@benefi/auth 1.0.4

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export { createTokenVerifier } from "./src/verify";
+export { ERROR_CODES } from "./src/constants";
+export type { VerifyResult, VerifySuccess, VerifyError, DecodedJwt, SecretInput, JwtSecretConfig, ErrorCode, } from "./src/types";

package/dist/index.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ERROR_CODES = exports.createTokenVerifier = void 0;
+var verify_1 = require("./src/verify");
+Object.defineProperty(exports, "createTokenVerifier", { enumerable: true, get: function () { return verify_1.createTokenVerifier; } });
+var constants_1 = require("./src/constants");
+Object.defineProperty(exports, "ERROR_CODES", { enumerable: true, get: function () { return constants_1.ERROR_CODES; } });

package/dist/src/aws.d.ts

@@ -0,0 +1,9 @@
+import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
+import type { SecretInput } from "./types";
+export type { JwtSecretConfig, SecretInput } from "./types";
+export declare function normalizeSecretConfig(secretOrConfig: SecretInput): {
+    secretId: string;
+    region: string;
+};
+export declare function createSecretsManagerClient(region: string): SecretsManagerClient;
+export declare function getSecret(client: SecretsManagerClient, secretId: string, versionStage: "AWSCURRENT" | "AWSPREVIOUS"): Promise<string>;

package/dist/src/aws.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeSecretConfig = normalizeSecretConfig;
+exports.createSecretsManagerClient = createSecretsManagerClient;
+exports.getSecret = getSecret;
+const client_secrets_manager_1 = require("@aws-sdk/client-secrets-manager");
+const constants_1 = require("./constants");
+function normalizeSecretConfig(secretOrConfig) {
+    if (typeof secretOrConfig === "string") {
+        return { secretId: secretOrConfig, region: constants_1.DEFAULT_AWS_REGION };
+    }
+    return {
+        secretId: secretOrConfig.secretId,
+        region: secretOrConfig.region ?? constants_1.DEFAULT_AWS_REGION,
+    };
+}
+function createSecretsManagerClient(region) {
+    return new client_secrets_manager_1.SecretsManagerClient({ region });
+}
+async function getSecret(client, secretId, versionStage) {
+    const command = new client_secrets_manager_1.GetSecretValueCommand({
+        SecretId: secretId,
+        VersionStage: versionStage,
+    });
+    const response = await client.send(command);
+    if (!response.SecretString) {
+        throw new Error(`JWT secret "${secretId}" has empty SecretString for ${versionStage}`);
+    }
+    return response.SecretString;
+}

package/dist/src/constants.d.ts

@@ -0,0 +1,10 @@
+export declare const DEFAULT_AWS_REGION = "us-east-1";
+export declare const TOKEN_REQUIRED_MESSAGE = "Token is required";
+export declare const TOKEN_EXPIRED_MESSAGE = "Token has expired";
+export declare const TOKEN_INVALID_MESSAGE = "Invalid token";
+export declare const ERROR_CODES: {
+    readonly TOKEN_REQUIRED: "TOKEN_REQUIRED";
+    readonly TOKEN_EXPIRED: "TOKEN_EXPIRED";
+    readonly INVALID_TOKEN: "INVALID_TOKEN";
+    readonly SECRET_ERROR: "SECRET_ERROR";
+};

package/dist/src/constants.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ERROR_CODES = exports.TOKEN_INVALID_MESSAGE = exports.TOKEN_EXPIRED_MESSAGE = exports.TOKEN_REQUIRED_MESSAGE = exports.DEFAULT_AWS_REGION = void 0;
+exports.DEFAULT_AWS_REGION = "us-east-1";
+exports.TOKEN_REQUIRED_MESSAGE = "Token is required";
+exports.TOKEN_EXPIRED_MESSAGE = "Token has expired";
+exports.TOKEN_INVALID_MESSAGE = "Invalid token";
+exports.ERROR_CODES = {
+    TOKEN_REQUIRED: "TOKEN_REQUIRED",
+    TOKEN_EXPIRED: "TOKEN_EXPIRED",
+    INVALID_TOKEN: "INVALID_TOKEN",
+    SECRET_ERROR: "SECRET_ERROR",
+};

