path: root/src/token/index.ts
import { createHmac, randomBytes, timingSafeEqual } from 'crypto';
import { Either, type IEither } from '@emprespresso/pengueno';

/**
 * Claims carried inside a signed token.
 *
 * The payload is serialized as JSON and covered by the HMAC, so neither field
 * can be altered without invalidating the signature.
 */
export interface TokenPayload {
    /** Route the token was issued for; validation compares it to the route the caller expects. */
    routeName: string;
    /** Issue time as returned by `Date.now()` (milliseconds since the Unix epoch). */
    timestamp: number;
}

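/**
 * Issues and verifies short-lived, route-scoped tokens authenticated with
 * HMAC-SHA256.
 *
 * Token layout: `base64url( JSON(payload) + "." + hex(HMAC-SHA256(secret, JSON(payload))) )`.
 *
 * Security notes:
 * - The payload holds only a route name and an issue time. There is no nonce,
 *   so a token can be presented any number of times until it expires; callers
 *   that need single-use semantics must track consumed tokens themselves.
 * - The payload is signed, not encrypted. Anyone holding a token can read it.
 * - When no secret is supplied a random one is generated per instance, so such
 *   tokens only verify against a signer that shares that secret.
 */
export class TokenSigner {
    private readonly secret: string;
    private readonly ttlSeconds: number;

    /**
     * @param secret HMAC key. When omitted (or empty) a fresh 32-byte random
     *   key, hex-encoded, is generated so an empty key is never used.
     * @param ttlSeconds Maximum accepted token age in seconds.
     */
    constructor(secret?: string, ttlSeconds: number = 30) {
        // `||` rather than `??` is deliberate: an empty string must not become the HMAC key.
        this.secret = secret || randomBytes(32).toString('hex');
        this.ttlSeconds = ttlSeconds;
    }

    /**
     * Creates a token bound to `routeName` and stamped with the current time.
     *
     * @param routeName Route the token authorizes.
     * @returns The base64url-encoded `payload.signature` string.
     */
    generate(routeName: string): string {
        const timestamp = Date.now();
        const payload = JSON.stringify({ routeName, timestamp });
        const signature = this.sign(payload);
        return Buffer.from(`${payload}.${signature}`).toString('base64url');
    }

    /**
     * Verifies a token's signature, payload shape, route binding and age.
     *
     * Checks run in that order, so the payload is parsed only after its MAC
     * has been verified.
     *
     * @param token Token string as produced by {@link TokenSigner.generate}.
     * @param expectedRoute Route the caller is serving; must equal the signed route name.
     * @returns `Either.right(payload)` when every check passes, otherwise
     *   `Either.left(Error)` describing the first failed check. Never throws.
     */
    validate(token: string, expectedRoute: string): IEither<Error, TokenPayload> {
        try {
            const decoded = Buffer.from(token, 'base64url').toString('utf-8');
            const lastDotIndex = decoded.lastIndexOf('.');

            if (lastDotIndex === -1) {
                return Either.left(new Error('Invalid token format'));
            }

            const payload = decoded.substring(0, lastDotIndex);
            const signature = decoded.substring(lastDotIndex + 1);

            // Compare MACs in constant time. A plain `!==` stops at the first
            // differing character, which exposes how much of a guessed
            // signature was correct through response timing.
            const expected = Buffer.from(this.sign(payload), 'utf-8');
            const provided = Buffer.from(signature, 'utf-8');
            // timingSafeEqual throws on unequal lengths; the digest length is
            // public, so checking it first reveals nothing useful.
            if (provided.length !== expected.length || !timingSafeEqual(provided, expected)) {
                return Either.left(new Error('Invalid token signature'));
            }

            // Validate the shape before trusting it. Without this, a
            // non-numeric timestamp makes the age NaN, and NaN passes both
            // range checks below.
            const parsed: unknown = JSON.parse(payload);
            if (typeof parsed !== 'object' || parsed === null) {
                return Either.left(new Error('Invalid token payload'));
            }
            const fields = parsed as Record<string, unknown>;
            if (typeof fields.routeName !== 'string' || !Number.isFinite(fields.timestamp)) {
                return Either.left(new Error('Invalid token payload'));
            }
            const claims = parsed as TokenPayload;

            // A token is only valid for the route it was issued for.
            if (claims.routeName !== expectedRoute) {
                return Either.left(new Error('Token route mismatch'));
            }

            // Age is measured in seconds against the configured TTL.
            const age = (Date.now() - claims.timestamp) / 1000;
            if (age > this.ttlSeconds) {
                return Either.left(new Error('Token expired'));
            }

            // No clock-skew allowance: any timestamp ahead of the local clock is rejected.
            if (age < 0) {
                return Either.left(new Error('Token from future'));
            }

            return Either.right(claims);
        } catch (err) {
            return Either.left(err instanceof Error ? err : new Error(String(err)));
        }
    }

    /** Computes the hex-encoded HMAC-SHA256 of `payload` under the instance secret. */
    private sign(payload: string): string {
        return createHmac('sha256', this.secret).update(payload).digest('hex');
    }

    /**
     * Returns the raw HMAC key.
     *
     * Anyone holding this value can mint valid tokens for any route, so it
     * should not be logged or included in responses.
     */
    getSecret(): string {
        return this.secret;
    }
}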