npm - @baseplate-dev/plugin-auth - Versions diffs - 0.1.1 - Mend

@baseplate-dev/plugin-auth 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (241) hide show

package/dist/auth/generators/fastify/auth-module/generated/ts-templates.js ADDED Viewed

@@ -0,0 +1,94 @@
+import { createTsTemplateFile, createTsTemplateGroup, } from '@baseplate-dev/core-generators';
+import { authContextImportsProvider, authRolesImportsProvider, configServiceImportsProvider, errorHandlerServiceImportsProvider, pothosImportsProvider, requestServiceContextImportsProvider, userSessionTypesImportsProvider, } from '@baseplate-dev/fastify-generators';
+const schemaUserSessionMutations = createTsTemplateFile({
+    group: 'schema',
+    importMapProviders: { pothosImports: pothosImportsProvider },
+    name: 'schema-user-session-mutations',
+    projectExports: {},
+    source: { path: 'schema/user-session.mutations.ts' },
+    variables: {},
+});
+const schemaUserSessionQueries = createTsTemplateFile({
+    group: 'schema',
+    importMapProviders: { pothosImports: pothosImportsProvider },
+    name: 'schema-user-session-queries',
+    projectExports: {},
+    source: { path: 'schema/user-session.queries.ts' },
+    variables: { TPL_PRISMA_USER: {} },
+});
+const userSessionPayloadObjectType = createTsTemplateFile({
+    group: 'schema',
+    importMapProviders: { pothosImports: pothosImportsProvider },
+    name: 'user-session-payload-object-type',
+    projectExports: { userSessionPayload: {} },
+    source: { path: 'schema/user-session-payload.object-type.ts' },
+    variables: { TPL_PRISMA_USER: {}, TPL_USER_OBJECT_TYPE: {} },
+});
+const schemaGroup = createTsTemplateGroup({
+    templates: {
+        schemaUserSessionMutations: {
+            destination: 'user-session.mutations.ts',
+            template: schemaUserSessionMutations,
+        },
+        schemaUserSessionQueries: {
+            destination: 'user-session.queries.ts',
+            template: schemaUserSessionQueries,
+        },
+        userSessionPayloadObjectType: {
+            destination: 'user-session-payload.object-type.ts',
+            template: userSessionPayloadObjectType,
+        },
+    },
+});
+const servicesUserSessionService = createTsTemplateFile({
+    importMapProviders: {
+        authContextImports: authContextImportsProvider,
+        authRolesImports: authRolesImportsProvider,
+        configServiceImports: configServiceImportsProvider,
+        errorHandlerServiceImports: errorHandlerServiceImportsProvider,
+        requestServiceContextImports: requestServiceContextImportsProvider,
+        userSessionTypesImports: userSessionTypesImportsProvider,
+    },
+    name: 'services-user-session-service',
+    projectExports: { userSessionService: {} },
+    source: { path: 'services/user-session.service.ts' },
+    variables: { TPL_PRISMA_USER_SESSION: {} },
+});
+const userSessionConstants = createTsTemplateFile({
+    name: 'user-session-constants',
+    projectExports: {
+        USER_SESSION_DURATION_SEC: {},
+        USER_SESSION_MAX_LIFETIME_SEC: {},
+        USER_SESSION_RENEWAL_THRESHOLD_SEC: {},
+    },
+    source: { path: 'user-session.constants.ts' },
+    variables: {},
+});
+const utilsCookieSigner = createTsTemplateFile({
+    name: 'utils-cookie-signer',
+    projectExports: { sign: {}, signObject: {}, unsign: {}, unsignObject: {} },
+    source: { path: 'utils/cookie-signer.ts' },
+    variables: {},
+});
+const utilsSessionCookie = createTsTemplateFile({
+    importMapProviders: { configServiceImports: configServiceImportsProvider },
+    name: 'utils-session-cookie',
+    projectExports: { getUserSessionCookieName: {} },
+    source: { path: 'utils/session-cookie.ts' },
+    variables: {},
+});
+const utilsVerifyRequestOrigin = createTsTemplateFile({
+    name: 'utils-verify-request-origin',
+    projectExports: { verifyRequestOrigin: {} },
+    source: { path: 'utils/verify-request-origin.ts' },
+    variables: {},
+});
+export const FASTIFY_AUTH_MODULE_TS_TEMPLATES = {
+    schemaGroup,
+    servicesUserSessionService,
+    userSessionConstants,
+    utilsCookieSigner,
+    utilsSessionCookie,
+    utilsVerifyRequestOrigin,
+};
+//# sourceMappingURL=ts-templates.js.map

