@smertins27/jwt-auth-manager
Modernes JWT-Management mit Access & Refresh Token Rotation
Source Map (JSON)
{"version":3,"sources":["../src/types.ts","../src/utils.ts","../src/token-manager.ts","../src/refresh-manager.ts","../src/middleware.ts","../src/blacklist.ts","../src/refresh-store/memory-refresh-store.ts","../src/refresh-store/redis-refresh-store.ts"],"names":["randomBytes","SignJWT","jwtVerify"],"mappings":";;;;;;AAiBO,IAAM,WAAA,GAAc;AAAA,EACvB,EAAA,EAAI,GAAA;AAAA,EACJ,OAAA,EAAS,GAAA;AAAA,EACT,WAAA,EAAa,GAAA;AAAA,EACb,YAAA,EAAc,GAAA;AAAA,EACd,SAAA,EAAW,GAAA;AAAA,EACX,SAAA,EAAW,GAAA;AAAA,EACX,qBAAA,EAAuB;AAC3B;AAqNO,IAAM,YAAA,GAAN,cAA2B,KAAA,CAAM;AAAA,EACpC,WAAA,CACI,OAAA,EACO,UAAA,GAAqB,WAAA,CAAY,cACjC,IAAA,EACT;AACE,IAAA,KAAA,CAAM,OAAO,CAAA;AAHN,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAGP,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AAAA,EAChB;AACJ;AC5OO,SAAS,YAAY,MAAA,EAAiC;AACzD,EAAA,IAAI,OAAO,MAAA,KAAW,QAAA,EAAU,OAAO,MAAA;AACvC,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,iBAAiB,CAAA;AAC5C,EAAA,IAAI,CAAC,KAAA,EAAO,OAAO,EAAA,GAAK,EAAA;AACxB,EAAA,MAAM,GAAA,GAAM,QAAA,CAAS,KAAA,CAAM,CAAC,GAAG,EAAE,CAAA;AACjC,EAAA,QAAQ,KAAA,CAAM,CAAC,CAAA;AAAG,IACd,KAAK,GAAA;AAAK,MAAA,OAAO,GAAA;AAAA,IACjB,KAAK,GAAA;AAAK,MAAA,OAAO,GAAA,GAAM,EAAA;AAAA,IACvB,KAAK,GAAA;AAAK,MAAA,OAAO,GAAA,GAAM,IAAA;AAAA,IACvB,KAAK,GAAA;AAAK,MAAA,OAAO,GAAA,GAAM,KAAA;AAAA,IACvB;AAAS,MAAA,OAAO,EAAA,GAAK,EAAA;AAAA;AAE7B;AAOO,SAAS,eAAA,GAA0B;AACtC,EAAA,OAAOA,kBAAA,CAAY,EAAE,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AACzC;;;ACvBO,IAAM,kBAAN,MAAsB;AAAA,EACR,MAAA;AAAA,EACT,MAAA;AAAA,EAER,YAAY,MAAA,EAAmB;AAE3B,IAAA,IAAA,CAAK,MAAA,GAAS,OAAO,MAAA,CAAO,MAAA,KAAW,QAAA,GACjC,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,MAAA,CAAO,MAAM,CAAA,GACtC,MAAA,CAAO,MAAA;AAEb,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACV,SAAA,EAAW,OAAO,SAAA,IAAa,OAAA;AAAA,MAC/B,iBAAA,EAAmB,OAAO,iBAAA,IAAqB,KAAA;AAAA,MAC/C,kBAAA,EAAoB,OAAO,kBAAA,IAAsB,IAAA;AAAA,MACjD,MAAA,EAAQ,OAAO,MAAA,IAAU,kBAAA;AAAA,MACzB,QAAA,EAAU,OAAO,QAAA,IAAY;AAAA,KACjC;AAGA,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,SAAA,KAAc,MAAA,EAAe;AACzC,MAAA,MAAM,IAAI,YAAA,CAAa,sDAAA,EAAwD,GAAA,EAAK,mBAAmB,CAAA;AAAA,IAC3G;AAAA
,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,kBAAkB,OAAA,EAA2C;AAC/D,IAAA,IAAI,CAAC,QAAQ,GAAA,EAAK;AACd,MAAA,MAAM,IAAI,YAAA,CAAa,sCAAA,EAAwC,GAAA,EAAK,aAAa,CAAA;AAAA,IACrF;AAGA,IAAA,MAAM,cAAc,MAAM,IAAIC,YAAA,CAAQ,EAAE,GAAG,OAAA,EAAS,CAAA,CAC/C,kBAAA,CAAmB,EAAE,GAAA,EAAK,IAAA,CAAK,MAAA,CAAO,SAAA,EAAW,CAAA,CACjD,WAAA,EAAY,CACZ,SAAA,CAAU,KAAK,MAAA,CAAO,MAAM,CAAA,CAC5B,iBAAA,CAAkB,KAAK,MAAA,CAAO,iBAAiB,CAAA,CAC/C,WAAA,CAAY,KAAK,MAAA,CAAO,QAAA,IAAY,QAAQ,CAAA,CAC5C,IAAA,CAAK,KAAK,MAAM,CAAA;AAGrB,IAAA,MAAM,MAAM,eAAA,EAAgB;AAC5B,IAAA,MAAM,cAAA,GAAsC;AAAA,MACxC,GAAG,OAAA;AAAA,MACH,GAAA;AAAA,MACA,IAAA,EAAM;AAAA,KACV;AAEA,IAAA,MAAM,eAAe,MAAM,IAAIA,YAAA,CAAQ,cAAc,EAChD,kBAAA,CAAmB,EAAE,GAAA,EAAK,IAAA,CAAK,OAAO,SAAA,EAAW,CAAA,CACjD,WAAA,GACA,SAAA,CAAU,IAAA,CAAK,MAAA,CAAO,MAAM,EAC5B,MAAA,CAAO,GAAG,CAAA,CACV,iBAAA,CAAkB,KAAK,MAAA,CAAO,kBAAkB,CAAA,CAChD,WAAA,CAAY,KAAK,MAAA,CAAO,QAAA,IAAY,SAAS,CAAA,CAC7C,IAAA,CAAK,KAAK,MAAM,CAAA;AAErB,IAAA,MAAM,SAAA,GAAY,WAAA,CAAY,IAAA,CAAK,MAAA,CAAO,iBAAiB,CAAA;AAE3D,IAAA,OAAO;AAAA,MACH,WAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACJ;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,oBAAoB,OAAA,EAAwC;AAC9D,IAAA,IAAI,CAAC,QAAQ,GAAA,EAAK;AACd,MAAA,MAAM,IAAI,YAAA,CAAa,sCAAA,EAAwC,GAAA,EAAK,aAAa,CAAA;AAAA,IACrF;AAEA,IAAA,OAAO,MAAM,IAAIA,YAAA,CAAQ,EAAE,GAAG,SAAS,CAAA,CAClC,kBAAA,CAAmB,EAAE,KAAK,IAAA,CAAK,MAAA,CAAO,SAAA,EAAW,EACjD,WAAA,EAAY,CACZ,SAAA,CAAU,IAAA,CAAK,OAAO,MAAM,CAAA,CAC5B,iBAAA,CAAkB,IAAA,CAAK,OAAO,iBAAiB,CAAA,CAC/C,WAAA,CAAY,IAAA,CAAK,OAAO,QAAA,IAAY,QAAQ,CAAA,CAC5C,IAAA,CAAK,KAAK,MAAM,CAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,kBAAkB,KAAA,EAAqD;AACzE,IAAA,IAAI;AACA,MAAA,MAAM,EAAE,SAAS,eAAA,EAAgB,GAAI,MAAMC,cAAA,CAAU,KAAA,EAAO,KAAK,MAAA,EAAQ;AAAA,QACrE,UAAA,EAAY,CAAC,IAAA,CAAK,MAAA,CAAO,SAAS,CAAA;AAAA,QAClC,MAAA,EAAQ,KAAK,MAAA,CAAO,MAAA;AAAA,QACpB,QAAA,EAAU,IAAA,CAAK,MAAA,CAAO,QAAA,IAAY;AAAA,OACrC,CAAA;AAED,MAAA,IAAI,CAAC,OAAA,CAAQ,GAAA,IAAO,OAAO,OAAA,CAAQ,QAAQ,QAAA,EAAU;AACjD,QAAA,MAAM,IAAI,YAAA,CAAa,oCA
AA,EAAsC,GAAA,EAAK,iBAAiB,CAAA;AAAA,MACvF;AAEA,MAAA,OAAO;AAAA,QACH,OAAA;AAAA,QACA;AAAA,OACJ;AAAA,IACJ,SAAS,KAAA,EAAY;AACjB,MAAA,IAAI,KAAA,CAAM,SAAS,iBAAA,EAAmB;AAClC,QAAA,MAAM,IAAI,YAAA,CAAa,0BAAA,EAA4B,GAAA,EAAK,eAAe,CAAA;AAAA,MAC3E;AACA,MAAA,IAAI,KAAA,CAAM,SAAS,uCAAA,EAAyC;AACxD,QAAA,MAAM,IAAI,YAAA,CAAa,yBAAA,EAA2B,GAAA,EAAK,mBAAmB,CAAA;AAAA,MAC9E;AACA,MAAA,MAAM,IAAI,YAAA,CAAa,yBAAA,EAA2B,GAAA,EAAK,eAAe,CAAA;AAAA,IAC1E;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,mBAAmB,KAAA,EAA4D;AACjF,IAAA,IAAI;AACA,MAAA,MAAM,EAAE,SAAS,eAAA,EAAgB,GAAI,MAAMA,cAAA,CAAU,KAAA,EAAO,KAAK,MAAA,EAAQ;AAAA,QACrE,UAAA,EAAY,CAAC,IAAA,CAAK,MAAA,CAAO,SAAS,CAAA;AAAA,QAClC,MAAA,EAAQ,KAAK,MAAA,CAAO,MAAA;AAAA,QACpB,QAAA,EAAU,IAAA,CAAK,MAAA,CAAO,QAAA,IAAY;AAAA,OACrC,CAAA;AAED,MAAA,IAAI,CAAC,QAAQ,GAAA,IAAO,CAAC,QAAQ,GAAA,IAAO,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,EAAU;AACjE,QAAA,MAAM,IAAI,YAAA,CAAa,+BAAA,EAAiC,GAAA,EAAK,iBAAiB,CAAA;AAAA,MAClF;AAEA,MAAA,IAAI,OAAA,CAAQ,SAAS,SAAA,EAAW;AAC5B,QAAA,MAAM,IAAI,YAAA,CAAa,8BAAA,EAAgC,GAAA,EAAK,oBAAoB,CAAA;AAAA,MACpF;AAEA,MAAA,OAAO;AAAA,QACH,OAAA;AAAA,QACA;AAAA,OACJ;AAAA,IACJ,SAAS,KAAA,EAAY;AACjB,MAAA,IAAI,KAAA,CAAM,SAAS,iBAAA,EAAmB;AAClC,QAAA,MAAM,IAAI,YAAA,CAAa,2BAAA,EAA6B,GAAA,EAAK,uBAAuB,CAAA;AAAA,MACpF;AACA,MAAA,IAAI,KAAA,CAAM,SAAS,uCAAA,EAAyC;AACxD,QAAA,MAAM,IAAI,YAAA,CAAa,iCAAA,EAAmC,GAAA,EAAK,mBAAmB,CAAA;AAAA,MACtF;AACA,MAAA,MAAM,IAAI,YAAA,CAAa,0BAAA,EAA4B,GAAA,EAAK,uBAAuB,CAAA;AAAA,IACnF;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAY,KAAA,EAA2B;AACnC,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACpB,MAAA,MAAM,IAAI,YAAA,CAAa,sBAAA,EAAwB,GAAA,EAAK,iBAAiB,CAAA;AAAA,IACzE;AAEA,IAAA,OAAO,IAAA,CAAK,KAAA,CAAM,MAAA,CAAO,IAAA,CAAK,KAAA,CAAM,CAAC,CAAA,EAAG,WAAW,CAAA,CAAE,QAAA,EAAU,CAAA;AAAA,EACnE;AACJ;ACrLO,IAAM,sBAAN,MAA0B;AAAA,EAG7B,WAAA,CACY,YAAA,EACA,UAAA,EACR,MAAA,EACF;AAHU,IAAA,IAAA,CAAA,YAAA,GAAA,YAAA;AACA,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AAGR,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACV,kB
AAA,EAAoB,QAAQ,kBAAA,IAAsB;AAAA,KACtD;AAAA,EACJ;AAAA,EAVQ,MAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBR,MAAM,mBAAmB,YAAA,EAA0C;AAG/D,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,IAAA,CAAK,YAAA,CAAa,mBAAmB,YAAY,CAAA;AAG3E,IAAA,MAAM,YAAY,MAAM,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAG,CAAA;AAEvD,IAAA,IAAI,CAAC,SAAA,EAAW;AACZ,MAAA,MAAM,IAAI,YAAA;AAAA,QACN,oCAAA;AAAA,QACA,GAAA;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAEA,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAGrB,IAAA,IAAI,UAAU,MAAA,EAAQ;AAClB,MAAA,MAAM,cAAc,GAAA,CAAI,OAAA,KAAY,SAAA,CAAU,MAAA,CAAO,SAAQ,IAAK,GAAA;AAGlE,MAAA,IAAI,UAAA,IAAc,IAAA,CAAK,MAAA,CAAO,kBAAA,IAAsB,UAAU,SAAA,EAAW;AAErE,QAAA,MAAM,EAAE,SAAS,WAAA,EAAY,GAAI,MAAM,IAAA,CAAK,YAAA,CAAa,kBAAA,CAAmB,SAAA,CAAU,SAAS,CAAA;AAC/F,QAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,YAAA,CAAa,mBAAA,CAAoB;AAAA,UAC5D,KAAK,OAAA,CAAQ,GAAA;AAAA,UACb,GAAG,IAAA,CAAK,cAAA,CAAe,OAAO;AAAA,SACjC,CAAA;AAED,QAAA,OAAO;AAAA,UACH,WAAA;AAAA,UACA,cAAc,SAAA,CAAU,SAAA;AAAA,UACxB,SAAA,EAAW,IAAA,CAAK,YAAA,CAAa,QAAQ,CAAA,CAAE;AAAA,SAC3C;AAAA,MACJ;AAIA,MAAA,MAAM,IAAA,CAAK,UAAA,CAAW,qBAAA,CAAsB,SAAA,CAAU,WAAW,CAAA;AAEjE,MAAA,MAAM,IAAI,YAAA;AAAA,QACN,6DAAA;AAAA,QACA,GAAA;AAAA,QACA;AAAA,OACJ;AAAA,IACJ;AAGA,IAAA,MAAM,EAAE,GAAA,EAAK,GAAG,aAAY,GAAI,IAAA,CAAK,eAAe,OAAO,CAAA;AAG3D,IAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,eAAA;AAAA,MAC5B,EAAE,GAAA,EAAK,GAAG,WAAA,EAAY;AAAA,MACtB,SAAA,CAAU;AAAA,KACd;AAGA,IAAA,MAAM,KAAK,UAAA,CAAW,UAAA,CAAW,QAAQ,GAAA,EAAK,GAAA,EAAK,aAAa,YAAY,CAAA;AAE5E,IAAA,OAAO,YAAA;AAAA,EACX;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAA,CACF,OAAA,EACA,WAAA,EACkB;AAElB,IAAA,MAAM,MAAA,GAAS,WAAA,IAAe,IAAA,CAAK,mBAAA,EAAoB;AAEvD,IAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,YAAA,CAAa,kBAAkB,OAAO,CAAA;AAGnE,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,YAAA,CAAa,WAAA,CAAY,UAAU,YAAY,CAAA;AACpE,IAAA,MAAM,aAAa,IAAI,IAAA,CAAA,CAAM,OAAA,CAAQ,GAAA,IAAO,KAAK,GAAI,CAAA;AAErD,IAAA,MAAM,IAAA,CAAK,WAAW,IAAA,CAAK,OAAA,CAAQ,KAAe,OAAA,CAAQ,GAAA,EAAK,YAAY,MAAM,CAAA;AAEjF,IAAA,OAAO,SAAA;AAAA,EACX;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,MAAA,EAA+B;AACjD,IAAA,MAAM,IAAA,CAAK,UAA
A,CAAW,oBAAA,CAAqB,MAAM,CAAA;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA,EAKQ,mBAAA,GAA8B;AAClC,IAAA,OAAOF,kBAAAA,CAAY,EAAE,CAAA,CAAE,QAAA,CAAS,KAAK,CAAA;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAe,OAAA,EAAmB;AACtC,IAAA,MAAM,EAAE,MAAM,GAAA,EAAK,GAAA,EAAK,KAAK,GAAA,EAAK,GAAA,EAAK,GAAG,IAAA,EAAK,GAAI,OAAA;AACnD,IAAA,OAAO,IAAA;AAAA,EACX;AACJ;;;AC/HO,SAAS,oBAAA,CAAqB,QAA0B,YAAA,EAA+B;AAC1F,EAAA,MAAM;AAAA,IACF,oBAAoB,EAAC;AAAA,IACrB,cAAA;AAAA,IACA;AAAA,GACJ,GAAI,MAAA;AAYJ,EAAA,OAAO,eAAe,cAAA,CAAe,GAAA,EAAkB,GAAA,EAAe,IAAA,EAAoB;AAEtF,IAAA,MAAM,aAAA,GAAgB,iBAAA,CAAkB,IAAA,CAAK,CAAA,CAAA,KAAK;AAC9C,MAAA,MAAM,WAAA,GAAc,CAAA,CAAE,OAAA,CAAQ,QAAA,CAAS,IAAI,MAAoB,CAAA;AAC/D,MAAA,IAAI,OAAO,CAAA,CAAE,QAAA,KAAa,QAAA,EAAU;AAChC,QAAA,OAAO,WAAA,IAAe,GAAA,CAAI,GAAA,KAAQ,CAAA,CAAE,QAAA;AAAA,MACxC;AACA,MAAA,OAAO,WAAA,IAAe,CAAA,CAAE,QAAA,CAAS,IAAA,CAAK,IAAI,GAAG,CAAA;AAAA,IACjD,CAAC,CAAA;AACD,IAAA,IAAI,aAAA,SAAsB,IAAA,EAAK;AAG/B,IAAA,IAAI,KAAA;AACJ,IAAA,IAAI,OAAO,mBAAmB,UAAA,EAAY;AACtC,MAAA,KAAA,GAAQ,eAAe,GAAG,CAAA;AAAA,IAC9B;AACA,IAAA,IAAI,CAAC,KAAA,EAAO;AACR,MAAA,MAAM,MAAA,GAAS,GAAA,CAAI,MAAA,CAAO,eAAe,CAAA;AACzC,MAAA,IAAI,MAAA,IAAU,MAAA,CAAO,UAAA,CAAW,SAAS,CAAA,EAAG;AACxC,QAAA,KAAA,GAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,MAC1B,CAAA,MAAO;AACH,QAAA,KAAA,GAAQ,IAAI,KAAA,CAAM,WAAA;AAAA,MACtB;AAAA,IACJ;AACA,IAAA,IAAI,CAAC,KAAA,EAAO;AACR,MAAA,OAAO,GAAA,CAAI,OAAO,WAAA,CAAY,YAAY,EAAE,IAAA,CAAK,EAAE,KAAA,EAAO,qBAAA,EAAuB,CAAA;AAAA,IACrF;AAEA,IAAA,IAAI;AAEA,MAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,YAAA,CAAa,kBAAkB,KAAK,CAAA;AAG9D,MAAA,IAAI,aAAA,IAAiB,MAAM,aAAA,CAAc,KAAA,EAAO,OAAO,CAAA,EAAG;AACtD,QAAA,OAAO,GAAA,CAAI,OAAO,WAAA,CAAY,YAAY,EAAE,IAAA,CAAK,EAAE,KAAA,EAAO,sBAAA,EAAwB,CAAA;AAAA,MACtF;AAEA,MAAA,IAAI,CAAC,QAAQ,GAAA,EAAK;AACd,QAAA,OAAO,GAAA,CAAI,OAAO,WAAA,CAAY,YAAY,EAAE,IAAA,CAAK,EAAE,KAAA,EAAO,iBAAA,EAAmB,CAAA;AAAA,MACjF;AACA,MAAA,GAAA,CAAI,OAAA,GAAU,EAAE,GAAG,OAAA,EAAQ;AAC3B,MAAA,GAAA,CAAI,KAAA,GAAQ,KAAA;AACZ,MAAA,IAAA,EAAK;AAAA,IACT,SAAS,KAAA,EAAY;AACjB,MAAA,OAAO,GAAA,CAAI,MAAA,CAAQ,KAAA,EAAO,UAAA,IAAc,WAAA,CAAY,Y
