dbsc-toolkit 2.3.1 → 2.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +36 -18
- package/dist/client/wrapFetch.d.ts +2 -22
- package/dist/client/wrapFetch.d.ts.map +1 -1
- package/dist/client/wrapFetch.js +9 -7
- package/dist/client/wrapFetch.js.map +1 -1
- package/dist/core/bound/proof.d.ts +2 -7
- package/dist/core/bound/proof.d.ts.map +1 -1
- package/dist/core/bound/proof.js +34 -11
- package/dist/core/bound/proof.js.map +1 -1
- package/dist/core/bound/refresh.d.ts.map +1 -1
- package/dist/core/bound/refresh.js +2 -1
- package/dist/core/bound/refresh.js.map +1 -1
- package/dist/core/derive-session-id.d.ts +21 -0
- package/dist/core/derive-session-id.d.ts.map +1 -0
- package/dist/core/derive-session-id.js +29 -0
- package/dist/core/derive-session-id.js.map +1 -0
- package/dist/core/index.d.ts +2 -0
- package/dist/core/index.d.ts.map +1 -1
- package/dist/core/index.js +1 -0
- package/dist/core/index.js.map +1 -1
- package/dist/core/protocol/headers.d.ts +4 -1
- package/dist/core/protocol/headers.d.ts.map +1 -1
- package/dist/core/protocol/headers.js +4 -1
- package/dist/core/protocol/headers.js.map +1 -1
- package/dist/core/protocol/refresh.d.ts.map +1 -1
- package/dist/core/protocol/refresh.js +1 -0
- package/dist/core/protocol/refresh.js.map +1 -1
- package/dist/core/types.d.ts +17 -0
- package/dist/core/types.d.ts.map +1 -1
- package/dist/express/index.d.ts +1 -0
- package/dist/express/index.d.ts.map +1 -1
- package/dist/express/index.js +9 -5
- package/dist/express/index.js.map +1 -1
- package/dist/express/proof.d.ts +4 -16
- package/dist/express/proof.d.ts.map +1 -1
- package/dist/express/proof.js +1 -8
- package/dist/express/proof.js.map +1 -1
- package/dist/fastify/index.d.ts +1 -0
- package/dist/fastify/index.d.ts.map +1 -1
- package/dist/fastify/index.js +20 -4
- package/dist/fastify/index.js.map +1 -1
- package/dist/fastify/proof.d.ts +4 -10
- package/dist/fastify/proof.d.ts.map +1 -1
- package/dist/fastify/proof.js +1 -4
- package/dist/fastify/proof.js.map +1 -1
- package/dist/hono/index.d.ts +1 -0
- package/dist/hono/index.d.ts.map +1 -1
- package/dist/hono/index.js +20 -4
- package/dist/hono/index.js.map +1 -1
- package/dist/hono/proof.d.ts +4 -9
- package/dist/hono/proof.d.ts.map +1 -1
- package/dist/hono/proof.js +1 -4
- package/dist/hono/proof.js.map +1 -1
- package/dist/nextjs/index.d.ts +2 -0
- package/dist/nextjs/index.d.ts.map +1 -1
- package/dist/nextjs/index.js +24 -3
- package/dist/nextjs/index.js.map +1 -1
- package/dist/nextjs/proof.d.ts +4 -16
- package/dist/nextjs/proof.d.ts.map +1 -1
- package/dist/nextjs/proof.js +1 -10
- package/dist/nextjs/proof.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -48,6 +48,8 @@ npm install express cookie-parser pg # Express + Postgres
|
|
|
48
48
|
|
|
49
49
|
## Quick start
|
|
50
50
|
|
|
51
|
+
Copy-paste runnable. The whole picture is ~25 lines — `trust proxy`, `cookieParser`, `express.json` and the static-file mount for the polyfill all matter, and missing any of them is the #1 reason "tier is always `none`" tickets get opened.
|
|
52
|
+
|
|
51
53
|
```ts
|
|
52
54
|
import express from "express";
|
|
53
55
|
import cookieParser from "cookie-parser";
|
|
@@ -56,23 +58,28 @@ import { dbsc, bindSession } from "dbsc-toolkit/express";
|
|
|
56
58
|
import { MemoryStorage } from "dbsc-toolkit/storage/memory";
|
|
57
59
|
|
|
58
60
|
const app = express();
|
|
59
|
-
app.set("trust proxy", true);
|
|
60
|
-
app.use(cookieParser());
|
|
61
|
-
app.use(express.json());
|
|
62
61
|
|
|
63
|
-
|
|
64
|
-
app.use(
|
|
62
|
+
app.set("trust proxy", true); // required behind Render / Fly / Cloudflare / nginx
|
|
63
|
+
app.use(cookieParser()); // required: bindSession sets HttpOnly cookies
|
|
64
|
+
app.use(express.json()); // required: bound polyfill POSTs JSON
|
|
65
|
+
app.use(
|
|
66
|
+
"/dbsc-client", // serves the browser SDK for Firefox / Safari
|
|
67
|
+
express.static(new URL("../node_modules/dbsc-toolkit/dist/client/", import.meta.url).pathname),
|
|
68
|
+
);
|
|
69
|
+
|
|
70
|
+
const storage = new MemoryStorage(); // swap for RedisStorage / PostgresStorage in production
|
|
71
|
+
app.use(dbsc({ storage })); // mounts /dbsc/registration, /dbsc/refresh, /dbsc-bound/*
|
|
65
72
|
|
|
66
73
|
app.post("/login", async (req, res) => {
|
|
67
74
|
await bindSession(res, randomUUID(), storage, { userId: req.body.username });
|
|
68
75
|
res.json({ ok: true });
|
|
69
76
|
});
|
|
70
77
|
|
|
71
|
-
app.get("/me", (
|
|
78
|
+
app.get("/me", (_req, res) => res.json(res.locals.dbsc));
|
|
72
79
|
app.listen(3000);
|
|
73
80
|
```
|
|
74
81
|
|
|
75
|
-
|
|
82
|
+
In your HTML, load the polyfill once so Firefox / Safari / older Chromium reach `tier: "bound"`:
|
|
76
83
|
|
|
77
84
|
```html
|
|
78
85
|
<script type="module">
|
|
@@ -81,27 +88,38 @@ app.listen(3000);
|
|
|
81
88
|
</script>
|
|
82
89
|
```
|
|
83
90
|
|
|
84
|
-
|
|
91
|
+
Without the script tag those browsers stay on `tier: "none"`. Native Chromium 145+ does not need the script — it negotiates the protocol on its own from the headers `dbsc()` sets.
|
|
92
|
+
|
|
93
|
+
### Common failure modes
|
|
85
94
|
|
|
86
|
-
|
|
95
|
+
- **`tier` always reads `"none"` on Chromium 145+?** Forgot `trust proxy`, on plain HTTP, or middleware order is wrong (cookieParser must run before `dbsc`).
