|
|
|
|
@@ -3,14 +3,14 @@ if (typeof crypto === 'undefined' || !crypto.subtle)
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @typedef JwtAlgorithm
|
|
|
|
|
* @type {'ES256'|'ES384'|'ES512'|'HS256'|'HS384'|'HS512'|'RS256'|'RS384'|'RS512'}
|
|
|
|
|
* @type {'ES256' | 'ES384' | 'ES512' | 'HS256' | 'HS384' | 'HS512' | 'RS256' | 'RS384' | 'RS512'}
|
|
|
|
|
*/
|
|
|
|
|
export type JwtAlgorithm = 'ES256'|'ES384'|'ES512'|'HS256'|'HS384'|'HS512'|'RS256'|'RS384'|'RS512'
|
|
|
|
|
export type JwtAlgorithm = 'ES256' | 'ES384' | 'ES512' | 'HS256' | 'HS384' | 'HS512' | 'RS256' | 'RS384' | 'RS512'
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @typedef JwtAlgorithms
|
|
|
|
|
*/
|
|
|
|
|
export interface JwtAlgorithms {
|
|
|
|
|
export type JwtAlgorithms = {
|
|
|
|
|
[key: string]: SubtleCryptoImportKeyAlgorithm
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -18,16 +18,14 @@ export interface JwtAlgorithms {
|
|
|
|
|
* @typedef JwtHeader
|
|
|
|
|
* @prop {string} [typ] Type
|
|
|
|
|
*/
|
|
|
|
|
export interface JwtHeader {
|
|
|
|
|
export type JwtHeader<T = {}> = {
|
|
|
|
|
/**
|
|
|
|
|
* Type (default: `"JWT"`)
|
|
|
|
|
*
|
|
|
|
|
* @default "JWT"
|
|
|
|
|
*/
|
|
|
|
|
typ?: string
|
|
|
|
|
|
|
|
|
|
[key: string]: any
|
|
|
|
|
}
|
|
|
|
|
} & T
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @typedef JwtPayload
|
|
|
|
|
@@ -39,7 +37,7 @@ export interface JwtHeader {
|
|
|
|
|
* @prop {string} [iat] Issued At
|
|
|
|
|
* @prop {string} [jti] JWT ID
|
|
|
|
|
*/
|
|
|
|
|
export interface JwtPayload {
|
|
|
|
|
export type JwtPayload<T = {}> = {
|
|
|
|
|
/** Issuer */
|
|
|
|
|
iss?: string
|
|
|
|
|
|
|
|
|
|
@@ -62,13 +60,13 @@ export interface JwtPayload {
|
|
|
|
|
jti?: string
|
|
|
|
|
|
|
|
|
|
[key: string]: any
|
|
|
|
|
}
|
|
|
|
|
} & T
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @typedef JwtOptions
|
|
|
|
|
* @prop {JwtAlgorithm | string} algorithm
|
|
|
|
|
*/
|
|
|
|
|
export interface JwtOptions {
|
|
|
|
|
export type JwtOptions = {
|
|
|
|
|
algorithm?: JwtAlgorithm | string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -77,32 +75,32 @@ export interface JwtOptions {
|
|
|
|
|
* @extends JwtOptions
|
|
|
|
|
* @prop {JwtHeader} [header]
|
|
|
|
|
*/
|
|
|
|
|
export interface JwtSignOptions extends JwtOptions {
|
|
|
|
|
header?: JwtHeader
|
|
|
|
|
}
|
|
|
|
|
export type JwtSignOptions<T> = {
|
|
|
|
|
header?: JwtHeader<T>
|
|
|
|
|
} & JwtOptions
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @typedef JwtVerifyOptions
|
|
|
|
|
* @extends JwtOptions
|
|
|
|
|
* @prop {boolean} [throwError=false] If `true` throw error if checks fail. (default: `false`)
|
|
|
|
|
*/
|
|
|
|
|
export interface JwtVerifyOptions extends JwtOptions {
|
|
|
|
|
export type JwtVerifyOptions = {
|
|
|
|
|
/**
|
|
|
|
|
* If `true` throw error if checks fail. (default: `false`)
|
|
|
|
|
*
|
|
|
|
|
* @default false
|
|
|
|
|
*/
|
|
|
|
|
throwError?: boolean
|
|
|
|
|
}
|
|
|
|
|
} & JwtOptions
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @typedef JwtData
|
|
|
|
|
* @prop {JwtHeader} header
|
|
|
|
|
* @prop {JwtPayload} payload
|
|
|
|
|
*/
|
|
|
|
|
export interface JwtData {
|
|
|
|
|
header?: JwtHeader
|
|
|
|
|
payload?: JwtPayload
|
|
|
|
|
export type JwtData<Payload = {}, Header = {}> = {
|
|
|
|
|
header?: JwtHeader<Header>
|
|
|
|
|
