skyguard-js 1.1.3 → 1.1.5

package/README.md

@@ -55,12 +55,14 @@ import { createApp, Response } from "skyguard-js";
 
 const app = createApp();
 
+const PORT = 3000;
+
 app.get("/health", () => {
   return Response.json({ status: "ok" });
 });
 
-app.run(3000, () => {
-  console.log(`Server running in port: http://localhost:${3000}`);
+app.run(PORT, () => {
+  console.log(`Server running in port: http://localhost:${PORT}`);
 });
 ```
 
@@ -136,11 +138,12 @@ To enable CORS, use the built-in `cors` middleware.
 
 ```ts
 import { cors } from "skyguard-js/middlewares";
+import { HttpMethods } from "skyguard-js";
 
 app.middlewares([
   cors({
     origin: ["http://localhost:3000", "https://myapp.com"],
-    methods: ["GET", "POST"],
+    methods: [HttpMethods.get, HttpMethods.post],
     allowedHeaders: ["Content-Type", "Authorization"],
     credentials: true,
   }),
@@ -165,11 +168,12 @@ app.staticFiles(join(__dirname, "..", "static"));
 
 ## ⛔ Data Validation
 
-To validate data in the body of client requests, the framework provides the creation of validation schemas, which are created as follows:
+To validate the data in the body of client requests, the framework provides the creation of validation schemes and a middleware function to validate the body of HTTP requests, used as follows:
 
 ```ts
-import { v, schema } from "skyguard-js";
+import { v, schema, validateData } from "skyguard-js";
 
+// Created Schema
 const userSchema = schema({
   name: v.string({ maxLength: 60 }),
   email: v.email(),
@@ -178,17 +182,26 @@ const userSchema = schema({
   birthdate: v.date({ max: new Date() }),
 });
 
-app.post("/users", (request: Request) => {
-  const validatedData = request.validateData(userSchema);
+// Typing Interface
+interface User {
+  name: string;
+  email: string;
+  age: number;
+  active: boolean;
+  birthdate: Date;
+}
 
-  return Response.json({
-    success: true,
-    data: validatedData,
-  });
-});
+app.post(
+  "/test",
+  (request: Request) => {
+    const data = request.getData<User>();
+    return json(data).setStatusCode(201);
+  },
+  [validateData(userSchema)],
+);
 ```
 
-By default each property you define in the schema is required, to define it optional you use the `.optional()` or `.default(value)` function
+To type the request body, an interface is used and the .getData() method is used, which allows returning the typed bodym. By default each property you define in the schema is required, to define it optional you use the `.optional()` or `.default(value)` function
 
 Validation is:
 
@@ -289,7 +302,6 @@ The framework includes some password hashing and JWT token generation functions,
 
 ```ts
 import { hash, verify, createJWT } from "skyguard-js/security";
-import { authJWT } from "skyguard-js/middlewares";
 
 app.post("/register", async (request: Request) => {
   const { username, password } = request.data;
@@ -313,25 +325,13 @@ app.post("/login", async (request: Request) => {
     throw new UnauthorizedError("Invalid credentials");
   }
 
-  const token = createJWT(
-    { sub: user.id, role: user.role },
-    "secret-key",
-    3600,
-  );
+  const token = createJWT({ sub: "123" }, "secret-key", {
+    algorithm: "HS256",
+    expiresIn: "1h",
+  });
 
   return Response.json({ token });
 });
-
-app.get(
-  "/verify-jwt",
-  (request: Request) => {
-    // The request stores a user state; the middleware creates and assigns this state to the request.state object.
-    const user = request.state.user;
-
-    return json({ user });
-  },
-  [authJWT("secret-key")],
-);
 ```
 
 ---

package/dist/app.d.ts

@@ -24,10 +24,6 @@ export declare class App {
     private router;
     /** Static file handler (optional) */
     private staticFileHandler;
-    /** Logger instance for request logging */
-    private logger;
-    /** Timestamp marking the start of request processing (for logging) */
-    private startTime;
     /** View engine for rendering templates (optional) */
     private viewEngine;
     /**
@@ -62,6 +58,7 @@ export declare class App {
      *
      * @example
      * app.staticFiles("public");
+     * app.staticFiles(join(__dirname, "..", "public"));
      * // /public/css/style.css → /css/style.css
      */
     staticFiles(publicPath: string): void;
@@ -134,6 +131,14 @@ export declare class App {
      * Registers global middlewares.
      *
      * These are executed for every route.
+     *
+     * @example
+     * const auth = async (request, next) => {
+     *    console.log(request.header);
+     *    return await next(request);
+     * }
+     *
+     * app.middlewares(auth);
      */
     middlewares(middlewares: Middleware[]): void;
     /**

