secure-web-token 1.0.1 → 1.0.3

package/README.md

@@ -1,178 +1,148 @@
-# 🔐 Secure Web Token (Fingerprint Based)
+# 🔐 Secure Web Token (SWT)
 
-A lightweight Node.js authentication package that allows you to **sign and verify tokens using one or more device fingerprints**.
+## 1. About the Package
 
-This helps prevent token misuse across different devices.
+**Secure Web Token (SWT)** is a Node.js authentication package that provides a more secure alternative to JWT by **encrypting token payloads** and **binding tokens to specific devices** using fingerprints.
 
----
-
-## ✨ Features
-
-- Supports **single or multiple fingerprints**
-- Simple `sign()` and `verify()` API
-- CommonJS compatible
-- Editor IntelliSense support
-- No heavy dependencies
+It is designed for applications where security and device-level access control matter.
 
 ---
 
-## 📦 Installation
+## 2. What Problem Does It Solve?
 
-```bash
-npm install secure-web-token
-```
+Traditional JWT has some well-known issues:
 
----
+- JWT payloads are **Base64 encoded**, not encrypted  
+- Anyone can decode the payload using online tools without the secret  
+- If a token leaks, it can be reused on **any device**  
+- No built-in way to restrict tokens to a specific device  
 
-## 📥 Import
+**Secure Web Token (SWT)** solves these problems by:
 
-```js
-const { sign, verify } = require("secure-web-token");
-```
-
----
+- Encrypting the payload using **AES-256-GCM**
+- Making payload data **completely unreadable without the secret**
+- Allowing tokens to be bound to **one or more device fingerprints**
+- Preventing token reuse from unauthorized devices
+- Supporting auto-generated device IDs for stronger protection
 
-## 🧠 What is Fingerprint?
-
-A fingerprint is any unique identifier of a device, for example:
-- Browser + OS (`Chrome-Linux`)
-- Device name
-- IP address
-- Custom string
-
-You can pass **one or multiple fingerprints**.
+This makes SWT especially useful for:
+- Course platforms (anti-piracy)
+- SaaS dashboards
+- Admin panels
+- Device-restricted systems
 
 ---
 
-## ✍️ sign()
-
-Creates a secure token with fingerprint validation.
+## 3. Available Functions
 
-### Syntax
+### `sign()`
+Creates an encrypted and signed token.
 
-```js
-sign(payload, secret, options)
-```
-
-### Parameters
-
-| Parameter | Type | Description |
-|---------|-----|-------------|
-| payload | Object | Data you want inside token |
-| secret | String | Secret key |
-| options.expiresIn | Number | Expiry time (seconds) |
-| options.fingerprint | String \| String[] | Allowed fingerprint(s) |
+**Features:**
+- Encrypts payload
+- Adds expiry (`iat`, `exp`)
+- Supports device fingerprint binding
+- Can auto-generate a device ID
 
 ---
 
-### Example: Single Fingerprint
+### `verify()`
+Verifies and decrypts a token.
 
-```js
-const token = sign(
-  { userId: 1 },
-  "my-secret",
-  {
-    expiresIn: 60,
-    fingerprint: "Chrome-Linux"
-  }
-);
-
-console.log("TOKEN:", token);
-```
+**Checks performed:**
+- Token format
+- Signature integrity
+- Token expiry
+- Device fingerprint validation
 
 ---
 
-### Example: Multiple Fingerprints
+## 4. Sample Code
 
-```js
-const token = sign(
-  { userId: 1 },
-  "my-secret",
-  {
-    expiresIn: 60,
-    fingerprint: ["Chrome-Linux", "Windows"]
-  }
-);
+### Installation
+
+```bash
+npm install secure-web-token
 ```
 
 ---
 
-## ✅ verify()
-
-Verifies the token and checks whether the fingerprint is valid.
-
-### Syntax
+### Import
 
 ```js
-verify(token, secret, options)
+const { sign, verify } = require("secure-web-token");
 ```
 
-### Parameters
-
-| Parameter | Type | Description |
-|---------|-----|-------------|
-| token | String | Token to verify |
-| secret | String | Same secret used while signing |
-| options.fingerprint | String \| String[] | Current device fingerprint |
-
 ---
 
-### Example: Successful Verification
+### Signing a Token (Auto Device Registration)
 
