@discover-cloud/shared 1.2.2 → 1.2.4

package/dist/jwt/index.d.ts

@@ -1 +1,2 @@
 export * from "./internal-jwt-verifier";
+export * from "./machine-token-client";

package/dist/jwt/index.js

@@ -15,3 +15,4 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./internal-jwt-verifier"), exports);
+__exportStar(require("./machine-token-client"), exports);

package/dist/jwt/machine-token-client.d.ts

@@ -0,0 +1,12 @@
+import { ILogger } from "../utils";
+export declare class MachineTokenClient {
+    private readonly gatewayUrl;
+    private readonly serviceId;
+    private readonly logger;
+    private cache;
+    private fetchPromise;
+    constructor(gatewayUrl: string, serviceId: string, logger?: ILogger);
+    getToken(requestId?: string): Promise<string>;
+    private isValid;
+    private fetchToken;
+}

package/dist/jwt/machine-token-client.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MachineTokenClient = void 0;
+const utils_1 = require("../utils");
+const REFRESH_BUFFER_S = 10;
+class MachineTokenClient {
+    constructor(gatewayUrl, serviceId, logger = utils_1.noopLogger) {
+        this.gatewayUrl = gatewayUrl;
+        this.serviceId = serviceId;
+        this.logger = logger;
+        this.cache = null;
+        this.fetchPromise = null;
+    }
+    async getToken(requestId) {
+        if (this.isValid()) {
+            return this.cache.token;
+        }
+        if (!this.fetchPromise) {
+            this.fetchPromise = this.fetchToken(requestId).finally(() => {
+                this.fetchPromise = null;
+            });
+        }
+        return this.fetchPromise;
+    }
+    isValid() {
+        if (!this.cache)
+            return false;
+        const nowS = Math.floor(Date.now() / 1000);
+        return this.cache.expiresAt - REFRESH_BUFFER_S > nowS;
+    }
+    async fetchToken(requestId) {
+        const url = `${this.gatewayUrl}/internal/machine-token`;
+        this.logger.debug({ serviceId: this.serviceId, requestId }, "Fetching machine token");
+        const response = await fetch(url, {
+            method: "POST",
+            headers: {
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ serviceId: this.serviceId, requestId }),
+        });
+        if (!response.ok) {
+            const text = await response.text().catch(() => "(unreadable)");
+            throw new Error(`MachineTokenClient: gateway returned ${response.status} fetching machine token: ${text}`);
+        }
+        const body = (await response.json());
+        const nowS = Math.floor(Date.now() / 1000);
+        this.cache = {
+            token: body.data.token,
+            expiresAt: nowS + body.data.expiresIn,
+        };
+        this.logger.info({ serviceId: this.serviceId, expiresAt: this.cache.expiresAt }, "Machine token cached");
+        return this.cache.token;
+    }
+}
+exports.MachineTokenClient = MachineTokenClient;

package/dist/middleware/authorize.middleware.js

@@ -58,11 +58,12 @@ exports.authorize = authorize;
  */
 const authorizeAny = (...permissions) => {
     return (req, res, next) => {
-        if (!req.accessContext) {
+        const ctx = req.accessContext;
+        if (!ctx) {
             (0, utils_1.failure)(res, req, "Unauthorized: No access context", "UNAUTHORIZED", 401);
             return;
         }
-        const hasAny = permissions.some((p) => internal_jwt_verifier_1.InternalJwtVerifier.hasPermission(req.accessContext, p));
+        const hasAny = permissions.some((p) => internal_jwt_verifier_1.InternalJwtVerifier.hasPermission(ctx, p));
         if (!hasAny) {
             (0, utils_1.failure)(res, req, `Forbidden: Missing one of [${permissions.join(", ")}]`, "FORBIDDEN", 403);
             return;
@@ -87,11 +88,12 @@ exports.authorizeAny = authorizeAny;
  */
 const authorizeAll = (...permissions) => {
     return (req, res, next) => {
-        if (!req.accessContext) {
+        const ctx = req.accessContext;
+        if (!ctx) {
             (0, utils_1.failure)(res, req, "Unauthorized: No access context", "UNAUTHORIZED", 401);
             return;
         }
-        const missingPermissions = permissions.filter((p) => !internal_jwt_verifier_1.InternalJwtVerifier.hasPermission(req.accessContext, p));
+        const missingPermissions = permissions.filter((p) => !internal_jwt_verifier_1.InternalJwtVerifier.hasPermission(ctx, p));
         if (missingPermissions.length > 0) {
             (0, utils_1.failure)(res, req, `Forbidden: Missing permissions [${missingPermissions.join(", ")}]`, "FORBIDDEN", 403);
             return;

