@edium/halifax 2.1.0 → 2.2.0

package/dist/auth/AuthStrategy.d.ts

@@ -1,189 +1,6 @@
-import type { CrudAction, ResourceDefinition } from '../core/types.js';
-import type { HttpRequest } from '../core/types.js';
-/** Resolved user identity and access information returned by {@link AuthStrategy.authenticate}. */
-export interface AuthContext {
-    /** Unique identifier for the authenticated user. */
-    userId?: string;
-    /** Roles granted to the user (checked against `requiredPermissions`). */
-    roles?: string[];
-    /** Explicit permission strings granted to the user. */
-    permissions?: string[];
-    /** Raw claims from the token or session payload. */
-    claims?: Record<string, unknown>;
-    /** Always `true` for a successfully authenticated context. */
-    isAuthenticated: boolean;
-}
-/** Parameters passed to {@link AuthStrategy.authorize}. */
-export interface AuthorizeParams {
-    /** The resolved authentication context for the current request. */
-    auth: AuthContext;
-    /** The CRUD action being performed. */
-    action: CrudAction;
-    /** The resource being accessed. */
-    resource: ResourceDefinition;
-    /** Permissions required for this action on this resource. */
-    requiredPermissions: string[];
-    /** The incoming request. */
-    req: HttpRequest;
-}
-/** Contract for pluggable authentication and authorisation strategies. */
-export interface AuthStrategy {
-    /**
-     * Authenticate the request and return the caller's identity.
-     * @param req - The incoming HTTP request.
-     * @returns The resolved {@link AuthContext}, or a promise that resolves to one.
-     * @throws {@link AuthenticationError} when the request cannot be authenticated.
-     */
-    authenticate(req: HttpRequest): Promise<AuthContext> | AuthContext;
-    /**
-     * Determine whether the authenticated caller may perform `action`.
-     * @param params - Authorization context including the auth, action, resource, and required permissions.
-     * @returns `true` to allow, `false` to deny.
-     */
-    authorize?(params: AuthorizeParams): Promise<boolean> | boolean;
-}
-/** Passes every request through without any authentication checks. Useful for public APIs or testing. */
-export declare class AllowAllAuthStrategy implements AuthStrategy {
-    /**
-     * Always returns an authenticated context with no user details.
-     * @returns An {@link AuthContext} with `isAuthenticated: true`.
-     */
-    authenticate(): AuthContext;
-}
-/** Validates a static API key carried in a request header. */
-export declare class ApiKeyAuthStrategy implements AuthStrategy {
-    private readonly expectedApiKey;
-    private readonly headerName;
-    /**
-     * @param expectedApiKey - The secret key that callers must supply.
-     * @param headerName - Header to read the key from (default: `x-api-key`).
-     */
-    constructor(expectedApiKey: string, headerName?: string);
-    /**
-     * Checks the API key header and returns an authenticated context.
-     * @param req - The incoming HTTP request.
-     * @returns An {@link AuthContext} with `isAuthenticated: true`.
-     * @throws {@link AuthenticationError} when the key is absent (401).
-     * @throws {@link AuthorizationError} when the key is present but incorrect (403).
-     */
-    authenticate(req: HttpRequest): AuthContext;
-}
