@axeom/auth 0.1.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Axeom
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+OR OTHER DEALINGS IN THE SOFTWARE.

package/dist/index.cjs

@@ -0,0 +1,132 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  authPlugin: () => authPlugin,
+  authRoutes: () => authRoutes,
+  bearerGuard: () => bearerGuard,
+  default: () => index_default
+});
+module.exports = __toCommonJS(index_exports);
+var import_schema = require("@axeom/schema");
+var import_jose = require("jose");
+var authPlugin = (options) => {
+  const encoder = new TextEncoder();
+  const rawSecret = encoder.encode(options.secret);
+  return (app) => {
+    return app.decorate({
+      auth: {
+        /**
+         * Signs a new JWT token with the provided payload.
+         */
+        sign: async (payload) => {
+          return await new import_jose.SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setIssuer(options.issuer || "Axeom").setAudience(options.audience || "Axeom-app").setExpirationTime(options.expiresIn || "2h").sign(rawSecret);
+        },
+        /**
+         * Verifies a JWT token and returns the payload if valid.
+         */
+        verify: async (token) => {
+          try {
+            const { payload } = await (0, import_jose.jwtVerify)(token, rawSecret, {
+              issuer: options.issuer || "Axeom",
+              audience: options.audience || "Axeom-app"
+            });
+            return payload;
+          } catch (e) {
+            console.error("[Auth Plugin] Verify Error:", e);
+            return null;
+          }
+        }
+      }
+    });
+  };
+};
+var bearerGuard = () => {
+  return async (ctx) => {
+    let token = null;
+    const authHeader = ctx.headers.get("Authorization");
+    if (authHeader && authHeader.startsWith("Bearer ")) {
+      token = authHeader.split(" ")[1];
+    } else {
+      const cookieHeader = ctx.headers.get("Cookie");
+      if (cookieHeader) {
+        const match = cookieHeader.match(/axeom_token=([^;]+)/);
+        if (match) token = match[1];
+      }
+    }
+    if (!token) {
+      return new Response(
+        JSON.stringify({
+          status: "error",
+          code: "UNAUTHORIZED",
+          message: "Authorization required (Header or Cookie missing)"
+        }),
+        {
+          status: 401,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    const user = await ctx.auth.verify(token);
+    if (!user) {
+      return new Response(
+        JSON.stringify({
+          status: "error",
+          code: "UNAUTHORIZED",
+          message: "Invalid or expired session"
+        }),
+        {
+          status: 401,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    return { user };
+  };
+};
+var authRoutes = (app) => {
+  const authApp = app;
+  return authApp.group("/auth", (group) => {
+    return group.post(
+      "/login",
+      async (ctx) => {
+        const { username } = ctx.body;
+        const token = await ctx.auth.sign({ id: "123", name: username });
+        return { token };
+      },
+      {
+        body: import_schema.s.object({
+          username: import_schema.s.string().min(3),
+          password: import_schema.s.string().min(6)
+        })
+      }
+    ).group("/me", (me) => {
+      return me.derive(bearerGuard()).get("/", ({ user }) => user);
+    });
+  });
+};
+var index_default = authPlugin;
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  authPlugin,
+  authRoutes,
+  bearerGuard
+});

package/dist/index.d.cts

@@ -0,0 +1,50 @@
+import { Axeom, Context } from '@axeom/core';
+
+interface AuthOptions {
+    secret: string;
+    issuer?: string;
+    audience?: string;
+    expiresIn?: string;
+}
+interface User {
+    id: string;
+    [key: string]: any;
+}
+/**
+ * The Axeom Auth Plugin.
+ * Adds JWT signing and verification utilities to the context.
+ */
+declare const authPlugin: (options: AuthOptions) => <T extends Record<string, any>, D extends Record<string, any>>(app: Axeom<T, D>) => Axeom<T, D & {
+    auth: {
+        /**
+         * Signs a new JWT token with the provided payload.
+         */
+        sign: (payload: any) => Promise<string>;
+        /**
+         * Verifies a JWT token and returns the payload if valid.
+         */
+        verify: (token: string) => Promise<User | null>;
+    };
+}>;
+/**
+ * A derivation that verifies the 'Authorization: Bearer <token>' header.
+ *
+ * If successful, it adds 'user' to the context.
+ * If it fails, it returns a 401 Unauthorized response.
+ *
+ * Usage:
+ * Axeom.group("/admin", (admin) => admin.derive(bearerGuard()).get("/dashboard", ({ user }) => ...))
+ */
+declare const bearerGuard: () => <T extends Record<string, any>, D extends Record<string, any>>(ctx: Context<any, any, D & {
+    auth: {
+        verify: (t: string) => Promise<User | null>;
+    };
+}>) => Promise<Response | {
+    user: User;
+}>;
+/**
+ * A helper to register standard login/profile routes.
+ */
+declare const authRoutes: <T extends Record<string, any>, D extends Record<string, any>>(app: Axeom<T, D>) => Axeom<any, any>;
+
+export { type AuthOptions, type User, authPlugin, authRoutes, bearerGuard, authPlugin as default };