|
|
96
|
+
- **Chrome loops registration?** Storage was wiped — switch off `MemoryStorage` to Redis or Postgres before deploying anywhere that ever restarts.
|
|
97
|
+
- **Tier flips back to `"none"` right after login?** The race between `/login` returning and the browser running `POST /dbsc/registration`. Poll `/me` for ~1 s after login or await the bound-SDK outcome promise. The demo wires both — see [examples/express/src/server.js](./examples/express/src/server.js).
|
|
98
|
+
- **Firefox / Safari still on `"none"`?** Forgot the `<script type="module">` tag above, or the static-file mount is wrong.
|
|
99
|
+
|
|
100
|
+
Full walk-through: [docs/getting-started.md](./docs/getting-started.md).
|
|
87
101
|
|
|
88
102
|
## Adding to an existing app
|
|
89
103
|
|
|
90
|
-
You don't rewrite login, you don't migrate the session store. DBSC sits alongside your existing session cookie and binds to the same session id. For a typical Express app
|
|
104
|
+
You don't rewrite login, you don't migrate the session store. DBSC sits alongside your existing session cookie and binds to the same session id. For a typical Express app, the new lines you write are:
|
|
105
|
+
|
|
106
|
+
1. `import { dbsc, bindSession, requireBoundProof } from "dbsc-toolkit/express";`
|
|
107
|
+
2. `import { RedisStorage } from "dbsc-toolkit/storage/redis";`
|
|
108
|
+
3. `const dbscStorage = new RedisStorage(new Redis(process.env.REDIS_URL));`
|
|
109
|
+
4. `app.use(dbsc({ storage: dbscStorage }));`
|
|
110
|
+
5. End of `/login`: `await bindSession(res, sessionId, dbscStorage, { userId: user.id });`
|
|
111
|
+
6. Start of `/logout`: `await res.locals.dbsc.revoke();`
|
|
91
112
|
|
|
92
|
-
|
|
113
|
+
If your app isn't already set up for HTTPS-terminating proxies, `cookieParser`, or JSON bodies, you also need the four lines in the quick-start block above (`trust proxy`, `cookieParser()`, `express.json()`, and the `/dbsc-client/*` static mount for the polyfill). Most existing apps already have the first three.
|
|
93
114
|
|
|
94
|
-
|
|
95
|
-
2. Top of the file — `import { RedisStorage } from "dbsc-toolkit/storage/redis";`
|
|
96
|
-
3. During app boot — `const dbscStorage = new RedisStorage(new Redis(process.env.REDIS_URL));`
|
|
97
|
-
4. During app boot, once — `app.use(dbsc({ storage: dbscStorage }));`
|
|
98
|
-
5. At the end of `/login`, after the password check — `await bindSession(res, sessionId, dbscStorage, { userId: user.id });`
|
|
99
|
-
6. At the start of `/logout`, before tearing down your own session — `await res.locals.dbsc.revoke();`
|
|
115
|
+
`sessionId` on line 5 is whatever id your existing session store issues. DBSC binds to that same id; you don't manage a second id-space.
|
|
100
116
|
|
|
101
|
-
|
|
117
|
+
Using **NextAuth (JWT mode), iron-session, Lucia, or a hand-rolled JWT cookie**? Those have no server-side session id — call `deriveSessionId({ userId })` to get a stable one to pass to `bindSession()`. Copy-paste recipes for every common session system: [docs/integration-recipes.md](./docs/integration-recipes.md).
|
|
102
118
|
|
|
103
119
|
## Choose your protection level per route
|
|
104
120
|
|
|
121
|
+
> **First time here?** [docs/usage.md](./docs/usage.md) walks the 6-line setup and the table below in order, with concrete code for each lever. Five-minute read.
|
|
122
|
+
|
|
105
123
|
After the 6-line setup, every request through the middleware has a `tier` field on the request context. The library does not auto-protect anything — you pick the level per route. The library exposes three levers; this table tells you which one to reach for.
|
|
106
124
|
|
|
107
125
|
| Your route does… | Use this guard | What it stops | Detailed in |
|
|
@@ -1,28 +1,8 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Wraps a `fetch` function so every outgoing request carries a fresh ECDSA P-256
|
|
3
|
-
* signature in the `X-Dbsc-Bound-Proof` header.
|
|
4
|
-
*
|
|
5
|
-
* Use this ONLY for calls to sensitive routes you've gated with
|
|
6
|
-
* `requireBoundProof()` on the server (payment, admin, password-change, etc).
|
|
7
|
-
* It is per-call by design — keep it out of `globalThis.fetch` so third-party
|
|
8
|
-
* SDKs (analytics, React Query, SWR, etc) keep using the native `fetch`.
|
|
9
|
-
*
|
|
10
|
-
* If no bound key is present in IndexedDB the wrapped fetch transparently falls
|
|
11
|
-
* back to the underlying fetch — Chromium native DBSC paths and the
|
|
12
|
-
* unauthenticated paths keep working.
|
|
13
|
-
*/
|
|
1
|
+
/** Per-call fetch wrapper that signs requests with the bound key. Never assign to globalThis.fetch. */
|
|
14
2
|
export interface WrapFetchOptions {
|
|
15
3
|
fetch?: typeof fetch;
|
|
16
4
|
headerName?: string;
|
|
17
|
-
/**
|
|
18
|
-
* When true, the wrapper computes sha256(body) and signs it into the proof
|
|
19
|
-
* header. The server must be configured with `requireBoundProof({ signBody: true })`
|
|
20
|
-
* for the matching route. Defaults to false.
|
|
21
|
-
*
|
|
22
|
-
* Cost: one extra SHA-256 hash per request (~0.1 ms for typical JSON
|
|
23
|
-
* payloads). Cannot be used with streaming request bodies — the wrapper
|
|
24
|
-
* reads the body into memory to hash it.
