peta-auth 0.1.0 → 0.1.2

package/README.md

@@ -26,7 +26,7 @@ bun add elysia         # for peta-auth/elysia
 
 ```ts
 import { Hono } from 'hono'
-import { session } from 'peta-auth/hono'
+import { session, requireSession } from 'peta-auth/hono'
 
 const app = new Hono()
 
@@ -35,19 +35,18 @@ app.use('*', session({
   cookieName: 'my-session',
 }))
 
-app.get('/profile', (c) => {
-  const s = c.var.session
-  if (!s.user) return c.json({ error: 'unauthorized' }, 401)
-  return c.json(s.user)
-})
-
 app.post('/login', async (c) => {
   const { name } = await c.req.json()
-  Object.assign(c.var.session, { user: { name }, loggedInAt: Date.now() })
+  c.var.session.user = { name }
   await c.var.session.save()
   return c.json({ ok: true })
 })
 
+// Everything below requireSession returns 401 if not logged in
+app.use('/api/*', requireSession())
+
+app.get('/api/profile', (c) => c.json(c.var.session.user))
+
 app.post('/logout', (c) => {
   c.var.session.destroy()
   return c.json({ ok: true })
@@ -60,25 +59,22 @@ Run with `bun run file.ts` — Bun auto-starts the server.
 
 ```ts
 import { Elysia } from 'elysia'
-import { session } from 'peta-auth/elysia'
+import { session, requireSession } from 'peta-auth/elysia'
 
 new Elysia()
   .use(session({
     password: process.env.SESSION_SECRET!,
     cookieName: 'my-session',
   }))
-  .get('/profile', ({ session: s }) =>
-    !s.user ? Response.json({ error: 'unauthorized' }, { status: 401 })
-            : Response.json(s.user))
   .post('/login', async ({ session: s, body }: any) => {
     s.user = { name: body.name }
     await s.save()
     return Response.json({ ok: true })
   })
-  .post('/logout', ({ session: s }) => {
-    s.destroy()
-    return Response.json({ ok: true })
-  })
+  .get('/public', () => Response.json({ message: 'public' }))
+  // Everything after requireSession is guarded
+  .use(requireSession())
+  .get('/profile', ({ session: s }) => Response.json(s.user))
   .listen(3000)
 ```
 
@@ -86,14 +82,14 @@ new Elysia()
 
 ```ts
 // server/api/profile.get.ts
-import { useSession } from 'peta-auth/nuxt'
+import { useSession, requireSession } from 'peta-auth/nuxt'
 
 export default defineEventHandler(async (event) => {
   const session = await useSession(event, {
     password: process.env.NUXT_SESSION_PASSWORD!,
     cookieName: 'nuxt-session',
   })
-  if (!session.user) throw createError({ statusCode: 401 })
+  requireSession(event, session)
   return session.user
 })
 ```
@@ -140,6 +136,33 @@ session({ password: { 1: 'old-pw', 2: 'new-pw' }, cookieName: 'my-session' })
 // new cookies use key 2, old cookies still decrypt with key 1
 ```
 
+### Typed sessions
+
+Add a generic type parameter to get full IntelliSense on your session data:
+
+```ts
+// Hono
+app.use('*', session<{ user: { name: string }; views: number }>({ password, cookieName }))
+// c.var.session.user.name → string
+// c.var.session.views     → number
+
+// Elysia
+app.use(session<{ user: { name: string } }>({ password, cookieName }))
+
+// Nuxt
+const session = await useSession<{ user: { name: string } }>(event, { password, cookieName })
+```
+
+Without a generic parameter, session data defaults to `Record<string, unknown>`.
+
+### `requireSession()` guard
+
+Returns 401 if the session has no user data. Works per-framework:
+
+- **Hono**: `app.use('/protected/*', requireSession())` — middleware, path-patterned
+- **Elysia**: `app.use(requireSession())` — guards all routes defined after it
+- **Nuxt**: `requireSession(event, session)` — throws `createError({ statusCode: 401 })`
+
 ### Session object
 
 ```ts
@@ -151,14 +174,93 @@ interface IronSession {
 }
 ```
 
