feat(jose): add key derivation support to createJWT (#45)

* feat(jose): add key derivation support to createJWT

* chore(jose): update createJWT implementation

* feat(core): re-export `encryptJWE` and `decryptJWE`

* docs: update `CHANGELOG.md` files

Author: halvaradop

packages/core/CHANGELOG.md

@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 ## [Unreleased]
 
+### Added
+
+- Re-export the `encryptJWE` and `decryptJWE` functions for JWEs (Json Web Encryption) from the `jose` instance created from `createAuth` function. These functions are used internally for session and csrf token management and can be consumed for external reasons designed by the users. [#45](https://github.com/aura-stack-ts/auth/pull/45)
+
 ### Changed
 
 - Updated `cookies` configuration option in `createAuth` function to support granular per-cookie settings for all internal cookies used by Aura Auth (e.g., `state`, `redirect_to`, `code_verifier`, `sessionToken`, and `csrfToken`) using the overrides object. Renamed `name` to `prefix` field to add to all of the cookies (without cookie prefixes). [#43](https://github.com/aura-stack-ts/auth/pull/43)

packages/core/src/@types/index.ts

@@ -190,6 +190,8 @@ export interface JoseInstance {
     encodeJWT: (payload: JWTPayload) => Promise<string>
     signJWS: (payload: JWTPayload) => Promise<string>
     verifyJWS: (payload: string) => Promise<JWTPayload>
+    encryptJWE: (payload: string) => Promise<string>
+    decryptJWE: (payload: string) => Promise<string>
 }
 
 /**

packages/core/src/actions/callback/access-token.ts

@@ -1,7 +1,7 @@
+import { formatZodError } from "@/utils.js"
 import { AuthInternalError, OAuthProtocolError } from "@/errors.js"
 import { OAuthAccessToken, OAuthAccessTokenErrorResponse, OAuthAccessTokenResponse } from "@/schemas.js"
 import type { OAuthProviderCredentials } from "@/@types/index.js"
-import { formatZodError } from "@/utils.js"
 
 /**
  * Make a request to the OAuth provider to the token endpoint to exchange the authorization code provided
@@ -22,7 +22,7 @@ export const createAccessToken = async (
 ) => {
     const parsed = OAuthAccessToken.safeParse({ ...oauthConfig, redirectURI, code, codeVerifier })
     if (!parsed.success) {
-        const msg = formatZodError(parsed.error).toString()
+        const msg = JSON.stringify(formatZodError(parsed.error), null, 2)
         throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg)
     }
     const { accessToken, clientId, clientSecret, code: codeParsed, redirectURI: redirectParsed } = parsed.data

packages/core/src/actions/callback/userinfo.ts

@@ -49,10 +49,10 @@ export const getUserInfo = async (oauthConfig: OAuthProviderCredentials, accessT
         }
         return oauthConfig?.profile ? oauthConfig.profile(json) : getDefaultUserInfo(json)
     } catch (error) {
-        if(isOAuthProtocolError(error)) {
+        if (isOAuthProtocolError(error)) {
             throw error
         }
-        if(isNativeError(error)) {
+        if (isNativeError(error)) {
             throw new OAuthProtocolError("invalid_request", error.message, "", { cause: error })
         }
         throw new OAuthProtocolError("invalid_request", "Failed to fetch user information.", "", { cause: error })

packages/core/src/actions/signIn/authorization.ts

@@ -1,7 +1,7 @@
 import { isValidURL } from "@/assert.js"
 import { OAuthAuthorization } from "@/schemas.js"
-import { equals, formatZodError, getNormalizedOriginPath, sanitizeURL, toCastCase } from "@/utils.js"
 import { AuthInternalError, AuthSecurityError, isAuthSecurityError } from "@/errors.js"
+import { equals, formatZodError, getNormalizedOriginPath, sanitizeURL, toCastCase } from "@/utils.js"
 import type { OAuthProviderCredentials } from "@/@types/index.js"
 
 /**
@@ -26,7 +26,6 @@ export const createAuthorizationURL = (
     const parsed = OAuthAuthorization.safeParse({ ...oauthConfig, redirectURI, state, codeChallenge, codeChallengeMethod })
     if (!parsed.success) {
         const msg = JSON.stringify(formatZodError(parsed.error), null, 2)
-        console.log("OAuth Authorization URL Creation Error:", msg)
         throw new AuthInternalError("INVALID_OAUTH_CONFIGURATION", msg)
     }
     const { authorizeURL, ...options } = parsed.data

packages/core/src/jose.ts

@@ -1,7 +1,7 @@
 import "dotenv/config"
-import { createJWT, createJWS, createDeriveKey } from "@aura-stack/jose"
-import { createDerivedSalt } from "./secure.js"
-import { AuthInternalError } from "./errors.js"
+import { createJWT, createJWS, createJWE, createDeriveKey } from "@aura-stack/jose"
+import { createDerivedSalt } from "@/secure.js"
+import { AuthInternalError } from "@/errors.js"
 export type { JWTPayload } from "@aura-stack/jose/jose"
 