|
|
25
|
-
*/
|
|
5
|
+
/** SHA-256 the body into the proof header. ReadableStream bodies not supported. */
|
|
26
6
|
signBody?: boolean;
|
|
27
7
|
}
|
|
28
8
|
export declare function wrapFetch(opts?: WrapFetchOptions): typeof fetch;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wrapFetch.d.ts","sourceRoot":"","sources":["../../src/client/wrapFetch.ts"],"names":[],"mappings":"AAEA
|
|
1
|
+
{"version":3,"file":"wrapFetch.d.ts","sourceRoot":"","sources":["../../src/client/wrapFetch.ts"],"names":[],"mappings":"AAEA,uGAAuG;AACvG,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,mFAAmF;IACnF,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,wBAAgB,SAAS,CAAC,IAAI,GAAE,gBAAqB,GAAG,OAAO,KAAK,CAwDnE"}
|
package/dist/client/wrapFetch.js
CHANGED
|
@@ -13,20 +13,22 @@ export function wrapFetch(opts = {}) {
|
|
|
13
13
|
const ts = Date.now() + offset;
|
|
14
14
|
let bodyHash = "";
|
|
15
15
|
let finalBody = init.body;
|
|
16
|
-
if (signBody
|
|
17
|
-
const bodyBytes =
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
16
|
+
if (signBody) {
|
|
17
|
+
const bodyBytes = init.body === undefined || init.body === null
|
|
18
|
+
? new Uint8Array(0)
|
|
19
|
+
: await readBodyBytes(init.body);
|
|
20
|
+
if (bodyBytes.byteLength > 0) {
|
|
21
|
+
finalBody = new Blob([bodyBytes]);
|
|
22
|
+
}
|
|
21
23
|
bodyHash = await sha256B64Url(bodyBytes);
|
|
22
24
|
}
|
|
23
|
-
const message = signBody
|
|
25
|
+
const message = signBody
|
|
24
26
|
? `${rec.sessionId}.${method}.${url.pathname}.${ts}.${bodyHash}`
|
|
25
27
|
: `${rec.sessionId}.${method}.${url.pathname}.${ts}`;
|
|
26
28
|
const sigBytes = await crypto.subtle.sign({ name: "ECDSA", hash: "SHA-256" }, rec.keyPair.privateKey, new TextEncoder().encode(message));
|
|
27
29
|
const sig = base64url(new Uint8Array(sigBytes));
|
|
28
30
|
const headers = new Headers(init.headers);
|
|
29
|
-
const headerValue =
|
|
31
|
+
const headerValue = signBody
|
|
30
32
|
? `ts=${ts};sig=${sig};bh=${bodyHash}`
|
|
31
33
|
: `ts=${ts};sig=${sig}`;
|
|
32
34
|
headers.set(headerName, headerValue);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"wrapFetch.js","sourceRoot":"","sources":["../../src/client/wrapFetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"wrapFetch.js","sourceRoot":"","sources":["../../src/client/wrapFetch.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAU7C,MAAM,UAAU,SAAS,CAAC,OAAyB,EAAE;IACnD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7D,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,oBAAoB,CAAC;IAC3D,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,KAAK,CAAC;IAExC,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,GAAG,EAAE,EAAE,EAAE;QACjC,MAAM,GAAG,GAAG,MAAM,YAAY,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAEnC,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,YAAY,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,EAChF,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,kBAAkB,CAC1E,CAAC;QACF,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACpD,MAAM,MAAM,GAAG,GAAG,CAAC,aAAa,IAAI,CAAC,CAAC;QACtC,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC;QAE/B,IAAI,QAAQ,GAAG,EAAE,CAAC;QAClB,IAAI,SAAS,GAAgC,IAAI,CAAC,IAAI,CAAC;QACvD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI;gBAC7D,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC;gBACnB,CAAC,CAAC,MAAM,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnC,IAAI,SAAS,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;gBAC7B,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,SAAqB,CAAC,CAAC,CAAC;YAChD,CAAC;YACD,QAAQ,GAAG,MAAM,YAAY,CAAC,SAAS,CAAC,CAAC;QAC3C,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ;YACtB,CAAC,CAAC,GAAG,GAAG,CAAC,SAAS,IAAI,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,IAAI,QAAQ,EAAE;YAChE,CAAC,CAAC,GAAG,GAAG,CAAC,SAAS,IAAI,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QAEvD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CACvC,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,EAClC,GAAG,CAAC,OAAO,CAAC,UAAU,EACtB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAClC,CAAC;QACF,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC;QAEhD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1C,MAAM,WAAW,GAAG,QAAQ;YAC1B,CAAC,CAAC,MAAM,EAAE,QAAQ,GAAG,OAAO,QAAQ,EAAE;YACtC,CAAC,CAAC,MAAM,EAAE,QAAQ,GAAG,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QAErC,MAAM,QAAQ,GAAgB;YAC5B,GAAG,IAAI;YACP,OAAO;YACP,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,SAAS;SAC3C,CAAC;QACF,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YAClD,QAAQ,CAAC,IAAI,GAAG,SAAqB,CAAC;QACxC,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAiB,CAAC;AACrB,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,IAAc;IACzC,IAAI,IAAI,YAAY,UAAU;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,IAAI,YAAY,WAAW;QAAE,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IAC7D,IAAI,OAAO,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACpE,IAAI,IAAI,YAAY,IAAI;QAAE,OAAO,IAAI,UAAU,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAC1E,IAAI,IAAI,YAAY,QAAQ,IAAI,IAAI,YAAY,eAAe,EAAE,CAAC;QAChE,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,IAAI,IAAI,YAAY,cAAc,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;IACnF,CAAC;IACD,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,KAAiB;IAC3C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAgB,CACzF,CAAC;IACF,OAAO,SAAS,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,CAAa;IAC9B,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAW,CAAC,CAAC;IAC5E,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC3E,CAAC"}
|
|
@@ -6,14 +6,9 @@ export interface VerifyBoundProofRequest {
|
|
|
6
6
|
method: string;
|
|
7
7
|
path: string;
|
|
8
8
|
timestampWindowMs?: number | undefined;
|
|
9
|
-
/**
|
|
10
|
-
* Raw request body bytes. When present, `signBody` is implied. The server
|
|
11
|
-
* computes sha256(bodyBytes) and demands the proof header carries a
|
|
12
|
-
* matching `bh=` field signed into the message. Pass undefined for GET/HEAD
|
|
13
|
-
* or when body signing is disabled.
