UNPKG

vouchsafe

Version:

Self-verifying identity and offline trust verification for JWTs, including attestations, vouches, revocations, and multi-hop trust chains.

getvouchsafe.org

ionzero/vouchsafe-js

104 lines (89 loc) 2.9 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
// src/identity.mjs // Minimal OO wrapper around the existing functional API import { createVouchsafeIdentity, createVouchsafeIdentityFromKeypair, verifyUrnMatchesKey } from './urn.mjs'; import { createJwt, verifyJwt } from './jwt.mjs'; import { createAttestation, createVouchToken, validateVouchToken, revokeVouchToken } from './vouch.mjs'; function normalizePurpose(purpose) { if (!purpose) return undefined; return Array.isArray(purpose) ? purpose.join(' ') : purpose; } /** * Usage: * // rehydrate from existing material * const id = new Identity({ urn, keypair }); * * // or generate: * const id = await Identity.create('alice'); * * // or derive a URN from an existing keypair + label: * const id = await Identity.fromKeypair('alice', keypair); */ export class Identity { constructor(init) { if (!init || typeof init !== 'object') { throw new TypeError('Identity ctor expects { urn, keypair }'); } const { urn, keypair } = init; if (!urn || !keypair || !keypair.publicKey || !keypair.privateKey) { throw new Error('Identity requires a valid { urn, keypair:{ publicKey, privateKey } }'); } this.urn = urn; this.keypair = keypair; } // --- factories (async) --- static async create(label, ...rest) { // passthrough any extra args (e.g., hashAlg) as your createVouchsafeIdentity supports const { urn, keypair } = await createVouchsafeIdentity(label, ...rest); return new Identity({ urn, keypair }); } static async from(init, { verify = true } = {}) { // Rehydrate from { urn, keypair } and (optionally) verify the binding if (!init || !init.urn || !init.keypair) { throw new Error('Identity.from requires { urn, keypair }'); } if (verify) { await verifyUrnMatchesKey(init.urn, init.keypair.publicKey); } return new Identity(init); } static async fromKeypair(label, keypair) { const { urn, keypair: kp } = await createVouchsafeIdentityFromKeypair(label, keypair); return new Identity({ urn, keypair: kp }); } // --- token creation --- async attest(claims = {}) { // Default vch_iss to this identity when omitted const c = { ...claims, purpose: normalizePurpose(claims.purpose) }; return createAttestation(this.urn, this.keypair, c); } async vouch(subjectToken, opts = {}) { const c = { ...opts, purpose: normalizePurpose(opts.purpose) }; return createVouchToken(subjectToken, this.urn, this.keypair, c); } async revoke(vouchToken, opts = {}) { // Revoke a specific vouch, or pass { revokes: 'all' } to revoke all for that subject return revokeVouchToken(vouchToken, this.keypair, opts); } async verify(token) { return validateVouchToken(token); } // --- utilities --- toJSON() { return { urn: this.urn, keypair: this.keypair }; } }