@engjts/nexus 0.1.0

package/dist/security/auth/jwt.js

@@ -0,0 +1,198 @@
+"use strict";
+/**
+ * JWT Authentication Adapter
+ *
+ * Implements JWT-based authentication
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWTAuthAdapter = void 0;
+/**
+ * Simple JWT implementation (in production, use a library like jsonwebtoken)
+ * This is a basic implementation for demonstration
+ */
+class JWTAuthAdapter {
+    /**
+     * Verify JWT token and extract user
+     */
+    async verify(ctx, config) {
+        const token = this.extractToken(ctx, config);
+        if (!token) {
+            return null;
+        }
+        try {
+            const payload = this.decodeToken(token, config.secret);
+            // Check expiration
+            if (payload.exp && payload.exp < Date.now() / 1000) {
+                return null;
+            }
+            // Extract user from payload
+            // Destructure known fields and spread the rest to preserve custom fields like 'type'
+            const { sub, id, email, username, roles, permissions, user: nestedUser, iat, exp, ...rest } = payload;
+            const user = {
+                id: sub || id,
+                email,
+                username,
+                roles,
+                permissions,
+                ...nestedUser, // Spread nested user object if exists
+                ...rest // Spread remaining custom fields (e.g., type)
+            };
+            return user;
+        }
+        catch (error) {
+            return null;
+        }
+    }
+    /**
+     * Generate JWT token for user
+     */
+    async generateToken(user, config) {
+        const payload = {
+            sub: user.id,
+            email: user.email,
+            username: user.username,
+            roles: user.roles,
+            permissions: user.permissions,
+            iat: Math.floor(Date.now() / 1000)
+        };
+        // Add expiration
+        if (config.expiresIn) {
+            const expiresIn = typeof config.expiresIn === 'string'
+                ? this.parseExpiration(config.expiresIn)
+                : config.expiresIn;
+            payload.exp = payload.iat + expiresIn;
+        }
+        return this.encodeToken(payload, config.secret);
+    }
+    /**
+     * Refresh JWT token (placeholder for future implementation)
+     */
+    async refreshToken(token, config) {
+        if (!config.refresh?.enabled) {
+            return null;
+        }
+        try {
+            const payload = this.decodeToken(token, config.secret);
+            // Re-generate with new exp
+            const newPayload = {
+                ...payload,
+                iat: Math.floor(Date.now() / 1000)
+            };
+            if (config.refresh.expiresIn) {
+                const expiresIn = typeof config.refresh.expiresIn === 'string'
+                    ? this.parseExpiration(config.refresh.expiresIn)
+                    : config.refresh.expiresIn;
+                newPayload.exp = newPayload.iat + expiresIn;
+            }
+            return this.encodeToken(newPayload, config.secret);
+        }
+        catch (error) {
+            return null;
+        }
+    }
+    /**
+     * Extract token from request
+     */
+    extractToken(ctx, config) {
+        // Use custom extractor if provided
+        if (config.getToken) {
+            return config.getToken(ctx);
+        }
+        // Try Authorization header
+        const authHeader = ctx.headers['authorization'] || ctx.headers['Authorization'];
+        if (authHeader) {
+            const headerValue = Array.isArray(authHeader) ? authHeader[0] : authHeader;
+            if (headerValue?.startsWith('Bearer ')) {
+                return headerValue.substring(7);
+            }
+        }
+        // Try cookie
+        const cookieHeader = ctx.headers['cookie'] || ctx.headers['Cookie'];
+        if (cookieHeader) {
