js/security

js/security/index.ts

fino:security provides compact helpers for common backend security tasks.

The module includes cryptographic random bytes and tokens, security and CORS header builders, signed or sealed cookies, PBKDF2 password records, JWK/JWKS utilities, compact JWT/JWE helpers, and signed opaque JSON tokens.

Learn more:

import { createSecurityHeaders, randomToken } from 'fino:security';

const headers = createSecurityHeaders();
const token = randomToken();

Functions

function randomBytes(length: number): Uint8Array

Re-exported from random.randomBytes.

function randomBase64Url(length = 32): string

Re-exported from random.randomBase64Url.

function randomToken(bytes = 32): string

Re-exported from random.randomToken.

function randomInt(min: number, max: number): number

Re-exported from random.randomInt.

function createSecurityHeaders(options: SecurityHeadersOptions = {}): HeaderMap

Re-exported from headers.createSecurityHeaders.

function mergeHeaders(...sets: Array<HeaderMap | undefined>): HeaderMap

Re-exported from headers.mergeHeaders.

function buildCorsHeaders(options: CorsOptions): HeaderMap

Re-exported from cors.buildCorsHeaders.

function serializeCookie(name: string, value: string, options: CookieOptions = {}): string

Re-exported from cookie.serializeCookie.

function parseCookieHeader(header: string): Record<string, string>

Re-exported from cookie.parseCookieHeader.

function signCookie(value: string, secret: BufferLike): string

Re-exported from cookie.signCookie.

function verifyCookie(signed: string, secret: BufferLike): string | null

Re-exported from cookie.verifyCookie.

function sealCookie(value: string, secret: BufferLike): string

Re-exported from cookie.sealCookie.

function unsealCookie(sealed: string, secret: BufferLike): string | null

Re-exported from cookie.unsealCookie.

function issueToken( payload: Record<string, unknown>, secret: BufferLike, options: IssueTokenOptions = { } ): string

Re-exported from token.issueToken.

function verifyToken( token: string, secret: BufferLike, options: VerifyTokenOptions = { } ): Record<string, unknown> | null

Re-exported from token.verifyToken.

function hashPassword(password: string, options: HashPasswordOptions = {}): string

Re-exported from password.hashPassword.

function verifyPassword(password: string, record: string): boolean

Re-exported from password.verifyPassword.

async function generateJwk(options: GenerateJwkOptions): Promise<JsonWebKeyLike>

Re-exported from jwk.generateJwk.

async function importJwk(jwk: JsonWebKeyLike, usages: string[] = []): Promise<CryptoKey>

Re-exported from jwk.importJwk.

async function exportPublicJwk(key: JsonWebKeyLike | CryptoKey): Promise<JsonWebKeyLike>

Re-exported from jwk.exportPublicJwk.

async function jwkThumbprint(jwk: JsonWebKeyLike): Promise<string>

Re-exported from jwk.jwkThumbprint.

function selectJwk( jwks: JsonWebKeySet | JsonWebKeyLike[], selector: JwkSelector ): JsonWebKeyLike | undefined

Re-exported from jwk.selectJwk.

function jwkFromSecret(secret: string | Uint8Array, alg = 'HS256', kid?: string): JsonWebKeyLike

Re-exported from jwk.jwkFromSecret.

async function jwtSign( payload: Record<string, unknown>, key: JsonWebKeyLike, options: JwtSignOptions ): Promise<string>

Re-exported from jwt.jwtSign.

async function jwtVerify( token: string, keys: JwtKeyInput, options: JwtVerifyOptions = { } ): Promise<JwtResult>

Re-exported from jwt.jwtVerify.

async function jwtEncrypt( payload: Record<string, unknown>, key: JsonWebKeyLike, options: JwtEncryptOptions ): Promise<string>

Re-exported from jwt.jwtEncrypt.

async function jwtDecrypt(token: string, keys: JwtKeyInput): Promise<JwtResult>

Re-exported from jwt.jwtDecrypt.

async function discoverOAuthMetadata( issuer: string | URL, options: OAuthDiscoveryOptions = { } ): Promise<OAuthMetadata>

Re-exported from oauth.discoverOAuthMetadata.

async function discoverOpenIdProvider( issuer: string | URL, options: OAuthDiscoveryOptions = { } ): Promise<OAuthMetadata>

Re-exported from oauth.discoverOpenIdProvider.

async function createPkce(options: PkceOptions = {}): Promise<PkceMaterial>

Re-exported from oauth.createPkce.

