npm - vestauth - Versions diffs - 0.7.4 → 0.8.0 - Mend

vestauth 0.7.4 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md +7 -1
package/package.json +1 -1
package/src/cli/actions/primitives/verify.js +1 -1
package/src/lib/helpers/errors.js +11 -0
package/src/lib/helpers/providerVerify.js +1 -33
package/src/lib/helpers/verify.js +65 -5

package/CHANGELOG.md CHANGED Viewed

@@ -2,7 +2,13 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
-[Unreleased](https://github.com/vestauth/vestauth/compare/v0.7.4...main)
+[Unreleased](https://github.com/vestauth/vestauth/compare/v0.8.0...main)
+## [0.8.0](https://github.com/vestauth/vestauth/compare/v0.7.4...v0.8.0) (2026-02-05)
+### Added
+* Return agent json on successful verify
 ## [0.7.4](https://github.com/vestauth/vestauth/compare/v0.7.3...v0.7.4) (2026-02-05)

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vestauth",
-  "version": "0.7.4",
+  "version": "0.8.0",
   "description": "auth for agents–from the creator of dotenvx",
   "keywords": [
     "vestauth"

package/src/cli/actions/primitives/verify.js CHANGED Viewed

@@ -25,7 +25,7 @@ async function verify (httpMethod, uri) {
       'Signature-Agent': options.signatureAgent
     }
-    const publicJwk = JSON.parse(options.publicJwk || {})
+    const publicJwk = options.publicJwk ? JSON.parse(options.publicJwk) : undefined
     const output = await primitives.verify(httpMethod, uri, headers, publicJwk)
     // const output = await primitive.verifyWebBotAuth(httpMethod, uri, signature, signatureInput, JSON.parse(publicJwk))

package/src/lib/helpers/errors.js CHANGED Viewed

@@ -63,6 +63,17 @@ class Errors {
     return e
   }
+  missingPublicJwk () {
+    const code = 'MISSING_PUBLIC_JWK'
+    const message = `[${code}] missing --public-jwk (AGENT_PUBLIC_JWK) or --signature-agent`
+    const help = `[${code}] provide a public JWK or a signature agent for lookup`
+    const e = new Error(message)
+    e.code = code
+    e.help = help
+    return e
+  }
   invalidSignatureAgent () {
     const code = 'INVALID_SIGNATURE_AGENT'
     const message = `[${code}] invalid --signature-agent`

package/src/lib/helpers/providerVerify.js CHANGED Viewed

@@ -1,7 +1,3 @@
-const { http } = require('./http')
-const buildApiError = require('./buildApiError')
-const parseSignatureAgentHeader = require('./parseSignatureAgentHeader')
-const verifyAgentFqdn = require('./verifyAgentFqdn')
 const verify = require('./verify')
 const Errors = require('./errors')
@@ -18,35 +14,7 @@ async function providerVerify (httpMethod, uri, headers = {}) {
     throw new Errors().missingSignatureAgent()
   }
-  const { value } = parseSignatureAgentHeader(signatureAgent) // sig1=agent-1234.agents.vestauth.com
-  const fqdn = value
-  verifyAgentFqdn(fqdn)
-  const origin = `https://${fqdn}` // https://agent-1234.agents.vestauth.com
-  // get jwks from .well-known
-  const url = `${origin}/.well-known/http-message-signatures-directory` // risk of SSRF ?
-  const resp = await http(url, { method: 'GET', headers: { 'Content-Type': 'application/json' } })
-  if (resp.statusCode >= 400) {
-    const json = await resp.body.json()
-    throw buildApiError(resp.statusCode, json)
-  }
-  const json = await resp.body.json()
-  // example json
-  // {
-  //   keys: [
-  //     {
-  //       x: 'IaqY8f2Qp8EpS1qP7AssY0QE4I8PJDwHInLwDfB9WaU',
-  //       crv: 'Ed25519',
-  //       kid: 'i1B0cEjNvnSBm_TSVS87nqDj7IRfC_Q2eU-SywVxtNI',
-  //       kty: 'OKP'
-  //     }
-  //   ]
-  // }
-  // use publicJwk to verify
-  const publicJwk = json.keys[0]
-  return await verify(httpMethod, uri, headers, publicJwk)
+  return verify(httpMethod, uri, headers)
 }
 module.exports = providerVerify