-### Low-level
+---
+
+## JWT
+
+Sign and verify HS256 JWTs using the same password infrastructure.
+
+```ts
+import { signJWT, verifyJWT } from 'peta-auth/jwt'
+
+// Sign
+const token = await signJWT({ userId: 42, role: 'admin' }, {
+  password: process.env.JWT_SECRET!,
+  exp: 3600,                       // optional, seconds from now
+})
+
+// Verify
+const payload = await verifyJWT<{ userId: number; role: string }>(token, {
+  password: process.env.JWT_SECRET!,
+})
+if (!payload) throw new Error('invalid or expired token')
+```
+
+- `exp` defaults to no expiry if omitted
+- Supports password rotation (tries all keys on verify, signs with highest)
+- Requires password at least 32 characters
+
+---
+
+## CSRF protection
+
+Generate and validate CSRF tokens stored in the session.
+
+```ts
+import { generateCsrf, validateCsrf } from 'peta-auth/csrf'
+
+// On a form page — generate token and store in session
+const token = await generateCsrf(session)
+await session.save()
+// → render form with hidden field: <input name="_csrf" value="${token}" />
+
+// On form submission — validate
+if (!validateCsrf(session, body._csrf)) {
+  throw new Error('CSRF mismatch')
+}
+```
+
+- Uses `crypto.randomUUID()` for token generation
+- Stores token in session under `_csrfToken` (configurable via `{ key: 'myKey' }`)
+- You must call `session.save()` after `generateCsrf()`
+
+---
+
+## Password Reset
+
+Helpers for forgot/reset password flows using short-lived JWTs.
+
+```ts
+import { createPasswordResetToken, verifyPasswordResetToken, resetPassword } from 'peta-auth'
+
+// Generate a token (e.g., in a "forgot password" endpoint)
+const token = await createPasswordResetToken(user.email, {
+  password: process.env.SECRET!,
+  exp: 3600,  // optional, default 1 hour
+})
+// → email token as a link: https://example.com/reset?token=${token}
+
+// Verify a token (e.g., in a "reset password" endpoint)
+const payload = await verifyPasswordResetToken(token, process.env.SECRET!)
+if (!payload) throw new Error('Invalid or expired token')
+// payload.userId → the email passed to createPasswordResetToken
+
+// Combined: verify token + hash new password
+const result = await resetPassword(token, newPassword, process.env.SECRET!)
+if (!result) throw new Error('Invalid or expired token')
+users.set(result.userId, { ...user, hash: result.hash })
+```
+
+---
+
+## Low-level
 
 ```ts
 import { createSessionFromAdapter, sealData, unsealData } from 'peta-auth'
 import { hashPassword, verifyPassword } from 'peta-auth'
 ```
 
-- **`createSessionFromAdapter(adapter, options)`** — takes a `SessionAdapter` (`{ getCookie, setCookie }`). Used internally by all framework adapters.
+- **`createSessionFromAdapter<T>(adapter, options)`** — takes a `SessionAdapter` (`{ getCookie, setCookie }`). Used internally by all framework adapters.
 - **`sealData(data, { password, ttl? })` / `unsealData<T>(seal, { password, ttl? })`** — encrypt/decrypt arbitrary data.
 - **`hashPassword(password, { cost? })` / `verifyPassword(hash, password)`** — bcrypt hashing via `bcryptjs`. Default cost: 10.
 
