FastAPI and TypeScript improved

backends/mizan-ts/src/token.ts

@@ -0,0 +1,110 @@
+/**
+ * MWT / JWT decode — HS256 verification, cross-language parity with
+ * cores/mizan-python/src/mizan_core/mwt.py.
+ *
+ * Returns null on ANY failure (bad signature, expired, future nbf, wrong
+ * aud, malformed). Never throws.
+ */
+
+import { createHmac, timingSafeEqual } from 'crypto'
+import type { Identity } from './identity'
+
+export interface MwtPayload {
+    sub: string
+    staff: boolean
+    super: boolean
+    pkey: string
+    kid: string
+    aud: string
+    iat: number
+    exp: number
+}
+
+function base64urlDecode(input: string): Buffer | null {
+    if (!/^[A-Za-z0-9_-]*$/.test(input)) return null
+    return Buffer.from(input, 'base64url')
+}
+
+function constantTimeEqual(a: Buffer, b: Buffer): boolean {
+    if (a.length !== b.length) return false
+    return timingSafeEqual(a, b)
+}
+
+/**
+ * Decode and validate an MWT (HS256 JWT with Mizan claims).
+ * Returns MwtPayload on success, null on any failure.
+ */
+export function decodeMwt(
+    token: string,
+    secret: string,
+    audience: string = 'mizan',
+): MwtPayload | null {
+    try {
+        const parts = token.split('.')
+        if (parts.length !== 3) return null
+        const [headerB64, payloadB64, signatureB64] = parts
+
+        const headerBytes = base64urlDecode(headerB64)
+        const payloadBytes = base64urlDecode(payloadB64)
+        const signatureBytes = base64urlDecode(signatureB64)
+        if (!headerBytes || !payloadBytes || !signatureBytes) return null
+
+        const header = JSON.parse(headerBytes.toString('utf-8'))
+        if (header.alg !== 'HS256') return null
+
+        // Recompute HMAC over `${headerB64}.${payloadB64}`
+        const expected = createHmac('sha256', secret)
+            .update(`${headerB64}.${payloadB64}`)
+            .digest()
+        if (!constantTimeEqual(expected, signatureBytes)) return null
+
+        const data = JSON.parse(payloadBytes.toString('utf-8'))
+
+        const now = Math.floor(Date.now() / 1000)
+        if (typeof data.exp !== 'number' || data.exp <= now) return null
+        if (data.nbf !== undefined && typeof data.nbf === 'number' && data.nbf > now) return null
+        if (data.aud !== audience) return null
+
+        const kid = typeof header.kid === 'string' ? header.kid : 'v1'
+
+        return {
+            sub: String(data.sub),
+            staff: Boolean(data.staff),
+            super: Boolean(data.super),
+            pkey: typeof data.pkey === 'string' ? data.pkey : '',
+            kid,
+            aud: audience,
+            iat: data.iat,
+            exp: data.exp,
+        }
+    } catch {
+        return null
+    }
+}
+
+/**
+ * Decode a Bearer JWT from an Authorization header value.
+ * Strips the "Bearer " prefix, then validates as an MWT.
+ */
+export function decodeJwtBearer(
+    authHeader: string,
+    secret: string,
+    audience: string = 'mizan',
+): MwtPayload | null {
+    if (!authHeader) return null
+    const prefix = 'Bearer '
+    const token = authHeader.startsWith(prefix)
+        ? authHeader.slice(prefix.length)
+        : authHeader
+    return decodeMwt(token, secret, audience)
+}
+
+/** Build an Identity from a decoded MWT payload. */
+export function identityFromMwt(payload: MwtPayload): Identity {
+    return {
+        isAuthenticated: true,
+        isStaff: payload.staff,
+        isSuperuser: payload.super,
+        id: Number(payload.sub),
+    }
+}