@hazeljs/auth 0.2.0-alpha.1

package/LICENSE

@@ -0,0 +1,192 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Copyright 2024 HazelJS Team
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+---
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+   Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+   stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+   that You distribute, all copyright, patent, trademark, and
+   attribution notices from the Source form of the Work,
+   excluding those notices that do not pertain to any part of
+   the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+   distribution, then any Derivative Works that You distribute must
+   include a readable copy of the attribution notices contained
+   within such NOTICE file, excluding those notices that do not
+   pertain to any part of the Derivative Works, in at least one
+   of the following places: within a NOTICE text file distributed
+   as part of the Derivative Works; within the Source form or
+   documentation, if provided along with the Derivative Works; or,
+   within a display generated by the Derivative Works, if and
+   wherever such third-party notices normally appear. The contents
+   of the NOTICE file are for informational purposes only and
+   do not modify the License. You may add Your own attribution
+   notices within Derivative Works that You distribute, alongside
+   or as an addendum to the NOTICE text from the Work, provided
+   that such additional attribution notices cannot be construed
+   as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS

package/README.md

@@ -0,0 +1,499 @@
+# @hazeljs/auth
+
+**JWT authentication, role-based access control, and tenant isolation — in one line of decorators.**
+
+No Passport config, no middleware soup. `@UseGuards(JwtAuthGuard)` on a controller and you're done.
+
+[![npm version](https://img.shields.io/npm/v/@hazeljs/auth.svg)](https://www.npmjs.com/package/@hazeljs/auth)
+[![npm downloads](https://img.shields.io/npm/dm/@hazeljs/auth)](https://www.npmjs.com/package/@hazeljs/auth)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
+
+## Features
+
+- **JWT signing & verification** via `JwtService` (backed by `jsonwebtoken`)
+- **`JwtAuthGuard`** — `@UseGuards`-compatible guard that verifies Bearer tokens and attaches `req.user`
+- **`RoleGuard`** — configurable role check with **inherited role hierarchy** (admin satisfies manager checks automatically)
+- **`TenantGuard`** — tenant-level isolation; compares the tenant ID on the JWT against a URL param, header, or query string
+- **`@CurrentUser()`** — parameter decorator that injects the authenticated user into controller methods
+- **`@Auth()`** — all-in-one method decorator for JWT + optional role check without `@UseGuards`
+
+---
+
+## Installation
+
+```bash
+npm install @hazeljs/auth
+```
+
+---
+
+## Setup
+
+### 1. Register `JwtModule`
+
+Configure the JWT secret once in your root module. Picks up `JWT_SECRET` and `JWT_EXPIRES_IN` env vars automatically when no options are passed.
+
+```typescript
+import { HazelModule } from '@hazeljs/core';
+import { JwtModule } from '@hazeljs/auth';
+
+@HazelModule({
+  imports: [
+    JwtModule.forRoot({
+      secret: process.env.JWT_SECRET,   // or set JWT_SECRET env var
+      expiresIn: '1h',                  // or set JWT_EXPIRES_IN env var
+      issuer: 'my-app',                 // optional
+      audience: 'my-users',             // optional
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+```env
+JWT_SECRET=change-me-in-production
+JWT_EXPIRES_IN=1h
+```
+
+### 2. Issue tokens at login
+
+```typescript
+import { Service } from '@hazeljs/core';
+import { JwtService } from '@hazeljs/auth';
+
+@Service()
+export class AuthLoginService {
+  constructor(private readonly jwt: JwtService) {}
+
+  async login(userId: string, role: string, tenantId?: string) {
+    const token = this.jwt.sign({
+      sub: userId,
+      role,
+      tenantId,           // include for TenantGuard
+    });
+
+    return { accessToken: token };
+  }
+}
+```
+
+---
+
+## Guards
+
+All guards are resolved from the DI container, so they can inject services.
+
+### `JwtAuthGuard`
+
+Verifies the `Authorization: Bearer <token>` header. On success it attaches the decoded payload to `req.user` so downstream guards and `@CurrentUser()` can read it.
+
+```typescript
+import { Controller, Get } from '@hazeljs/core';
+import { UseGuards } from '@hazeljs/core';
+import { JwtAuthGuard, CurrentUser, AuthUser } from '@hazeljs/auth';
+
+@UseGuards(JwtAuthGuard)          // protects every route in this controller
+@Controller('/profile')
+export class ProfileController {
+  @Get('/')
+  getProfile(@CurrentUser() user: AuthUser) {
+    return user;
+  }
+}
+```
+
+Errors thrown:
+
+| Condition | Status |
+|---|---|
+| No `Authorization` header | 400 |
+| Header not in `Bearer <token>` format | 400 |
+| Token invalid or expired | 401 |
+
+---
+
+### `RoleGuard`
+
+Checks the authenticated user's `role` against a list of allowed roles. Uses the **role hierarchy** so higher roles automatically satisfy lower-level checks.