package/dist/middleware/index.d.ts

@@ -3,3 +3,5 @@ export * from "./validate.middleware";
 export * from "./request-id.middleware";
 export * from "./authorize.middleware";
 export * from "./validated-merge.middleware";
+export * from "./require-internal.middleware";
+export * from "./require-auth.middleware";

package/dist/middleware/index.js

@@ -19,3 +19,5 @@ __exportStar(require("./validate.middleware"), exports);
 __exportStar(require("./request-id.middleware"), exports);
 __exportStar(require("./authorize.middleware"), exports);
 __exportStar(require("./validated-merge.middleware"), exports);
+__exportStar(require("./require-internal.middleware"), exports);
+__exportStar(require("./require-auth.middleware"), exports);

package/dist/middleware/require-auth.middleware.d.ts

@@ -0,0 +1,86 @@
+import { Request, Response, NextFunction } from "express";
+import { AccountRole } from "../enums";
+import { GlobalPermission } from "../enums";
+import { ILogger } from "../utils";
+import { InternalJwtVerifier } from "../jwt/internal-jwt-verifier";
+/**
+ * REQUIRE AUTH MIDDLEWARE  (@discover-cloud/shared)
+ * ─────────────────────────────────────────────────────────────────────────
+ * Verifies the internal JWT, resolves permissions from the Redis cache,
+ * and attaches the typed AccessContext to req.accessContext.
+ *
+ * Moved to shared so every downstream service (auth, user, cloud, insights)
+ * uses the same verified implementation rather than maintaining their own copy.
+ *
+ * Token extraction:
+ *   Reads a Bearer token from the Authorization header.
+ *   Does not support cookie-based auth — that is the API gateway's responsibility.
+ *
+ * On success:
+ *   req.internalAuth  → raw verified JWT payload (use for jti, caller, requestId)
+ *   req.accessContext → clean typed context (use in controllers and services)
+ *
+ * On failure:
+ *   Returns a structured error response and does NOT call next().
+ *   next(err) is only called for genuinely unexpected errors (not auth failures).
+ *
+ * Inline guards (requirePermission, requireRole):
+ *   Convenience methods for single-route guards. For router-level permission
+ *   enforcement, prefer the standalone factories in permission.middleware.ts —
+ *   they don't require a reference to this class instance.
+ *
+ * Logging:
+ *   Unexpected errors are logged at "error" level with requestId for correlation.
+ *   Auth failures (expired, invalid token) are intentionally not logged at error
+ *   level — they are client errors, not server faults.
+ *
+ * Usage in each service's app.ts:
+ *   import { RequireAuthMiddleware } from "@discover-cloud/shared";
+ *
+ *   const requireAuth = new RequireAuthMiddleware(jwtVerifier, logger);
+ *   router.use(requireAuth.handle);
+ */
+export declare class RequireAuthMiddleware {
+    private readonly verifier;
+    private readonly logger;
+    constructor(verifier: InternalJwtVerifier, logger?: ILogger);
+    /**
+     * Core authentication middleware.
+     * Apply via: router.use(requireAuth.handle) or router.get("/", requireAuth.handle, controller.x)
+     */
+    handle: (req: Request, res: Response, next: NextFunction) => Promise<void>;
+    /**
+     * Inline permission guard — use when this class instance is available at the call site.
+     * For router-level guards, prefer requireGlobalPermission() from permission.middleware.ts.
+     *
+     * Usage: router.get("/", requireAuth.handle, requireAuth.requirePermission(P.READ_ACCOUNTS), controller.list)
+     */
+    requirePermission: (permission: GlobalPermission) => (req: Request, res: Response, next: NextFunction) => void;
+    /**
+     * Inline role guard — use when this class instance is available at the call site.
+     *
+     * Prefer permission-based guards over role-based guards where possible.
+     * Role checks are appropriate for coarse access gates (e.g. "only admins enter this router").
+     */
+    requireRole: (role: AccountRole) => (req: Request, res: Response, next: NextFunction) => void;
+    /**
+     * Extracts the Bearer token from the Authorization header.
+     * Returns null (not an error) if the header is absent or malformed —
+     * callers decide how to handle the missing token.
+     */
+    private extractBearer;
+    /**
+     * Maps jose verification errors to appropriate HTTP responses.
+     *
+     * Error categories:
+     *   JWTExpired              → 401 TOKEN_EXPIRED    (client should refresh)
+     *   JWTClaimValidationFailed,
+     *   JWSSignatureVerificationFailed,
+     *   JWSInvalid, JWTInvalid → 401 INVALID_TOKEN    (client should re-login)
+     *   Anything else           → 503 SERVICE_UNAVAILABLE (unexpected — log at error)
+     *
+     * Security note: generic "invalid token" messages are intentional.
+     * Never expose which specific claim failed — that aids token forgery attempts.
+     */
+    private handleJwtError;
+}

