@donkeylabs/cli 1.1.14 → 1.1.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@donkeylabs/cli",
-  "version": "1.1.14",
+  "version": "1.1.15",
   "type": "module",
   "description": "CLI for @donkeylabs/server - project scaffolding and code generation",
   "main": "./src/index.ts",

package/templates/sveltekit-app/src/server/index.ts

@@ -24,8 +24,38 @@ export const server = new AppServer({
   },
 });
 
-// Register plugins
-server.registerPlugin(authPlugin);  // Auth first - other plugins may depend on it
+// =============================================================================
+// AUTH PLUGIN CONFIGURATION
+// =============================================================================
+// Choose your auth strategy:
+//
+// 1. SESSION (default) - Stateful, stores sessions in database
+//    Best for: Web apps, server-rendered pages
+//    server.registerPlugin(authPlugin());
+//
+// 2. JWT - Stateless tokens, no database lookup needed
+//    Best for: Mobile apps, microservices, APIs
+//    server.registerPlugin(authPlugin({
+//      strategy: "jwt",
+//      jwt: { secret: process.env.JWT_SECRET! },
+//    }));
+//
+// 3. REFRESH-TOKEN - Short-lived access + long-lived refresh token
+//    Best for: SPAs, mobile apps needing token refresh
+//    server.registerPlugin(authPlugin({
+//      strategy: "refresh-token",
+//      jwt: {
+//        secret: process.env.JWT_SECRET!,
+//        accessExpiry: "15m",
+//        refreshExpiry: "30d",
+//      },
+//      cookie: { httpOnly: true, secure: true },
+//    }));
+//
+// =============================================================================
+
+// Using default session strategy for this template
+server.registerPlugin(authPlugin());
 server.registerPlugin(demoPlugin);
 server.registerPlugin(workflowDemoPlugin);
 

package/templates/sveltekit-app/src/server/plugins/auth/index.ts

@@ -1,16 +1,92 @@
 /**
- * Auth Plugin - User authentication with sessions
+ * Auth Plugin - Configurable authentication with multiple strategies
  *
- * Provides:
- * - User registration and login
- * - Password hashing with bcrypt
- * - Session-based authentication
- * - Auth middleware for protected routes
+ * Strategies:
+ * - session: Stateful, database sessions (default)
+ * - jwt: Stateless JWT tokens
+ * - refresh-token: Access token + refresh token pattern
+ *
+ * Storage:
+ * - cookie: HTTP-only cookies (recommended for web)
+ * - header: Authorization header (for APIs/mobile)
+ * - both: Support both methods
  */
 
 import { createPlugin, createMiddleware } from "@donkeylabs/server";
 import type { ColumnType } from "kysely";
 
+// =============================================================================
+// CONFIGURATION TYPES
+// =============================================================================
+
+export type AuthStrategy = "session" | "jwt" | "refresh-token";
+export type TokenStorage = "cookie" | "header" | "both";
+
+export interface AuthConfig {
+  /**
+   * Authentication strategy
+   * - session: Stateful, stores sessions in database
+   * - jwt: Stateless, token contains user info
+   * - refresh-token: Short-lived access + long-lived refresh token
+   * @default "session"
+   */
+  strategy?: AuthStrategy;
+
+  /**
+   * How tokens/sessions are transmitted
+   * - cookie: HTTP-only cookies (secure for web apps)
+   * - header: Authorization header (for APIs/mobile)
+   * - both: Accept both methods
+   * @default "both"
+   */
+  storage?: TokenStorage;
+
+  /**
+   * Cookie configuration (when storage includes cookies)
+   */
+  cookie?: {
+    /** Cookie name prefix @default "auth" */
+    name?: string;
+    /** HTTP-only flag @default true */
+    httpOnly?: boolean;
+    /** Secure flag (HTTPS only) @default true in production */
+    secure?: boolean;
+    /** SameSite policy @default "lax" */
+    sameSite?: "strict" | "lax" | "none";
+    /** Cookie path @default "/" */
+    path?: string;
+    /** Cookie domain (optional) */
+    domain?: string;
+  };
+
+  /**
+   * JWT configuration (for jwt and refresh-token strategies)
+   */
+  jwt?: {
+    /** Secret key for signing tokens (required for jwt/refresh-token) */
+    secret: string;
+    /** Access token expiry @default "15m" for refresh-token, "7d" for jwt */
+    accessExpiry?: string;
+    /** Refresh token expiry @default "30d" (refresh-token strategy only) */
+    refreshExpiry?: string;
+    /** Token issuer (optional) */
+    issuer?: string;
+  };
+
+  /**
+   * Session configuration (for session strategy)
+   */
+  session?: {
+    /** Session duration @default "7d" */
+    expiry?: string;
+  };
+
+  /**
+   * Password hashing cost @default 10
+   */
+  bcryptCost?: number;
+}
+
 // =============================================================================
 // DATABASE SCHEMA TYPES
 // =============================================================================
@@ -31,13 +107,22 @@ interface SessionsTable {
   created_at: ColumnType<string, string | undefined, never>;
 }
 
