@digilogiclabs/platform-core 1.16.0 → 1.17.0

package/dist/auth.d.mts

@@ -518,6 +518,20 @@ interface SecureTimedAudit {
     success: (metadata?: Record<string, unknown>) => Promise<void>;
     failure: (reason: string, metadata?: Record<string, unknown>) => Promise<void>;
 }
+/** Authentication method — how the request was authenticated */
+type SecureAuthMethod = "session" | "legacy_token" | "none";
+/**
+ * Object-style audit configuration (used by DLL and other apps with
+ * structured audit enums). This is an alternative to the flat string form.
+ */
+interface SecureAuditConfig {
+    /** The audit action (string or enum value) */
+    action: string;
+    /** Resource type being acted upon */
+    resource?: string;
+    /** Extract resource ID from request/params for audit (called after validation) */
+    getResourceId?: (request: Request, params: Record<string, string>, validated: unknown) => string | undefined;
+}
 /** Per-route config */
 interface SecureRouteConfig<TValidated = unknown, TPresetKey extends string = string> {
     /** Rate limit preset key */
@@ -540,11 +554,16 @@ interface SecureRouteConfig<TValidated = unknown, TPresetKey extends string = st
             };
         };
     };
-    /** Audit action name */
-    audit?: string;
-    /** Audit resource type */
+    /**
+     * Audit configuration — accepts either:
+     * - A string (action name, with optional `auditResource` for resource type)
+     * - An object `{ action, resource?, getResourceId? }` for structured audit enums
+     */
+    audit?: string | SecureAuditConfig;
+    /** Audit resource type (used when `audit` is a string) */
     auditResource?: string;
-    /** Extract resource ID from request/params for audit (called after validation) */
+    /** Extract resource ID from request/params for audit (called after validation).
+     *  Used when `audit` is a string. When `audit` is an object, use its `getResourceId` instead. */
     getResourceId?: (request: Request, params: Record<string, string>, validated: unknown) => string | undefined;
     /** Custom operation name for logging */
     operation?: string;
@@ -555,6 +574,8 @@ interface SecureRouteContext<TSession extends SecureSession = SecureSession, TVa
     session: TSession | null;
     /** Whether request was authenticated via legacy token */
     isLegacyToken: boolean;
+    /** How the request was authenticated */
+    authMethod: SecureAuthMethod;
     /** Whether the user has admin privileges */
     isAdmin: boolean;
     /** Validated input data */
@@ -599,4 +620,4 @@ declare function createSecureHandlerFactory<TSession extends SecureSession = Sec
     }) => Promise<Response>;
 };
 
-export { type FederatedLogoutConfig, type LazyRateLimitStoreOptions, RateLimitOptions, type RateLimitResult, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, type SecureHandlerFactoryConfig, type SecureLogger, type SecureRateLimitResult, type SecureRouteConfig, type SecureRouteContext, type SecureRouteHandler, type SecureSession, type SecureTimedAudit, addRateLimitHeaders, buildFederatedLogoutHandler, createLazyRateLimitStore, createRedisRateLimitStore, createSecureHandlerFactory, enforceRateLimit, errorResponse, extractBearerToken, getClientIp, isValidBearerToken, rateLimitResponse, safeValidate, verifyCronAuth, zodErrorResponse };
+export { type FederatedLogoutConfig, type LazyRateLimitStoreOptions, RateLimitOptions, type RateLimitResult, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, type SecureAuditConfig, type SecureAuthMethod, type SecureHandlerFactoryConfig, type SecureLogger, type SecureRateLimitResult, type SecureRouteConfig, type SecureRouteContext, type SecureRouteHandler, type SecureSession, type SecureTimedAudit, addRateLimitHeaders, buildFederatedLogoutHandler, createLazyRateLimitStore, createRedisRateLimitStore, createSecureHandlerFactory, enforceRateLimit, errorResponse, extractBearerToken, getClientIp, isValidBearerToken, rateLimitResponse, safeValidate, verifyCronAuth, zodErrorResponse };

