refactor: reorganize jwt claim set utils

Author: panva

src/jwt/decrypt.ts

@@ -6,7 +6,7 @@
 
 import type * as types from '../types.d.ts'
 import { compactDecrypt } from '../jwe/compact/decrypt.js'
-import jwtPayload from '../lib/jwt_claims_set.js'
+import { validateClaimsSet } from '../lib/jwt_claims_set.js'
 import { JWTClaimValidationFailed } from '../util/errors.js'
 
 /** Combination of JWE Decryption options and JWT Claims Set verification options. */
@@ -71,7 +71,7 @@ export async function jwtDecrypt(
   options?: JWTDecryptOptions,
 ) {
   const decrypted = await compactDecrypt(jwt, key as Parameters<typeof compactDecrypt>[1], options)
-  const payload = jwtPayload(decrypted.protectedHeader, decrypted.plaintext, options)
+  const payload = validateClaimsSet(decrypted.protectedHeader, decrypted.plaintext, options)
 
   const { protectedHeader } = decrypted
 

src/jwt/encrypt.ts

@@ -6,7 +6,7 @@
 
 import type * as types from '../types.d.ts'
 import { CompactEncrypt } from '../jwe/compact/encrypt.js'
-import { ProduceJWT } from './produce.js'
+import { JWTClaimsBuilder } from '../lib/jwt_claims_set.js'
 
 /**
  * The EncryptJWT class is used to build and encrypt Compact JWE formatted JSON Web Tokens.
@@ -44,15 +44,15 @@ export class EncryptJWT implements types.ProduceJWT {
 
   #replicateAudienceAsHeader!: boolean
 
-  #jwt: ProduceJWT
+  #jwt: JWTClaimsBuilder
 
   /**
    * {@link EncryptJWT} constructor
    *
    * @param payload The JWT Claims Set object. Defaults to an empty object.
    */
   constructor(payload: types.JWTPayload = {}) {
-    this.#jwt = new ProduceJWT(payload)
+    this.#jwt = new JWTClaimsBuilder(payload)
   }
 
   setIssuer(issuer: string): this {

src/jwt/produce.ts

@@ -7,7 +7,7 @@
 import { CompactSign } from '../jws/compact/sign.js'
 import { JWTInvalid } from '../util/errors.js'
 import type * as types from '../types.d.ts'
-import { ProduceJWT } from './produce.js'
+import { JWTClaimsBuilder } from '../lib/jwt_claims_set.js'
 
 /**
  * The SignJWT class is used to build and sign Compact JWS formatted JSON Web Tokens.
@@ -116,15 +116,15 @@ import { ProduceJWT } from './produce.js'
 export class SignJWT implements types.ProduceJWT {
   #protectedHeader!: types.JWTHeaderParameters
 
-  #jwt: ProduceJWT
+  #jwt: JWTClaimsBuilder
 
   /**
    * {@link SignJWT} constructor
    *
    * @param payload The JWT Claims Set object. Defaults to an empty object.
    */
   constructor(payload: types.JWTPayload = {}) {
-    this.#jwt = new ProduceJWT(payload)
+    this.#jwt = new JWTClaimsBuilder(payload)
   }
 
   setIssuer(issuer: string): this {

src/jwt/sign.ts

@@ -9,8 +9,7 @@ import * as b64u from '../util/base64url.js'
 import type * as types from '../types.d.ts'
 import { decoder } from '../lib/buffer_utils.js'
 import { JWTInvalid } from '../util/errors.js'
-import jwtPayload from '../lib/jwt_claims_set.js'
-import { ProduceJWT } from './produce.js'
+import { validateClaimsSet, JWTClaimsBuilder } from '../lib/jwt_claims_set.js'
 
