
Comparing changes

base repository: honojs/hono
base: v4.11.1
head repository: honojs/hono
compare: v4.11.4
  • 17 commits
  • 29 files changed
  • 7 contributors

Commits on Dec 16, 2025

  1. d3abeb1

Commits on Dec 18, 2025

  1. fix(validator): preserve literal union types in input type inference (#4583)
    
    * fix(validator): preserve literal union types in input type inference
    
    * support optional
    
    * use `InferInput`
    
    * export InferInput
    
    * use `utils.ts`
    
    * ci: apply automated fixes
    
    ---------
    
    Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
    yusukebe and autofix-ci[bot] authored Dec 18, 2025
    bde9a03

Commits on Dec 22, 2025

  1. d454b31

Commits on Dec 25, 2025

  1. d8ea652
  2. 41ee1bb
  3. perf(types): reduce Simplify in ToSchema (#4597)

    * perf(types): reduce `Simplify` in `ToSchema`
    
    * ci: apply automated fixes
    
    ---------
    
    Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
    yusukebe and autofix-ci[bot] authored Dec 25, 2025
    b96b99f
  4. 27daf50
  5. 4.11.2

    yusukebe committed Dec 25, 2025
    6ca01ec

Commits on Dec 26, 2025

  1. fix(types): fix middleware union type merging in MergeMiddlewareResponse (#4602)
    
    * fix(types): fix middleware union type merging in MergeMiddlewareResponse
    
    * ci: apply automated fixes
    
    * specify `fetch` as app.request
    
    ---------
    
    Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
    yusukebe and autofix-ci[bot] authored Dec 26, 2025
    489af0b
  2. 4.11.3

    yusukebe committed Dec 26, 2025
    7997740

Commits on Jan 1, 2026

  1. 4e87275

Commits on Jan 9, 2026

  1. 8139399

Commits on Jan 10, 2026

  1. docs(bun/websocket): Fixed a typo in hono/bun deprecation message and updated the corresponding test (#4618)
    Itsnotaka authored Jan 10, 2026
    ef2a4b8

Commits on Jan 13, 2026

  1. Merge commit from fork

    * feat(utils/jwt): add JwtAlgorithmRequired error type
    
    Add a new error type to throw when algorithm is not specified
    during JWT verification. This is part of the security fix to
    prevent algorithm confusion attacks.
    
    * fix(utils/jwt): require alg parameter in verify function
    
    BREAKING CHANGE: The `alg` parameter is now required for JWT
    verification. This prevents algorithm confusion attacks where
    an attacker could forge tokens by exploiting the default
    HS256 fallback with asymmetric keys.
    
    - Remove HS256 default fallback in verify() function
    - Make algOrOptions parameter required
    - Add early validation for undefined algOrOptions
    - Add validation for undefined alg in options object
    
    * fix(middleware/jwt): require alg option in jwt middleware
    
    BREAKING CHANGE: The `alg` option is now required when using
    the JWT middleware. This prevents algorithm confusion attacks.
    
    - Make alg property required in options type
    - Add runtime validation to throw error if alg is not provided
    - Update JSDoc to reflect required alg parameter
    - Update example in documentation to include alg option
    
    * test(jwt): update tests to use required alg parameter
    
    Update existing tests to explicitly specify the alg parameter
    as it is now required. This is a necessary change due to the
    security fix that removes the default HS256 fallback.
    
    * test(jwt): add security tests for algorithm confusion prevention
    
    Add tests to verify the security fix prevents algorithm confusion
    attacks:
    
    - Test that verify() throws JwtAlgorithmRequired when alg is missing
    - Test that verify() throws when alg is undefined in options
    - Test that RS256 tokens cannot be verified with HS256 (attack scenario)
    - Test that middleware throws when alg option is not provided
    - Test that tokens with mismatched algorithms are rejected
    
    * fix(jwt): add algorithm mismatch check between header.alg and options.alg
    
    Add JwtAlgorithmMismatch error type and verify that the algorithm
    specified in the JWT header matches the algorithm provided in options.
    This prevents algorithm substitution attacks where an attacker might
    try to use a different algorithm than expected.
    
    - Add JwtAlgorithmMismatch error class in types.ts
    - Check header.alg === options.alg in verify() function
    - Update HS512/HS384 tests to use correct algorithm in verify
    - Add explicit test for algorithm mismatch detection
    - Update existing attack prevention test to expect JwtAlgorithmMismatch
    calloc134 authored Jan 13, 2026
    cc0aa7a
  2. a48ef18
  3. Merge commit from fork

    * feat(utils/jwt): add JwtAlgorithmMismatch and JwtSymmetricAlgorithmNotAllowed error types
    
    * fix(utils/jwt): prevent algorithm confusion attacks in verifyWithJwks
    
    - Reject symmetric algorithms (HS256/HS384/HS512) in JWK verification
    - Verify JWK alg matches JWT header alg when JWK has alg field
    - Use header.alg for verification instead of JWK alg fallback
    
    * test(utils/jwt): add security tests for verifyWithJwks
    
    - Update header.alg fallback test to use asymmetric algorithm (RS256)
    - Add tests for symmetric algorithm rejection (HS256/HS384/HS512)
    - Add test for algorithm mismatch between JWK and JWT header
    - Add test for algorithm confusion attack prevention
    
    * feat(utils/jwt): add JwtAlgorithmNotAllowed error type
    
    Add new error class for algorithm whitelist validation.
    This error is thrown when JWT's algorithm is not in the allowed list.
    
    * feat(utils/jwt): add algorithm whitelist support to verifyWithJwks
    
    Add optional allowedAlgorithms parameter to verifyWithJwks function.
    When specified, only tokens signed with algorithms in the whitelist
    will be accepted. This provides an additional layer of security by
    explicitly defining which algorithms are permitted.
    
    Validation order:
    1. Check algorithm against whitelist (if specified)
    2. Reject symmetric algorithms (HS256/HS384/HS512)
    3. Validate JWK alg matches header alg (if JWK has alg field)
    
    * feat(middleware/jwk): add alg option for algorithm whitelist
    
    Add alg option to JWK middleware to specify allowed algorithms.
    This option is passed to verifyWithJwks as allowedAlgorithms.
    
    Example usage:
      jwk({ keys, alg: ['RS256', 'ES256'] })
    
    * test(utils/jwt): add algorithm whitelist tests for verifyWithJwks
    
    Add tests for:
    - Reject algorithm not in whitelist
    - Accept algorithm in whitelist
    - Accept any asymmetric algorithm when whitelist not specified
    - Accept any asymmetric algorithm when whitelist is empty
    - Reject symmetric algorithm even if in whitelist
    
    * test(middleware/jwk): add algorithm whitelist tests
    
    Add tests for JWK middleware alg option:
    - Authorize RS256 token when RS256 is in whitelist
    - Reject token when algorithm is not in whitelist
    - Authorize RS256 token when multiple algorithms are in whitelist
    - Authorize RS256 token when no whitelist is specified
    
    * feat(utils/jwt): add AsymmetricAlgorithm and SymmetricAlgorithm type definitions
    
    - Added SymmetricAlgorithm type for HMAC algorithms: HS256, HS384, HS512
    - Added AsymmetricAlgorithm type for RSA/ECDSA/EdDSA algorithms
    - Enables compile-time prevention of algorithm confusion attacks
    
    * fix(utils/jwt): make allowedAlgorithms required in verifyWithJwks
    
    BREAKING CHANGE: allowedAlgorithms is now a required parameter with type AsymmetricAlgorithm[]
    
    - Changed allowedAlgorithms from optional to required
    - Changed type from SignatureAlgorithm[] to AsymmetricAlgorithm[]
    - Reordered validation: symmetric algorithm rejection before whitelist check
    - Prevents algorithm confusion attacks at both runtime and compile-time
    
    * fix(middleware/jwk): make alg option required
    
    BREAKING CHANGE: alg option is now required with type AsymmetricAlgorithm[]
    
    - Changed alg from optional to required
    - Changed type from SignatureAlgorithm[] to AsymmetricAlgorithm[]
    - Updated JSDoc to reflect breaking change
    - Ensures users must explicitly specify allowed algorithms
    
    * test(utils/jwt): update tests for required allowedAlgorithms
    
    - Added allowedAlgorithms: ['RS256'] to all verifyWithJwks calls
    - Removed tests for 'whitelist not specified' and 'empty whitelist' scenarios
    - Added comments explaining breaking changes
    - Renamed test to 'Should reject symmetric algorithm (HS256) in JWT header'
    
    * test(middleware/jwk): update tests for required alg option
    
    - Added alg: ['RS256'] to all jwk() middleware calls
    - Removed test for 'no whitelist' scenario (no longer applicable)
    - Added comments explaining breaking changes
    - Updated verifyWithJwks test to include allowedAlgorithms
    
    * test(utils/jwt): add type tests for algorithm type definitions
    
    - Added tests for SymmetricAlgorithm type (HS256, HS384, HS512)
    - Added tests for AsymmetricAlgorithm type (RS*, PS*, ES*, EdDSA)
    - Added tests for SignatureAlgorithm type (all 13 algorithms)
    - Tests verify type constraints at runtime
    
    * fix(test): resolve TypeScript errors in JWK middleware tests
    
    - Removed unused @ts-expect-error directive on line 40
    - Added @ts-expect-error for empty object test (line 210)
    - Added required alg option to crypto.subtle test (line 220)
    - All 115 tests still passing
    
    * refactor: use SymmetricAlgorithm type for symmetricAlgorithms array
    
    * fix(utils/jwt): cast header.alg to SymmetricAlgorithm to prevent type errors
    
    * fix(utils/jwt): update comment for clarity on algorithm validation
    
    ---------
    
    Co-authored-by: Yusuke Wada <yusuke@kamawada.com>
    calloc134 and yusukebe authored Jan 13, 2026
    190f6e2
  4. 4.11.4

    yusukebe committed Jan 13, 2026
    28452f0
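
The validation order described in the `verifyWithJwks` commit message above (190f6e2), written out as an added example: this is not Hono's code, and `selectVerificationAlg`, the reason strings, the `kid` lookup and the sample JWKS are assumptions made for illustration. It covers only the algorithm decision that precedes signature verification.

```javascript
// Added illustration; not Hono's source. All names here are hypothetical.
const SYMMETRIC = ['HS256', 'HS384', 'HS512'];

// Decode the protected header (first segment) of a compact JWT.
function decodeHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
}

// Decide which algorithm, if any, may be used to verify `token`.
// Order follows the final commit message: symmetric rejection first,
// then the allowlist, then the JWK's own alg field when it has one.
function selectVerificationAlg(token, jwks, allowedAlgorithms) {
  if (!Array.isArray(allowedAlgorithms)) {
    throw new TypeError('allowedAlgorithms is required');
  }
  const header = decodeHeader(token);
  if (SYMMETRIC.includes(header.alg)) {
    return { ok: false, reason: 'symmetric-alg' };
  }
  if (!allowedAlgorithms.includes(header.alg)) {
    return { ok: false, reason: 'alg-not-allowed' };
  }
  // Key selection by kid is an assumption of this sketch.
  const jwk = jwks.find((k) => k.kid === header.kid);
  if (!jwk) return { ok: false, reason: 'no-matching-key' };
  if (jwk.alg !== undefined && jwk.alg !== header.alg) {
    return { ok: false, reason: 'jwk-alg-mismatch' };
  }
  // The signature check then uses header.alg; no default is substituted.
  return { ok: true, alg: header.alg, jwk };
}

// Constructed sample input: tokens with a dummy payload and signature.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const makeToken = (header) => `${b64(header)}.${b64({ sub: 'demo' })}.c2ln`;
const sampleJwks = [
  { kid: 'k1', kty: 'RSA', alg: 'RS256' },
  { kid: 'k2', kty: 'RSA' }, // no alg field, so only the allowlist constrains it
];
```

Listing an HMAC algorithm in `allowedAlgorithms` does not admit it, because the symmetric check runs first.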