@flink-app/jwt-auth-plugin 2.0.0-alpha.75 → 2.0.0-alpha.77

package/CHANGELOG.md

@@ -1,5 +1,21 @@
 # @flink-app/jwt-auth-plugin
 
+## 2.0.0-alpha.77
+
+### Patch Changes
+
+-   @flink-app/flink@2.0.0-alpha.77
+
+## 2.0.0-alpha.76
+
+### Minor Changes
+
+-   Add resolveTokenTTL callback to jwt-auth-plugin for dynamic token TTL based on role. Fix renames in email-plugin and inbound-email-plugin. Fix tsconfig in generic-auth-plugin.
+
+### Patch Changes
+
+-   @flink-app/flink@2.0.0-alpha.76
+
 ## 2.0.0-alpha.75
 
 ### Patch Changes

package/dist/FlinkJwtAuthPlugin.d.ts

@@ -20,6 +20,16 @@ export type TokenExtractor = (req: FlinkRequest) => string | null | undefined;
  * @returns true if user has required permissions, false otherwise
  */
 export type PermissionChecker = (user: FlinkAuthUser, routePermissions: string[]) => Promise<boolean> | boolean;
+/**
+ * Custom token TTL resolver callback.
+ *
+ * Called during token creation to determine expiration dynamically based on roles.
+ *
+ * Return values:
+ * - `number`: TTL in milliseconds to use for this token
+ * - `undefined`: Fall back to static `tokenTTL` option (or default ~100 years)
+ */
+export type TokenTTLResolver = (roles: string[], payload: any) => number | undefined;
 export interface JwtAuthPluginOptions {
     secret: string;
     algo?: jwtSimple.TAlgorithm;
@@ -73,6 +83,23 @@ export interface JwtAuthPluginOptions {
      * ```
      */
     useDynamicRoles?: boolean;
+    /**
+     * Optional dynamic token TTL resolver.
+     *
+     * When provided, called during token creation with the user's roles and payload.
+     * Return a TTL in milliseconds to override the static `tokenTTL`, or `undefined`
+     * to fall back to `tokenTTL` (or the default).
+     *
+     * Example:
+     * ```typescript
+     * resolveTokenTTL: (roles) => {
+     *   if (roles.includes("service-account")) return 1000 * 60 * 60 * 24 * 365; // 1 year
+     *   if (roles.includes("admin")) return 1000 * 60 * 60 * 8; // 8 hours
+     *   return 1000 * 60 * 60; // 1 hour default
+     * }
+     * ```
+     */
+    resolveTokenTTL?: TokenTTLResolver;
 }
 export interface JwtAuthPlugin extends FlinkAuthPlugin {
     /**
@@ -95,5 +122,4 @@ export interface JwtAuthPlugin extends FlinkAuthPlugin {
 /**
  * Configures and creates authentication plugin.
  */
-export declare function jwtAuthPlugin({ secret, getUser, rolePermissions, algo, passwordPolicy, tokenTTL, //Defaults to hundred year
-tokenExtractor, checkPermissions, useDynamicRoles, }: JwtAuthPluginOptions): JwtAuthPlugin;
+export declare function jwtAuthPlugin({ secret, getUser, rolePermissions, algo, passwordPolicy, tokenTTL, tokenExtractor, checkPermissions, useDynamicRoles, resolveTokenTTL, }: JwtAuthPluginOptions): JwtAuthPlugin;