package/dist/middleware/require-auth.middleware.js

@@ -0,0 +1,163 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequireAuthMiddleware = void 0;
+const jose_1 = require("jose");
+const utils_1 = require("../utils");
+const internal_jwt_verifier_1 = require("../jwt/internal-jwt-verifier");
+const utils_2 = require("../utils");
+/**
+ * REQUIRE AUTH MIDDLEWARE  (@discover-cloud/shared)
+ * ─────────────────────────────────────────────────────────────────────────
+ * Verifies the internal JWT, resolves permissions from the Redis cache,
+ * and attaches the typed AccessContext to req.accessContext.
+ *
+ * Moved to shared so every downstream service (auth, user, cloud, insights)
+ * uses the same verified implementation rather than maintaining their own copy.
+ *
+ * Token extraction:
+ *   Reads a Bearer token from the Authorization header.
+ *   Does not support cookie-based auth — that is the API gateway's responsibility.
+ *
+ * On success:
+ *   req.internalAuth  → raw verified JWT payload (use for jti, caller, requestId)
+ *   req.accessContext → clean typed context (use in controllers and services)
+ *
+ * On failure:
+ *   Returns a structured error response and does NOT call next().
+ *   next(err) is only called for genuinely unexpected errors (not auth failures).
+ *
+ * Inline guards (requirePermission, requireRole):
+ *   Convenience methods for single-route guards. For router-level permission
+ *   enforcement, prefer the standalone factories in permission.middleware.ts —
+ *   they don't require a reference to this class instance.
+ *
+ * Logging:
+ *   Unexpected errors are logged at "error" level with requestId for correlation.
+ *   Auth failures (expired, invalid token) are intentionally not logged at error
+ *   level — they are client errors, not server faults.
+ *
+ * Usage in each service's app.ts:
+ *   import { RequireAuthMiddleware } from "@discover-cloud/shared";
+ *
+ *   const requireAuth = new RequireAuthMiddleware(jwtVerifier, logger);
+ *   router.use(requireAuth.handle);
+ */
+class RequireAuthMiddleware {
+    constructor(verifier, logger = utils_1.noopLogger) {
+        this.verifier = verifier;
+        this.logger = logger;
+        /**
+         * Core authentication middleware.
+         * Apply via: router.use(requireAuth.handle) or router.get("/", requireAuth.handle, controller.x)
+         */
+        this.handle = async (req, res, next) => {
+            const token = this.extractBearer(req);
+            if (!token) {
+                (0, utils_2.failure)(res, req, "Missing Authorization header", "UNAUTHORIZED", 401);
+                return;
+            }
+            try {
+                const { payload, context } = await this.verifier.buildAccessContext(token);
+                req.internalAuth = payload;
+                req.accessContext = context;
+                this.logger.debug({
+                    requestId: req.id,
+                    // log accountId for humans, serviceId for machines — never log both
+                    identity: context.kind === "human" ? context.accountId : context.serviceId,
+                    kind: context.kind,
+                    caller: payload.caller,
+                }, "Request authenticated");
+                next();
+            }
+            catch (err) {
+                this.handleJwtError(err, req, res);
+            }
+        };
+        /**
+         * Inline permission guard — use when this class instance is available at the call site.
+         * For router-level guards, prefer requireGlobalPermission() from permission.middleware.ts.
+         *
+         * Usage: router.get("/", requireAuth.handle, requireAuth.requirePermission(P.READ_ACCOUNTS), controller.list)
+         */
+        this.requirePermission = (permission) => (req, res, next) => {