+            const cookieValue = Array.isArray(cookieHeader) ? cookieHeader[0] : cookieHeader;
+            if (cookieValue) {
+                const match = cookieValue.match(/token=([^;]+)/);
+                if (match) {
+                    return match[1];
+                }
+            }
+        }
+        return null;
+    }
+    /**
+     * Encode JWT token (simplified HMAC-SHA256)
+     */
+    encodeToken(payload, secret) {
+        const header = { alg: 'HS256', typ: 'JWT' };
+        const encodedHeader = this.base64UrlEncode(JSON.stringify(header));
+        const encodedPayload = this.base64UrlEncode(JSON.stringify(payload));
+        const signature = this.sign(`${encodedHeader}.${encodedPayload}`, secret);
+        return `${encodedHeader}.${encodedPayload}.${signature}`;
+    }
+    /**
+     * Decode and verify JWT token
+     */
+    decodeToken(token, secret) {
+        const parts = token.split('.');
+        if (parts.length !== 3) {
+            throw new Error('Invalid token format');
+        }
+        const [encodedHeader, encodedPayload, signature] = parts;
+        // Verify signature
+        const expectedSignature = this.sign(`${encodedHeader}.${encodedPayload}`, secret);
+        if (signature !== expectedSignature) {
+            throw new Error('Invalid signature');
+        }
+        // Decode payload
+        const payload = JSON.parse(this.base64UrlDecode(encodedPayload));
+        return payload;
+    }
+    /**
+     * Base64 URL encode
+     */
+    base64UrlEncode(str) {
+        const base64 = Buffer.from(str).toString('base64');
+        return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+    }
+    /**
+     * Base64 URL decode
+     */
+    base64UrlDecode(str) {
+        let base64 = str.replace(/-/g, '+').replace(/_/g, '/');
+        // Add padding
+        while (base64.length % 4) {
+            base64 += '=';
+        }
+        return Buffer.from(base64, 'base64').toString('utf-8');
+    }
+    /**
+     * Sign data with HMAC-SHA256
+     */
+    sign(data, secret) {
+        const crypto = require('crypto');
+        const hmac = crypto.createHmac('sha256', secret);
+        hmac.update(data);
+        const signature = hmac.digest('base64');
+        return signature.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+    }
+    /**
+     * Parse expiration string to seconds
+     */
+    parseExpiration(exp) {
+        const match = exp.match(/^(\d+)([smhd])$/);
+        if (!match) {
+            throw new Error('Invalid expiration format');
+        }
+        const value = parseInt(match[1]);
+        const unit = match[2];
+        const multipliers = {
+            s: 1,
+            m: 60,
+            h: 3600,
+            d: 86400
+        };
+        return value * multipliers[unit];
+    }
+}
+exports.JWTAuthAdapter = JWTAuthAdapter;
+//# sourceMappingURL=jwt.js.map

package/dist/security/auth/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../../../src/security/auth/jwt.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAMH;;;GAGG;AACH,MAAa,cAAc;IACvB;;OAEG;IACH,KAAK,CAAC,MAAM,CAAC,GAAY,EAAE,MAAiB;QACxC,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAE7C,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,IAAI,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YAEvD,mBAAmB;YACnB,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;gBACjD,OAAO,IAAI,CAAC;YAChB,CAAC;YAED,4BAA4B;YAC5B,qFAAqF;YACrF,MAAM,EAAE,GAAG,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,GAAG,OAAO,CAAC;YAEtG,MAAM,IAAI,GAAS;gBACf,EAAE,EAAE,GAAG,IAAI,EAAE;gBACb,KAAK;gBACL,QAAQ;gBACR,KAAK;gBACL,WAAW;gBACX,GAAG,UAAU,EAAG,sCAAsC;gBACtD,GAAG,IAAI,CAAS,8CAA8C;aACjE,CAAC;YAEF,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,IAAU,EAAE,MAAiB;QAC7C,MAAM,OAAO,GAAQ;YACjB,GAAG,EAAE,IAAI,CAAC,EAAE;YACZ,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;SACrC,CAAC;QAEF,iBAAiB;QACjB,