feat: consolidated token logic and added compact tokens

aryanjassal · aryanjassal · commit b7b3bab74659 · 2025-07-10T12:38:31.000+10:00
diff --git a/src/tokens/Token.ts b/src/tokens/Token.ts
@@ -79,6 +79,23 @@ class Token<P extends TokenPayload = TokenPayload> {
     );
   }
 
+  public static fromCompact<P extends TokenPayload = TokenPayload>(
+    signedTokenEncoded: string,
+  ): Token<P> {
+    tokensUtils.assertCompactToken(signedTokenEncoded);
+    const [header, payload, signature] = signedTokenEncoded.split('.');
+    const tokenEncoded = {
+      payload: payload,
+      signatures: [
+        {
+          protected: header,
+          signature: signature,
+        },
+      ],
+    } as SignedTokenEncoded;
+    return this.fromEncoded(tokenEncoded);
+  }
+
   public constructor(
     payload: P,
     payloadEncoded: TokenPayloadEncoded,
@@ -257,6 +274,20 @@ class Token<P extends TokenPayload = TokenPayload> {
   public toJSON() {
     return this.toEncoded();
   }
+
+  /**
+   * The compact, xxxx.yyyy.zzzz representation of this `Token` is `string`. The
+   * token must have exactly one signature, otherwise it cannot be converted to
+   * a compact token. This function will return undefined in that case.
+   */
+  public toCompact(): string | undefined {
+    if (this.signatures.length !== 1) {
+      return;
+    }
+    const { payload, signatures } = this.toEncoded();
+    const { protected: header, signature } = signatures[0];
+    return `${header}.${payload}.${signature}`;
+  }
 }
 
 export default Token;
diff --git a/src/tokens/payloads/authSignedIdentity.ts b/src/tokens/payloads/authSignedIdentity.ts
@@ -0,0 +1,55 @@
+import type { SignedToken, TokenPayload } from '../types.js';
+import type { NodeIdEncoded } from '../../ids/types.js';
+import * as tokensUtils from '../utils.js';
+import * as ids from '../../ids/index.js';
+import * as validationErrors from '../../validation/errors.js';
+import * as utils from '../../utils/index.js';
+
+interface AuthSignedIdentity extends TokenPayload {
+  typ: 'AuthSignedIdentity';
+  iss: NodeIdEncoded;
+  exp: number;
+  jti: string;
+}
+
+function assertAuthSignedIdentity(
+  authSignedIdentity: unknown,
+): asserts authSignedIdentity is AuthSignedIdentity {
+  if (!utils.isObject(authSignedIdentity)) {
+    throw new validationErrors.ErrorParse('must be POJO');
+  }
+  if (authSignedIdentity['typ'] !== 'AuthSignedIdentity') {
+    throw new validationErrors.ErrorParse(
+      '`typ` property must be `AuthSignedToken`',
+    );
+  }
+  if (
+    authSignedIdentity['iss'] == null ||
+    ids.decodeNodeId(authSignedIdentity['iss'] == null)
+  ) {
+    throw new validationErrors.ErrorParse(
+      '`iss` property must be an encoded node ID',
+    );
+  }
+  if (typeof authSignedIdentity['exp'] !== 'number') {
+    throw new validationErrors.ErrorParse('`exp` property must be a number');
+  }
+  if (typeof authSignedIdentity['jti'] !== 'string') {
+    throw new validationErrors.ErrorParse('`jti` property must be a string');
+  }
+}
+
+function parseAuthSignedIdentity(
+  authIdentityEncoded: unknown,
+): SignedToken<AuthSignedIdentity> {
+  const encodedToken =
+    tokensUtils.parseSignedToken<AuthSignedIdentity>(authIdentityEncoded);
+  const authIdentity =
+    tokensUtils.parseTokenPayload<AuthSignedIdentity>(encodedToken);
+  assertAuthSignedIdentity(authIdentity);
+  return encodedToken;
+}
+
+export { assertAuthSignedIdentity, parseAuthSignedIdentity };
+
+export type { AuthSignedIdentity };
diff --git a/src/tokens/payloads/index.ts b/src/tokens/payloads/index.ts
@@ -0,0 +1 @@
+export * from './authSignedIdentity.js';
diff --git a/src/tokens/payloads/sessionToken.ts b/src/tokens/payloads/sessionToken.ts
@@ -0,0 +1,40 @@
+import type { SignedToken, TokenPayload } from '../types.js';
+import * as tokensUtils from '../utils.js';
+import * as validationErrors from '../../validation/errors.js';
+import * as utils from '../../utils/index.js';
+
+interface SessionToken extends TokenPayload {
+  iat: number;
+}
+
+function assertSessionToken(
+  sessionToken: unknown,
+): asserts sessionToken is SessionToken {
+  if (!utils.isObject(sessionToken)) {
+    throw new validationErrors.ErrorParse('must be POJO');
+  }
+  if (sessionToken['iat'] !== 'number') {
+    throw new validationErrors.ErrorParse('`iat` property must be a number');
+  }
+}
+
+function parseSessionToken(sessionToken: unknown): SignedToken<SessionToken> {
+  if (typeof sessionToken !== 'string') {
+    throw new validationErrors.ErrorParse('sessionToken must be a string');
+  }
+  let parsedToken: unknown;
+  try {
+    parsedToken = JSON.parse(sessionToken);
+  } catch {
+    throw new validationErrors.ErrorParse('sessionToken must be valid JSON');
+  }
+  const encodedToken = tokensUtils.parseSignedToken<SessionToken>(parsedToken);
+  const sessionPayload =
+    tokensUtils.parseTokenPayload<SessionToken>(encodedToken);
+  assertSessionToken(sessionPayload);
+  return encodedToken;
+}
+
+export { assertSessionToken, parseSessionToken };
+
+export type { SessionToken };
diff --git a/src/tokens/types.ts b/src/tokens/types.ts
@@ -118,6 +118,8 @@ type SignedTokenEncoded = {
   signatures: Array<TokenHeaderSignatureEncoded>;
 };
 