AAa,CAAA,CAAE,IAAA,CAAK,EAAE,KAAA,EAAO,KAAA,EAAO,OAAA,IAAW,wBAAwB,CAAA;AAAA,IAC/H;AAAA,EACJ,CAAA;AACJ;;;ACjEO,IAAM,uBAAN,MAAqD;AAAA,EAChD,WAAA,uBAAuC,GAAA,EAAI;AAAA,EAEnD,MAAM,GAAA,CAAI,KAAA,EAAe,aAAA,EAAuB;AAC5C,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,GAAA,EAAI,GAAI,aAAA,GAAgB,GAAA;AAC5C,IAAA,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,KAAA,EAAO,MAAM,CAAA;AAAA,EACtC;AAAA,EACA,MAAM,cAAc,KAAA,EAAe;AAC/B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,WAAA,CAAY,GAAA,CAAI,KAAK,CAAA;AACzC,IAAA,OAAO,OAAO,MAAA,KAAW,QAAA,IAAY,IAAA,CAAK,KAAI,GAAI,MAAA;AAAA,EACtD;AAAA,EACA,MAAM,OAAA,GAAU;AACZ,IAAA,KAAA,MAAW,CAAC,KAAA,EAAO,MAAM,KAAK,IAAA,CAAK,WAAA,CAAY,SAAQ,EAAG;AACtD,MAAA,IAAI,IAAA,CAAK,GAAA,EAAI,IAAK,MAAA,EAAQ;AACtB,QAAA,IAAA,CAAK,WAAA,CAAY,OAAO,KAAK,CAAA;AAAA,MACjC;AAAA,IACJ;AAAA,EACJ;AACJ;;;AClBO,IAAM,0BAAN,MAA2D;AAAA,EACtD,KAAA,uBAA2C,GAAA,EAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWvD,MAAM,IAAA,CAAK,GAAA,EAAa,MAAA,EAAgB,YAAkB,WAAA,EAAoC;AAC1F,IAAA,IAAA,CAAK,KAAA,CAAM,IAAI,GAAA,EAAK;AAAA,MAChB,MAAA;AAAA,MACA,UAAA;AAAA,MACA,WAAA;AAAA,MACA,MAAA,EAAQ,MAAA;AAAA,MACR,SAAA,EAAW;AAAA,KACd,CAAA;AAAA,EACL;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,IAAI,GAAA,EAA+C;AACrD,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAC/B,IAAA,IAAI,CAAC,MAAM,OAAO,IAAA;AAClB,IAAA,IAAI,IAAA,CAAK,UAAA,mBAAa,IAAI,IAAA,EAAK,EAAG;AAC9B,MAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AACrB,MAAA,OAAO,IAAA;AAAA,IACX;AACA,IAAA,OAAO,IAAA;AAAA,EACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,OAAO,GAAA,EAA+B;AACxC,IAAA,OAAQ,MAAM,IAAA,CAAK,GAAA,CAAI,GAAG,CAAA,KAAO,IAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,UAAA,CAAW,GAAA,EAAa,MAAA,EAAc,SAAA,EAAkC;AAC1E,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,GAAG,CAAA;AAC/B,IAAA,IAAI,IAAA,EAAM;AACN,MAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,MAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAAA,IACrB;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,WAAW,GAAA,EAA4B;AACzC,IAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,sBAAsB,WAAA,
EAAoC;AAC5D,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,IAAI,KAAK,IAAA,CAAK,KAAA,CAAM,SAAQ,EAAG;AAC5C,MAAA,IAAI,IAAA,CAAK,gBAAgB,WAAA,EAAa;AAClC,QAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,MACzB;AAAA,IACJ;AAAA,EACJ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,qBAAqB,MAAA,EAA+B;AACtD,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,IAAA,CAAK,KAAA,CAAM,SAAQ,EAAG;AAC7C,MAAA,IAAI,KAAA,CAAM,WAAW,MAAA,EAAQ;AACzB,QAAA,IAAA,CAAK,KAAA,CAAM,OAAO,GAAG,CAAA;AAAA,MACzB;AAAA,IACJ;AAAA,EACJ;AACJ;;;ACzFO,IAAM,yBAAN,MAA0D;AAAA,EACrD,KAAA;AAAA,EACS,WAAA;AAAA,EACA,eAAA;AAAA,EACA,iBAAA;AAAA,EAEjB,WAAA,CAAY,KAAA,EAAwB,OAAA,GAAyC,EAAC,EAAG;AAC7E,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AACb,IAAA,IAAA,CAAK,WAAA,GAAc,QAAQ,WAAA,IAAe,gBAAA;AAC1C,IAAA,IAAA,CAAK,eAAA,GAAkB,QAAQ,eAAA,IAAmB,eAAA;AAClD,IAAA,IAAA,CAAK,iBAAA,GAAoB,QAAQ,iBAAA,IAAqB,iBAAA;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,SAAS,GAAA,EAAqB;AAClC,IAAA,OAAO,CAAA,EAAG,IAAA,CAAK,WAAW,CAAA,EAAG,GAAG,CAAA,CAAA;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,QAAQ,MAAA,EAAwB;AACpC,IAAA,OAAO,CAAA,EAAG,IAAA,CAAK,eAAe,CAAA,EAAG,MAAM,CAAA,CAAA;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,UAAU,WAAA,EAA6B;AAC3C,IAAA,OAAO,CAAA,EAAG,IAAA,CAAK,iBAAiB,CAAA,EAAG,WAAW,CAAA,CAAA;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,IAAA,CAAK,GAAA,EAAa,MAAA,EAAgB,YAAkB,WAAA,EAAoC;AAC1F,IAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,OAAA,EAAQ,GAAI,KAAK,GAAA,EAAI;AAC9C,IAAA,IAAI,SAAS,CAAA,EAAG;AAEhB,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,GAAG,CAAA;AAClC,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,OAAA,CAAQ,MAAM,CAAA;AACnC,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,SAAA,CAAU,WAAW,CAAA;AAE5C,IAAA,MAAM,SAAA,GAA8B;AAAA,MAChC,MAAA;AAAA,MACA,UAAA;AAAA,MACA,WAAA;AAAA,MACA,MAAA,EAAQ,MAAA;AAAA,MACR,SAAA,EAAW;AAAA,KACf;AAEA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,KAAA,EAAM;AAG/B,IAAA,KAAA,CAAM,GAAA,CAAI,UAAU,IAAA,CAAK,SAAA,CAAU,SAAS,CAAA,EAAG,EAAE,EAAA,EAAI,KAAA,EAAO,CAAA;AAG5D,IAAA,KAAA,CAAM,IAAA,CAAK,SAAS,GAAG,CAAA;AACvB,IAAA,KAAA,CAAM,OAAA,CAAQ,SAAS,KAAK,CAAA;AAG5B,IAAA,KAAA,CAAM,IAAA,CAAK,WAAW,GAA
G,CAAA;AACzB,IAAA,KAAA,CAAM,OAAA,CAAQ,WAAW,KAAK,CAAA;AAE9B,IAAA,MAAM,MAAM,IAAA,EAAK;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,IAAI,GAAA,EAA+C;AACrD,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,GAAG,CAAA;AAClC,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAA,CAAK,KAAA,CAAM,IAAI,QAAQ,CAAA;AAE3C,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,IAAA,MAAO,IAAA,GAAyB,IAAA,CAAK,KAAA,CAAM,KAAK,CAAA;AAChD,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,IAAA,CAAK,IAAA,CAAK,UAAU,CAAA;AAC1C,IAAA,IAAI,KAAK,MAAA,EAAQ,IAAA,CAAK,SAAS,IAAI,IAAA,CAAK,KAAK,MAAM,CAAA;AAEnD,IAAA,OAAO,IAAA;AAAA,EACX;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,OAAO,GAAA,EAA+B;AACxC,IAAA,OAAQ,MAAM,IAAA,CAAK,GAAA,CAAI,GAAG,CAAA,KAAO,IAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,UAAA,CAAW,GAAA,EAAa,MAAA,EAAc,SAAA,EAAkC;AAC1E,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,GAAA,CAAI,GAAG,CAAA;AAC/B,IAAA,IAAI,CAAC,IAAA,EAAM;AAEX,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAEjB,IAAA,MAAM,QAAQ,IAAA,CAAK,UAAA,CAAW,OAAA,EAAQ,GAAI,KAAK,GAAA,EAAI;AACnD,IAAA,IAAI,SAAS,CAAA,EAAG;AAEhB,IAAA,MAAM,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,IAAA,CAAK,SAAS,GAAG,CAAA,EAAG,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA,EAAG,EAAE,EAAA,EAAI,OAAO,CAAA;AAAA,EAChF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,WAAW,GAAA,EAA4B;AACzC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,GAAG,CAAA;AAClC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,GAAA,CAAI,GAAG,CAAA;AAE/B,IAAA,IAAI,CAAC,IAAA,EAAM;AAEX,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,KAAA,EAAM;AAC/B,IAAA,KAAA,CAAM,IAAI,QAAQ,CAAA;AAClB,IAAA,KAAA,CAAM,KAAK,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,MAAM,GAAG,GAAG,CAAA;AACzC,IAAA,KAAA,CAAM,KAAK,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,WAAW,GAAG,GAAG,CAAA;AAChD,IAAA,MAAM,MAAM,IAAA,EAAK;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,sBAAsB,WAAA,EAAoC;AAC5D,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,SAAA,CAAU,WAAW,CAAA;AAC5C,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,KAAA,CAAM,SAAS,SAAS,CAAA;AAEhD,IAAA,IAAI,IAAA,CAAK,WAAW,CAAA,EAAG;AAGvB,IAAA,MAAM,aAAA,GAAgB,MAAM,OAAA,CAAQ,GAAA;AAAA,MAChC,KAAK,GAAA,CAAI,CAAA,GAAA,KAAO,IAAA,CAA