+
+```typescript
+import { UseGuards } from '@hazeljs/core';
+import { JwtAuthGuard, RoleGuard } from '@hazeljs/auth';
+
+@UseGuards(JwtAuthGuard, RoleGuard('manager'))   // manager, admin, superadmin can access
+@Controller('/reports')
+export class ReportsController {}
+```
+
+#### Role hierarchy
+
+The default hierarchy is `superadmin → admin → manager → user`.
+
+```
+superadmin
+  └─ admin
+       └─ manager
+            └─ user
+```
+
+So `RoleGuard('user')` passes for **every** role, and `RoleGuard('admin')` only passes for `admin` and `superadmin`.
+
+```typescript
+// Only superadmin and admin can call this:
+@UseGuards(JwtAuthGuard, RoleGuard('admin'))
+
+// Everyone authenticated can call this:
+@UseGuards(JwtAuthGuard, RoleGuard('user'))
+
+// Either role (admin OR moderator, each with their inherited roles):
+@UseGuards(JwtAuthGuard, RoleGuard('admin', 'moderator'))
+```
+
+#### Custom hierarchy
+
+```typescript
+import { RoleGuard, RoleHierarchy } from '@hazeljs/auth';
+
+const hierarchy = new RoleHierarchy({
+  owner:  ['editor'],
+  editor: ['viewer'],
+  viewer: [],
+});
+
+@UseGuards(JwtAuthGuard, RoleGuard('editor', { hierarchy }))
+// owner and editor pass; viewer does not
+```
+
+#### Disable hierarchy
+
+```typescript
+@UseGuards(JwtAuthGuard, RoleGuard('admin', { hierarchy: {} }))
+// Only exact 'admin' role passes — no inheritance
+```
+
+Errors thrown:
+
+| Condition | Status |
+|---|---|
+| No `req.user` (guard order wrong) | 401 |
+| User role not in allowed set | 403 |
+
+---
+
+### `TenantGuard`
+
+Enforces tenant-level isolation. Compares `req.user.tenantId` (from the JWT) against the tenant ID found in the request.
+
+**Requires `JwtAuthGuard` to run first** so `req.user` is populated.
+
+#### URL param (default)
+
+```typescript
+import { JwtAuthGuard, TenantGuard } from '@hazeljs/auth';
+
+// Route: GET /orgs/:tenantId/invoices
+@UseGuards(JwtAuthGuard, TenantGuard())
+@Controller('/orgs/:tenantId/invoices')
+export class InvoicesController {}
+```
+
+#### HTTP header
+
+```typescript
+// Client sends: X-Org-ID: acme
+@UseGuards(JwtAuthGuard, TenantGuard({ source: 'header', key: 'x-org-id' }))
+@Controller('/invoices')
+export class InvoicesController {}
+```
+
+#### Query string
+
+```typescript
+// Client sends: GET /invoices?org=acme
+@UseGuards(JwtAuthGuard, TenantGuard({ source: 'query', key: 'org' }))
+@Controller('/invoices')
+export class InvoicesController {}
+```
+
+#### Bypass for privileged roles
+
+Superadmins often need to manage any tenant. Use `bypassRoles` to skip the check for them:
+
+```typescript
+@UseGuards(
+  JwtAuthGuard,
+  TenantGuard({ bypassRoles: ['superadmin'] })
+)
+@Controller('/orgs/:tenantId/settings')
+export class OrgSettingsController {}
+```
+
+#### Custom user field
+
+```typescript
+// JWT payload uses 'orgId' instead of 'tenantId'
+@UseGuards(JwtAuthGuard, TenantGuard({ userField: 'orgId' }))
+```
+
+All options:
+
+| Option | Type | Default | Description |
+|---|---|---|---|
+| `source` | `'param' \| 'header' \| 'query'` | `'param'` | Where to read the tenant ID from the request |
+| `key` | `string` | `'tenantId'` | Param name / header name / query key |
+| `userField` | `string` | `'tenantId'` | Field on `req.user` holding the user's tenant |
+| `bypassRoles` | `string[]` | `[]` | Roles that skip the check entirely |
+
+Errors thrown:
+
+| Condition | Status |
+|---|---|
+| No `req.user` | 401 |
+| `req.user` has no tenant field | 403 |
+| Tenant ID absent from request | 400 |
+| Tenant IDs do not match | 403 |
+
+---
+
+### Database-level tenant isolation
+
+`TenantGuard` blocks cross-tenant HTTP requests, but that alone isn't enough — a bug in service code could still return another tenant's rows. `TenantContext` closes that gap by enforcing isolation at the **query level** using Node.js `AsyncLocalStorage`.