package/dist/app.js

@@ -33,10 +33,6 @@ class App {
     router;
     /** Static file handler (optional) */
     staticFileHandler = null;
-    /** Logger instance for request logging */
-    logger;
-    /** Timestamp marking the start of request processing (for logging) */
-    startTime;
     /** View engine for rendering templates (optional) */
     viewEngine;
     /**
@@ -51,7 +47,6 @@ class App {
     static bootstrap() {
         const app = container_1.Container.singleton(App);
         app.router = container_1.Container.singleton(routing_1.Router);
-        app.logger = container_1.Container.singleton(http_1.Logger);
         app.viewEngine = container_1.Container.singleton(engineTemplate_1.ViewEngine);
         return app;
     }
@@ -93,6 +88,7 @@ class App {
      *
      * @example
      * app.staticFiles("public");
+     * app.staticFiles(join(__dirname, "..", "public"));
      * // /public/css/style.css → /css/style.css
      */
     staticFiles(publicPath) {
@@ -148,10 +144,8 @@ class App {
      */
     run(port, callback, hostname = "127.0.0.1") {
         (0, node_http_1.createServer)((req, res) => {
-            this.startTime = process.hrtime.bigint();
             const adapter = new http_1.NodeHttpAdapter(req, res);
             void this.handle(adapter);
-            this.logger.log(req, res, this.startTime);
         }).listen(port, hostname, () => {
             callback();
         });
@@ -192,6 +186,14 @@ class App {
      * Registers global middlewares.
      *
      * These are executed for every route.
+     *
+     * @example
+     * const auth = async (request, next) => {
+     *    console.log(request.header);
+     *    return await next(request);
+     * }
+     *
+     * app.middlewares(auth);
      */
     middlewares(middlewares) {
         this.router.middlewares(middlewares);

package/dist/crypto/hasher.d.ts

@@ -15,6 +15,9 @@ type ScryptOptions = {
  * @param params - Scrypt work-factor params. Defaults to `DEFAULT_PARAMS`.
  * @param pepper - Optional server secret mixed into the password (e.g., from env var).
  * @returns A compact encoded hash string containing algorithm parameters + salt + derived key.
+ *
+ * @example
+ * const passwordHash = await hash("password", 16);
  */
 export declare const hash: (password: string, saltLength?: number, params?: ScryptOptions, pepper?: string) => Promise<string>;
 /**
@@ -28,6 +31,9 @@ export declare const hash: (password: string, saltLength?: number, params?: Scry
  * @param storedHash - Stored hash string in the compact format.
  * @param pepper - Optional server secret; must match the one used when hashing.
  * @returns `true` if the password matches, otherwise `false`.
+ *
+ * @example
+ * const validPassword = await verify("password", "passwordHashed");
  */
 export declare const verify: (password: string, storedHash: string, pepper?: string) => Promise<boolean>;
 /**
@@ -42,6 +48,9 @@ export declare const verify: (password: string, storedHash: string, pepper?: str
  * @param storedHash - Stored hash string in compact format.
  * @param params - Desired/current scrypt params. Defaults to `DEFAULT_PARAMS`.
  * @returns `true` if the hash is missing/invalid or was produced with different parameters.
+ *
+ * @example
+ * const passwordRehash = needsRehash("passwordHashed");
  */
 export declare const needsRehash: (storedHash: string, params?: ScryptOptions) => boolean;
 /**
@@ -62,13 +71,13 @@ export declare const needsRehash: (storedHash: string, params?: ScryptOptions) =
  *   - pepper: optional server secret
  *   - concurrency: max simultaneous operations (default 4)
  * @returns Array of compact hash strings in the same order as input.
+ *
+ * @example
+ *
+ * const listPasswords = ["password1", "password2", "password3"];
+ * const passwordsHasherList = await hashBatch(listPasswords, 16);
  */
-export declare const hashBatch: (passwords: string[], options?: {
-    saltLength?: number;
-    params?: ScryptOptions;
-    pepper?: string;
-    concurrency?: number;
-}) => Promise<string[]>;
+export declare const hashBatch: (passwords: string[], saltLength?: number, concurrency?: number, params?: ScryptOptions, pepper?: string) => Promise<string[]>;
 /**
  * Verifies multiple password/hash pairs using controlled concurrency.
  *
@@ -80,12 +89,12 @@ export declare const hashBatch: (passwords: string[], options?: {
  *   - pepper: optional server secret
  *   - concurrency: max simultaneous operations (default 8)
  * @returns Array of booleans in the same order as input.
+ *
+ * @example
+ * const verifyPasswords = await verifyBatch([{ password: "test", hash: "testHash" }, { password: "test2", hash: "testHash2" }]);
  */
 export declare const verifyBatch: (credentials: Array<{
     password: string;
     hash: string;
-}>, options?: {
-    pepper?: string;
-    concurrency?: number;
-}) => Promise<boolean[]>;
+}>, concurrency?: number, pepper?: string) => Promise<boolean[]>;
 export {};

