@derian-cordoba/api-gateway 1.0.0 → 1.1.0

package/README.md

@@ -12,6 +12,9 @@ A generic, configuration-driven HTTP API gateway. Routes incoming requests to up
 - [Configuration](#configuration)
   - [Environment Variables](#environment-variables)
   - [Route Configuration](#route-configuration)
+- [Authentication](#authentication)
+  - [JWT](#jwt)
+  - [API Key](#api-key)
 - [Running the Gateway](#running-the-gateway)
 - [Health Check](#health-check)
 - [Project Structure](#project-structure)
@@ -23,6 +26,7 @@ A generic, configuration-driven HTTP API gateway. Routes incoming requests to up
 ## Features
 
 - **Configuration-driven routing** — define proxy routes in a JSON file, an environment variable, or both; changes take effect on restart with zero code changes
+- **Per-route authentication** — protect any route with a JWT Bearer token (HMAC or RSA/EC) or an API key; set `enabled: false` to bypass with zero overhead
 - **Per-route rate limiting** — each route can declare its own `max` requests / `windowMs` window, enforced by `express-rate-limit`
 - **Startup validation** — route config is validated with Zod at boot time; the process exits with a descriptive error rather than silently misbehaving
 - **Structured logging** — `pino` + `pino-http` emit newline-delimited JSON in production and human-readable output (via `pino-pretty`) in development
@@ -98,6 +102,13 @@ Copy `.env.example` to `.env` and edit as needed.
 | `ROUTES_FILE_PATH` | `routes.json` | Path to the JSON route config file, relative to `process.cwd()`. |
 | `ROUTES` | _(none)_ | Inline route definitions as a JSON array. Merged with `ROUTES_FILE_PATH`. Useful for containerised deployments where injecting a file is inconvenient. |
 
+#### Authentication
+
+| Variable | Default | Description |
+|---|---|---|
+| `JWT_SECRET` | _(none)_ | Fallback HMAC signing secret used when a JWT route has no inline `secret` field. |
+| `JWT_PUBLIC_KEY` | _(none)_ | Fallback PEM public key used when a JWT route has no inline `publicKey` field. Takes precedence over `JWT_SECRET`. |
+
 ---
 
 ### Route Configuration
@@ -135,6 +146,35 @@ Routes are defined as a JSON array. Each entry is a **Gateway** object:
 
 Responses include standard `RateLimit-*` headers (RFC draft-8).
 