package/dist/src/express.d.ts

@@ -0,0 +1,2 @@
+import { Request, Response, NextFunction } from "express";
+export declare function tokenValidationMiddleware(secret: string): (req: Request, res: Response, next: NextFunction) => Response<any, Record<string, any>> | undefined;

package/dist/src/express.js

@@ -0,0 +1,63 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.tokenValidationMiddleware = tokenValidationMiddleware;
+const jsonwebtoken_1 = __importStar(require("jsonwebtoken"));
+function tokenValidationMiddleware(secret) {
+    return function (req, res, next) {
+        try {
+            const token = req.header("Authorization")?.replace(/^Bearer\s+/, "") ||
+                req.cookies.accessToken;
+            if (!token) {
+                return res
+                    .status(401)
+                    .json({ data: {}, error: { message: "Token is required" } });
+            }
+            const decoded = jsonwebtoken_1.default.verify(token, secret);
+            req.body.customerId = decoded.customerId;
+            next();
+        }
+        catch (err) {
+            if (err instanceof jsonwebtoken_1.TokenExpiredError) {
+                return res
+                    .status(401)
+                    .json({ data: {}, error: { message: "Token has expired" } });
+            }
+            return res
+                .status(401)
+                .json({ data: {}, error: { message: "Invalid token" } });
+        }
+    };
+}

package/dist/src/middleware.d.ts

@@ -0,0 +1,10 @@
+import { Request, Response, NextFunction } from "express";
+import { NestMiddleware } from "@nestjs/common";
+import { SecretInput } from "./aws";
+export declare class TokenValidationMiddleware implements NestMiddleware {
+    private readonly verifyToken;
+    constructor(secretOrConfig: SecretInput);
+    private handle;
+    use(req: Request, res: Response, next: NextFunction): void;
+    express(): (req: Request, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+}

package/dist/src/middleware.js

@@ -0,0 +1,97 @@
+"use strict";
+var __esDecorate = (this && this.__esDecorate) || function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
+    function accept(f) { if (f !== void 0 && typeof f !== "function") throw new TypeError("Function expected"); return f; }
+    var kind = contextIn.kind, key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value";
+    var target = !descriptorIn && ctor ? contextIn["static"] ? ctor : ctor.prototype : null;
+    var descriptor = descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {});
+    var _, done = false;
+    for (var i = decorators.length - 1; i >= 0; i--) {
+        var context = {};
+        for (var p in contextIn) context[p] = p === "access" ? {} : contextIn[p];
+        for (var p in contextIn.access) context.access[p] = contextIn.access[p];
+        context.addInitializer = function (f) { if (done) throw new TypeError("Cannot add initializers after decoration has completed"); extraInitializers.push(accept(f || null)); };
+        var result = (0, decorators[i])(kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key], context);
+        if (kind === "accessor") {
+            if (result === void 0) continue;
+            if (result === null || typeof result !== "object") throw new TypeError("Object expected");
+            if (_ = accept(result.get)) descriptor.get = _;
+            if (_ = accept(result.set)) descriptor.set = _;
+            if (_ = accept(result.init)) initializers.unshift(_);
+        }
