCertificate | null} certificate - Extracted certificate (null on failure)
+ * @property {string | null} reason - Rejection reason code (null on success)
+ *
+ * Rejection reasons:
+ * - 'verification_header_mismatch' - Proxy verify header didn't match expected value
+ * - 'header_missing_or_malformed' - Header extraction failed and no fallback configured
+ * - 'socket_not_authorized' - Socket not authorized for TLS client cert
+ * - 'certificate_not_retrievable' - Socket authorized but getPeerCertificate() returned empty
+ */
+
+/**
+ * @typedef {Object} ExtractorOptions
+ * @property {'aws-alb' | 'envoy' | 'cloudflare' | 'traefik'} [certificateSource] - Preset configuration
+ * @property {string} [certificateHeader] - Custom header name
+ * @property {'url-pem' | 'url-pem-aws' | 'xfcc' | 'base64-der' | 'rfc9440'} [headerEncoding] - Header encoding
+ * @property {boolean} [fallbackToSocket=false] - Try socket if header extraction fails
+ * @property {boolean} [includeChain=false] - Include issuerCertificate chain
+ * @property {string} [verifyHeader] - Header name for upstream verification status
+ * @property {string} [verifyValue] - Expected value for successful verification
+ */
+
+/**
+ * Extract client certificate from request.
+ *
+ * Works with both header-based extraction (reverse proxy scenarios) and socket-based
+ * extraction (direct TLS connections). Returns a structured result object instead of
+ * throwing or using callbacks, making it suitable for any framework adapter.
+ *
+ * @param {Object} req - Request object with headers and optional socket
+ * @param {Record<string, string | string[] | undefined>} req.headers - HTTP headers object
+ * @param {Object} [req.socket] - TLS socket with getPeerCertificate() method
+ * @param {boolean} [req.socket.authorized] - Whether socket was authorized
+ * @param {(detailed: boolean) => import('tls').PeerCertificate} [req.socket.getPeerCertificate] - Get peer certificate
+ * @param {ExtractorOptions} [options={}] - Extraction options
+ * @returns {ExtractionResult}
+ *
+ * @example
+ * // AWS ALB header extraction
+ * const result = extractClientCertificate(req, { certificateSource: 'aws-alb' });
+ * if (result.success) {
+ *   console.log('Certificate CN:', result.certificate.subject.CN);
+ * } else {
+ *   console.error('Extraction failed:', result.reason);
+ * }
+ *
+ * @example
+ * // Socket extraction with fallback
+ * const result = extractClientCertificate(req, {
+ *   certificateSource: 'envoy',
+ *   fallbackToSocket: true
+ * });
+ */
+export function extractClientCertificate(req, options = {}) {
+  const {
+    certificateSource,
+    certificateHeader,
+    headerEncoding,
+    fallbackToSocket = false,
+    includeChain = false,
+    verifyHeader,
+    verifyValue,
+  } = options;
+
+  // Validate verifyHeader/verifyValue pairing
+  if ((verifyHeader && !verifyValue) || (!verifyHeader && verifyValue)) {
+    throw new Error(
+      'extractClientCertificate: verifyHeader and verifyValue must both be provided together, or both omitted'
+    );
+  }
+
+  const useHeaders = Boolean(certificateSource || certificateHeader);
+  let cert = null;
+
+  // Try header-based extraction first if configured
+  if (useHeaders) {
+    // Verify upstream proxy's certificate validation if configured
+    // Stryker disable next-line LogicalOperator: construction-time validation ensures both set or neither, single-side check is redundant but clearer
+    if (verifyHeader && verifyValue) {
+      const verifyStatus = req.headers[verifyHeader.toLowerCase()];
+      if (Array.isArray(verifyStatus) || verifyStatus !== verifyValue) {
+        return {
+          success: false,
+          certificate: null,
+          reason: 'verification_header_mismatch',
+        };
+      }
+    }
+
+    cert = getCertificateFromHeaders(req.headers, {
+      certificateSource,
+      certificateHeader,
+      headerEncoding,
+    });
+
+    // Normalize: strip chain unless includeChain is true
+    if (cert && !includeChain && 'issuerCertificate' in cert) {
+      delete cert.issuerCertificate;
+    }
+
+    if (!cert) {
+      // If no fallback, return error immediately
+      if (!fallbackToSocket) {
+        return {
+          success: false,
+          certificate: null,
+          reason: 'header_missing_or_malformed',
+        };
+      }
+    }
+  }
+
+  // Fallback to socket-based extraction (original behavior)
+  if (!cert) {
+    // Ensure that the certificate was validated at the protocol level
+    if (!req.socket?.authorized) {
+      return {
+        success: false,
+        certificate: null,
+        reason: 'socket_not_authorized',
+      };
+    }
+
+    // Obtain certificate details from socket
+    // TypeScript: cast to TLSSocket since we've validated this is a TLS connection
+    if (typeof req.socket.getPeerCertificate !== 'function') {
+      return {
+        success: false,
+        certificate: null,
+        reason: 'certificate_not_retrievable',
+      };
+    }
+
+    cert = /** @type {import('tls').TLSSocket} */ (req.socket).getPeerCertificate(includeChain);
+    if (!cert || Object.keys(cert).length === 0) {
+      // Handle the case where a certificate was validated but we can't inspect it
+      return {
+        success: false,
+        certificate: null,
+        reason: 'certificate_not_retrievable',
+      };
+    }
+  }
+
+  return {
+    success: true,
+    certificate: cert,
+    reason: null,
+  };
+}