 ```js
-const payload = verify(token, "my-secret", {
-  fingerprint: "Chrome-Linux"
-});
+const secret = "my-super-secret";
 
-console.log("PAYLOAD:", payload);
-```
-
----
-
-### Example: Multiple Fingerprints Verification
+const { token, deviceId } = sign(
+  { userId: 1, role: "admin" },
+  secret,
+  { fingerprint: true }
+);
 
-```js
-const payload = verify(token, "my-secret", {
-  fingerprint: ["Chrome-Linux", "monjal"]
-});
+console.log("TOKEN:", token);
+console.log("DEVICE ID:", deviceId);
 ```
 
 ---
 
-## ❌ Invalid Fingerprint Example
+### Verifying the Token
 
 ```js
 try {
-  verify(token, "my-secret", {
-    fingerprint: "Unknown-Device"
+  const payload = verify(token, secret, {
+    fingerprint: deviceId
   });
+
+  console.log("USER DATA:", payload.data);
 } catch (err) {
-  console.error(err.message);
+  console.error("AUTH ERROR:", err.message);
 }
 ```
 
 ---
 
-## ⏰ Token Expiry Example
+### Using Custom Fingerprints
 
 ```js
-const token = sign(
-  { role: "admin" },
-  "secret-key",
+const { token } = sign(
+  { userId: 2 },
+  secret,
   {
-    expiresIn: 5,
-    fingerprint: "Chrome-Linux"
+    expiresIn: 60,
+    fingerprint: ["Chrome-Linux", "192.168.1.10"]
   }
 );
 