package/dist/crypto/hasher.js

@@ -87,6 +87,9 @@ const parseHash = (hash) => {
  * @param params - Scrypt work-factor params. Defaults to `DEFAULT_PARAMS`.
  * @param pepper - Optional server secret mixed into the password (e.g., from env var).
  * @returns A compact encoded hash string containing algorithm parameters + salt + derived key.
+ *
+ * @example
+ * const passwordHash = await hash("password", 16);
  */
 const hash = async (password, saltLength = 16, params = DEFAULT_PARAMS, pepper) => {
     const salt = (0, node_crypto_1.randomBytes)(saltLength);
@@ -111,6 +114,9 @@ exports.hash = hash;
  * @param storedHash - Stored hash string in the compact format.
  * @param pepper - Optional server secret; must match the one used when hashing.
  * @returns `true` if the password matches, otherwise `false`.
+ *
+ * @example
+ * const validPassword = await verify("password", "passwordHashed");
  */
 const verify = async (password, storedHash, pepper) => {
     const parsed = parseHash(storedHash);
@@ -145,6 +151,9 @@ exports.verify = verify;
  * @param storedHash - Stored hash string in compact format.
  * @param params - Desired/current scrypt params. Defaults to `DEFAULT_PARAMS`.
  * @returns `true` if the hash is missing/invalid or was produced with different parameters.
+ *
+ * @example
+ * const passwordRehash = needsRehash("passwordHashed");
  */
 const needsRehash = (storedHash, params = DEFAULT_PARAMS) => {
     const parsed = parseHash(storedHash);
@@ -191,13 +200,14 @@ const mapLimit = async (items, limit, fn) => {
  *   - pepper: optional server secret
  *   - concurrency: max simultaneous operations (default 4)
  * @returns Array of compact hash strings in the same order as input.
+ *
+ * @example
+ *
+ * const listPasswords = ["password1", "password2", "password3"];
+ * const passwordsHasherList = await hashBatch(listPasswords, 16);
  */
-const hashBatch = async (passwords, options) => {
-    const saltLength = options?.saltLength ?? 16;
-    const params = options?.params ?? DEFAULT_PARAMS;
-    const pepper = options?.pepper;
-    const concurrency = options?.concurrency ?? 4;
-    return mapLimit(passwords, concurrency, p => (0, exports.hash)(p, saltLength, params, pepper));
+const hashBatch = async (passwords, saltLength = 16, concurrency = 4, params = DEFAULT_PARAMS, pepper) => {
+    return mapLimit(passwords, concurrency, password => (0, exports.hash)(password, saltLength, params, pepper));
 };
 exports.hashBatch = hashBatch;
 /**
@@ -211,10 +221,11 @@ exports.hashBatch = hashBatch;
  *   - pepper: optional server secret
  *   - concurrency: max simultaneous operations (default 8)
  * @returns Array of booleans in the same order as input.
+ *
+ * @example
+ * const verifyPasswords = await verifyBatch([{ password: "test", hash: "testHash" }, { password: "test2", hash: "testHash2" }]);
  */
-const verifyBatch = async (credentials, options) => {
-    const pepper = options?.pepper;
-    const concurrency = options?.concurrency ?? 8;
-    return mapLimit(credentials, concurrency, c => (0, exports.verify)(c.password, c.hash, pepper));
+const verifyBatch = async (credentials, concurrency = 8, pepper) => {
+    return mapLimit(credentials, concurrency, credential => (0, exports.verify)(credential.password, credential.hash, pepper));
 };
 exports.verifyBatch = verifyBatch;

