1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
|
import crypto from "node:crypto";
import { z } from "zod";
import serverConfig from "./config";
const zTokenPayload = z.object({
payload: z.unknown(),
expiresAt: z.number(),
});
const zSignedTokenPayload = z.object({
payload: zTokenPayload,
signature: z.string(),
});
export type SignedTokenPayload = z.infer<typeof zSignedTokenPayload>;
export function createSignedToken(
payload: unknown,
expiryEpoch?: number,
): string {
const expiresAt = expiryEpoch ?? Date.now() + 5 * 60 * 1000; // 5 minutes from now
const toBeSigned: z.infer<typeof zTokenPayload> = {
payload,
expiresAt,
};
const payloadString = JSON.stringify(toBeSigned);
const signature = crypto
.createHmac("sha256", serverConfig.signingSecret())
.update(payloadString)
.digest("hex");
const tokenData: z.infer<typeof zSignedTokenPayload> = {
payload: toBeSigned,
signature,
};
return Buffer.from(JSON.stringify(tokenData)).toString("base64");
}
export function verifySignedToken<T>(
token: string,
schema: z.ZodSchema<T>,
): T | null {
try {
const tokenData = zSignedTokenPayload.parse(
JSON.parse(Buffer.from(token, "base64").toString()),
);
const { payload, signature } = tokenData;
// Verify signature
const expectedSignature = crypto
.createHmac("sha256", serverConfig.signingSecret())
.update(JSON.stringify(payload))
.digest("hex");
if (signature !== expectedSignature) {
return null;
}
// Check expiry
if (Date.now() > payload.expiresAt) {
return null;
}
return schema.parse(payload.payload);
} catch {
return null;
}
}
|