package/dist/auth/generators/fastify/auth-module/generated/ts-templates.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"ts-templates.js","sourceRoot":"","sources":["../../../../../../src/auth/generators/fastify/auth-module/generated/ts-templates.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,0BAA0B,EAC1B,wBAAwB,EACxB,4BAA4B,EAC5B,kCAAkC,EAClC,qBAAqB,EACrB,oCAAoC,EACpC,+BAA+B,GAChC,MAAM,mCAAmC,CAAC;AAE3C,MAAM,0BAA0B,GAAG,oBAAoB,CAAC;IACtD,KAAK,EAAE,QAAQ;IACf,kBAAkB,EAAE,EAAE,aAAa,EAAE,qBAAqB,EAAE;IAC5D,IAAI,EAAE,+BAA+B;IACrC,cAAc,EAAE,EAAE;IAClB,MAAM,EAAE,EAAE,IAAI,EAAE,kCAAkC,EAAE;IACpD,SAAS,EAAE,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,wBAAwB,GAAG,oBAAoB,CAAC;IACpD,KAAK,EAAE,QAAQ;IACf,kBAAkB,EAAE,EAAE,aAAa,EAAE,qBAAqB,EAAE;IAC5D,IAAI,EAAE,6BAA6B;IACnC,cAAc,EAAE,EAAE;IAClB,MAAM,EAAE,EAAE,IAAI,EAAE,gCAAgC,EAAE;IAClD,SAAS,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE;CACnC,CAAC,CAAC;AAEH,MAAM,4BAA4B,GAAG,oBAAoB,CAAC;IACxD,KAAK,EAAE,QAAQ;IACf,kBAAkB,EAAE,EAAE,aAAa,EAAE,qBAAqB,EAAE;IAC5D,IAAI,EAAE,kCAAkC;IACxC,cAAc,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE;IAC1C,MAAM,EAAE,EAAE,IAAI,EAAE,4CAA4C,EAAE;IAC9D,SAAS,EAAE,EAAE,eAAe,EAAE,EAAE,EAAE,oBAAoB,EAAE,EAAE,EAAE;CAC7D,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,qBAAqB,CAAC;IACxC,SAAS,EAAE;QACT,0BAA0B,EAAE;YAC1B,WAAW,EAAE,2BAA2B;YACxC,QAAQ,EAAE,0BAA0B;SACrC;QACD,wBAAwB,EAAE;YACxB,WAAW,EAAE,yBAAyB;YACtC,QAAQ,EAAE,wBAAwB;SACnC;QACD,4BAA4B,EAAE;YAC5B,WAAW,EAAE,qCAAqC;YAClD,QAAQ,EAAE,4BAA4B;SACvC;KACF;CACF,CAAC,CAAC;AAEH,MAAM,0BAA0B,GAAG,oBAAoB,CAAC;IACtD,kBAAkB,EAAE;QAClB,kBAAkB,EAAE,0BAA0B;QAC9C,gBAAgB,EAAE,wBAAwB;QAC1C,oBAAoB,EAAE,4BAA4B;QAClD,0BAA0B,EAAE,kCAAkC;QAC9D,4BAA4B,EAAE,oCAAoC;QAClE,uBAAuB,EAAE,+BAA+B;KACzD;IACD,IAAI,EAAE,+BAA+B;IACrC,cAAc,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE;IAC1C,MAAM,EAAE,EAAE,IAAI,EAAE,kCAAkC,EAAE;IACpD,SAAS,EAAE,EAAE,uBAAuB,EAAE,EAAE,EAAE;CAC3C,CAAC,CAAC;AAEH,MAAM,oBAAoB,GAAG,oBAAoB,CAAC;IAChD,IAAI,EAAE,wBAAwB;IAC9B,cAAc,EAAE;QACd,yBAAyB,EAAE,EAAE;QAC7B,6BAA6B,EAAE,EAAE;QACjC,kCAAkC,EAAE,EAAE;KACvC;IACD,MAAM,EAAE,EAAE,IAAI,EAAE,2BAA2B,EAAE;IAC7C,SAAS,EAAE,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;IAC7C,IAAI,EAAE,qBAAqB;IAC3B,cAAc,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE;IAC1E,MAAM,EAAE,EAAE,IAAI,EAAE,wBAAwB,EAAE;IAC1C,SAAS,EAAE,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;IAC9C,kBAAkB,EAAE,EAAE,oBAAoB,EAAE,4BAA4B,EAAE;IAC1E,IAAI,EAAE,sBAAsB;IAC5B,cAAc,EAAE,EAAE,wBAAwB,EAAE,EAAE,EAAE;IAChD,MAAM,EAAE,EAAE,IAAI,EAAE,yBAAyB,EAAE;IAC3C,SAAS,EAAE,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,wBAAwB,GAAG,oBAAoB,CAAC;IACpD,IAAI,EAAE,6BAA6B;IACnC,cAAc,EAAE,EAAE,mBAAmB,EAAE,EAAE,EAAE;IAC3C,MAAM,EAAE,EAAE,IAAI,EAAE,gCAAgC,EAAE;IAClD,SAAS,EAAE,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,gCAAgC,GAAG;IAC9C,WAAW;IACX,0BAA0B;IAC1B,oBAAoB;IACpB,iBAAiB;IACjB,kBAAkB;IAClB,wBAAwB;CACzB,CAAC"}