package/dist/FlinkJwtAuthPlugin.js

@@ -65,8 +65,7 @@ var defaultPasswordPolicy = /^(?=.*[A-Za-z])(?=.*\d)[A-Za-z\d]{8,}$/;
  */
 function jwtAuthPlugin(_a) {
     var _this = this;
-    var secret = _a.secret, getUser = _a.getUser, rolePermissions = _a.rolePermissions, _b = _a.algo, algo = _b === void 0 ? "HS256" : _b, _c = _a.passwordPolicy, passwordPolicy = _c === void 0 ? defaultPasswordPolicy : _c, _d = _a.tokenTTL, tokenTTL = _d === void 0 ? 1000 * 60 * 60 * 24 * 365 * 100 : _d, //Defaults to hundred year
-    tokenExtractor = _a.tokenExtractor, checkPermissions = _a.checkPermissions, _e = _a.useDynamicRoles, useDynamicRoles = _e === void 0 ? false : _e;
+    var secret = _a.secret, getUser = _a.getUser, rolePermissions = _a.rolePermissions, _b = _a.algo, algo = _b === void 0 ? "HS256" : _b, _c = _a.passwordPolicy, passwordPolicy = _c === void 0 ? defaultPasswordPolicy : _c, tokenTTL = _a.tokenTTL, tokenExtractor = _a.tokenExtractor, checkPermissions = _a.checkPermissions, _d = _a.useDynamicRoles, useDynamicRoles = _d === void 0 ? false : _d, resolveTokenTTL = _a.resolveTokenTTL;
     return {
         authenticateRequest: function (req, permissions) { return __awaiter(_this, void 0, void 0, function () {
             return __generator(this, function (_a) {
@@ -80,7 +79,7 @@ function jwtAuthPlugin(_a) {
                     })];
             });
         }); },
-        createToken: function (payload, roles) { return createToken(__assign(__assign({}, payload), { roles: roles }), { algo: algo, secret: secret, tokenTTL: tokenTTL }); },
+        createToken: function (payload, roles) { return createToken(__assign(__assign({}, payload), { roles: roles }), { algo: algo, secret: secret, tokenTTL: tokenTTL, resolveTokenTTL: resolveTokenTTL }, roles); },
         createPasswordHashAndSalt: function (password) { return createPasswordHashAndSalt(password, passwordPolicy); },
         validatePassword: validatePassword,
     };
@@ -169,14 +168,18 @@ function getTokenFromReq(req) {
     }
     return;
 }
-function createToken(payload_1, _a) {
-    return __awaiter(this, arguments, void 0, function (payload, _b) {
-        var secret = _b.secret, algo = _b.algo, tokenTTL = _b.tokenTTL;
-        return __generator(this, function (_c) {
+function createToken(payload_1, _a, roles_1) {
+    return __awaiter(this, arguments, void 0, function (payload, _b, roles) {
+        var resolvedTTL, effectiveTTL;
+        var _c;
+        var secret = _b.secret, algo = _b.algo, tokenTTL = _b.tokenTTL, resolveTokenTTL = _b.resolveTokenTTL;
+        return __generator(this, function (_d) {
             if (!payload) {
                 throw new Error("Cannot create token - payload is missing");
             }
-            return [2 /*return*/, jwt_simple_1.default.encode(__assign({ exp: _calculateExpiration(tokenTTL || 1000 * 60 * 60 * 24 * 365 * 100) }, payload), secret, algo)];
+            resolvedTTL = resolveTokenTTL === null || resolveTokenTTL === void 0 ? void 0 : resolveTokenTTL(roles, payload);
+            effectiveTTL = (_c = resolvedTTL !== null && resolvedTTL !== void 0 ? resolvedTTL : tokenTTL) !== null && _c !== void 0 ? _c : 1000 * 60 * 60 * 24 * 365 * 100;
+            return [2 /*return*/, jwt_simple_1.default.encode(__assign({ exp: _calculateExpiration(effectiveTTL) }, payload), secret, algo)];
         });
     });
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flink-app/jwt-auth-plugin",
-  "version": "2.0.0-alpha.75",
+  "version": "2.0.0-alpha.77",
   "description": "Flink plugin for JWT auth",
   "author": "joel@frost.se",
   "license": "MIT",
@@ -19,10 +19,10 @@
     "@types/node": "22.13.10",
     "ts-node": "^10.9.2",
     "tsc-watch": "^4.2.9",
-    "@flink-app/flink": "2.0.0-alpha.75"
+    "@flink-app/flink": "2.0.0-alpha.77"
   },
   "peerDependencies": {
-    "@flink-app/flink": ">=2.0.0-alpha.75"
+    "@flink-app/flink": ">=2.0.0-alpha.77"
   },
   "gitHead": "4243e3b3cd6d4e1ca001a61baa8436bf2bbe4113",
   "scripts": {

