@hazeljs/auth 0.2.0-alpha.1

package/dist/decorators/current-user.decorator.d.ts

@@ -0,0 +1,26 @@
+import 'reflect-metadata';
+/**
+ * Parameter decorator that injects the authenticated user from the request
+ * context into a controller method parameter.
+ *
+ * Requires JwtAuthGuard (or any guard that sets `req.user`) to run before
+ * the route handler. The value injected is the `AuthUser` object attached
+ * by the guard.
+ *
+ * @example
+ * ```ts
+ * @UseGuards(JwtAuthGuard)
+ * @Get('/profile')
+ * getProfile(@CurrentUser() user: AuthUser) {
+ *   return user;
+ * }
+ *
+ * // Access a specific field:
+ * @Get('/me')
+ * whoAmI(@CurrentUser('role') role: string) {
+ *   return { role };
+ * }
+ * ```
+ */
+export declare function CurrentUser(field?: string): ParameterDecorator;
+//# sourceMappingURL=current-user.decorator.d.ts.map

package/dist/decorators/current-user.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"current-user.decorator.d.ts","sourceRoot":"","sources":["../../src/decorators/current-user.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAI1B;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,WAAW,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,kBAAkB,CAe9D"}

package/dist/decorators/current-user.decorator.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CurrentUser = CurrentUser;
+require("reflect-metadata");
+const INJECT_METADATA_KEY = 'hazel:inject';
+/**
+ * Parameter decorator that injects the authenticated user from the request
+ * context into a controller method parameter.
+ *
+ * Requires JwtAuthGuard (or any guard that sets `req.user`) to run before
+ * the route handler. The value injected is the `AuthUser` object attached
+ * by the guard.
+ *
+ * @example
+ * ```ts
+ * @UseGuards(JwtAuthGuard)
+ * @Get('/profile')
+ * getProfile(@CurrentUser() user: AuthUser) {
+ *   return user;
+ * }
+ *
+ * // Access a specific field:
+ * @Get('/me')
+ * whoAmI(@CurrentUser('role') role: string) {
+ *   return { role };
+ * }
+ * ```
+ */
+function CurrentUser(field) {
+    return (target, propertyKey, parameterIndex) => {
+        if (!propertyKey) {
+            throw new Error('@CurrentUser() must be used on a method parameter');
+        }
+        const constructor = target.constructor;
+        const injections = Reflect.getMetadata(INJECT_METADATA_KEY, constructor, propertyKey) ?? [];
+        injections[parameterIndex] = { type: 'user', field };
+        Reflect.defineMetadata(INJECT_METADATA_KEY, injections, constructor, propertyKey);
+    };
+}

package/dist/guards/jwt-auth.guard.d.ts

@@ -0,0 +1,24 @@
+import { CanActivate, ExecutionContext } from '@hazeljs/core';
+import { AuthService } from '../auth.service';
+/**
+ * Guard that verifies a Bearer JWT token and attaches the decoded user to
+ * the request object.  Use this with @UseGuards() on controllers or methods.
+ *
+ * @example
+ * ```ts
+ * @UseGuards(JwtAuthGuard)
+ * @Controller('/profile')
+ * export class ProfileController {
+ *   @Get('/')
+ *   getProfile(@CurrentUser() user: AuthUser) {
+ *     return user;
+ *   }
+ * }
+ * ```
+ */
+export declare class JwtAuthGuard implements CanActivate {
+    private readonly authService;
+    constructor(authService: AuthService);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=jwt-auth.guard.d.ts.map

package/dist/guards/jwt-auth.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt-auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/jwt-auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAC1E,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE9C;;;;;;;;;;;;;;;GAeG;AACH,qBACa,YAAa,YAAW,WAAW;IAClC,OAAO,CAAC,QAAQ,CAAC,WAAW;gBAAX,WAAW,EAAE,WAAW;IAE/C,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CA2B/D"}

