@authu/node 0.1.18

package/README.md

@@ -0,0 +1,214 @@
+# @authu/node
+
+Node.js SDK for AuthU - Centralized Multi-Tenant Authentication Service.
+
+## Installation
+
+```sh
+npm install @authu/node
+# or
+pnpm add @authu/node
+# or
+yarn add @authu/node
+```
+
+## Usage
+
+### 1. Verify JWT Tokens
+
+Use `verifyToken` to validate and decode JWT tokens:
+
+```typescript
+import {verifyToken} from '@authu/node';
+
+const result = await verifyToken(token, {
+  domain: 'auth.example.com',
+  audience: 'https://api.example.com'
+});
+
+console.log(result.payload.sub); // User ID
+console.log(result.payload.email); // User email
+```
+
+### 2. Fastify Middleware
+
+Use `createAuthUMiddleware` to protect your Fastify routes:
+
+```typescript
+import Fastify from 'fastify';
+import {createAuthUMiddleware} from '@authu/node';
+
+const fastify = Fastify();
+
+// Register the middleware
+fastify.register(
+  createAuthUMiddleware({
+    domain: 'auth.example.com',
+    audience: 'https://api.example.com'
+  })
+);
+
+// Protected route
+fastify.get(
+  '/api/profile',
+  {preHandler: [fastify.verifyAuthU]},
+  async request => {
+    // Access the authenticated user
+    return {user: request.authUUser};
+  }
+);
+```
+
+### 3. Optional Authentication
+
+For routes where authentication is optional:
+
+```typescript
+fastify.register(
+  createAuthUMiddleware({
+    domain: 'auth.example.com',
+    optional: true
+  })
+);
+
+fastify.get('/api/public', {preHandler: [fastify.verifyAuthU]}, async request => {
+  if (request.authUUser) {
+    return {message: `Hello ${request.authUUser.name}`};
+  }
+  return {message: 'Hello guest'};
+});
+```
+
+### 4. Custom JWKS Client
+
+For advanced use cases, you can provide your own JWKS client:
+
+```typescript
+import {JwksClient, verifyToken} from '@authu/node';
+
+const jwksClient = new JwksClient({
+  jwksUri: 'https://auth.example.com/.well-known/jwks.json',
+  cacheMaxAge: 300000 // 5 minutes cache
+});
+
+const result = await verifyToken(token, {
+  domain: 'auth.example.com',
+  jwksClient
+});
+```
+
+## API Reference
+
+### verifyToken(token, options)
+
+Verifies and decodes a JWT token.
+
+**Options:**
+
+| Option | Type | Required | Description |
+|--------|------|----------|-------------|
+| `domain` | `string` | Yes | AuthU server domain (without https://) |
+| `audience` | `string` | No | Expected audience claim |
+| `issuer` | `string` | No | Expected issuer (default: `https://{domain}`) |
+| `jwksClient` | `JwksClient` | No | Custom JWKS client instance |
+
+**Returns:** `Promise<VerifiedToken>`
+
+### createAuthUMiddleware(options)
+
+Creates a Fastify plugin for JWT authentication.
+
+**Options:**
+
+| Option | Type | Required | Description |
+|--------|------|----------|-------------|
+| `domain` | `string` | Yes | AuthU server domain |
+| `audience` | `string` | No | Expected audience claim |
+| `issuer` | `string` | No | Expected issuer |
+| `optional` | `boolean` | No | If true, don't error on missing/invalid tokens |
+
+**Decorators added:**
+
+- `fastify.verifyAuthU` - Prehandler function for route protection
+- `request.authUUser` - Authenticated user data (or null if optional)
+
+### JwksClient
+
+JWKS client with automatic caching.
+
+```typescript
+const client = new JwksClient({
+  jwksUri: 'https://auth.example.com/.well-known/jwks.json',
+  cacheMaxAge: 600000 // 10 minutes (default)
+});
+
+// Get a key by kid
+const key = await client.getKey('key-id');
+
+// Get all keys
+const jwks = await client.getJwks();
+
+// Clear cache
+client.clearCache();
+```
+
+### Types
+
+```typescript
+interface AuthUUser {
+  sub: string;
+  email?: string;
+  emailVerified?: boolean;
+  name?: string;
+  picture?: string;
+  scope?: string;
+  clientId?: string;
+  tenantId?: string;
+}
+
+interface VerifiedToken {
+  payload: AuthUUser;
+  header: {
+    alg: string;
+    typ?: string;
+    kid?: string;
+  };
+}
+```
+
+## Development
+
+### Build
+
+```sh
+pnpm run build
+```
+
+### Lint
+
+```sh
+pnpm run lint
+```
+
+## Publishing
+
+### Prerequisites
+
+- Be logged in to npm: `npm login`
+- Have publish rights on `@authu` scope
+
+### Publish a New Version
+
+1. Update version in `package.json`
+2. Build and publish:
+
+```sh
+pnpm run build
+pnpm publish --access public
+```
+
+The `--access public` flag is required for scoped packages.
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,5 @@
+export { verifyToken, type VerifyTokenOptions } from './verifyToken.js';
+export { createAuthUMiddleware, type AuthUMiddlewareOptions } from './middleware.js';
+export { JwksClient } from './jwks.js';
+export type { AuthUUser, VerifiedToken, JWK, JWKS } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,WAAW,EAAE,KAAK,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AACtE,OAAO,EACL,qBAAqB,EACrB,KAAK,sBAAsB,EAC5B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAC,UAAU,EAAC,MAAM,WAAW,CAAC;AACrC,YAAY,EAAC,SAAS,EAAE,aAAa,EAAE,GAAG,EAAE,IAAI,EAAC,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { verifyToken } from './verifyToken.js';
+export { createAuthUMiddleware } from './middleware.js';
+export { JwksClient } from './jwks.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,WAAW,EAA0B,MAAM,kBAAkB,CAAC;AACtE,OAAO,EACL,qBAAqB,EAEtB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAC,UAAU,EAAC,MAAM,WAAW,CAAC"}