+#### `Auth`
+
+Adds authentication middleware to a route. When `enabled` is `false` the middleware is a no-op passthrough — no overhead, no token check.
+
+Two strategies are supported, selected with the `strategy` field.
+
+**`"jwt"` — Bearer token validation**
+
+| Field | Type | Required | Description |
+|---|---|---|---|
+| `enabled` | `boolean` | ✅ | `true` to enforce, `false` to bypass. |
+| `strategy` | `"jwt"` | ✅ | — |
+| `secret` | `string` | — | Shared secret for HMAC algorithms (HS256, HS384, HS512). Falls back to `JWT_SECRET` env var. |
+| `publicKey` | `string` | — | PEM-encoded public key or X.509 certificate for asymmetric algorithms (RS256, RS384, RS512, ES256 …). Falls back to `JWT_PUBLIC_KEY` env var. Takes precedence over `secret` when both are present. |
+| `algorithms` | `string[]` | — | Explicit algorithm allowlist. Defaults to `["RS256"]` when `publicKey` is used, `["HS256"]` otherwise. Recommended to prevent algorithm-confusion attacks. |
+
+The gateway expects the token in the `Authorization: Bearer <token>` header and returns `401` on a missing, malformed, or invalid token.
+
+**`"apiKey"` — Header-based API key**
+
+| Field | Type | Required | Description |
+|---|---|---|---|
+| `enabled` | `boolean` | ✅ | `true` to enforce, `false` to bypass. |
+| `strategy` | `"apiKey"` | ✅ | — |
+| `keys` | `string[]` | ✅ | List of valid API keys. At least one entry required. |
+| `header` | `string` | — | Header name to read the key from (default: `x-api-key`). |
+
+Returns `401` when the header is absent or the value is not in `keys`.
+
 #### Example `routes.json`
 
 ```json
@@ -158,11 +198,24 @@ Responses include standard `RateLimit-*` headers (RFC draft-8).
     "proxy": {
       "target": "http://orders-service:3002",
       "changeOrigin": true,
-      "pathRewrite": { "^/orders": "" },
-      "headers": {
-        "X-Internal-Source": "api-gateway"
-      },
-      "timeout": 5000
+      "pathRewrite": { "^/orders": "" }
+    },
+    "auth": {
+      "enabled": true,
+      "strategy": "jwt"
+    }
+  },
+  {
+    "baseURL": "/reports",
+    "proxy": {
+      "target": "http://reports-service:3003",
+      "changeOrigin": true,
+      "pathRewrite": { "^/reports": "" }
+    },
+    "auth": {
+      "enabled": true,
+      "strategy": "apiKey",
+      "keys": ["key-service-alpha-123", "key-service-beta-456"]
     }
   }
 ]
@@ -177,6 +230,93 @@ Routes are loaded from two sources and **merged**:
 
 ---
 
+## Authentication
+
+Authentication is optional and configured per route via the `auth` field. The middleware is applied before rate limiting and proxying. When `enabled: false` the handler is a single no-op function — zero overhead on unprotected routes.
+
+### JWT
+
+Protect a route with a Bearer token. The gateway validates the token signature; your upstream receives the request only if verification passes.
+
+```json
+{
+  "baseURL": "/orders",
+  "proxy": { "target": "http://orders-service:3002", "changeOrigin": true },
+  "auth": {
+    "enabled": true,
+    "strategy": "jwt"
+  }
+}
+```
+
+The signing key is resolved in this order:
+
+1. `publicKey` field in the route config (PEM — use for RS256 / ES256)
+2. `JWT_PUBLIC_KEY` environment variable
+3. `secret` field in the route config (string — use for HS256)
+4. `JWT_SECRET` environment variable
+
+`publicKey` always takes precedence over `secret`. If neither is present the gateway returns `401`.
+
+**HMAC (HS256) — shared secret:**
+
+```bash
+# .env
+JWT_SECRET=super-secret-key-change-in-production
+```
+
+```bash
+TOKEN=$(curl -s -X POST http://localhost:3000/auth/login \
+  -H "Content-Type: application/json" \
+  -d '{"username":"alice","password":"password123"}' | jq -r '.token')
+
+curl http://localhost:3000/orders \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+**RSA (RS256) — public/private key pair:**
+
+```json
+{
+  "auth": {
+    "enabled": true,
+    "strategy": "jwt",
+    "publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjAN...\n-----END PUBLIC KEY-----",
+    "algorithms": ["RS256"]
+  }
+}
+```
+
+### API Key
+
+Protect a route with a pre-shared key delivered in a request header.
+
+```json
+{
+  "baseURL": "/reports",
+  "proxy": { "target": "http://reports-service:3003", "changeOrigin": true },
+  "auth": {
+    "enabled": true,
+    "strategy": "apiKey",
+    "header": "x-api-key",
+    "keys": ["key-service-alpha-123", "key-service-beta-456"]
+  }
+}
+```
+
+```bash
+# Valid key → 200
+curl http://localhost:3000/reports \
+  -H "x-api-key: key-service-alpha-123"
+
+# Missing or wrong key → 401
+curl http://localhost:3000/reports
+```
+
+Multiple keys in `keys` let you rotate credentials without downtime — add the new key, deploy, then remove the old one.
+
+---
+
 ## Running the Gateway
 
 ### Development (hot-reload)
@@ -245,88 +385,98 @@ src/apps/api-gateway/
 │   ├── env/config.ts         # NODE_ENV → isDev flag
 │   ├── gateway/config.ts     # GATEWAY_PORT, GATEWAY_PREFIX
 │   ├── cors/config.ts        # CORS_ORIGINS, CORS_METHODS, CORS_HEADERS
-│   └── routes/config.ts      # ROUTES_FILE_PATH
+│   ├── routes/config.ts      # ROUTES_FILE_PATH
+│   └── auth/config.ts        # JWT_SECRET, JWT_PUBLIC_KEY
+│
+├── middleware/
+│   ├── authMiddleware.ts     # Factory — returns the right strategy or a no-op
+│   └── auth/
+│       ├── AuthStrategy.ts   # Interface (Strategy pattern)
+│       ├── JwtAuthStrategy.ts    # JWT Bearer token validation (HMAC + RSA/EC)
+│       └── ApiKeyAuthStrategy.ts # Header-based API key validation
 │
 ├── routes/
 │   ├── Router.ts             # Middleware pipeline (logging → security → CORS → body → proxy → errors)
 │   ├── ProxyManager.ts       # Reads, validates, and registers proxy routes
-│   ├── RouteValidator.ts     # Zod schemas for Gateway / Proxy / RateLimit types
+│   ├── RouteValidator.ts     # Zod schemas for Gateway / Proxy / RateLimit / Auth types
 │   └── HealthRouter.ts       # GET /health handler
 │
 └── types/
     ├── gateway.d.ts          # Gateway type
     ├── proxy.d.ts            # Proxy type
-    └── rate-limit.d.ts       # RateLimit type
+    ├── rate-limit.d.ts       # RateLimit type
+    └── auth.d.ts             # Auth type (JwtAuth | ApiKeyAuth)
 ```
 