K,GAAA,CAAI,GAAG,CAAC;AAAA,KACjC;AAEA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,KAAA,EAAM;AAE/B,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,IAAA,CAAK,QAAQ,CAAA,EAAA,EAAK;AAClC,MAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,MAAA,MAAM,IAAA,GAAO,cAAc,CAAC,CAAA;AAE5B,MAAA,IAAI,IAAA,EAAM;AACN,QAAA,KAAA,CAAM,GAAA,CAAI,IAAA,CAAK,QAAA,CAAS,GAAG,CAAC,CAAA;AAC5B,QAAA,KAAA,CAAM,KAAK,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,MAAM,GAAG,GAAG,CAAA;AAAA,MAC7C;AAAA,IACJ;AAEA,IAAA,KAAA,CAAM,IAAI,SAAS,CAAA;AACnB,IAAA,MAAM,MAAM,IAAA,EAAK;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,qBAAqB,MAAA,EAA+B;AACtD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,OAAA,CAAQ,MAAM,CAAA;AACnC,IAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,KAAA,CAAM,SAAS,OAAO,CAAA;AAE9C,IAAA,IAAI,IAAA,CAAK,WAAW,CAAA,EAAG;AAGvB,IAAA,MAAM,aAAA,GAAgB,MAAM,OAAA,CAAQ,GAAA;AAAA,MAChC,KAAK,GAAA,CAAI,CAAA,GAAA,KAAO,IAAA,CAAK,GAAA,CAAI,GAAG,CAAC;AAAA,KACjC;AAGA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,KAAA,EAAM;AAE/B,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,IAAA,CAAK,QAAQ,CAAA,EAAA,EAAK;AAClC,MAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,MAAA,MAAM,IAAA,GAAO,cAAc,CAAC,CAAA;AAE5B,MAAA,IAAI,IAAA,EAAM;AACN,QAAA,KAAA,CAAM,GAAA,CAAI,IAAA,CAAK,QAAA,CAAS,GAAG,CAAC,CAAA;AAC5B,QAAA,KAAA,CAAM,KAAK,IAAA,CAAK,SAAA,CAAU,IAAA,CAAK,WAAW,GAAG,GAAG,CAAA;AAAA,MACpD;AAAA,IACJ;AAEA,IAAA,KAAA,CAAM,IAAI,OAAO,CAAA;AACjB,IAAA,MAAM,MAAM,IAAA,EAAK;AAAA,EACrB;AACJ","file":"index.cjs","sourcesContent":["import { Request } from 'express';\n\n\n/**\n * An object representing HTTP status codes with their corresponding standard values.\n * This constant provides a set of commonly used HTTP response status codes.\n * Each key represents the status name, and the value is the numeric HTTP status code.\n *\n * Properties:\n * - `OK`: HTTP status code 200, indicating a successful request.\n * - `CREATED`: HTTP status code 201, indicating that a resource has been successfully created.\n * - `BAD_REQUEST`: HTTP status code 400, indicating that the server could not understand the request due to 
invalid syntax.\n * - `UNAUTHORIZED`: HTTP status code 401, indicating that authentication is required but has failed or has not been provided.\n * - `FORBIDDEN`: HTTP status code 403, indicating that the request is understood by the server but it refuses to authorize it.\n * - `NOT_FOUND`: HTTP status code 404, indicating that the requested resource could not be found on the server.\n * - `INTERNAL_SERVER_ERROR`: HTTP status code 500, indicating an unexpected condition encountered on the server.\n */\nexport const HTTP_STATUS = {\n OK: 200,\n CREATED: 201,\n BAD_REQUEST: 400,\n UNAUTHORIZED: 401,\n FORBIDDEN: 403,\n NOT_FOUND: 404,\n INTERNAL_SERVER_ERROR: 500,\n} as const;\n\n\n/**\n * Represents the HTTP methods that can be used in an HTTP request.\n *\n * These methods define the type of action to be performed on a specific resource.\n *\n * The available HTTP methods are:\n * - 'GET': Used to retrieve data from a resource without causing any state change.\n * - 'POST': Used to submit data to create or update a resource.\n * - 'PUT': Used to update or replace a resource with the provided data.\n * - 'PATCH': Used to apply partial modifications to a resource.\n * - 'DELETE': Used to delete a resource.\n * - 'HEAD': Similar to 'GET', but fetches only the headers without the body.\n * - 'OPTIONS': Used to describe the communication options for the target resource.\n */\nexport type HttpMethod = 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'HEAD' | 'OPTIONS';\n\n\n/**\n * Represents the payload contained within a token. 
This interface defines the structure\n * of the key-value pairs that include both predefined and custom claims.\n *\n * It defines a structure where a required user ID (uid) is included, as well as a flexible\n * set of custom claims represented by an index signature.\n *\n * Properties:\n * - `uid`: A string representing the unique ID of the user.\n * - `[key: string]`: An index signature allowing additional custom key-value pairs.\n *\n * Use this interface when defining or interacting with token payloads containing standardized\n * and custom claims.\n */\nexport interface TokenPayload {\n uid: string;\n [key: string]: any;\n}\n\n/**\n * Represents the payload structure for a refresh token.\n * Extends the base TokenPayload interface.\n *\n * This interface includes a unique token identifier (jti) and\n * specifies the token type as 'refresh'.\n */\nexport interface RefreshTokenPayload extends TokenPayload {\n jti: string;\n type: 'refresh';\n}\n\n/**\n * Represents the configuration for JWT (JSON Web Token) generation and verification.\n *\n * This configuration is used to define the parameters necessary for creating and validating tokens.\n *\n * - `secret`: The secret key or binary data used for signing or verifying the JWT.\n * - `algorithm`: Optional, specifies the algorithm to be employed for signing or verifying the JWT. 
