@tsndr/cloudflare-worker-jwt
Version:
A lightweight JWT implementation with ZERO dependencies for Cloudflare Worker
132 lines (131 loc) • 4.1 kB
TypeScript
/**
* @typedef JwtAlgorithm
* @type {"none" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512"}
*/
export type JwtAlgorithm = "none" | "ES256" | "ES384" | "ES512" | "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512";
/**
* @typedef JwtAlgorithms
*/
export type JwtAlgorithms = {
[key: string]: SubtleCryptoImportKeyAlgorithm;
};
/**
* @typedef JwtHeader
* @prop {string} [typ] Type
*/
export type JwtHeader<T = {}> = {
/**
* Type (default: `"JWT"`)
*
* @default "JWT"
*/
typ?: string;
/**
* Algorithm (default: `"HS256"`)
*
* @default "HS256"
*/
alg?: JwtAlgorithm;
} & T;
/**
* @typedef JwtPayload
* @prop {string} [iss] Issuer
* @prop {string} [sub] Subject
* @prop {string | string[]} [aud] Audience
* @prop {string} [exp] Expiration Time
* @prop {string} [nbf] Not Before
* @prop {string} [iat] Issued At
* @prop {string} [jti] JWT ID
*/
export type JwtPayload<T = {
[key: string]: any;
}> = {
/** Issuer */
iss?: string;
/** Subject */
sub?: string;
/** Audience */
aud?: string | string[];
/** Expiration Time */
exp?: number;
/** Not Before */
nbf?: number;
/** Issued At */
iat?: number;
/** JWT ID */
jti?: string;
} & T;
/**
* @typedef JwtOptions
* @prop {JwtAlgorithm | string} algorithm
*/
export type JwtOptions = {
algorithm?: JwtAlgorithm | string;
};
/**
* @typedef JwtSignOptions
* @extends JwtOptions
* @prop {JwtHeader} [header]
*/
export type JwtSignOptions<T> = {
header?: JwtHeader<T>;
} & JwtOptions;
/**
* @typedef JwtVerifyOptions
* @extends JwtOptions
* @prop {boolean} [throwError=false] If `true` throw error if checks fail. (default: `false`)
*/
export type JwtVerifyOptions = {
/**
* Clock tolerance to help with slightly out of sync systems
*/
clockTolerance?: number;
/**
* If `true` throw error if checks fail. (default: `false`)
*
* @default false
*/
throwError?: boolean;
} & JwtOptions;
/**
* @typedef JwtData
* @prop {JwtHeader} header
* @prop {JwtPayload} payload
*/
export type JwtData<Payload = {}, Header = {}> = {
header: JwtHeader<Header>;
payload: JwtPayload<Payload>;
};
/**
* Signs a payload and returns the token
*
* @param payload The payload object. To use `nbf` (Not Before) and/or `exp` (Expiration Time) add `nbf` and/or `exp` to the payload.
* @param secret A string which is used to sign the payload.
* @param [options={ algorithm: "HS256", header: { typ: "JWT" } }] The options object or the algorithm.
* @throws If there"s a validation issue.
* @returns Returns token as a `string`.
*/
export declare function sign<Payload = {}, Header = {}>(payload: JwtPayload<Payload>, secret: string | JsonWebKeyWithKid | CryptoKey | undefined, options?: JwtSignOptions<Header> | JwtAlgorithm): Promise<string>;
/**
* Verifies the integrity of the token and returns a boolean value.
*
* @param token The token string generated by `sign()`.
* @param secret The string which was used to sign the payload.
* @param options The options object or the algorithm.
* @throws Throws integration errors and if `options.throwError` is set to `true` also throws `NOT_YET_VALID`, `EXPIRED` or `INVALID_SIGNATURE`.
* @returns Returns the decoded token or `undefined`.
*/
export declare function verify<Payload = {}, Header = {}>(token: string, secret: string | JsonWebKeyWithKid | CryptoKey | undefined, options?: JwtVerifyOptions | JwtAlgorithm): Promise<JwtData<Payload, Header> | undefined>;
/**
* Returns the payload **without** verifying the integrity of the token. Please use `verify()` first to keep your application secure!
*
* @param token The token string generated by `sign()`.
* @returns Returns an `object` containing `header` and `payload`.
*/
export declare function decode<Payload = {}, Header = {}>(token: string): JwtData<Payload, Header>;
declare const _default: {
sign: typeof sign;
verify: typeof verify;
decode: typeof decode;
};
export default _default;