|
|
14
|
-
*/
|
|
9
|
+
/** Raw body bytes. Required when signBody is true. */
|
|
15
10
|
bodyBytes?: Uint8Array | undefined;
|
|
16
|
-
/**
|
|
11
|
+
/** Hash and verify body bytes into the signed message. */
|
|
17
12
|
signBody?: boolean | undefined;
|
|
18
13
|
}
|
|
19
14
|
export declare function verifyBoundProof(req: VerifyBoundProofRequest, storage: StorageAdapter): Promise<void>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"proof.d.ts","sourceRoot":"","sources":["../../../src/core/bound/proof.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAGlD,eAAO,MAAM,kBAAkB,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"proof.d.ts","sourceRoot":"","sources":["../../../src/core/bound/proof.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAGlD,eAAO,MAAM,kBAAkB,uBAAuB,CAAC;AAKvD,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,GAAG,SAAS,CAAC;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IACvC,sDAAsD;IACtD,SAAS,CAAC,EAAE,UAAU,GAAG,SAAS,CAAC;IACnC,0DAA0D;IAC1D,QAAQ,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;CAChC;AAED,wBAAsB,gBAAgB,CACpC,GAAG,EAAE,uBAAuB,EAC5B,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,IAAI,CAAC,CAkDf;AAED,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,MAAM,GAAG;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,EAAE,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAsB3F"}
|
package/dist/core/bound/proof.js
CHANGED
|
@@ -2,6 +2,8 @@ import { DbscVerificationError, ErrorCodes } from "../errors.js";
|
|
|
2
2
|
import { verifyP256Signature } from "./verify.js";
|
|
3
3
|
export const BOUND_PROOF_HEADER = "X-Dbsc-Bound-Proof";
|
|
4
4
|
const DEFAULT_WINDOW_MS = 5 * 60 * 1000;
|
|
5
|
+
const MAX_HEADER_LEN = 8 * 1024;
|
|
6
|
+
const MAX_SEGMENTS = 8;
|
|
5
7
|
export async function verifyBoundProof(req, storage) {
|
|
6
8
|
if (!req.proofHeader) {
|
|
7
9
|
throw new DbscVerificationError(ErrorCodes.MISSING_PROOF, "proof header missing");
|
|
@@ -18,20 +20,26 @@ export async function verifyBoundProof(req, storage) {
|
|
|
18
20
|
if (!key) {
|
|
19
21
|
throw new DbscVerificationError(ErrorCodes.KEY_NOT_FOUND, "no bound key for session");
|
|
20
22
|
}
|
|
21
|
-
const wantBodySig = req.signBody === true
|
|
22
|
-
|
|
23
|
+
const wantBodySig = req.signBody === true;
|
|
24
|
+
if (wantBodySig && req.bodyBytes === undefined) {
|
|
25
|
+
throw new DbscVerificationError(ErrorCodes.MALFORMED_PROOF, "signBody requires bodyBytes");
|
|
26
|
+
}
|
|
27
|
+
if (!wantBodySig && parsed.bh) {
|
|
28
|
+
throw new DbscVerificationError(ErrorCodes.MALFORMED_PROOF, "proof header carries bh but signBody is disabled");
|
|
29
|
+
}
|
|
30
|
+
let bodyHash = "";
|
|
23
31
|
if (wantBodySig) {
|
|
24
32
|
if (!parsed.bh) {
|
|
25
|
-
throw new DbscVerificationError(ErrorCodes.MALFORMED_PROOF, "proof header missing bh
|
|
33
|
+
throw new DbscVerificationError(ErrorCodes.MALFORMED_PROOF, "proof header missing bh");
|
|
26
34
|
}
|
|
27
|
-
const
|
|
28
|
-
if (
|
|
35
|
+
const actual = await sha256Base64Url(req.bodyBytes);
|
|
36
|
+
if (actual !== parsed.bh) {
|
|
29
37
|
throw new DbscVerificationError(ErrorCodes.SIGNATURE_INVALID, "body hash mismatch");
|
|
30
38
|
}
|
|
31
|
-
|
|
39
|
+
bodyHash = parsed.bh;
|
|
32
40
|
}
|
|
33
41
|
const message = wantBodySig
|
|
34
|
-
? `${req.sessionId}.${req.method.toUpperCase()}.${req.path}.${parsed.ts}.${
|
|
42
|
+
? `${req.sessionId}.${req.method.toUpperCase()}.${req.path}.${parsed.ts}.${bodyHash}`
|
|
35
43
|
: `${req.sessionId}.${req.method.toUpperCase()}.${req.path}.${parsed.ts}`;
|
|
36
44
|
const ok = await verifyP256Signature(key.jwk, parsed.sig, message);
|
|
37
45
|
if (!ok) {
|
|
@@ -39,11 +47,26 @@ export async function verifyBoundProof(req, storage) {
|
|
|
39
47
|
}
|
|
40
48
|
}
|
|
41
49
|
export function parseProofHeader(s) {
|
|
50
|
+
if (s.length > MAX_HEADER_LEN)
|
|
51
|
+
return null;
|
|
52
|
+
const segments = s.split(";");
|
|
53
|
+
if (segments.length > MAX_SEGMENTS)
|
|
54
|
+
return null;
|
|
42
55
|
const parts = {};
|
|
43
|
-
for (const seg of
|
|
44
|
-
const
|
|
45
|
-
if (
|
|
46
|
-
|
|
56
|
+
for (const seg of segments) {
|
|
57
|
+
const trimmed = seg.trim();
|
|
58
|
+
if (!trimmed)
|
|
59
|
+
continue;
|
|
60
|
+
const eq = trimmed.indexOf("=");
|
|
61
|
+
if (eq <= 0)
|
|
62
|
+
return null;
|
|
63
|
+
const k = trimmed.slice(0, eq);
|
|
64
|
+
const v = trimmed.slice(eq + 1);
|
|
65
|
+
if (!v)
|
|
66
|
+
return null;
|
|
67
|
+
if (k in parts)
|
|
68
|
+
return null;
|
|
69
|
+
parts[k] = v;
|
|
47
70
|
}
|
|
48
71
|
const ts = Number(parts.ts);
|
|
49
72
|
if (!Number.isFinite(ts) || !parts.sig)
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"proof.js","sourceRoot":"","sources":["../../../src/core/bound/proof.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAEjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AACvD,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"proof.js","sourceRoot":"","sources":["../../../src/core/bound/proof.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAEjE,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AACvD,MAAM,iBAAiB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AACxC,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,CAAC;AAChC,MAAM,YAAY,GAAG,CAAC,CAAC;AAcvB,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,GAA4B,EAC5B,OAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;QACrB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;IACpF,CAAC;IACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjD,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,eAAe,EAAE,wBAAwB,CAAC,CAAC;IACxF,CAAC;IACD,MAAM,QAAQ,GAAG,GAAG,CAAC,iBAAiB,IAAI,iBAAiB,CAAC;IAC5D,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC;QAChD,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,gCAAgC,CAAC,CAAC;IAClG,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,aAAa,EAAE,0BAA0B,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,WAAW,GAAG,GAAG,CAAC,QAAQ,KAAK,IAAI,CAAC;IAC1C,IAAI,WAAW,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC/C,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,eAAe,EAC1B,6BAA6B,CAC9B,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,WAAW,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;QAC9B,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,eAAe,EAC1B,kDAAkD,CACnD,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,eAAe,EAAE,yBAAyB,CAAC,CAAC;QACzF,CAAC;QACD,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,GAAG,CAAC,SAAU,CAAC,CAAC;QACrD,IAAI,MAAM,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC;YACzB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,oBAAoB,CAAC,CAAC;QACtF,CAAC;QACD,QAAQ,GAAG,MAAM,CAAC,EAAE,CAAC;IACvB,CAAC;IAED,MAAM,OAAO,GAAG,WAAW;QACzB,CAAC,CAAC,GAAG,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,GAAG,CAAC,IAAI,IAAI,MAAM,CAAC,EAAE,IAAI,QAAQ,EAAE;QACrF,CAAC,CAAC,GAAG,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,IAAI,GAAG,CAAC,IAAI,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;IAC5E,MAAM,EAAE,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACnE,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,gCAAgC,CAAC,CAAC;IAClG,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,CAAS;IACxC,IAAI,CAAC,CAAC,MAAM,GAAG,cAAc;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,QAAQ,CAAC,MAAM,GAAG,YAAY;QAAE,OAAO,IAAI,CAAC;IAEhD,MAAM,KAAK,GAA2B,EAAE,CAAC;IACzC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,EAAE,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QACzB,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC/B,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;QAChC,IAAI,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QACpB,IAAI,CAAC,IAAI,KAAK;YAAE,OAAO,IAAI,CAAC;QAC5B,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACf,CAAC;IACD,MAAM,EAAE,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC5B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACpD,MAAM,GAAG,GAA6C,EAAE,EAAE,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,CAAC;IAC7E,IAAI,KAAK,CAAC,EAAE;QAAE,GAAG,CAAC,EAAE,GAAG,KAAK,CAAC,EAAE,CAAC;IAChC,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,KAAiB;IAC9C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAgB,CACzF,CAAC;IACF,OAAO,cAAc,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,cAAc,CAAC,CAAa;IACnC,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAW,CAAC,CAAC;IAC5E,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/G,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../../src/core/bound/refresh.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAKhE,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,mBAAmB,EACxB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,
|
|
1
|
+
{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../../src/core/bound/refresh.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAKhE,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,mBAAmB,EACxB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CA0DvB"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { DbscProtocolError, DbscVerificationError, ErrorCodes } from "../errors.js";
|
|
2
2
|
import { verifyP256Signature } from "./verify.js";
|
|
3
|
-
const TIMESTAMP_WINDOW_MS =
|
|
3
|
+
const TIMESTAMP_WINDOW_MS = 5 * 60 * 1000;
|
|
4
4
|
export async function handleBoundRefresh(req, storage) {
|
|
5
5
|
if (!req.signature) {
|
|
6
6
|
throw new DbscProtocolError(ErrorCodes.MISSING_RESPONSE_HEADER, "signature is required for bound refresh");
|
|
@@ -29,6 +29,7 @@ export async function handleBoundRefresh(req, storage) {
|
|
|
29
29
|
const message = `${req.expectedJti}.${req.timestamp}`;
|
|
30
30
|
const ok = await verifyP256Signature(key.jwk, req.signature, message);
|
|
31
31
|
if (!ok) {
|
|
32
|
+
await storage.consumeChallenge(req.expectedJti);
|
|
32
33
|
const session = await storage.getSession(req.sessionId);
|
|
33
34
|
if (session) {
|
|
34
35
|
await storage.setSession({ ...session, tier: "none" });
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../src/core/bound/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAEpF,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,mBAAmB,GAAG,
|
|
1
|
+
{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../src/core/bound/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAEpF,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAElD,MAAM,mBAAmB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAS1C,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,GAAwB,EACxB,OAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;QACnB,MAAM,IAAI,iBAAiB,CACzB,UAAU,CAAC,uBAAuB,EAClC,yCAAyC,CAC1C,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC;IAClD,IAAI,IAAI,GAAG,mBAAmB,EAAE,CAAC;QAC/B,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,qCAAqC,CAAC,CAAC;IACvG,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,aAAa,EAAE,0BAA0B,CAAC,CAAC;IACxF,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IACrF,CAAC;IACD,IAAI,SAAS,CAAC,SAAS,KAAK,GAAG,CAAC,SAAS,EAAE,CAAC;QAC1C,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,YAAY,EAAE,2CAA2C,CAAC,CAAC;IACxG,CAAC;IAED,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;IACtD,MAAM,EAAE,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IACtE,IAAI,CAAC,EAAE,EAAE,CAAC;QACR,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACxD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,2BAA2B,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,OAAO;QACL,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,GAAG,EAAE,GAAG,CAAC,WAAW;QACpB,QAAQ,EAAE,IAAI;KACf,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
export interface DeriveSessionIdInput {
|
|
2
|
+
/** Stable user identifier from your JWT (the `sub` claim is the canonical choice). */
|
|
3
|
+
userId: string;
|
|
4
|
+
/** Optional per-device hint. If omitted, one stable id per user — fine for single-device apps. */
|
|
5
|
+
deviceHint?: string;
|
|
6
|
+
/** Optional namespace to scope ids when the same user has multiple binding contexts (e.g. impersonation). Defaults to "default". */
|
|
7
|
+
namespace?: string;
|
|
8
|
+
}
|
|
9
|
+
/**
|
|
10
|
+
* Returns a stable, opaque sessionId suitable for `bindSession()` when the
|
|
11
|
+
* caller has no server-side session row to take the id from (NextAuth in
|
|
12
|
+
* JWT mode, iron-session, Lucia stateless, raw JWT cookies). Output is
|
|
13
|
+
* deterministic for the same input — call it on every request, get the
|
|
14
|
+
* same id, bind against it once at login, look it up on refresh.
|
|
15
|
+
*
|
|
16
|
+
* The id is SHA-256 of `${namespace}.${userId}.${deviceHint ?? ""}`,
|
|
17
|
+
* base64url-encoded. It is not a secret and not reversible; it only needs
|
|
18
|
+
* to be stable and collision-free across your users.
|
|
19
|
+
*/
|
|
20
|
+
export declare function deriveSessionId(input: DeriveSessionIdInput): Promise<string>;
|
|
21
|
+
//# sourceMappingURL=derive-session-id.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"derive-session-id.d.ts","sourceRoot":"","sources":["../../src/core/derive-session-id.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,oBAAoB;IACnC,sFAAsF;IACtF,MAAM,EAAE,MAAM,CAAC;IACf,kGAAkG;IAClG,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oIAAoI;IACpI,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,eAAe,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,MAAM,CAAC,CAalF"}
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Returns a stable, opaque sessionId suitable for `bindSession()` when the
|
|
3
|
+
* caller has no server-side session row to take the id from (NextAuth in
|
|
4
|
+
* JWT mode, iron-session, Lucia stateless, raw JWT cookies). Output is
|
|
5
|
+
* deterministic for the same input — call it on every request, get the
|
|
6
|
+
* same id, bind against it once at login, look it up on refresh.
|
|
7
|
+
*
|
|
8
|
+
* The id is SHA-256 of `${namespace}.${userId}.${deviceHint ?? ""}`,
|
|
9
|
+
* base64url-encoded. It is not a secret and not reversible; it only needs
|
|
10
|
+
* to be stable and collision-free across your users.