@@ -186,9 +288,6 @@ const githubHandler = defineOAuthGitHubEventHandler({
     clientSecret: process.env.GITHUB_CLIENT_SECRET!,
   },
   async onSuccess({ user, tokens }) {
-    // The user is authenticated — redirect back to your app.
-    // To create a session, use the `request` parameter:
-    // onSuccess({ user, tokens, request })
     return new Response(null, { status: 302, headers: { Location: '/' } })
   },
 })
@@ -223,15 +322,20 @@ async onSuccess({ user, tokens, request }) {
 Full runnable examples in [`examples/`](./examples). All work with zero config (demo password fallback built in):
 
 ```bash
-bun run examples/hono-basic.ts        # Hono — session CRUD, views counter
-bun run examples/elysia-basic.ts      # Elysia — session CRUD, views counter
-bun run examples/password-auth.ts     # Hono — signup + login with bcrypt
-bun run examples/oauth-github.ts      # Hono — GitHub OAuth
-bun run examples/oauth-google.ts      # Hono — Google OAuth (PKCE)
-bun run examples/elysia-password.ts   # Elysia — signup + login with bcrypt
-bun run examples/elysia-oauth-github.ts # Elysia — GitHub OAuth
-bun run examples/elysia-oauth-google.ts # Elysia — Google OAuth (PKCE)
-cd examples/nuxt                      # Nuxt — server routes with useSession
+bun run examples/hono-basic.ts           # Hono — session CRUD, views counter
+bun run examples/hono-guard.ts           # Hono — requireSession guard
+bun run examples/elysia-basic.ts         # Elysia — session CRUD, views counter
+bun run examples/elysia-guard.ts         # Elysia — requireSession guard
+bun run examples/password-auth.ts        # Hono — signup + login with bcrypt
+bun run examples/password-reset.ts       # Hono — forgot/reset password flow
+bun run examples/jwt-basic.ts            # JWT sign + verify + tamper detection
+bun run examples/csrf-basic.ts           # Hono — CSRF token form example
+bun run examples/oauth-github.ts         # Hono — GitHub OAuth
+bun run examples/oauth-google.ts         # Hono — Google OAuth (PKCE)
+bun run examples/elysia-password.ts      # Elysia — signup + login with bcrypt
+bun run examples/elysia-oauth-github.ts  # Elysia — GitHub OAuth
+bun run examples/elysia-oauth-google.ts  # Elysia — Google OAuth (PKCE)
+cd examples/nuxt                         # Nuxt — server routes with useSession
 ```
 
 ---
@@ -250,7 +354,7 @@ Session data is serialized, encrypted with AES-256-CBC, integrity-protected with
 ## Scripts
 
 ```bash
-bun test            # 43 tests across 9 files
-bun run build       # tsdown → dist/ (16 files, 24 kB)
+bun test            # 65 tests across 12 files
+bun run build       # tsdown → dist/ (21 files, 30 kB)
 bun run prepublish  # build + publish
 ```

package/dist/crypto-Ln_Mj_zp.d.mts

@@ -0,0 +1,19 @@
+//#region src/crypto.d.ts
+type PasswordsMap = Record<string, string>;
+type Password = PasswordsMap | string;
+declare const sealData: (data: unknown, {
+  password,
+  ttl
+}: {
+  password: Password;
+  ttl?: number;
+}) => Promise<string>;
+declare const unsealData: <T>(seal: string, {
+  password,
+  ttl
+}: {
+  password: Password;
+  ttl?: number;
+}) => Promise<T>;
+//#endregion
+export { sealData as n, unsealData as r, Password as t };

package/dist/csrf.d.mts

@@ -0,0 +1,10 @@
+import { t as IronSession } from "./session-z20gaFVT.mjs";
+
+//#region src/csrf.d.ts
+interface CSRFOptions {
+  key?: string;
+}
+declare function generateCsrf(session: IronSession, options?: CSRFOptions): Promise<string>;
+declare function validateCsrf(session: IronSession, token: string, options?: CSRFOptions): boolean;
+//#endregion
+export { CSRFOptions, generateCsrf, validateCsrf };

package/dist/csrf.mjs

@@ -0,0 +1,13 @@
+//#region src/csrf.ts
+async function generateCsrf(session, options) {
+	const key = options?.key ?? "_csrfToken";
+	const token = crypto.randomUUID();
+	session[key] = token;
+	return token;
+}
+function validateCsrf(session, token, options) {
+	const stored = session[options?.key ?? "_csrfToken"];
+	return typeof stored === "string" && stored === token;
+}
+//#endregion
+export { generateCsrf, validateCsrf };

package/dist/elysia.d.mts

@@ -1,8 +1,8 @@
-import { r as SessionOptions, t as IronSession } from "./session-DYH_m3lO.mjs";
+import { r as SessionOptions, t as IronSession } from "./session-z20gaFVT.mjs";
 import { Elysia } from "elysia";
 