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACnB,MAAM,SAAS,GAAG,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;gBAClD,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC;gBACxC,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC;YACvB,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;QAC1C,CAAC;QAED,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACpD,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CAAC,KAAa,EAAE,MAAiB;QAC/C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,IAAI,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;YAEvD,2BAA2B;YAC3B,MAAM,UAAU,GAAG;gBACf,GAAG,OAAO;gBACV,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;aACrC,CAAC;YAEF,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,CAAC;gBAC3B,MAAM,SAAS,GAAG,OAAO,MAAM,CAAC,OAAO,CAAC,SAAS,KAAK,QAAQ;oBAC1D,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC;oBAChD,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC;gBAC/B,UAAU,CAAC,GAAG,GAAG,UAAU,CAAC,GAAG,GAAG,SAAS,CAAC;YAChD,CAAC;YAED,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QACvD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,GAAY,EAAE,MAAiB;QAChD,mCAAmC;QACnC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YAClB,OAAO,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;QAED,2BAA2B;QAC3B,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAChF,IAAI,UAAU,EAAE,CAAC;YACb,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;YAC3E,IAAI,WAAW,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACrC,OAAO,WAAW,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YACpC,CAAC;QACL,CAAC;QAED,aAAa;QACb,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACpE,IAAI,YAAY,EAAE,CAAC;YACf,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;YACjF,IAAI,WAAW,EAAE,CAAC;gBACd,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;gBACjD,IAAI,KAAK,EAAE,CAAC;oBACR,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;gBACpB,CAAC;YACL,CAAC;QACL,CAAC;QAED,OAAO,IAAI,CAAC;IAChB,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,OAAY,EAAE,MAAc;QAC5C,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;QAE5C,MAAM,aAAa,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;QACnE,MAAM,cAAc,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;QAErE,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,EAAE,MAAM,CAAC,CAAC;QAE1E,OAAO,GAAG,aAAa,IAAI,cAAc,IAAI,SAAS,EAAE,CAAC;IAC7D,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,KAAa,EAAE,MAAc;QAC7C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAE/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC5C,CAAC;QAED,MAAM,CAAC,aAAa,EAAE,cAAc,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAEzD,mBAAmB;QACnB,MAAM,iBAAiB,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,aAAa,IAAI,cAAc,EAAE,EAAE,MAAM,CAAC,CAAC;QAClF,IAAI,SAAS,KAAK,iBAAiB,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACzC,CAAC;QAED,iBAAiB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC,CAAC;QAEjE,OAAO,OAAO,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,GAAW;QAC/B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,GAAW;QAC/B,IAAI,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAEvD,cAAc;QACd,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,GAAG,CAAC;QAClB,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC3D,CAAC;IAED;;OAEG;IACK,IAAI,CAAC,IAAY,EAAE,MAAc;QACrC,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QACjD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAClB,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACxC,OAAO,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,GAAW;QAC/B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAE3C,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QACjD,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,MAAM,WAAW,GAA2B;YACxC,CAAC,EAAE,CAAC;YACJ,CAAC,EAAE,EAAE;YACL,CAAC,EAAE,IAAI;YACP,CAAC,EAAE,KAAK;SACX,CAAC;QAEF,OAAO,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IACrC,CAAC;CACJ;AA3ND,wCA2NC"}