|
|
11
|
+
*/
|
|
12
|
+
export async function deriveSessionId(input) {
|
|
13
|
+
if (!input.userId) {
|
|
14
|
+
throw new Error("deriveSessionId: userId is required");
|
|
15
|
+
}
|
|
16
|
+
const namespace = input.namespace ?? "default";
|
|
17
|
+
const deviceHint = input.deviceHint ?? "";
|
|
18
|
+
const material = `${namespace}.${input.userId}.${deviceHint}`;
|
|
19
|
+
const bytes = new TextEncoder().encode(material);
|
|
20
|
+
const digest = await crypto.subtle.digest("SHA-256", bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength));
|
|
21
|
+
return base64Url(new Uint8Array(digest));
|
|
22
|
+
}
|
|
23
|
+
function base64Url(b) {
|
|
24
|
+
let s = "";
|
|
25
|
+
for (let i = 0; i < b.length; i++)
|
|
26
|
+
s += String.fromCharCode(b[i]);
|
|
27
|
+
return Buffer.from(s, "binary").toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
|
|
28
|
+
}
|
|
29
|
+
//# sourceMappingURL=derive-session-id.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"derive-session-id.js","sourceRoot":"","sources":["../../src/core/derive-session-id.ts"],"names":[],"mappings":"AASA;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAA2B;IAC/D,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,IAAI,SAAS,CAAC;IAC/C,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,IAAI,EAAE,CAAC;IAC1C,MAAM,QAAQ,GAAG,GAAG,SAAS,IAAI,KAAK,CAAC,MAAM,IAAI,UAAU,EAAE,CAAC;IAC9D,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACvC,SAAS,EACT,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAgB,CACzF,CAAC;IACF,OAAO,SAAS,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,SAAS,SAAS,CAAC,CAAa;IAC9B,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,CAAC,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAW,CAAC,CAAC;IAC5E,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AAC/G,CAAC"}
|
package/dist/core/index.d.ts
CHANGED
|
@@ -14,4 +14,6 @@ export { verifyBoundProof, parseProofHeader, BOUND_PROOF_HEADER } from "./bound/
|
|
|
14
14
|
export type { VerifyBoundProofRequest } from "./bound/proof.js";
|
|
15
15
|
export { NoopRateLimiter } from "./ratelimit/interface.js";
|
|
16
16
|
export { emit } from "./telemetry/hooks.js";
|
|
17
|
+
export { deriveSessionId } from "./derive-session-id.js";
|
|
18
|
+
export type { DeriveSessionIdInput } from "./derive-session-id.js";
|
|
17
19
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/core/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,cAAc,EACd,QAAQ,EACR,OAAO,EACP,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,WAAW,EACX,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EACjB,YAAY,EACZ,wBAAwB,EACxB,kBAAkB,EAClB,eAAe,GAChB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAErG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,0BAA0B,EAC1B,yBAAyB,EACzB,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,0BAA0B,EAC1B,sBAAsB,EACtB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC1F,YAAY,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAEhE,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,cAAc,EACd,QAAQ,EACR,OAAO,EACP,SAAS,EACT,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,WAAW,EACX,WAAW,EACX,cAAc,EACd,iBAAiB,EACjB,cAAc,EACd,iBAAiB,EACjB,YAAY,EACZ,wBAAwB,EACxB,kBAAkB,EAClB,eAAe,GAChB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAErG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,0BAA0B,EAC1B,yBAAyB,EACzB,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,0BAA0B,EAC1B,sBAAsB,EACtB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAC/B,YAAY,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACzE,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC1F,YAAY,EAAE,uBAAuB,EAAE,MAAM,kBAAkB,CAAC;AAEhE,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAE5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,YAAY,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC"}
|
package/dist/core/index.js
CHANGED
|
@@ -11,4 +11,5 @@ export { verifyP256Signature } from "./bound/verify.js";
|
|
|
11
11
|
export { verifyBoundProof, parseProofHeader, BOUND_PROOF_HEADER } from "./bound/proof.js";
|
|
12
12
|
export { NoopRateLimiter } from "./ratelimit/interface.js";
|
|
13
13
|
export { emit } from "./telemetry/hooks.js";
|
|
14
|
+
export { deriveSessionId } from "./derive-session-id.js";
|
|
14
15
|
//# sourceMappingURL=index.js.map
|
package/dist/core/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAErG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,0BAA0B,EAC1B,yBAAyB,EACzB,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,0BAA0B,EAC1B,sBAAsB,EACtB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAG1F,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/core/index.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAErG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AAEtE,OAAO,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACtE,OAAO,EACL,uBAAuB,EACvB,oBAAoB,EACpB,0BAA0B,EAC1B,yBAAyB,EACzB,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACnB,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,0BAA0B,EAC1B,sBAAsB,EACtB,uBAAuB,EACvB,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AAEtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,EAAE,gBAAgB,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAG1F,OAAO,EAAE,eAAe,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAE5C,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC"}
|
|
@@ -1,6 +1,9 @@
|
|
|
1
1
|
export interface RegistrationHeaderOptions {
|
|
2
2
|
algorithm?: "ES256" | "RS256";
|
|
3
|
-
|
|
3
|
+
/** Path where the browser will POST the registration JWS. */
|
|
4
|
+
registrationPath?: string;
|
|
5
|
+
/** @deprecated misnamed alias for registrationPath; kept for back-compat. */
|
|
6
|
+
refreshPath?: string;
|
|
4
7
|
challenge: string;
|
|
5
8
|
cookieName?: string;
|
|
6
9
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../../src/core/protocol/headers.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,yBAAyB;IACxC,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../../../src/core/protocol/headers.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,yBAAyB;IACxC,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;IAC9B,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,6EAA6E;IAC7E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,yBAAyB,GAAG,MAAM,CAO/E;AAED,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAG5E;AAED,wBAAgB,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAC1C,MAAM,CAMR;AAED,eAAO,MAAM,mBAAmB,gCAAgC,CAAC;AACjE,eAAO,MAAM,eAAe,4BAA4B,CAAC;AACzD,eAAO,MAAM,gBAAgB,6BAA6B,CAAC;AAC3D,eAAO,MAAM,cAAc,2BAA2B,CAAC;AAEvD,eAAO,MAAM,0BAA0B,6BAA6B,CAAC;AACrE,eAAO,MAAM,sBAAsB,yBAAyB,CAAC;AAC7D,eAAO,MAAM,uBAAuB,0BAA0B,CAAC;AAC/D,eAAO,MAAM,qBAAqB,wBAAwB,CAAC;AAE3D,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GACrD,MAAM,GAAG,SAAS,CAIpB;AAED,MAAM,MAAM,aAAa,GAAG,aAAa,GAAG,cAAc,GAAG,gBAAgB,CAAC;AAE9E,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,aAAa,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAQD,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,GACrD,YAAY,EAAE,CAgChB"}
|
|
@@ -1,6 +1,9 @@
|
|
|
1
1
|
export function buildRegistrationHeader(opts) {
|
|
2