package/src/lib/helpers/verify.js CHANGED Viewed

@@ -1,14 +1,65 @@
 const crypto = require('crypto')
+const { http } = require('./http')
+const buildApiError = require('./buildApiError')
+const parseSignatureAgentHeader = require('./parseSignatureAgentHeader')
 const parseSignatureInputHeader = require('./parseSignatureInputHeader')
 const stripDictionaryKey = require('./stripDictionaryKey')
 const authorityMessage = require('./authorityMessage')
 const publicJwkObject = require('./publicJwkObject')
+const verifyAgentFqdn = require('./verifyAgentFqdn')
 const Errors = require('./errors')
-function verify (httpMethod, uri, headers = {}, publicJwk) {
+async function resolvePublicJwk ({ signatureInput, signatureAgent, publicJwk }) {
+  let uid
+  let wellKnownUrl
+  const { values } = parseSignatureInputHeader(signatureInput)
+  const kid = values.keyid
+  if (signatureAgent) {
+    const { value } = parseSignatureAgentHeader(signatureAgent)
+    const fqdn = value
+    verifyAgentFqdn(fqdn)
+    const origin = `https://${fqdn}`
+    uid = fqdn.split('.')[0]
+    wellKnownUrl = `${origin}/.well-known/http-message-signatures-directory`
+  }
+  if (publicJwk) {
+    return { uid, kid, publicJwk, wellKnownUrl }
+  }
+  if (!signatureAgent) {
+    return { publicJwk: null }
+  }
+  const resp = await http(wellKnownUrl, { method: 'GET', headers: { 'Content-Type': 'application/json' } })
+  if (resp.statusCode >= 400) {
+    const json = await resp.body.json()
+    throw buildApiError(resp.statusCode, json)
+  }
+  const json = await resp.body.json()
+  let resolvedPublicJwk = json.keys[0]
+  if (kid) {
+    resolvedPublicJwk = json.keys.find((key) => key.kid === kid)
+    if (!resolvedPublicJwk) {
+      throw new Errors().invalidSignature()
+    }
+  }
+  return {
+    uid,
+    kid,
+    publicJwk: resolvedPublicJwk,
+    wellKnownUrl
+  }
+}
+async function verify (httpMethod, uri, headers = {}, publicJwk) {
   const signature = headers.Signature || headers.signature
   const signatureInput = headers['Signature-Input'] || headers['signature-input']
+  const signatureAgent = headers['Signature-Agent'] || headers['signature-agent']
   const { values } = parseSignatureInputHeader(signatureInput)
   const { expires } = values
@@ -16,6 +67,11 @@ function verify (httpMethod, uri, headers = {}, publicJwk) {
     throw new Errors().expiredSignature()
   }
+  const resolved = await resolvePublicJwk({ signatureInput, signatureAgent, publicJwk })
+  if (!resolved.publicJwk) {
+    throw new Errors().missingPublicJwk()
+  }
   const signatureParams = stripDictionaryKey(signatureInput)
   const sig = stripDictionaryKey(signature)
   const message = authorityMessage(uri, signatureParams)
@@ -23,7 +79,7 @@ function verify (httpMethod, uri, headers = {}, publicJwk) {
   const success = crypto.verify(
     null,
     Buffer.from(message, 'utf8'),
-    publicJwkObject(publicJwk),
+    publicJwkObject(resolved.publicJwk),
     Buffer.from(sig, 'base64')
   )
@@ -31,9 +87,13 @@ function verify (httpMethod, uri, headers = {}, publicJwk) {
     throw new Errors().invalidSignature()
   }
-  return {
-    success
-  }
+  const output = {}
+  if (resolved.uid) output.uid = resolved.uid
+  if (resolved.kid) output.kid = resolved.kid
+  if (resolved.publicJwk) output.public_jwk = resolved.publicJwk
+  if (resolved.wellKnownUrl) output.well_known_url = resolved.wellKnownUrl
+  return output
 }
 module.exports = verify