package/dist/security/auth/middleware.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Authentication Middleware
+ *
+ * Provides authentication and authorization middleware
+ */
+import type { Context, Middleware } from '../../core/types';
+import type { AuthContext, AuthStrategies } from '../types';
+import type { PermissionAdapter } from '../adapter';
+/**
+ * Authentication middleware factory
+ *
+ * @example
+ * ```ts
+ * // JWT authentication
+ * app.use(authenticate({
+ *   jwt: {
+ *     secret: process.env.JWT_SECRET,
+ *     expiresIn: '15m'
+ *   }
+ * }));
+ *
+ * // Optional authentication
+ * app.use(authenticate({ jwt: config }, { required: false }));
+ * ```
+ */
+export declare function authenticate(strategies: AuthStrategies, options?: {
+    required?: boolean;
+    strategies?: ('jwt' | 'oauth' | 'session')[];
+}): Middleware<Context, AuthContext>;
+/**
+ * Optional authentication - doesn't throw if no auth provided
+ */
+export declare function optionalAuth(strategies: AuthStrategies): Middleware<Context, Partial<AuthContext>>;
+/**
+ * Require authentication - throws 401 if not authenticated
+ */
+export declare function requireAuth(strategies: AuthStrategies): Middleware<Context, AuthContext>;
+/**
+ * Permission-based authorization middleware
+ *
+ * @example
+ * ```ts
+ * app.post('/admin/users',
+ *   authenticate({ jwt: config }),
+ *   requirePermissions(['admin', 'write:users']),
+ *   handler
+ * );
+ * ```
+ */
+export declare function requirePermissions(permissions: string[], adapter?: PermissionAdapter): Middleware<AuthContext, AuthContext>;
+/**
+ * Role-based authorization middleware
+ *
+ * @example
+ * ```ts
+ * app.get('/admin/*',
+ *   authenticate({ jwt: config }),
+ *   requireRoles(['admin']),
+ *   handler
+ * );
+ * ```
+ */
+export declare function requireRoles(roles: string[], adapter?: PermissionAdapter): Middleware<AuthContext, AuthContext>;
+//# sourceMappingURL=middleware.d.ts.map

package/dist/security/auth/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/security/auth/middleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAQ,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAClE,OAAO,KAAK,EAAQ,WAAW,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAClE,OAAO,KAAK,EAAe,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAIjE;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,YAAY,CACxB,UAAU,EAAE,cAAc,EAC1B,OAAO,GAAE;IACL,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,UAAU,CAAC,EAAE,CAAC,KAAK,GAAG,OAAO,GAAG,SAAS,CAAC,EAAE,CAAC;CAC3C,GACP,UAAU,CAAC,OAAO,EAAE,WAAW,CAAC,CAgDlC;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,UAAU,EAAE,cAAc,GAAG,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,CAAC,CAElG;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,UAAU,EAAE,cAAc,GAAG,UAAU,CAAC,OAAO,EAAE,WAAW,CAAC,CAExF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAC9B,WAAW,EAAE,MAAM,EAAE,EACrB,OAAO,CAAC,EAAE,iBAAiB,GAC5B,UAAU,CAAC,WAAW,EAAE,WAAW,CAAC,CA4BtC;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,YAAY,CACxB,KAAK,EAAE,MAAM,EAAE,EACf,OAAO,CAAC,EAAE,iBAAiB,GAC5B,UAAU,CAAC,WAAW,EAAE,WAAW,CAAC,CA4BtC"}

package/dist/security/auth/middleware.js

@@ -0,0 +1,161 @@
+"use strict";
+/**
+ * Authentication Middleware
+ *
+ * Provides authentication and authorization middleware
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authenticate = authenticate;
+exports.optionalAuth = optionalAuth;
+exports.requireAuth = requireAuth;
+exports.requirePermissions = requirePermissions;
+exports.requireRoles = requireRoles;
+const adapter_1 = require("../adapter");
+const jwt_1 = require("./jwt");
+/**
+ * Authentication middleware factory
+ *
+ * @example
+ * ```ts
+ * // JWT authentication
+ * app.use(authenticate({
+ *   jwt: {
+ *     secret: process.env.JWT_SECRET,
+ *     expiresIn: '15m'