package/dist/auth/generators/fastify/auth-module/templates/management.ts ADDED Viewed

@@ -0,0 +1,22 @@
+// @ts-nocheck
+import { config } from '%configServiceImports';
+import { ManagementClient } from 'auth';
+let cachedClient: ManagementClient | null = null;
+export function getAuthManagementClient(): ManagementClient {
+  if (cachedClient) {
+    return cachedClient;
+  }
+  const client = new ManagementClient({
+    domain: config.AUTH_TENANT_DOMAIN,
+    clientId: config.AUTH_CLIENT_ID,
+    clientSecret: config.AUTH_CLIENT_SECRET,
+  });
+  cachedClient = client;
+  return client;
+}

package/dist/auth/generators/fastify/auth-module/templates/schema/user-session-payload.object-type.ts ADDED Viewed

@@ -0,0 +1,23 @@
+// @ts-nocheck
+import { builder } from '%pothosImports';
+export const userSessionPayload = builder.simpleObject(
+  'UserSessionPayload',
+  {
+    fields: (t) => ({
+      expiresAt: t.field({ type: 'DateTime' }),
+      userId: t.field({ type: 'Uuid' }),
+    }),
+  },
+  (t) => ({
+    user: t.prismaField({
+      type: TPL_USER_OBJECT_TYPE,
+      resolve: async (query, root) =>
+        TPL_PRISMA_USER.findUniqueOrThrow({
+          where: { id: root.userId },
+          ...query,
+        }),
+    }),
+  }),
+);

package/dist/auth/generators/fastify/auth-module/templates/schema/user-session.mutations.ts ADDED Viewed

@@ -0,0 +1,22 @@
+// @ts-nocheck
+import { builder } from '%pothosImports';
+import { userSessionService } from '../services/user-session.service.js';
+builder.mutationField('logOut', (t) =>
+  t.fieldWithInputPayload({
+    payload: {
+      success: t.payload.boolean({
+        description: 'Whether the logout was successful.',
+      }),
+    },
+    resolve: async (parent, args, context) => {
+      if (context.auth.session && context.auth.session.type === 'user') {
+        await userSessionService.clearSession(context.auth.session, context);
+      }
+      return { success: true };
+    },
+  }),
+);

package/dist/auth/generators/fastify/auth-module/templates/schema/user-session.queries.ts ADDED Viewed

@@ -0,0 +1,20 @@
+// @ts-nocheck
+import { builder } from '%pothosImports';
+builder.queryField('currentUser', (t) =>
+  t.prismaField({
+    type: 'User',
+    nullable: true,
+    resolve: async (query, root, args, { auth }) => {
+      if (!auth.userId) {
+        return null;
+      }
+      return TPL_PRISMA_USER.findUniqueOrThrow({
+        ...query,
+        where: { id: auth.userId },
+      });
+    },
+  }),
+);

package/dist/auth/generators/fastify/auth-module/templates/services/user-session.service.ts ADDED Viewed

