js/security
js/security/index.ts
fino:security provides compact helpers for common backend security tasks.
The module includes cryptographic random bytes and tokens, security and CORS header builders, signed or sealed cookies, PBKDF2 password records, JWK/JWKS utilities, compact JWT/JWE helpers, and signed opaque JSON tokens.
Learn more:
- Fetch CORS protocol: https://fetch.spec.whatwg.org/#http-cors-protocol
- HTTP cookies: https://www.rfc-editor.org/rfc/rfc6265
- JSON Web Token: https://www.rfc-editor.org/rfc/rfc7519
import { createSecurityHeaders, randomToken } from 'fino:security';
const headers = createSecurityHeaders();
const token = randomToken();
Functions
function randomBytes(length: number): Uint8Array
Re-exported from random.randomBytes.
function randomBase64Url(length = 32): string
Re-exported from random.randomBase64Url.
function randomToken(bytes = 32): string
Re-exported from random.randomToken.
function randomInt(min: number, max: number): number
Re-exported from random.randomInt.
function createSecurityHeaders(options: SecurityHeadersOptions = {}): HeaderMap
Re-exported from headers.createSecurityHeaders.
function mergeHeaders(...sets: Array<HeaderMap | undefined>): HeaderMap
Re-exported from headers.mergeHeaders.
function buildCorsHeaders(options: CorsOptions): HeaderMap
Re-exported from cors.buildCorsHeaders.
function serializeCookie(name: string, value: string, options: CookieOptions = {}): string
Re-exported from cookie.serializeCookie.
function parseCookieHeader(header: string): Record<string, string>
Re-exported from cookie.parseCookieHeader.
function signCookie(value: string, secret: BufferLike): string
Re-exported from cookie.signCookie.
function verifyCookie(signed: string, secret: BufferLike): string | null
Re-exported from cookie.verifyCookie.
function sealCookie(value: string, secret: BufferLike): string
Re-exported from cookie.sealCookie.
function unsealCookie(sealed: string, secret: BufferLike): string | null
Re-exported from cookie.unsealCookie.
function issueToken(
payload: Record<string, unknown>,
secret: BufferLike,
options: IssueTokenOptions = {
}
): string
Re-exported from token.issueToken.
function verifyToken(
token: string,
secret: BufferLike,
options: VerifyTokenOptions = {
}
): Record<string, unknown> | null
Re-exported from token.verifyToken.
function hashPassword(password: string, options: HashPasswordOptions = {}): string
Re-exported from password.hashPassword.
function verifyPassword(password: string, record: string): boolean
Re-exported from password.verifyPassword.
async function generateJwk(options: GenerateJwkOptions): Promise<JsonWebKeyLike>
Re-exported from jwk.generateJwk.
async function importJwk(jwk: JsonWebKeyLike, usages: string[] = []): Promise<CryptoKey>
Re-exported from jwk.importJwk.
async function exportPublicJwk(key: JsonWebKeyLike | CryptoKey): Promise<JsonWebKeyLike>
Re-exported from jwk.exportPublicJwk.
async function jwkThumbprint(jwk: JsonWebKeyLike): Promise<string>
Re-exported from jwk.jwkThumbprint.
function selectJwk(
jwks: JsonWebKeySet | JsonWebKeyLike[],
selector: JwkSelector
): JsonWebKeyLike | undefined
Re-exported from jwk.selectJwk.
function jwkFromSecret(secret: string | Uint8Array, alg = 'HS256', kid?: string): JsonWebKeyLike
Re-exported from jwk.jwkFromSecret.
async function jwtSign(
payload: Record<string, unknown>,
key: JsonWebKeyLike,
options: JwtSignOptions
): Promise<string>
Re-exported from jwt.jwtSign.
async function jwtVerify(
token: string,
keys: JwtKeyInput,
options: JwtVerifyOptions = {
}
): Promise<JwtResult>
Re-exported from jwt.jwtVerify.
async function jwtEncrypt(
payload: Record<string, unknown>,
key: JsonWebKeyLike,
options: JwtEncryptOptions
): Promise<string>
Re-exported from jwt.jwtEncrypt.
async function jwtDecrypt(token: string, keys: JwtKeyInput): Promise<JwtResult>
Re-exported from jwt.jwtDecrypt.
async function discoverOAuthMetadata(
issuer: string | URL,
options: OAuthDiscoveryOptions = {
}
): Promise<OAuthMetadata>
Re-exported from oauth.discoverOAuthMetadata.
async function discoverOpenIdProvider(
issuer: string | URL,
options: OAuthDiscoveryOptions = {
}
): Promise<OAuthMetadata>
Re-exported from oauth.discoverOpenIdProvider.
