vincent/gerbeur
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
20b9bfe7b4c9297ecda40697dd409f596c63d165
gerbeur/api/lib/jwt.ts
khannurien 20b9bfe7b4 v3: added password change/reset feature
2026-04-06 16:30:00 +00:00

117 lines
3.4 KiB
TypeScript
Raw Blame History

import { randomBytes, scrypt } from "node:crypto";
import { jwtVerify, SignJWT } from "@panva/jose";
import {
type AuthPayload,
InvitePayload,
isAuthPayload,
isInvitePayload,
isPasswordResetPayload,
type PasswordResetPayload,
} from "../model/interfaces.ts";
import { JWT_SECRET } from "../config.ts";
if (!JWT_SECRET) {
throw new Error(
"GERBEUR_JWT_SECRET environment variable is required. Generate one with: openssl rand -hex 32",
);
}
const JWT_KEY = new TextEncoder().encode(JWT_SECRET);
// ── Invite tokens ─────────────────────────────────────────────────────────────
export async function createInviteToken(inviterId: string): Promise<string> {
return await new SignJWT({ purpose: "invite", inviterId })
.setProtectedHeader({ alg: "HS256" })
.setJti(crypto.randomUUID())
.setExpirationTime("7d")
.sign(JWT_KEY);
}
export async function verifyInviteToken(
token: string,
): Promise<InvitePayload | null> {
try {
const { payload } = await jwtVerify(token, JWT_KEY);
if (!isInvitePayload(payload)) return null;
return payload as InvitePayload;
} catch {
return null;
}
}
// ── Password reset tokens ─────────────────────────────────────────────────────
export async function createPasswordResetToken(
userId: string,
): Promise<string> {
return await new SignJWT({ purpose: "password-reset", userId })
.setProtectedHeader({ alg: "HS256" })
.setJti(crypto.randomUUID())
.setExpirationTime("1h")
.sign(JWT_KEY);
}
export async function verifyPasswordResetToken(
token: string,
): Promise<PasswordResetPayload | null> {
try {
const { payload } = await jwtVerify(token, JWT_KEY);
if (!isPasswordResetPayload(payload)) return null;
return payload as PasswordResetPayload;
} catch {
return null;
}
}
// ── Auth tokens ───────────────────────────────────────────────────────────────
export async function createJWT(
payload: Omit<AuthPayload, "exp">,
): Promise<string> {
return await new SignJWT(payload)
.setProtectedHeader({ alg: "HS256" })
.setExpirationTime("24h")
.sign(JWT_KEY);
}
export async function verifyJWT(token: string): Promise<AuthPayload | null> {
try {
const { payload } = await jwtVerify(token, JWT_KEY);
if (!isAuthPayload(payload)) {
return null;
}
return payload;
} catch (err) {
console.error("JWT verification failed:", err);
return null;
}
}
export function hashPassword(password: string): Promise<string> {
const salt = randomBytes(16).toString("hex");
return new Promise((resolve, reject) => {
scrypt(password, salt, 64, (err, derivedKey) => {
if (err) reject(err);
else resolve(`${derivedKey.toString("hex")}.${salt}`);
});
});
}
export function verifyPassword(
password: string,
storedHash: string,
): Promise<boolean> {
const [hash, salt] = storedHash.split(".");
return new Promise((resolve, reject) => {
scrypt(password, salt, 64, (err, derivedKey) => {
if (err) reject(err);
else resolve(hash === derivedKey.toString("hex"));
});
});
}
Reference in New Issue View Git Blame Copy Permalink