src/lib/finalist-token.ts

import { createHmac, timingSafeEqual } from 'crypto'

export type FinalistTokenPayload = {
  confirmationId: string
  /** Unix seconds. Token is rejected after this. */
  exp: number
}

function getSecret(): string {
  const s = process.env.NEXTAUTH_SECRET
  if (!s) throw new Error('NEXTAUTH_SECRET is not set; cannot sign finalist tokens')
  return s
}

function hmac(payloadB64: string): string {
  return createHmac('sha256', getSecret()).update(payloadB64).digest('hex')
}

export function signFinalistToken(payload: FinalistTokenPayload): string {
  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url')
  const sig = hmac(payloadB64)
  return `${payloadB64}.${sig}`
}

export function verifyFinalistToken(token: string): FinalistTokenPayload {
  const parts = token.split('.')
  if (parts.length !== 2) throw new Error('Invalid finalist token: malformed')
  const [payloadB64, sig] = parts
  const expected = hmac(payloadB64)
  const a = Buffer.from(sig, 'hex')
  const b = Buffer.from(expected, 'hex')
  if (a.length !== b.length || !timingSafeEqual(a, b)) {
    throw new Error('Invalid finalist token: signature mismatch')
  }
  let payload: FinalistTokenPayload
  try {
    payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf-8'))
  } catch {
    throw new Error('Invalid finalist token: payload not parseable')
  }
  if (typeof payload.exp !== 'number' || payload.exp < Math.floor(Date.now() / 1000)) {
    throw new Error('Invalid finalist token: expired')
  }
  return payload
}
feat: HMAC-signed finalist confirmation token 2026-04-28 17:50:17 +02:00			`import { createHmac, timingSafeEqual } from 'crypto'`

			`export type FinalistTokenPayload = {`
			`confirmationId: string`
			`/** Unix seconds. Token is rejected after this. */`
			`exp: number`
			`}`

			`function getSecret(): string {`
			`const s = process.env.NEXTAUTH_SECRET`
			`if (!s) throw new Error('NEXTAUTH_SECRET is not set; cannot sign finalist tokens')`
			`return s`
			`}`

			`function hmac(payloadB64: string): string {`
			`return createHmac('sha256', getSecret()).update(payloadB64).digest('hex')`
			`}`

			`export function signFinalistToken(payload: FinalistTokenPayload): string {`
			`const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64url')`
			`const sig = hmac(payloadB64)`
			return `${payloadB64}.${sig}`
			`}`

			`export function verifyFinalistToken(token: string): FinalistTokenPayload {`
			`const parts = token.split('.')`
			`if (parts.length !== 2) throw new Error('Invalid finalist token: malformed')`
			`const [payloadB64, sig] = parts`
			`const expected = hmac(payloadB64)`
			`const a = Buffer.from(sig, 'hex')`
			`const b = Buffer.from(expected, 'hex')`
			`if (a.length !== b.length \|\| !timingSafeEqual(a, b)) {`
			`throw new Error('Invalid finalist token: signature mismatch')`
			`}`
			`let payload: FinalistTokenPayload`
			`try {`
			`payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf-8'))`
			`} catch {`
			`throw new Error('Invalid finalist token: payload not parseable')`
			`}`
			`if (typeof payload.exp !== 'number' \|\| payload.exp < Math.floor(Date.now() / 1000)) {`
			`throw new Error('Invalid finalist token: expired')`
			`}`
			`return payload`
			`}`