+ *   }
+ * }));
+ *
+ * // Optional authentication
+ * app.use(authenticate({ jwt: config }, { required: false }));
+ * ```
+ */
+function authenticate(strategies, options = {}) {
+    const adapters = new Map();
+    const required = options.required !== false;
+    const strategyOrder = options.strategies || ['jwt', 'oauth', 'session'];
+    // Initialize adapters
+    if (strategies.jwt) {
+        adapters.set('jwt', new jwt_1.JWTAuthAdapter());
+    }
+    // OAuth and Session will be added in future
+    // if (strategies.oauth) adapters.set('oauth', new OAuthAdapter());
+    // if (strategies.session) adapters.set('session', new SessionAdapter());
+    return (async (ctx, next, _deps) => {
+        let user = null;
+        // Try each strategy in order
+        for (const strategyName of strategyOrder) {
+            const adapter = adapters.get(strategyName);
+            const config = strategies[strategyName];
+            if (adapter && config) {
+                try {
+                    user = await adapter.verify(ctx, config);
+                    if (user) {
+                        break;
+                    }
+                }
+                catch (error) {
+                    // Try next strategy
+                    continue;
+                }
+            }
+        }
+        // If no user found and auth is required
+        if (!user && required) {
+            return {
+                statusCode: 401,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ error: 'Unauthorized' })
+            };
+        }
+        // Attach user to context
+        ctx.user = user;
+        return next(ctx);
+    });
+}
+/**
+ * Optional authentication - doesn't throw if no auth provided
+ */
+function optionalAuth(strategies) {
+    return authenticate(strategies, { required: false });
+}
+/**
+ * Require authentication - throws 401 if not authenticated
+ */
+function requireAuth(strategies) {
+    return authenticate(strategies, { required: true });
+}
+/**
+ * Permission-based authorization middleware
+ *
+ * @example
+ * ```ts
+ * app.post('/admin/users',
+ *   authenticate({ jwt: config }),
+ *   requirePermissions(['admin', 'write:users']),
+ *   handler
+ * );
+ * ```
+ */
+function requirePermissions(permissions, adapter) {
+    const permissionChecker = adapter || new adapter_1.DefaultPermissionAdapter();
+    return (async (ctx, next, _deps) => {
+        if (!ctx.user) {
+            return {
+                statusCode: 401,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ error: 'Unauthorized' })
+            };
+        }
+        const result = permissionChecker.checkPermissions(ctx.user, permissions);
+        if (!result.allowed) {
+            return {
+                statusCode: 403,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    error: 'Forbidden',
+                    message: 'Insufficient permissions',
+                    missing: result.missing
+                })
+            };
+        }
+        return next(ctx);
+    });
+}
+/**
+ * Role-based authorization middleware
+ *
+ * @example
+ * ```ts
+ * app.get('/admin/*',
+ *   authenticate({ jwt: config }),
+ *   requireRoles(['admin']),
+ *   handler
+ * );
+ * ```
+ */
+function requireRoles(roles, adapter) {
+    const permissionChecker = adapter || new adapter_1.DefaultPermissionAdapter();
+    return (async (ctx, next, _deps) => {
+        if (!ctx.user) {
+            return {
+                statusCode: 401,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ error: 'Unauthorized' })
+            };
+        }
+        const hasRole = permissionChecker.checkRoles(ctx.user, roles);
+        if (!hasRole) {
+            return {
+                statusCode: 403,
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                    error: 'Forbidden',
+                    message: 'Insufficient roles',