package/dist/guards/jwt-auth.guard.js

@@ -0,0 +1,61 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthGuard = void 0;
+const core_1 = require("@hazeljs/core");
+const auth_service_1 = require("../auth.service");
+/**
+ * Guard that verifies a Bearer JWT token and attaches the decoded user to
+ * the request object.  Use this with @UseGuards() on controllers or methods.
+ *
+ * @example
+ * ```ts
+ * @UseGuards(JwtAuthGuard)
+ * @Controller('/profile')
+ * export class ProfileController {
+ *   @Get('/')
+ *   getProfile(@CurrentUser() user: AuthUser) {
+ *     return user;
+ *   }
+ * }
+ * ```
+ */
+let JwtAuthGuard = class JwtAuthGuard {
+    constructor(authService) {
+        this.authService = authService;
+    }
+    async canActivate(context) {
+        const req = context.switchToHttp().getRequest();
+        const authHeader = req.headers?.['authorization'];
+        if (!authHeader) {
+            const err = Object.assign(new Error('No authorization header'), { status: 400 });
+            throw err;
+        }
+        const [scheme, token] = authHeader.split(' ');
+        if (scheme?.toLowerCase() !== 'bearer' || !token) {
+            const err = Object.assign(new Error('Invalid authorization header format'), { status: 400 });
+            throw err;
+        }
+        const user = await this.authService.verifyToken(token);
+        if (!user) {
+            const err = Object.assign(new Error('Invalid or expired token'), { status: 401 });
+            throw err;
+        }
+        // Attach to req so the router propagates it to context.user and @CurrentUser() can read it.
+        req.user = user;
+        return true;
+    }
+};
+exports.JwtAuthGuard = JwtAuthGuard;
+exports.JwtAuthGuard = JwtAuthGuard = __decorate([
+    (0, core_1.Injectable)(),
+    __metadata("design:paramtypes", [auth_service_1.AuthService])
+], JwtAuthGuard);

package/dist/guards/role.guard.d.ts

@@ -0,0 +1,36 @@
+import { CanActivate, Type } from '@hazeljs/core';
+import { RoleHierarchy, RoleHierarchyMap } from '../utils/role-hierarchy';
+export interface RoleGuardOptions {
+    /**
+     * Custom role hierarchy to use instead of DEFAULT_ROLE_HIERARCHY.
+     * Pass a plain map or a RoleHierarchy instance.
+     */
+    hierarchy?: RoleHierarchyMap | RoleHierarchy;
+}
+/**
+ * Factory that returns a guard allowing only users whose role satisfies at
+ * least one of the provided roles — directly or via the role hierarchy.
+ *
+ * By default uses DEFAULT_ROLE_HIERARCHY so `admin` automatically passes a
+ * `manager` check, `manager` passes a `user` check, etc.
+ *
+ * Must be used after JwtAuthGuard (or any guard that attaches `user` to the
+ * request).
+ *
+ * @example
+ * ```ts
+ * // admin, manager, AND user can access this:
+ * @UseGuards(JwtAuthGuard, RoleGuard('user'))
+ *
+ * // Only admin and above (superadmin) can access this:
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin'))
+ *
+ * // Custom hierarchy (no inheritance):
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin', { hierarchy: {} }))
+ *
+ * // Multiple accepted roles:
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin', 'moderator'))
+ * ```
+ */
+export declare function RoleGuard(...args: Array<string | RoleGuardOptions>): Type<CanActivate>;
+//# sourceMappingURL=role.guard.d.ts.map

package/dist/guards/role.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role.guard.d.ts","sourceRoot":"","sources":["../../src/guards/role.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAoB,IAAI,EAAE,MAAM,eAAe,CAAC;AAEhF,OAAO,EAAE,aAAa,EAA0B,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAElG,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,SAAS,CAAC,EAAE,gBAAgB,GAAG,aAAa,CAAC;CAC9C;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,SAAS,CAAC,GAAG,IAAI,EAAE,KAAK,CAAC,MAAM,GAAG,gBAAgB,CAAC,GAAG,IAAI,CAAC,WAAW,CAAC,CAwCtF"}

package/dist/guards/role.guard.js

@@ -0,0 +1,66 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RoleGuard = RoleGuard;
+const core_1 = require("@hazeljs/core");
+const role_hierarchy_1 = require("../utils/role-hierarchy");
+/**
+ * Factory that returns a guard allowing only users whose role satisfies at
+ * least one of the provided roles — directly or via the role hierarchy.
+ *
+ * By default uses DEFAULT_ROLE_HIERARCHY so `admin` automatically passes a
+ * `manager` check, `manager` passes a `user` check, etc.
+ *
+ * Must be used after JwtAuthGuard (or any guard that attaches `user` to the
+ * request).
+ *
+ * @example
+ * ```ts
+ * // admin, manager, AND user can access this:
+ * @UseGuards(JwtAuthGuard, RoleGuard('user'))
+ *
+ * // Only admin and above (superadmin) can access this:
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin'))
+ *
+ * // Custom hierarchy (no inheritance):
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin', { hierarchy: {} }))
+ *
+ * // Multiple accepted roles:
+ * @UseGuards(JwtAuthGuard, RoleGuard('admin', 'moderator'))
+ * ```
+ */
+function RoleGuard(...args) {
+    // Separate trailing options object from role strings
+    const lastArg = args[args.length - 1];
+    const hasOptions = typeof lastArg === 'object' && lastArg !== null;
+    const roles = (hasOptions ? args.slice(0, -1) : args);
+    const options = (hasOptions ? lastArg : {});
+    const hierarchyInstance = options.hierarchy instanceof role_hierarchy_1.RoleHierarchy
+        ? options.hierarchy
+        : new role_hierarchy_1.RoleHierarchy(options.hierarchy ?? role_hierarchy_1.DEFAULT_ROLE_HIERARCHY);
+    let RoleGuardMixin = class RoleGuardMixin {
+        canActivate(context) {
+            const req = context.switchToHttp().getRequest();
+            const user = req.user;
+            if (!user) {
+                const err = Object.assign(new Error('Unauthorized'), { status: 401 });
+                throw err;
+            }
+            const permitted = roles.some((required) => hierarchyInstance.satisfies(user.role, required));
+            if (!permitted) {
+                const err = Object.assign(new Error(`Requires one of the following roles: ${roles.join(', ')}`), { status: 403 });
+                throw err;
+            }
+            return true;
+        }
+    };
+    RoleGuardMixin = __decorate([
+        (0, core_1.Injectable)()
+    ], RoleGuardMixin);
+    return RoleGuardMixin;
+}