payload?: JwtPayload<Payload>
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const algorithms: JwtAlgorithms = {
|
|
|
|
|
@@ -200,7 +198,10 @@ async function importKey(key: string | JsonWebKey, algorithm: SubtleCryptoImport
|
|
|
|
|
|
|
|
|
|
function decodePayload<T = any>(raw: string): T | undefined {
|
|
|
|
|
try {
|
|
|
|
|
return JSON.parse(atob(raw))
|
|
|
|
|
const bytes = Array.from(atob(raw), char => char.charCodeAt(0));
|
|
|
|
|
const decodedString = new TextDecoder('utf-8').decode(new Uint8Array(bytes));
|
|
|
|
|
|
|
|
|
|
return JSON.parse(decodedString);
|
|
|
|
|
} catch {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
@@ -210,22 +211,22 @@ function decodePayload<T = any>(raw: string): T | undefined {
|
|
|
|
|
* Signs a payload and returns the token
|
|
|
|
|
*
|
|
|
|
|
* @param {JwtPayload} payload The payload object. To use `nbf` (Not Before) and/or `exp` (Expiration Time) add `nbf` and/or `exp` to the payload.
|
|
|
|
|
* @param {string | JsonWebKey} secret A string which is used to sign the payload.
|
|
|
|
|
* @param {string | JsonWebKey | CryptoKey} secret A string which is used to sign the payload.
|
|
|
|
|
* @param {JwtSignOptions | JwtAlgorithm | string} [options={ algorithm: 'HS256', header: { typ: 'JWT' } }] The options object or the algorithm.
|
|
|
|
|
* @throws {Error} If there's a validation issue.
|
|
|
|
|
* @returns {Promise<string>} Returns token as a `string`.
|
|
|
|
|
*/
|
|
|
|
|
export async function sign(payload: JwtPayload, secret: string | JsonWebKey, options: JwtSignOptions | JwtAlgorithm = 'HS256'): Promise<string> {
|
|
|
|
|
export async function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payload>, secret: string | JsonWebKey, options: JwtSignOptions<Header> | JwtAlgorithm = 'HS256'): Promise<string> {
|
|
|
|
|
if (typeof options === 'string')
|
|
|
|
|
options = { algorithm: options }
|
|
|
|
|
|
|
|
|
|
options = { algorithm: 'HS256', header: { typ: 'JWT' }, ...options }
|
|
|
|
|
options = { algorithm: 'HS256', header: { typ: 'JWT' } as JwtHeader<Header>, ...options }
|
|
|
|
|
|
|
|
|
|
if (!payload || typeof payload !== 'object')
|
|
|
|
|
throw new Error('payload must be an object')
|
|
|
|
|
|
|
|
|
|
if (!secret || (typeof secret !== 'string' && typeof secret !== 'object'))
|
|
|
|
|
throw new Error('secret must be a string or a JWK object')
|
|
|
|
|
throw new Error('secret must be a string, a JWK object or a CryptoKey object')
|
|
|
|
|
|
|
|
|
|
if (typeof options.algorithm !== 'string')
|
|
|
|
|
throw new Error('options.algorithm must be a string')
|
|
|
|
|
@@ -240,7 +241,7 @@ export async function sign(payload: JwtPayload, secret: string | JsonWebKey, opt
|
|
|
|
|
|
|
|
|
|
const partialToken = `${textToBase64Url(JSON.stringify({ ...options.header, alg: options.algorithm }))}.${textToBase64Url(JSON.stringify(payload))}`
|
|
|
|
|
|
|
|
|
|
const key = await importKey(secret, algorithm)
|
|
|
|
|
const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm)
|
|
|
|
|
const signature = await crypto.subtle.sign(algorithm, key, textToArrayBuffer(partialToken))
|
|
|
|
|
|
|
|
|
|
return `${partialToken}.${arrayBufferToBase64Url(signature)}`
|
|
|
|
|
@@ -250,12 +251,12 @@ export async function sign(payload: JwtPayload, secret: string | JsonWebKey, opt
|
|
|
|
|
* Verifies the integrity of the token and returns a boolean value.