package/spec/FlinkJwtAuthPlugin.spec.ts

@@ -813,4 +813,110 @@ describe("FlinkJwtAuthPlugin", () => {
       expect(capturedHeaders["x-custom-header"]).toBe("custom-value");
     });
   });
+
+  describe("resolveTokenTTL", () => {
+    it("should use resolved TTL when callback returns a number", async () => {
+      const secret = "secret";
+      const ttl = 1000 * 60 * 60 * 8; // 8 hours
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async () => ({ id: "1", username: "u" }),
+        rolePermissions: {},
+        resolveTokenTTL: () => ttl,
+      });
+
+      const token = await plugin.createToken({ id: "1" }, ["admin"]);
+      const decoded = jwtSimple.decode(token, secret);
+      const expectedExp = Math.floor((Date.now() + ttl) / 1000);
+
+      expect(decoded.exp).toBeCloseTo(expectedExp, -1);
+    });
+
+    it("should fall back to static tokenTTL when callback returns undefined", async () => {
+      const secret = "secret";
+      const staticTTL = 1000 * 60 * 60 * 2; // 2 hours
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async () => ({ id: "1", username: "u" }),
+        rolePermissions: {},
+        tokenTTL: staticTTL,
+        resolveTokenTTL: () => undefined,
+      });
+
+      const token = await plugin.createToken({ id: "1" }, ["user"]);
+      const decoded = jwtSimple.decode(token, secret);
+      const expectedExp = Math.floor((Date.now() + staticTTL) / 1000);
+
+      expect(decoded.exp).toBeCloseTo(expectedExp, -1);
+    });
+
+    it("should fall back to default TTL when neither option is provided", async () => {
+      const secret = "secret";
+      const hundredYears = 1000 * 60 * 60 * 24 * 365 * 100;
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async () => ({ id: "1", username: "u" }),
+        rolePermissions: {},
+      });
+
+      const token = await plugin.createToken({ id: "1" }, ["user"]);
+      const decoded = jwtSimple.decode(token, secret);
+      const expectedExp = Math.floor((Date.now() + hundredYears) / 1000);
+
+      expect(decoded.exp).toBeCloseTo(expectedExp, -1);
+    });
+
+    it("should receive roles and payload in callback", async () => {
+      const secret = "secret";
+      let capturedRoles: string[] | undefined;
+      let capturedPayload: any;
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async () => ({ id: "1", username: "u" }),
+        rolePermissions: {},
+        resolveTokenTTL: (roles, payload) => {
+          capturedRoles = roles;
+          capturedPayload = payload;
+          return 60000;
+        },
+      });
+
+      await plugin.createToken({ id: "user-1", email: "a@b.com" }, ["admin", "editor"]);
+
+      expect(capturedRoles).toEqual(["admin", "editor"]);
+      expect(capturedPayload?.id).toBe("user-1");
+      expect(capturedPayload?.email).toBe("a@b.com");
+    });
+
+    it("should produce different TTLs for different roles", async () => {
+      const secret = "secret";
+
+      const plugin = jwtAuthPlugin({
+        secret,
+        getUser: async () => ({ id: "1", username: "u" }),
+        rolePermissions: {},
+        resolveTokenTTL: (roles) => {
+          if (roles.includes("admin")) return 1000 * 60 * 60; // 1 hour
+          return 1000 * 60 * 60 * 24 * 30; // 30 days
+        },
+      });
+
+      const adminToken = await plugin.createToken({ id: "1" }, ["admin"]);
+      const userToken = await plugin.createToken({ id: "2" }, ["user"]);
+
+      const adminDecoded = jwtSimple.decode(adminToken, secret);
+      const userDecoded = jwtSimple.decode(userToken, secret);
+
+      // User token should expire much later than admin token
+      expect(userDecoded.exp).toBeGreaterThan(adminDecoded.exp);
+
+      // Difference should be roughly 30 days minus 1 hour ≈ 29.96 days in seconds
+      const diffSeconds = userDecoded.exp - adminDecoded.exp;
+      expect(diffSeconds).toBeGreaterThan(29 * 24 * 60 * 60);
+    });
+  });
 });

package/src/FlinkJwtAuthPlugin.ts

@@ -34,6 +34,17 @@ export type PermissionChecker = (
     routePermissions: string[]
 ) => Promise<boolean> | boolean;
 
