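/**
 * Input validation utilities for defense-in-depth security.
 *
 * This module provides validation functions to protect against:
 * - DoS attacks via deeply nested structures
 * - Injection attacks via malformed input
 * - Resource exhaustion via oversized data
 *
 * This is a declaration file: it states the limits and the function
 * contracts, but the regular-expression bodies and the order of the checks
 * live in the implementation and are not visible here.
 *
 * Every validator below is an assertion function. It returns nothing on
 * success and throws `InputValidationError` on failure; after it returns, the
 * compiler narrows the argument to the asserted type.
 */
import { BelticError } from '../errors/base.js';

// Size and depth ceilings. The units (characters vs. bytes) are not stated in
// this file; presumably string lengths in UTF-16 code units. TODO confirm
// against the implementation.

/** Upper bound on an incoming token's length. */
export declare const MAX_TOKEN_LENGTH = 100000;
/** Nesting-depth ceiling; presumably the default for `maxDepth` (confirm). */
export declare const MAX_CREDENTIAL_DEPTH = 20;
/** Array-length ceiling; presumably the default for `maxArrayLength` (confirm). */
export declare const MAX_ARRAY_LENGTH = 1000;
/** String-length ceiling; presumably the default for `maxStringLength` (confirm). */
export declare const MAX_STRING_LENGTH = 50000;
/** Upper bound on a URL's length. */
export declare const MAX_URL_LENGTH = 2048;
/** Upper bound on a DID's length. */
export declare const MAX_DID_LENGTH = 2048;

// Format patterns. The expressions themselves are not part of this file.
// NOTE(review): confirm in the implementation that each pattern is anchored at
// both ends, is not declared with the global/sticky flag (shared `lastIndex`
// state makes `test()` results call-order dependent), and that the matching
// length limit is enforced before the pattern is evaluated, so an oversized
// value never reaches the regex engine.

/** Format pattern for Decentralized Identifiers. */
export declare const DID_PATTERN: RegExp;
/** Format pattern for key identifiers. */
export declare const KID_PATTERN: RegExp;
/** Format pattern for URLs. */
export declare const URL_PATTERN: RegExp;
/** Format pattern for base64url-encoded data. */
export declare const BASE64URL_PATTERN: RegExp;
/** Format pattern for credential identifiers. */
export declare const CREDENTIAL_ID_PATTERN: RegExp;

/**
 * Error raised when input validation fails.
 *
 * NOTE(review): `details` and `field` may end up in logs or API responses;
 * confirm the implementation does not copy the rejected value itself (for
 * example a whole token) into them.
 */
export declare class InputValidationError extends BelticError {
    /** The field that failed validation */
    readonly field?: string;
    /**
     * @param message - Human-readable description of the failure
     * @param code - Error code identifying the kind of failure
     * @param details - Optional structured context about the failure
     * @param field - Optional name of the field that failed validation
     */
    constructor(message: string, code: string, details?: Record<string, unknown>, field?: string);
}

/**
 * Validate JWT token input before processing.
 *
 * Performs structural validation without cryptographic verification.
 * A token that passes is well-formed, not authentic: the signature and the
 * claims still have to be verified before anything in the token is trusted.
 *
 * @param token - The JWT token string
 * @throws InputValidationError if token is invalid
 *
 * @example
 * ```typescript
 * validateTokenInput('eyJ.eyJ.sig'); // Valid structure
 * validateTokenInput('invalid'); // Throws error
 * ```
 */
export declare function validateTokenInput(token: unknown): asserts token is string;

/**
 * Validate a Decentralized Identifier (DID).
 *
 * @param did - The DID string
 * @param fieldName - Name of the field for error messages
 * @throws InputValidationError if DID is invalid
 */
export declare function validateDid(did: unknown, fieldName?: string): asserts did is string;

/**
 * Validate a key identifier (kid).
 *
 * The kid is attacker-controlled header data. Passing this check means it has
 * an acceptable shape, not that it names a trusted key.
 *
 * @param kid - The kid string
 * @param fieldName - Name of the field for error messages
 * @throws InputValidationError if kid is invalid
 */
export declare function validateKid(kid: unknown, fieldName?: string): asserts kid is string;

/**
 * Validate a URL string.
 *
 * Only HTTPS URLs are allowed for security.
 *
 * NOTE(review): nothing in this declaration shows a restriction on the host
 * (loopback, link-local or private ranges). If the validated URL is later
 * fetched server-side, the caller should apply its own destination controls
 * rather than rely on this check alone.
 *
 * @param url - The URL string
 * @param fieldName - Name of the field for error messages
 * @throws InputValidationError if URL is invalid
 */
export declare function validateUrl(url: unknown, fieldName?: string): asserts url is string;

/**
 * Options for credential structure validation.
 *
 * These set the ceilings the validator enforces, so they should come from
 * trusted configuration and never from the document being validated.
 */
export interface ValidateCredentialStructureOptions {
    /** Maximum nesting depth to accept. */
    maxDepth?: number;
    /** Maximum length of any array to accept. */
    maxArrayLength?: number;
    /** Maximum length of any string to accept. */
    maxStringLength?: number;
}

/**
 * Validate credential structure to prevent DoS attacks.
 *
 * Checks for:
 * - Maximum nesting depth
 * - Maximum array lengths
 * - Maximum string lengths
 *
 * This bounds the shape of the object only; it says nothing about whether the
 * credential's contents are valid or signed.
 *
 * @param credential - The credential object
 * @param options - Validation options
 * @throws InputValidationError if structure is invalid
 */
export declare function validateCredentialStructure(credential: unknown, options?: ValidateCredentialStructureOptions): asserts credential is Record<string, unknown>;

/**
 * Validate a signing algorithm string.
 *
 * NOTE(review): the accepted set is not visible in this declaration. Confirm
 * the implementation uses an explicit allowlist and rejects the unsigned
 * `none` algorithm.
 *
 * @param alg - The algorithm string
 * @throws InputValidationError if algorithm is invalid
 */
export declare function validateAlgorithm(alg: unknown): asserts alg is string;

/**
 * Validate a base64url encoded string.
 *
 * @param data - The base64url string
 * @param fieldName - Name of the field for error messages
 * @throws InputValidationError if not valid base64url
 */
export declare function validateBase64url(data: unknown, fieldName?: string): asserts data is string;
//# sourceMappingURL=input.d.ts.map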