 ---
 
 ## Example Project
 
-`examples/basic/` contains a self-contained demo with two mock upstream services and a pre-built gateway config.
-
-### What's included
-
-| File | Description |
-|---|---|
-| `routes.json` | Gateway config with two routes (`/users`, `/products`) each with rate limiting and path rewriting |
-| `.env` | Gateway environment for the example |
-| `upstream-users.js` | Mock Users service on port `4001` |
-| `upstream-products.js` | Mock Products service on port `4002` |
-| `run.sh` | Starts all three processes and stops them together on Ctrl+C |
-
-### Running the example
+`examples/` contains a self-contained demo that starts five upstream services and one gateway covering all features: rate limiting, JWT auth, and API key auth.
 
 ```bash
 pnpm example
 ```
 
-This copies `examples/basic/.env` to the project root and starts all three services. Once running:
-
-| Endpoint | Description |
-|---|---|
-| `http://localhost:3000/health` | Gateway health check |
-| `http://localhost:3000/users` | Proxied to Users service |
-| `http://localhost:3000/products` | Proxied to Products service |
-
-### Users service endpoints (`/users`)
-
-| Method | Path | Description |
-|---|---|---|
-| `GET` | `/users` | List all users |
-| `GET` | `/users/:id` | Get a user by ID |
-| `POST` | `/users` | Create a user (body: `{ name, email }`) |
-| `DELETE` | `/users/:id` | Delete a user by ID |
-
-### Products service endpoints (`/products`)
+This copies `examples/.env` to the project root and starts everything. Once running:
 
-| Method | Path | Description |
+| Endpoint | Auth | Description |
 |---|---|---|
-| `GET` | `/products` | List all products |
-| `GET` | `/products/:id` | Get a product by ID |
-| `POST` | `/products` | Create a product (body: `{ name, price }`) |
-| `PATCH` | `/products/:id/stock` | Adjust stock (body: `{ quantity: number }`) |
+| `http://localhost:3000/health` | — | Gateway health check |
+| `http://localhost:3000/users` | — | Users service (rate limited) |
+| `http://localhost:3000/products` | — | Products service (rate limited) |
+| `http://localhost:3000/auth/login` | — | Issues JWT tokens |
+| `http://localhost:3000/orders` | JWT Bearer | Orders service |
+| `http://localhost:3000/reports` | API key | Reports service |
 