+/**
+ * Custom token TTL resolver callback.
+ *
+ * Called during token creation to determine expiration dynamically based on roles.
+ *
+ * Return values:
+ * - `number`: TTL in milliseconds to use for this token
+ * - `undefined`: Fall back to static `tokenTTL` option (or default ~100 years)
+ */
+export type TokenTTLResolver = (roles: string[], payload: any) => number | undefined;
+
 export interface JwtAuthPluginOptions {
     secret: string;
     algo?: jwtSimple.TAlgorithm;
@@ -87,6 +98,23 @@ export interface JwtAuthPluginOptions {
      * ```
      */
     useDynamicRoles?: boolean;
+    /**
+     * Optional dynamic token TTL resolver.
+     *
+     * When provided, called during token creation with the user's roles and payload.
+     * Return a TTL in milliseconds to override the static `tokenTTL`, or `undefined`
+     * to fall back to `tokenTTL` (or the default).
+     *
+     * Example:
+     * ```typescript
+     * resolveTokenTTL: (roles) => {
+     *   if (roles.includes("service-account")) return 1000 * 60 * 60 * 24 * 365; // 1 year
+     *   if (roles.includes("admin")) return 1000 * 60 * 60 * 8; // 8 hours
+     *   return 1000 * 60 * 60; // 1 hour default
+     * }
+     * ```
+     */
+    resolveTokenTTL?: TokenTTLResolver;
 }
 
 export interface JwtAuthPlugin extends FlinkAuthPlugin {
@@ -115,10 +143,11 @@ export function jwtAuthPlugin({
     rolePermissions,
     algo = "HS256",
     passwordPolicy = defaultPasswordPolicy,
-    tokenTTL = 1000 * 60 * 60 * 24 * 365 * 100, //Defaults to hundred year
+    tokenTTL,
     tokenExtractor,
     checkPermissions,
     useDynamicRoles = false,
+    resolveTokenTTL,
 }: JwtAuthPluginOptions): JwtAuthPlugin {
     return {
         authenticateRequest: async (req, permissions) =>
@@ -130,7 +159,7 @@ export function jwtAuthPlugin({
                 checkPermissions,
                 useDynamicRoles,
             }),
-        createToken: (payload, roles) => createToken({ ...payload, roles }, { algo, secret, tokenTTL }),
+        createToken: (payload, roles) => createToken({ ...payload, roles }, { algo, secret, tokenTTL, resolveTokenTTL }, roles),
         createPasswordHashAndSalt: (password: string) => createPasswordHashAndSalt(password, passwordPolicy),
         validatePassword,
     };
@@ -234,12 +263,19 @@ function getTokenFromReq(req: FlinkRequest) {
     return;
 }
 
-async function createToken(payload: any, { secret, algo, tokenTTL }: Pick<JwtAuthPluginOptions, "algo" | "secret" | "tokenTTL">) {
+async function createToken(
+    payload: any,
+    { secret, algo, tokenTTL, resolveTokenTTL }: Pick<JwtAuthPluginOptions, "algo" | "secret" | "tokenTTL" | "resolveTokenTTL">,
+    roles: string[]
+) {
     if (!payload) {
         throw new Error("Cannot create token - payload is missing");
     }
 
-    return jwtSimple.encode({ exp: _calculateExpiration(tokenTTL || 1000 * 60 * 60 * 24 * 365 * 100), ...payload }, secret, algo);
+    const resolvedTTL = resolveTokenTTL?.(roles, payload);
+    const effectiveTTL = resolvedTTL ?? tokenTTL ?? 1000 * 60 * 60 * 24 * 365 * 100;
+
+    return jwtSimple.encode({ exp: _calculateExpiration(effectiveTTL), ...payload }, secret, algo);
 }
 
 function _calculateExpiration(expiresInMs: number) {