+                    required: roles
+                })
+            };
+        }
+        return next(ctx);
+    });
+}
+//# sourceMappingURL=middleware.js.map

package/dist/security/auth/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../../src/security/auth/middleware.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;AAyBH,oCAsDC;AAKD,oCAEC;AAKD,kCAEC;AAcD,gDA+BC;AAcD,oCA+BC;AAlLD,wCAAsD;AACtD,+BAAuC;AAEvC;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,YAAY,CACxB,UAA0B,EAC1B,UAGI,EAAE;IAEN,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAuB,CAAC;IAChD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAC;IAC5C,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,IAAI,CAAC,KAAK,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;IAExE,sBAAsB;IACtB,IAAI,UAAU,CAAC,GAAG,EAAE,CAAC;QACjB,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,oBAAc,EAAE,CAAC,CAAC;IAC9C,CAAC;IACD,4CAA4C;IAC5C,mEAAmE;IACnE,yEAAyE;IAEzE,OAAO,CAAC,KAAK,EAAE,GAAY,EAAE,IAAU,EAAE,KAAU,EAAE,EAAE;QACnD,IAAI,IAAI,GAAgB,IAAI,CAAC;QAE7B,6BAA6B;QAC7B,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;YAC3C,MAAM,MAAM,GAAI,UAAkB,CAAC,YAAY,CAAC,CAAC;YAEjD,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;gBACpB,IAAI,CAAC;oBACD,IAAI,GAAG,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;oBACzC,IAAI,IAAI,EAAE,CAAC;wBACP,MAAM;oBACV,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACb,oBAAoB;oBACpB,SAAS;gBACb,CAAC;YACL,CAAC;QACL,CAAC;QAED,wCAAwC;QACxC,IAAI,CAAC,IAAI,IAAI,QAAQ,EAAE,CAAC;YACpB,OAAO;gBACH,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;aAClD,CAAC;QACN,CAAC;QAED,yBAAyB;QACxB,GAA8B,CAAC,IAAI,GAAG,IAAK,CAAC;QAE7C,OAAO,IAAI,CAAC,GAA6B,CAAC,CAAC;IAC/C,CAAC,CAAqC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAgB,YAAY,CAAC,UAA0B;IACnD,OAAO,YAAY,CAAC,UAAU,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAQ,CAAC;AAChE,CAAC;AAED;;GAEG;AACH,SAAgB,WAAW,CAAC,UAA0B;IAClD,OAAO,YAAY,CAAC,UAAU,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,kBAAkB,CAC9B,WAAqB,EACrB,OAA2B;IAE3B,MAAM,iBAAiB,GAAG,OAAO,IAAI,IAAI,kCAAwB,EAAE,CAAC;IAEpE,OAAO,CAAC,KAAK,EAAE,GAAgB,EAAE,IAAU,EAAE,KAAU,EAAE,EAAE;QACvD,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACZ,OAAO;gBACH,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;aAClD,CAAC;QACN,CAAC;QAED,MAAM,MAAM,GAAG,iBAAiB,CAAC,gBAAgB,CAAC,GAAG,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QAEzE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO;gBACH,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACjB,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,0BAA0B;oBACnC,OAAO,EAAE,MAAM,CAAC,OAAO;iBAC1B,CAAC;aACL,CAAC;QACN,CAAC;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC,CAAyC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,YAAY,CACxB,KAAe,EACf,OAA2B;IAE3B,MAAM,iBAAiB,GAAG,OAAO,IAAI,IAAI,kCAAwB,EAAE,CAAC;IAEpE,OAAO,CAAC,KAAK,EAAE,GAAgB,EAAE,IAAU,EAAE,KAAU,EAAE,EAAE;QACvD,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACZ,OAAO;gBACH,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;aAClD,CAAC;QACN,CAAC;QAED,MAAM,OAAO,GAAG,iBAAiB,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAE9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,OAAO;gBACH,UAAU,EAAE,GAAG;gBACf,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;gBAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACjB,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,oBAAoB;oBAC7B,QAAQ,EAAE,KAAK;iBAClB,CAAC;aACL,CAAC;QACN,CAAC;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC,CAAyC,CAAC;AAC/C,CAAC"}

package/dist/security/csrf.d.ts

@@ -0,0 +1,41 @@
+/**
+ * CSRF Protection Middleware
+ *
+ * Implements Cross-Site Request Forgery protection
+ */
+import type { Middleware } from '../core/types';
+import type { CSRFConfig } from './types';
+import type { CSRFAdapter } from './adapter';
+/**
+ * CSRF protection middleware
+ *
+ * @example
+ * ```ts
+ * app.use(csrf({
