Skip to main content
Module

x/darkflare/jwt/mod.ts

The API Engine
azurystudio/darkflare
Go to Latest
File
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299
/** * @typedef JwtAlgorithm * @type {'ES256'|'ES384'|'ES512'|'HS256'|'HS384'|'HS512'|'RS256'|'RS384'|'RS512'} */export type JwtAlgorithm = 'ES256'|'ES384'|'ES512'|'HS256'|'HS384'|'HS512'|'RS256'|'RS384'|'RS512'
/** * @typedef JwtAlgorithms */export interface JwtAlgorithms {    [key: string]: SubtleCryptoImportKeyAlgorithm}
/** * @typedef JwtHeader * @prop {string} [typ] Type */export interface JwtHeader {    /**     * Type (default: `"JWT"`)     *     * @default "JWT"     */    typ?: string
    [key: string]: any}
/** * @typedef JwtPayload * @prop {string} [iss] Issuer * @prop {string} [sub] Subject * @prop {string} [aud] Audience * @prop {string} [exp] Expiration Time * @prop {string} [nbf] Not Before * @prop {string} [iat] Issued At * @prop {string} [jti] JWT ID */export interface JwtPayload {    /** Issuer */    iss?: string
    /** Subject */    sub?: string
    /** Audience */    aud?: string
    /** Expiration Time */    exp?: number
    /** Not Before */    nbf?: number
    /** Issued At */    iat?: number
    /** JWT ID */    jti?: string
    [key: string]: any}
/** * @typedef JwtOptions * @prop {JwtAlgorithm | string} algorithm */export interface JwtOptions {    algorithm?: JwtAlgorithm | string}
/** * @typedef JwtSignOptions * @extends JwtOptions * @prop {JwtHeader} [header] */export interface JwtSignOptions extends JwtOptions {    header?: JwtHeader}
/** * @typedef JwtVerifyOptions * @extends JwtOptions * @prop {boolean} [throwError=false] If `true` throw error if checks fail. (default: `false`) */export interface JwtVerifyOptions extends JwtOptions {    /**     * If `true` throw error if checks fail. (default: `false`)     *     * @default false    */    throwError?: boolean}
/** * @typedef JwtData * @prop {JwtHeader} header * @prop {JwtPayload} payload */export interface JwtData {    header: JwtHeader    payload: JwtPayload}
function base64UrlParse(s: string): Uint8Array {    // @ts-ignore    return new Uint8Array(Array.prototype.map.call(atob(s.replace(/-/g, '+').replace(/_/g, '/').replace(/\s/g, '')), c => c.charCodeAt(0)))    // return new Uint8Array(Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/').replace(/\s/g, ''))).map(c => c.charCodeAt(0)))}
function base64UrlStringify(a: Uint8Array): string {    // @ts-ignore    return btoa(String.fromCharCode.apply(0, a)).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_')    // return btoa(String.fromCharCode.apply(0, Array.from(a))).replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_')}
const algorithms: JwtAlgorithms = {    ES256: { name: 'ECDSA', namedCurve: 'P-256', hash: { name: 'SHA-256' } },    ES384: { name: 'ECDSA', namedCurve: 'P-384', hash: { name: 'SHA-384' } },    ES512: { name: 'ECDSA', namedCurve: 'P-521', hash: { name: 'SHA-512' } },    HS256: { name: 'HMAC', hash: { name: 'SHA-256' } },    HS384: { name: 'HMAC', hash: { name: 'SHA-384' } },    HS512: { name: 'HMAC', hash: { name: 'SHA-512' } },    RS256: { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-256' } },    RS384: { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-384' } },    RS512: { name: 'RSASSA-PKCS1-v1_5', hash: { name: 'SHA-512' } }}
function _utf8ToUint8Array(str: string): Uint8Array {    return base64UrlParse(btoa(unescape(encodeURIComponent(str))))}
function _str2ab(str: string): ArrayBuffer {    str = atob(str)
    const buf = new ArrayBuffer(str.length);    const bufView = new Uint8Array(buf);
    for (let i = 0, strLen = str.length; i < strLen; i++) {        bufView[i] = str.charCodeAt(i);    }
    return buf;}
function _decodePayload(raw: string): JwtHeader | JwtPayload | null {    switch (raw.length % 4) {        case 0:            break        case 2:            raw += '=='            break        case 3:            raw += '='            break        default:            throw new Error('Illegal base64url string!')    }
    try {        return JSON.parse(decodeURIComponent(escape(atob(raw))))    } catch {        return null    }}
/** * Signs a payload and returns the token * * @param {JwtPayload} payload The payload object. To use `nbf` (Not Before) and/or `exp` (Expiration Time) add `nbf` and/or `exp` to the payload. * @param {string} secret A string which is used to sign the payload. * @param {JwtSignOptions | JwtAlgorithm | string} [options={ algorithm: 'HS256', header: { typ: 'JWT' } }] The options object or the algorithm. * @throws {Error} If there's a validation issue. * @returns {Promise<string>} Returns token as a `string`. */export async function jwtSign(payload: JwtPayload, secret: string, options: JwtSignOptions | JwtAlgorithm = { algorithm: 'HS256', header: { typ: 'JWT' } }): Promise<string> {    if (typeof options === 'string')        options = { algorithm: options, header: { typ: 'JWT' } }