-### Example requests
+### Public routes
 
 ```bash
-# List users
 curl http://localhost:3000/users
+curl http://localhost:3000/products/1
+```
+
+### JWT-protected route (`/orders`)
 
-# Create a user
-curl -X POST http://localhost:3000/users \
+```bash
+# 1. Log in to get a token (users: alice/password123, bob/password456)
+TOKEN=$(curl -s -X POST http://localhost:3000/auth/login \
   -H "Content-Type: application/json" \
-  -d '{"name": "Alice", "email": "alice@example.com"}'
+  -d '{"username":"alice","password":"password123"}' | jq -r '.token')
 
-# Get a product
-curl http://localhost:3000/products/1
+# 2. Access the protected route
+curl http://localhost:3000/orders \
+  -H "Authorization: Bearer $TOKEN"
 
-# Update product stock
-curl -X PATCH http://localhost:3000/products/1/stock \
+# 3. Create an order
+curl -X POST http://localhost:3000/orders \
+  -H "Authorization: Bearer $TOKEN" \
   -H "Content-Type: application/json" \
-  -d '{"quantity": 25}'
+  -d '{"userId":1,"items":[{"productId":2,"qty":1}],"total":24.99}'
 ```
 
+### API-key-protected route (`/reports`)
+
+```bash
+# Valid keys: key-service-alpha-123  ·  key-service-beta-456
+
+curl http://localhost:3000/reports \
+  -H "x-api-key: key-service-alpha-123"
+
+curl http://localhost:3000/reports/sales \
+  -H "x-api-key: key-service-beta-456"
+```
+
+### Individual example directories
+
+Each sub-directory is also usable as a standalone reference:
+
+| Directory | Description |
+|---|---|
+| `examples/basic/` | Rate limiting only — Users + Products services |
+| `examples/jwt-auth/` | JWT auth — Auth service + Orders service |
+| `examples/api-key-auth/` | API key auth — Reports service |
+
 ---
 