+interface RefreshTokensTable {
+  id: string;
+  user_id: string;
+  token_hash: string;
+  expires_at: string;
+  created_at: ColumnType<string, string | undefined, never>;
+}
+
 interface AuthSchema {
   users: UsersTable;
   sessions: SessionsTable;
+  refresh_tokens: RefreshTokensTable;
 }
 
 // =============================================================================
-// TYPES
+// EXPORTED TYPES
 // =============================================================================
 
 export interface AuthUser {
@@ -46,10 +131,117 @@ export interface AuthUser {
   name: string | null;
 }
 
-export interface Session {
-  id: string;
-  userId: string;
-  expiresAt: Date;
+export interface AuthTokens {
+  accessToken: string;
+  refreshToken?: string;
+  expiresIn: number;
+}
+
+export interface AuthResult {
+  user: AuthUser;
+  tokens: AuthTokens;
+}
+
+// =============================================================================
+// HELPERS
+// =============================================================================
+
+function parseExpiry(expiry: string): number {
+  const match = expiry.match(/^(\d+)(s|m|h|d)$/);
+  if (!match) return 7 * 24 * 60 * 60 * 1000; // Default 7 days
+
+  const value = parseInt(match[1]);
+  const unit = match[2];
+
+  switch (unit) {
+    case "s": return value * 1000;
+    case "m": return value * 60 * 1000;
+    case "h": return value * 60 * 60 * 1000;
+    case "d": return value * 24 * 60 * 60 * 1000;
+    default: return 7 * 24 * 60 * 60 * 1000;
+  }
+}
+
+interface JWTPayload {
+  sub: string;
+  email: string;
+  name: string | null;
+  iat: number;
+  exp: number;
+  iss?: string;
+  type?: "access" | "refresh";
+}
+
+function base64UrlEncode(data: string): string {
+  return btoa(data).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+
+function base64UrlDecode(data: string): string {
+  const padded = data + "=".repeat((4 - (data.length % 4)) % 4);
+  return atob(padded.replace(/-/g, "+").replace(/_/g, "/"));
+}
+
+async function signJWT(payload: JWTPayload, secret: string): Promise<string> {
+  const header = { alg: "HS256", typ: "JWT" };
+  const encodedHeader = base64UrlEncode(JSON.stringify(header));
+  const encodedPayload = base64UrlEncode(JSON.stringify(payload));
+
+  const data = `${encodedHeader}.${encodedPayload}`;
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    encoder.encode(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+
+  const signature = await crypto.subtle.sign("HMAC", key, encoder.encode(data));
+  const encodedSignature = base64UrlEncode(
+    String.fromCharCode(...new Uint8Array(signature))
+  );
+
+  return `${data}.${encodedSignature}`;
+}
+
+async function verifyJWT(token: string, secret: string): Promise<JWTPayload | null> {
+  try {
+    const [encodedHeader, encodedPayload, encodedSignature] = token.split(".");
+    if (!encodedHeader || !encodedPayload || !encodedSignature) return null;
+
+    const data = `${encodedHeader}.${encodedPayload}`;
+    const encoder = new TextEncoder();
+    const key = await crypto.subtle.importKey(
+      "raw",
+      encoder.encode(secret),
+      { name: "HMAC", hash: "SHA-256" },
+      false,
+      ["verify"]
+    );
+
+    const signature = Uint8Array.from(
+      base64UrlDecode(encodedSignature),
+      (c) => c.charCodeAt(0)
+    );
+
+    const valid = await crypto.subtle.verify(
+      "HMAC",
+      key,
+      signature,
+      encoder.encode(data)
+    );
+
+    if (!valid) return null;
+
+    const payload: JWTPayload = JSON.parse(base64UrlDecode(encodedPayload));
+
+    // Check expiry
+    if (payload.exp * 1000 < Date.now()) return null;
+
+    return payload;
+  } catch {
+    return null;
+  }
 }
 