package/dist/guards/tenant.guard.d.ts

@@ -0,0 +1,54 @@
+import { CanActivate, Type } from '@hazeljs/core';
+export interface TenantGuardOptions {
+    /**
+     * Where to read the expected tenant ID from the incoming request.
+     *
+     * - `'param'`   — URL segment, e.g. `/orgs/:tenantId/products`  (default)
+     * - `'header'`  — HTTP header, e.g. `X-Tenant-ID`
+     * - `'query'`   — Query string, e.g. `?tenantId=acme`
+     *
+     * @default 'param'
+     */
+    source?: 'param' | 'header' | 'query';
+    /**
+     * Name of the param / header / query key that carries the tenant ID.
+     * @default 'tenantId'
+     */
+    key?: string;
+    /**
+     * Field on the authenticated user object that holds the user's tenant ID.
+     * @default 'tenantId'
+     */
+    userField?: string;
+}
+/**
+ * Factory that returns a guard enforcing tenant-level isolation.
+ *
+ * Compares the tenant ID carried by the request (from a URL param, header,
+ * or query param) against the tenant ID stored on the authenticated user
+ * (from the JWT payload).  Returns 403 if they do not match.
+ *
+ * Must be used after JwtAuthGuard so that `req.user` is populated.
+ *
+ * @example
+ * ```ts
+ * // URL param: GET /orgs/:tenantId/invoices
+ * @UseGuards(JwtAuthGuard, TenantGuard())
+ * @Controller('/orgs/:tenantId/invoices')
+ * export class InvoicesController {}
+ *
+ * // Header: X-Org-ID
+ * @UseGuards(JwtAuthGuard, TenantGuard({ source: 'header', key: 'x-org-id' }))
+ * @Controller('/invoices')
+ * export class InvoicesController {}
+ *
+ * // Superadmins bypass tenant check:
+ * @UseGuards(JwtAuthGuard, TenantGuard({ bypassRoles: ['superadmin'] }))
+ * @Controller('/orgs/:tenantId/invoices')
+ * export class InvoicesController {}
+ * ```
+ */
+export declare function TenantGuard(options?: TenantGuardOptions & {
+    bypassRoles?: string[];
+}): Type<CanActivate>;
+//# sourceMappingURL=tenant.guard.d.ts.map

package/dist/guards/tenant.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant.guard.d.ts","sourceRoot":"","sources":["../../src/guards/tenant.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,WAAW,EAAoB,IAAI,EAAkB,MAAM,eAAe,CAAC;AAIhG,MAAM,WAAW,kBAAkB;IACjC;;;;;;;;OAQG;IACH,MAAM,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC;IAEtC;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAgB,WAAW,CACzB,OAAO,GAAE,kBAAkB,GAAG;IAAE,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;CAAO,GAC5D,IAAI,CAAC,WAAW,CAAC,CAsEnB"}