 ## Architecture
@@ -339,18 +489,19 @@ Client
   ▼
 Express app
   │
-  ├─ pino-http          structured request/response logging
-  ├─ helmet             security headers (CSP, HSTS, X-Frame-Options, …)
-  ├─ cors               configurable origin / method / header policy
-  ├─ express.json       body parsing
-  ├─ compression        gzip response compression
+  ├─ pino-http              structured request/response logging
+  ├─ helmet                 security headers (CSP, HSTS, X-Frame-Options, …)
+  ├─ cors                   configurable origin / method / header policy
+  ├─ express.json           body parsing
+  ├─ compression            gzip response compression
   │
-  ├─ GET /health        health check — short-circuits here
+  ├─ GET /health            health check — short-circuits here
   │
-  ├─ express-rate-limit per-route request throttling (applied per baseURL)
+  ├─ authMiddleware         per-route — JWT or API key check → 401 on failure
+  ├─ express-rate-limit     per-route request throttling → 429 on exceeded
   ├─ http-proxy-middleware  proxies request to upstream, forwards body
   │
-  └─ error handler      catches unhandled errors → 500 JSON response
+  └─ error handler          catches unhandled errors → 500 JSON response
 ```
 
 ### Startup sequence

package/dist/src/apps/api-gateway/config/app-env.d.ts

@@ -2,10 +2,12 @@ import { type GatewayConfig } from "./gateway/config";
 import { type CorsConfig } from "./cors/config";
 import { type RoutesConfig } from "./routes/config";
 import { type EnvConfig } from "./env/config";
+import { type AuthConfig } from "./auth/config";
 export type AppEnv = {
     env: EnvConfig;
     gateway: GatewayConfig;
     cors: CorsConfig;
     routes: RoutesConfig;
+    auth: AuthConfig;
 };
 export declare const appEnv: AppEnv;

package/dist/src/apps/api-gateway/config/app-env.js

@@ -5,9 +5,11 @@ const config_1 = require("./gateway/config");
 const config_2 = require("./cors/config");
 const config_3 = require("./routes/config");
 const config_4 = require("./env/config");
+const config_5 = require("./auth/config");
 exports.appEnv = {
     env: config_4.envConfig,
     gateway: config_1.gatewayConfig,
     cors: config_2.corsConfig,
     routes: config_3.routesConfig,
+    auth: config_5.authConfig,
 };

package/dist/src/apps/api-gateway/config/auth/config.d.ts

@@ -0,0 +1,5 @@
+export type AuthConfig = {
+    jwtSecret: string | undefined;
+    jwtPublicKey: string | undefined;
+};
+export declare const authConfig: AuthConfig;

package/dist/src/apps/api-gateway/config/auth/config.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authConfig = void 0;
+const { JWT_SECRET, JWT_PUBLIC_KEY, } = process.env;
+exports.authConfig = {
+    jwtSecret: JWT_SECRET,
+    jwtPublicKey: JWT_PUBLIC_KEY,
+};

package/dist/src/apps/api-gateway/middleware/auth/ApiKeyAuthStrategy.d.ts

@@ -0,0 +1,9 @@
+import type { Request, Response, NextFunction } from "express";
+import type { ApiKeyAuth } from "../../types/auth";
+import type { AuthStrategy } from "./AuthStrategy";
+export declare class ApiKeyAuthStrategy implements AuthStrategy {
+    private readonly auth;
+    private readonly headerName;
+    constructor(auth: ApiKeyAuth);
+    handle(req: Request, res: Response, next: NextFunction): void;
+}

package/dist/src/apps/api-gateway/middleware/auth/ApiKeyAuthStrategy.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiKeyAuthStrategy = void 0;
+const http_status_codes_1 = require("http-status-codes");
+class ApiKeyAuthStrategy {
+    constructor(auth) {
+        var _a;
+        this.auth = auth;
+        this.headerName = ((_a = auth.header) !== null && _a !== void 0 ? _a : "x-api-key").toLowerCase();
+    }
+    handle(req, res, next) {
+        const provided = req.headers[this.headerName];
+        if (typeof provided !== "string" || !this.auth.keys.includes(provided)) {
+            res.status(http_status_codes_1.StatusCodes.UNAUTHORIZED).json({ error: "Invalid or missing API key" });
+            return;
+        }
+        next();
+    }
+}