 // =============================================================================
@@ -58,10 +250,10 @@ export interface Session {
 
 export const authPlugin = createPlugin
   .withSchema<AuthSchema>()
+  .withConfig<AuthConfig>()
   .define({
     name: "auth",
 
-    // Custom errors for auth failures
     customErrors: {
       InvalidCredentials: {
         status: 401,
@@ -73,17 +265,199 @@ export const authPlugin = createPlugin
         code: "EMAIL_EXISTS",
         message: "An account with this email already exists",
       },
-      SessionExpired: {
+      InvalidToken: {
         status: 401,
-        code: "SESSION_EXPIRED",
-        message: "Your session has expired. Please log in again.",
+        code: "INVALID_TOKEN",
+        message: "Invalid or expired token",
+      },
+      RefreshTokenExpired: {
+        status: 401,
+        code: "REFRESH_TOKEN_EXPIRED",
+        message: "Refresh token has expired. Please log in again.",
       },
     },
 
     service: async (ctx) => {
-      const SESSION_DURATION_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+      const config = ctx.config || {};
+      const strategy = config.strategy || "session";
+      const storage = config.storage || "both";
+      const bcryptCost = config.bcryptCost || 10;
+
+      // Expiry defaults based on strategy
+      const accessExpiryMs = parseExpiry(
+        config.jwt?.accessExpiry ||
+        (strategy === "refresh-token" ? "15m" : "7d")
+      );
+      const refreshExpiryMs = parseExpiry(config.jwt?.refreshExpiry || "30d");
+      const sessionExpiryMs = parseExpiry(config.session?.expiry || "7d");
+
+      const jwtSecret = config.jwt?.secret || "";
+
+      // Validate config
+      if ((strategy === "jwt" || strategy === "refresh-token") && !jwtSecret) {
+        throw new Error("Auth plugin: jwt.secret is required for jwt/refresh-token strategy");
+      }
+
+      /**
+       * Create tokens based on strategy
+       */
+      async function createTokens(user: AuthUser): Promise<AuthTokens> {
+        const now = Math.floor(Date.now() / 1000);
+
+        if (strategy === "jwt") {
+          const payload: JWTPayload = {
+            sub: user.id,
+            email: user.email,
+            name: user.name,
+            iat: now,
+            exp: now + Math.floor(accessExpiryMs / 1000),
+            iss: config.jwt?.issuer,
+          };
+
+          const accessToken = await signJWT(payload, jwtSecret);
+          return {
+            accessToken,
+            expiresIn: Math.floor(accessExpiryMs / 1000),
+          };
+        }
+
+        if (strategy === "refresh-token") {
+          // Access token (short-lived)
+          const accessPayload: JWTPayload = {
+            sub: user.id,
+            email: user.email,
+            name: user.name,
+            iat: now,
+            exp: now + Math.floor(accessExpiryMs / 1000),
+            iss: config.jwt?.issuer,
+            type: "access",
+          };
+
+          // Refresh token (long-lived, stored in DB)
+          const refreshTokenId = crypto.randomUUID();
+          const refreshPayload: JWTPayload = {
+            sub: user.id,
+            email: user.email,
+            name: user.name,
+            iat: now,
+            exp: now + Math.floor(refreshExpiryMs / 1000),
+            iss: config.jwt?.issuer,
+            type: "refresh",
+          };
+
+          const accessToken = await signJWT(accessPayload, jwtSecret);
+          const refreshToken = await signJWT(refreshPayload, jwtSecret);
+
+          // Hash and store refresh token
+          const tokenHash = await Bun.password.hash(refreshToken, {
+            algorithm: "bcrypt",
+            cost: 4, // Lower cost for refresh tokens (checked less often)
+          });
+
+          await ctx.db
+            .insertInto("refresh_tokens")
+            .values({
+              id: refreshTokenId,
+              user_id: user.id,
+              token_hash: tokenHash,
+              expires_at: new Date(Date.now() + refreshExpiryMs).toISOString(),
+              created_at: new Date().toISOString(),
+            })
+            .execute();
+
+          return {
+            accessToken,
+            refreshToken,
+            expiresIn: Math.floor(accessExpiryMs / 1000),
+          };
+        }
+
+        // Session strategy - create DB session
+        const sessionId = crypto.randomUUID();
+        const expiresAt = new Date(Date.now() + sessionExpiryMs);
+
+        await ctx.db
+          .insertInto("sessions")
+          .values({
+            id: sessionId,
+            user_id: user.id,
+            expires_at: expiresAt.toISOString(),
+            created_at: new Date().toISOString(),
+          })
+          .execute();
+
+        return {
+          accessToken: sessionId,
+          expiresIn: Math.floor(sessionExpiryMs / 1000),
+        };
+      }
+
+      /**
+       * Validate token and return user
+       */
+      async function validateToken(token: string): Promise<AuthUser | null> {
+        if (strategy === "jwt" || strategy === "refresh-token") {
+          const payload = await verifyJWT(token, jwtSecret);
+          if (!payload) return null;
+
+          // For refresh-token strategy, only accept access tokens in middleware
+          if (strategy === "refresh-token" && payload.type !== "access") {
+            return null;
+          }
+
+          return {
+            id: payload.sub,
+            email: payload.email,
+            name: payload.name,
+          };
+        }
+
+        // Session strategy - lookup in DB
+        const session = await ctx.db
+          .selectFrom("sessions")
+          .where("id", "=", token)
+          .selectAll()
+          .executeTakeFirst();
+
+        if (!session) return null;
+
+        if (new Date(session.expires_at) < new Date()) {
+          await ctx.db.deleteFrom("sessions").where("id", "=", token).execute();
+          return null;
+        }
+
+        const user = await ctx.db
+          .selectFrom("users")
+          .where("id", "=", session.user_id)
+          .selectAll()
+          .executeTakeFirst();
+
+        if (!user) return null;
+
+        return {
+          id: user.id,
+          email: user.email,
+          name: user.name,
+        };
+      }
 