Defaults to `HS256` if not provided.\n * - `accessTokenExpiry`: Optional, defines the expiration time for access tokens, represented as a string (e.g., '1h', '30m').\n * - `refreshTokenExpiry`: Optional, defines the expiration time for refresh tokens, represented as a string (e.g., '7d', '1d').\n * - `issuer`: Optional, specifies the entity (issuer) generating the token.\n * - `audience`: Optional, indicates the intended recipient(s) of the token.\n */\nexport interface JwtConfig {\n secret: string | Uint8Array;\n algorithm?: 'HS256' | 'HS384' | 'HS512' | 'RS256' | 'RS384' | 'RS512' | 'ES256' | 'ES384' | 'ES512' | 'EdDSA';\n accessTokenExpiry?: string;\n refreshTokenExpiry?: string;\n issuer?: string;\n audience?: string;\n}\n\n/**\n * Represents a pair of tokens and associated metadata for authentication or authorization purposes.\n *\n * @interface TokenPair\n * @property {string} accessToken The token utilized for accessing secured resources or endpoints.\n * @property {string} refreshToken The token used to acquire a new access token upon expiration.\n * @property {number} expiresIn The duration in seconds until the access token expires.\n */\nexport interface TokenPair {\n accessToken: string;\n refreshToken: string;\n expiresIn: number;\n}\n\n/**\n * Represents a token that has been successfully verified, containing its payload and protected header information.\n *\n * @template T - The shape of the token payload, defaults to `TokenPayload`.\n * @property {T} payload - The payload of the verified token, which contains the data encoded within the token.\n * @property {any} protectedHeader - The protected header of the verified token, which includes cryptographic and metadata information.\n */\nexport interface VerifiedToken<T = TokenPayload> {\n payload: T;\n protectedHeader: any;\n}\n\n/**\n * Represents an endpoint to be excluded based on specified patterns and allowed HTTP methods.\n */\nexport interface ExcludedEndpoint {\n endpoint: string | RegExp;\n 
methods: HttpMethod[];\n}\n\n/**\n * Configuration options for setting up middleware.\n *\n * This interface defines the properties needed to configure middleware behavior,\n * including token handling, algorithm settings, endpoint exclusions, and other customizations.\n */\nexport interface MiddlewareConfig {\n secret: string | Uint8Array;\n algorithm?: JwtConfig['algorithm'];\n excludedEndpoints?: ExcludedEndpoint[];\n tokenExtractor?: (req: Request) => string | undefined;\n isBlacklisted?: (token: string, payload: TokenPayload) => Promise<boolean>;\n corsOrigin?: string;\n}\n\n/**\n * Extends the Request interface to include additional properties for handling authentication.\n */\nexport interface AuthRequest extends Request {\n payload?: {\n uid: string;\n [key: string]: any;\n };\n token?: string;\n}\n\n\n/**\n * Interface for managing a blacklist of tokens, typically used to handle JWT token invalidation.\n * Allows for adding tokens to the blacklist, checking if a token is blacklisted, and optionally cleaning up expired tokens.\n */\nexport interface TokenBlacklist {\n\n /**\n * Adds a token with an associated expiry time to the system.\n *\n * @param {string} token - The token string to be added.\n * @param {number} expirySeconds - The time in seconds after which the token will expire.\n * @return {Promise<void>} A promise that resolves when the token is successfully added.\n */\n add(token: string, expirySeconds: number): Promise<void>;\n\n /**\n * Checks if the provided token is blacklisted.\n *\n * @param {string} token - The token to check against the blacklist.\n * @return {Promise<boolean>} A promise that resolves to a boolean indicating whether the token is blacklisted.\n */\n isBlacklisted(token: string): Promise<boolean>;\n\n /**\n * Performs cleanup operations and releases any resources that were allocated.\n * Typically used to ensure proper handling and disposal of resources.\n *\n * @return {Promise<void>} A promise that resolves when the 
cleanup process is complete.\n */\n cleanup?(): Promise<void>;\n}\n\n/**\n * Interface representing the data structure for a refresh token.\n *\n * This interface contains attributes related to a refresh token, including\n * identification, expiration details, token tracking for reuse detection,\n * and optional references to usage and subsequent tokens.\n *\n **/\nexport interface RefreshTokenData {\n userId: string;\n expiryDate: Date;\n tokenFamily: string; // Token-Familie für Reuse Detection\n usedAt?: Date; // Zeitpunkt der Verwendung\n nextToken?: string; // Referenz zum Nachfolge-Token\n}\n\n/**\n * Configuration options for Refresh Token Rotation.\n *\n * This interface defines properties to configure the behavior of refresh token rotation,\n * including a grace period to allow token reuse under certain conditions.\n *\n * Properties:\n * - `reuseWindowSeconds`: An optional number representing the grace period in seconds during which a refresh token can be reused without being considered invalid. 