+        else if (_ = accept(result)) {
+            if (kind === "field") initializers.unshift(_);
+            else descriptor[key] = _;
+        }
+    }
+    if (target) Object.defineProperty(target, contextIn.name, descriptor);
+    done = true;
+};
+var __runInitializers = (this && this.__runInitializers) || function (thisArg, initializers, value) {
+    var useValue = arguments.length > 2;
+    for (var i = 0; i < initializers.length; i++) {
+        value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg);
+    }
+    return useValue ? value : void 0;
+};
+var __setFunctionName = (this && this.__setFunctionName) || function (f, name, prefix) {
+    if (typeof name === "symbol") name = name.description ? "[".concat(name.description, "]") : "";
+    return Object.defineProperty(f, "name", { configurable: true, value: prefix ? "".concat(prefix, " ", name) : name });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenValidationMiddleware = void 0;
+const common_1 = require("@nestjs/common");
+const jsonwebtoken_1 = require("jsonwebtoken");
+const constants_1 = require("./constants");
+const validation_1 = require("./validation");
+let TokenValidationMiddleware = (() => {
+    let _classDecorators = [(0, common_1.Injectable)()];
+    let _classDescriptor;
+    let _classExtraInitializers = [];
+    let _classThis;
+    var TokenValidationMiddleware = _classThis = class {
+        constructor(secretOrConfig) {
+            this.verifyToken = (0, validation_1.createJwtVerifier)(secretOrConfig);
+        }
+        async handle(req, res, next) {
+            try {
+                const token = req.header("Authorization")?.replace(/^Bearer\s+/, "") ||
+                    req.cookies.accessToken;
+                if (!token) {
+                    return res
+                        .status(401)
+                        .json({ data: {}, error: { message: constants_1.TOKEN_REQUIRED_MESSAGE } });
+                }
+                const decoded = await this.verifyToken(token);
+                req.body.customerId = decoded.customerId;
+                return next();
+            }
+            catch (err) {
+                if (err instanceof jsonwebtoken_1.TokenExpiredError) {
+                    return res
+                        .status(401)
+                        .json({ data: {}, error: { message: constants_1.TOKEN_EXPIRED_MESSAGE } });
+                }
+                return res
+                    .status(401)
+                    .json({ data: {}, error: { message: constants_1.TOKEN_INVALID_MESSAGE } });
+            }
+        }
+        // NestJS calls this
+        use(req, res, next) {
+            void this.handle(req, res, next);
+        }
+        express() {
+            return this.handle.bind(this);
+        }
+    };
+    __setFunctionName(_classThis, "TokenValidationMiddleware");
+    (() => {
+        const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(null) : void 0;
+        __esDecorate(null, _classDescriptor = { value: _classThis }, _classDecorators, { kind: "class", name: _classThis.name, metadata: _metadata }, null, _classExtraInitializers);
+        TokenValidationMiddleware = _classThis = _classDescriptor.value;
+        if (_metadata) Object.defineProperty(_classThis, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
+        __runInitializers(_classThis, _classExtraInitializers);
+    })();
+    return TokenValidationMiddleware = _classThis;
+})();
+exports.TokenValidationMiddleware = TokenValidationMiddleware;