       return {
+        /** Get current strategy */
+        getStrategy: () => strategy,
+
+        /** Get storage type */
+        getStorage: () => storage,
+
+        /** Get cookie config */
+        getCookieConfig: () => ({
+          name: config.cookie?.name || "auth",
+          httpOnly: config.cookie?.httpOnly ?? true,
+          secure: config.cookie?.secure ?? process.env.NODE_ENV === "production",
+          sameSite: config.cookie?.sameSite || "lax",
+          path: config.cookie?.path || "/",
+          domain: config.cookie?.domain,
+        }),
+
         /**
          * Register a new user
          */
@@ -91,10 +465,9 @@ export const authPlugin = createPlugin
           email: string;
           password: string;
           name?: string;
-        }): Promise<{ user: AuthUser; sessionId: string }> => {
+        }): Promise<AuthResult> => {
           const { email, password, name } = data;
 
-          // Check if email already exists
           const existing = await ctx.db
             .selectFrom("users")
             .where("email", "=", email.toLowerCase())
@@ -105,16 +478,14 @@ export const authPlugin = createPlugin
             throw ctx.errors.EmailAlreadyExists();
           }
 
-          // Hash password
           const passwordHash = await Bun.password.hash(password, {
             algorithm: "bcrypt",
-            cost: 10,
+            cost: bcryptCost,
           });
 
           const userId = crypto.randomUUID();
           const now = new Date().toISOString();
 
-          // Create user
           await ctx.db
             .insertInto("users")
             .values({
@@ -127,26 +498,17 @@ export const authPlugin = createPlugin
             })
             .execute();
 
-          // Create session
-          const sessionId = crypto.randomUUID();
-          const expiresAt = new Date(Date.now() + SESSION_DURATION_MS);
+          const user: AuthUser = {
+            id: userId,
+            email: email.toLowerCase(),
+            name: name || null,
+          };
 
-          await ctx.db
-            .insertInto("sessions")
-            .values({
-              id: sessionId,
-              user_id: userId,
-              expires_at: expiresAt.toISOString(),
-              created_at: now,
-            })
-            .execute();
+          const tokens = await createTokens(user);
 
-          ctx.core.logger.info("User registered", { userId, email });
+          ctx.core.logger.info("User registered", { userId, email, strategy });
 
-          return {
-            user: { id: userId, email: email.toLowerCase(), name: name || null },
-            sessionId,
-          };
+          return { user, tokens };
         },
 
         /**
@@ -155,100 +517,137 @@ export const authPlugin = createPlugin
         login: async (data: {
           email: string;
           password: string;
-        }): Promise<{ user: AuthUser; sessionId: string }> => {
+        }): Promise<AuthResult> => {
           const { email, password } = data;
 