package/dist/jwks.d.ts

@@ -0,0 +1,18 @@
+import * as jose from 'jose';
+import type { JWKS } from './types.js';
+interface JwksClientOptions {
+    jwksUri: string;
+    cacheMaxAge?: number;
+}
+export declare class JwksClient {
+    private jwksUri;
+    private cacheMaxAge;
+    private cachedJwks;
+    private cacheExpiry;
+    constructor(options: JwksClientOptions);
+    getKey(kid: string): Promise<Awaited<ReturnType<typeof jose.importJWK>>>;
+    getJwks(): Promise<JWKS>;
+    clearCache(): void;
+}
+export {};
+//# sourceMappingURL=jwks.d.ts.map

package/dist/jwks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks.d.ts","sourceRoot":"","sources":["../src/jwks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,YAAY,CAAC;AAErC,UAAU,iBAAiB;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,WAAW,CAAS;IAC5B,OAAO,CAAC,UAAU,CAAqB;IACvC,OAAO,CAAC,WAAW,CAAa;gBAEpB,OAAO,EAAE,iBAAiB;IAKhC,MAAM,CACV,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;IAWhD,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAqB9B,UAAU,IAAI,IAAI;CAInB"}

package/dist/jwks.js

@@ -0,0 +1,37 @@
+import * as jose from 'jose';
+export class JwksClient {
+    jwksUri;
+    cacheMaxAge;
+    cachedJwks = null;
+    cacheExpiry = 0;
+    constructor(options) {
+        this.jwksUri = options.jwksUri;
+        this.cacheMaxAge = options.cacheMaxAge ?? 600000; // 10 minutes default
+    }
+    async getKey(kid) {
+        const jwks = await this.getJwks();
+        const key = jwks.keys.find(k => k.kid === kid);
+        if (!key) {
+            throw new Error(`Key with kid "${kid}" not found in JWKS`);
+        }
+        return jose.importJWK(key);
+    }
+    async getJwks() {
+        const now = Date.now();
+        if (this.cachedJwks && now < this.cacheExpiry) {
+            return this.cachedJwks;
+        }
+        const response = await fetch(this.jwksUri);
+        if (!response.ok) {
+            throw new Error(`Failed to fetch JWKS: ${response.status} ${response.statusText}`);
+        }
+        this.cachedJwks = (await response.json());
+        this.cacheExpiry = now + this.cacheMaxAge;
+        return this.cachedJwks;
+    }
+    clearCache() {
+        this.cachedJwks = null;
+        this.cacheExpiry = 0;
+    }
+}
+//# sourceMappingURL=jwks.js.map

