secure-web-token 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. package/dist/sign.d.ts +6 -1
  2. package/dist/sign.d.ts.map +1 -1
  3. package/dist/sign.js +21 -12
  4. package/dist/store/memoryStore.d.ts +14 -1
  5. package/dist/store/memoryStore.d.ts.map +1 -1
  6. package/dist/store/memoryStore.js +6 -9
  7. package/dist/store/types.d.ts +13 -3
  8. package/dist/store/types.d.ts.map +1 -1
  9. package/dist/verify.d.ts +1 -0
  10. package/dist/verify.d.ts.map +1 -1
  11. package/dist/verify.js +18 -23
  12. package/package.json +1 -1
package/dist/sign.d.ts CHANGED
@@ -4,8 +4,13 @@ export interface SignOptions {
4
4
  fingerprint?: true;
5
5
  store?: StoreType;
6
6
  }
7
+ /**
8
+ * sign() now returns:
9
+ * - token (encrypted payload)
10
+ * - sessionId (to store in HttpOnly cookie)
11
+ */
7
12
  export default function sign(data: Record<string, any>, secret: string, options?: SignOptions): {
8
13
  token: string;
9
- deviceId?: string;
14
+ sessionId?: string;
10
15
  };
11
16
  //# sourceMappingURL=sign.d.ts.map
package/dist/sign.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":"AAIA,OAAO,EAAY,SAAS,EAAE,MAAM,SAAS,CAAC;AAE9C,MAAM,WAAW,WAAW;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,IAAI,CAAC;IACnB,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,CAAC,OAAO,UAAU,IAAI,CAC1B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,WAAgB,GACxB;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,CAsDtC"}
1
+ {"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../src/sign.ts"],"names":[],"mappings":"AAIA,OAAO,EAAY,SAAS,EAAE,MAAM,SAAS,CAAC;AAE9C,MAAM,WAAW,WAAW;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,IAAI,CAAC;IACnB,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED;;;;GAIG;AACH,MAAM,CAAC,OAAO,UAAU,IAAI,CAC1B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,WAAgB,GACxB;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAA;CAAE,CAoDvC"}
package/dist/sign.js CHANGED
@@ -42,30 +42,39 @@ const encrypt_1 = __importDefault(require("./encrypt"));
42
42
  const utils_1 = require("./utils");
43
43
  const device_1 = require("./device");
44
44
  const store_1 = require("./store");
45
+ /**
46
+ * sign() now returns:
47
+ * - token (encrypted payload)
48
+ * - sessionId (to store in HttpOnly cookie)
49
+ */
45
50
  function sign(data, secret, options = {}) {
46
- if (!secret || typeof secret !== "string") {
47
- throw new Error("Secret must be a non-empty string");
48
- }
49
- if (!data || typeof data !== "object") {
50
- throw new Error("Data must be an object");
51
- }
52
- if (!data.userId) {
53
- throw new Error("data.userId is required when using store");
54
- }
51
+ if (!secret || typeof secret !== "string")
52
+ throw new Error("Secret required");
53
+ if (!data || typeof data !== "object")
54
+ throw new Error("Data must be object");
55
+ if (!data.userId)
56
+ throw new Error("data.userId is required for session mode");
55
57
  const now = Math.floor(Date.now() / 1000);
56
58
  const payload = {
57
59
  data,
58
60
  iat: now,
59
61
  exp: now + (options.expiresIn ?? 900),
60
62
  };
63
+ let sessionId;
61
64
  let deviceId;
62
- // 🔐 Fingerprint + store registration
65
+ // Backend-only device/session mode
63
66
  if (options.fingerprint === true) {
64
67
  deviceId = (0, device_1.generateDeviceId)();
65
68
  payload.fp = deviceId;
69
+ sessionId = crypto.randomUUID();
66
70
  const store = (0, store_1.getStore)(options.store);
67
71
  if (store) {
68
- store.register(data.userId, deviceId);
72
+ store.registerSession({
73
+ sessionId,
74
+ userId: data.userId,
75
+ deviceId,
76
+ fingerprint: deviceId,
77
+ });
69
78
  }
70
79
  }
71
80
  const header = {
@@ -81,6 +90,6 @@ function sign(data, secret, options = {}) {
