@anarchitects/auth-nest 0.4.2 → 0.5.0

package/README.md

@@ -2,36 +2,43 @@
 
 NestJS services, controllers, and infrastructure for the Anarchitecture authentication domain. This package wires contract-driven DTOs from `@anarchitects/auth-ts`, orchestrates user lifecycle flows (registration, activation, login/logout, password management, email verification), and persists auth state through pluggable repositories.
 
+## Developer + AI Agent Start Here
+
+- Read this README before generating integration code for `@anarchitects/auth-nest`.
+- Start with `AuthModule.forRoot(...)` or `AuthModule.forRootFromConfig(...)` from the root entry point unless you need explicit layered composition.
+- Keep shared mail transport setup at app root via `@anarchitects/common-nest-mailer`; keep auth mailer infrastructure adapter-only.
+- Use DTO contracts from `@anarchitects/auth-ts` and preserve `presentation -> application <- infrastructure` boundaries.
+
 ## Features
 
 - **Application layer** – `JwtAuthService`, `BcryptHashService`, JWT Passport strategy, CASL-based `PoliciesService` and `AbilityFactory` encapsulating business rules for tokens, passwords, and fine-grained access control.
 - **Presentation layer** – `AuthController` exposing REST handlers for the full auth lifecycle, `PoliciesGuard` and `@Policies()` decorator for route-level authorization.
 - **Infrastructure persistence** – `PersistenceModule` with TypeORM entities and repositories (users, roles, permissions, invalidated tokens). Configurable adapters to swap implementations while preserving the application contract.
-- **Infrastructure mailer** – `AuthMailerModule` wrapper over shared `CommonNodeMailerModule`; `NodeMailerAdapter` is re-exported for compatibility.
+- **Infrastructure mailer** – `AuthMailerModule` wrapper over shared `CommonMailerModule.forRoot(...)` provider wiring; `NodeMailerAdapter` is re-exported for compatibility.
 - **Config** – Typed `authConfig` namespace using `@nestjs/config` with an `InjectAuthConfig()` helper decorator.
 
 ## Installation
 
 ```bash
-npm install @anarchitects/auth-nest @anarchitects/common-nest-mailer
+npm install @anarchitects/auth-nest @nestjs/common @nestjs/config @nestjs/core @nestjs/jwt @nestjs/passport @nestjs/platform-fastify @nestjs/typeorm typeorm
 # or
-yarn add @anarchitects/auth-nest @anarchitects/common-nest-mailer
+yarn add @anarchitects/auth-nest @nestjs/common @nestjs/config @nestjs/core @nestjs/jwt @nestjs/passport @nestjs/platform-fastify @nestjs/typeorm typeorm
 ```
 
 Peer requirements:
 
 - `@nestjs/common`, `@nestjs/core`, `@nestjs/jwt`, `@nestjs/typeorm`, `@nestjs/config`, `@nestjs/passport`
-- `@anarchitects/auth-ts` for DTOs and shared models
-- `@casl/ability` for RBAC policy evaluation
-- `@nestjs-modules/mailer` (when using the mailer module)
+- `@nestjs/platform-fastify`, `typeorm`
+
+The internal `@anarchitects/auth-ts` and `@anarchitects/common-nest-mailer` packages are installed transitively. Runtime utilities such as `@casl/ability`, `bcrypt`, and `passport-jwt` are direct dependencies of this package. Add `@nestjs-modules/mailer` only when your host app enables the shared/common mailer integration.
 
 ## Exports
 
 | Import path                                          | Contents                                                                                                                                         |
 | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `@anarchitects/auth-nest`                            | `AuthModule.forRoot(...)`, plus re-exports of layered entry points for convenience                                                               |
-| `@anarchitects/auth-nest/application`                | `AuthApplicationModule`, `AuthService`, `JwtAuthService`, `HashService`, `BcryptHashService`, `PoliciesService`, `AbilityFactory`, `JwtStrategy` |
-| `@anarchitects/auth-nest/presentation`               | `AuthPresentationModule`, `AuthController`, `PoliciesGuard`, `@Policies()` decorator                                                             |
+| `@anarchitects/auth-nest`                            | `AuthModule.forRoot(...)`, `AuthModule.forRootFromConfig(...)`, plus re-exports of layered entry points for convenience                          |
+| `@anarchitects/auth-nest/application`                | `AuthApplicationModule`, `AuthService`, `JwtAuthService`, `HashService`, `BcryptHashService`, `PoliciesService`, `AbilityFactory`, `JwtStrategy`, resource-authorization helpers/types |
+| `@anarchitects/auth-nest/presentation`               | `AuthPresentationModule`, `AuthController`, `PoliciesGuard`, `ResourceAuthorizationGuard`, `@Policies()`, `@AuthorizeResource()`, `@AuthorizedResource()`, `RoutePolicy` |
 | `@anarchitects/auth-nest/infrastructure-persistence` | `AuthPersistenceModule`, `AuthUserRepository`, `TypeormAuthUserRepository`, migration                                                            |
 | `@anarchitects/auth-nest/infrastructure-mailer`      | `AuthMailerModule`, `NodeMailerAdapter`                                                                                                          |
 | `@anarchitects/auth-nest/config`                     | `authConfig`, `AuthConfig` type, `InjectAuthConfig()`                                                                                            |
@@ -48,6 +55,9 @@ The library reads configuration through `@nestjs/config` using a namespaced `aut
 | `AUTH_JWT_ISSUER`           | Expected `iss` claim in the JWT.                                                     | `your_issuer`            |
 | `AUTH_ENCRYPTION_ALGORITHM` | Password hashing algorithm (`bcrypt`).                                               | `bcrypt`                 |
 | `AUTH_ENCRYPTION_KEY`       | Symmetric key for additional encryption needs. **Must** be overridden in production. | `default_encryption_key` |
+| `AUTH_PERSISTENCE`          | Persistence adapter key used by `forRootFromConfig(...)`.                            | `typeorm`                |
+| `AUTH_MAILER_PROVIDER`      | Domain mailer provider for `forRootFromConfig(...)` (`node` or `noop`).              | `node`                   |
+| `AUTH_STRATEGIES`           | Comma-separated auth strategies for config-driven module composition.                | `jwt`                    |
 