    options = { algorithm: 'HS256', header: { typ: 'JWT' }, ...options }
    if (payload === null || typeof payload !== 'object')        throw new Error('payload must be an object')
    if (typeof secret !== 'string')        throw new Error('secret must be a string')
    if (typeof options.algorithm !== 'string')        throw new Error('options.algorithm must be a string')
    const algorithm: SubtleCryptoImportKeyAlgorithm = algorithms[options.algorithm]
    if (!algorithm)        throw new Error('algorithm not found')
    if (!payload.iat)        payload.iat = Math.floor(Date.now() / 1000)
    const payloadAsJSON = JSON.stringify(payload)    const partialToken = `${base64UrlStringify(_utf8ToUint8Array(JSON.stringify({ ...options.header, alg: options.algorithm })))}.${base64UrlStringify(_utf8ToUint8Array(payloadAsJSON))}`    let keyFormat: 'raw' | 'pkcs8' = 'raw'    let keyData    if (secret.startsWith('-----BEGIN')) {        keyFormat = 'pkcs8'        keyData = _str2ab(secret.replace(/-----BEGIN.*?-----/g, '').replace(/-----END.*?-----/g, '').replace(/\s/g, ''))    } else        keyData = _utf8ToUint8Array(secret)    const key = await crypto.subtle.importKey(keyFormat, keyData, algorithm, false, ['sign'])    const signature = await crypto.subtle.sign(algorithm, key, _utf8ToUint8Array(partialToken))
    return `${partialToken}.${base64UrlStringify(new Uint8Array(signature))}`}
/** * Verifies the integrity of the token and returns a boolean value. * * @param {string} token The token string generated by `jwt.sign()`. * @param {string} secret The string which was used to sign the payload. * @param {JWTVerifyOptions | JWTAlgorithm} options The options object or the algorithm. * @throws {Error | string} Throws an error `string` if the token is invalid or an `Error-Object` if there's a validation issue. * @returns {Promise<boolean>} Returns `true` if signature, `nbf` (if set) and `exp` (if set) are valid, otherwise returns `false`. */export async function jwtVerify(token: string, secret: string, options: JwtVerifyOptions | JwtAlgorithm = { algorithm: 'HS256', throwError: false }): Promise<boolean> {    if (typeof options === 'string')        options = { algorithm: options, throwError: false }
    options = { algorithm: 'HS256', throwError: false, ...options }
    if (typeof token !== 'string')        throw new Error('token must be a string')
    if (typeof secret !== 'string')        throw new Error('secret must be a string')
    if (typeof options.algorithm !== 'string')        throw new Error('options.algorithm must be a string')
    const tokenParts = token.split('.')
    if (tokenParts.length !== 3)        throw new Error('token must consist of 3 parts')
    const algorithm: SubtleCryptoImportKeyAlgorithm = algorithms[options.algorithm]
    if (!algorithm)        throw new Error('algorithm not found')
    const { payload } = jwtDecode(token)
    if (!payload) {        if (options.throwError)            throw 'PARSE_ERROR'
        return false    }
    if (payload.nbf && payload.nbf > Math.floor(Date.now() / 1000)) {        if (options.throwError)            throw 'NOT_YET_VALID'
        return false    }
    if (payload.exp && payload.exp <= Math.floor(Date.now() / 1000)) {        if (options.throwError)            throw 'EXPIRED'
        return false    }    let keyFormat: 'raw' | 'spki' = 'raw'    let keyData    if (secret.startsWith('-----BEGIN')) {        keyFormat = 'spki'        keyData = _str2ab(secret.replace(/-----BEGIN.*?-----/g, '').replace(/-----END.*?-----/g, '').replace(/\s/g, ''))    } else        keyData = _utf8ToUint8Array(secret)    const key = await crypto.subtle.importKey(keyFormat, keyData, algorithm, false, ['verify'])    return await crypto.subtle.verify(algorithm, key, base64UrlParse(tokenParts[2]), _utf8ToUint8Array(`${tokenParts[0]}.${tokenParts[1]}`))}
/** * Returns the payload **without** verifying the integrity of the token. Please use `jwt.verify()` first to keep your application secure! * * @param {string} token The token string generated by `jwt.sign()`. * @returns {JwtData} Returns an `object` containing `header` and `payload`. */export function jwtDecode(token: string): JwtData {    return {        header: _decodePayload(token.split('.')[0].replace(/-/g, '+').replace(/_/g, '/')) as JwtHeader,        payload: _decodePayload(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')) as JwtPayload    }}
export default {    jwtSign,    jwtVerify,    jwtDecode}