 /** Result of decoding an Unsecured JWT. */
 export interface UnsecuredResult<PayloadType = types.JWTPayload> {
@@ -53,15 +52,15 @@ export interface UnsecuredResult<PayloadType = types.JWTPayload> {
  * ```
  */
 export class UnsecuredJWT implements types.ProduceJWT {
-  #jwt: ProduceJWT
+  #jwt: JWTClaimsBuilder
 
   /**
    * {@link UnsecuredJWT} constructor
    *
    * @param payload The JWT Claims Set object. Defaults to an empty object.
    */
   constructor(payload: types.JWTPayload = {}) {
-    this.#jwt = new ProduceJWT(payload)
+    this.#jwt = new JWTClaimsBuilder(payload)
   }
 
   /** Encodes the Unsecured JWT. */
@@ -134,7 +133,7 @@ export class UnsecuredJWT implements types.ProduceJWT {
       throw new JWTInvalid('Invalid Unsecured JWT')
     }
 
-    const payload = jwtPayload(
+    const payload = validateClaimsSet(
       header,
       b64u.decode(encodedPayload),
       options,

src/jwt/unsecured.ts

@@ -6,7 +6,7 @@
 
 import { compactVerify } from '../jws/compact/verify.js'
 import type * as types from '../types.d.ts'
-import jwtPayload from '../lib/jwt_claims_set.js'
+import { validateClaimsSet } from '../lib/jwt_claims_set.js'
 import { JWTInvalid } from '../util/errors.js'
 
 /** Combination of JWS Verification options and JWT Claims Set verification options. */
@@ -151,7 +151,7 @@ export async function jwtVerify(
   if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {
     throw new JWTInvalid('JWTs MUST NOT use unencoded payload')
   }
-  const payload = jwtPayload(verified.protectedHeader, verified.payload, options)
+  const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options)
   const result = { payload, protectedHeader: verified.protectedHeader }
   if (typeof key === 'function') {
     return { ...result, key: verified.key }

src/jwt/verify.ts

@@ -4,6 +4,15 @@ import { decoder } from './buffer_utils.js'
 import epoch from './epoch.js'
 import secs from './secs.js'
 import isObject from './is_object.js'
+import { encoder } from './buffer_utils.js'
+
+function validateInput(label: string, input: number) {
+  if (!Number.isFinite(input)) {
+    throw new TypeError(`Invalid ${label} input`)
+  }
+
+  return input
+}
 
 const normalizeTyp = (value: string) => value.toLowerCase().replace(/^application\//, '')
 
@@ -21,11 +30,11 @@ const checkAudiencePresence = (audPayload: unknown, audOption: unknown[]) => {
   return false
 }
 
-export default (
+export function validateClaimsSet(
   protectedHeader: types.JWEHeaderParameters | types.JWSHeaderParameters,
   encodedPayload: Uint8Array,
   options: types.JWTClaimVerificationOptions = {},
-) => {
+) {
   let payload!: { [propName: string]: unknown }
   try {
     payload = JSON.parse(decoder.decode(encodedPayload))
@@ -174,3 +183,94 @@ export default (
 
   return payload as types.JWTPayload
 }
+
+export class JWTClaimsBuilder {
+  #payload!: types.JWTPayload
+
+  constructor(payload: types.JWTPayload) {
+    if (!isObject(payload)) {
+      throw new TypeError('JWT Claims Set MUST be an object')
+    }
+    this.#payload = structuredClone(payload)
+  }
+
+  data(): Uint8Array {
+    return encoder.encode(JSON.stringify(this.#payload))
+  }
+
+  get iss(): string | undefined {
+    return this.#payload.iss
+  }
+
+  set iss(value: string) {
+    this.#payload.iss = value
+  }
+
+  get sub(): string | undefined {
+    return this.#payload.sub
+  }
+
+  set sub(value: string) {
+    this.#payload.sub = value
+  }
+
+  get aud(): string | string[] | undefined {
+    return this.#payload.aud
+  }
+
+  set aud(value: string | string[]) {
+    this.#payload.aud = value
+  }
+
+  get jti(): string | undefined {
+    return this.#payload.jti
+  }
+
+  set jti(value: string) {
+    this.#payload.jti = value
+  }
+
+  get nbf(): number | undefined {
+    return this.#payload.nbf
+  }
+
+  set nbf(value: number | string | Date) {
+    if (typeof value === 'number') {
+      this.#payload.nbf = validateInput('setNotBefore', value)
+    } else if (value instanceof Date) {
+      this.#payload.nbf = validateInput('setNotBefore', epoch(value))
+    } else {
+      this.#payload.nbf = epoch(new Date()) + secs(value)
+    }
+  }
+
+  get exp(): number | undefined {
+    return this.#payload.exp
+  }
+
+  set exp(value: number | string | Date) {
+    if (typeof value === 'number') {
+      this.#payload.exp = validateInput('setExpirationTime', value)
+    } else if (value instanceof Date) {
+      this.#payload.exp = validateInput('setExpirationTime', epoch(value))
+    } else {
+      this.#payload.exp = epoch(new Date()) + secs(value)
+    }
+  }
+
+  get iat(): number | undefined {
+    return this.#payload.iat
+  }
+
+  set iat(value: number | string | Date | undefined) {
+    if (typeof value === 'undefined') {
+      this.#payload.iat = epoch(new Date())
+    } else if (value instanceof Date) {
+      this.#payload.iat = validateInput('setIssuedAt', epoch(value))
+    } else if (typeof value === 'string') {
+      this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value))
+    } else {
+      this.#payload.iat = validateInput('setIssuedAt', value)
+    }
+  }
+}

src/lib/jwt_claims_set.ts

@@ -4,35 +4,13 @@
   "hideBreadcrumbs": true,
   "entryPoints": [
     "src/types.d.ts",
-    "src/jwt/decrypt.ts",
-    "src/jwt/encrypt.ts",
-    "src/jwt/sign.ts",
-    "src/jwt/unsecured.ts",
-    "src/jwt/verify.ts",
-    "src/jwe/compact/encrypt.ts",
-    "src/jwe/compact/decrypt.ts",
-    "src/jwe/flattened/encrypt.ts",
-    "src/jwe/flattened/decrypt.ts",
-    "src/jwe/general/encrypt.ts",
-    "src/jwe/general/decrypt.ts",
-    "src/jws/compact/sign.ts",
-    "src/jws/compact/verify.ts",
-    "src/jws/flattened/sign.ts",
-    "src/jws/flattened/verify.ts",
-    "src/jws/general/sign.ts",
-    "src/jws/general/verify.ts",
-    "src/jwk/embedded.ts",
-    "src/jwk/thumbprint.ts",
-    "src/jwks/local.ts",
-    "src/jwks/remote.ts",
-    "src/util/base64url.ts",
-    "src/util/decode_jwt.ts",
-    "src/util/decode_protected_header.ts",
-    "src/util/errors.ts",
-    "src/key/export.ts",
-    "src/key/generate_key_pair.ts",
-    "src/key/generate_secret.ts",
-    "src/key/import.ts"
+    "src/jwe/**/*.ts",
+    "src/jwk/*.ts",
+    "src/jwks/*.ts",
+    "src/jws/**/*.ts",
+    "src/jwt/*.ts",
+    "src/key/*.ts",
+    "src/util/*.ts",
   ],
   "excludeExternals": true,
   "excludePrivate": true,