-// After 5 seconds
-verify(token, "secret-key", {
+verify(token, secret, {
   fingerprint: "Chrome-Linux"
 });
 ```
 
 ---
 
-## 📜 License
+## Payload Structure (Internal)
+
+```js
+{
+  data: {
+    userId: 1,
+    role: "admin"
+  },
+  iat: 1768368114,
+  exp: 1768369014,
+  fp: ["device-id"]
+}
+```
+
+---
+
+## License
 
 MIT License

package/dist/decrypt.d.ts

@@ -1,2 +1,9 @@
+/**
+ * Decrypts an encrypted SWT payload.
+ *
+ * @param encryptedPayload - Encrypted Base64URL payload
+ * @param secret - Secret key
+ * @returns Decrypted payload object
+ */
 export default function decrypt(encryptedPayload: string, secret: string): Record<string, any>;
 //# sourceMappingURL=decrypt.d.ts.map

package/dist/decrypt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../src/decrypt.ts"],"names":[],"mappings":"AAGA,MAAM,CAAC,OAAO,UAAU,OAAO,CAC3B,gBAAgB,EAAE,MAAM,EACxB,MAAM,EAAE,MAAM,GACf,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CA0BrB"}
+{"version":3,"file":"decrypt.d.ts","sourceRoot":"","sources":["../src/decrypt.ts"],"names":[],"mappings":"AAGA;;;;;;GAMG;AACH,MAAM,CAAC,OAAO,UAAU,OAAO,CAC7B,gBAAgB,EAAE,MAAM,EACxB,MAAM,EAAE,MAAM,GACb,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAqBrB"}

package/dist/decrypt.js

@@ -36,6 +36,13 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.default = decrypt;
 const crypto = __importStar(require("crypto"));
 const utils_1 = require("./utils");
+/**
+ * Decrypts an encrypted SWT payload.
+ *
+ * @param encryptedPayload - Encrypted Base64URL payload
+ * @param secret - Secret key
+ * @returns Decrypted payload object
+ */
 function decrypt(encryptedPayload, secret) {
     const data = (0, utils_1.base64urlDecode)(encryptedPayload);
     const iv = data.subarray(0, 12);

package/dist/device.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Generate a secure, random device ID.
+ * Used for Device Registration Model.
+ *
+ * @returns UUID v4 string
+ */
+export declare function generateDeviceId(): string;
+//# sourceMappingURL=device.d.ts.map

package/dist/device.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.d.ts","sourceRoot":"","sources":["../src/device.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC"}

package/dist/device.js

@@ -0,0 +1,46 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateDeviceId = generateDeviceId;
+const crypto = __importStar(require("crypto"));
+/**
+ * Generate a secure, random device ID.
+ * Used for Device Registration Model.
+ *
+ * @returns UUID v4 string
+ */
+function generateDeviceId() {
+    return crypto.randomUUID();
+}

package/dist/encrypt.d.ts

@@ -1,2 +1,10 @@
+/**
+ * Encrypts payload using AES-256-GCM.
+ * Payload is fully encrypted (unlike JWT).
+ *
+ * @param payload - Object to encrypt
+ * @param secret - Secret key
+ * @returns Encrypted Base64URL string
+ */
 export default function encrypt(payload: Record<string, any>, secret: string): string;
 //# sourceMappingURL=encrypt.d.ts.map

package/dist/encrypt.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../src/encrypt.ts"],"names":[],"mappings":"AAGA,MAAM,CAAC,OAAO,UAAU,OAAO,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC5B,MAAM,EAAE,MAAM,GACf,MAAM,CAoBR"}
+{"version":3,"file":"encrypt.d.ts","sourceRoot":"","sources":["../src/encrypt.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;AACH,MAAM,CAAC,OAAO,UAAU,OAAO,CAC7B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC5B,MAAM,EAAE,MAAM,GACb,MAAM,CAkBR"}

package/dist/encrypt.js

@@ -36,6 +36,14 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.default = encrypt;
 const crypto = __importStar(require("crypto"));
 const utils_1 = require("./utils");
+/**
+ * Encrypts payload using AES-256-GCM.
+ * Payload is fully encrypted (unlike JWT).
+ *
+ * @param payload - Object to encrypt
+ * @param secret - Secret key
+ * @returns Encrypted Base64URL string
+ */
 function encrypt(payload, secret) {
     const iv = crypto.randomBytes(12);
     const key = crypto

package/dist/index.d.ts

@@ -1,3 +1,7 @@
+/**
+ * Secure Web Token (SWT)
+ * Encrypted, device-bound alternative to JWT
+ */
 export { default as sign } from "./sign";
 export { default as verify } from "./verify";
 export type { SignOptions } from "./sign";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,IAAI,IAAI,EAAE,MAAM,QAAQ,CAAC;AACzC,OAAO,EAAE,OAAO,IAAI,MAAM,EAAE,MAAM,UAAU,CAAC;AAE7C,YAAY,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC1C,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,IAAI,IAAI,EAAE,MAAM,QAAQ,CAAC;AACzC,OAAO,EAAE,OAAO,IAAI,MAAM,EAAE,MAAM,UAAU,CAAC;AAE7C,YAAY,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AAC1C,YAAY,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -1,4 +1,8 @@
 "use strict";
+/**
+ * Secure Web Token (SWT)
+ * Encrypted, device-bound alternative to JWT
+ */