+ *   cookie: { sameSite: 'strict' },
+ *   excludeRoutes: ['/api/webhook/*']
+ * }));
+ * ```
+ */
+export declare function csrf(config?: CSRFConfig, adapter?: CSRFAdapter): Middleware;
+/**
+ * Generate CSRF token middleware
+ * Attaches token to context and sets cookie
+ *
+ * @example
+ * ```ts
+ * app.use(generateCSRFToken());
+ *
+ * // In handler
+ * app.get('/form', async (ctx) => {
+ *   const token = ctx.csrfToken;
+ *   return ctx.html(`<input type="hidden" name="_csrf" value="${token}">`);
+ * });
+ * ```
+ */
+export declare function generateCSRFToken(config?: CSRFConfig, adapter?: CSRFAdapter): Middleware;
+/**
+ * Combined CSRF middleware - generates and validates tokens
+ */
+export declare function csrfProtection(config?: CSRFConfig): Middleware;
+//# sourceMappingURL=csrf.d.ts.map

package/dist/security/csrf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csrf.d.ts","sourceRoot":"","sources":["../../src/security/csrf.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAiB,UAAU,EAAE,MAAM,eAAe,CAAC;AAC/D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAC1C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AA+E7C;;;;;;;;;;GAUG;AACH,wBAAgB,IAAI,CAChB,MAAM,GAAE,UAAe,EACvB,OAAO,CAAC,EAAE,WAAW,GACtB,UAAU,CAiDZ;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iBAAiB,CAC7B,MAAM,GAAE,UAAe,EACvB,OAAO,CAAC,EAAE,WAAW,GACtB,UAAU,CAiCZ;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,GAAE,UAAe,GAAG,UAAU,CAWlE"}

package/dist/security/csrf.js

@@ -0,0 +1,185 @@
+"use strict";
+/**
+ * CSRF Protection Middleware
+ *
+ * Implements Cross-Site Request Forgery protection
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.csrf = csrf;
+exports.generateCSRFToken = generateCSRFToken;
+exports.csrfProtection = csrfProtection;
+/**
+ * Default CSRF token adapter
+ * Uses double-submit cookie pattern
+ */
+class DefaultCSRFAdapter {
+    tokenLength;
+    constructor(tokenLength = 32) {
+        this.tokenLength = tokenLength;
+    }
+    generateToken(_ctx) {
+        // Generate random token
+        const bytes = crypto.getRandomValues(new Uint8Array(this.tokenLength));
+        return Array.from(bytes)
+            .map(b => b.toString(16).padStart(2, '0'))
+            .join('');
+    }
+    validateToken(ctx, token) {
+        // In double-submit cookie pattern, token in cookie should match token in header/body
+        const cookieToken = this.extractTokenFromCookie(ctx);
+        if (!cookieToken) {
+            return false;
+        }
+        // Constant-time comparison to prevent timing attacks
+        return this.constantTimeCompare(token, cookieToken);
+    }
+    extractToken(ctx) {
+        // Try header first
+        const csrfHeader = ctx.headers['x-csrf-token'] || ctx.headers['X-CSRF-Token'];
+        if (csrfHeader) {
+            return Array.isArray(csrfHeader) ? csrfHeader[0] : csrfHeader;
+        }
+        const csrfTokenHeader = ctx.headers['csrf-token'] || ctx.headers['CSRF-Token'];
+        if (csrfTokenHeader) {
+            return Array.isArray(csrfTokenHeader) ? csrfTokenHeader[0] : csrfTokenHeader;
+        }
+        // Try body
+        if (ctx.body && typeof ctx.body === 'object') {
+            return ctx.body._csrf || ctx.body.csrf_token || null;
+        }
+        return null;
+    }
+    extractTokenFromCookie(ctx) {
+        const cookieHeaderRaw = ctx.headers['cookie'] || ctx.headers['Cookie'];
+        if (!cookieHeaderRaw) {
+            return null;
+        }
+        const cookieHeader = Array.isArray(cookieHeaderRaw) ? cookieHeaderRaw[0] : cookieHeaderRaw;
+        const match = cookieHeader.match(/_csrf=([^;]+)/);
+        return match ? match[1] : null;
+    }
+    constantTimeCompare(a, b) {
+        if (a.length !== b.length) {
+            return false;
+        }
+        let result = 0;
+        for (let i = 0; i < a.length; i++) {
+            result |= a.charCodeAt(i) ^ b.charCodeAt(i);