-/** Authenticates via a Bearer JWT and authorises using roles/permissions embedded in its claims. */
-export declare class JwtClaimsAuthStrategy implements AuthStrategy {
-    private readonly verifyToken;
-    /**
-     * @param verifyToken - Callback that verifies the JWT string and resolves to an {@link AuthContext}.
-     *   Throw to signal an invalid token.
-     */
-    constructor(verifyToken: (token: string, req: HttpRequest) => Promise<AuthContext> | AuthContext);
-    /**
-     * Extracts and verifies the Bearer token from the `Authorization` header.
-     * @param req - The incoming HTTP request.
-     * @returns The resolved {@link AuthContext} from the token verifier.
-     * @throws {@link AuthenticationError} when the token is missing or invalid.
-     */
-    authenticate(req: HttpRequest): Promise<AuthContext>;
-    /**
-     * Returns `true` when the auth context satisfies all required permissions.
-     * Checks both `permissions` and `roles` arrays against each required permission string.
-     * @param params - Authorization context including required permissions and the resolved auth.
-     * @returns `true` when all required permissions are satisfied, `false` otherwise.
-     */
-    authorize(params: AuthorizeParams): boolean;
-}
-/** Delegates authentication to a caller-provided Passport authenticate wrapper. */
-export declare class PassportAuthStrategy implements AuthStrategy {
-    private readonly authenticateWithPassport;
-    /**
-     * @param authenticateWithPassport - Function that calls your Passport strategy
-     *   and resolves to an {@link AuthContext}.
-     */
-    constructor(authenticateWithPassport: (req: HttpRequest) => Promise<AuthContext> | AuthContext);
-    /**
-     * Delegates to the provided Passport authenticate wrapper.
-     * @param req - The incoming HTTP request.
-     * @returns The {@link AuthContext} resolved by the wrapper.
-     */
-    authenticate(req: HttpRequest): Promise<AuthContext>;
-}
-/** Minimal structural interface for a Passport.js instance (avoids a hard dependency on `passport`). */
-export interface PassportLike {
-    /**
-     * Authenticates a request using the named strategy.
-     * @param strategy - Name of the registered Passport strategy.
-     * @param options - Authentication options (e.g. `{ session: false }`).
-     * @param callback - Called with the error or authenticated user on completion.
-     * @returns An Express-style middleware function that drives the authentication flow.
-     */
-    authenticate(strategy: string, options: {
-        session: boolean;
-    }, callback: (err: unknown, user: unknown) => void): (req: unknown, res: unknown, next: (err?: unknown) => void) => void;
-}
-/** Options for {@link PassportJwtStrategy}. */
-export interface PassportJwtStrategyOptions {
-    /** A Passport instance with a JWT strategy registered. */
-    passport: PassportLike;
-    /** Name of the Passport strategy to invoke (default: `'jwt'`). */
-    strategy?: string;
-    /** Maps the raw Passport user payload to an {@link AuthContext}. Defaults to reading `sub`/`id`, `roles`, and `permissions`. */
-    mapUser?: (user: unknown) => AuthContext;
-}
-/** Authenticates via Passport's JWT strategy, invoking it programmatically without Express middleware. */
-export declare class PassportJwtStrategy implements AuthStrategy {
-    private readonly passport;