+            const ctx = req.accessContext;
+            if (!ctx) {
+                // Should not happen after handle() — indicates middleware ordering bug
+                (0, utils_2.failure)(res, req, "No access context — ensure requireAuth runs first", "UNAUTHORIZED", 401);
+                return;
+            }
+            if (!internal_jwt_verifier_1.InternalJwtVerifier.hasPermission(ctx, permission)) {
+                (0, utils_2.failure)(res, req, `Missing required permission: ${permission}`, "FORBIDDEN", 403);
+                return;
+            }
+            next();
+        };
+        /**
+         * Inline role guard — use when this class instance is available at the call site.
+         *
+         * Prefer permission-based guards over role-based guards where possible.
+         * Role checks are appropriate for coarse access gates (e.g. "only admins enter this router").
+         */
+        this.requireRole = (role) => (req, res, next) => {
+            const ctx = req.accessContext;
+            if (!ctx) {
+                (0, utils_2.failure)(res, req, "No access context — ensure requireAuth runs first", "UNAUTHORIZED", 401);
+                return;
+            }
+            if (!internal_jwt_verifier_1.InternalJwtVerifier.hasRole(ctx, role)) {
+                (0, utils_2.failure)(res, req, `Missing required role: ${role}`, "FORBIDDEN", 403);
+                return;
+            }
+            next();
+        };
+    }
+    /* ────────────────────────────────────────────────────────────────────
+       PRIVATE HELPERS
+    ──────────────────────────────────────────────────────────────────── */
+    /**
+     * Extracts the Bearer token from the Authorization header.
+     * Returns null (not an error) if the header is absent or malformed —
+     * callers decide how to handle the missing token.
+     */
+    extractBearer(req) {
+        const header = req.headers.authorization;
+        if (!header) {
+            return null;
+        }
+        const [scheme, token] = header.trim().split(/\s+/);
+        if (scheme !== "Bearer" || !token) {
+            return null;
+        }
+        return token;
+    }
+    /**
+     * Maps jose verification errors to appropriate HTTP responses.
+     *
+     * Error categories:
+     *   JWTExpired              → 401 TOKEN_EXPIRED    (client should refresh)
+     *   JWTClaimValidationFailed,
+     *   JWSSignatureVerificationFailed,
+     *   JWSInvalid, JWTInvalid → 401 INVALID_TOKEN    (client should re-login)
+     *   Anything else           → 503 SERVICE_UNAVAILABLE (unexpected — log at error)
+     *
+     * Security note: generic "invalid token" messages are intentional.
+     * Never expose which specific claim failed — that aids token forgery attempts.
+     */
+    handleJwtError(err, req, res) {
+        if (err instanceof jose_1.errors.JWTExpired) {
+            (0, utils_2.failure)(res, req, "Your session has expired. Please log in again.", "TOKEN_EXPIRED", 401);
+            return;
+        }
+        if (err instanceof jose_1.errors.JWTClaimValidationFailed ||
+            err instanceof jose_1.errors.JWSSignatureVerificationFailed ||
+            err instanceof jose_1.errors.JWSInvalid ||
+            err instanceof jose_1.errors.JWTInvalid) {
+            (0, utils_2.failure)(res, req, "Token is invalid or has been tampered with.", "INVALID_TOKEN", 401);
+            return;
+        }
+        // Unexpected error — log for investigation, return a safe 503
+        this.logger.error({ err, requestId: req.id }, "RequireAuthMiddleware: unexpected error during JWT verification");
+        (0, utils_2.failure)(res, req, "Authentication service is temporarily unavailable.", "SERVICE_UNAVAILABLE", 503);
+    }
+}
+exports.RequireAuthMiddleware = RequireAuthMiddleware;