package/dist/src/nest.d.ts

@@ -0,0 +1,7 @@
+import { NestMiddleware } from "@nestjs/common";
+import { Request, Response, NextFunction } from "express";
+export declare class TokenValidationMiddleware implements NestMiddleware {
+    private secret;
+    constructor(secret: string);
+    use(req: Request, res: Response, next: NextFunction): Response<any, Record<string, any>> | undefined;
+}

package/dist/src/nest.js

@@ -0,0 +1,121 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __esDecorate = (this && this.__esDecorate) || function (ctor, descriptorIn, decorators, contextIn, initializers, extraInitializers) {
+    function accept(f) { if (f !== void 0 && typeof f !== "function") throw new TypeError("Function expected"); return f; }
+    var kind = contextIn.kind, key = kind === "getter" ? "get" : kind === "setter" ? "set" : "value";
+    var target = !descriptorIn && ctor ? contextIn["static"] ? ctor : ctor.prototype : null;
+    var descriptor = descriptorIn || (target ? Object.getOwnPropertyDescriptor(target, contextIn.name) : {});
+    var _, done = false;
+    for (var i = decorators.length - 1; i >= 0; i--) {
+        var context = {};
+        for (var p in contextIn) context[p] = p === "access" ? {} : contextIn[p];
+        for (var p in contextIn.access) context.access[p] = contextIn.access[p];
+        context.addInitializer = function (f) { if (done) throw new TypeError("Cannot add initializers after decoration has completed"); extraInitializers.push(accept(f || null)); };
+        var result = (0, decorators[i])(kind === "accessor" ? { get: descriptor.get, set: descriptor.set } : descriptor[key], context);
+        if (kind === "accessor") {
+            if (result === void 0) continue;
+            if (result === null || typeof result !== "object") throw new TypeError("Object expected");
+            if (_ = accept(result.get)) descriptor.get = _;
+            if (_ = accept(result.set)) descriptor.set = _;
+            if (_ = accept(result.init)) initializers.unshift(_);
+        }
+        else if (_ = accept(result)) {
+            if (kind === "field") initializers.unshift(_);
+            else descriptor[key] = _;
+        }
+    }
+    if (target) Object.defineProperty(target, contextIn.name, descriptor);
+    done = true;
+};
+var __runInitializers = (this && this.__runInitializers) || function (thisArg, initializers, value) {
+    var useValue = arguments.length > 2;
+    for (var i = 0; i < initializers.length; i++) {
+        value = useValue ? initializers[i].call(thisArg, value) : initializers[i].call(thisArg);
+    }
+    return useValue ? value : void 0;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __setFunctionName = (this && this.__setFunctionName) || function (f, name, prefix) {
+    if (typeof name === "symbol") name = name.description ? "[".concat(name.description, "]") : "";
+    return Object.defineProperty(f, "name", { configurable: true, value: prefix ? "".concat(prefix, " ", name) : name });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenValidationMiddleware = void 0;
+const common_1 = require("@nestjs/common");
+const jsonwebtoken_1 = __importStar(require("jsonwebtoken"));
+let TokenValidationMiddleware = (() => {
+    let _classDecorators = [(0, common_1.Injectable)()];
+    let _classDescriptor;
+    let _classExtraInitializers = [];
+    let _classThis;
+    var TokenValidationMiddleware = _classThis = class {
+        constructor(secret) {
+            this.secret = secret;
+        }
+        use(req, res, next) {
+            try {
+                const token = req.header("Authorization")?.replace(/^Bearer\s+/, "") ||
+                    req.cookies.accessToken;
+                if (!token) {
+                    return res
+                        .status(401)
+                        .json({ data: {}, error: { message: "Token is required" } });
+                }
+                const decoded = jsonwebtoken_1.default.verify(token, this.secret);
+                req.body.customerId = decoded.customerId;
+                next();
+            }
+            catch (err) {
+                if (err instanceof jsonwebtoken_1.TokenExpiredError) {
+                    return res
+                        .status(401)
+                        .json({ data: {}, error: { message: "Token has expired" } });
+                }
+                return res
+                    .status(401)
+                    .json({ data: {}, error: { message: "Invalid token" } });
+            }
+        }
+    };
+    __setFunctionName(_classThis, "TokenValidationMiddleware");
+    (() => {
+        const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(null) : void 0;
+        __esDecorate(null, _classDescriptor = { value: _classThis }, _classDecorators, { kind: "class", name: _classThis.name, metadata: _metadata }, null, _classExtraInitializers);
+        TokenValidationMiddleware = _classThis = _classDescriptor.value;
+        if (_metadata) Object.defineProperty(_classThis, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
+        __runInitializers(_classThis, _classExtraInitializers);
+    })();
+    return TokenValidationMiddleware = _classThis;
+})();
+exports.TokenValidationMiddleware = TokenValidationMiddleware;

package/dist/src/types.d.ts

@@ -0,0 +1,26 @@
+export type JwtSecretConfig = {
+    secretId: string;
+    region?: string;
+};
+export type SecretInput = string | JwtSecretConfig;
+export type DecodedJwt = {
+    customerId: string;
+    iat: number;
+    exp: number;
+};
+/** Error code returned when verification fails. */
+export type ErrorCode = "TOKEN_REQUIRED" | "TOKEN_EXPIRED" | "INVALID_TOKEN" | "SECRET_ERROR";
+/** Success result: decoded payload + original token. */
+export type VerifySuccess = {
+    success: true;
+    data: DecodedJwt;
+    token: string;
+};
+export type VerifyError = {
+    success: false;
+    error: {
+        code: ErrorCode;
+        message: string;
+    };
+};
+export type VerifyResult = VerifySuccess | VerifyError;

package/dist/src/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/validation.d.ts

@@ -0,0 +1,5 @@
+import { TokenExpiredError } from "jsonwebtoken";
+import type { DecodedJwt, SecretInput } from "./types";
+export type { DecodedJwt } from "./types";
+export { TokenExpiredError };
+export declare function createJwtVerifier(secretOrConfig: SecretInput): (token: string) => Promise<DecodedJwt>;