@@ -0,0 +1,251 @@
+// @ts-nocheck
+import type { AuthUserSessionInfo } from '%authContextImports';
+import type { AuthRole } from '%authRolesImports';
+import type { RequestServiceContext } from '%requestServiceContextImports';
+import type {
+  UserSessionPayload,
+  UserSessionService,
+} from '%userSessionTypesImports';
+import type { CookieSerializeOptions } from '@fastify/cookie';
+import type { FastifyReply, FastifyRequest } from 'fastify';
+import { InvalidSessionError } from '%authContextImports';
+import { DEFAULT_USER_ROLES } from '%authRolesImports';
+import { config } from '%configServiceImports';
+import { ForbiddenError } from '%errorHandlerServiceImports';
+import { randomBytes } from 'node:crypto';
+import {
+  USER_SESSION_DURATION_SEC,
+  USER_SESSION_MAX_LIFETIME_SEC,
+  USER_SESSION_RENEWAL_THRESHOLD_SEC,
+} from '../constants/user-session.constants.js';
+import { signObject, unsignObject } from '../utils/cookie-signer.js';
+import { getUserSessionCookieName } from '../utils/session-cookie.js';
+import { verifyRequestOrigin } from '../utils/verify-request-origin.js';
+interface SessionCookieValue {
+  // Session token
+  token: string;
+}
+const COOKIE_OPTIONS: CookieSerializeOptions = {
+  httpOnly: true,
+  sameSite: 'lax',
+  secure: config.APP_ENVIRONMENT !== 'development',
+  maxAge: USER_SESSION_DURATION_SEC,
+  path: '/',
+};
+/**
+ * Validates the expiry of a user session and determines if it needs to be renewed.
+ *
+ * @param currentDate The current date and time.
+ * @param userSession The session details.
+ * @param userSession.expiresAt The date and time when the session expires.
+ * @param userSession.createdAt The date and time when the session was created.
+ * @param userSession.renewedAt The date and time when the session was last renewed.
+ * @returns The validity of the session and the new expiry date if applicable.
+ */
+function validateSessionExpiry(
+  currentDate: Date,
+  userSession: {
+    expiresAt: Date;
+    createdAt: Date;
+    renewedAt: Date;
+  },
+): { valid: boolean; newExpiry: Date | null } {
+  // check if session is expired
+  if (userSession.expiresAt < currentDate) {
+    return { valid: false, newExpiry: null };
+  }
+  // check if session needs renewal
+  const shouldRenewBy =
+    userSession.renewedAt.getTime() + USER_SESSION_RENEWAL_THRESHOLD_SEC * 1000;
+  if (shouldRenewBy < currentDate.getTime()) {
+    const newExpiry = currentDate.getTime() + USER_SESSION_DURATION_SEC * 1000;
+    const maxExpiry =
+      USER_SESSION_MAX_LIFETIME_SEC === 0
+        ? undefined
+        : userSession.createdAt.getTime() +
+          USER_SESSION_MAX_LIFETIME_SEC * 1000;
+    return {
+      valid: true,
+      newExpiry: new Date(Math.min(newExpiry, maxExpiry ?? newExpiry)),
+    };
+  }
+  return { valid: true, newExpiry: null };
+}
+/**
+ * Generates a session token
+ *
+ * @returns The session token
+ */
+function generateSessionToken(): string {
+  return randomBytes(16).toString('base64url');
+}
+export class CookieUserSessionService implements UserSessionService {
+  /**
+   * Creates a user session cookie and sets it in the response.
+   *
+   * @param userId The ID of the user for whom the session is being created.
+   * @param context The request service context
+   * @param currentDate The current date and time. Defaults to the current date and time.
+   * @returns The session payload
+   */
+  async createSession(
+    userId: string,
+    context: RequestServiceContext,
+    currentDate: Date = new Date(),
+  ): Promise<UserSessionPayload> {
+    const token = generateSessionToken();
+    const expiresAt = new Date(
+      currentDate.getTime() + USER_SESSION_DURATION_SEC * 1000,
+    );
+    await TPL_PRISMA_USER_SESSION.create({
+      data: {
+        user: { connect: { id: userId } },
+        token,
+        expiresAt,
+      },
+    });
+    const cookieName = getUserSessionCookieName(context.reqInfo.headers);
+    const cookieValue = signObject({ token }, config.AUTH_SECRET);
+    context.cookieStore.set(cookieName, cookieValue, COOKIE_OPTIONS);
+    return { userId, expiresAt };
+  }
+  /**