-    private readonly strategy;
-    private readonly mapUser;
-    /** @param options - Passport instance, optional strategy name, and optional user mapper. */
-    constructor(options: PassportJwtStrategyOptions);
-    /**
-     * Runs the Passport JWT authenticate handler and resolves to an {@link AuthContext}.
-     * @param req - The incoming HTTP request (must carry a `raw` property for Passport to read).
-     * @returns The resolved {@link AuthContext}.
-     * @throws {@link AuthenticationError} when Passport rejects the token or returns no user.
-     */
-    authenticate(req: HttpRequest): Promise<AuthContext>;
-    /**
-     * Returns `true` when the auth context satisfies all required permissions.
-     * @param params - Authorization context including required permissions and the resolved auth.
-     * @returns `true` when all required permissions are satisfied, `false` otherwise.
-     */
-    authorize(params: AuthorizeParams): boolean;
-}
-/** Authenticates via Auth0-issued JWTs. Alias of {@link JwtClaimsAuthStrategy}. */
-export declare class Auth0JwtStrategy extends JwtClaimsAuthStrategy {
-}
-/** Authenticates via Firebase ID tokens. Alias of {@link JwtClaimsAuthStrategy}. */
-export declare class FirebaseJwtStrategy extends JwtClaimsAuthStrategy {
-}
-/**
- * Authenticates using Passport session cookies.
- *
- * Passport's session middleware must run before Halifax and populate `req.user`
- * automatically — this strategy simply reads that value and maps it to an
- * {@link AuthContext}. No passport instance is needed here.
- *
- * Prerequisites (add to your Express app before mounting Halifax):
- * ```ts
- * app.use(session({ ... }))
- * app.use(passport.initialize())
- * app.use(passport.session())
- * ```
- */
-export declare class PassportSessionStrategy implements AuthStrategy {
-    private readonly mapUser;
-    /** @param mapUser - Optional function to convert the raw session user to an {@link AuthContext}. */
-    constructor(mapUser?: (user: unknown) => AuthContext);
-    /**
-     * Reads `req.raw.user` (set by Passport session middleware) and maps it to an {@link AuthContext}.
-     * @param req - The incoming HTTP request whose `raw.user` property holds the session user.
-     * @returns The mapped {@link AuthContext}.
-     * @throws {@link AuthenticationError} when `req.raw.user` is absent (not authenticated).
-     */
-    authenticate(req: HttpRequest): AuthContext;
-    /**
-     * Returns `true` when the auth context satisfies all required permissions.
-     * @param params - Authorization context including required permissions and the resolved auth.
-     * @returns `true` when all required permissions are satisfied, `false` otherwise.
-     */
-    authorize(params: AuthorizeParams): boolean;
-}
+export type { AuthContext, AuthorizeParams, SecurityScheme, AuthStrategy } from './strategies/types.js';
+export { AllowAllAuthStrategy } from './strategies/AllowAllAuthStrategy.js';
+export { ApiKeyAuthStrategy } from './strategies/ApiKeyAuthStrategy.js';
+export { JwtClaimsAuthStrategy, Auth0JwtStrategy, FirebaseJwtStrategy } from './strategies/JwtClaimsAuthStrategy.js';
+export type { PassportLike, PassportJwtStrategyOptions } from './strategies/PassportStrategies.js';
+export { PassportAuthStrategy, PassportJwtStrategy, PassportSessionStrategy } from './strategies/PassportStrategies.js';