 //#region src/elysia.d.ts
-declare function session(options: SessionOptions): Elysia<"", {
+declare function session<T extends Record<string, unknown> = Record<string, unknown>>(options: SessionOptions): Elysia<"", {
   decorator: {};
   store: {};
   derive: {};
@@ -19,13 +19,13 @@ declare function session(options: SessionOptions): Elysia<"", {
   response: {};
 }, {}, {
   derive: {
-    readonly session: Record<string, unknown> & IronSession;
+    readonly session: T & IronSession;
   };
   resolve: {};
   schema: {};
   standaloneSchema: {};
   response: import("elysia").ExtractErrorFromHandle<{
-    readonly session: Record<string, unknown> & IronSession;
+    readonly session: T & IronSession;
   }>;
 }, {
   derive: {};
@@ -34,5 +34,35 @@ declare function session(options: SessionOptions): Elysia<"", {
   standaloneSchema: {};
   response: {};
 }>;
+declare function requireSession(): (app: Elysia) => Elysia<"", {
+  decorator: {};
+  store: {};
+  derive: {};
+  resolve: {};
+}, {
+  typebox: {};
+  error: {};
+}, {
+  schema: {};
+  standaloneSchema: {};
+  macro: {};
+  macroFn: {};
+  parser: {};
+  response: {};
+}, {}, {
+  derive: {};
+  resolve: {};
+  schema: {};
+  standaloneSchema: {};
+  response: {};
+}, {
+  derive: {};
+  resolve: {};
+  schema: {};
+  standaloneSchema: {};
+  response: {
+    200: Response;
+  };
+}>;
 //#endregion
-export { session };
+export { requireSession, session };

package/dist/elysia.mjs

@@ -13,5 +13,14 @@ function session(options) {
 		}, options) };
 	});
 }
+function requireSession() {
+	return (app) => app.onBeforeHandle((context) => {
+		const session = context.session;
+		if (!Object.keys(session).some((k) => k !== "save" && k !== "destroy" && k !== "updateConfig")) return new Response(JSON.stringify({ error: "unauthorized" }), {
+			status: 401,
+			headers: { "Content-Type": "application/json" }
+		});
+	});
+}
 //#endregion
-export { session };
+export { requireSession, session };

package/dist/hono.d.mts

@@ -1,12 +1,12 @@
-import { r as SessionOptions, t as IronSession } from "./session-DYH_m3lO.mjs";
+import { r as SessionOptions, t as IronSession } from "./session-z20gaFVT.mjs";
 import { MiddlewareHandler } from "hono";
 
 //#region src/hono.d.ts
-declare module 'hono' {
-  interface ContextVariableMap {
-    session: IronSession;
-  }
-}
-declare function session(options: SessionOptions): MiddlewareHandler;
+declare function session<T extends Record<string, unknown> = Record<string, unknown>>(options: SessionOptions): MiddlewareHandler<{
+  Variables: {
+    session: T & IronSession;
+  };
+}>;
+declare function requireSession(): MiddlewareHandler;
 //#endregion
-export { session };
+export { requireSession, session };

package/dist/hono.mjs

@@ -11,5 +11,12 @@ function session(options) {
 		await next();
 	});
 }
+function requireSession() {
+	return createMiddleware(async (c, next) => {
+		const s = c.var.session;
+		if (!Object.keys(s).some((k) => k !== "save" && k !== "destroy" && k !== "updateConfig")) return c.json({ error: "unauthorized" }, 401);
+		await next();
+	});
+}
 //#endregion
-export { session };
+export { requireSession, session };

package/dist/index.d.mts

@@ -1,4 +1,7 @@
-import { a as Password, i as createSessionFromAdapter, n as SessionAdapter, o as sealData, r as SessionOptions, s as unsealData, t as IronSession } from "./session-DYH_m3lO.mjs";
+import { n as sealData, r as unsealData, t as Password } from "./crypto-Ln_Mj_zp.mjs";
+import { i as createSessionFromAdapter, n as SessionAdapter, r as SessionOptions, t as IronSession } from "./session-z20gaFVT.mjs";
+import { CSRFOptions, generateCsrf, validateCsrf } from "./csrf.mjs";
+import { JWTOptions, signJWT, verifyJWT } from "./jwt.mjs";
 
 //#region src/password.d.ts
 interface HashOptions {
@@ -7,4 +10,18 @@ interface HashOptions {
 declare function hashPassword(password: string, options?: HashOptions): Promise<string>;
 declare function verifyPassword(hash: string, password: string): Promise<boolean>;
 //#endregion
-export { type IronSession, type Password, type SessionAdapter, type SessionOptions, createSessionFromAdapter, hashPassword, sealData, unsealData, verifyPassword };
+//#region src/reset-password.d.ts
+interface PasswordResetOptions {
+  password: Password;
+  exp?: number;
+}
+declare function createPasswordResetToken(userId: string, options: PasswordResetOptions): Promise<string>;
+declare function verifyPasswordResetToken(token: string, password: Password): Promise<{
+  userId: string;
+} | null>;
+declare function resetPassword(token: string, newPassword: string, password: Password): Promise<{
+  userId: string;
+  hash: string;
+} | null>;
+//#endregion
+export { type CSRFOptions, type IronSession, type JWTOptions, type Password, type PasswordResetOptions, type SessionAdapter, type SessionOptions, createPasswordResetToken, createSessionFromAdapter, generateCsrf, hashPassword, resetPassword, sealData, signJWT, unsealData, validateCsrf, verifyJWT, verifyPassword, verifyPasswordResetToken };

