secure-web-token 1.0.5 → 1.2.0

package/dist/sign.d.ts

@@ -1,29 +1,16 @@
-/**
- * Options for signing a Secure Web Token (SWT)
- */
+import { StoreType } from "./store";
 export interface SignOptions {
-    /**
-     * Token expiry time in seconds
-     * @default 900 (15 minutes)
-     */
     expiresIn?: number;
-    /**
-     * true → auto-generate a device ID
-     */
     fingerprint?: true;
+    store?: StoreType;
 }
 /**
- * Creates a Secure Web Token (SWT).
- * Payload structure:
- * {
- *   data: {...},
- *   iat,
- *   exp,
- *   fp
- * }
+ * sign() now returns:
+ * - token (encrypted payload)
+ * - sessionId (to store in HttpOnly cookie)
  */
 export default function sign(data: Record<string, any>, secret: string, options?: SignOptions): {
     token: string;
-    deviceId?: string;
+    sessionId?: string;
 };
 //# sourceMappingURL=sign.d.ts.map

package/dist/sign.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB;;OAEG;IACH,WAAW,CAAC,EAAE,IAAI,CAAC;CACpB;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,OAAO,UAAU,IAAI,CAC1B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,WAAgB,GACxB;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,CA4CtC"}
+{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":"AAIA,OAAO,EAAY,SAAS,EAAE,MAAM,SAAS,CAAC;AAE9C,MAAM,WAAW,WAAW;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,IAAI,CAAC;IACnB,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED;;;;GAIG;AACH,MAAM,CAAC,OAAO,UAAU,IAAI,CAC1B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,WAAgB,GACxB;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAoDvC"}

package/dist/sign.js

@@ -41,38 +41,45 @@ const crypto = __importStar(require("crypto"));
 const encrypt_1 = __importDefault(require("./encrypt"));
 const utils_1 = require("./utils");
 const device_1 = require("./device");
+const store_1 = require("./store");
 /**
- * Creates a Secure Web Token (SWT).
- * Payload structure:
- * {
- *   data: {...},
- *   iat,
- *   exp,
- *   fp
- * }
+ * sign() now returns:
+ * - token (encrypted payload)
+ * - sessionId (to store in HttpOnly cookie)
  */
 function sign(data, secret, options = {}) {
-    if (!secret || typeof secret !== "string") {
-        throw new Error("Secret must be a non-empty string");
-    }
-    if (!data || typeof data !== "object") {
-        throw new Error("Data must be an object");
-    }
+    if (!secret || typeof secret !== "string")
+        throw new Error("Secret required");
+    if (!data || typeof data !== "object")
+        throw new Error("Data must be object");
+    if (!data.userId)
+        throw new Error("data.userId is required for session mode");
     const now = Math.floor(Date.now() / 1000);
     const payload = {
         data,
         iat: now,
-        exp: now + (options.expiresIn ?? 900)
+        exp: now + (options.expiresIn ?? 900),
     };
+    let sessionId;
     let deviceId;
-    // 🔐 Single-device registration
+    // Backend-only device/session mode
     if (options.fingerprint === true) {
         deviceId = (0, device_1.generateDeviceId)();
         payload.fp = deviceId;
+        sessionId = crypto.randomUUID();
+        const store = (0, store_1.getStore)(options.store);
+        if (store) {
+            store.registerSession({
+                sessionId,
+                userId: data.userId,
+                deviceId,
+                fingerprint: deviceId,
+            });
+        }
     }
     const header = {
         alg: "AES-256-GCM+HMAC",
-        typ: "SWT"
+        typ: "SWT",
     };
     const encodedHeader = (0, utils_1.base64urlEncode)(JSON.stringify(header));
     const encryptedPayload = (0, encrypt_1.default)(payload, secret);
@@ -83,6 +90,6 @@ function sign(data, secret, options = {}) {
         .digest("base64url");
     return {
         token: `${dataToSign}.${signature}`,
-        deviceId
+        sessionId, // to set in HttpOnly cookie
     };
 }

package/dist/store/index.d.ts

@@ -0,0 +1,4 @@
+import { Store } from "./types";
+export type StoreType = "memory";
+export declare function getStore(type?: StoreType): Store | null;
+//# sourceMappingURL=index.d.ts.map

package/dist/store/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/store/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAEhC,MAAM,MAAM,SAAS,GAAG,QAAQ,CAAC;AAEjC,wBAAgB,QAAQ,CAAC,IAAI,CAAC,EAAE,SAAS,GAAG,KAAK,GAAG,IAAI,CASvD"}

package/dist/store/index.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getStore = getStore;
+const memoryStore_1 = require("./memoryStore");
+function getStore(type) {
+    if (!type)
+        return null;
+    switch (type) {
+        case "memory":
+            return memoryStore_1.memoryStore;
+        default:
+            return null;
+    }
+}

package/dist/store/memoryStore.d.ts

@@ -0,0 +1,16 @@
+import { Store } from "./types";
+interface Session {
+    sessionId: string;
+    userId: string | number;
+    deviceId: string;
+    fingerprint: string;
+}
+declare class MemoryStore implements Store {
+    private sessions;
+    registerSession(session: Session): void;
+    getSession(sessionId: string): Session | null;
+    revokeSession(sessionId: string): void;
+}
+export declare const memoryStore: MemoryStore;
+export {};
+//# sourceMappingURL=memoryStore.d.ts.map