 > **Security note:** The defaults for `AUTH_JWT_SECRET` and `AUTH_ENCRYPTION_KEY` are intentionally insecure placeholders. Always provide strong, unique values in any deployed environment.
 
@@ -97,18 +107,20 @@ import { authConfig } from '@anarchitects/auth-nest/config';
     }),
     CommonMailerModule.forRootFromConfig(),
     AuthModule.forRoot({
-      application: {
-        authStrategies: ['jwt'],
-        encryption: {
-          algorithm: 'bcrypt',
-          key: process.env.AUTH_ENCRYPTION_KEY!,
+      presentation: {
+        application: {
+          authStrategies: ['jwt'],
+          encryption: {
+            algorithm: 'bcrypt',
+            key: process.env.AUTH_ENCRYPTION_KEY!,
+          },
+          persistence: {
+            persistence: 'typeorm',
+          },
         },
       },
-      persistence: {
-        persistence: 'typeorm',
-      },
-      features: {
-        mailer: true,
+      mailer: {
+        provider: 'node',
       },
     }),
   ],
@@ -118,13 +130,15 @@ export class AuthApiModule {}
 
 `AuthModule.forRoot(...)` is the preferred integration path when you want a full auth stack with minimal host-module wiring.
 
+Use `AuthModule.forRootFromConfig()` when you want module composition fully driven by `AUTH_*`
+variables exposed via `authConfig`.
+
 Disable domain mailer wiring when not needed:
 
 ```ts
 AuthModule.forRoot({
-  application: { ... },
-  persistence: { persistence: 'typeorm' },
-  features: { mailer: false },
+  presentation: { application: { ... } },
+  mailer: { provider: 'noop' },
 });
 ```
 
@@ -136,7 +150,6 @@ import { ConfigModule } from '@nestjs/config';
 import { CommonMailerModule, mailerConfig } from '@anarchitects/common-nest-mailer';
 import { authConfig } from '@anarchitects/auth-nest/config';
 import { AuthApplicationModule } from '@anarchitects/auth-nest/application';
-import { AuthPersistenceModule } from '@anarchitects/auth-nest/infrastructure-persistence';
 import { AuthPresentationModule } from '@anarchitects/auth-nest/presentation';
 import { AuthMailerModule } from '@anarchitects/auth-nest/infrastructure-mailer';
 
@@ -153,10 +166,21 @@ import { AuthMailerModule } from '@anarchitects/auth-nest/infrastructure-mailer'
         algorithm: 'bcrypt',
         key: process.env.AUTH_ENCRYPTION_KEY!,
       },
+      persistence: { persistence: 'typeorm' },
+    }),
+    AuthPresentationModule.forRoot({
+      application: {
+        authStrategies: ['jwt'],
+        encryption: {
+          algorithm: 'bcrypt',
+          key: process.env.AUTH_ENCRYPTION_KEY!,
+        },
+        persistence: { persistence: 'typeorm' },
+      },
+    }),
+    AuthMailerModule.forRoot({
+      provider: 'node',
     }),
-    AuthPersistenceModule.forRoot({ persistence: 'typeorm' }),
-    AuthPresentationModule,
-    AuthMailerModule,
   ],
 })
 export class AuthApiModule {}
@@ -166,10 +190,11 @@ Use layered composition when you need to replace or selectively compose infrastr
 
 ## Mailer Migration Note
 
-`AuthMailerModule` is now adapter-only. It wraps the shared `CommonNodeMailerModule` from
-`@anarchitects/common-nest-mailer` and no longer configures transport with
+`AuthMailerModule` is now adapter-only. It wraps shared `CommonMailerModule.forRoot(...)`
+provider wiring from `@anarchitects/common-nest-mailer` and no longer configures transport with
 `MailerModule.forRootAsync(...)`.
-Configure transport once at app root with `CommonMailerModule` when `features.mailer` is enabled.
+Configure transport once at app root with `CommonMailerModule`.
+Set `mailer.provider: 'noop'` to disable active delivery behavior per domain.
 The shared mailer DI contract (`MailerPort`) and concrete `NodeMailerAdapter` now live in
 `@anarchitects/common-nest-mailer`.
 