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };

package/dist/sign.d.ts

@@ -1,5 +1,5 @@
 /**
- * Options for signing a secure token
+ * Options for signing a Secure Web Token (SWT)
  */
 export interface SignOptions {
     /**
@@ -8,22 +8,17 @@ export interface SignOptions {
      */
     expiresIn?: number;
     /**
-     * One or more fingerprints allowed to use this token
-     * Example: device hash, IP hash, browser hash
+     * true → auto-generate device ID
+     * string | string[] → custom fingerprints
      */
-    fingerprint?: string | string[];
+    fingerprint?: true | string | string[];
 }
 /**
- * Creates a secure encrypted token.
- *
- * @param payload - Data you want to store inside the token
- * @param secret - Secret key used for encryption & signature
- * @param options - Optional token settings (expiry, fingerprint)
- *
- * @returns Encrypted and signed token string
- *
- * @example
- * sign({ userId: 1 }, "secret", { expiresIn: 60 })
+ * Creates a Secure Web Token (SWT).
+ * User data is stored inside `payload.data`.
  */
-export default function sign(payload: Record<string, any>, secret: string, options?: SignOptions): string;
+export default function sign(data: Record<string, any>, secret: string, options?: SignOptions): {
+    token: string;
+    deviceId?: string;
+};
 //# sourceMappingURL=sign.d.ts.map

package/dist/sign.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CACjC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,OAAO,UAAU,IAAI,CAC1B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAC5B,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,WAAgB,GACxB,MAAM,CA0BR"}
+{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;;OAGG;IACH,WAAW,CAAC,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,EAAE,CAAC;CACxC;AAED;;;GAGG;AACH,MAAM,CAAC,OAAO,UAAU,IAAI,CAC1B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,WAAgB,GACxB;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,CAgDtC"}

package/dist/sign.js

@@ -40,31 +40,39 @@ exports.default = sign;
 const crypto = __importStar(require("crypto"));
 const encrypt_1 = __importDefault(require("./encrypt"));
 const utils_1 = require("./utils");
+const device_1 = require("./device");
 /**
- * Creates a secure encrypted token.
- *
- * @param payload - Data you want to store inside the token
- * @param secret - Secret key used for encryption & signature
- * @param options - Optional token settings (expiry, fingerprint)
- *
- * @returns Encrypted and signed token string
- *
- * @example
- * sign({ userId: 1 }, "secret", { expiresIn: 60 })
+ * Creates a Secure Web Token (SWT).
+ * User data is stored inside `payload.data`.
  */
-function sign(payload, secret, options = {}) {
-    const header = {
-        alg: "AES-256-GCM+HMAC",
-        typ: "STK",
-    };
+function sign(data, secret, options = {}) {
+    if (!secret || typeof secret !== "string") {
+        throw new Error("Secret must be a non-empty string");
+    }
+    if (!data || typeof data !== "object") {
+        throw new Error("Data must be an object");
+    }
     const now = Math.floor(Date.now() / 1000);
-    payload.iat = now;
-    payload.exp = now + (options.expiresIn ?? 900);
-    if (options.fingerprint) {
+    const payload = {
+        data, // 👈 user data lives here
+        iat: now,
+        exp: now + (options.expiresIn ?? 900),
+    };
+    let deviceId;
+    // 🔐 Device Registration Model
+    if (options.fingerprint === true) {
+        deviceId = (0, device_1.generateDeviceId)();
+        payload.fp = [deviceId];
+    }
+    else if (options.fingerprint) {
         payload.fp = Array.isArray(options.fingerprint)
             ? options.fingerprint
             : [options.fingerprint];
     }
+    const header = {
+        alg: "AES-256-GCM+HMAC",
+        typ: "SWT",
+    };
     const encodedHeader = (0, utils_1.base64urlEncode)(JSON.stringify(header));
     const encryptedPayload = (0, encrypt_1.default)(payload, secret);
     const dataToSign = `${encodedHeader}.${encryptedPayload}`;
@@ -72,5 +80,8 @@ function sign(payload, secret, options = {}) {
         .createHmac("sha256", secret)
         .update(dataToSign)
         .digest("base64url");
-    return `${dataToSign}.${signature}`;
+    return {
+        token: `${dataToSign}.${signature}`,
+        deviceId,
+    };
 }

package/dist/utils.d.ts

@@ -1,5 +1,33 @@
+/**
+ * Encode data into Base64URL format.
+ * Used to make tokens URL-safe.
+ *
+ * @param input - Buffer or string to encode
+ * @returns Base64URL encoded string
+ */
 export declare function base64urlEncode(input: Buffer | string): string;
+/**
+ * Decode Base64URL encoded data back into Buffer.
+ *
+ * @param input - Base64URL string
+ * @returns Decoded Buffer
+ */
 export declare function base64urlDecode(input: string): Buffer;
+/**
+ * Create a SHA-256 hash.