package/dist/auth/AuthStrategy.js

@@ -1,220 +1,4 @@
-import { AuthenticationError } from '../errors/AuthenticationError.js';
-import { AuthorizationError } from '../errors/AuthorizationError.js';
-/** Passes every request through without any authentication checks. Useful for public APIs or testing. */
-export class AllowAllAuthStrategy {
-    /**
-     * Always returns an authenticated context with no user details.
-     * @returns An {@link AuthContext} with `isAuthenticated: true`.
-     */
-    authenticate() {
-        return { isAuthenticated: true };
-    }
-}
-/** Validates a static API key carried in a request header. */
-export class ApiKeyAuthStrategy {
-    expectedApiKey;
-    headerName;
-    /**
-     * @param expectedApiKey - The secret key that callers must supply.
-     * @param headerName - Header to read the key from (default: `x-api-key`).
-     */
-    constructor(expectedApiKey, headerName = 'x-api-key') {
-        this.expectedApiKey = expectedApiKey;
-        this.headerName = headerName;
-    }
-    /**
-     * Checks the API key header and returns an authenticated context.
-     * @param req - The incoming HTTP request.
-     * @returns An {@link AuthContext} with `isAuthenticated: true`.
-     * @throws {@link AuthenticationError} when the key is absent (401).
-     * @throws {@link AuthorizationError} when the key is present but incorrect (403).
-     */
-    authenticate(req) {
-        const header = req.headers[this.headerName.toLowerCase()] ?? req.headers[this.headerName];
-        const apiKey = Array.isArray(header) ? header[0] : header;
-        if (!apiKey)
-            throw new AuthenticationError('Missing API key');
-        if (apiKey !== this.expectedApiKey)
-            throw new AuthorizationError('Invalid API key');
-        return { isAuthenticated: true };
-    }
-}
-/** Authenticates via a Bearer JWT and authorises using roles/permissions embedded in its claims. */
-export class JwtClaimsAuthStrategy {
-    verifyToken;
-    /**
-     * @param verifyToken - Callback that verifies the JWT string and resolves to an {@link AuthContext}.
-     *   Throw to signal an invalid token.
-     */
-    constructor(verifyToken) {
-        this.verifyToken = verifyToken;
-    }
-    /**
-     * Extracts and verifies the Bearer token from the `Authorization` header.
-     * @param req - The incoming HTTP request.
-     * @returns The resolved {@link AuthContext} from the token verifier.
-     * @throws {@link AuthenticationError} when the token is missing or invalid.
-     */
-    async authenticate(req) {
-        const header = req.headers.authorization ?? req.headers.Authorization;
-        const value = Array.isArray(header) ? header[0] : header;
-        const match = typeof value === 'string' ? value.match(/^Bearer\s+(.+)$/i) : null;
-        if (!match) {
-            throw new AuthenticationError('Missing bearer token');
-        }
-        return await this.verifyToken(match[1], req);
-    }
-    /**
-     * Returns `true` when the auth context satisfies all required permissions.
-     * Checks both `permissions` and `roles` arrays against each required permission string.
-     * @param params - Authorization context including required permissions and the resolved auth.
-     * @returns `true` when all required permissions are satisfied, `false` otherwise.
-     */
-    authorize(params) {
-        if (!params.requiredPermissions.length) {
-            return true;
-        }
-        const permissions = new Set(params.auth.permissions ?? []);
-        const roles = new Set(params.auth.roles ?? []);
-        return params.requiredPermissions.every((permission) => {
-            return permissions.has(permission) || roles.has(permission);
-        });
-    }
-}
-/** Delegates authentication to a caller-provided Passport authenticate wrapper. */
-export class PassportAuthStrategy {
-    authenticateWithPassport;
-    /**
-     * @param authenticateWithPassport - Function that calls your Passport strategy
-     *   and resolves to an {@link AuthContext}.
-     */
-    constructor(authenticateWithPassport) {
-        this.authenticateWithPassport = authenticateWithPassport;
-    }
-    /**
-     * Delegates to the provided Passport authenticate wrapper.
-     * @param req - The incoming HTTP request.
-     * @returns The {@link AuthContext} resolved by the wrapper.
-     */
-    async authenticate(req) {
-        return await this.authenticateWithPassport(req);
-    }
-}
-/**
- * Extracts `userId`, `roles`, `permissions`, and `claims` from a raw Passport user payload.
- * @param user - The raw user object returned by Passport (typically a decoded JWT payload).
- * @returns A fully populated {@link AuthContext}.
- */
-function defaultMapUser(user) {
-    const p = (user ?? {});
-    const userId = typeof p.sub === 'string' ? p.sub : typeof p.id === 'string' ? p.id : undefined;
-    const ctx = {
-        isAuthenticated: true,
-        roles: Array.isArray(p.roles) ? p.roles : [],