@@ -202,20 +227,67 @@ await authUserRepository.invalidateTokens([hashedAccessToken, hashedRefreshToken
 ### Route-level authorization with policies
 
 ```ts
-import { Controller, Get, UseGuards } from '@nestjs/common';
-import { PoliciesGuard, Policies } from '@anarchitects/auth-nest/presentation';
+import { Controller, Patch, UseGuards } from '@nestjs/common';
+import { AuthorizedResource, AuthorizeResource, Policies, PoliciesGuard } from '@anarchitects/auth-nest/presentation';
 
-@Controller('admin')
+@Controller('posts')
 @UseGuards(PoliciesGuard)
-export class AdminController {
-  @Get()
-  @Policies({ action: 'manage', subject: 'User' })
-  getAdminDashboard() {
-    return { status: 'ok' };
+export class PostsController {
+  constructor(private readonly postsService: PostsService) {}
+
+  @Patch(':postId')
+  @Policies({ action: 'update', subject: 'Post' })
+  @AuthorizeResource({ action: 'update', subject: 'Post', idParam: 'postId' })
+  async updatePost(@AuthorizedResource() post: Post) {
+    return this.postsService.update(post);
   }
 }
 ```
 
+```ts
+import { AuthModule } from '@anarchitects/auth-nest';
+
+AuthModule.forRoot({
+  presentation: {
+    application: {
+      resourceAuthorization: {
+        loaders: {
+          Post: async ({ resourceId }) => postsRepository.findById(resourceId),
+        },
+      },
+    },
+  },
+});
+```
+
+`@Policies()` remains the coarse route-level pre-check. `@AuthorizeResource(...)` uses the app-registered loader to fetch the concrete entity, evaluates the instance-level CASL rule behind the scenes, and attaches the authorized resource to the request so `@AuthorizedResource()` can read it in the handler.
+
+## Authorization Model
+
+CASL integration in `@anarchitects/auth-nest` is intentionally split into two layers:
+
+- `@Policies()` uses `RoutePolicy` and performs a coarse route-level pre-check
+- `@AuthorizeResource(...)` performs the concrete instance-level check after loading the resource
+- `@AuthorizedResource()` gives the handler access to the already loaded and authorized entity
+
+Use this split to avoid overstating what route metadata can prove. Ownership-sensitive rules such as "writers may only update their own posts" need the concrete resource instance before CASL can decide correctly.
+
+### What the library enforces
+
+- persisted permission payloads are validated before they become `PolicyRule[]`
+- malformed persisted permission payloads fail closed with a server-side error
+- missing registered resource loader is treated as configuration error
+- missing route param yields `400`
+- missing resource yields `404`
+
+### What the host app must provide
+
+- subject-specific resource loaders for `@AuthorizeResource(...)`
+- domain resource retrieval logic and repository access
+- route resolver/handler composition that fits the app's domain model
+
+The library owns authorization orchestration. The host app still owns how domain resources are found.
+
 ## REST endpoints
 
 The `AuthController` exposes the following routes (all prefixed with `/auth`):
@@ -246,6 +318,7 @@ The `AuthController` exposes the following routes (all prefixed with `/auth`):
 - Default persistence is TypeORM with schema-qualified tables (see `libs/auth/nest/src/infrastructure-persistence`).
 - Invalidated tokens use an unlogged cache table for quick revocation lookups.
 - Route schemas are defined in `@anarchitects/auth-ts/dtos` and imported into controller `@RouteSchema` decorators — do not define inline schemas.
+- Keep `@Policies()` guidance coarse in docs and examples; use `@AuthorizeResource(...)` for instance-sensitive authorization.
 - OpenAPI metadata (`operationId`, `tags`) is assigned in `tools/api-specs/route-metadata.ts`, not in controllers.
 
 ## License

package/package.json

@@ -1,25 +1,29 @@
 {
   "name": "@anarchitects/auth-nest",
-  "version": "0.4.2",
+  "version": "0.5.0",
   "type": "commonjs",
   "main": "./src/index.js",
   "types": "./src/index.d.ts",
   "dependencies": {
+    "@better-auth/passkey": "^1.5.6",
+    "@anarchitects/auth-ts": "^0.5.0",
+    "@anarchitects/common-nest-mailer": "^0.3.0",
+    "@casl/ability": "^6.7.3",
+    "bcrypt": "^6.0.0",
+    "better-auth": "^1.5.6",
+    "passport-jwt": "^4.0.1",
     "tslib": "^2.3.0",
+    "uuidv7": "^1.0.2"
+  },
+  "peerDependencies": {
     "@nestjs/common": "^11.0.0",
+    "@nestjs/config": "^4.0.2",
+    "@nestjs/core": "^11.0.0",
     "@nestjs/jwt": "^11.0.1",
-    "@anarchitects/auth-ts": "0.1.4",
-    "bcrypt": "^6.0.0",
     "@nestjs/passport": "^11.0.5",
-    "passport-jwt": "^4.0.1",
-    "@nestjs/config": "^4.0.2",
-    "typeorm": "^0.3.27",
-    "uuidv7": "^1.0.2",
-    "@nestjs/typeorm": "^11.0.0",
     "@nestjs/platform-fastify": "^11.1.6",
-    "@casl/ability": "^6.7.3",
-    "@nestjs/core": "^11.0.0",
-    "@anarchitects/common-nest-mailer": "0.0.10"
+    "@nestjs/typeorm": "^11.0.0",
+    "typeorm": "^0.3.27"
   },
   "publishConfig": {
     "access": "public"
@@ -43,6 +47,15 @@
       ]
     }
   },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/anarchitects/anarchitecture-bricks-3tier.git",
+    "directory": "libs/auth/nest"
+  },
+  "homepage": "https://github.com/anarchitects/anarchitecture-bricks-3tier/tree/main/libs/auth/nest",
+  "bugs": {
+    "url": "https://github.com/anarchitects/anarchitecture-bricks-3tier/issues"
+  },
   "exports": {
     "./package.json": "./package.json",
     ".": {
@@ -60,4 +73,4 @@
     "./config": "./src/config/index.js",
     "./config/index": "./src/config/index.js"
   }
-}
+}