package/dist/index.d.ts

@@ -0,0 +1,50 @@
+import { Axeom, Context } from '@axeom/core';
+
+interface AuthOptions {
+    secret: string;
+    issuer?: string;
+    audience?: string;
+    expiresIn?: string;
+}
+interface User {
+    id: string;
+    [key: string]: any;
+}
+/**
+ * The Axeom Auth Plugin.
+ * Adds JWT signing and verification utilities to the context.
+ */
+declare const authPlugin: (options: AuthOptions) => <T extends Record<string, any>, D extends Record<string, any>>(app: Axeom<T, D>) => Axeom<T, D & {
+    auth: {
+        /**
+         * Signs a new JWT token with the provided payload.
+         */
+        sign: (payload: any) => Promise<string>;
+        /**
+         * Verifies a JWT token and returns the payload if valid.
+         */
+        verify: (token: string) => Promise<User | null>;
+    };
+}>;
+/**
+ * A derivation that verifies the 'Authorization: Bearer <token>' header.
+ *
+ * If successful, it adds 'user' to the context.
+ * If it fails, it returns a 401 Unauthorized response.
+ *
+ * Usage:
+ * Axeom.group("/admin", (admin) => admin.derive(bearerGuard()).get("/dashboard", ({ user }) => ...))
+ */
+declare const bearerGuard: () => <T extends Record<string, any>, D extends Record<string, any>>(ctx: Context<any, any, D & {
+    auth: {
+        verify: (t: string) => Promise<User | null>;
+    };
+}>) => Promise<Response | {
+    user: User;
+}>;
+/**
+ * A helper to register standard login/profile routes.
+ */
+declare const authRoutes: <T extends Record<string, any>, D extends Record<string, any>>(app: Axeom<T, D>) => Axeom<any, any>;
+
+export { type AuthOptions, type User, authPlugin, authRoutes, bearerGuard, authPlugin as default };

package/dist/index.js

@@ -0,0 +1,105 @@
+// src/index.ts
+import { s } from "@axeom/schema";
+import { jwtVerify, SignJWT } from "jose";
+var authPlugin = (options) => {
+  const encoder = new TextEncoder();
+  const rawSecret = encoder.encode(options.secret);
+  return (app) => {
+    return app.decorate({
+      auth: {
+        /**
+         * Signs a new JWT token with the provided payload.
+         */
+        sign: async (payload) => {
+          return await new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setIssuer(options.issuer || "Axeom").setAudience(options.audience || "Axeom-app").setExpirationTime(options.expiresIn || "2h").sign(rawSecret);
+        },
+        /**
+         * Verifies a JWT token and returns the payload if valid.
+         */
+        verify: async (token) => {
+          try {
+            const { payload } = await jwtVerify(token, rawSecret, {
+              issuer: options.issuer || "Axeom",
+              audience: options.audience || "Axeom-app"
+            });
+            return payload;
+          } catch (e) {
+            console.error("[Auth Plugin] Verify Error:", e);
+            return null;
+          }
+        }
+      }
+    });
+  };
+};
+var bearerGuard = () => {
+  return async (ctx) => {
+    let token = null;
+    const authHeader = ctx.headers.get("Authorization");
+    if (authHeader && authHeader.startsWith("Bearer ")) {
+      token = authHeader.split(" ")[1];
+    } else {
+      const cookieHeader = ctx.headers.get("Cookie");
+      if (cookieHeader) {
+        const match = cookieHeader.match(/axeom_token=([^;]+)/);
+        if (match) token = match[1];
+      }
+    }
+    if (!token) {
+      return new Response(
+        JSON.stringify({
+          status: "error",
+          code: "UNAUTHORIZED",
+          message: "Authorization required (Header or Cookie missing)"
+        }),
+        {
+          status: 401,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    const user = await ctx.auth.verify(token);
+    if (!user) {
+      return new Response(
+        JSON.stringify({
+          status: "error",
+          code: "UNAUTHORIZED",
+          message: "Invalid or expired session"
+        }),
+        {
+          status: 401,
+          headers: { "Content-Type": "application/json" }
+        }
+      );
+    }
+    return { user };
+  };
+};
+var authRoutes = (app) => {
+  const authApp = app;
+  return authApp.group("/auth", (group) => {
+    return group.post(
+      "/login",
+      async (ctx) => {
+        const { username } = ctx.body;
+        const token = await ctx.auth.sign({ id: "123", name: username });
+        return { token };
+      },
+      {
+        body: s.object({
+          username: s.string().min(3),
+          password: s.string().min(6)
+        })
+      }
+    ).group("/me", (me) => {
+      return me.derive(bearerGuard()).get("/", ({ user }) => user);
+    });
+  });
+};
+var index_default = authPlugin;
+export {
+  authPlugin,
+  authRoutes,
+  bearerGuard,
+  index_default as default
+};

package/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "@axeom/auth",
+  "version": "0.1.1",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "types": "./dist/index.d.ts",
+  "dependencies": {
+    "jose": "^6.0.8",
+    "@axeom/core": "0.1.1",
+    "@axeom/schema": "0.1.1"
+  },
+  "module": "./dist/index.js",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch"
+  }
+}