+   * Ends the user session by clearing the session cookie and deleting the session from the database.
+   *
+   * @param sessionInfo The session info
+   * @param context The request service context
+   */
+  async clearSession(
+    sessionInfo: AuthUserSessionInfo,
+    context: RequestServiceContext,
+  ): Promise<void> {
+    await TPL_PRISMA_USER_SESSION.delete({
+      where: { id: sessionInfo.id },
+    });
+    const cookieName = getUserSessionCookieName(context.reqInfo.headers);
+    context.cookieStore.clear(cookieName);
+  }
+  /**
+   * Retrieves the user session information from the request.
+   *
+   * @param req - The Fastify request object containing the cookies.
+   * @param reply - The Fastify reply object used to set or clear cookies.
+   * @param currentDate - The current date used for session validation. Defaults to the current date and time.
+   * @returns A promise that resolves to the authenticated user session information or null if the session is invalid.
+   * @throws {InvalidSessionError} If the session is invalid or expired.
+   */
+  async getSessionInfoFromRequest(
+    req: FastifyRequest,
+    reply?: FastifyReply,
+  ): Promise<AuthUserSessionInfo | undefined> {
+    const currentDate = new Date();
+    // Check Origin header for non-GET/HEAD requests to prevent CSRF attacks
+    if (
+      (req.method !== 'GET' ||
+        req.headers.upgrade?.toLowerCase() === 'websocket') &&
+      req.method !== 'HEAD' &&
+      !verifyRequestOrigin(req, [req.host])
+    ) {
+      throw new ForbiddenError('Invalid Origin header');
+    }
+    const cookieName = getUserSessionCookieName(req.headers);
+    try {
+      // Check if the session cookie is present
+      const sessionCookieValue = req.cookies[cookieName];
+      if (!sessionCookieValue) return undefined;
+      // Unsign the session cookie
+      const sessionCookieResult = unsignObject(
+        sessionCookieValue,
+        config.AUTH_SECRET,
+      ) as SessionCookieValue | undefined;
+      if (!sessionCookieResult) throw new InvalidSessionError();
+      const { token } = sessionCookieResult;
+      if (typeof token !== 'string') throw new InvalidSessionError();
+      // Fetch and validate user session
+      const userSession = await TPL_PRISMA_USER_SESSION.findUnique({
+        where: { token },
+        include: { user: { select: { id: true, roles: true } } },
+      });
+      if (!userSession) throw new InvalidSessionError();
+      const sessionExpiryResult = validateSessionExpiry(
+        currentDate,
+        userSession,
+      );
+      if (!sessionExpiryResult.valid)
+        throw new InvalidSessionError('Session expired');
+      // renew the session if needed
+      if (sessionExpiryResult.newExpiry && reply) {
+        await TPL_PRISMA_USER_SESSION.update({
+          where: { id: userSession.id },
+          data: {
+            renewedAt: currentDate,
+            expiresAt: sessionExpiryResult.newExpiry,
+          },
+        });
+        const newSignedCookie = signObject({ token }, config.AUTH_SECRET);
+        reply.setCookie(cookieName, newSignedCookie, COOKIE_OPTIONS);
+      }
+      const { user } = userSession;
+      const expiresAt = sessionExpiryResult.newExpiry ?? userSession.expiresAt;
+      return {
+        id: userSession.id,
+        type: 'user',
+        roles: [
+          ...DEFAULT_USER_ROLES,
+          ...user.roles.map((role) => role.role as AuthRole),
+        ],
+        userId: user.id,
+        expiresAt,
+      };
+    } catch (err) {
+      // clear the cookie if it's invalid
+      if (err instanceof InvalidSessionError && reply) {
+        reply.clearCookie(cookieName);
+      }
+      throw err;
+    }
+  }
+  /**
+   * Retrieves the user session information from the authentication token
+   *
+   * Note: Since we use cookies, we ignore the authToken parameter
+   *
+   * @param req The request object
+   * @returns The session info or undefined if no session is found
+   */
+  async getSessionInfoFromToken(
+    req: FastifyRequest,
+  ): Promise<AuthUserSessionInfo | undefined> {
+    return this.getSessionInfoFromRequest(req, undefined);
+  }
+}
+export const userSessionService = new CookieUserSessionService();