+exports.ApiKeyAuthStrategy = ApiKeyAuthStrategy;

package/dist/src/apps/api-gateway/middleware/auth/AuthStrategy.d.ts

@@ -0,0 +1,4 @@
+import type { Request, Response, NextFunction } from "express";
+export interface AuthStrategy {
+    handle(req: Request, res: Response, next: NextFunction): void;
+}

package/dist/src/apps/api-gateway/middleware/auth/AuthStrategy.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/apps/api-gateway/middleware/auth/JwtAuthStrategy.d.ts

@@ -0,0 +1,11 @@
+import type { Request, Response, NextFunction } from "express";
+import type { JwtAuth } from "../../types/auth";
+import type { AuthStrategy } from "./AuthStrategy";
+export declare class JwtAuthStrategy implements AuthStrategy {
+    private readonly auth;
+    constructor(auth: JwtAuth);
+    handle(req: Request, res: Response, next: NextFunction): void;
+    private extractToken;
+    private resolveKey;
+    private resolveAlgorithms;
+}

package/dist/src/apps/api-gateway/middleware/auth/JwtAuthStrategy.js

@@ -0,0 +1,55 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthStrategy = void 0;
+const http_status_codes_1 = require("http-status-codes");
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const app_env_1 = require("../../config/app-env");
+class JwtAuthStrategy {
+    constructor(auth) {
+        this.auth = auth;
+    }
+    handle(req, res, next) {
+        const token = this.extractToken(req);
+        if (!token) {
+            res.status(http_status_codes_1.StatusCodes.UNAUTHORIZED).json({ error: "Missing or malformed Authorization header" });
+            return;
+        }
+        const resolved = this.resolveKey();
+        if (!resolved) {
+            res.status(http_status_codes_1.StatusCodes.UNAUTHORIZED).json({ error: "JWT key not configured" });
+            return;
+        }
+        try {
+            jsonwebtoken_1.default.verify(token, resolved.key, { algorithms: this.resolveAlgorithms(resolved.isAsymmetric) });
+            next();
+        }
+        catch (_a) {
+            res.status(http_status_codes_1.StatusCodes.UNAUTHORIZED).json({ error: "Invalid or expired token" });
+        }
+    }
+    extractToken(req) {
+        const { authorization } = req.headers;
+        if (!(authorization === null || authorization === void 0 ? void 0 : authorization.startsWith("Bearer ")))
+            return null;
+        return authorization.slice(7);
+    }
+    resolveKey() {
+        var _a, _b;
+        const publicKey = (_a = this.auth.publicKey) !== null && _a !== void 0 ? _a : app_env_1.appEnv.auth.jwtPublicKey;
+        if (publicKey)
+            return { key: publicKey, isAsymmetric: true };
+        const secret = (_b = this.auth.secret) !== null && _b !== void 0 ? _b : app_env_1.appEnv.auth.jwtSecret;
+        if (secret)
+            return { key: secret, isAsymmetric: false };
+        return null;
+    }
+    resolveAlgorithms(isAsymmetric) {
+        if (this.auth.algorithms)
+            return this.auth.algorithms;
+        return isAsymmetric ? ["RS256"] : ["HS256"];
+    }
+}
+exports.JwtAuthStrategy = JwtAuthStrategy;

package/dist/src/apps/api-gateway/middleware/authMiddleware.d.ts

@@ -0,0 +1,3 @@
+import type { RequestHandler } from "express";
+import type { Auth } from "../types/auth";
+export declare function createAuthMiddleware(auth: Auth): RequestHandler;

package/dist/src/apps/api-gateway/middleware/authMiddleware.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAuthMiddleware = createAuthMiddleware;
+const JwtAuthStrategy_1 = require("./auth/JwtAuthStrategy");
+const ApiKeyAuthStrategy_1 = require("./auth/ApiKeyAuthStrategy");
+const strategyFactories = {
+    jwt: (auth) => new JwtAuthStrategy_1.JwtAuthStrategy(auth),
+    apiKey: (auth) => new ApiKeyAuthStrategy_1.ApiKeyAuthStrategy(auth),
+};
+function createAuthMiddleware(auth) {
+    if (!auth.enabled) {
+        return (_req, _res, next) => next();
+    }
+    const strategy = strategyFactories[auth.strategy](auth);
+    return (req, res, next) => strategy.handle(req, res, next);
+}

package/dist/src/apps/api-gateway/routes/ProxyManager.js