+ * Useful for hashing fingerprints or secrets.
+ *
+ * @param data - String or Buffer to hash
+ * @returns SHA-256 hash Buffer
+ */
 export declare function hash(data: string | Buffer): Buffer;
+/**
+ * Compare two buffers in constant time.
+ * Prevents timing attacks.
+ *
+ * @param a - First buffer
+ * @param b - Second buffer
+ * @returns True if equal, false otherwise
+ */
 export declare function timingSafeEqual(a: Buffer, b: Buffer): boolean;
 //# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAEA,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAE9D;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAErD;AAED,wBAAgB,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAElD;AAED,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAG7D"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAE9D;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAErD;AAED;;;;;;GAMG;AACH,wBAAgB,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAElD;AAED;;;;;;;GAOG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAG7D"}

package/dist/utils.js

@@ -38,15 +38,43 @@ exports.base64urlDecode = base64urlDecode;
 exports.hash = hash;
 exports.timingSafeEqual = timingSafeEqual;
 const crypto = __importStar(require("crypto"));
+/**
+ * Encode data into Base64URL format.
+ * Used to make tokens URL-safe.
+ *
+ * @param input - Buffer or string to encode
+ * @returns Base64URL encoded string
+ */
 function base64urlEncode(input) {
     return Buffer.from(input).toString("base64url");
 }
+/**
+ * Decode Base64URL encoded data back into Buffer.
+ *
+ * @param input - Base64URL string
+ * @returns Decoded Buffer
+ */
 function base64urlDecode(input) {
     return Buffer.from(input, "base64url");
 }
+/**
+ * Create a SHA-256 hash.
+ * Useful for hashing fingerprints or secrets.
+ *
+ * @param data - String or Buffer to hash
+ * @returns SHA-256 hash Buffer
+ */
 function hash(data) {
     return crypto.createHash("sha256").update(data).digest();
 }
+/**
+ * Compare two buffers in constant time.
+ * Prevents timing attacks.
+ *
+ * @param a - First buffer
+ * @param b - Second buffer
+ * @returns True if equal, false otherwise
+ */
 function timingSafeEqual(a, b) {
     if (a.length !== b.length)
         return false;

package/dist/verify.d.ts

@@ -1,5 +1,14 @@
+/**
+ * Options for verifying a Secure Web Token
+ */
 export interface VerifyOptions {
-    fingerprint?: string | string[];
+    /**
+     * Device fingerprint(s) allowed to verify token
+     */
+    fingerprint?: string;
 }
+/**
+ * Verifies and decrypts a Secure Web Token.
+ */
 export default function verify(token: string, secret: string, options?: VerifyOptions): Record<string, any>;
 //# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,aAAa;IAC1B,WAAW,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CACnC;AAED,MAAM,CAAC,OAAO,UAAU,MAAM,CAC1B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,aAAkB,GAC5B,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAiDrB"}
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,CAAC,OAAO,UAAU,MAAM,CAC5B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,aAAkB,GAC1B,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAmDrB"}

package/dist/verify.js

@@ -40,7 +40,13 @@ exports.default = verify;
 const crypto = __importStar(require("crypto"));
 const decrypt_1 = __importDefault(require("./decrypt"));
 const utils_1 = require("./utils");
+/**
+ * Verifies and decrypts a Secure Web Token.
+ */
 function verify(token, secret, options = {}) {
+    if (!token || typeof token !== "string") {
+        throw new Error("Token must be a string");
+    }
     const parts = token.split(".");
     if (parts.length !== 3) {
         throw new Error("Invalid token format");
@@ -59,17 +65,16 @@ function verify(token, secret, options = {}) {
     if (payload.exp < now) {
         throw new Error("Token expired");
     }
+    if (!payload.data || typeof payload.data !== "object") {
+        throw new Error("Invalid payload structure");
+    }
     if (options.fingerprint) {
-        const provided = Array.isArray(options.fingerprint)
-            ? options.fingerprint
-            : [options.fingerprint];
-        const stored = Array.isArray(payload.fp)
-            ? payload.fp
-            : [];
-        const matched = provided.some(fp => stored.includes(fp));
+        const provided = options.fingerprint;
+        const stored = payload.fp;
+        const matched = provided === stored;
         if (!matched) {
             throw new Error("Fingerprint mismatch");
         }
     }
-    return payload;
+    return payload; // { data, iat, exp, fp }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-web-token",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "A secure web token utility",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",