Defaults to 10 seconds if not provided.\n */\nexport interface RefreshTokenRotationConfig {\n reuseWindowSeconds?: number; // Grace period (default: 10)\n}\n\n/**\n * An interface representing a store for managing refresh tokens, providing methods\n * to save, retrieve, validate, invalidate, and manage tokens, including token families.\n */\nexport interface RefreshTokenStore {\n save(jti: string, userId: string, expiryDate: Date, tokenFamily: string): Promise<void>;\n get(jti: string): Promise<RefreshTokenData | null>;\n exists(jti: string): Promise<boolean>;\n invalidate(jti: string): Promise<void>;\n markAsUsed(jti: string, usedAt: Date, nextToken: string): Promise<void>;\n invalidateAllForUser(userId: string): Promise<void>;\n invalidateTokenFamily(tokenFamily: string): Promise<void>; // NEU\n}\n\n/**\n * Represents an error related to JWT authentication.\n * This class extends the standard Error object to include additional properties\n * specific to authorization errors, such as an HTTP status code and an optional error code.\n */\nexport class JwtAuthError extends Error {\n constructor(\n message: string,\n public statusCode: number = HTTP_STATUS.UNAUTHORIZED,\n public code?: string\n ) {\n super(message);\n this.name = 'JwtAuthError';\n }\n}\n","import { randomBytes } from 'node:crypto';\n\n/**\n * Parses an expiry value provided as a string or number and converts it into seconds.\n * Supports string formats with time units: seconds (s), minutes (m), hours (h), and days (d).\n * Defaults to 15 minutes (900 seconds) if input is invalid or not provided in a proper format.\n *\n * @param {string | number} expiry - The expiry value as a number (in seconds) or string\n * (e.g., \"10m\" for 10 minutes).\n * @return {number} - The expiry time in seconds.\n */\nexport function parseExpiry(expiry: string | number): number {\n if (typeof expiry === 'number') return expiry;\n const match = expiry.match(/^(\\d+)([smhd])$/);\n if (!match) return 15 * 60; // default: 15 
Min\n const num = parseInt(match[1], 10);\n switch (match[2]) {\n case 's': return num;\n case 'm': return num * 60;\n case 'h': return num * 3600;\n case 'd': return num * 86400;\n default: return 15 * 60;\n }\n}\n\n/**\n * Generates a unique token ID as a hexadecimal string.\n *\n * @return {string} A randomly generated 32-character hexadecimal token ID.\n */\nexport function generateTokenId(): string {\n return randomBytes(16).toString('hex');\n}\n","import {type JWTPayload, jwtVerify, SignJWT} from 'jose';\nimport {JwtAuthError, JwtConfig, RefreshTokenPayload, TokenPair, TokenPayload, VerifiedToken} from './types.js';\nimport {generateTokenId, parseExpiry} from './utils.js';\n\n/**\n * Manages JWT token generation, verification, and decoding. This class provides methods\n * for creating access and refresh tokens, verifying their validity, and decoding tokens for debugging purposes.\n * It ensures tokens are signed and verified using secure algorithms.\n */\nexport class JwtTokenManager {\n private readonly secret: Uint8Array;\n private config: Required<Omit<JwtConfig, 'secret'>>;\n\n constructor(config: JwtConfig) {\n // Convert secret to Uint8Array for jose\n this.secret = typeof config.secret === 'string'\n ? new TextEncoder().encode(config.secret)\n : config.secret;\n\n this.config = {\n algorithm: config.algorithm || 'HS256',\n accessTokenExpiry: config.accessTokenExpiry || '15m',\n refreshTokenExpiry: config.refreshTokenExpiry || '7d',\n issuer: config.issuer || 'jwt-auth-manager',\n audience: config.audience ?? 'jwt-audience'\n };\n\n // Security: Validate algorithm\n if (this.config.algorithm === 'none' as any) {\n throw new JwtAuthError('Algorithm \"none\" is not allowed for security reasons', 500, 'INVALID_ALGORITHM');\n }\n }\n\n /**\n * Generates a pair of tokens (access token and refresh token) based on the provided payload.\n *\n * @param {TokenPayload} payload - The data to include in the token payload. 