-          // Find user
-          const user = await ctx.db
+          const dbUser = await ctx.db
             .selectFrom("users")
             .where("email", "=", email.toLowerCase())
             .selectAll()
             .executeTakeFirst();
 
-          if (!user) {
+          if (!dbUser) {
             throw ctx.errors.InvalidCredentials();
           }
 
-          // Verify password
-          const valid = await Bun.password.verify(password, user.password_hash);
+          const valid = await Bun.password.verify(password, dbUser.password_hash);
           if (!valid) {
             throw ctx.errors.InvalidCredentials();
           }
 
-          // Create session
-          const sessionId = crypto.randomUUID();
-          const expiresAt = new Date(Date.now() + SESSION_DURATION_MS);
+          const user: AuthUser = {
+            id: dbUser.id,
+            email: dbUser.email,
+            name: dbUser.name,
+          };
 
-          await ctx.db
-            .insertInto("sessions")
-            .values({
-              id: sessionId,
-              user_id: user.id,
-              expires_at: expiresAt.toISOString(),
-              created_at: new Date().toISOString(),
-            })
-            .execute();
+          const tokens = await createTokens(user);
 
-          ctx.core.logger.info("User logged in", { userId: user.id });
+          ctx.core.logger.info("User logged in", { userId: user.id, strategy });
 
-          return {
-            user: { id: user.id, email: user.email, name: user.name },
-            sessionId,
-          };
+          return { user, tokens };
         },
 
         /**
-         * Logout - invalidate session
+         * Refresh access token (refresh-token strategy only)
          */
-        logout: async (sessionId: string): Promise<void> => {
-          await ctx.db
-            .deleteFrom("sessions")
-            .where("id", "=", sessionId)
-            .execute();
-        },
+        refresh: async (refreshToken: string): Promise<AuthTokens> => {
+          if (strategy !== "refresh-token") {
+            throw new Error("refresh() only available with refresh-token strategy");
+          }
 
-        /**
-         * Validate session and get user
-         */
-        validateSession: async (sessionId: string): Promise<AuthUser | null> => {
-          const session = await ctx.db
-            .selectFrom("sessions")
-            .where("id", "=", sessionId)
+          const payload = await verifyJWT(refreshToken, jwtSecret);
+          if (!payload || payload.type !== "refresh") {
+            throw ctx.errors.InvalidToken();
+          }
+
+          // Verify refresh token exists in DB (not revoked)
+          const stored = await ctx.db
+            .selectFrom("refresh_tokens")
+            .where("user_id", "=", payload.sub)
             .selectAll()
-            .executeTakeFirst();
+            .execute();
 
-          if (!session) {
-            return null;
+          let validToken = false;
+          for (const t of stored) {
+            if (await Bun.password.verify(refreshToken, t.token_hash)) {
+              validToken = true;
+              break;
+            }
           }
 
-          // Check if expired
-          if (new Date(session.expires_at) < new Date()) {
-            // Clean up expired session
-            await ctx.db
-              .deleteFrom("sessions")
-              .where("id", "=", sessionId)
-              .execute();
-            return null;
+          if (!validToken) {
+            throw ctx.errors.RefreshTokenExpired();
           }
 
           // Get user
           const user = await ctx.db
             .selectFrom("users")
-            .where("id", "=", session.user_id)
+            .where("id", "=", payload.sub)
             .selectAll()
             .executeTakeFirst();
 
           if (!user) {
-            return null;
+            throw ctx.errors.InvalidToken();
           }
 
-          return {
-            id: user.id,
+          // Create new access token (keep same refresh token)
+          const now = Math.floor(Date.now() / 1000);
+          const accessPayload: JWTPayload = {
+            sub: user.id,
             email: user.email,
             name: user.name,
+            iat: now,
+            exp: now + Math.floor(accessExpiryMs / 1000),
+            iss: config.jwt?.issuer,
+            type: "access",
+          };
+
+          const accessToken = await signJWT(accessPayload, jwtSecret);
+
+          return {
+            accessToken,
+            expiresIn: Math.floor(accessExpiryMs / 1000),
           };
         },
 