+
+After `TenantGuard` validates the request it calls `TenantContext.enterWith(tenantId)`, which seeds the tenant ID into the current async execution chain. Every service and repository downstream can then call `tenantCtx.requireId()` to get the current tenant without it being passed through every function signature.
+
+```typescript
+// src/orders/orders.repository.ts
+import { Service } from '@hazeljs/core';
+import { TenantContext } from '@hazeljs/auth';
+
+@Service()
+export class OrdersRepository {
+  constructor(private readonly tenantCtx: TenantContext) {}
+
+  findAll() {
+    const tenantId = this.tenantCtx.requireId();
+    // Scoped automatically — no tenantId parameter needed
+    return db.query('SELECT * FROM orders WHERE tenant_id = $1', [tenantId]);
+  }
+
+  findById(id: string) {
+    const tenantId = this.tenantCtx.requireId();
+    // Even direct ID lookup is tenant-scoped — prevents IDOR attacks
+    return db.query(
+      'SELECT * FROM orders WHERE id = $1 AND tenant_id = $2',
+      [id, tenantId]
+    );
+  }
+}
+```
+
+The route setup:
+
+```typescript
+@UseGuards(JwtAuthGuard, TenantGuard())
+@Controller('/orgs/:tenantId/orders')
+export class OrdersController {
+  constructor(private readonly repo: OrdersRepository) {}
+
+  @Get('/')
+  list() {
+    // TenantContext is already seeded by TenantGuard — no need to pass tenantId
+    return this.repo.findAll();
+  }
+}
+```
+
+The two layers together:
+
+| Layer | What it does | What it catches |
+|---|---|---|
+| `TenantGuard` | Rejects requests where `req.user.tenantId !== :tenantId` | Unauthenticated cross-tenant requests |
+| `TenantContext` | Scopes every DB query via AsyncLocalStorage | Bugs, missing guard on a route, IDOR attempts |
+
+For background jobs or tests, you can run code in a specific tenant context explicitly:
+
+```typescript
+// Background job — no HTTP request involved
+await TenantContext.run('acme', async () => {
+  await ordersService.processPendingOrders();
+});
+```
+
+`requireId()` throws with a 500 if called outside any tenant context (guard missing), giving you a clear error instead of silently querying all tenants.
+
+---
+
+### Combining guards
+
+Guards run left-to-right. Always put `JwtAuthGuard` first.
+
+```typescript
+@UseGuards(JwtAuthGuard, RoleGuard('manager'), TenantGuard())
+@Controller('/orgs/:tenantId/orders')
+export class OrdersController {
+
+  @Get('/')
+  listOrders(@CurrentUser() user: AuthUser) {
+    return this.ordersService.findAll(user.tenantId!);
+  }
+
+  // Stricter restriction on a single route — only admin (and above) can delete:
+  @UseGuards(RoleGuard('admin'))
+  @Delete('/:id')
+  deleteOrder(@Param('id') id: string) {
+    return this.ordersService.remove(id);
+  }
+}
+```
+
+---
+
+## `@CurrentUser()` decorator
+
+Injects the authenticated user (or a specific field from it) directly into the controller parameter.
+
+```typescript
+import { CurrentUser, AuthUser } from '@hazeljs/auth';
+
+@UseGuards(JwtAuthGuard)
+@Get('/me')
+getMe(@CurrentUser() user: AuthUser) {
+  return user;
+  // { id: 'u1', username: 'alice', role: 'admin', tenantId: 'acme' }
+}
+
+@Get('/role')
+getRole(@CurrentUser('role') role: string) {
+  return { role };
+}
+
+@Get('/tenant')
+getTenant(@CurrentUser('tenantId') tenantId: string) {
+  return { tenantId };
+}
+```
+
+---
+
+## `@Auth()` decorator (method-level shorthand)
+
+A lower-level alternative that wraps the handler directly instead of using the `@UseGuards` metadata system. Useful for one-off routes or when you prefer explicit colocation.