package/dist/jwks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks.js","sourceRoot":"","sources":["../src/jwks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAQ7B,MAAM,OAAO,UAAU;IACb,OAAO,CAAS;IAChB,WAAW,CAAS;IACpB,UAAU,GAAgB,IAAI,CAAC;IAC/B,WAAW,GAAW,CAAC,CAAC;IAEhC,YAAY,OAA0B;QACpC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,MAAM,CAAC,CAAC,qBAAqB;IACzE,CAAC;IAED,KAAK,CAAC,MAAM,CACV,GAAW;QAEX,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC;QAE/C,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,iBAAiB,GAAG,qBAAqB,CAAC,CAAC;QAC7D,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,GAAe,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,OAAO;QACX,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,IAAI,IAAI,CAAC,UAAU,IAAI,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC,UAAU,CAAC;QACzB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE3C,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,yBAAyB,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,EAAE,CAClE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,UAAU,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAS,CAAC;QAClD,IAAI,CAAC,WAAW,GAAG,GAAG,GAAG,IAAI,CAAC,WAAW,CAAC;QAE1C,OAAO,IAAI,CAAC,UAAU,CAAC;IACzB,CAAC;IAED,UAAU;QACR,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvB,IAAI,CAAC,WAAW,GAAG,CAAC,CAAC;IACvB,CAAC;CACF"}

package/dist/middleware.d.ts

@@ -0,0 +1,22 @@
+import { type VerifyTokenOptions } from './verifyToken.js';
+import type { AuthUUser } from './types.js';
+export interface AuthUMiddlewareOptions extends VerifyTokenOptions {
+    optional?: boolean;
+}
+type FastifyRequest = {
+    headers: Record<string, string | string[] | undefined>;
+    authUUser?: AuthUUser;
+};
+type FastifyReply = {
+    status: (code: number) => FastifyReply;
+    send: (body: unknown) => void;
+};
+type FastifyInstance = {
+    decorate: (name: string, value: unknown) => void;
+    decorateRequest: (name: string, value: unknown) => void;
+    addHook: (hookName: string, handler: (request: FastifyRequest, reply: FastifyReply) => Promise<void>) => void;
+};
+type FastifyPluginCallback = (fastify: FastifyInstance, options: AuthUMiddlewareOptions, done: (err?: Error) => void) => void;
+export declare function createAuthUMiddleware(options: AuthUMiddlewareOptions): FastifyPluginCallback;
+export {};
+//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AACtE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AAE1C,MAAM,WAAW,sBAAuB,SAAQ,kBAAkB;IAChE,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAED,KAAK,cAAc,GAAG;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACvD,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB,CAAC;AAEF,KAAK,YAAY,GAAG;IAClB,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,YAAY,CAAC;IACvC,IAAI,EAAE,CAAC,IAAI,EAAE,OAAO,KAAK,IAAI,CAAC;CAC/B,CAAC;AAEF,KAAK,eAAe,GAAG;IACrB,QAAQ,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;IACjD,eAAe,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;IACxD,OAAO,EAAE,CACP,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,CAAC,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,YAAY,KAAK,OAAO,CAAC,IAAI,CAAC,KACrE,IAAI,CAAC;CACX,CAAC;AAEF,KAAK,qBAAqB,GAAG,CAC3B,OAAO,EAAE,eAAe,EACxB,OAAO,EAAE,sBAAsB,EAC/B,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,KAAK,KAAK,IAAI,KACxB,IAAI,CAAC;AAEV,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,sBAAsB,GAC9B,qBAAqB,CA+CvB"}