+        /**
+         * Logout - invalidate session/refresh token
+         */
+        logout: async (token: string): Promise<void> => {
+          if (strategy === "session") {
+            await ctx.db.deleteFrom("sessions").where("id", "=", token).execute();
+          } else if (strategy === "refresh-token") {
+            // For refresh-token, we receive the refresh token to revoke
+            const payload = await verifyJWT(token, jwtSecret);
+            if (payload) {
+              // Delete all refresh tokens for this user (logout everywhere)
+              // Or could do selective deletion by matching hash
+              await ctx.db
+                .deleteFrom("refresh_tokens")
+                .where("user_id", "=", payload.sub)
+                .execute();
+            }
+          }
+          // JWT strategy: tokens are stateless, nothing to invalidate
+        },
+
+        /**
+         * Logout from all devices
+         */
+        logoutAll: async (userId: string): Promise<void> => {
+          if (strategy === "session") {
+            await ctx.db.deleteFrom("sessions").where("user_id", "=", userId).execute();
+          } else if (strategy === "refresh-token") {
+            await ctx.db.deleteFrom("refresh_tokens").where("user_id", "=", userId).execute();
+          }
+        },
+
+        /**
+         * Validate token/session and get user
+         */
+        validateToken,
+
         /**
          * Get user by ID
          */
@@ -259,9 +658,7 @@ export const authPlugin = createPlugin
             .selectAll()
             .executeTakeFirst();
 
-          if (!user) {
-            return null;
-          }
+          if (!user) return null;
 
           return {
             id: user.id,
@@ -286,7 +683,6 @@ export const authPlugin = createPlugin
           }
 
           if (data.email !== undefined) {
-            // Check if email is taken by another user
             const existing = await ctx.db
               .selectFrom("users")
               .where("email", "=", data.email.toLowerCase())
@@ -321,52 +717,71 @@ export const authPlugin = createPlugin
         },
 
         /**
-         * Delete all expired sessions (cleanup job)
+         * Cleanup expired sessions/tokens
          */
-        cleanupExpiredSessions: async (): Promise<number> => {
-          const result = await ctx.db
-            .deleteFrom("sessions")
-            .where("expires_at", "<", new Date().toISOString())
-            .executeTakeFirst();
+        cleanup: async (): Promise<number> => {
+          const now = new Date().toISOString();
+          let count = 0;
+
+          if (strategy === "session") {
+            const result = await ctx.db
+              .deleteFrom("sessions")
+              .where("expires_at", "<", now)
+              .executeTakeFirst();
+            count = Number(result.numDeletedRows);
+          } else if (strategy === "refresh-token") {
+            const result = await ctx.db
+              .deleteFrom("refresh_tokens")
+              .where("expires_at", "<", now)
+              .executeTakeFirst();
+            count = Number(result.numDeletedRows);
+          }
 
-          const count = Number(result.numDeletedRows);
           if (count > 0) {
-            ctx.core.logger.info("Cleaned up expired sessions", { count });
+            ctx.core.logger.info("Auth cleanup completed", { count, strategy });
           }
           return count;
         },
       };
     },
 
-    /**
-     * Auth middleware - validates session from cookie/header
-     */
     middleware: (ctx, service) => ({
       /**
-       * Require authentication middleware
-       * Sets ctx.user if valid session found
-       * Returns 401 if required and no valid session
+       * Auth middleware - validates token from cookie/header
        */
       auth: createMiddleware<{ required?: boolean }>(
-        async (req, reqCtx, next, config) => {
-          // Get session ID from cookie or Authorization header
-          const cookies = req.headers.get("cookie") || "";
-          const cookieMatch = cookies.match(/session=([^;]+)/);
-          const headerToken = req.headers.get("authorization")?.replace("Bearer ", "");
+        async (req, reqCtx, next, middlewareConfig) => {
+          const storage = service.getStorage();
+          const cookieConfig = service.getCookieConfig();
+
+          let token: string | null = null;
+
+          // Try cookie first (if enabled)
+          if (storage === "cookie" || storage === "both") {
+            const cookies = req.headers.get("cookie") || "";
+            const cookieMatch = cookies.match(
+              new RegExp(`${cookieConfig.name}=([^;]+)`)
+            );
+            token = cookieMatch?.[1] || null;
+          }
 
-          const sessionId = cookieMatch?.[1] || headerToken;
+          // Try header (if enabled and no cookie found)
+          if (!token && (storage === "header" || storage === "both")) {
+            const authHeader = req.headers.get("authorization");
+            if (authHeader?.startsWith("Bearer ")) {
+              token = authHeader.slice(7);
+            }
+          }
 