+
+```typescript
+import { Auth } from '@hazeljs/auth';
+
+@Controller('/admin')
+export class AdminController {
+  @Auth()                         // JWT check only
+  @Get('/dashboard')
+  getDashboard() { ... }
+
+  @Auth({ roles: ['admin'] })     // JWT + role check (no hierarchy)
+  @Delete('/user/:id')
+  deleteUser(@Param('id') id: string) { ... }
+}
+```
+
+> **Note:** `@Auth()` does not use the role hierarchy. Use `@UseGuards(JwtAuthGuard, RoleGuard('admin'))` when hierarchy matters.
+
+---
+
+## `JwtService` API
+
+```typescript
+import { JwtService } from '@hazeljs/auth';
+
+// Sign a token
+const token = jwtService.sign({ sub: userId, role: 'admin', tenantId: 'acme' });
+const token = jwtService.sign({ sub: userId }, { expiresIn: '15m' }); // custom expiry
+
+// Verify and decode
+const payload = jwtService.verify(token);   // throws on invalid/expired
+payload.sub       // string
+payload.role      // string
+payload.tenantId  // string | undefined
+
+// Decode without verification (e.g. to read exp before refreshing)
+const payload = jwtService.decode(token);   // returns null on malformed
+```
+
+---
+
+## `AuthService` API
+
+`AuthService` wraps `JwtService` and returns a typed `AuthUser` object:
+
+```typescript
+interface AuthUser {
+  id: string;
+  username?: string;
+  role: string;
+  [key: string]: unknown;   // all other JWT claims pass through
+}
+
+const user = await authService.verifyToken(token);
+// Returns AuthUser | null (null when token is invalid — never throws)
+```
+
+---
+
+## `RoleHierarchy` API
+
+```typescript
+import { RoleHierarchy, DEFAULT_ROLE_HIERARCHY } from '@hazeljs/auth';
+
+const h = new RoleHierarchy(DEFAULT_ROLE_HIERARCHY);
+
+h.satisfies('superadmin', 'user')  // true  — full chain
+h.satisfies('manager', 'admin')    // false — no upward inheritance
+h.resolve('admin')                 // Set { 'admin', 'manager', 'user' }
+```
+
+---
+
+## Custom guards
+
+Implement `CanActivate` from `@hazeljs/core` for fully custom logic:
+
+```typescript
+import { Injectable, CanActivate, ExecutionContext } from '@hazeljs/core';
+
+@Injectable()
+export class ApiKeyGuard implements CanActivate {
+  canActivate(context: ExecutionContext): boolean {
+    const req = context.switchToHttp().getRequest() as { headers: Record<string, string> };
+    return req.headers['x-api-key'] === process.env.API_KEY;
+  }
+}
+```
+
+The `ExecutionContext` also exposes the fully parsed `RequestContext` (params, query, headers, body, user):
+
+```typescript
+canActivate(context: ExecutionContext): boolean {
+  const ctx = context.switchToHttp().getContext();
+  const orgId = ctx.params['orgId'];
+  const user  = ctx.user;
+  // ...
+}
+```
+
+---
+
+## Environment variables
+
+| Variable | Default | Description |
+|---|---|---|
+| `JWT_SECRET` | *(required)* | Secret used to sign and verify tokens |
+| `JWT_EXPIRES_IN` | `1h` | Default token lifetime |
+| `JWT_ISSUER` | — | Optional `iss` claim |
+| `JWT_AUDIENCE` | — | Optional `aud` claim |
+
+---
+
+## Links
+
+- [Documentation](https://hazeljs.com/docs/packages/auth)
+- [GitHub](https://github.com/hazel-js/hazeljs)
+- [Issues](https://github.com/hazel-js/hazeljs/issues)
+- [Discord](https://discord.com/channels/1448263814238965833/1448263814859456575)

package/dist/auth.guard.d.ts

@@ -0,0 +1,15 @@
+import { RequestContext } from '@hazeljs/core';
+import { AuthService } from './auth.service';
+export interface AuthGuardOptions {
+    roles?: string[];
+}
+export interface IAuthGuard {
+    canActivate(context: RequestContext, options?: AuthGuardOptions): Promise<boolean>;
+}
+export declare class AuthGuard implements IAuthGuard {
+    private authService;
+    constructor(authService: AuthService);
+    canActivate(context: RequestContext, options?: AuthGuardOptions): Promise<boolean>;
+}
+export declare function Auth(options?: AuthGuardOptions): (target: unknown, propertyKey: string, descriptor: PropertyDescriptor) => PropertyDescriptor;
+//# sourceMappingURL=auth.guard.d.ts.map