2
|
const alg = opts.algorithm ?? "ES256";
|
|
3
|
-
const
|
|
3
|
+
const path = opts.registrationPath ?? opts.refreshPath;
|
|
4
|
+
if (!path)
|
|
5
|
+
throw new Error("buildRegistrationHeader: registrationPath is required");
|
|
6
|
+
const parts = [`(${alg})`, `path="${path}"`, `challenge="${opts.challenge}"`];
|
|
4
7
|
if (opts.cookieName)
|
|
5
8
|
parts.push(`id="${opts.cookieName}"`);
|
|
6
9
|
return parts.join(";");
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"headers.js","sourceRoot":"","sources":["../../../src/core/protocol/headers.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"headers.js","sourceRoot":"","sources":["../../../src/core/protocol/headers.ts"],"names":[],"mappings":"AAUA,MAAM,UAAU,uBAAuB,CAAC,IAA+B;IACrE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC;IACtC,MAAM,IAAI,GAAG,IAAI,CAAC,gBAAgB,IAAI,IAAI,CAAC,WAAW,CAAC;IACvD,IAAI,CAAC,IAAI;QAAE,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IACpF,MAAM,KAAK,GAAG,CAAC,IAAI,GAAG,GAAG,EAAE,SAAS,IAAI,GAAG,EAAE,cAAc,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC;IAC9E,IAAI,IAAI,CAAC,UAAU;QAAE,KAAK,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;IAC3D,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,GAAW,EAAE,SAAkB;IAClE,MAAM,IAAI,GAAG,IAAI,GAAG,GAAG,CAAC;IACxB,OAAO,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,QAAQ,SAAS,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACxD,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,SAAiB,EACjB,IAA2C;IAE3C,MAAM,KAAK,GAAG,CAAC,uBAAuB,SAAS,EAAE,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;IACzE,IAAI,IAAI,CAAC,MAAM;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IAChF,KAAK,CAAC,IAAI,CAAC,YAAY,QAAQ,EAAE,CAAC,CAAC;IACnC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,CAAC,MAAM,mBAAmB,GAAG,6BAA6B,CAAC;AACjE,MAAM,CAAC,MAAM,eAAe,GAAG,yBAAyB,CAAC;AACzD,MAAM,CAAC,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAC3D,MAAM,CAAC,MAAM,cAAc,GAAG,wBAAwB,CAAC;AAEvD,MAAM,CAAC,MAAM,0BAA0B,GAAG,0BAA0B,CAAC;AACrE,MAAM,CAAC,MAAM,sBAAsB,GAAG,sBAAsB,CAAC;AAC7D,MAAM,CAAC,MAAM,uBAAuB,GAAG,uBAAuB,CAAC;AAC/D,MAAM,CAAC,MAAM,qBAAqB,GAAG,qBAAqB,CAAC;AAE3D,MAAM,UAAU,yBAAyB,CACvC,OAAsD;IAEtD,MAAM,CAAC,GAAG,OAAO,CAAC,yBAAyB,CAAC,IAAI,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAChF,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,OAAO,CAAC,CAAC;AACX,CAAC;AASD,MAAM,eAAe,GAAwB,IAAI,GAAG,CAAC;IACnD,aAAa;IACb,cAAc;IACd,gBAAgB;CACjB,CAAC,CAAC;AAEH,MAAM,UAAU,yBAAyB,CACvC,OAAsD;IAEtD,MAAM,GAAG,GAAG,OAAO,CAAC,wBAAwB,CAAC,IAAI,OAAO,CAAC,qBAAqB,CAAC,CAAC;IAChF,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IACxD,MAAM,OAAO,GAAmB,EAAE,CAAC;IAEnC,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,MAAM,CAAC,SAAS,EAAE,GAAG,UAAU,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,SAAU,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,SAAS;QAE3C,IAAI,SAA6B,CAAC;QAClC,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;YAC/B,MAAM,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC9B,IAAI,EAAE,KAAK,CAAC,CAAC;gBAAE,SAAS;YACxB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACtC,IAAI,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACrC,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC7C,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACzB,CAAC;YACD,IAAI,GAAG,KAAK,oBAAoB;gBAAE,SAAS,GAAG,GAAG,CAAC;QACpD,CAAC;QAED,MAAM,KAAK,GAAiB,EAAE,MAAM,EAAE,MAAuB,EAAE,CAAC;QAChE,IAAI,SAAS,KAAK,SAAS;YAAE,KAAK,CAAC,SAAS,GAAG,SAAS,CAAC;QACzD,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../../src/core/protocol/refresh.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAEhE,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,aAAa,CACjC,GAAG,EAAE,cAAc,EACnB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,
|
|
1
|
+
{"version":3,"file":"refresh.d.ts","sourceRoot":"","sources":["../../../src/core/protocol/refresh.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAEhE,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,wBAAwB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7C,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,aAAa,CACjC,GAAG,EAAE,cAAc,EACnB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,YAAY,CAAC,CAwDvB"}
|
|
@@ -24,6 +24,7 @@ export async function handleRefresh(req, storage) {
|
|
|
24
24
|
}
|
|
25
25
|
catch (err) {
|
|
26
26
|
if (err instanceof DbscVerificationError && err.code === ErrorCodes.SIGNATURE_INVALID) {
|
|
27
|
+
await storage.consumeChallenge(req.expectedJti);
|
|
27
28
|
const session = await storage.getSession(req.sessionId);
|
|
28
29
|
if (session) {
|
|
29
30
|
await storage.setSession({ ...session, tier: "none" });
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../src/core/protocol/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AASpF,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAmB,EACnB,OAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAClC,MAAM,IAAI,iBAAiB,CACzB,UAAU,CAAC,uBAAuB,EAClC,wDAAwD,CACzD,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,aAAa,EACxB,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,qBAAqB,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU,CAAC,iBAAiB,EAAE,CAAC;YACtF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxD,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,OAAO;QACL,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,GAAG,EAAE,GAAG,CAAC,WAAW;QACpB,QAAQ,EAAE,IAAI;KACf,CAAC;AACJ,CAAC"}
|
|
1
|
+
{"version":3,"file":"refresh.js","sourceRoot":"","sources":["../../../src/core/protocol/refresh.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AASpF,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,GAAmB,EACnB,OAAuB;IAEvB,IAAI,CAAC,GAAG,CAAC,wBAAwB,EAAE,CAAC;QAClC,MAAM,IAAI,iBAAiB,CACzB,UAAU,CAAC,uBAAuB,EAClC,wDAAwD,CACzD,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACrD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,qBAAqB,CAC7B,UAAU,CAAC,aAAa,EACxB,0BAA0B,CAC3B,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IAC9D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IACzF,CAAC;IACD,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;QACrC,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IACrF,CAAC;IAED,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,CAAC,IAAI,EAAE,CAAC;IAClD,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,qBAAqB,IAAI,GAAG,CAAC,IAAI,KAAK,UAAU,CAAC,iBAAiB,EAAE,CAAC;YACtF,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAChD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACxD,IAAI,OAAO,EAAE,CAAC;gBACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,qBAAqB,CAAC,UAAU,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,OAAO,CAAC,UAAU,CAAC,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACpF,CAAC;IAED,OAAO;QACL,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,GAAG,EAAE,GAAG,CAAC,WAAW;QACpB,QAAQ,EAAE,IAAI;KACf,CAAC;AACJ,CAAC"}
|
package/dist/core/types.d.ts
CHANGED
|
@@ -85,6 +85,23 @@ export interface DbscOptions {
|
|
|
85
85
|
refreshPath?: string;
|
|
86
86
|
boundCookieTtl?: number;
|
|
87
87
|
registrationCookieTtl?: number;
|
|
88
|
+
/**
|
|
89
|
+
* Grace window, in ms, applied after a bound cookie's freshness expires.