package/dist/middleware/require-internal.middleware.d.ts

@@ -0,0 +1,18 @@
+import { Request, Response, NextFunction } from "express";
+import { ILogger } from "../utils/logger.utils";
+export interface RequireInternalOptions {
+    /**
+     * Gateway JWKS URI.
+     * Defaults to GATEWAY_JWKS_URI env var, then the docker-compose default.
+     * Must point to the gateway, not any individual service.
+     */
+    gatewayJwksUri?: string;
+    /**
+     * Permitted serviceIds. Reject any machine token whose serviceId is
+     * not in this list, even if the signature is valid.
+     * Omit to accept any valid machine token (not recommended in production).
+     */
+    allowedServices?: string[];
+    logger?: ILogger;
+}
+export declare function requireInternal(options?: RequireInternalOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;

package/dist/middleware/require-internal.middleware.js

@@ -0,0 +1,175 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireInternal = requireInternal;
+const jose = __importStar(require("jose"));
+const logger_utils_1 = require("../utils/logger.utils");
+/**
+ * REQUIRE INTERNAL MIDDLEWARE  (@discover-cloud/shared)
+ * ─────────────────────────────────────────────────────────────────────────
+ * Protects /internal/* routes by verifying a gateway-signed machine JWT.
+ * Replaces X-Internal-Secret on all service-to-service endpoints.
+ *
+ * Trust model:
+ *   All machine tokens are signed by the gateway's private key and verified
+ *   against the gateway's JWKS endpoint — the same trust root used for
+ *   human tokens. There is exactly one signing authority in the system.
+ *
+ * Verification:
+ *   1. Extract Bearer token from Authorization header
+ *   2. Verify RS256 signature against gateway JWKS
+ *   3. Assert typ === "internal" (token confusion defence)
+ *   4. Assert isMachine === true (rejects human tokens on internal routes)
+ *   5. Assert serviceId is in the allowlist (optional but recommended)
+ *   6. Attach MachineAccessContext to req.accessContext
+ *
+ * JWKS caching:
+ *   One RemoteJWKSet instance is created per middleware instance (i.e. per
+ *   service process), cached internally by jose for JWKS_CACHE_MAX_AGE_MS.
+ *   No per-request network call under normal operation.
+ *
+ * Allowlist:
+ *   Pass allowedServices to restrict which services can call this endpoint.
+ *   Example: requireInternal({ allowedServices: ["cloud-service"] })
+ *   Defaults to accepting any valid machine token if omitted.
+ *   Always set this in production — it limits blast radius if a service
+ *   is compromised.
+ *
+ * Usage:
+ *   // insights-service internal routes
+ *   router.use("/internal", requireInternal({
+ *     gatewayJwksUri: process.env.GATEWAY_JWKS_URI,
+ *     allowedServices: ["cloud-service"],
+ *     logger,
+ *   }));
+ */
+const CLOCK_TOLERANCE_S = 30;
+const JWKS_CACHE_MAX_AGE_MS = 10 * 60 * 1000;
+const JWKS_FETCH_TIMEOUT_MS = 5000;
+function requireInternal(options = {}) {
+    const logger = options.logger ?? logger_utils_1.noopLogger;
+    const jwksUri = options.gatewayJwksUri ??
+        process.env["GATEWAY_JWKS_URI"] ??
+        "http://api-gateway:3000/.well-known/jwks.json";
+    const issuer = process.env["INTERNAL_JWT_ISSUER"] ?? "discover-cloud:api-gateway";
+    const audience = process.env["INTERNAL_JWT_AUDIENCE"] ?? "discover-cloud:internal";
+    // One JWKS instance per middleware — jose caches the key set internally
+    const jwks = jose.createRemoteJWKSet(new URL(jwksUri), {
+        cacheMaxAge: JWKS_CACHE_MAX_AGE_MS,
+        timeoutDuration: JWKS_FETCH_TIMEOUT_MS,
+    });
+    const { allowedServices } = options;
+    return async (req, res, next) => {
+        const header = req.headers.authorization;
+        if (!header?.startsWith("Bearer ")) {
+            res.status(401).json({
+                success: false,
+                error: { code: "UNAUTHORIZED", message: "Missing Authorization header" },
+            });
+            return;
+        }
+        const token = header.slice(7);
+        try {
+            const { payload } = await jose.jwtVerify(token, jwks, {