package/dist/src/validation.js

@@ -0,0 +1,69 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenExpiredError = void 0;
+exports.createJwtVerifier = createJwtVerifier;
+const jsonwebtoken_1 = __importStar(require("jsonwebtoken"));
+Object.defineProperty(exports, "TokenExpiredError", { enumerable: true, get: function () { return jsonwebtoken_1.TokenExpiredError; } });
+const aws_1 = require("./aws");
+function toDecodedJwt(payload) {
+    return {
+        customerId: String(payload.customerId ?? ""),
+        iat: Number(payload.iat ?? 0),
+        exp: Number(payload.exp ?? 0),
+    };
+}
+function createJwtVerifier(secretOrConfig) {
+    const { secretId, region } = (0, aws_1.normalizeSecretConfig)(secretOrConfig);
+    const client = (0, aws_1.createSecretsManagerClient)(region);
+    return async function verifyTokenWithRotation(token) {
+        // 1) Try latest version (AWSCURRENT)
+        const currentSecret = await (0, aws_1.getSecret)(client, secretId, "AWSCURRENT");
+        try {
+            const payload = jsonwebtoken_1.default.verify(token, currentSecret);
+            return toDecodedJwt(payload);
+        }
+        catch (err) {
+            // If token is expired with the current secret, surface that directly.
+            if (err instanceof jsonwebtoken_1.TokenExpiredError) {
+                throw err;
+            }
+            // 2) Any other verification error with current → try previous version
+            const previousSecret = await (0, aws_1.getSecret)(client, secretId, "AWSPREVIOUS");
+            const payload = jsonwebtoken_1.default.verify(token, previousSecret);
+            return toDecodedJwt(payload);
+        }
+    };
+}

package/dist/src/verify.d.ts

@@ -0,0 +1,15 @@
+import type { SecretInput, VerifyResult } from "./types";
+export type { VerifyResult, VerifySuccess, VerifyError } from "./types";
+/**
+ * Creates a verifier that takes a token and returns either the decoded payload
+ * or a structured error. You handle 401/other status codes in your app.
+ *
+ * @example
+ * const verifier = createTokenVerifier({ secretId: process.env.DEV_JWT_SECRET!, region: "us-east-1" });
+ * const result = await verifier(token);
+ * if (!result.success) {
+ *   return res.status(401).json({ error: result.error });
+ * }
+ * req.customerId = result.data.customerId;
+ */
+export declare function createTokenVerifier(secretOrConfig: SecretInput): (token: string) => Promise<VerifyResult>;

package/dist/src/verify.js

@@ -0,0 +1,62 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTokenVerifier = createTokenVerifier;
+const jsonwebtoken_1 = require("jsonwebtoken");
+const constants_1 = require("./constants");
+const validation_1 = require("./validation");
+/**
+ * Creates a verifier that takes a token and returns either the decoded payload
+ * or a structured error. You handle 401/other status codes in your app.
+ *
+ * @example
+ * const verifier = createTokenVerifier({ secretId: process.env.DEV_JWT_SECRET!, region: "us-east-1" });
+ * const result = await verifier(token);
+ * if (!result.success) {
+ *   return res.status(401).json({ error: result.error });
+ * }
+ * req.customerId = result.data.customerId;
+ */
+function createTokenVerifier(secretOrConfig) {
+    const verifyToken = (0, validation_1.createJwtVerifier)(secretOrConfig);
+    return async function verify(token) {
+        if (!token || typeof token !== "string" || !token.trim()) {
+            return {
+                success: false,
+                error: {
+                    code: "TOKEN_REQUIRED",
+                    message: constants_1.TOKEN_REQUIRED_MESSAGE,
+                },
+            };
+        }
+        const trimmedToken = token.trim();
+        try {
+            const data = await verifyToken(trimmedToken);
+            return { success: true, data, token: trimmedToken };
+        }
+        catch (err) {
+            if (err instanceof jsonwebtoken_1.TokenExpiredError) {
+                return {
+                    success: false,
+                    error: {
+                        code: "TOKEN_EXPIRED",
+                        message: constants_1.TOKEN_EXPIRED_MESSAGE,
+                    },
+                };
+            }
+            // AWS or other verification failure
+            const isAwsError = err &&
+                typeof err === "object" &&
+                "name" in err &&
+                err.name?.startsWith("SecretsManager");
+            return {
+                success: false,
+                error: {
+                    code: isAwsError ? "SECRET_ERROR" : "INVALID_TOKEN",
+                    message: isAwsError
+                        ? (err instanceof Error ? err.message : "Failed to fetch secret")
+                        : constants_1.TOKEN_INVALID_MESSAGE,
+                },
+            };
+        }
+    };
+}