package/src/application/application.module-definition.d.ts

@@ -1,25 +1,8 @@
-export declare const ConfigurableModuleClass: import("@nestjs/common").ConfigurableModuleCls<{
-    authStrategies: string[];
-    encryption: {
-        algorithm: "bcrypt" | "argon2";
-        key: string;
-    };
-}, "forRoot", "create", {
+import type { ResolvedAuthApplicationModuleOptions } from '../config';
+export declare const ConfigurableModuleClass: import("@nestjs/common").ConfigurableModuleCls<ResolvedAuthApplicationModuleOptions, "forRoot", "create", {
     isGlobal?: boolean;
-}>, AUTH_APPLICATION_MODULE_OPTIONS: string | symbol, OPTIONS_TYPE: {
-    authStrategies: string[];
-    encryption: {
-        algorithm: "bcrypt" | "argon2";
-        key: string;
-    };
-} & Partial<{
+}>, AUTH_APPLICATION_MODULE_OPTIONS: string | symbol, OPTIONS_TYPE: ResolvedAuthApplicationModuleOptions & Partial<{
     isGlobal?: boolean;
-}>, ASYNC_OPTIONS_TYPE: import("@nestjs/common").ConfigurableModuleAsyncOptions<{
-    authStrategies: string[];
-    encryption: {
-        algorithm: "bcrypt" | "argon2";
-        key: string;
-    };
-}, "create"> & Partial<{
+}>, ASYNC_OPTIONS_TYPE: import("@nestjs/common").ConfigurableModuleAsyncOptions<ResolvedAuthApplicationModuleOptions, "create"> & Partial<{
     isGlobal?: boolean;
 }>;

package/src/application/application.module-definition.js.map

@@ -1 +1 @@
-{"version":3,"file":"application.module-definition.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/application.module-definition.ts"],"names":[],"mappings":";;;;AAAA,2CAA2D;AAE9C,KAKT,IAAI,kCAAyB,EAG7B;KACD,kBAAkB,CAAC,SAAS,CAAC;KAC7B,SAAS,CACR,EAAE,QAAQ,EAAE,IAAI,EAAE,EAClB,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,GAAG,UAAU;IACb,MAAM,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;CACjC,CAAC,CACH;KACA,KAAK,EAAE,EAhBR,+BAAuB,+BACD,uCAA+B,4BACrD,oBAAY,oBACZ,0BAAkB,yBAaT"}
+{"version":3,"file":"application.module-definition.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/application.module-definition.ts"],"names":[],"mappings":";;;;AAAA,2CAA2D;AAG9C,KAKT,IAAI,kCAAyB,EAAwC;KACtE,kBAAkB,CAAC,SAAS,CAAC;KAC7B,SAAS,CACR,EAAE,QAAQ,EAAE,IAAI,EAAE,EAClB,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IACvB,GAAG,UAAU;IACb,MAAM,EAAE,MAAM,CAAC,QAAQ,IAAI,KAAK;CACjC,CAAC,CACH;KACA,KAAK,EAAE,EAbR,+BAAuB,+BACD,uCAA+B,4BACrD,oBAAY,oBACZ,0BAAkB,yBAUT"}

package/src/application/application.module.d.ts

@@ -1,24 +1,7 @@
-import { ConfigurableModuleClass, OPTIONS_TYPE } from './application.module-definition';
-import { AbilityFactory } from './factories/ability.factory';
-import { AuthService } from './services/auth.service';
-import { BcryptHashService } from './services/bcrypt-hash.service';
-import { HashService } from './services/hash.service';
-import { JwtAuthService } from './services/jwt-auth.service';
-import { PoliciesService } from './services/policies.service';
-import { JwtStrategy } from './strategies/jwt/strategy';
+import { DynamicModule } from '@nestjs/common';
+import type { AuthApplicationModuleOptions } from '../config';
+import { ConfigurableModuleClass } from './application.module-definition';
 export declare class AuthApplicationModule extends ConfigurableModuleClass {
-    static forRoot(options: typeof OPTIONS_TYPE): {
-        imports: import("@nestjs/common").DynamicModule[];
-        providers: (typeof AbilityFactory | typeof BcryptHashService | typeof JwtAuthService | typeof PoliciesService | typeof JwtStrategy | {
-            provide: typeof HashService;
-            useExisting: typeof BcryptHashService;
-        } | {
-            provide: typeof AuthService;
-            useExisting: typeof JwtAuthService;
-        })[];
-        exports: (typeof AuthService | typeof HashService)[];
-        module: import("@nestjs/common").Type<any>;
-        global?: boolean;
-        controllers?: import("@nestjs/common").Type<any>[];
-    };
+    static forRoot(options?: AuthApplicationModuleOptions): DynamicModule;
+    static forRootFromConfig(overrides?: AuthApplicationModuleOptions): DynamicModule;
 }