async function createPkce(options: PkceOptions = {}): Promise<PkceMaterial>
Re-exported from oauth.createPkce.
function authorizationUrl(options: AuthorizationUrlOptions): URL
Re-exported from oauth.authorizationUrl.
async function exchangeAuthorizationCode(
options: ExchangeAuthorizationCodeOptions
): Promise<Record<string, unknown>>
Re-exported from oauth.exchangeAuthorizationCode.
async function refreshAccessToken(
options: RefreshAccessTokenOptions
): Promise<Record<string, unknown>>
Re-exported from oauth.refreshAccessToken.
function oauthLogin(options: OAuthLoginOptions)
Re-exported from oauth.oauthLogin.
function oauthCallback(options: OAuthCallbackOptions)
Re-exported from oauth.oauthCallback.
async function verifyIdToken(token: string, keys: JwtKeyInput, options: JwtVerifyOptions = {})
Re-exported from oauth.verifyIdToken.
async function verifyBearerJwt(
header: string | null,
keys: JwtKeyInput,
options: JwtVerifyOptions = {
}
)
Re-exported from oauth.verifyBearerJwt.
function bearerAuth(keys: JwtKeyInput, options: JwtVerifyOptions = {})
Re-exported from oauth.bearerAuth.
Types
type HeaderMap = Record<string, string>
Re-exported from headers.HeaderMap.
type BufferLike = SecurityBufferLike
Re-exported from cookie.BufferLike.
type JsonWebKeyLike = Record<string, unknown>
Re-exported from jwk.JsonWebKeyLike.
type JwtAlgorithm = 'HS256' | 'HS384' | 'HS512' | 'RS256' | 'RS384' | 'RS512' | 'PS256' | 'PS384' | 'PS512' | 'ES256' | 'ES384' | 'ES512'
Re-exported from jwt.JwtAlgorithm.
type JweAlgorithm = 'dir' | 'RSA-OAEP' | 'RSA-OAEP-256'
Re-exported from jwt.JweAlgorithm.
type JweEncryption = 'A128GCM' | 'A256GCM'
Re-exported from jwt.JweEncryption.
type JwtKeyInput = JsonWebKeyLike | JsonWebKeySet | JsonWebKeyLike[]
Re-exported from jwt.JwtKeyInput.
type OAuthMetadata = Record<string, unknown> & {
authorization_endpoint?: string;
token_endpoint?: string;
jwks_uri?: string;
issuer?: string;
}
Re-exported from oauth.OAuthMetadata.
Interfaces
interface SecurityHeadersOptions {
Re-exported from headers.SecurityHeadersOptions.
interface CorsOptions {
Re-exported from cors.CorsOptions.
interface CookieOptions {
Re-exported from cookie.CookieOptions.
interface IssueTokenOptions {
Re-exported from token.IssueTokenOptions.
interface VerifyTokenOptions {
Re-exported from token.VerifyTokenOptions.
interface HashPasswordOptions {
Re-exported from password.HashPasswordOptions.
interface JsonWebKeySet {
Re-exported from jwk.JsonWebKeySet.
interface GenerateJwkOptions {
Re-exported from jwk.GenerateJwkOptions.
interface JwkSelector {
Re-exported from jwk.JwkSelector.
interface JwtSignOptions {
Re-exported from jwt.JwtSignOptions.
interface JwtVerifyOptions {
Re-exported from jwt.JwtVerifyOptions.
interface JwtEncryptOptions {
Re-exported from jwt.JwtEncryptOptions.
interface JwtResult {
Re-exported from jwt.JwtResult.
interface OAuthProvider {
Re-exported from oauth.OAuthProvider.
interface OAuthDiscoveryOptions {
Re-exported from oauth.OAuthDiscoveryOptions.
interface PkceMaterial {
Re-exported from oauth.PkceMaterial.
interface PkceOptions {
Re-exported from oauth.PkceOptions.
interface AuthorizationUrlOptions {
Re-exported from oauth.AuthorizationUrlOptions.
interface ExchangeAuthorizationCodeOptions {
Re-exported from oauth.ExchangeAuthorizationCodeOptions.
interface RefreshAccessTokenOptions {
Re-exported from oauth.RefreshAccessTokenOptions.
interface OAuthLoginOptions {
Re-exported from oauth.OAuthLoginOptions.
interface OAuthCallbackResult {
Re-exported from oauth.OAuthCallbackResult.
interface OAuthCallbackOptions {
Re-exported from oauth.OAuthCallbackOptions.
Classes
class CookieJar {
Re-exported from cookie.CookieJar.