package/index.ts

@@ -0,0 +1,12 @@
+export { createTokenVerifier } from "./src/verify";
+export { ERROR_CODES } from "./src/constants";
+
+export type {
+  VerifyResult,
+  VerifySuccess,
+  VerifyError,
+  DecodedJwt,
+  SecretInput,
+  JwtSecretConfig,
+  ErrorCode,
+} from "./src/types";

package/package.json

@@ -0,0 +1,19 @@
+{
+  "name": "@benefi/auth",
+  "version": "1.0.4",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc"
+  },
+  "license": "MIT",
+  "dependencies": {
+    "@aws-sdk/client-secrets-manager": "^3.716.0",
+    "jsonwebtoken": "^9.0.2"
+  },
+  "devDependencies": {
+    "@types/express": "^5.0.1",
+    "@types/jsonwebtoken": "^9.0.9",
+    "typescript": "^5.8.3"
+  }
+}

package/src/aws.ts

@@ -0,0 +1,42 @@
+import {
+  SecretsManagerClient,
+  GetSecretValueCommand,
+} from "@aws-sdk/client-secrets-manager";
+import { DEFAULT_AWS_REGION } from "./constants";
+import type { SecretInput } from "./types";
+
+export type { JwtSecretConfig, SecretInput } from "./types";
+
+export function normalizeSecretConfig(
+    secretOrConfig: SecretInput
+): { secretId: string; region: string } {
+  if (typeof secretOrConfig === "string") {
+    return { secretId: secretOrConfig, region: DEFAULT_AWS_REGION };
+  }
+  return {
+    secretId: secretOrConfig.secretId,
+    region: secretOrConfig.region ?? DEFAULT_AWS_REGION,
+  };
+}
+
+export function createSecretsManagerClient(region: string) {
+  return new SecretsManagerClient({ region });
+}
+
+export async function getSecret(
+  client: SecretsManagerClient,
+  secretId: string,
+  versionStage: "AWSCURRENT" | "AWSPREVIOUS"
+): Promise<string> {
+  const command = new GetSecretValueCommand({
+    SecretId: secretId,
+    VersionStage: versionStage,
+  });
+  const response = await client.send(command);
+  if (!response.SecretString) {
+    throw new Error(
+      `JWT secret "${secretId}" has empty SecretString for ${versionStage}`
+    );
+  }
+  return response.SecretString;
+}

package/src/constants.ts

@@ -0,0 +1,12 @@
+export const DEFAULT_AWS_REGION = "us-east-1";
+
+export const TOKEN_REQUIRED_MESSAGE = "Token is required";
+export const TOKEN_EXPIRED_MESSAGE = "Token has expired";
+export const TOKEN_INVALID_MESSAGE = "Invalid token";
+
+export const ERROR_CODES = {
+  TOKEN_REQUIRED: "TOKEN_REQUIRED",
+  TOKEN_EXPIRED: "TOKEN_EXPIRED",
+  INVALID_TOKEN: "INVALID_TOKEN",
+  SECRET_ERROR: "SECRET_ERROR",
+} as const;

package/src/types.ts

@@ -0,0 +1,38 @@
+export type JwtSecretConfig = {
+  secretId: string;
+  region?: string;
+};
+
+
+export type SecretInput = string | JwtSecretConfig;
+
+
+export type DecodedJwt = {
+  customerId: string;
+  iat: number;
+  exp: number;
+};
+
+/** Error code returned when verification fails. */
+export type ErrorCode =
+  | "TOKEN_REQUIRED"
+  | "TOKEN_EXPIRED"
+  | "INVALID_TOKEN"
+  | "SECRET_ERROR";
+
+/** Success result: decoded payload + original token. */
+export type VerifySuccess = {
+  success: true;
+  data: DecodedJwt;
+  token: string;
+};
+
+export type VerifyError = {
+  success: false;
+  error: {
+    code: ErrorCode;
+    message: string;
+  };
+};
+
+export type VerifyResult = VerifySuccess | VerifyError;