package/dist/auth.d.ts

@@ -518,6 +518,20 @@ interface SecureTimedAudit {
     success: (metadata?: Record<string, unknown>) => Promise<void>;
     failure: (reason: string, metadata?: Record<string, unknown>) => Promise<void>;
 }
+/** Authentication method — how the request was authenticated */
+type SecureAuthMethod = "session" | "legacy_token" | "none";
+/**
+ * Object-style audit configuration (used by DLL and other apps with
+ * structured audit enums). This is an alternative to the flat string form.
+ */
+interface SecureAuditConfig {
+    /** The audit action (string or enum value) */
+    action: string;
+    /** Resource type being acted upon */
+    resource?: string;
+    /** Extract resource ID from request/params for audit (called after validation) */
+    getResourceId?: (request: Request, params: Record<string, string>, validated: unknown) => string | undefined;
+}
 /** Per-route config */
 interface SecureRouteConfig<TValidated = unknown, TPresetKey extends string = string> {
     /** Rate limit preset key */
@@ -540,11 +554,16 @@ interface SecureRouteConfig<TValidated = unknown, TPresetKey extends string = st
             };
         };
     };
-    /** Audit action name */
-    audit?: string;
-    /** Audit resource type */
+    /**
+     * Audit configuration — accepts either:
+     * - A string (action name, with optional `auditResource` for resource type)
+     * - An object `{ action, resource?, getResourceId? }` for structured audit enums
+     */
+    audit?: string | SecureAuditConfig;
+    /** Audit resource type (used when `audit` is a string) */
     auditResource?: string;
-    /** Extract resource ID from request/params for audit (called after validation) */
+    /** Extract resource ID from request/params for audit (called after validation).
+     *  Used when `audit` is a string. When `audit` is an object, use its `getResourceId` instead. */
     getResourceId?: (request: Request, params: Record<string, string>, validated: unknown) => string | undefined;
     /** Custom operation name for logging */
     operation?: string;
@@ -555,6 +574,8 @@ interface SecureRouteContext<TSession extends SecureSession = SecureSession, TVa
     session: TSession | null;
     /** Whether request was authenticated via legacy token */
     isLegacyToken: boolean;
+    /** How the request was authenticated */
+    authMethod: SecureAuthMethod;
     /** Whether the user has admin privileges */
     isAdmin: boolean;
     /** Validated input data */
@@ -599,4 +620,4 @@ declare function createSecureHandlerFactory<TSession extends SecureSession = Sec
     }) => Promise<Response>;
 };
 
-export { type FederatedLogoutConfig, type LazyRateLimitStoreOptions, RateLimitOptions, type RateLimitResult, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, type SecureHandlerFactoryConfig, type SecureLogger, type SecureRateLimitResult, type SecureRouteConfig, type SecureRouteContext, type SecureRouteHandler, type SecureSession, type SecureTimedAudit, addRateLimitHeaders, buildFederatedLogoutHandler, createLazyRateLimitStore, createRedisRateLimitStore, createSecureHandlerFactory, enforceRateLimit, errorResponse, extractBearerToken, getClientIp, isValidBearerToken, rateLimitResponse, safeValidate, verifyCronAuth, zodErrorResponse };
+export { type FederatedLogoutConfig, type LazyRateLimitStoreOptions, RateLimitOptions, type RateLimitResult, RateLimitRule, RateLimitStore, type RedisRateLimitClient, type RedisRateLimitStoreOptions, type SecureAuditConfig, type SecureAuthMethod, type SecureHandlerFactoryConfig, type SecureLogger, type SecureRateLimitResult, type SecureRouteConfig, type SecureRouteContext, type SecureRouteHandler, type SecureSession, type SecureTimedAudit, addRateLimitHeaders, buildFederatedLogoutHandler, createLazyRateLimitStore, createRedisRateLimitStore, createSecureHandlerFactory, enforceRateLimit, errorResponse, extractBearerToken, getClientIp, isValidBearerToken, rateLimitResponse, safeValidate, verifyCronAuth, zodErrorResponse };