-        permissions: Array.isArray(p.permissions) ? p.permissions : [],
-        claims: p
-    };
-    if (userId !== undefined)
-        ctx.userId = userId;
-    return ctx;
-}
-/** Authenticates via Passport's JWT strategy, invoking it programmatically without Express middleware. */
-export class PassportJwtStrategy {
-    passport;
-    strategy;
-    mapUser;
-    /** @param options - Passport instance, optional strategy name, and optional user mapper. */
-    constructor(options) {
-        this.passport = options.passport;
-        this.strategy = options.strategy ?? 'jwt';
-        this.mapUser = options.mapUser ?? defaultMapUser;
-    }
-    /**
-     * Runs the Passport JWT authenticate handler and resolves to an {@link AuthContext}.
-     * @param req - The incoming HTTP request (must carry a `raw` property for Passport to read).
-     * @returns The resolved {@link AuthContext}.
-     * @throws {@link AuthenticationError} when Passport rejects the token or returns no user.
-     */
-    async authenticate(req) {
-        return new Promise((resolve, reject) => {
-            const handler = this.passport.authenticate(this.strategy, { session: false }, (err, user) => {
-                if (err) {
-                    reject(err instanceof Error ? err : new AuthenticationError(String(err)));
-                    return;
-                }
-                if (!user) {
-                    reject(new AuthenticationError('Unauthorized'));
-                    return;
-                }
-                resolve(this.mapUser(user));
-            });
-            handler(req.raw, {}, (err) => {
-                if (err)
-                    reject(err instanceof Error ? err : new AuthenticationError(String(err)));
-            });
-        });
-    }
-    /**
-     * Returns `true` when the auth context satisfies all required permissions.
-     * @param params - Authorization context including required permissions and the resolved auth.
-     * @returns `true` when all required permissions are satisfied, `false` otherwise.
-     */
-    authorize(params) {
-        if (!params.requiredPermissions.length)
-            return true;
-        const permissions = new Set(params.auth.permissions ?? []);
-        const roles = new Set(params.auth.roles ?? []);
-        return params.requiredPermissions.every((p) => permissions.has(p) || roles.has(p));
-    }
-}
-/** Authenticates via Auth0-issued JWTs. Alias of {@link JwtClaimsAuthStrategy}. */
-export class Auth0JwtStrategy extends JwtClaimsAuthStrategy {
-}
-/** Authenticates via Firebase ID tokens. Alias of {@link JwtClaimsAuthStrategy}. */
-export class FirebaseJwtStrategy extends JwtClaimsAuthStrategy {
-}
-/**
- * Authenticates using Passport session cookies.
- *
- * Passport's session middleware must run before Halifax and populate `req.user`
- * automatically — this strategy simply reads that value and maps it to an
- * {@link AuthContext}. No passport instance is needed here.
- *
- * Prerequisites (add to your Express app before mounting Halifax):
- * ```ts
- * app.use(session({ ... }))
- * app.use(passport.initialize())
- * app.use(passport.session())
- * ```
- */
-export class PassportSessionStrategy {
-    mapUser;
-    /** @param mapUser - Optional function to convert the raw session user to an {@link AuthContext}. */
-    constructor(mapUser) {
-        this.mapUser = mapUser ?? defaultMapUser;
-    }
-    /**
-     * Reads `req.raw.user` (set by Passport session middleware) and maps it to an {@link AuthContext}.
-     * @param req - The incoming HTTP request whose `raw.user` property holds the session user.
-     * @returns The mapped {@link AuthContext}.
-     * @throws {@link AuthenticationError} when `req.raw.user` is absent (not authenticated).
-     */
-    authenticate(req) {
-        const user = req.raw != null ? req.raw['user'] : undefined;
-        if (!user)
-            throw new AuthenticationError('Not authenticated');
-        return this.mapUser(user);
-    }
-    /**
-     * Returns `true` when the auth context satisfies all required permissions.
-     * @param params - Authorization context including required permissions and the resolved auth.
-     * @returns `true` when all required permissions are satisfied, `false` otherwise.
-     */
-    authorize(params) {
-        if (!params.requiredPermissions.length)
-            return true;
-        const permissions = new Set(params.auth.permissions ?? []);
-        const roles = new Set(params.auth.roles ?? []);
-        return params.requiredPermissions.every((p) => permissions.has(p) || roles.has(p));
-    }
-}
+export { AllowAllAuthStrategy } from './strategies/AllowAllAuthStrategy.js';
+export { ApiKeyAuthStrategy } from './strategies/ApiKeyAuthStrategy.js';
+export { JwtClaimsAuthStrategy, Auth0JwtStrategy, FirebaseJwtStrategy } from './strategies/JwtClaimsAuthStrategy.js';
+export { PassportAuthStrategy, PassportJwtStrategy, PassportSessionStrategy } from './strategies/PassportStrategies.js';