+        }
+        return result === 0;
+    }
+}
+/**
+ * CSRF protection middleware
+ *
+ * @example
+ * ```ts
+ * app.use(csrf({
+ *   cookie: { sameSite: 'strict' },
+ *   excludeRoutes: ['/api/webhook/*']
+ * }));
+ * ```
+ */
+function csrf(config = {}, adapter) {
+    const csrfAdapter = adapter || new DefaultCSRFAdapter(config.tokenLength);
+    const auto = config.auto !== false;
+    const excludeMethods = config.excludeMethods || ['GET', 'HEAD', 'OPTIONS'];
+    const excludeRoutes = config.excludeRoutes || [];
+    return async (ctx, next, _deps) => {
+        // Skip safe methods
+        if (excludeMethods.includes(ctx.method)) {
+            return next(ctx);
+        }
+        // Skip excluded routes
+        for (const pattern of excludeRoutes) {
+            const regex = new RegExp('^' + pattern.replace('*', '.*') + '$');
+            if (regex.test(ctx.path)) {
+                return next(ctx);
+            }
+        }
+        // Validate CSRF token
+        if (auto) {
+            const token = csrfAdapter.extractToken(ctx);
+            if (!token) {
+                return {
+                    statusCode: 403,
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({
+                        error: 'CSRF token missing'
+                    })
+                };
+            }
+            const valid = csrfAdapter.validateToken(ctx, token);
+            if (!valid) {
+                return {
+                    statusCode: 403,
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({
+                        error: 'CSRF token invalid'
+                    })
+                };
+            }
+        }
+        return next(ctx);
+    };
+}
+/**
+ * Generate CSRF token middleware
+ * Attaches token to context and sets cookie
+ *
+ * @example
+ * ```ts
+ * app.use(generateCSRFToken());
+ *
+ * // In handler
+ * app.get('/form', async (ctx) => {
+ *   const token = ctx.csrfToken;
+ *   return ctx.html(`<input type="hidden" name="_csrf" value="${token}">`);
+ * });
+ * ```
+ */
+function generateCSRFToken(config = {}, adapter) {
+    const csrfAdapter = adapter || new DefaultCSRFAdapter(config.tokenLength);
+    const cookieName = config.cookie?.name || '_csrf';
+    const cookieOptions = {
+        sameSite: config.cookie?.sameSite || 'strict',
+        secure: config.cookie?.secure !== false,
+        httpOnly: config.cookie?.httpOnly !== false
+    };
+    return async (ctx, next, _deps) => {
+        // Generate token
+        const token = csrfAdapter.generateToken(ctx);
+        // Attach to context
+        ctx.csrfToken = token;
+        // Execute handler
+        const response = await next(ctx);
+        // Set cookie
+        const cookieValue = `${cookieName}=${token}; SameSite=${cookieOptions.sameSite}${cookieOptions.secure ? '; Secure' : ''}${cookieOptions.httpOnly ? '; HttpOnly' : ''}; Path=/`;
+        // Append cookie to response headers
+        if (!response.headers['Set-Cookie']) {
+            response.headers['Set-Cookie'] = cookieValue;
+        }
+        else if (Array.isArray(response.headers['Set-Cookie'])) {
+            response.headers['Set-Cookie'].push(cookieValue);
+        }
+        else {
+            response.headers['Set-Cookie'] = [response.headers['Set-Cookie'], cookieValue];
+        }
+        return response;
+    };
+}
+/**
+ * Combined CSRF middleware - generates and validates tokens
+ */
+function csrfProtection(config = {}) {
+    const generateMiddleware = generateCSRFToken(config);
+    const validateMiddleware = csrf(config);
+    return async (ctx, next, deps) => {
+        // First generate token
+        return generateMiddleware(ctx, async (ctxWithToken) => {
+            // Then validate on unsafe methods
+            return validateMiddleware(ctxWithToken, next, deps);
+        }, deps);
+    };
+}
+//# sourceMappingURL=csrf.js.map