+                issuer,
+                audience,
+                algorithms: ["RS256"],
+                clockTolerance: CLOCK_TOLERANCE_S,
+            });
+            // Token confusion defence — reject human tokens that somehow
+            // reach an internal route (wrong header forwarded by caller)
+            if (payload["typ"] !== "internal") {
+                res.status(401).json({
+                    success: false,
+                    error: { code: "INVALID_TOKEN", message: "Token type must be 'internal'" },
+                });
+                return;
+            }
+            // Machine guard — reject human internal tokens on machine-only routes
+            if (payload["isMachine"] !== true) {
+                res.status(403).json({
+                    success: false,
+                    error: { code: "FORBIDDEN", message: "Machine token required for internal routes" },
+                });
+                return;
+            }
+            const serviceId = payload["serviceId"];
+            if (typeof serviceId !== "string") {
+                res.status(401).json({
+                    success: false,
+                    error: { code: "INVALID_TOKEN", message: "Token missing serviceId" },
+                });
+                return;
+            }
+            // Allowlist — tightest possible scope per endpoint
+            if (allowedServices && !allowedServices.includes(serviceId)) {
+                logger.warn({ requestId: req.id, serviceId }, "[requireInternal] serviceId not in allowlist");
+                res.status(403).json({
+                    success: false,
+                    error: { code: "FORBIDDEN", message: "Service not permitted to call this endpoint" },
+                });
+                return;
+            }
+            const context = { kind: "machine", serviceId };
+            req.accessContext = context;
+            logger.debug({ requestId: req.id, serviceId, jti: payload.jti }, "[requireInternal] Machine token verified");
+            next();
+        }
+        catch (err) {
+            if (err instanceof jose.errors.JWTExpired) {
+                res.status(401).json({
+                    success: false,
+                    error: { code: "TOKEN_EXPIRED", message: "Machine token has expired" },
+                });
+                return;
+            }
+            if (err instanceof jose.errors.JWSSignatureVerificationFailed ||
+                err instanceof jose.errors.JWTClaimValidationFailed ||
+                err instanceof jose.errors.JWSInvalid ||
+                err instanceof jose.errors.JWTInvalid) {
+                res.status(401).json({
+                    success: false,
+                    error: { code: "INVALID_TOKEN", message: "Machine token is invalid" },
+                });
+                return;
+            }
+            logger.error({ err, requestId: req.id }, "[requireInternal] Unexpected error verifying machine token");
+            res.status(503).json({
+                success: false,
+                error: { code: "SERVICE_UNAVAILABLE", message: "Authentication temporarily unavailable" },
+            });
+        }
+    };
+}

package/dist/types/express.types.d.ts

@@ -60,7 +60,8 @@ export interface HumanInternalJwtPayload extends BaseInternalJwtPayload {
     isMachine: false;
     accountId: string;
     accountRole: AccountRole;
-    externalJti?: string;
+    externalJti: string;
+    externalExp: number;
 }
 /**
  * MachineInternalJwtPayload
@@ -73,6 +74,10 @@ export interface MachineInternalJwtPayload extends BaseInternalJwtPayload {
 }
 /** Full internal JWT payload union — use in verifiers and auth middleware */
 export type InternalJwtPayload = HumanInternalJwtPayload | MachineInternalJwtPayload;
+export interface TokenRevocationContext {
+    jti: string;
+    exp: number;
+}
 export interface HumanAccessContext {
     kind: "human";
     accountId: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@discover-cloud/shared",
-  "version": "1.2.2",
+  "version": "1.2.4",
   "private": false,
   "type": "commonjs",
   "main": "dist/index.js",