|
|
90
|
+
* Between cookie expiry and the browser's next /dbsc/refresh there is a
|
|
91
|
+
* short in-flight gap; without grace, freshness polls during that gap see
|
|
92
|
+
* tier="none" and may false-alarm an auto-logout. The middleware keeps the
|
|
93
|
+
* previous tier until `lastRefreshAt + boundCookieTtl + refreshGraceMs`.
|
|
94
|
+
* Defaults to 30000 (30s). Set 0 to demote the instant freshness expires.
|
|
95
|
+
*/
|
|
96
|
+
refreshGraceMs?: number;
|
|
97
|
+
/**
|
|
98
|
+
* Cookie prefix scope. "host" (default) uses `__Host-` cookies — origin
|
|
99
|
+
* locked, no Domain attribute, strongest. "site" uses `__Secure-` cookies
|
|
100
|
+
* with a Domain attribute so the binding works across subdomains
|
|
101
|
+
* (app.example.com + api.example.com); this drops `__Host-`'s
|
|
102
|
+
* subdomain-takeover protection. See docs/integration-recipes.md.
|
|
103
|
+
*/
|
|
104
|
+
cookieScope?: "host" | "site";
|
|
88
105
|
rateLimiter?: RateLimiter;
|
|
89
106
|
onEvent?: (event: AnyTelemetryEvent) => void;
|
|
90
107
|
/**
|
package/dist/core/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC;AAEvD,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,UAAU,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC;CAC9B;AAED,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,UAAU,CAAC;IAChB,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC;IAC7B,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAChD,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IACzD,WAAW,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjD,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IACrD,YAAY,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhD,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,WAAW;IAC1B,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChD,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9D;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAkB,SAAQ,cAAc;IACvD,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,YAAa,SAAQ,cAAc;IAClD,IAAI,EAAE,SAAS,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,wBAAyB,SAAQ,cAAc;IAC9D,IAAI,EAAE,sBAAsB,CAAC;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,kBAAmB,SAAQ,cAAc;IACxD,IAAI,EAAE,gBAAgB,CAAC;IACvB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,eAAgB,SAAQ,cAAc;IACrD,IAAI,EAAE,aAAa,CAAC;IACpB,IAAI,EAAE,cAAc,CAAC;IACrB,EAAE,EAAE,cAAc,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,MAAM,iBAAiB,GACzB,iBAAiB,GACjB,YAAY,GACZ,wBAAwB,GACxB,kBAAkB,GAClB,eAAe,CAAC;AAEpB,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC7C;;;;;;;;OAQG;IACH,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,cAAc,GAAG,IAAI,CAAC;CACjF;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB"}
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/core/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,CAAC;AAEvD,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,UAAU,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC;CAC9B;AAED,MAAM,WAAW,OAAO;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,UAAU,CAAC;IAChB,SAAS,EAAE,OAAO,GAAG,OAAO,CAAC;IAC7B,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAChD,UAAU,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5C,aAAa,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEzC,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;IACzD,WAAW,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1C,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjD,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;IACrD,YAAY,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClD,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhD,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAChD,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACjD;AAED,MAAM,WAAW,WAAW;IAC1B,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAChD,YAAY,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9D,aAAa,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9D;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAkB,SAAQ,cAAc;IACvD,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,YAAa,SAAQ,cAAc;IAClD,IAAI,EAAE,SAAS,CAAC;IAChB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,wBAAyB,SAAQ,cAAc;IAC9D,IAAI,EAAE,sBAAsB,CAAC;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,kBAAmB,SAAQ,cAAc;IACxD,IAAI,EAAE,gBAAgB,CAAC;IACvB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,eAAgB,SAAQ,cAAc;IACrD,IAAI,EAAE,aAAa,CAAC;IACpB,IAAI,EAAE,cAAc,CAAC;IACrB,EAAE,EAAE,cAAc,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,MAAM,iBAAiB,GACzB,iBAAiB,GACjB,YAAY,GACZ,wBAAwB,GACxB,kBAAkB,GAClB,eAAe,CAAC;AAEpB,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,cAAc,CAAC;IACxB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B;;;;;;;OAOG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC9B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,iBAAiB,KAAK,IAAI,CAAC;IAC7C;;;;;;;;OAQG;IACH,QAAQ,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,cAAc,GAAG,IAAI,CAAC;CACjF;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;CAChB"}
|
package/dist/express/index.d.ts
CHANGED
|
@@ -24,6 +24,7 @@ declare global {
|
|
|
24
24
|
}
|
|
25
25
|
export interface BindSessionOptions {
|
|
26
26
|
userId: string;
|
|
27
|
+
/** Match the value passed to dbsc({ secure }). Defaults true. Mismatch = cookies the middleware cannot read. */
|
|
27
28
|
secure?: boolean;
|
|
28
29
|
registrationPath?: string;
|
|
29
30
|
registrationCookieTtl?: number;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/express/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAW,QAAQ,EAAgB,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAmBL,KAAK,WAAW,EAChB,KAAK,cAAc,EAEnB,KAAK,cAAc,EACnB,KAAK,YAAY,EAElB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC/C,YAAY,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAY3D,MAAM,WAAW,kBAAmB,SAAQ,WAAW;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,IAAI,EAAE,cAAc,CAAC;IACrB,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,MAAM,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,MAAM;YACd,IAAI,EAAE,UAAU,CAAC;SAClB;KACF;CACF;AAuBD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,WAAW,CAC/B,GAAG,EAAE,QAAQ,EACb,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,kBAAkB,GACvB,OAAO,CAAC,IAAI,CAAC,CAyCf;AAED,wBAAgB,IAAI,CAAC,IAAI,EAAE,kBAAkB,GAAG,cAAc,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/express/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAW,QAAQ,EAAgB,cAAc,EAAE,MAAM,SAAS,CAAC;AAE/E,OAAO,EAmBL,KAAK,WAAW,EAChB,KAAK,cAAc,EAEnB,KAAK,cAAc,EACnB,KAAK,YAAY,EAElB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC/C,YAAY,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AAY3D,MAAM,WAAW,kBAAmB,SAAQ,WAAW;IACrD,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,IAAI,EAAE,cAAc,CAAC;IACrB,OAAO,EAAE,YAAY,EAAE,CAAC;IACxB,MAAM,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC7B;AAED,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,MAAM;YACd,IAAI,EAAE,UAAU,CAAC;SAClB;KACF;CACF;AAuBD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,gHAAgH;IAChH,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,wBAAsB,WAAW,CAC/B,GAAG,EAAE,QAAQ,EACb,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,cAAc,EACvB,IAAI,EAAE,kBAAkB,GACvB,OAAO,CAAC,IAAI,CAAC,CAyCf;AAED,wBAAgB,IAAI,CAAC,IAAI,EAAE,kBAAkB,GAAG,cAAc,CAge7D"}
|