81
90
  .digest("base64url");
82
91
  return {
83
92
  token: `${dataToSign}.${signature}`,
84
- deviceId,
93
+ sessionId, // to set in HttpOnly cookie
85
94
  };
86
95
  }
package/dist/store/memoryStore.d.ts CHANGED
@@ -1,3 +1,16 @@
1
1
  import { Store } from "./types";
2
- export declare const memoryStore: Store;
2
+ interface Session {
3
+ sessionId: string;
4
+ userId: string | number;
5
+ deviceId: string;
6
+ fingerprint: string;
7
+ }
8
+ declare class MemoryStore implements Store {
9
+ private sessions;
10
+ registerSession(session: Session): void;
11
+ getSession(sessionId: string): Session | null;
12
+ revokeSession(sessionId: string): void;
13
+ }
14
+ export declare const memoryStore: MemoryStore;
15
+ export {};
3
16
  //# sourceMappingURL=memoryStore.d.ts.map
package/dist/store/memoryStore.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"memoryStore.d.ts","sourceRoot":"","sources":["../../src/store/memoryStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAsBhC,eAAO,MAAM,WAAW,EAAE,KAAyB,CAAC"}
1
+ {"version":3,"file":"memoryStore.d.ts","sourceRoot":"","sources":["../../src/store/memoryStore.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAEhC,UAAU,OAAO;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;CACvB;AAED,cAAM,WAAY,YAAW,KAAK;IAC9B,OAAO,CAAC,QAAQ,CAA8B;IAE9C,eAAe,CAAC,OAAO,EAAE,OAAO;IAIhC,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,GAAG,IAAI;IAI7C,aAAa,CAAC,SAAS,EAAE,MAAM;CAGlC;AAED,eAAO,MAAM,WAAW,EAAE,WAA+B,CAAC"}
package/dist/store/memoryStore.js CHANGED
@@ -5,17 +5,14 @@ class MemoryStore {
5
5
  constructor() {
6
6
  this.sessions = new Map();
7
7
  }
8
- makeKey(userId, fingerprint) {
9
- return `${userId}:${fingerprint}`;
8
+ registerSession(session) {
9
+ this.sessions.set(session.sessionId, session);
10
10
  }
11
- register(userId, fingerprint) {
12
- this.sessions.set(this.makeKey(userId, fingerprint), true);
11
+ getSession(sessionId) {
12
+ return this.sessions.get(sessionId) || null;
13
13
  }
14
- isValid(userId, fingerprint) {
15
- return this.sessions.has(this.makeKey(userId, fingerprint));
16
- }
17
- revoke(userId, fingerprint) {
18
- this.sessions.delete(this.makeKey(userId, fingerprint));
14
+ revokeSession(sessionId) {
15
+ this.sessions.delete(sessionId);
19
16
  }
20
17
  }
21
18
  exports.memoryStore = new MemoryStore();
package/dist/store/types.d.ts CHANGED
@@ -1,6 +1,16 @@
1
1
  export interface Store {
2
- register(userId: string | number, fingerprint: string): void;
3
- isValid(userId: string | number, fingerprint: string): boolean;
4
- revoke(userId: string | number, fingerprint: string): void;
2
+ registerSession(session: {
3
+ sessionId: string;
4
+ userId: string | number;
5
+ deviceId: string;
6
+ fingerprint: string;
7
+ }): void;
8
+ getSession(sessionId: string): {
9
+ sessionId: string;
10
+ userId: string | number;
11
+ deviceId: string;
12
+ fingerprint: string;
13
+ } | null;
14
+ revokeSession(sessionId: string): void;
5
15
  }
6
16
  //# sourceMappingURL=types.d.ts.map
package/dist/store/types.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/store/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,KAAK;IAClB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7D,OAAO,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC;IAC/D,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9D"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/store/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,KAAK;IAClB,eAAe,CAAC,OAAO,EAAE;QACrB,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;KACvB,GAAG,IAAI,CAAC;IAET,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG;QAC3B,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;QACxB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;KACvB,GAAG,IAAI,CAAC;IAET,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1C"}