package/dist/auth.js

@@ -1595,6 +1595,10 @@ function createSecureHandlerFactory(factoryConfig) {
       let isAdmin = false;
       let isLegacyToken = false;
       let timedAudit;
+      const auditCfg = routeConfig.audit;
+      const resolvedAuditAction = typeof auditCfg === "object" && auditCfg !== null ? auditCfg.action : auditCfg;
+      const resolvedAuditResource = typeof auditCfg === "object" && auditCfg !== null ? auditCfg.resource : routeConfig.auditResource;
+      const resolvedGetResourceId = typeof auditCfg === "object" && auditCfg !== null ? auditCfg.getResourceId : routeConfig.getResourceId;
       try {
         if (routeConfig.requireAuth || routeConfig.requireAdmin || routeConfig.requireRoles?.length) {
           session = await factoryConfig.getSession();
@@ -1665,17 +1669,17 @@ function createSecureHandlerFactory(factoryConfig) {
         const actorId = isLegacyToken ? "admin_token" : session?.user?.id || "anonymous";
         const actorType = isLegacyToken ? "admin" : "user";
         const actorEmail = session?.user?.email ?? void 0;
-        const resourceId = routeConfig.getResourceId ? routeConfig.getResourceId(
+        const resourceId = resolvedGetResourceId ? resolvedGetResourceId(
           request,
           params,
           validated
         ) : void 0;
-        if (routeConfig.audit && factoryConfig.createTimedAudit) {
+        if (resolvedAuditAction && factoryConfig.createTimedAudit) {
           timedAudit = factoryConfig.createTimedAudit(
             {
-              action: routeConfig.audit,
-              resource: routeConfig.auditResource ? {
-                type: routeConfig.auditResource,
+              action: resolvedAuditAction,
+              resource: resolvedAuditResource ? {
+                type: resolvedAuditResource,
                 id: resourceId
               } : void 0,
               actor: {
@@ -1687,9 +1691,11 @@ function createSecureHandlerFactory(factoryConfig) {
             request
           );
         }
+        const authMethod = isLegacyToken ? "legacy_token" : session?.user ? "session" : "none";
         const ctx = {
           session,
           isLegacyToken,
+          authMethod,
           isAdmin,
           validated,
           logger: log,
@@ -1699,16 +1705,16 @@ function createSecureHandlerFactory(factoryConfig) {
         };
         const response = await handler(request, ctx);
         response.headers.set("X-Request-ID", requestId);
-        if (routeConfig.audit && factoryConfig.auditLog && !timedAudit) {
+        if (resolvedAuditAction && factoryConfig.auditLog && !timedAudit) {
           await factoryConfig.auditLog({
             actor: {
               id: actorId,
               type: actorType,
               email: actorEmail
             },
-            action: routeConfig.audit,
-            resource: routeConfig.auditResource ? {
-              type: routeConfig.auditResource,
+            action: resolvedAuditAction,
+            resource: resolvedAuditResource ? {
+              type: resolvedAuditResource,
               id: resourceId ?? "unknown"
             } : void 0,
             outcome: "success"
@@ -1724,13 +1730,13 @@ function createSecureHandlerFactory(factoryConfig) {
         if (timedAudit) {
           await timedAudit.failure(errReason).catch(() => {
           });
-        } else if (routeConfig.audit && factoryConfig.auditLog) {
+        } else if (resolvedAuditAction && factoryConfig.auditLog) {
           await factoryConfig.auditLog({
             actor: {
               id: session?.user?.id || "unknown",
               type: "user"
             },
-            action: routeConfig.audit,
+            action: resolvedAuditAction,
             outcome: "failure",
             reason: errReason
           }).catch(() => {