@@ -18,6 +18,7 @@ const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
 const http_status_codes_1 = require("http-status-codes");
 const promises_1 = require("node:fs/promises");
 const RouteValidator_1 = require("./RouteValidator");
+const authMiddleware_1 = require("../middleware/authMiddleware");
 const logger_1 = require("../logger");
 const app_env_1 = require("../config/app-env");
 class ProxyManager {
@@ -37,6 +38,10 @@ class ProxyManager {
             }
             routes.forEach((route) => {
                 var _a, _b;
+                // Apply per-route authentication when configured
+                if (route.auth) {
+                    this.router.use(route.baseURL, (0, authMiddleware_1.createAuthMiddleware)(route.auth));
+                }
                 // Apply per-route rate limiting when configured
                 if (route.rateLimit) {
                     this.router.use(route.baseURL, (0, express_rate_limit_1.default)({

package/dist/src/apps/api-gateway/routes/RouteValidator.d.ts

@@ -17,5 +17,17 @@ export declare const GatewaysSchema: z.ZodArray<z.ZodObject<{
         statusCode: z.ZodOptional<z.ZodNumber>;
         message: z.ZodOptional<z.ZodString>;
     }, z.core.$strip>>;
+    auth: z.ZodOptional<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        enabled: z.ZodBoolean;
+        strategy: z.ZodLiteral<"jwt">;
+        secret: z.ZodOptional<z.ZodString>;
+        publicKey: z.ZodOptional<z.ZodString>;
+        algorithms: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    }, z.core.$strip>, z.ZodObject<{
+        enabled: z.ZodBoolean;
+        strategy: z.ZodLiteral<"apiKey">;
+        header: z.ZodOptional<z.ZodString>;
+        keys: z.ZodArray<z.ZodString>;
+    }, z.core.$strip>], "strategy">>;
 }, z.core.$strip>>;
 export declare function validateRoutes(data: unknown): Gateway[];

package/dist/src/apps/api-gateway/routes/RouteValidator.js

@@ -18,10 +18,25 @@ const RateLimitSchema = zod_1.z.object({
     statusCode: zod_1.z.number().optional(),
     message: zod_1.z.string().optional(),
 });
+const JwtAuthSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean(),
+    strategy: zod_1.z.literal("jwt"),
+    secret: zod_1.z.string().optional(),
+    publicKey: zod_1.z.string().optional(),
+    algorithms: zod_1.z.array(zod_1.z.string()).optional(),
+});
+const ApiKeyAuthSchema = zod_1.z.object({
+    enabled: zod_1.z.boolean(),
+    strategy: zod_1.z.literal("apiKey"),
+    header: zod_1.z.string().optional(),
+    keys: zod_1.z.array(zod_1.z.string()).min(1, "apiKey auth requires at least one key"),
+});
+const AuthSchema = zod_1.z.discriminatedUnion("strategy", [JwtAuthSchema, ApiKeyAuthSchema]);
 const GatewaySchema = zod_1.z.object({
     baseURL: zod_1.z.string().startsWith("/", "baseURL must start with /"),
     proxy: ProxySchema,
     rateLimit: RateLimitSchema.optional(),
+    auth: AuthSchema.optional(),
 });
 exports.GatewaysSchema = zod_1.z.array(GatewaySchema);
 function validateRoutes(data) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@derian-cordoba/api-gateway",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "A generic, configuration-driven HTTP API gateway with per-route rate limiting, structured logging, and security headers",
   "main": "./dist/src/apps/api-gateway/index.js",
   "types": "./dist/src/apps/api-gateway/index.d.ts",
@@ -37,12 +37,13 @@
     "prepare": "pnpm build",
     "test": "vitest run",
     "test:watch": "vitest",
-    "example": "bash examples/basic/run.sh"
+    "example": "bash examples/run.sh"
   },
   "devDependencies": {
     "@types/compression": "^1.8.0",
     "@types/cors": "^2.8.18",
     "@types/express": "^5.0.2",
+    "@types/jsonwebtoken": "^9.0.10",
     "@types/node": "^22.15.21",
     "@types/supertest": "^7.2.0",
     "pino-pretty": "^13.1.3",
@@ -60,6 +61,7 @@
     "helmet": "^8.1.0",
     "http-proxy-middleware": "^3.0.5",
     "http-status-codes": "^2.3.0",
+    "jsonwebtoken": "^9.0.3",
     "pino": "^10.3.1",
     "pino-http": "^11.0.0",
     "zod": "^4.4.3"