package/dist/crypto/jwt.d.ts

@@ -1,12 +1,51 @@
+/**
+ * Represents the payload (claims set) of a JSON Web Token.
+ *
+ * A JWT payload may contain arbitrary custom claims.
+ * Common registered claims:
+ * - `exp` (Expiration Time) – Unix timestamp (seconds)
+ * - `iat` (Issued At) – Unix timestamp (seconds)
+ *
+ * Additional claims may be added depending on the application.
+ */
 interface JWTPayload {
     [key: string]: any;
     exp?: number;
     iat?: number;
 }
+/**
+ * Represents the header section of a JWT.
+ *
+ * - `alg` – Signing algorithm used
+ * - `typ` – Token type (typically `"JWT"`)
+ */
 interface JWTHeader {
     alg: string;
     typ: string;
 }
+/**
+ * Supported JWT signing algorithms.
+ *
+ * - HS* → HMAC (symmetric secret)
+ * - RS* → RSA (asymmetric public/private key)
+ */
+type Algorithm = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512";
+/**
+ * Options used when creating a JWT.
+ */
+interface CreateJWTOptions {
+    /**
+     * Signing algorithm.
+     * Defaults to `"HS256"` if not provided.
+     */
+    algorithm?: Algorithm;
+    /**
+     * Token expiration:
+     * - Number → seconds
+     * - String → time expression (e.g. `"1h"`, `"30m"`, `"2d"`)
+     */
+    expiresIn?: number | string;
+}
 /**
  * Creates a JSON Web Token (JWT) signed using HMAC-SHA256 (HS256).
  *
@@ -19,18 +58,24 @@ interface JWTHeader {
  * @param secret - Secret key used to sign the token.
  * @param expiresIn - Optional expiration time in seconds.
  * @returns Signed JWT string.
+ *
+ * @example
+ * const jwt = createJWT({ sub: "123" }, "secret", { algorithm: "HS512", expiresIn: "1h" });
  */
-export declare const createJWT: (payload: JWTPayload, secret: string, expiresIn?: number) => string;
+export declare const createJWT: (payload: JWTPayload, secret: string | Buffer, opts?: number | string | CreateJWTOptions) => string;
 /**
- * Verifies the integrity and validity of a JSON Web Token.
+ * Verifies the signature and validity of a JWT.
  *
- * If any validation step fails, the function returns `null`.
+ * Returns `null` if validation fails at any step.
  *
- * @param token - JWT string to verify.
- * @param secret - Secret used to sign the token.
- * @returns Decoded payload if the token is valid, otherwise `null`.
+ * @param token - JWT string.
+ * @param secret - Secret (HMAC) or public key (RSA).
+ * @returns Decoded payload if valid, otherwise `null`.
+ *
+ * @example
+ * const verifyToken = verifyJWT("token", "secret-key");
  */
-export declare const verifyJWT: (token: string, secret: string) => JWTPayload | null;
+export declare const verifyJWT: (token: string, secret: string | Buffer) => JWTPayload | null;
 /**
  * Decodes a JWT without verifying its signature.
  *
@@ -40,6 +85,9 @@ export declare const verifyJWT: (token: string, secret: string) => JWTPayload |
  *
  * @param token - JWT string to decode.
  * @returns Object containing decoded header and payload, or `null` if malformed.
+ *
+ * @example
+ * conste decodeToken = decodeJWT("token");
  */
 export declare const decodeJWT: (token: string) => {
     header: JWTHeader;