+type CompactToken = Opaque<'CompactToken', string>;
+
 export type {
   TokenPayload,
   TokenPayloadEncoded,
@@ -132,4 +134,5 @@ export type {
   SignedToken,
   SignedTokenJSON,
   SignedTokenEncoded,
+  CompactToken,
 };
diff --git a/src/tokens/utils.ts b/src/tokens/utils.ts
@@ -9,6 +9,7 @@ import type {
   SignedToken,
   SignedTokenEncoded,
   TokenHeaderSignatureEncoded,
+  CompactToken,
 } from './types.js';
 import { Buffer } from 'buffer';
 import canonicalize from 'canonicalize';
@@ -17,6 +18,9 @@ import * as validationErrors from '../validation/errors.js';
 import * as keysUtils from '../keys/utils/index.js';
 import * as utils from '../utils/index.js';
 
+const compactTokenAssertRegex =
+  /^[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+$/;
+
 function generateTokenPayload(payload: TokenPayload): TokenPayloadEncoded {
   // @ts-ignore: canonicalize exports is function improperly for ESM
   const payloadJSON = canonicalize(payload)!;
@@ -250,6 +254,22 @@ function parseSignedToken<P extends TokenPayload = TokenPayload>(
   };
 }
 
+/**
+ * Asserts a value is a valid compact token
+ */
+function assertCompactToken(
+  compactToken: unknown,
+): asserts compactToken is CompactToken {
+  if (typeof compactToken !== 'string') {
+    throw new validationErrors.ErrorParse('token must be a string');
+  }
+  if (!compactTokenAssertRegex.test(compactToken)) {
+    throw new validationErrors.ErrorParse(
+      'Input is not a compact JWT (format: xxxx.yyyy.zzzz, base64url-encoded)',
+    );
+  }
+}
+
 export {
   generateTokenPayload,
   generateTokenProtectedHeader,
@@ -261,4 +281,5 @@ export {
   parseTokenSignature,
   parseTokenHeaderSignature,
   parseSignedToken,
+  assertCompactToken,
 };

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+export * from './authSignedIdentity.js';`