"use strict"; var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", { value: true }); exports.signActorToken = signActorToken; exports.verifyActorToken = verifyActorToken; exports.verifyAnyActorToken = verifyAnyActorToken; const jsonwebtoken_1 = __importDefault(require("jsonwebtoken")); const ISSUER = 'rentaldrivego-api'; const ALG = ['HS256']; function getJwtSecret() { const secret = process.env.JWT_SECRET; if (!secret) throw new Error('JWT_SECRET is required'); return secret; } function signActorToken(actorId, actorType, options = {}) { const { sessionVersion, last2faAt, ...signOptions } = options; return jsonwebtoken_1.default.sign({ sub: actorId, type: actorType, ...(sessionVersion === undefined ? {} : { sessionVersion }), ...(last2faAt === undefined ? {} : { last2faAt }), }, getJwtSecret(), { algorithm: 'HS256', issuer: ISSUER, audience: actorType, expiresIn: signOptions.expiresIn ?? '8h', }); } function verifyActorToken(token, expectedType) { const payload = jsonwebtoken_1.default.verify(token, getJwtSecret(), { algorithms: ALG, issuer: ISSUER, audience: expectedType, }); if (typeof payload.sub !== 'string' || payload.type !== expectedType) { throw new Error('Invalid actor token'); } return payload; } function verifyAnyActorToken(token) { const decoded = jsonwebtoken_1.default.decode(token); const actorType = decoded?.type; if (actorType !== 'admin' && actorType !== 'employee' && actorType !== 'renter') { throw new Error('Invalid actor token'); } return verifyActorToken(token, actorType); } //# sourceMappingURL=tokens.js.map