package/src/validation.ts

@@ -0,0 +1,46 @@
+import jwt, { TokenExpiredError } from "jsonwebtoken";
+import {
+  normalizeSecretConfig,
+  createSecretsManagerClient,
+  getSecret,
+} from "./aws";
+import type { DecodedJwt, SecretInput } from "./types";
+
+export type { DecodedJwt } from "./types";
+
+function toDecodedJwt(payload: Record<string, unknown>): DecodedJwt {
+  return {
+    customerId: String(payload.customerId ?? ""),
+    iat: Number(payload.iat ?? 0),
+    exp: Number(payload.exp ?? 0),
+  };
+}
+
+export { TokenExpiredError };
+
+export function createJwtVerifier(secretOrConfig: SecretInput) {
+  const { secretId, region } = normalizeSecretConfig(secretOrConfig);
+  const client = createSecretsManagerClient(region);
+
+  return async function verifyTokenWithRotation(
+    token: string
+  ): Promise<DecodedJwt> {
+    // 1) Try latest version (AWSCURRENT)
+    const currentSecret = await getSecret(client, secretId, "AWSCURRENT");
+
+    try {
+      const payload = jwt.verify(token, currentSecret) as Record<string, unknown>;
+      return toDecodedJwt(payload);
+    } catch (err) {
+      // If token is expired with the current secret, surface that directly.
+      if (err instanceof TokenExpiredError) {
+        throw err;
+      }
+
+      // 2) Any other verification error with current → try previous version
+      const previousSecret = await getSecret(client, secretId, "AWSPREVIOUS");
+      const payload = jwt.verify(token, previousSecret) as Record<string, unknown>;
+      return toDecodedJwt(payload);
+    }
+  };
+}

package/src/verify.ts

@@ -0,0 +1,71 @@
+import { TokenExpiredError } from "jsonwebtoken";
+import {
+  TOKEN_REQUIRED_MESSAGE,
+  TOKEN_EXPIRED_MESSAGE,
+  TOKEN_INVALID_MESSAGE,
+} from "./constants";
+import type { SecretInput, VerifyResult } from "./types";
+import { createJwtVerifier } from "./validation";
+
+export type { VerifyResult, VerifySuccess, VerifyError } from "./types";
+
+/**
+ * Creates a verifier that takes a token and returns either the decoded payload
+ * or a structured error. You handle 401/other status codes in your app.
+ *
+ * @example
+ * const verifier = createTokenVerifier({ secretId: process.env.DEV_JWT_SECRET!, region: "us-east-1" });
+ * const result = await verifier(token);
+ * if (!result.success) {
+ *   return res.status(401).json({ error: result.error });
+ * }
+ * req.customerId = result.data.customerId;
+ */
+export function createTokenVerifier(secretOrConfig: SecretInput) {
+  const verifyToken = createJwtVerifier(secretOrConfig);
+
+  return async function verify(token: string): Promise<VerifyResult> {
+    if (!token || typeof token !== "string" || !token.trim()) {
+      return {
+        success: false,
+        error: {
+          code: "TOKEN_REQUIRED",
+          message: TOKEN_REQUIRED_MESSAGE,
+        },
+      };
+    }
+
+    const trimmedToken = token.trim();
+    try {
+      const data = await verifyToken(trimmedToken);
+      return { success: true, data, token: trimmedToken };
+    } catch (err) {
+      if (err instanceof TokenExpiredError) {
+        return {
+          success: false,
+          error: {
+            code: "TOKEN_EXPIRED",
+            message: TOKEN_EXPIRED_MESSAGE,
+          },
+        };
+      }
+
+      // AWS or other verification failure
+      const isAwsError =
+        err &&
+        typeof err === "object" &&
+        "name" in err &&
+        (err as { name?: string }).name?.startsWith("SecretsManager");
+
+      return {
+        success: false,
+        error: {
+          code: isAwsError ? "SECRET_ERROR" : "INVALID_TOKEN",
+          message: isAwsError
+            ? (err instanceof Error ? err.message : "Failed to fetch secret")
+            : TOKEN_INVALID_MESSAGE,
+        },
+      };
+    }
+  };
+}

package/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "CommonJS",
+    "declaration": true,
+    "outDir": "./dist",
+    "strict": true,
+    "esModuleInterop": true,
+    "moduleResolution": "node",
+    "forceConsistentCasingInFileNames": true,
+    "skipLibCheck": true
+  },
+  "include": ["src/**/*", "index.ts"]
+}