package/dist/index.mjs

@@ -1,4 +1,6 @@
 import { n as sealData, r as unsealData, t as createSessionFromAdapter } from "./session-DSwf3XPH.mjs";
+import { generateCsrf, validateCsrf } from "./csrf.mjs";
+import { signJWT, verifyJWT } from "./jwt.mjs";
 import { compareSync, genSaltSync, hashSync } from "bcryptjs";
 //#region src/password.ts
 async function hashPassword(password, options = {}) {
@@ -8,4 +10,29 @@ async function verifyPassword(hash, password) {
 	return compareSync(password, hash);
 }
 //#endregion
-export { createSessionFromAdapter, hashPassword, sealData, unsealData, verifyPassword };
+//#region src/reset-password.ts
+const DEFAULT_EXPIRY = 3600;
+async function createPasswordResetToken(userId, options) {
+	return signJWT({
+		userId,
+		purpose: "password-reset"
+	}, {
+		password: options.password,
+		exp: options.exp ?? DEFAULT_EXPIRY
+	});
+}
+async function verifyPasswordResetToken(token, password) {
+	const payload = await verifyJWT(token, { password });
+	if (!payload || payload.purpose !== "password-reset") return null;
+	return { userId: payload.userId };
+}
+async function resetPassword(token, newPassword, password) {
+	const payload = await verifyPasswordResetToken(token, password);
+	if (!payload) return null;
+	return {
+		userId: payload.userId,
+		hash: await hashPassword(newPassword)
+	};
+}
+//#endregion
+export { createPasswordResetToken, createSessionFromAdapter, generateCsrf, hashPassword, resetPassword, sealData, signJWT, unsealData, validateCsrf, verifyJWT, verifyPassword, verifyPasswordResetToken };

package/dist/jwt.d.mts

@@ -0,0 +1,11 @@
+import { t as Password } from "./crypto-Ln_Mj_zp.mjs";
+
+//#region src/jwt.d.ts
+interface JWTOptions {
+  password: Password;
+  exp?: number;
+}
+declare function signJWT(payload: Record<string, unknown>, options: JWTOptions): Promise<string>;
+declare function verifyJWT<T = Record<string, unknown>>(token: string, options: JWTOptions): Promise<T | null>;
+//#endregion
+export { JWTOptions, signJWT, verifyJWT };

package/dist/jwt.mjs

@@ -0,0 +1,28 @@
+import * as jose from "jose";
+//#region src/jwt.ts
+function toPasswordMap(password) {
+	return typeof password === "string" ? { 1: password } : password;
+}
+function toKey(secret) {
+	return new TextEncoder().encode(secret);
+}
+async function signJWT(payload, options) {
+	const map = toPasswordMap(options.password);
+	const secret = map[Math.max(...Object.keys(map).map(Number)).toString()];
+	if (!secret || secret.length < 32) throw new Error("peta-auth/jwt: password must be at least 32 characters");
+	const jwt = new jose.SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt();
+	if (options.exp !== void 0) jwt.setExpirationTime(Math.floor(Date.now() / 1e3) + options.exp);
+	return jwt.sign(toKey(secret));
+}
+async function verifyJWT(token, options) {
+	for (const secret of Object.values(toPasswordMap(options.password))) {
+		if (!secret) continue;
+		try {
+			const { payload } = await jose.jwtVerify(token, toKey(secret));
+			return payload;
+		} catch {}
+	}
+	return null;
+}
+//#endregion
+export { signJWT, verifyJWT };

package/dist/nuxt.d.mts

@@ -1,7 +1,8 @@
-import { r as SessionOptions, t as IronSession } from "./session-DYH_m3lO.mjs";
+import { r as SessionOptions, t as IronSession } from "./session-z20gaFVT.mjs";
 import { H3Event } from "h3";
 