Must include a `uid` property representing the user ID.\n * @return {Promise<TokenPair>} A promise resolving to an object containing the access token, refresh token, and the access token's expiration time.\n * @throws {JwtAuthError} Throws an error if the `uid` property is missing from the payload.\n */\n async generateTokenPair(payload: TokenPayload): Promise<TokenPair> {\n if (!payload.uid) {\n throw new JwtAuthError('User ID (uid) is required in payload', 400, 'MISSING_UID');\n }\n\n // Generate Access Token\n const accessToken = await new SignJWT({ ...payload })\n .setProtectedHeader({ alg: this.config.algorithm })\n .setIssuedAt()\n .setIssuer(this.config.issuer)\n .setExpirationTime(this.config.accessTokenExpiry)\n .setAudience(this.config.audience || 'access')\n .sign(this.secret);\n\n // Generate Refresh Token with unique JTI\n const jti = generateTokenId();\n const refreshPayload: RefreshTokenPayload = {\n ...payload,\n jti,\n type: 'refresh',\n };\n\n const refreshToken = await new SignJWT(refreshPayload)\n .setProtectedHeader({ alg: this.config.algorithm })\n .setIssuedAt()\n .setIssuer(this.config.issuer)\n .setJti(jti)\n .setExpirationTime(this.config.refreshTokenExpiry)\n .setAudience(this.config.audience || 'refresh')\n .sign(this.secret);\n\n const expiresIn = parseExpiry(this.config.accessTokenExpiry);\n\n return {\n accessToken,\n refreshToken,\n expiresIn,\n };\n }\n\n /**\n * Generates a signed access token based on the given payload.\n *\n * @param {TokenPayload} payload - The payload object containing user-specific claims and details required for token generation.\n * @return {Promise<string>} A promise that resolves to the generated access token as a string.\n * @throws {JwtAuthError} If the payload does not include a valid user ID (uid).\n */\n async generateAccessToken(payload: TokenPayload): Promise<string> {\n if (!payload.uid) {\n throw new JwtAuthError('User ID (uid) is required in payload', 400, 'MISSING_UID');\n }\n\n return await new 
SignJWT({ ...payload })\n .setProtectedHeader({ alg: this.config.algorithm })\n .setIssuedAt()\n .setIssuer(this.config.issuer)\n .setExpirationTime(this.config.accessTokenExpiry)\n .setAudience(this.config.audience || 'access')\n .sign(this.secret);\n }\n\n /**\n * Verifies the provided access token and returns the token payload and protected header if valid.\n *\n * @param {string} token - The access token to be verified.\n * @return {Promise<VerifiedToken<TokenPayload>>} A promise that resolves with the verified payload and protected header if the token is valid.\n * @throws {JwtAuthError} Throws an error if the token is invalid, expired, or has a signature verification failure.\n */\n async verifyAccessToken(token: string): Promise<VerifiedToken<TokenPayload>> {\n try {\n const { payload, protectedHeader } = await jwtVerify(token, this.secret, {\n algorithms: [this.config.algorithm],\n issuer: this.config.issuer,\n audience: this.config.audience || 'access',\n });\n\n if (!payload.uid || typeof payload.uid !== 'string') {\n throw new JwtAuthError('Invalid token payload: uid missing', 401, 'INVALID_PAYLOAD');\n }\n\n return {\n payload: payload as unknown as TokenPayload,\n protectedHeader,\n };\n } catch (error: any) {\n if (error.code === 'ERR_JWT_EXPIRED') {\n throw new JwtAuthError('Access token has expired', 401, 'TOKEN_EXPIRED');\n }\n if (error.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {\n throw new JwtAuthError('Invalid token signature', 401, 'INVALID_SIGNATURE');\n }\n throw new JwtAuthError('Access token is invalid', 401, 'INVALID_TOKEN');\n }\n }\n\n /**\n * Verifies the provided refresh token and extracts its payload and protected header.\n *\n * @param {string} token - The refresh token to be verified.\n * @return {Promise<VerifiedToken<RefreshTokenPayload>>} A promise that resolves to a VerifiedToken object containing the\n * payload and protected header if the token is valid and meets all requirements.\n * @throws {JwtAuthError} Throws an 
error if the token is invalid, expired, has an invalid payload, is of the wrong type,\n * or fails signature verification.\n */\n async verifyRefreshToken(token: string): Promise<VerifiedToken<RefreshTokenPayload>> {\n try {\n const { payload, protectedHeader } = await jwtVerify(token, this.secret, {\n algorithms: [this.config.algorithm],\n issuer: this.config.issuer,\n audience: this.config.audience || 'refresh',\n });\n\n if (!payload.uid || !payload.jti || typeof payload.uid !== 'string') {\n throw new JwtAuthError('Invalid refresh token payload', 401, 'INVALID_PAYLOAD');\n }\n\n if (payload.type !== 'refresh') {\n throw new JwtAuthError('Token is not a refresh token', 401, 'INVALID_TOKEN_TYPE');\n }\n\n return {\n payload: payload as unknown as RefreshTokenPayload,\n protectedHeader,\n };\n } catch (error: any) {\n if (error.code === 'ERR_JWT_EXPIRED') {\n throw new JwtAuthError('Refresh token has expired', 401, 'REFRESH_TOKEN_EXPIRED');\n }\n if (error.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {\n throw new JwtAuthError('Invalid refresh token signature', 401, 'INVALID_SIGNATURE');\n }\n throw new JwtAuthError('Refresh token is invalid', 401, 'INVALID_REFRESH_TOKEN');\n }\n }\n\n /**\n * Decodes a given JSON Web Token (JWT) and extracts its payload WITHOUT verifying the signature, expiry, issuer or audience; the result is untrusted and must not be used for authentication or authorization decisions (use verifyAccessToken / verifyRefreshToken for that).\n *\n * @param {string} token - The JSON Web Token to decode.\n * @return {JWTPayload} The unverified payload object extracted from the token.\n * @throws {JwtAuthError} If the token does not consist of exactly three dot-separated parts. A payload segment that is not valid JSON surfaces as the SyntaxError raised by JSON.parse, not as a JwtAuthError.\n */\n decodeToken(token: string): JWTPayload {\n const parts = token.split('.');\n if (parts.length !== 3) {\n throw new JwtAuthError('Invalid token format', 400, 'MALFORMED_TOKEN');\n }\n\n return JSON.parse(Buffer.from(parts[1], 'base64url').toString());\n }\n}\n","import { randomBytes } from 'node:crypto';\nimport { JwtTokenManager } from './token-manager.js';\nimport { RefreshTokenStore, TokenPair, JwtAuthError, RefreshTokenRotationConfig } from './types.js';\n\n/**\n * The `RefreshTokenManager` 
class is responsible for managing the lifecycle of refresh tokens,\n * including token rotation, validation, and revocation. It also implements detection for reuse attempts\n * and provides a grace period mechanism for managing concurrent requests.\n */\nexport class RefreshTokenManager {\n private config: Required<RefreshTokenRotationConfig>;\n\n constructor(\n private tokenManager: JwtTokenManager,\n private tokenStore: RefreshTokenStore,\n config?: RefreshTokenRotationConfig\n ) {\n this.config = {\n reuseWindowSeconds: config?.reuseWindowSeconds ?? 10\n };\n }\n\n /**\n * Rotates the provided refresh token by validating its authenticity, checking for reuse, and generating a new token pair.\n * If the token has been reused within a specific grace period, it returns the existing new token pair.\n * If the token is reused outside the grace period, it invalidates the entire token family.\n * If the token is unused, it generates a new token pair with the same token family.\n *\n * @param {string} refreshToken The refresh token to be validated and rotated.\n * @return {Promise<TokenPair>} A Promise that resolves to a new token pair containing a new refresh token and an access token.\n * @throws {JwtAuthError} If the refresh token is invalid, expired, or reused suspiciously.\n */\n async rotateRefreshToken(refreshToken: string): Promise<TokenPair> {\n\n // 1. Verify Refresh Token\n const { payload } = await this.tokenManager.verifyRefreshToken(refreshToken);\n\n // 2. Token-Daten aus Store holen\n const tokenData = await this.tokenStore.get(payload.jti);\n\n if (!tokenData) {\n throw new JwtAuthError(\n 'Refresh token not found or expired',\n 401,\n 'TOKEN_NOT_FOUND'\n );\n }\n\n const now = new Date();\n\n\n if (tokenData.usedAt) {\n const ageSeconds = (now.getTime() - tokenData.usedAt.getTime()) / 1000;\n\n // 3a. 
Innerhalb der Grace Period: Gib den gleichen neuen Token zurück\n if (ageSeconds <= this.config.reuseWindowSeconds && tokenData.nextToken) {\n // Legitimate concurrent request - gib das bereits generierte Token-Pair zurück\n const { payload: nextPayload } = await this.tokenManager.verifyRefreshToken(tokenData.nextToken);\n const accessToken = await this.tokenManager.generateAccessToken({\n uid: payload.uid,\n ...this.stripJwtClaims(payload)\n });\n\n return {\n accessToken,\n refreshToken: tokenData.nextToken,\n expiresIn: this.tokenManager['config'].accessTokenExpiry as any\n };\n }\n\n // 3b. Außerhalb der Grace Period: SUSPICIOUS REUSE!\n // Invalidiere die gesamte Token-Familie\n await this.tokenStore.invalidateTokenFamily(tokenData.tokenFamily);\n\n throw new JwtAuthError(\n 'Refresh token reuse detected - all tokens in family revoked',\n 401,\n 'TOKEN_REUSE_DETECTED'\n );\n }\n\n // 4. Token ist noch unbenutzt - normale Rotation\n const { uid, ...userPayload } = this.stripJwtClaims(payload);\n\n // Generiere neues Token-Pair mit gleicher tokenFamily\n const newTokenPair = await this.createTokenPair(\n { uid, ...userPayload },\n tokenData.tokenFamily\n );\n\n // 5. Markiere alten Token als verwendet und speichere Referenz zum neuen\n await this.tokenStore.markAsUsed(payload.jti, now, newTokenPair.refreshToken);\n\n return newTokenPair;\n }\n\n /**\n * Erstellt initiales Token Pair mit neuer Token-Familie\n */\n async createTokenPair(\n payload: { uid: string; [key: string]: any },\n tokenFamily?: string\n ): Promise<TokenPair> {\n // Neue Token-Familie bei initialem Login\n const family = tokenFamily ?? 
