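import { FlattenedJWSInput, JWSHeaderParameters, KeyLike } from 'jose';
import { SafeResult } from './safe-result.js';
// NOTE(review): every generic type argument in this file (Promise<...>,
// SafeResult<...>) was missing from the listing and has been restored from the
// imports and the doc comments. Confirm against the published declaration file.
/**
 * Key resolver handed to the JWT verification routine: given the protected
 * header (and optionally the token) it resolves the key used to check the
 * signature.
 */
type Jwks = (protectedHeader?: JWSHeaderParameters, token?: FlattenedJWSInput) => Promise<KeyLike>;
/**
 * Data supplied by the external authentication provider.
 *
 * These values are relayed from the provider. Nothing in this declaration
 * marks any of them as verified, so validate them before relying on them.
 */
interface ProviderData {
    /**
     * Email address if provided.
     */
    email?: string;
    /**
     * External authentication provider ID.
     */
    externalId?: string;
    /**
     * User's name provided by the external authentication provider.
     */
    name: string;
    /**
     * User's given name provided by the external authentication provider.
     */
    givenName?: string;
    /**
     * User's family name provided by the external authentication provider.
     */
    familyName?: string;
    /**
     * Date provider data was obtained.
     */
    asOfDate: number;
    /**
     * Any other provider data. Typed `unknown`: narrow and validate before use.
     */
    [propName: string]: unknown;
}
/**
 * Timestamps for a token.
 */
export interface TokenTimestamps {
    /**
     * JWT Not Before
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.5 RFC7519#section-4.1.5}
     */
    nbf: number;
    /**
     * JWT Expiration Time
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4 RFC7519#section-4.1.4}
     */
    exp: number;
    /**
     * JWT Issued At
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6 RFC7519#section-4.1.6}
     */
    iat: number;
}
/**
 * Checks if an exp timestamp is expired.
 *
 * This is a freshness check only. A "not expired" result says nothing about
 * whether the token the timestamp came from is authentic, so it is not a
 * substitute for signature verification.
 *
 * @param exp the expiration timestamp in seconds
 * @param bufferSeconds the number of seconds before the expiration timestamp to consider the token expired
 * @returns whether the timestamp is considered expired
 */
export declare function isExpired(exp: number, bufferSeconds?: number): boolean;
/**
 * Checks if a token is expired.
 *
 * Only the timestamps are declared as input, so this cannot validate the
 * signature, issuer or audience. Use it to decide when to refresh a token,
 * not to decide whether to trust one.
 *
 * @param token the token to check
 * @param bufferSeconds the number of seconds before the expiration timestamp to consider the token expired
 * @returns whether the token is considered expired
 */
export declare function isTokenExpired(token: TokenTimestamps, bufferSeconds?: number): boolean;
/**
 * Decoded ID Token.
 */
export interface DecodedIdToken extends TokenTimestamps {
    /**
     * JWT Issuer
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.1 RFC7519#section-4.1.1}
     */
    iss: string;
    /**
     * JWT Subject
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.2 RFC7519#section-4.1.2}
     */
    sub: string;
    /**
     * JWT Audience
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3 RFC7519#section-4.1.3}
     */
    aud: string[];
    /**
     * JWT ID
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7 RFC7519#section-4.1.7}
     */
    jti: string;
    /**
     * Email address if one is provided.
     *
     * This interface declares no email-verified flag. Key accounts on
     * `iss` + `sub` rather than on this value.
     */
    email?: string;
    /**
     * Name of user.
     */
    name: string;
    /**
     * Given name of the user.
     */
    givenName?: string;
    /**
     * Family name of the user.
     */
    familyName?: string;
    /**
     * Identity provider used.
     */
    idp?: string;
    /**
     * Identity provider ID.
     */
    providerId?: string;
    /**
     * Identity provider type.
     */
    providerType?: string;
    /**
     * Identity provider login hint.
     */
    providerLoginHint?: string;
    /**
     * Data supplied by the provider.
     */
    providerData?: ProviderData;
    /**
     * Nonce used.
     *
     * `VerifyIdTokenProps` has no field for an expected nonce, so the caller
     * has to compare this value with the nonce it sent in the authentication
     * request.
     */
    nonce?: string;
    /** Any other JWT Claim Set member. Typed `unknown`: narrow and validate before use. */
    [propName: string]: unknown;
}
/**
 * Decoded access token.
 */
export interface DecodedAccessToken extends TokenTimestamps {
    /**
     * JWT Issuer
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.1 RFC7519#section-4.1.1}
     */
    iss: string;
    /**
     * JWT Subject
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.2 RFC7519#section-4.1.2}
     */
    sub?: string;
    /**
     * JWT Audience
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3 RFC7519#section-4.1.3}
     */
    aud: string[];
    /**
     * JWT ID
     *
     * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7 RFC7519#section-4.1.7}
     */
    jti: string;
    /**
     * Scopes allowed.
     *
     * `VerifyAccessTokenProps` carries no required scope, so checking that the
     * scope for the requested operation is present is left to the caller.
     */
    scopes: string[];
    /**
     * Client ID.
     */
    clientId: string;
    /**
     * Identity provider used.
     */
    idp?: string;
    /**
     * Any other JWT Claim Set member. Typed `unknown`: narrow and validate before use.
     */
    [propName: string]: unknown;
}
/**
 * Decodes an access token without verifying it.
 *
 * The signature is not checked, so every claim in the result is
 * attacker-controllable. Use the result only for non-security purposes such
 * as display or logging. Anything that gates access must go through
 * `JwtVerifier.verifyAccessToken` instead.
 *
 * @param accessToken the access token to decode
 * @returns the decoded claims or null (presumably when the input cannot be decoded; confirm against the implementation)
 */
export declare function decodeAccessToken(accessToken: string): DecodedAccessToken | null;
/**
 * Safe version of decodeAccessToken that returns a result object instead of throwing an error.
 *
 * Like decodeAccessToken, this does not verify the token. A successful result
 * means "decodable", not "trusted".
 *
 * @param accessToken the access token to decode
 */
export declare function decodeAccessTokenSafe(accessToken: string): SafeResult<DecodedAccessToken>;
/**
 * Properties for verifying an ID token.
 */
export interface VerifyIdTokenProps {
    /** The encoded ID token to verify. */
    readonly idToken: string;
    /** Client ID of the calling application (presumably matched against `aud`; confirm against the implementation). */
    readonly clientId: string;
    /** Expected issuer (presumably matched against `iss`; confirm against the implementation). Take it from configuration, not from the token. */
    readonly issuer: string;
}
/**
 * Properties for verifying an access token.
 */
export interface VerifyAccessTokenProps {
    /** The encoded access token to verify. */
    readonly accessToken: string;
    /** Expected audience (presumably matched against `aud`; confirm against the implementation). */
    readonly audience: string;
    /** Expected issuer (presumably matched against `iss`; confirm against the implementation). Take it from configuration, not from the token. */
    readonly issuer: string;
}
/**
 * Used to handle JWT verification handling JWKS caching.
 */
export declare class JwtVerifier {
    /** Key resolver used by the verify methods. */
    protected readonly jwks: Jwks;
    /**
     * Creates a new JWT verifier.
     *
     * The key set decides which signatures are accepted. Supply it from
     * trusted static configuration. Never derive the URL or domain from the
     * token being verified or from any other request input.
     *
     * @param jwks the JWKS instance, URL to the JWKS endpoint, or your AuthSure domain.
     */
    constructor(jwks: string | Jwks);
    /**
     * Performs a JWT verification and returns the parsed payload. This method is
     * intended to be used on the client-side to verify the ID token. A null value
     * will be returned if verification failed.
     *
     * NOTE(review): the Safe variant is documented as returning a result
     * "instead of throwing", which suggests this method can also reject.
     * Callers should handle both a null result and a rejected promise.
     *
     * @param props the JWT and verification parameters
     */
    verifyIdToken(props: VerifyIdTokenProps): Promise<DecodedIdToken | null>;
    /**
     * Safe version of verifyIdToken that returns a result object instead of throwing an error.
     *
     * @param props the JWT and verification parameters
     */
    verifyIdTokenSafe(props: VerifyIdTokenProps): Promise<SafeResult<DecodedIdToken>>;
    /**
     * Performs a JWT verification and returns the parsed payload. This method is
     * intended to be used on the server-side to verify the access token. A null
     * value will be returned if verification failed.
     *
     * A non-null result authenticates the token only. The caller still has to
     * authorize the request, for example by checking `scopes`.
     *
     * NOTE(review): the Safe variant is documented as returning a result
     * "instead of throwing", which suggests this method can also reject.
     * Callers should handle both a null result and a rejected promise.
     *
     * @param props the JWT and verification parameters
     */
    verifyAccessToken(props: VerifyAccessTokenProps): Promise<DecodedAccessToken | null>;
    /**
     * Safe version of verifyAccessToken that returns a result object instead of throwing an error.
     *
     * @param props the JWT and verification parameters
     */
    verifyAccessTokenSafe(props: VerifyAccessTokenProps): Promise<SafeResult<DecodedAccessToken>>;
}
export {};
//# sourceMappingURL=jwt-helper.d.ts.map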