function authorizationUrl(options: AuthorizationUrlOptions): URL

Re-exported from oauth.authorizationUrl.

async function exchangeAuthorizationCode( options: ExchangeAuthorizationCodeOptions ): Promise<Record<string, unknown>>

Re-exported from oauth.exchangeAuthorizationCode.

async function refreshAccessToken( options: RefreshAccessTokenOptions ): Promise<Record<string, unknown>>

Re-exported from oauth.refreshAccessToken.

function oauthLogin(options: OAuthLoginOptions)

Re-exported from oauth.oauthLogin.

function oauthCallback(options: OAuthCallbackOptions)

Re-exported from oauth.oauthCallback.

async function verifyIdToken(token: string, keys: JwtKeyInput, options: JwtVerifyOptions = {})

Re-exported from oauth.verifyIdToken.

async function verifyBearerJwt( header: string | null, keys: JwtKeyInput, options: JwtVerifyOptions = { } )

Re-exported from oauth.verifyBearerJwt.

function bearerAuth(keys: JwtKeyInput, options: JwtVerifyOptions = {})

Re-exported from oauth.bearerAuth.

Types

type HeaderMap = Record<string, string>

Re-exported from headers.HeaderMap.

type BufferLike = SecurityBufferLike

Re-exported from cookie.BufferLike.

type JsonWebKeyLike = Record<string, unknown>

Re-exported from jwk.JsonWebKeyLike.

type JwtAlgorithm = 'HS256' | 'HS384' | 'HS512' | 'RS256' | 'RS384' | 'RS512' | 'PS256' | 'PS384' | 'PS512' | 'ES256' | 'ES384' | 'ES512'

Re-exported from jwt.JwtAlgorithm.

type JweAlgorithm = 'dir' | 'RSA-OAEP' | 'RSA-OAEP-256'

Re-exported from jwt.JweAlgorithm.

type JweEncryption = 'A128GCM' | 'A256GCM'

Re-exported from jwt.JweEncryption.

type JwtKeyInput = JsonWebKeyLike | JsonWebKeySet | JsonWebKeyLike[]

Re-exported from jwt.JwtKeyInput.

type OAuthMetadata = Record<string, unknown> & { authorization_endpoint?: string; token_endpoint?: string; jwks_uri?: string; issuer?: string; }

Re-exported from oauth.OAuthMetadata.

Interfaces

interface SecurityHeadersOptions {

Re-exported from headers.SecurityHeadersOptions.

interface CorsOptions {

Re-exported from cors.CorsOptions.

interface CookieOptions {

Re-exported from cookie.CookieOptions.

interface IssueTokenOptions {

Re-exported from token.IssueTokenOptions.

interface VerifyTokenOptions {

Re-exported from token.VerifyTokenOptions.

interface HashPasswordOptions {

Re-exported from password.HashPasswordOptions.

interface JsonWebKeySet {

Re-exported from jwk.JsonWebKeySet.

interface GenerateJwkOptions {

Re-exported from jwk.GenerateJwkOptions.

interface JwkSelector {

Re-exported from jwk.JwkSelector.

interface JwtSignOptions {

Re-exported from jwt.JwtSignOptions.

interface JwtVerifyOptions {

Re-exported from jwt.JwtVerifyOptions.

interface JwtEncryptOptions {

Re-exported from jwt.JwtEncryptOptions.

interface JwtResult {

Re-exported from jwt.JwtResult.

interface OAuthProvider {

Re-exported from oauth.OAuthProvider.

interface OAuthDiscoveryOptions {

Re-exported from oauth.OAuthDiscoveryOptions.

interface PkceMaterial {

Re-exported from oauth.PkceMaterial.

interface PkceOptions {

Re-exported from oauth.PkceOptions.

interface AuthorizationUrlOptions {

Re-exported from oauth.AuthorizationUrlOptions.

interface ExchangeAuthorizationCodeOptions {

Re-exported from oauth.ExchangeAuthorizationCodeOptions.

interface RefreshAccessTokenOptions {

Re-exported from oauth.RefreshAccessTokenOptions.

interface OAuthLoginOptions {

Re-exported from oauth.OAuthLoginOptions.

interface OAuthCallbackResult {

Re-exported from oauth.OAuthCallbackResult.

interface OAuthCallbackOptions {

Re-exported from oauth.OAuthCallbackOptions.

Classes

class CookieJar {

Re-exported from cookie.CookieJar.