package/dist/auth/generators/fastify/auth-module/templates/user-session.constants.ts ADDED Viewed

@@ -0,0 +1,19 @@
+// @ts-nocheck
+/**
+ * Defines the duration of a user session before it expires, in seconds.
+ */
+export const USER_SESSION_DURATION_SEC = 14 * 24 * 60 * 60; // 14 days
+/**
+ * Defines the duration after which a user session should be renewed, in seconds.
+ */
+export const USER_SESSION_RENEWAL_THRESHOLD_SEC = 1 * 24 * 60 * 60; // 1 day
+/**
+ * Sets the maximum possible lifespan of a user session, in seconds, including renewals.
+ *
+ * A value of 0 allows the session to persist indefinitely, provided it is renewed
+ * before the session expiration.
+ */
+export const USER_SESSION_MAX_LIFETIME_SEC = 0 as number;

package/dist/auth/generators/fastify/auth-module/templates/user-session.service.ts ADDED Viewed

@@ -0,0 +1,101 @@
+// @ts-nocheck
+import type { AuthUserSessionInfo } from '%authContextImports';
+import type { AuthRole } from '%authRolesImports';
+import type { UserSessionService } from '%userSessionTypesImports';
+import type { FastifyRequest } from 'fastify';
+import { DEFAULT_USER_ROLES } from '%authRolesImports';
+const USER_ID_CLAIM = 'https://app.com/user_id';
+const EMAIL_CLAIM = 'https://app.com/email';
+const EMAIL_VERIFIED_CLAIM = 'https://app.com/email_verified';
+const ROLES_CLAIM = 'https://app.com/roles';
+interface AuthJwt {
+  [USER_ID_CLAIM]?: string;
+  [EMAIL_CLAIM]?: string;
+  [EMAIL_VERIFIED_CLAIM]?: boolean;
+  [ROLES_CLAIM]?: string[];
+  sub: string;
+  email: string;
+  exp: number;
+}
+export class AuthUserSessionService implements UserSessionService {
+  /**
+   * Retrieves the user session information from the request.
+   *
+   * @param req - The Fastify request object containing the cookies.
+   * @param reply - The Fastify reply object used to set or clear cookies.
+   * @param currentDate - The current date used for session validation. Defaults to the current date and time.
+   * @returns A promise that resolves to the authenticated user session information or null if the session is invalid.
+   * @throws {InvalidSessionError} If the session is invalid or expired.
+   */
+  async getSessionInfoFromRequest(
+    req: FastifyRequest,
+  ): Promise<AuthUserSessionInfo | undefined> {
+    if (!req.headers.authorization) {
+      return undefined;
+    }
+    const verifiedJwt = await req.jwtVerify<AuthJwt>();
+    const userId = verifiedJwt[USER_ID_CLAIM];
+    const roles = verifiedJwt[ROLES_CLAIM] ?? [];
+    const email = verifiedJwt[EMAIL_CLAIM];
+    if (!userId) {
+      throw new Error(`Missing user id in JWT`);
+    }
+    const user = await TPL_USER_MODEL.findUnique({ where: { id: userId } });
+    // create user if one does not exist already
+    if (!email) {
+      throw new Error(`Missing email claim in JWT`);
+    }
+    if (!user) {
+      // Use createMany to avoid race-conditions with creating the user
+      await TPL_USER_MODEL.createMany({
+        data: [
+          {
+            id: userId,
+            authId: verifiedJwt.sub,
+            email,
+          },
+        ],
+        skipDuplicates: true,
+      });
+    }
+    return {
+      id: verifiedJwt.sub,
+      type: 'user',
+      userId,
+      roles: [...DEFAULT_USER_ROLES, ...roles] as AuthRole[],
+      expiresAt:
+        typeof verifiedJwt.exp === 'number'
+          ? new Date(verifiedJwt.exp * 1000)
+          : undefined,
+    };
+  }
+  /**
+   * Retrieves the user session information from the authentication token
+   *
+   * @param req The request object
+   * @returns The session info or undefined if no session is found
+   */
+  async getSessionInfoFromToken(
+    req: FastifyRequest,
+    token?: string | null,
+  ): Promise<AuthUserSessionInfo | undefined> {
+    // We have to manually add the header to the request since we can't
+    // use server.jwt.verify due to an error
+    req.headers.authorization = token ?? undefined;
+    return this.getSessionInfoFromRequest(req);
+  }
+}
+export const userSessionService = new AuthUserSessionService();

package/dist/auth/generators/fastify/auth-module/templates/utils/cookie-signer.ts ADDED Viewed