package/src/application/application.module.js

@@ -6,21 +6,35 @@ const common_1 = require("@nestjs/common");
 const config_1 = require("@nestjs/config");
 const jwt_1 = require("@nestjs/jwt");
 const config_2 = require("../config");
+const better_auth_auth_engine_adapter_1 = require("../infrastructure-engine/better-auth/better-auth-auth-engine.adapter");
+const legacy_jwt_auth_engine_adapter_1 = require("../infrastructure-engine/legacy-jwt-auth-engine.adapter");
+const infrastructure_persistence_1 = require("../infrastructure-persistence");
 const application_module_definition_1 = require("./application.module-definition");
 const ability_factory_1 = require("./factories/ability.factory");
+const resource_authorization_tokens_1 = require("./resource-authorization.tokens");
+const auth_engine_port_1 = require("./services/auth-engine.port");
+const auth_orchestration_service_1 = require("./services/auth-orchestration.service");
 const auth_service_1 = require("./services/auth.service");
 const bcrypt_hash_service_1 = require("./services/bcrypt-hash.service");
 const hash_service_1 = require("./services/hash.service");
 const jwt_auth_service_1 = require("./services/jwt-auth.service");
 const policies_service_1 = require("./services/policies.service");
-const strategy_1 = require("./strategies/jwt/strategy");
+const jwt_strategy_1 = require("./strategies/jwt-strategy");
 let AuthApplicationModule = class AuthApplicationModule extends application_module_definition_1.ConfigurableModuleClass {
-    static forRoot(options) {
-        const { authStrategies, encryption } = options;
-        const imports = [config_1.ConfigModule.forFeature(config_2.authConfig)];
+    static forRoot(options = {}) {
+        const resolvedOptions = (0, config_2.resolveAuthApplicationModuleOptions)(options);
+        const { authStrategies, engine, encryption, persistence, resourceAuthorization, } = resolvedOptions;
+        const imports = [
+            config_1.ConfigModule.forFeature(config_2.authConfig),
+            infrastructure_persistence_1.AuthPersistenceModule.forRoot(persistence),
+        ];
         const providers = [];
         const exports = [];
-        providers.push(ability_factory_1.AbilityFactory, policies_service_1.PoliciesService);
+        providers.push(ability_factory_1.AbilityFactory, policies_service_1.PoliciesService, {
+            provide: resource_authorization_tokens_1.AUTH_RESOURCE_AUTHORIZATION_LOADERS,
+            useValue: resourceAuthorization.loaders,
+        });
+        exports.push(resource_authorization_tokens_1.AUTH_RESOURCE_AUTHORIZATION_LOADERS, policies_service_1.PoliciesService);
         switch (encryption.algorithm) {
             case 'bcrypt':
                 providers.push(bcrypt_hash_service_1.BcryptHashService, {
@@ -48,19 +62,56 @@ let AuthApplicationModule = class AuthApplicationModule extends application_modu
                     },
                 }),
             }));
-            providers.push(jwt_auth_service_1.JwtAuthService, strategy_1.JwtStrategy, {
+            providers.push(auth_orchestration_service_1.AuthOrchestrationService, jwt_strategy_1.JwtStrategy, {
                 provide: auth_service_1.AuthService,
-                useExisting: jwt_auth_service_1.JwtAuthService,
+                useExisting: auth_orchestration_service_1.AuthOrchestrationService,
+            }, {
+                provide: jwt_auth_service_1.JwtAuthService,
+                useExisting: auth_orchestration_service_1.AuthOrchestrationService,
             });
             exports.push(auth_service_1.AuthService);
         }
+        if (engine === 'better-auth') {
+            providers.push(better_auth_auth_engine_adapter_1.BetterAuthAuthEngineAdapter, {
+                provide: auth_engine_port_1.AuthEnginePort,
+                useExisting: better_auth_auth_engine_adapter_1.BetterAuthAuthEngineAdapter,
+            });
+        }
+        else {
+            providers.push(legacy_jwt_auth_engine_adapter_1.LegacyJwtAuthEngineAdapter, {
+                provide: auth_engine_port_1.AuthEnginePort,
+                useExisting: legacy_jwt_auth_engine_adapter_1.LegacyJwtAuthEngineAdapter,
+            });
+        }
         return {
-            ...super.forRoot(options),
+            ...super.forRoot(resolvedOptions),
             imports,
             providers,
             exports,
         };
     }
+    static forRootFromConfig(overrides = {}) {
+        const configOptions = (0, config_2.mapAuthConfigToApplicationModuleOptions)((0, config_2.authConfig)());
+        const moduleDefinition = this.forRoot({
+            ...configOptions,
+            ...overrides,
+            encryption: {
+                ...configOptions.encryption,
+                ...overrides.encryption,
+            },
+            persistence: {
+                ...configOptions.persistence,
+                ...overrides.persistence,
+            },
+        });
+        return {
+            ...moduleDefinition,
+            imports: [
+                config_1.ConfigModule.forFeature(config_2.authConfig),
+                ...(moduleDefinition.imports ?? []),
+            ],
+        };
+    }
 };
 exports.AuthApplicationModule = AuthApplicationModule;
 exports.AuthApplicationModule = AuthApplicationModule = tslib_1.__decorate([