-          if (sessionId) {
-            const user = await service.validateSession(sessionId);
+          if (token) {
+            const user = await service.validateToken(token);
             if (user) {
-              // Set user on request context
               (reqCtx as any).user = user;
-              (reqCtx as any).sessionId = sessionId;
+              (reqCtx as any).token = token;
             }
           }
 
-          // If auth is required and no user, return 401
-          if (config?.required && !(reqCtx as any).user) {
+          if (middlewareConfig?.required && !(reqCtx as any).user) {
             return Response.json(
               { error: "Unauthorized", code: "UNAUTHORIZED" },
               { status: 401 }
@@ -378,19 +793,23 @@ export const authPlugin = createPlugin
       ),
     }),
 
-    /**
-     * Initialize cleanup cron job
-     */
     init: async (ctx, service) => {
-      // Clean up expired sessions daily at 3am
-      ctx.core.cron.schedule(
-        "0 3 * * *",
-        async () => {
-          await service.cleanupExpiredSessions();
-        },
-        { name: "auth-session-cleanup" }
-      );
-
-      ctx.core.logger.info("Auth plugin initialized");
+      const strategy = service.getStrategy();
+
+      // Schedule cleanup based on strategy
+      if (strategy === "session" || strategy === "refresh-token") {
+        ctx.core.cron.schedule(
+          "0 3 * * *", // Daily at 3am
+          async () => {
+            await service.cleanup();
+          },
+          { name: "auth-cleanup" }
+        );
+      }
+
+      ctx.core.logger.info("Auth plugin initialized", {
+        strategy,
+        storage: service.getStorage(),
+      });
     },
   });

package/templates/sveltekit-app/src/server/plugins/auth/migrations/003_create_refresh_tokens.ts

@@ -0,0 +1,33 @@
+import type { Kysely } from "kysely";
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await db.schema
+    .createTable("refresh_tokens")
+    .ifNotExists()
+    .addColumn("id", "text", (col) => col.primaryKey())
+    .addColumn("user_id", "text", (col) =>
+      col.notNull().references("users.id").onDelete("cascade")
+    )
+    .addColumn("token_hash", "text", (col) => col.notNull())
+    .addColumn("expires_at", "text", (col) => col.notNull())
+    .addColumn("created_at", "text", (col) => col.notNull().defaultTo("CURRENT_TIMESTAMP"))
+    .execute();
+
+  await db.schema
+    .createIndex("idx_refresh_tokens_user_id")
+    .ifNotExists()
+    .on("refresh_tokens")
+    .column("user_id")
+    .execute();
+
+  await db.schema
+    .createIndex("idx_refresh_tokens_expires_at")
+    .ifNotExists()
+    .on("refresh_tokens")
+    .column("expires_at")
+    .execute();
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await db.schema.dropTable("refresh_tokens").ifExists().execute();
+}

package/templates/sveltekit-app/src/server/routes/auth/auth.schemas.ts

@@ -15,6 +15,10 @@ export const loginSchema = z.object({
   password: z.string().min(1, "Password is required"),
 });
 
+export const refreshSchema = z.object({
+  refreshToken: z.string(),
+});
+
 export const updateProfileSchema = z.object({
   name: z.string().min(1).optional(),
   email: z.string().email().optional(),
@@ -30,11 +34,19 @@ export const userSchema = z.object({
   name: z.string().nullable(),
 });
 
+export const tokensSchema = z.object({
+  accessToken: z.string(),
+  refreshToken: z.string().optional(),
+  expiresIn: z.number(),
+});
+
 export const authResponseSchema = z.object({
   user: userSchema,
-  sessionId: z.string(),
+  tokens: tokensSchema,
 });
 
+export const refreshResponseSchema = tokensSchema;
+
 export const meResponseSchema = userSchema.nullable();
 
 export const logoutResponseSchema = z.object({
@@ -47,6 +59,8 @@ export const logoutResponseSchema = z.object({
 
 export type RegisterInput = z.infer<typeof registerSchema>;
 export type LoginInput = z.infer<typeof loginSchema>;
+export type RefreshInput = z.infer<typeof refreshSchema>;
 export type UpdateProfileInput = z.infer<typeof updateProfileSchema>;
 export type User = z.infer<typeof userSchema>;
+export type Tokens = z.infer<typeof tokensSchema>;
 export type AuthResponse = z.infer<typeof authResponseSchema>;

package/templates/sveltekit-app/src/server/routes/auth/handlers/login.handler.ts

@@ -1,7 +1,7 @@
 import type { Handler, Routes, AppContext } from "$server/api";
 