package/dist/auth/strategies/AllowAllAuthStrategy.d.ts

@@ -0,0 +1,6 @@
+import type { HttpRequest } from '../../core/types.js';
+import type { AuthContext, AuthStrategy } from './types.js';
+/** Passes every request through without any authentication checks. Useful for public APIs or testing. */
+export declare class AllowAllAuthStrategy implements AuthStrategy {
+    authenticate(_req: HttpRequest): AuthContext;
+}

package/dist/auth/strategies/AllowAllAuthStrategy.js

@@ -0,0 +1,6 @@
+/** Passes every request through without any authentication checks. Useful for public APIs or testing. */
+export class AllowAllAuthStrategy {
+    authenticate(_req) {
+        return { isAuthenticated: true };
+    }
+}

package/dist/auth/strategies/ApiKeyAuthStrategy.d.ts

@@ -0,0 +1,25 @@
+import type { HttpRequest } from '../../core/types.js';
+import type { AuthContext, AuthStrategy, SecurityScheme } from './types.js';
+/** Validates a static API key carried in a request header. */
+export declare class ApiKeyAuthStrategy implements AuthStrategy {
+    private readonly expectedApiKey;
+    private readonly headerName;
+    private readonly roles;
+    /**
+     * @param expectedApiKey - The secret key that callers must supply.
+     * @param headerName - Header to read the key from (default: `x-api-key`).
+     * @param roles - Roles to attach to every successfully authenticated context.
+     *   Use this when resources define per-field `readRoles`/`writeRoles` and
+     *   all valid API key holders should carry a known set of roles.
+     */
+    constructor(expectedApiKey: string, headerName?: string, roles?: string[]);
+    /**
+     * Checks the API key header and returns an authenticated context.
+     * @param req - The incoming HTTP request.
+     * @returns An {@link AuthContext} with `isAuthenticated: true`.
+     * @throws {@link AuthenticationError} when the key is absent (401).
+     * @throws {@link AuthorizationError} when the key is present but incorrect (403).
+     */
+    authenticate(req: HttpRequest): AuthContext;
+    openApiScheme(): SecurityScheme;
+}

package/dist/auth/strategies/ApiKeyAuthStrategy.js

@@ -0,0 +1,39 @@
+import { AuthenticationError } from '../../errors/AuthenticationError.js';
+import { AuthorizationError } from '../../errors/AuthorizationError.js';
+/** Validates a static API key carried in a request header. */
+export class ApiKeyAuthStrategy {
+    expectedApiKey;
+    headerName;
+    roles;
+    /**
+     * @param expectedApiKey - The secret key that callers must supply.
+     * @param headerName - Header to read the key from (default: `x-api-key`).
+     * @param roles - Roles to attach to every successfully authenticated context.
+     *   Use this when resources define per-field `readRoles`/`writeRoles` and
+     *   all valid API key holders should carry a known set of roles.
+     */
+    constructor(expectedApiKey, headerName = 'x-api-key', roles = []) {
+        this.expectedApiKey = expectedApiKey;
+        this.headerName = headerName;
+        this.roles = roles;
+    }
+    /**
+     * Checks the API key header and returns an authenticated context.
+     * @param req - The incoming HTTP request.
+     * @returns An {@link AuthContext} with `isAuthenticated: true`.
+     * @throws {@link AuthenticationError} when the key is absent (401).
+     * @throws {@link AuthorizationError} when the key is present but incorrect (403).
+     */
+    authenticate(req) {
+        const header = req.headers[this.headerName.toLowerCase()] ?? req.headers[this.headerName];
+        const apiKey = Array.isArray(header) ? header[0] : header;
+        if (!apiKey)
+            throw new AuthenticationError('Missing API key');
+        if (apiKey !== this.expectedApiKey)
+            throw new AuthorizationError('Invalid API key');
+        return { isAuthenticated: true, roles: this.roles };
+    }
+    openApiScheme() {
+        return { type: 'apiKey', in: 'header', name: this.headerName };
+    }
+}