package/src/application/application.module.js.map

@@ -1 +1 @@
-{"version":3,"file":"application.module.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/application.module.ts"],"names":[],"mappings":";;;;AAAA,2CAAwC;AACxC,2CAA8C;AAC9C,qCAAwC;AACxC,sCAAmD;AACnD,mFAGyC;AACzC,iEAA6D;AAC7D,0DAAsD;AACtD,wEAAmE;AACnE,0DAAsD;AACtD,kEAA6D;AAC7D,kEAA8D;AAC9D,wDAAwD;AAGjD,IAAM,qBAAqB,GAA3B,MAAM,qBAAsB,SAAQ,uDAAuB;IAChE,MAAM,CAAC,OAAO,CAAC,OAA4B;QACzC,MAAM,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;QAC/C,MAAM,OAAO,GAAG,CAAC,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC,CAAC,CAAC;QACtD,MAAM,SAAS,GAAG,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,EAAE,CAAC;QACnB,SAAS,CAAC,IAAI,CAAC,gCAAc,EAAE,kCAAe,CAAC,CAAC;QAChD,QAAQ,UAAU,CAAC,SAAS,EAAE,CAAC;YAC7B,KAAK,QAAQ;gBACX,SAAS,CAAC,IAAI,CAAC,uCAAiB,EAAE;oBAChC,OAAO,EAAE,0BAAW;oBACpB,WAAW,EAAE,uCAAiB;iBAC/B,CAAC,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,0BAAW,CAAC,CAAC;gBAC1B,MAAM;YACR,KAAK,QAAQ;gBACX,gEAAgE;gBAChE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D;gBACE,MAAM,IAAI,KAAK,CACb,qCAAqC,UAAU,CAAC,SAAS,EAAE,CAC5D,CAAC;QACN,CAAC;QACD,IAAI,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CACV,eAAS,CAAC,aAAa,CAAC;gBACtB,OAAO,EAAE,CAAC,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC,CAAC;gBAC9C,MAAM,EAAE,CAAC,mBAAU,CAAC,GAAG,CAAC;gBACxB,UAAU,EAAE,CAAC,UAAsB,EAAE,EAAE,CAAC,CAAC;oBACvC,MAAM,EAAE,UAAU,CAAC,SAAS;oBAC5B,WAAW,EAAE;wBACX,SAAS,EAAE,QAAQ,CAAC,UAAU,CAAC,aAAa,EAAE,EAAE,CAAC;wBACjD,QAAQ,EAAE,UAAU,CAAC,WAAW;wBAChC,MAAM,EAAE,UAAU,CAAC,SAAS;qBAC7B;iBACF,CAAC;aACH,CAAC,CACH,CAAC;YACF,SAAS,CAAC,IAAI,CAAC,iCAAc,EAAE,sBAAW,EAAE;gBAC1C,OAAO,EAAE,0BAAW;gBACpB,WAAW,EAAE,iCAAc;aAC5B,CAAC,CAAC;YACH,OAAO,CAAC,IAAI,CAAC,0BAAW,CAAC,CAAC;QAC5B,CAAC;QACD,OAAO;YACL,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC;YACzB,OAAO;YACP,SAAS;YACT,OAAO;SACR,CAAC;IACJ,CAAC;CACF,CAAA;AAnDY,sDAAqB;gCAArB,qBAAqB;IADjC,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,qBAAqB,CAmDjC"}
+{"version":3,"file":"application.module.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/application.module.ts"],"names":[],"mappings":";;;;AAAA,2CAAuD;AACvD,2CAA8C;AAC9C,qCAAwC;AAExC,sCAKmB;AACnB,0HAAmH;AACnH,4GAAqG;AACrG,8EAAsE;AACtE,mFAGyC;AACzC,iEAA6D;AAC7D,mFAAsF;AACtF,kEAA6D;AAC7D,sFAAiF;AACjF,0DAAsD;AACtD,wEAAmE;AACnE,0DAAsD;AACtD,kEAA6D;AAC7D,kEAA8D;AAC9D,4DAAwD;AAGjD,IAAM,qBAAqB,GAA3B,MAAM,qBAAsB,SAAQ,uDAAuB;IAChE,MAAM,CAAC,OAAO,CAAC,UAAwC,EAAE;QACvD,MAAM,eAAe,GACnB,IAAA,4CAAmC,EAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,EACJ,cAAc,EACd,MAAM,EACN,UAAU,EACV,WAAW,EACX,qBAAqB,GACtB,GAAG,eAAe,CAAC;QACpB,MAAM,OAAO,GAAG;YACd,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC;YACnC,kDAAqB,CAAC,OAAO,CAAC,WAAW,CAAC;SAC3C,CAAC;QACF,MAAM,SAAS,GAAG,EAAE,CAAC;QACrB,MAAM,OAAO,GAAG,EAAE,CAAC;QAEnB,SAAS,CAAC,IAAI,CAAC,gCAAc,EAAE,kCAAe,EAAE;YAC9C,OAAO,EAAE,mEAAmC;YAC5C,QAAQ,EAAE,qBAAqB,CAAC,OAAO;SACxC,CAAC,CAAC;QACH,OAAO,CAAC,IAAI,CAAC,mEAAmC,EAAE,kCAAe,CAAC,CAAC;QAEnE,QAAQ,UAAU,CAAC,SAAS,EAAE,CAAC;YAC7B,KAAK,QAAQ;gBACX,SAAS,CAAC,IAAI,CAAC,uCAAiB,EAAE;oBAChC,OAAO,EAAE,0BAAW;oBACpB,WAAW,EAAE,uCAAiB;iBAC/B,CAAC,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,0BAAW,CAAC,CAAC;gBAC1B,MAAM;YACR,KAAK,QAAQ;gBACX,gEAAgE;gBAChE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC3D;gBACE,MAAM,IAAI,KAAK,CACb,qCAAqC,UAAU,CAAC,SAAS,EAAE,CAC5D,CAAC;QACN,CAAC;QAED,IAAI,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CACV,eAAS,CAAC,aAAa,CAAC;gBACtB,OAAO,EAAE,CAAC,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC,CAAC;gBAC9C,MAAM,EAAE,CAAC,mBAAU,CAAC,GAAG,CAAC;gBACxB,UAAU,EAAE,CAAC,UAAsB,EAAE,EAAE,CAAC,CAAC;oBACvC,MAAM,EAAE,UAAU,CAAC,SAAS;oBAC5B,WAAW,EAAE;wBACX,SAAS,EAAE,QAAQ,CAAC,UAAU,CAAC,aAAa,EAAE,EAAE,CAAC;wBACjD,QAAQ,EAAE,UAAU,CAAC,WAAW;wBAChC,MAAM,EAAE,UAAU,CAAC,SAAS;qBAC7B;iBACF,CAAC;aACH,CAAC,CACH,CAAC;YAEF,SAAS,CAAC,IAAI,CACZ,qDAAwB,EACxB,0BAAW,EACX;gBACE,OAAO,EAAE,0BAAW;gBACpB,WAAW,EAAE,qDAAwB;aACtC,EACD;gBACE,OAAO,EAAE,iCAAc;gBACvB,WAAW,EAAE,qDAAwB;aACtC,CACF,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,0BAAW,CAAC,CAAC;QAC5B,CAAC;QAED,IAAI,MAAM,KAAK,aAAa,EAAE,CAAC;YAC7B,SAAS,CAAC,IAAI,CAAC,6DAA2B,EAAE;gBAC1C,OAAO,EAAE,iCAAc;gBACvB,WAAW,EAAE,6DAA2B;aACzC,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,IAAI,CAAC,2DAA0B,EAAE;gBACzC,OAAO,EAAE,iCAAc;gBACvB,WAAW,EAAE,2DAA0B;aACxC,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC;YACjC,OAAO;YACP,SAAS;YACT,OAAO;SACR,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,iBAAiB,CACtB,YAA0C,EAAE;QAE5C,MAAM,aAAa,GAAG,IAAA,gDAAuC,EAAC,IAAA,mBAAU,GAAE,CAAC,CAAC;QAC5E,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC;YACpC,GAAG,aAAa;YAChB,GAAG,SAAS;YACZ,UAAU,EAAE;gBACV,GAAG,aAAa,CAAC,UAAU;gBAC3B,GAAG,SAAS,CAAC,UAAU;aACxB;YACD,WAAW,EAAE;gBACX,GAAG,aAAa,CAAC,WAAW;gBAC5B,GAAG,SAAS,CAAC,WAAW;aACzB;SACF,CAAC,CAAC;QAEH,OAAO;YACL,GAAG,gBAAgB;YACnB,OAAO,EAAE;gBACP,qBAAY,CAAC,UAAU,CAAC,mBAAU,CAAC;gBACnC,GAAG,CAAC,gBAAgB,CAAC,OAAO,IAAI,EAAE,CAAC;aACpC;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AArHY,sDAAqB;gCAArB,qBAAqB;IADjC,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,qBAAqB,CAqHjC"}