package/dist/crypto/jwt.js

@@ -1,7 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.decodeJWT = exports.verifyJWT = exports.createJWT = void 0;
+const baseException_1 = require("../exceptions/baseException");
 const node_crypto_1 = require("node:crypto");
+class JWTGeneratorException extends baseException_1.BaseException {
+    constructor(algorithm) {
+        super(`Unsupported algorithm: ${algorithm}`, "JWT_GENERATOR_EXCEPTION");
+        this.name = "JWTGeneratorException";
+    }
+}
 /**
  * Encodes a string using Base64URL encoding (RFC 7515).
  *
@@ -33,6 +40,31 @@ function base64UrlDecode(str) {
     }
     return Buffer.from(base64, "base64").toString("utf-8");
 }
+/**
+ * Converts a Base64 string into Base64URL format.
+ *
+ * Used after cryptographic signing operations that return standard Base64.
+ *
+ * @param b64 - Standard Base64 string.
+ * @returns Base64URL-compatible string.
+ */
+function base64ToBase64Url(b64) {
+    return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+/**
+ * Converts a Base64URL string into a Buffer.
+ *
+ * Restores Base64 padding before decoding.
+ *
+ * @param str - Standard Base64 string.
+ * @returns Buffer data
+ */
+function base64UrlToBuffer(str) {
+    let base64 = str.replace(/-/g, "+").replace(/_/g, "/");
+    while (base64.length % 4)
+        base64 += "=";
+    return Buffer.from(base64, "base64");
+}
 /**
  * Creates a JSON Web Token (JWT) signed using HMAC-SHA256 (HS256).
  *
@@ -45,10 +77,17 @@ function base64UrlDecode(str) {
  * @param secret - Secret key used to sign the token.
  * @param expiresIn - Optional expiration time in seconds.
  * @returns Signed JWT string.
+ *
+ * @example
+ * const jwt = createJWT({ sub: "123" }, "secret", { algorithm: "HS512", expiresIn: "1h" });
  */
-const createJWT = (payload, secret, expiresIn) => {
+const createJWT = (payload, secret, opts = {}) => {
+    const options = typeof opts === "object" && opts !== null
+        ? opts
+        : { expiresIn: opts };
+    const algorithm = options.algorithm ?? "HS256";
     const header = {
-        alg: "HS256",
+        alg: algorithm,
         typ: "JWT",
     };
     const now = Math.floor(Date.now() / 1000);
@@ -56,28 +95,29 @@ const createJWT = (payload, secret, expiresIn) => {
         ...payload,
         iat: now,
     };
-    if (expiresIn)
-        tokenPayload.exp = now + expiresIn;
+    if (options.expiresIn !== undefined) {
+        const secs = parseExpiresIn(options.expiresIn);
+        if (secs)
+            tokenPayload.exp = now + secs;
+    }
     const encodedHeader = base64UrlEncode(JSON.stringify(header));
     const encodedPayload = base64UrlEncode(JSON.stringify(tokenPayload));
     const data = `${encodedHeader}.${encodedPayload}`;
-    const signature = (0, node_crypto_1.createHmac)("sha256", secret)
-        .update(data)
-        .digest("base64")
-        .replace(/\+/g, "-")
-        .replace(/\//g, "_")
-        .replace(/=/g, "");
+    const signature = signData(algorithm, data, secret);
     return `${data}.${signature}`;
 };
 exports.createJWT = createJWT;
 /**
- * Verifies the integrity and validity of a JSON Web Token.
+ * Verifies the signature and validity of a JWT.
  *
- * If any validation step fails, the function returns `null`.
+ * Returns `null` if validation fails at any step.
  *
- * @param token - JWT string to verify.
- * @param secret - Secret used to sign the token.
- * @returns Decoded payload if the token is valid, otherwise `null`.
+ * @param token - JWT string.
+ * @param secret - Secret (HMAC) or public key (RSA).
+ * @returns Decoded payload if valid, otherwise `null`.
+ *
+ * @example
+ * const verifyToken = verifyJWT("token", "secret-key");
  */
 const verifyJWT = (token, secret) => {
     try {
@@ -85,18 +125,11 @@ const verifyJWT = (token, secret) => {
         if (parts.length !== 3)
             return null;
         const [encodedHeader, encodedPayload, signature] = parts;
+        const header = JSON.parse(base64UrlDecode(encodedHeader));
+        const alg = header.alg;
         const data = `${encodedHeader}.${encodedPayload}`;
-        const expectedSignature = (0, node_crypto_1.createHmac)("sha256", secret)
-            .update(data)
-            .digest("base64")
-            .replace(/\+/g, "-")
-            .replace(/\//g, "_")
-            .replace(/=/g, "");