package/dist/middleware.js

@@ -0,0 +1,41 @@
+import { verifyToken } from './verifyToken.js';
+export function createAuthUMiddleware(options) {
+    return (fastify, _opts, done) => {
+        fastify.decorateRequest('authUUser', null);
+        fastify.decorate('verifyAuthU', async (request, reply) => {
+            const authHeader = request.headers.authorization;
+            if (!authHeader || typeof authHeader !== 'string') {
+                if (options.optional) {
+                    return;
+                }
+                reply.status(401).send({ error: 'Missing authorization header' });
+                return;
+            }
+            const [scheme, token] = authHeader.split(' ');
+            if (scheme?.toLowerCase() !== 'bearer' || !token) {
+                if (options.optional) {
+                    return;
+                }
+                reply
+                    .status(401)
+                    .send({ error: 'Invalid authorization header format' });
+                return;
+            }
+            try {
+                const verified = await verifyToken(token, options);
+                request.authUUser = verified.payload;
+            }
+            catch (err) {
+                if (options.optional) {
+                    return;
+                }
+                reply.status(401).send({
+                    error: 'Invalid token',
+                    message: err instanceof Error ? err.message : 'Token verification failed'
+                });
+            }
+        });
+        done();
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,WAAW,EAA0B,MAAM,kBAAkB,CAAC;AAgCtE,MAAM,UAAU,qBAAqB,CACnC,OAA+B;IAE/B,OAAO,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAC9B,OAAO,CAAC,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC;QAE3C,OAAO,CAAC,QAAQ,CACd,aAAa,EACb,KAAK,EAAE,OAAuB,EAAE,KAAmB,EAAiB,EAAE;YACpE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;YAEjD,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;gBAClD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,OAAO;gBACT,CAAC;gBACD,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,8BAA8B,EAAC,CAAC,CAAC;gBAChE,OAAO;YACT,CAAC;YAED,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAE9C,IAAI,MAAM,EAAE,WAAW,EAAE,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;gBACjD,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,OAAO;gBACT,CAAC;gBACD,KAAK;qBACF,MAAM,CAAC,GAAG,CAAC;qBACX,IAAI,CAAC,EAAC,KAAK,EAAE,qCAAqC,EAAC,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YAED,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;gBACnD,OAAO,CAAC,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC;YACvC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;oBACrB,OAAO;gBACT,CAAC;gBACD,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACrB,KAAK,EAAE,eAAe;oBACtB,OAAO,EACL,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,2BAA2B;iBACnE,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CACF,CAAC;QAEF,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,30 @@
+export interface AuthUUser {
+    sub: string;
+    email?: string;
+    emailVerified?: boolean;
+    name?: string;
+    picture?: string;
+    scope?: string;
+    clientId?: string;
+    tenantId?: string;
+}
+export interface VerifiedToken {
+    payload: AuthUUser;
+    header: {
+        alg: string;
+        typ?: string;
+        kid?: string;
+    };
+}
+export interface JWK {
+    kty: string;
+    kid: string;
+    use?: string;
+    alg?: string;
+    n?: string;
+    e?: string;
+}
+export interface JWKS {
+    keys: JWK[];
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,SAAS,CAAC;IACnB,MAAM,EAAE;QACN,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED,MAAM,WAAW,GAAG;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,CAAC,CAAC,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,IAAI;IACnB,IAAI,EAAE,GAAG,EAAE,CAAC;CACb"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/dist/verifyToken.d.ts

@@ -0,0 +1,10 @@
+import { JwksClient } from './jwks.js';
+import type { VerifiedToken } from './types.js';
+export interface VerifyTokenOptions {
+    domain: string;
+    audience?: string;
+    issuer?: string;
+    jwksClient?: JwksClient;
+}
+export declare function verifyToken(token: string, options: VerifyTokenOptions): Promise<VerifiedToken>;
+//# sourceMappingURL=verifyToken.d.ts.map

package/dist/verifyToken.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyToken.d.ts","sourceRoot":"","sources":["../src/verifyToken.ts"],"names":[],"mappings":"AACA,OAAO,EAAC,UAAU,EAAC,MAAM,WAAW,CAAC;AACrC,OAAO,KAAK,EAAY,aAAa,EAAC,MAAM,YAAY,CAAC;AAEzD,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB;AAgBD,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,aAAa,CAAC,CAuCxB"}