package/src/application/factories/ability.factory.js

@@ -9,12 +9,12 @@ let AbilityFactory = class AbilityFactory {
         const { can, cannot, build } = new ability_1.AbilityBuilder(ability_1.createMongoAbility);
         for (const rule of rules) {
             const args = [rule.action, rule.subject];
+            if (rule.fields?.length) {
+                args.push(rule.fields);
+            }
             if (rule.conditions) {
                 args.push(rule.conditions);
             }
-            if (rule.fields?.length) {
-                args.push({ fields: rule.fields });
-            }
             if (rule.inverted) {
                 cannot(...args);
             }

package/src/application/factories/ability.factory.js.map

@@ -1 +1 @@
-{"version":3,"file":"ability.factory.js","sourceRoot":"","sources":["../../../../../../../libs/auth/nest/src/application/factories/ability.factory.ts"],"names":[],"mappings":";;;;AAEA,2CAIuB;AACvB,2CAA4C;AAIrC,IAAM,cAAc,GAApB,MAAM,cAAc;IACzB,YAAY,CAAC,KAAmB;QAC9B,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,wBAAc,CAC/C,4BAAkB,CACnB,CAAC;QACF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAU,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YAChD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YACrC,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACjB,MAAc,CAAC,GAAG,IAAI,CAAC,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACL,GAAW,CAAC,GAAG,IAAI,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;YACX,iBAAiB,EAAE,CAAC,GAAG,EAAE,EAAE,CACxB,GAAW,CAAC,mBAAmB,IAAI,GAAG,EAAE,WAAW,EAAE,IAAI,IAAI,KAAK;SACtE,CAAC,CAAC;IACL,CAAC;CACF,CAAA;AAxBY,wCAAc;yBAAd,cAAc;IAD1B,IAAA,mBAAU,GAAE;GACA,cAAc,CAwB1B"}
+{"version":3,"file":"ability.factory.js","sourceRoot":"","sources":["../../../../../../../libs/auth/nest/src/application/factories/ability.factory.ts"],"names":[],"mappings":";;;;AAEA,2CAIuB;AACvB,2CAA4C;AAIrC,IAAM,cAAc,GAApB,MAAM,cAAc;IACzB,YAAY,CAAC,KAAmB;QAC9B,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,wBAAc,CAC/C,4BAAkB,CACnB,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAU,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;YAChD,IAAI,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC;gBACxB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACzB,CAAC;YACD,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;gBACpB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC7B,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACjB,MAAc,CAAC,GAAG,IAAI,CAAC,CAAC;YAC3B,CAAC;iBAAM,CAAC;gBACL,GAAW,CAAC,GAAG,IAAI,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;YACX,iBAAiB,EAAE,CAAC,GAAG,EAAE,EAAE,CACxB,GAAW,CAAC,mBAAmB,IAAI,GAAG,EAAE,WAAW,EAAE,IAAI,IAAI,KAAK;SACtE,CAAC,CAAC;IACL,CAAC;CACF,CAAA;AAzBY,wCAAc;yBAAd,cAAc;IAD1B,IAAA,mBAAU,GAAE;GACA,cAAc,CAyB1B"}