this.generateTokenFamily();\n\n const tokenPair = await this.tokenManager.generateTokenPair(payload);\n\n // Store refresh token mit Token-Familie\n const decoded = this.tokenManager.decodeToken(tokenPair.refreshToken);\n const expiryDate = new Date((decoded.exp || 0) * 1000);\n\n await this.tokenStore.save(decoded.jti as string, payload.uid, expiryDate, family);\n\n return tokenPair;\n }\n\n /**\n * Revoke alle Tokens eines Users\n */\n async revokeAllTokens(userId: string): Promise<void> {\n await this.tokenStore.invalidateAllForUser(userId);\n }\n\n /**\n * Generiert eine eindeutige Token-Familie-ID\n */\n private generateTokenFamily(): string {\n return randomBytes(16).toString('hex');\n }\n\n /**\n * Entfernt JWT-Standard-Claims aus Payload\n */\n private stripJwtClaims(payload: any): any {\n const { type, jti, iat, exp, iss, aud, ...rest } = payload;\n return rest;\n }\n}\n","import { Request, Response, NextFunction } from 'express';\nimport { JwtTokenManager } from './token-manager.js';\nimport { MiddlewareConfig, AuthRequest, HttpMethod, JwtAuthError, TokenPayload, HTTP_STATUS } from './types.js';\n\n/**\n * Creates an authentication middleware function for verifying and handling access tokens.\n *\n * @param {MiddlewareConfig} config Configuration object for the middleware setup. 
Includes options such as excluded endpoints, token extractor, blacklist checker, and CORS origin.\n * @param {JwtTokenManager} tokenManager An instance of a JWT token manager, used for verifying access tokens.\n * @return {Function} An Express.js middleware function that validates access tokens, checks for blacklisted tokens, and manages CORS headers.\n */\nexport function createAuthMiddleware(config: MiddlewareConfig, tokenManager: JwtTokenManager) {\n const {\n excludedEndpoints = [],\n tokenExtractor,\n isBlacklisted\n } = config;\n\n /**\n * Middleware function to authenticate requests by verifying access tokens.\n * This middleware takes the access token from the custom extractor if one is configured and returns a value, otherwise from the `Authorization: Bearer` header, otherwise from the `accessToken` query parameter. A token sent in the query string can end up in server logs, proxies and browser history, so the header is the preferable transport.\n * It performs token validation, checks for blacklisting, and ensures valid payloads before proceeding.\n *\n * @param {AuthRequest} req - The request object, containing client request data and potential access tokens.\n * @param {Response} res - The response object used to send back HTTP responses.\n * @param {NextFunction} next - The next middleware or request handler in the stack to be invoked after successful authentication.\n *\n */\n return async function authMiddleware(req: AuthRequest, res: Response, next: NextFunction) {\n // Check excluded endpoints (they skip authentication). req.url includes the query string, so a string entry matches only when there is none and a RegExp entry should be anchored at both ends\n const shouldExclude = excludedEndpoints.some(e => {\n const methodMatch = e.methods.includes(req.method as HttpMethod);\n if (typeof e.endpoint === 'string') {\n return methodMatch && req.url === e.endpoint;\n }\n return methodMatch && e.endpoint.test(req.url);\n });\n if (shouldExclude) return next();\n\n // Token from the custom extractor, the Authorization header, or the query string (in that order)\n let token: string | undefined;\n if (typeof tokenExtractor === 'function') {\n token = tokenExtractor(req);\n }\n if (!token) {\n const header = req.header('Authorization');\n if (header && header.startsWith('Bearer ')) {\n token = header.slice(7);\n } else {\n token = req.query.accessToken as string | undefined;\n }\n }\n if (!token) 
{\n return res.status(HTTP_STATUS.UNAUTHORIZED).json({ error: 'No access token set' });\n }\n\n try {\n // Signatur & Payload prüfen\n const { payload } = await tokenManager.verifyAccessToken(token);\n\n // Blacklisting prüfen\n if (isBlacklisted && await isBlacklisted(token, payload)) {\n return res.status(HTTP_STATUS.UNAUTHORIZED).json({ error: 'Access token revoked' });\n }\n\n if (!payload.uid) {\n return res.status(HTTP_STATUS.UNAUTHORIZED).json({ error: 'User id not set' });\n }\n req.payload = { ...payload };\n req.token = token;\n next();\n } catch (error: any) {\n return res.status((error?.statusCode ?? HTTP_STATUS.UNAUTHORIZED)).json({ error: error?.message ?? 'Invalid access token' });\n }\n };\n}\n","import { TokenBlacklist } from './types.js';\n\n/**\n * A memory-based implementation of a token blacklist.\n * This class allows adding tokens to a blacklist with an expiration time,\n * checking whether a token is currently blacklisted,\n * and cleaning up expired tokens from the blacklist.\n *\n * Implements the `TokenBlacklist` interface.\n */\nexport class MemoryTokenBlacklist implements TokenBlacklist {\n private blacklisted: Map<string, number> = new Map();\n\n async add(token: string, expirySeconds: number) {\n const expiry = Date.now() + expirySeconds * 1000;\n this.blacklisted.set(token, expiry);\n }\n async isBlacklisted(token: string) {\n const expiry = this.blacklisted.get(token);\n return typeof expiry === 'number' && Date.now() < expiry;\n }\n async cleanup() {\n for (const [token, expiry] of this.blacklisted.entries()) {\n if (Date.now() >= expiry) {\n this.blacklisted.delete(token);\n }\n }\n }\n}\n","import { RefreshTokenStore, RefreshTokenData } from '../types.js';\n\n/**\n * A memory-based implementation of the `RefreshTokenStore` interface.\n * This class manages refresh tokens using an in-memory `Map` to store the tokens and related metadata.\n * It provides methods to save, retrieve, validate, mark, and invalidate refresh tokens.\n 
*\n * Note that this implementation is not suitable for production use, as all data is stored in memory\n * and will be lost when the application stops. It is intended for testing or simple use cases only.\n */\nexport class MemoryRefreshTokenStore implements RefreshTokenStore {\n private store: Map<string, RefreshTokenData> = new Map();\n\n /**\n * Saves a token's metadata into the store.\n *\n * @param {string} jti - The unique token identifier.\n * @param {string} userId - The user ID associated with the token.\n * @param {Date} expiryDate - The expiration date of the token.\n * @param {string} tokenFamily - The family or category of the token.\n * @return {Promise<void>} A promise that resolves when the token is saved.\n */\n async save(jti: string, userId: string, expiryDate: Date, tokenFamily: string): Promise<void> {\n this.store.set(jti, {\n userId,\n expiryDate,\n tokenFamily,\n usedAt: undefined,\n nextToken: undefined\n });\n }\n\n /**\n * Retrieves refresh token data identified by the given jti (JSON Token Identifier).\n * Ensures the token has not expired; deletes expired tokens and returns null.\n *\n * @param {string} jti - The unique identifier of the refresh token to retrieve.\n * @return {Promise<RefreshTokenData | null>} A promise that resolves to the refresh token data if found and valid, or null if not found or expired.\n */\n async get(jti: string): Promise<RefreshTokenData | null> {\n const data = this.store.get(jti);\n if (!data) return null;\n if (data.expiryDate < new Date()) {\n this.store.delete(jti);\n return null;\n }\n return data;\n }\n\n /**\n * Checks if a given identifier (jti) exists in the storage.\n *\n * @param {string} jti - The unique identifier to check for existence.\n * @return {Promise<boolean>} A promise that resolves to true if the identifier exists, false otherwise.\n */\n async exists(jti: string): Promise<boolean> {\n return (await this.get(jti)) !== null;\n }\n\n /**\n * Marks a token as used by updating its 
associated