 /**
@@ -16,20 +16,27 @@ export type { JWTPayload } from "@aura-stack/jose/jose"
 export const createJoseInstance = (secret?: string) => {
     secret ??= process.env.AURA_AUTH_SECRET!
     if (!secret) {
-        throw new AuthInternalError("JOSE_INITIALIZATION_FAILED", "AURA_AUTH_SECRET environment variable is not set and no secret was provided.")
+        throw new AuthInternalError(
+            "JOSE_INITIALIZATION_FAILED",
+            "AURA_AUTH_SECRET environment variable is not set and no secret was provided."
+        )
     }
 
     const salt = process.env.AURA_AUTH_SALT ?? createDerivedSalt(secret)
-    const { derivedKey: derivedSessionKey } = createDeriveKey(secret, salt, "session")
+    const { derivedKey: derivedSigningKey } = createDeriveKey(secret, salt, "signing")
+    const { derivedKey: derivedEncryptionKey } = createDeriveKey(secret, salt, "encryption")
     const { derivedKey: derivedCsrfTokenKey } = createDeriveKey(secret, salt, "csrfToken")
 
-    const { decodeJWT, encodeJWT } = createJWT(derivedSessionKey)
+    const { decodeJWT, encodeJWT } = createJWT({ jws: derivedSigningKey, jwe: derivedEncryptionKey })
     const { signJWS, verifyJWS } = createJWS(derivedCsrfTokenKey)
+    const { encryptJWE, decryptJWE } = createJWE(derivedEncryptionKey)
 
     return {
         decodeJWT,
         encodeJWT,
         signJWS,
         verifyJWS,
+        encryptJWE,
+        decryptJWE,
     }
 }

packages/core/src/utils.ts

@@ -111,10 +111,7 @@ export const isValidRelativePath = (path: string | undefined | null): boolean =>
 export const onErrorHandler: RouterConfig["onError"] = (error) => {
     if (isRouterError(error)) {
         const { message, status, statusText } = error
-        return Response.json(
-            { type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message },
-            { status, statusText }
-        )
+        return Response.json({ type: "ROUTER_ERROR", code: "ROUTER_INTERNAL_ERROR", message }, { status, statusText })
     }
     if (isInvalidZodSchemaError(error)) {
         return Response.json({ type: "ROUTER_ERROR", code: "INVALID_REQUEST", message: error.errors }, { status: 422 })

packages/jose/CHANGELOG.md

@@ -8,6 +8,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 
 ## [Unreleased]
 
+### Added
+
+- Added Key derivation support to `createJWT`, `encodeJWT` and `decodeJWT` functions which allows to pass the separated keys for signing and encrypting the JWTs using the `jws` and `jwe` properties as argument in the functions. [#45](https://github.com/aura-stack-ts/auth/pull/45)
+
 ---
 
 ## [0.1.0] - 2025-12-28

packages/jose/src/assert.ts

@@ -12,11 +12,14 @@ export const isFalsy = (value: unknown): boolean => {
     return value === null || value === undefined || value === false || value === 0 || value === "" || Number.isNaN(value)
 }
 
+export const isObject = (value: unknown): value is Record<string, unknown> => {
+    return typeof value === "object" && value !== null && !Array.isArray(value)
+}
+
 export const isInvalidPayload = (payload: unknown): boolean => {
     return (
         isFalsy(payload) ||
-        typeof payload !== "object" ||
-        Array.isArray(payload) ||
+        !isObject(payload) ||
         (typeof payload === "object" && payload !== null && !Array.isArray(payload) && Object.keys(payload).length === 0)
     )
 }

packages/jose/src/encrypt.ts

@@ -22,7 +22,7 @@ export interface EncryptedPayload {
  */
 export const encryptJWE = async (payload: string, secret: SecretInput) => {
     try {
-        if(isFalsy(payload)) {
+        if (isFalsy(payload)) {
             throw new InvalidPayloadError("The payload must be a non-empty string")
         }
         const secretKey = createSecret(secret)
@@ -52,7 +52,7 @@ export const encryptJWE = async (payload: string, secret: SecretInput) => {
  */
 export const decryptJWE = async (token: string, secret: SecretInput) => {
     try {
-        if(isFalsy(token)) {
+        if (isFalsy(token)) {
             throw new InvalidPayloadError("The token must be a non-empty string")
         }
         const secretKey = createSecret(secret)