@docusign/iam-sdk
Developer-friendly & type-safe Typescript SDK specifically catered to leverage *@docusign/iam-sdk* API.
;
// Flag the module as transpiled ESM for CommonJS interop helpers.
Object.defineProperty(exports, "__esModule", { value: true });
// Reserve the schema export up front; the real value is assigned further
// down, after the dependencies have been required.
exports.FetchJwtUserTokenRequestSchema = undefined;
// `createJwtAssertion` is a function declaration, so it is hoisted and can
// be exported before its definition appears in the file.
exports.createJwtAssertion = createJwtAssertion;
const node_crypto_1 = require("node:crypto");
const zod_1 = require("zod");
const scopes_js_1 = require("./scopes.js");
const types_js_1 = require("./types.js");
/**
 * Validation schema for the parameters accepted by `createJwtAssertion`.
 *
 * Every field is checked before any claim is built or anything is signed,
 * so malformed input fails at parse time rather than producing a signed
 * token with unexpected contents.
 */
exports.FetchJwtUserTokenRequestSchema = zod_1.z.object({
  /**
   * Docusign OAuth client ID (also called the integrator key).
   * Used as the `iss` claim of the assertion.
   */
  clientId: zod_1.z.string({
    required_error: "Client ID (Integrator Key) is required",
    invalid_type_error: "Client ID must be a string",
  }),
  /**
   * ID of the Docusign user the token is requested for.
   * Used as the `sub` claim of the assertion.
   */
  userId: zod_1.z.string({
    required_error: "User ID is required",
    invalid_type_error: "User ID must be a string",
  }),
  /**
   * OAuth host for the target environment; used as the `aud` claim.
   *
   * Use `account-d.docusign.com` for demo and `account.docusign.com` for
   * production. The value is constrained by `DocusignOAuthBasePathSchema`
   * (defined in ./types.js).
   *
   * Note that the default targets the demo environment, so production
   * callers must set this explicitly.
   *
   * @default account-d.docusign.com
   */
  oauthBasePath: types_js_1.DocusignOAuthBasePathSchema.optional().default("account-d.docusign.com"),
  /**
   * RSA private key in PEM format used to sign the JWT.
   *
   * This is long-lived signing material: anyone holding it can mint
   * assertions for this client ID. Load it from a secret store or a
   * protected file rather than embedding it in source or configuration
   * that is committed, and keep it out of logs and error reports.
   */
  privateKey: types_js_1.RsaPrivateKeySchema,
  /**
   * Scopes requested for the OAuth flow, joined with spaces into the
   * `scope` claim.
   *
   * When omitted, the full `DOCUSIGN_IAM_OAUTH_SCOPES` list is requested.
   * For least privilege, pass only the scopes the integration actually
   * needs instead of relying on this default.
   *
   * @link https://developers.docusign.com/platform/auth/scopes/
   */
  scopes: zod_1.z
    .string()
    .array()
    .readonly()
    .optional()
    .default(scopes_js_1.DOCUSIGN_IAM_OAUTH_SCOPES),
});
/**
 * Builds an RS256-signed JWT assertion from the given request parameters.
 *
 * The parameters are validated with `FetchJwtUserTokenRequestSchema` first;
 * `parse` throws if they do not match the schema. The resulting token has
 * the claims `iss` (client ID), `sub` (user ID), `aud` (OAuth base path),
 * `iat`/`nbf` (current time) and `exp` (current time + 3600 seconds), plus
 * a space-separated `scope` string.
 *
 * Security notes:
 * - The returned string is a signed credential. Keep it out of logs, URLs
 *   and error messages, and send it only to the OAuth host named in `aud`.
 * - The lifetime is fixed at one hour and no `jti` claim is included, so
 *   uniqueness of an assertion is not expressed in the token itself; any
 *   replay protection depends on the authorization server.
 *
 * @param {object} params - Unvalidated request parameters.
 * @returns {string} Compact JWT: `<header>.<payload>.<signature>`, each part
 *   base64url-encoded.
 */
function createJwtAssertion(params) {
  const request = exports.FetchJwtUserTokenRequestSchema.parse(params);
  // Serialise a JSON value as an unpadded base64url segment.
  const toSegment = (value) => Buffer.from(JSON.stringify(value)).toString("base64url");

  const issuedAt = Math.floor(Date.now() / 1000); // seconds since the epoch
  const claims = {
    iss: request.clientId,
    sub: request.userId,
    aud: request.oauthBasePath,
    iat: issuedAt,
    exp: issuedAt + 3600, // assertion is valid for one hour
    nbf: issuedAt,
    scope: request.scopes.join(" "),
  };

  // The signature covers exactly "<header>.<payload>".
  const signingInput = [toSegment({ alg: "RS256", typ: "JWT" }), toSegment(claims)].join(".");

  const signer = (0, node_crypto_1.createSign)("RSA-SHA256");
  signer.update(signingInput);
  const signingKey = (0, node_crypto_1.createPrivateKey)(request.privateKey);
  const signature = signer.sign(signingKey, "base64url");

  return `${signingInput}.${signature}`;
}
//# sourceMappingURL=jwt-assertion.js.map