package/dist/auth/strategies/JwtClaimsAuthStrategy.d.ts

@@ -0,0 +1,32 @@
+import type { HttpRequest } from '../../core/types.js';
+import type { AuthContext, AuthorizeParams, AuthStrategy, SecurityScheme } from './types.js';
+/** Authenticates via a Bearer JWT and authorises using roles/permissions embedded in its claims. */
+export declare class JwtClaimsAuthStrategy implements AuthStrategy {
+    private readonly verifyToken;
+    /**
+     * @param verifyToken - Callback that verifies the JWT string and resolves to an {@link AuthContext}.
+     *   Throw to signal an invalid token.
+     */
+    constructor(verifyToken: (token: string, req: HttpRequest) => Promise<AuthContext> | AuthContext);
+    /**
+     * Extracts and verifies the Bearer token from the `Authorization` header.
+     * @param req - The incoming HTTP request.
+     * @returns The resolved {@link AuthContext} from the token verifier.
+     * @throws {@link AuthenticationError} when the token is missing or invalid.
+     */
+    authenticate(req: HttpRequest): Promise<AuthContext>;
+    /**
+     * Returns `true` when the auth context satisfies all required permissions.
+     * Checks both `permissions` and `roles` arrays against each required permission string.
+     * @param params - Authorization context including required permissions and the resolved auth.
+     * @returns `true` when all required permissions are satisfied, `false` otherwise.
+     */
+    authorize(params: AuthorizeParams): boolean;
+    openApiScheme(): SecurityScheme;
+}
+/** Authenticates via Auth0-issued JWTs. Alias of {@link JwtClaimsAuthStrategy}. */
+export declare class Auth0JwtStrategy extends JwtClaimsAuthStrategy {
+}
+/** Authenticates via Firebase ID tokens. Alias of {@link JwtClaimsAuthStrategy}. */
+export declare class FirebaseJwtStrategy extends JwtClaimsAuthStrategy {
+}

package/dist/auth/strategies/JwtClaimsAuthStrategy.js

@@ -0,0 +1,52 @@
+import { AuthenticationError } from '../../errors/AuthenticationError.js';
+/** Authenticates via a Bearer JWT and authorises using roles/permissions embedded in its claims. */
+export class JwtClaimsAuthStrategy {
+    verifyToken;
+    /**
+     * @param verifyToken - Callback that verifies the JWT string and resolves to an {@link AuthContext}.
+     *   Throw to signal an invalid token.
+     */
+    constructor(verifyToken) {
+        this.verifyToken = verifyToken;
+    }
+    /**
+     * Extracts and verifies the Bearer token from the `Authorization` header.
+     * @param req - The incoming HTTP request.
+     * @returns The resolved {@link AuthContext} from the token verifier.
+     * @throws {@link AuthenticationError} when the token is missing or invalid.
+     */
+    async authenticate(req) {
+        const header = req.headers.authorization ?? req.headers.Authorization;
+        const value = Array.isArray(header) ? header[0] : header;
+        const match = typeof value === 'string' ? value.match(/^Bearer\s+(.+)$/i) : null;
+        if (!match) {
+            throw new AuthenticationError('Missing bearer token');
+        }
+        return await this.verifyToken(match[1], req);
+    }
+    /**
+     * Returns `true` when the auth context satisfies all required permissions.
+     * Checks both `permissions` and `roles` arrays against each required permission string.
+     * @param params - Authorization context including required permissions and the resolved auth.
+     * @returns `true` when all required permissions are satisfied, `false` otherwise.
+     */
+    authorize(params) {
+        if (!params.requiredPermissions.length) {
+            return true;
+        }
+        const permissions = new Set(params.auth.permissions ?? []);
+        const roles = new Set(params.auth.roles ?? []);
+        return params.requiredPermissions.every((permission) => {
+            return permissions.has(permission) || roles.has(permission);
+        });
+    }
+    openApiScheme() {
+        return { type: 'http', scheme: 'bearer', bearerFormat: 'JWT' };
+    }
+}
+/** Authenticates via Auth0-issued JWTs. Alias of {@link JwtClaimsAuthStrategy}. */
+export class Auth0JwtStrategy extends JwtClaimsAuthStrategy {
+}
+/** Authenticates via Firebase ID tokens. Alias of {@link JwtClaimsAuthStrategy}. */
+export class FirebaseJwtStrategy extends JwtClaimsAuthStrategy {
+}