package/src/application/index.d.ts

@@ -1,8 +1,12 @@
+export type { AuthApplicationModuleOptions } from '../config';
 export * from './application.module';
+export * from './factories/ability.factory';
+export * from './resource-authorization.tokens';
+export * from './resource-authorization.types';
 export * from './services/auth.service';
-export * from './services/jwt-auth.service';
-export * from './services/hash.service';
 export * from './services/bcrypt-hash.service';
+export * from './services/hash.service';
+export * from './services/jwt-auth.service';
 export * from './services/policies.service';
-export * from './strategies/jwt/strategy';
-export * from './factories/ability.factory';
+export * from './services/resource-authorization';
+export * from './strategies/jwt-strategy';

package/src/application/index.js

@@ -2,11 +2,14 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const tslib_1 = require("tslib");
 tslib_1.__exportStar(require("./application.module"), exports);
+tslib_1.__exportStar(require("./factories/ability.factory"), exports);
+tslib_1.__exportStar(require("./resource-authorization.tokens"), exports);
+tslib_1.__exportStar(require("./resource-authorization.types"), exports);
 tslib_1.__exportStar(require("./services/auth.service"), exports);
-tslib_1.__exportStar(require("./services/jwt-auth.service"), exports);
-tslib_1.__exportStar(require("./services/hash.service"), exports);
 tslib_1.__exportStar(require("./services/bcrypt-hash.service"), exports);
+tslib_1.__exportStar(require("./services/hash.service"), exports);
+tslib_1.__exportStar(require("./services/jwt-auth.service"), exports);
 tslib_1.__exportStar(require("./services/policies.service"), exports);
-tslib_1.__exportStar(require("./strategies/jwt/strategy"), exports);
-tslib_1.__exportStar(require("./factories/ability.factory"), exports);
+tslib_1.__exportStar(require("./services/resource-authorization"), exports);
+tslib_1.__exportStar(require("./strategies/jwt-strategy"), exports);
 //# sourceMappingURL=index.js.map

package/src/application/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/index.ts"],"names":[],"mappings":";;;AAAA,+DAAqC;AACrC,kEAAwC;AACxC,sEAA4C;AAC5C,kEAAwC;AACxC,yEAA+C;AAC/C,sEAA4C;AAC5C,oEAA0C;AAC1C,sEAA4C"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/index.ts"],"names":[],"mappings":";;;AACA,+DAAqC;AACrC,sEAA4C;AAC5C,0EAAgD;AAChD,yEAA+C;AAC/C,kEAAwC;AACxC,yEAA+C;AAC/C,kEAAwC;AACxC,sEAA4C;AAC5C,sEAA4C;AAC5C,4EAAkD;AAClD,oEAA0C"}

package/src/application/resource-authorization.tokens.d.ts

@@ -0,0 +1 @@
+export declare const AUTH_RESOURCE_AUTHORIZATION_LOADERS: unique symbol;

package/src/application/resource-authorization.tokens.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AUTH_RESOURCE_AUTHORIZATION_LOADERS = void 0;
+exports.AUTH_RESOURCE_AUTHORIZATION_LOADERS = Symbol('AUTH_RESOURCE_AUTHORIZATION_LOADERS');
+//# sourceMappingURL=resource-authorization.tokens.js.map

package/src/application/resource-authorization.tokens.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-authorization.tokens.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/resource-authorization.tokens.ts"],"names":[],"mappings":";;;AAAa,QAAA,mCAAmC,GAAG,MAAM,CACvD,qCAAqC,CACtC,CAAC"}

package/src/application/resource-authorization.types.d.ts

@@ -0,0 +1,16 @@
+import { Action, Subject, User } from '@anarchitects/auth-ts/models';
+export type AuthorizableResource = Record<string, unknown>;
+export type ResourceAuthorizationLoaderInput = {
+    user: User;
+    resourceId: string;
+};
+export type ResourceAuthorizationLoader<TResource extends AuthorizableResource = AuthorizableResource> = (input: ResourceAuthorizationLoaderInput) => Promise<TResource | null> | TResource | null;
+export type ResourceAuthorizationLoaders = Record<string, ResourceAuthorizationLoader>;
+export type ResourceAuthorizationOptions = {
+    loaders?: ResourceAuthorizationLoaders;
+};
+export type ResourceAuthorizationRoute = {
+    action: Action;
+    subject: Subject;
+    idParam: string;
+};

package/src/application/resource-authorization.types.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=resource-authorization.types.js.map

package/src/application/resource-authorization.types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-authorization.types.js","sourceRoot":"","sources":["../../../../../../libs/auth/nest/src/application/resource-authorization.types.ts"],"names":[],"mappings":""}