package/dist/store/memoryStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memoryStore.d.ts","sourceRoot":"","sources":["../../src/store/memoryStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAEhC,UAAU,OAAO;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACvB;AAED,cAAM,WAAY,YAAW,KAAK;IAC9B,OAAO,CAAC,QAAQ,CAA8B;IAE9C,eAAe,CAAC,OAAO,EAAE,OAAO;IAIhC,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI;IAI7C,aAAa,CAAC,SAAS,EAAE,MAAM;CAGlC;AAED,eAAO,MAAM,WAAW,EAAE,WAA+B,CAAC"}

package/dist/store/memoryStore.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.memoryStore = void 0;
+class MemoryStore {
+    constructor() {
+        this.sessions = new Map();
+    }
+    registerSession(session) {
+        this.sessions.set(session.sessionId, session);
+    }
+    getSession(sessionId) {
+        return this.sessions.get(sessionId) || null;
+    }
+    revokeSession(sessionId) {
+        this.sessions.delete(sessionId);
+    }
+}
+exports.memoryStore = new MemoryStore();

package/dist/store/types.d.ts

@@ -0,0 +1,16 @@
+export interface Store {
+    registerSession(session: {
+        sessionId: string;
+        userId: string | number;
+        deviceId: string;
+        fingerprint: string;
+    }): void;
+    getSession(sessionId: string): {
+        sessionId: string;
+        userId: string | number;
+        deviceId: string;
+        fingerprint: string;
+    } | null;
+    revokeSession(sessionId: string): void;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/store/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/store/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,KAAK;IAClB,eAAe,CAAC,OAAO,EAAE;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;KACvB,GAAG,IAAI,CAAC;IAET,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG;QAC3B,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;KACvB,GAAG,IAAI,CAAC;IAET,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1C"}

package/dist/store/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/verify.d.ts

@@ -1,14 +1,8 @@
-/**
- * Options for verifying a Secure Web Token
- */
+import { StoreType } from "./store";
 export interface VerifyOptions {
-    /**
-     * Device fingerprint for verification
-     */
+    sessionId?: string;
     fingerprint?: string;
+    store?: StoreType;
 }
-/**
- * Verifies and decrypts a Secure Web Token (SWT)
- */
 export default function verify(token: string, secret: string, options?: VerifyOptions): Record<string, any>;
 //# sourceMappingURL=verify.d.ts.map

package/dist/verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAIA;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,CAAC,OAAO,UAAU,MAAM,CAC5B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,aAAkB,GAC1B,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CA+CrB"}
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAGA,OAAO,EAAY,SAAS,EAAE,MAAM,SAAS,CAAC;AAE9C,MAAM,WAAW,aAAa;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,CAAC,OAAO,UAAU,MAAM,CAC5B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,aAAkB,GAC1B,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAoCrB"}

package/dist/verify.js

@@ -40,39 +40,39 @@ exports.default = verify;
 const crypto = __importStar(require("crypto"));
 const decrypt_1 = __importDefault(require("./decrypt"));
 const utils_1 = require("./utils");
-/**
- * Verifies and decrypts a Secure Web Token (SWT)
- */
+const store_1 = require("./store");
 function verify(token, secret, options = {}) {
-    if (!token || typeof token !== "string") {
-        throw new Error("Token must be a string");
-    }
+    if (!token || typeof token !== "string")
+        throw new Error("Token must be string");
     const parts = token.split(".");
-    if (parts.length !== 3) {
+    if (parts.length !== 3)
         throw new Error("Invalid token format");
-    }
     const [header, encryptedPayload, signature] = parts;
     const dataToVerify = `${header}.${encryptedPayload}`;
     const expectedSignature = crypto
         .createHmac("sha256", secret)
         .update(dataToVerify)
         .digest("base64url");
-    if (!(0, utils_1.timingSafeEqual)(Buffer.from(signature), Buffer.from(expectedSignature))) {
+    if (!(0, utils_1.timingSafeEqual)(Buffer.from(signature), Buffer.from(expectedSignature)))
         throw new Error("Invalid signature");
-    }
     const payload = (0, decrypt_1.default)(encryptedPayload, secret);
     const now = Math.floor(Date.now() / 1000);
-    if (payload.exp < now) {
+    if (payload.exp < now)
         throw new Error("Token expired");
+    if (!payload.data || typeof payload.data !== "object")
+        throw new Error("Invalid payload");
+    // Server-side session verification
+    if (options.sessionId && options.fingerprint) {
+        const store = (0, store_1.getStore)(options.store);
+        if (!store)
+            throw new Error("No store available");
+        const session = store.getSession(options.sessionId);
+        if (!session)
+            throw new Error("Session revoked or invalid");
+        if (session.userId !== payload.data.userId)
+            throw new Error("User mismatch");
+        if (session.fingerprint !== options.fingerprint)
+            throw new Error("Device mismatch");
     }
-    if (!payload.data || typeof payload.data !== "object") {
-        throw new Error("Invalid payload structure");
-    }
-    // 🔐 Single-device verification
-    if (options.fingerprint) {
-        if (payload.fp !== options.fingerprint) {
-            throw new Error("Fingerprint mismatch");
-        }
-    }
-    return payload; // { data, iat, exp, fp }
+    return payload;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-web-token",
-  "version": "1.0.5",
+  "version": "1.2.0",
   "description": "A secure web token utility",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",