UNPKG

@auth/core

Version:

Authentication for the Web.

authjs.dev

nextauthjs/next-auth

127 lines 4.79 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
/** * * * This module contains functions and types * to encode and decode {@link https://authjs.dev/concepts/session-strategies#jwt-session JWT}s * issued and used by Auth.js. * * The JWT issued by Auth.js is _encrypted by default_, using the _A256CBC-HS512_ algorithm ({@link https://www.rfc-editor.org/rfc/rfc7518.html#section-5.2.5 JWE}). * It uses the `AUTH_SECRET` environment variable or the passed `secret` propery to derive a suitable encryption key. * * :::info Note * Auth.js JWTs are meant to be used by the same app that issued them. * If you need JWT authentication for your third-party API, you should rely on your Identity Provider instead. * ::: * * ## Installation * * ```bash npm2yarn * npm install @auth/core * ``` * * You can then import this submodule from `@auth/core/jwt`. * * ## Usage * * :::warning Warning * This module *will* be refactored/changed. We do not recommend relying on it right now. * ::: * * * ## Resources * * - [What is a JWT session strategy](https://authjs.dev/concepts/session-strategies#jwt-session) * - [RFC7519 - JSON Web Token (JWT)](https://www.rfc-editor.org/rfc/rfc7519) * * @module jwt */ import { Awaitable } from "./types.js"; import type { LoggerInstance } from "./lib/utils/logger.js"; /** Issues a JWT. By default, the JWT is encrypted using "A256CBC-HS512". */ export declare function encode<Payload = JWT>(params: JWTEncodeParams<Payload>): Promise<string>; /** Decodes a Auth.js issued JWT. */ export declare function decode<Payload = JWT>(params: JWTDecodeParams): Promise<Payload | null>; export interface GetTokenParams<R extends boolean = false> extends Pick<JWTDecodeParams, "salt" | "secret"> { /** The request containing the JWT either in the cookies or in the `Authorization` header. */ req: Request | { headers: Headers | Record<string, string>; }; /** * Use secure prefix for cookie name, unless URL in `NEXTAUTH_URL` is http:// * or not set (e.g. development or test instance) case use unprefixed name */ secureCookie?: boolean; /** If the JWT is in the cookie, what name `getToken()` should look for. */ cookieName?: string; /** * `getToken()` will return the raw JWT if this is set to `true` * * @default false */ raw?: R; decode?: JWTOptions["decode"]; logger?: LoggerInstance | Console; } /** * Takes an Auth.js request (`req`) and returns either the Auth.js issued JWT's payload, * or the raw JWT string. We look for the JWT in the either the cookies, or the `Authorization` header. */ export declare function getToken<R extends boolean = false>(params: GetTokenParams<R>): Promise<R extends true ? string : JWT | null>; export interface DefaultJWT extends Record<string, unknown> { name?: string | null; email?: string | null; picture?: string | null; sub?: string; iat?: number; exp?: number; jti?: string; } /** * Returned by the `jwt` callback when using JWT sessions * * [`jwt` callback](https://authjs.dev/reference/core/types#jwt) */ export interface JWT extends Record<string, unknown>, DefaultJWT { } export interface JWTEncodeParams<Payload = JWT> { /** * The maximum age of the Auth.js issued JWT in seconds. * * @default 30 * 24 * 60 * 60 // 30 days */ maxAge?: number; /** Used in combination with `secret`, to derive the encryption secret for JWTs. */ salt: string; /** Used in combination with `salt`, to derive the encryption secret for JWTs. */ secret: string | string[]; /** The JWT payload. */ token?: Payload; } export interface JWTDecodeParams { /** Used in combination with `secret`, to derive the encryption secret for JWTs. */ salt: string; /** * Used in combination with `salt`, to derive the encryption secret for JWTs. * * @note * You can also pass an array of secrets, in which case the first secret that successfully * decrypts the JWT will be used. This is useful for rotating secrets without invalidating existing sessions. * The newer secret should be added to the start of the array, which will be used for all new sessions. */ secret: string | string[]; /** The Auth.js issued JWT to be decoded */ token?: string; } export interface JWTOptions { /** * The maximum age of the Auth.js issued JWT in seconds. * * @default 30 * 24 * 60 * 60 // 30 days */ maxAge: number; /** Override this method to control the Auth.js issued JWT encoding. */ encode: (params: JWTEncodeParams) => Awaitable<string>; /** Override this method to control the Auth.js issued JWT decoding. */ decode: (params: JWTDecodeParams) => Awaitable<JWT | null>; } //# sourceMappingURL=jwt.d.ts.map