|
|
|
|
|
*
|
|
|
|
|
* @param {string} token The token string generated by `jwt.sign()`.
|
|
|
|
|
* @param {string | JsonWebKey} secret The string which was used to sign the payload.
|
|
|
|
|
* @param {string | JsonWebKey | CryptoKey} secret The string which was used to sign the payload.
|
|
|
|
|
* @param {JWTVerifyOptions | JWTAlgorithm} options The options object or the algorithm.
|
|
|
|
|
* @throws {Error | string} Throws an error `string` if the token is invalid or an `Error-Object` if there's a validation issue.
|
|
|
|
|
* @returns {Promise<boolean>} Returns `true` if signature, `nbf` (if set) and `exp` (if set) are valid, otherwise returns `false`.
|
|
|
|
|
*/
|
|
|
|
|
export async function verify(token: string, secret: string | JsonWebKey, options: JwtVerifyOptions | JwtAlgorithm = { algorithm: 'HS256', throwError: false }): Promise<boolean> {
|
|
|
|
|
export async function verify(token: string, secret: string | JsonWebKey | CryptoKey, options: JwtVerifyOptions | JwtAlgorithm = { algorithm: 'HS256', throwError: false }): Promise<boolean> {
|
|
|
|
|
if (typeof options === 'string')
|
|
|
|
|
options = { algorithm: options, throwError: false }
|
|
|
|
|
|
|
|
|
|
@@ -265,7 +266,7 @@ export async function verify(token: string, secret: string | JsonWebKey, options
|
|
|
|
|
throw new Error('token must be a string')
|
|
|
|
|
|
|
|
|
|
if (typeof secret !== 'string' && typeof secret !== 'object')
|
|
|
|
|
throw new Error('secret must be a string or a JWK object')
|
|
|
|
|
throw new Error('secret must be a string, a JWK object or a CryptoKey object')
|
|
|
|
|
|
|
|
|
|
if (typeof options.algorithm !== 'string')
|
|
|
|
|
throw new Error('options.algorithm must be a string')
|
|
|
|
|
@@ -292,7 +293,7 @@ export async function verify(token: string, secret: string | JsonWebKey, options
|
|
|
|
|
if (payload.exp && payload.exp <= Math.floor(Date.now() / 1000))
|
|
|
|
|
throw new Error('EXPIRED')
|
|
|
|
|
|
|
|
|
|
const key = await importKey(secret, algorithm)
|
|
|
|
|
const key = secret instanceof CryptoKey ? secret : await importKey(secret, algorithm)
|
|
|
|
|
|
|
|
|
|
return await crypto.subtle.verify(algorithm, key, base64UrlToArrayBuffer(tokenParts[2]), textToArrayBuffer(`${tokenParts[0]}.${tokenParts[1]}`))
|
|
|
|
|
} catch(err) {
|
|
|
|
|
@@ -309,10 +310,10 @@ export async function verify(token: string, secret: string | JsonWebKey, options
|
|
|
|
|
* @param {string} token The token string generated by `jwt.sign()`.
|
|
|
|
|
* @returns {JwtData} Returns an `object` containing `header` and `payload`.
|
|
|
|
|
*/
|
|
|
|
|
export function decode(token: string): JwtData {
|
|
|
|
|
export function decode<Payload = {}, Header = {}>(token: string): JwtData<Payload, Header> {
|
|
|
|
|
return {
|
|
|
|
|
header: decodePayload<JwtHeader>(token.split('.')[0].replace(/-/g, '+').replace(/_/g, '/')),
|
|
|
|
|
payload: decodePayload<JwtPayload>(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'))
|
|
|
|
|
header: decodePayload<JwtHeader<Header>>(token.split('.')[0].replace(/-/g, '+').replace(/_/g, '/')),
|
|
|
|
|
payload: decodePayload<JwtPayload<Payload>>(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/'))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@@ -320,4 +321,4 @@ export default {
|
|
|
|
|
sign,
|
|
|
|
|
verify,
|
|
|
|
|
decode
|
|
|
|
|
}
|
|
|
|
|
}
|