 //#region src/nuxt.d.ts
-declare function useSession(event: H3Event, options: SessionOptions): Promise<IronSession>;
+declare function useSession<T extends Record<string, unknown> = Record<string, unknown>>(event: H3Event, options: SessionOptions): Promise<T & IronSession>;
+declare function requireSession(_event: H3Event, session: IronSession): void;
 //#endregion
-export { useSession };
+export { requireSession, useSession };

package/dist/nuxt.mjs

@@ -1,5 +1,5 @@
 import { t as createSessionFromAdapter } from "./session-DSwf3XPH.mjs";
-import { appendHeader, getCookie } from "h3";
+import { appendHeader, createError, getCookie } from "h3";
 //#region src/nuxt.ts
 function useSession(event, options) {
 	const password = options.password ?? process.env.NUXT_SESSION_PASSWORD;
@@ -14,5 +14,11 @@ function useSession(event, options) {
 		cookieOptions: options?.cookieOptions
 	});
 }
+function requireSession(_event, session) {
+	if (!Object.keys(session).some((k) => k !== "save" && k !== "destroy" && k !== "updateConfig")) throw createError({
+		statusCode: 401,
+		statusMessage: "unauthorized"
+	});
+}
 //#endregion
-export { useSession };
+export { requireSession, useSession };

package/dist/{session-DYH_m3lO.d.mts → session-z20gaFVT.d.mts}

@@ -1,23 +1,6 @@
+import { t as Password } from "./crypto-Ln_Mj_zp.mjs";
 import { SerializeOptions } from "cookie";
 
-//#region src/crypto.d.ts
-type PasswordsMap = Record<string, string>;
-type Password = PasswordsMap | string;
-declare const sealData: (data: unknown, {
-  password,
-  ttl
-}: {
-  password: Password;
-  ttl?: number;
-}) => Promise<string>;
-declare const unsealData: <T>(seal: string, {
-  password,
-  ttl
-}: {
-  password: Password;
-  ttl?: number;
-}) => Promise<T>;
-//#endregion
 //#region src/session.d.ts
 interface SessionOptions {
   password: Password;
@@ -37,4 +20,4 @@ interface SessionAdapter {
 }
 declare function createSessionFromAdapter<T extends Record<string, unknown> = Record<string, unknown>>(adapter: SessionAdapter, options: SessionOptions): Promise<T & IronSession>;
 //#endregion
-export { Password as a, createSessionFromAdapter as i, SessionAdapter as n, sealData as o, SessionOptions as r, unsealData as s, IronSession as t };
+export { createSessionFromAdapter as i, SessionAdapter as n, SessionOptions as r, IronSession as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "peta-auth",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Encrypted cookie sessions for Bun — Hono, ElysiaJS & Nuxt adapters",
   "type": "module",
   "module": "./dist/index.mjs",
@@ -22,6 +22,14 @@
       "types": "./dist/nuxt.d.mts",
       "import": "./dist/nuxt.mjs"
     },
+    "./jwt": {
+      "types": "./dist/jwt.d.mts",
+      "import": "./dist/jwt.mjs"
+    },
+    "./csrf": {
+      "types": "./dist/csrf.d.mts",
+      "import": "./dist/csrf.mjs"
+    },
     "./oauth/github": {
       "types": "./dist/oauth/github.d.mts",
       "import": "./dist/oauth/github.mjs"
@@ -39,18 +47,20 @@
     "lint": "biome check --write .",
     "lint:ci": "biome ci .",
     "prepublish": "bun run build",
-    "test": "bun test"
+    "test": "bun test",
+    "typecheck": "tsc --noEmit"
   },
   "dependencies": {
     "bcryptjs": "^3.0.3",
     "cookie": "^1.0.2",
-    "iron-webcrypto": "^1.2.1"
+    "iron-webcrypto": "^1.2.1",
+    "jose": "^6.2.3"
   },
   "peerDependencies": {
     "elysia": ">=1.0.0",
     "h3": ">=1.15.0",
     "hono": ">=4.0.0",
-    "typescript": "^5.0.0"
+    "typescript": "^6.0.0"
   },
   "peerDependenciesMeta": {
     "elysia": {
@@ -71,6 +81,6 @@
     "h3": "latest",
     "hono": "latest",
     "tsdown": "latest",
-    "typescript": "^5.0.0"
+    "typescript": "^6.0.3"
   }
 }