@@ -0,0 +1,71 @@
+// @ts-nocheck
+import * as crypto from 'node:crypto';
+/**
+ * Sign the given `val` with `secret` using HMAC-SHA256.
+ *
+ * @param val - The value to sign.
+ * @param secret - The secret key to use for signing.
+ * @returns The signed value.
+ */
+export function sign(val: string, secret: string): string {
+  return `${val}.${crypto
+    .createHmac('sha256', secret)
+    .update(val)
+    .digest('base64')
+    // remove all equal signs since they are not valid in cookie values
+    .replaceAll('=', '')}`;
+}
+/**
+ * Unsign and decode the given `input` with `secret`,
+ *
+ * @param input - The signed cookie string to unsign.
+ * @param secret - The secret key used for signing.
+ * @returns The unsigned value or undefined if the signature is invalid.
+ */
+export function unsign(input: string, secret: string): string | undefined {
+  const tentativeValue = input.slice(0, input.lastIndexOf('.'));
+  const expectedInput = sign(tentativeValue, secret);
+  const expectedBuffer = Buffer.from(expectedInput);
+  const inputBuffer = Buffer.from(input);
+  if (
+    expectedBuffer.length !== inputBuffer.length ||
+    !crypto.timingSafeEqual(expectedBuffer, inputBuffer)
+  ) {
+    return undefined;
+  }
+  return tentativeValue;
+}
+/**
+ * Sign an object by JSON stringifying and base64 encoding it, then signing with secret.
+ *
+ * @param obj - The object to sign.
+ * @param secret - The secret key to use for signing.
+ * @returns The signed encoded object.
+ */
+export function signObject(obj: unknown, secret: string): string {
+  const encoded = Buffer.from(JSON.stringify(obj)).toString('base64url');
+  return sign(encoded, secret);
+}
+/**
+ * Unsign and decode an object that was signed with signObject.
+ *
+ * @param input - The signed encoded object string to unsign.
+ * @param secret - The secret key used for signing.
+ * @returns The decoded object or undefined if the signature is invalid.
+ */
+export function unsignObject(input: string, secret: string): unknown {
+  const unsigned = unsign(input, secret);
+  if (!unsigned) return undefined;
+  try {
+    const decoded = Buffer.from(unsigned, 'base64url').toString('utf8');
+    return JSON.parse(decoded);
+  } catch {
+    return undefined;
+  }
+}

package/dist/auth/generators/fastify/auth-module/templates/utils/session-cookie.ts ADDED Viewed

@@ -0,0 +1,42 @@
+// @ts-nocheck
+import type { FastifyRequest } from 'fastify';
+import { config } from '%configServiceImports';
+const COOKIE_NAME = 'user-session';
+/**
+ * Retrieves the name of the session cookie based on the provided request.
+ * If the application environment is not 'development', the cookie name will be prefixed with '__Host-'.
+ * In development, the cookie name will be suffixed with the port number.
+ *
+ * @param req - The FastifyRequest object representing the incoming request.
+ * @returns The name of the Iron session cookie.
+ */
+export function getUserSessionCookieName(
+  headers: FastifyRequest['headers'],
+): string {
+  if (config.APP_ENVIRONMENT !== 'development') {
+    return `__Host-${COOKIE_NAME}`;
+  }
+  // in development, localhost does not support the __Host prefix and should be scoped to port
+  // use origin/referer header to determine hostname because dev reverse proxies use origin/referer to signal the original host
+  const { origin, referer } = headers;
+  const originalHost = origin ?? referer;
+  let port;
+  try {
+    if (!originalHost) {
+      port = config.SERVER_PORT;
+    } else {
+      const url = new URL(originalHost);
+      const parsedPort = Number.parseInt(url.port, 10);
+      // Validate port is in valid range (1-65535)
+      port =
+        parsedPort > 0 && parsedPort < 65_536 ? parsedPort : config.SERVER_PORT;
+    }
+  } catch {
+    port = config.SERVER_PORT;
+  }
+  return `${COOKIE_NAME}-${port}`;
+}