package/dist/verify.d.ts CHANGED
@@ -1,5 +1,6 @@
1
1
  import { StoreType } from "./store";
2
2
  export interface VerifyOptions {
3
+ sessionId?: string;
3
4
  fingerprint?: string;
4
5
  store?: StoreType;
5
6
  }
package/dist/verify.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAGA,OAAO,EAAY,SAAS,EAAE,MAAM,SAAS,CAAC;AAE9C,MAAM,WAAW,aAAa;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,CAAC,OAAO,UAAU,MAAM,CAC5B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,aAAkB,GAC1B,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAuDrB"}
1
+ {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAGA,OAAO,EAAY,SAAS,EAAE,MAAM,SAAS,CAAC;AAE9C,MAAM,WAAW,aAAa;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED,MAAM,CAAC,OAAO,UAAU,MAAM,CAC5B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,aAAkB,GAC1B,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAoCrB"}
package/dist/verify.js CHANGED
@@ -42,42 +42,37 @@ const decrypt_1 = __importDefault(require("./decrypt"));
42
42
  const utils_1 = require("./utils");
43
43
  const store_1 = require("./store");
44
44
  function verify(token, secret, options = {}) {
45
- if (!token || typeof token !== "string") {
46
- throw new Error("Token must be a string");
47
- }
45
+ if (!token || typeof token !== "string")
46
+ throw new Error("Token must be string");
48
47
  const parts = token.split(".");
49
- if (parts.length !== 3) {
48
+ if (parts.length !== 3)
50
49
  throw new Error("Invalid token format");
51
- }
52
50
  const [header, encryptedPayload, signature] = parts;
53
51
  const dataToVerify = `${header}.${encryptedPayload}`;
54
52
  const expectedSignature = crypto
55
53
  .createHmac("sha256", secret)
56
54
  .update(dataToVerify)
57
55
  .digest("base64url");
58
- if (!(0, utils_1.timingSafeEqual)(Buffer.from(signature), Buffer.from(expectedSignature))) {
56
+ if (!(0, utils_1.timingSafeEqual)(Buffer.from(signature), Buffer.from(expectedSignature)))
59
57
  throw new Error("Invalid signature");
60
- }
61
58
  const payload = (0, decrypt_1.default)(encryptedPayload, secret);
62
59
  const now = Math.floor(Date.now() / 1000);
63
- if (payload.exp < now) {
60
+ if (payload.exp < now)
64
61
  throw new Error("Token expired");
65
- }
66
- if (!payload.data || typeof payload.data !== "object") {
67
- throw new Error("Invalid payload structure");
68
- }
69
- // 🔐 Fingerprint + store validation
70
- if (options.fingerprint) {
71
- if (payload.fp !== options.fingerprint) {
72
- throw new Error("Fingerprint mismatch");
73
- }
62
+ if (!payload.data || typeof payload.data !== "object")
63
+ throw new Error("Invalid payload");
64
+ // Server-side session verification
65
+ if (options.sessionId && options.fingerprint) {
74
66
  const store = (0, store_1.getStore)(options.store);
75
- if (store) {
76
- const valid = store.isValid(payload.data.userId, payload.fp);
77
- if (!valid) {
78
- throw new Error("Session revoked or invalid device");
79
- }
80
- }
67
+ if (!store)
68
+ throw new Error("No store available");
69
+ const session = store.getSession(options.sessionId);
70
+ if (!session)
71
+ throw new Error("Session revoked or invalid");
72
+ if (session.userId !== payload.data.userId)
73
+ throw new Error("User mismatch");
74
+ if (session.fingerprint !== options.fingerprint)
75
+ throw new Error("Device mismatch");
81
76
  }
82
77
  return payload;
83
78
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "secure-web-token",
3
- "version": "1.1.0",
3
+ "version": "1.2.0",
4
4
  "description": "A secure web token utility",
5
5
  "main": "dist/index.js",
6
6
  "types": "dist/index.d.ts",