-        const signatureBuffer = Buffer.from(signature);
-        const computedBuffer = Buffer.from(expectedSignature);
-        if (signatureBuffer.length !== computedBuffer.length)
-            return null;
-        if (!(0, node_crypto_1.timingSafeEqual)(signatureBuffer, computedBuffer))
+        const validJWT = verifyData(alg, data, secret, signature);
+        if (!validJWT)
             return null;
         const payload = JSON.parse(base64UrlDecode(encodedPayload));
         if (!payload.exp)
@@ -120,6 +153,9 @@ exports.verifyJWT = verifyJWT;
  *
  * @param token - JWT string to decode.
  * @returns Object containing decoded header and payload, or `null` if malformed.
+ *
+ * @example
+ * conste decodeToken = decodeJWT("token");
  */
 const decodeJWT = (token) => {
     try {
@@ -136,3 +172,118 @@ const decodeJWT = (token) => {
     }
 };
 exports.decodeJWT = decodeJWT;
+/**
+ * Parses an `expiresIn` value.
+ *
+ * Accepts:
+ * - Number → seconds
+ * - String format:
+ *   - "30s"
+ *   - "15m"
+ *   - "2h"
+ *   - "7d"
+ *   - "1y"
+ *
+ * Returns the duration in seconds.
+ *
+ * @param input - Expiration value.
+ * @returns Seconds or undefined if invalid.
+ */
+function parseExpiresIn(input) {
+    if (input === undefined)
+        return undefined;
+    if (typeof input === "number")
+        return input;
+    const match = `${input}`.trim().match(/^(\d+)\s*(s|m|h|d|y)?$/i);
+    if (!match)
+        return undefined;
+    const value = parseInt(match[1], 10);
+    const unit = (match[2] || "s").toLowerCase();
+    switch (unit) {
+        case "s":
+            return value;
+        case "m":
+            return value * 60;
+        case "h":
+            return value * 60 * 60;
+        case "d":
+            return value * 60 * 60 * 24;
+        case "y":
+            return value * 60 * 60 * 24 * 365;
+        default:
+            return undefined;
+    }
+}
+const hmacAlgorithm = (algorithm) => {
+    const verifyAlg = algorithm === "HS256"
+        ? "sha256"
+        : algorithm === "HS384"
+            ? "sha384"
+            : "sha512";
+    return verifyAlg;
+};
+const rsaAlgorithm = (algorithm) => {
+    const verifyAlg = algorithm === "RS256"
+        ? "RSA-SHA256"
+        : algorithm === "RS384"
+            ? "RSA-SHA384"
+            : "RSA-SHA512";
+    return verifyAlg;
+};
+/**
+ * Signs JWT data using the specified algorithm.
+ *
+ * - HS* → HMAC (shared secret)
+ * - RS* → RSA (private key)
+ *
+ * @param algorithm - JWT signing algorithm.
+ * @param data - Header + payload.
+ * @param key - Secret or private key.
+ * @returns Base64URL signature string.
+ */
+function signData(algorithm, data, key) {
+    if (algorithm.startsWith("HS")) {
+        const b64 = (0, node_crypto_1.createHmac)(hmacAlgorithm(algorithm), key)
+            .update(data)
+            .digest("base64");
+        return base64ToBase64Url(b64);
+    }
+    if (algorithm.startsWith("RS")) {
+        const b64 = (0, node_crypto_1.createSign)(rsaAlgorithm(algorithm))
+            .update(data)
+            .sign(key, "base64");
+        return base64ToBase64Url(b64);
+    }
+    throw new JWTGeneratorException(algorithm);
+}
+/**
+ * Verifies JWT signature using constant-time comparison (HMAC)
+ * or RSA verification.
+ *
+ * - HS* → Uses `timingSafeEqual` to prevent timing attacks.
+ * - RS* → Uses Node.js `verify`.
+ *
+ * @param algorithm - JWT algorithm.
+ * @param data - Signed data.
+ * @param key - Secret or public key.
+ * @param signature - Signature (Base64URL).
+ * @returns `true` if signature is valid.
+ */
+function verifyData(algorithm, data, key, signature) {
+    if (algorithm.startsWith("HS")) {
+        const expectedB64 = (0, node_crypto_1.createHmac)(hmacAlgorithm(algorithm), key)
+            .update(data)
+            .digest("base64");
+        const expectedBuf = base64UrlToBuffer(base64ToBase64Url(expectedB64));
+        const sigBuf = base64UrlToBuffer(signature);
+        if (expectedBuf.length !== sigBuf.length)
+            return false;
+        return (0, node_crypto_1.timingSafeEqual)(expectedBuf, sigBuf);
+    }
+    if (algorithm.startsWith("RS")) {
+        const verifier = (0, node_crypto_1.createVerify)(rsaAlgorithm(algorithm)).update(data);
+        const sigBuf = base64UrlToBuffer(signature);
+        return verifier.verify(key, sigBuf);
+    }
+    return false;
+}