package/dist/verifyToken.js

@@ -0,0 +1,44 @@
+import * as jose from 'jose';
+import { JwksClient } from './jwks.js';
+const clientCache = new Map();
+function getJwksClient(domain) {
+    if (!clientCache.has(domain)) {
+        clientCache.set(domain, new JwksClient({
+            jwksUri: `https://${domain}/.well-known/jwks.json`
+        }));
+    }
+    return clientCache.get(domain);
+}
+export async function verifyToken(token, options) {
+    const { domain, audience, issuer } = options;
+    const jwksClient = options.jwksClient ?? getJwksClient(domain);
+    const expectedIssuer = issuer ?? `https://${domain}`;
+    const { payload, protectedHeader } = await jose.jwtVerify(token, async (header) => {
+        if (!header.kid) {
+            throw new Error('Token missing kid header');
+        }
+        return jwksClient.getKey(header.kid);
+    }, {
+        issuer: expectedIssuer,
+        audience
+    });
+    const user = {
+        sub: payload.sub,
+        email: payload.email,
+        emailVerified: payload.email_verified,
+        name: payload.name,
+        picture: payload.picture,
+        scope: payload.scope,
+        clientId: payload.client_id,
+        tenantId: payload.tenant_id
+    };
+    return {
+        payload: user,
+        header: {
+            alg: protectedHeader.alg,
+            typ: protectedHeader.typ,
+            kid: protectedHeader.kid
+        }
+    };
+}
+//# sourceMappingURL=verifyToken.js.map

package/dist/verifyToken.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyToken.js","sourceRoot":"","sources":["../src/verifyToken.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAC,UAAU,EAAC,MAAM,WAAW,CAAC;AAUrC,MAAM,WAAW,GAAG,IAAI,GAAG,EAAsB,CAAC;AAElD,SAAS,aAAa,CAAC,MAAc;IACnC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7B,WAAW,CAAC,GAAG,CACb,MAAM,EACN,IAAI,UAAU,CAAC;YACb,OAAO,EAAE,WAAW,MAAM,wBAAwB;SACnD,CAAC,CACH,CAAC;IACJ,CAAC;IACD,OAAO,WAAW,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,OAA2B;IAE3B,MAAM,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAC,GAAG,OAAO,CAAC;IAC3C,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,aAAa,CAAC,MAAM,CAAC,CAAC;IAE/D,MAAM,cAAc,GAAG,MAAM,IAAI,WAAW,MAAM,EAAE,CAAC;IAErD,MAAM,EAAC,OAAO,EAAE,eAAe,EAAC,GAAG,MAAM,IAAI,CAAC,SAAS,CACrD,KAAK,EACL,KAAK,EAAC,MAAM,EAAC,EAAE;QACb,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC9C,CAAC;QACD,OAAO,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACvC,CAAC,EACD;QACE,MAAM,EAAE,cAAc;QACtB,QAAQ;KACT,CACF,CAAC;IAEF,MAAM,IAAI,GAAc;QACtB,GAAG,EAAE,OAAO,CAAC,GAAa;QAC1B,KAAK,EAAE,OAAO,CAAC,KAA2B;QAC1C,aAAa,EAAE,OAAO,CAAC,cAAqC;QAC5D,IAAI,EAAE,OAAO,CAAC,IAA0B;QACxC,OAAO,EAAE,OAAO,CAAC,OAA6B;QAC9C,KAAK,EAAE,OAAO,CAAC,KAA2B;QAC1C,QAAQ,EAAE,OAAO,CAAC,SAA+B;QACjD,QAAQ,EAAE,OAAO,CAAC,SAA+B;KAClD,CAAC;IAEF,OAAO;QACL,OAAO,EAAE,IAAI;QACb,MAAM,EAAE;YACN,GAAG,EAAE,eAAe,CAAC,GAAG;YACxB,GAAG,EAAE,eAAe,CAAC,GAAG;YACxB,GAAG,EAAE,eAAe,CAAC,GAAG;SACzB;KACF,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@authu/node",
+  "version": "0.1.18",
+  "description": "Node.js SDK for AuthU - Centralized Multi-Tenant Authentication Service",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "authu",
+    "auth",
+    "authentication",
+    "oauth2",
+    "oidc",
+    "node",
+    "fastify",
+    "jwt",
+    "jwks"
+  ],
+  "author": "Uralys",
+  "license": "MIT",
+  "dependencies": {
+    "jose": "^6.0.0",
+    "@authu/shared": "0.1.18"
+  },
+  "devDependencies": {
+    "@eslint/js": "^9.33.0",
+    "@types/node": "^22.10.7",
+    "eslint": "^9.33.0",
+    "eslint-plugin-prettier": "^5.5.4",
+    "prettier": "^3.6.2",
+    "typescript": "^5.7.3",
+    "typescript-eslint": "^8.40.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "eslint": "eslint src --cache",
+    "typecheck": "tsc --noEmit",
+    "lint": "pnpm run eslint && pnpm run typecheck"
+  }
+}