package/lib/helpers.cjs

@@ -0,0 +1,20 @@
+/*!
+ * client-certificate-auth/helpers - CommonJS wrapper
+ * Copyright (C) 2013-2026 Tony Gies
+ * @license MIT
+ */
+
+'use strict';
+
+let _module;
+
+async function load() {
+    // Stryker disable next-line ConditionalExpression,BlockStatement: test ordering caches _module from prior test; ConditionalExpression→true (always re-import) re-imports same module successfully; BlockStatement→{} uses cached value
+    if (!_module) {
+        // Stryker disable next-line StringLiteral: test ordering caches _module; StringLiteral→"" fails import but cached value masks it
+        _module = await import('./helpers.js');
+    }
+    return _module;
+}
+
+module.exports = { load };

package/lib/helpers.d.cts

@@ -0,0 +1,13 @@
+/*!
+ * client-certificate-auth/helpers - CommonJS type declarations
+ * Copyright (C) 2013-2026 Tony Gies
+ * @license MIT
+ */
+
+import type * as HelpersModule from './helpers.js';
+
+declare const helpers: {
+    load(): Promise<typeof HelpersModule>;
+};
+
+export = helpers;

package/lib/helpers.d.ts

@@ -4,13 +4,9 @@
  * @license MIT
  */
 
-import type { PeerCertificate, DetailedPeerCertificate } from 'tls';
-import type { ClientCertRequest } from './clientCertificateAuth.js';
+import type { ValidationCallback } from './clientCertificateAuth.js';
 
-/**
- * Validation callback for clientCertificateAuth middleware.
- */
-export type ValidationCallback = (cert: PeerCertificate | DetailedPeerCertificate, req?: ClientCertRequest) => boolean | Promise<boolean>;
+export type { ValidationCallback };
 
 /**
  * Distinguished Name fields for matching.

package/lib/parsers.cjs

@@ -0,0 +1,20 @@
+/*!
+ * client-certificate-auth/parsers - CommonJS wrapper
+ * Copyright (C) 2013-2026 Tony Gies
+ * @license MIT
+ */
+
+'use strict';
+
+let _module;
+
+async function load() {
+    // Stryker disable next-line ConditionalExpression,BlockStatement: test ordering caches _module from prior test; ConditionalExpression→true (always re-import) re-imports same module successfully; BlockStatement→{} uses cached value
+    if (!_module) {
+        // Stryker disable next-line StringLiteral: test ordering caches _module; StringLiteral→"" fails import but cached value masks it
+        _module = await import('./parsers.js');
+    }
+    return _module;
+}
+
+module.exports = { load };

package/lib/parsers.d.cts

@@ -0,0 +1,13 @@
+/*!
+ * client-certificate-auth/parsers - CommonJS type declarations
+ * Copyright (C) 2013-2026 Tony Gies
+ * @license MIT
+ */
+
+import type * as ParsersModule from './parsers.js';
+
+declare const parsers: {
+    load(): Promise<typeof ParsersModule>;
+};
+
+export = parsers;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "client-certificate-auth",
-  "version": "1.1.3",
+  "version": "1.3.0",
   "description": "Express/Connect middleware for mTLS client certificate authentication with reverse proxy support (AWS ALB, Envoy, Cloudflare, Traefik)",
   "homepage": "https://github.com/tgies/client-certificate-auth",
   "bugs": {
@@ -26,35 +26,66 @@
       "import": {
         "types": "./lib/parsers.d.ts",
         "default": "./lib/parsers.js"
+      },
+      "require": {
+        "types": "./lib/parsers.d.cts",
+        "default": "./lib/parsers.cjs"
       }
     },
     "./helpers": {
       "import": {
         "types": "./lib/helpers.d.ts",
         "default": "./lib/helpers.js"
+      },
+      "require": {
+        "types": "./lib/helpers.d.cts",
+        "default": "./lib/helpers.cjs"
+      }
+    },
+    "./extractor": {
+      "import": {
+        "types": "./lib/extractor.d.ts",
+        "default": "./lib/extractor.js"
+      },
+      "require": {
+        "types": "./lib/extractor.d.cts",
+        "default": "./lib/extractor.cjs"
       }
     }
   },
   "main": "./lib/clientCertificateAuth.cjs",
   "types": "./lib/clientCertificateAuth.d.ts",
+  "typesVersions": {
+    "*": {
+      "parsers": [
+        "./lib/parsers.d.ts"
+      ],
+      "helpers": [
+        "./lib/helpers.d.ts"
+      ],
+      "extractor": [
+        "./lib/extractor.d.ts"
+      ]
+    }
+  },
   "engines": {
     "node": ">= 20"
   },
   "devDependencies": {
     "@commitlint/cli": "^20.4.1",
     "@commitlint/config-conventional": "^20.4.1",
-    "@stryker-mutator/core": "^9.4.0",
-    "@stryker-mutator/jest-runner": "^9.4.0",
-    "@types/express": "^5.0.0",
-    "@types/node": "^25.2.1",
+    "@stryker-mutator/core": "^9.5.1",
+    "@stryker-mutator/jest-runner": "^9.5.1",
+    "@types/express": "^5.0.6",
+    "@types/node": "^25.2.3",
     "c8": "^10.1.3",
     "eslint": "^9.17.0",
-    "globals": "^17.0.0",
+    "globals": "^17.3.0",
     "husky": "^9.1.7",
     "jest": "^30.2.0",
     "lint-staged": "^16.2.7",
-    "selfsigned": "^5.4.0",
-    "typescript": "^5.7.2",
+    "selfsigned": "^5.5.0",
+    "typescript": "^5.9.3",
     "ws": "^8.19.0"
   },
   "directories": {