 /**
- * Login Handler - Authenticate user and create session
+ * Login Handler - Authenticate user and create session/token
  */
 export class LoginHandler implements Handler<Routes.Auth.Login> {
   constructor(private ctx: AppContext) {}
@@ -14,7 +14,7 @@ export class LoginHandler implements Handler<Routes.Auth.Login> {
 
     return {
       user: result.user,
-      sessionId: result.sessionId,
+      tokens: result.tokens,
     };
   }
 }

package/templates/sveltekit-app/src/server/routes/auth/handlers/logout.handler.ts

@@ -1,17 +1,17 @@
 import type { Handler, Routes, AppContext } from "$server/api";
 
 /**
- * Logout Handler - Invalidate current session
+ * Logout Handler - Invalidate current session/token
  */
 export class LogoutHandler implements Handler<Routes.Auth.Logout> {
   constructor(private ctx: AppContext) {}
 
   async handle(_input: Routes.Auth.Logout.Input): Promise<Routes.Auth.Logout.Output> {
-    // Get session ID from request context (set by auth middleware)
-    const sessionId = (this.ctx as any).sessionId;
+    // Get token from request context (set by auth middleware)
+    const token = (this.ctx as any).token;
 
-    if (sessionId) {
-      await this.ctx.plugins.auth.logout(sessionId);
+    if (token) {
+      await this.ctx.plugins.auth.logout(token);
     }
 
     return { success: true };

package/templates/sveltekit-app/src/server/routes/auth/handlers/refresh.handler.ts

@@ -0,0 +1,19 @@
+import type { Handler, Routes, AppContext } from "$server/api";
+
+/**
+ * Refresh Handler - Get new access token using refresh token
+ * Only available with refresh-token strategy
+ */
+export class RefreshHandler implements Handler<Routes.Auth.Refresh> {
+  constructor(private ctx: AppContext) {}
+
+  async handle(input: Routes.Auth.Refresh.Input): Promise<Routes.Auth.Refresh.Output> {
+    const tokens = await this.ctx.plugins.auth.refresh(input.refreshToken);
+
+    return {
+      accessToken: tokens.accessToken,
+      refreshToken: tokens.refreshToken,
+      expiresIn: tokens.expiresIn,
+    };
+  }
+}

package/templates/sveltekit-app/src/server/routes/auth/handlers/register.handler.ts

@@ -15,7 +15,7 @@ export class RegisterHandler implements Handler<Routes.Auth.Register> {
 
     return {
       user: result.user,
-      sessionId: result.sessionId,
+      tokens: result.tokens,
     };
   }
 }

package/templates/sveltekit-app/src/server/routes/auth/index.ts

@@ -3,8 +3,9 @@
  *
  * Provides:
  * - auth.register - Create new account
- * - auth.login - Login and get session
- * - auth.logout - Invalidate session (requires auth)
+ * - auth.login - Login and get tokens
+ * - auth.refresh - Refresh access token (refresh-token strategy only)
+ * - auth.logout - Invalidate session/token (requires auth)
  * - auth.me - Get current user (optional auth)
  * - auth.updateProfile - Update profile (requires auth)
  */
@@ -14,13 +15,16 @@ import { z } from "zod";
 import {
   registerSchema,
   loginSchema,
+  refreshSchema,
   updateProfileSchema,
   authResponseSchema,
+  refreshResponseSchema,
   userSchema,
   logoutResponseSchema,
 } from "./auth.schemas";
 import { RegisterHandler } from "./handlers/register.handler";
 import { LoginHandler } from "./handlers/login.handler";
+import { RefreshHandler } from "./handlers/refresh.handler";
 import { LogoutHandler } from "./handlers/logout.handler";
 import { MeHandler } from "./handlers/me.handler";
 import { UpdateProfileHandler } from "./handlers/update-profile.handler";
@@ -40,6 +44,13 @@ export const authRouter = createRouter("auth")
     handle: LoginHandler,
   })
 
+  // Refresh token (for refresh-token strategy)
+  .route("refresh").typed({
+    input: refreshSchema,
+    output: refreshResponseSchema,
+    handle: RefreshHandler,
+  })
+
   // Optional auth - returns user if logged in, null otherwise
   .middleware.auth({ required: false })
   .route("me").typed({