package/dist/guards/tenant.guard.js

@@ -0,0 +1,96 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TenantGuard = TenantGuard;
+const core_1 = require("@hazeljs/core");
+const tenant_context_1 = require("../tenant/tenant-context");
+/**
+ * Factory that returns a guard enforcing tenant-level isolation.
+ *
+ * Compares the tenant ID carried by the request (from a URL param, header,
+ * or query param) against the tenant ID stored on the authenticated user
+ * (from the JWT payload).  Returns 403 if they do not match.
+ *
+ * Must be used after JwtAuthGuard so that `req.user` is populated.
+ *
+ * @example
+ * ```ts
+ * // URL param: GET /orgs/:tenantId/invoices
+ * @UseGuards(JwtAuthGuard, TenantGuard())
+ * @Controller('/orgs/:tenantId/invoices')
+ * export class InvoicesController {}
+ *
+ * // Header: X-Org-ID
+ * @UseGuards(JwtAuthGuard, TenantGuard({ source: 'header', key: 'x-org-id' }))
+ * @Controller('/invoices')
+ * export class InvoicesController {}
+ *
+ * // Superadmins bypass tenant check:
+ * @UseGuards(JwtAuthGuard, TenantGuard({ bypassRoles: ['superadmin'] }))
+ * @Controller('/orgs/:tenantId/invoices')
+ * export class InvoicesController {}
+ * ```
+ */
+function TenantGuard(options = {}) {
+    const { source = 'param', key = 'tenantId', userField = 'tenantId', bypassRoles = [] } = options;
+    let TenantGuardMixin = class TenantGuardMixin {
+        canActivate(context) {
+            const req = context.switchToHttp().getRequest();
+            const ctx = context.switchToHttp().getContext();
+            const user = req.user;
+            if (!user) {
+                const err = Object.assign(new Error('Unauthorized'), { status: 401 });
+                throw err;
+            }
+            // Privileged roles can bypass the tenant check entirely.
+            // Still seed the context so their own queries are naturally scoped.
+            if (bypassRoles.includes(user.role)) {
+                const bypassTenantId = user[userField];
+                if (bypassTenantId)
+                    tenant_context_1.TenantContext.enterWith(bypassTenantId);
+                return true;
+            }
+            const userTenantId = user[userField];
+            if (!userTenantId) {
+                const err = Object.assign(new Error(`User is not associated with any tenant (missing "${userField}")`), { status: 403 });
+                throw err;
+            }
+            // Extract the request-level tenant ID from the configured source.
+            let requestTenantId;
+            switch (source) {
+                case 'param':
+                    requestTenantId = ctx.params?.[key];
+                    break;
+                case 'header':
+                    requestTenantId = ctx.headers?.[key.toLowerCase()];
+                    break;
+                case 'query':
+                    requestTenantId = ctx.query?.[key];
+                    break;
+            }
+            if (!requestTenantId) {
+                const err = Object.assign(new Error(`Tenant ID not found in request ${source} "${key}"`), {
+                    status: 400,
+                });
+                throw err;
+            }
+            if (userTenantId !== requestTenantId) {
+                const err = Object.assign(new Error('Access denied: resource belongs to a different tenant'), { status: 403 });
+                throw err;
+            }
+            // Seed AsyncLocalStorage so repositories can call tenantCtx.requireId()
+            // without needing tenantId passed through every function parameter.
+            tenant_context_1.TenantContext.enterWith(userTenantId);
+            return true;
+        }
+    };
+    TenantGuardMixin = __decorate([
+        (0, core_1.Injectable)()
+    ], TenantGuardMixin);
+    return TenantGuardMixin;
+}

package/dist/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @hazeljs/auth - Authentication module for HazelJS
+ */
+export { AuthGuard, Auth } from './auth.guard';
+export { AuthService } from './auth.service';
+export type { AuthUser } from './auth.service';
+export { JwtModule } from './jwt/jwt.module';
+export { JwtService } from './jwt/jwt.service';
+export { JwtAuthGuard } from './guards/jwt-auth.guard';
+export { RoleGuard } from './guards/role.guard';
+export type { RoleGuardOptions } from './guards/role.guard';
+export { TenantGuard } from './guards/tenant.guard';
+export type { TenantGuardOptions } from './guards/tenant.guard';
+export { TenantContext } from './tenant/tenant-context';
+export { RoleHierarchy, DEFAULT_ROLE_HIERARCHY } from './utils/role-hierarchy';
+export type { RoleHierarchyMap } from './utils/role-hierarchy';
+export { CurrentUser } from './decorators/current-user.decorator';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC7C,YAAY,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,yBAAyB,CAAC;AACvD,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,YAAY,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACpD,YAAY,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AACxD,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAC/E,YAAY,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAC/D,OAAO,EAAE,WAAW,EAAE,MAAM,qCAAqC,CAAC"}

package/dist/index.js

@@ -0,0 +1,28 @@
+"use strict";
+/**
+ * @hazeljs/auth - Authentication module for HazelJS
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CurrentUser = exports.DEFAULT_ROLE_HIERARCHY = exports.RoleHierarchy = exports.TenantContext = exports.TenantGuard = exports.RoleGuard = exports.JwtAuthGuard = exports.JwtService = exports.JwtModule = exports.AuthService = exports.Auth = exports.AuthGuard = void 0;
+var auth_guard_1 = require("./auth.guard");
+Object.defineProperty(exports, "AuthGuard", { enumerable: true, get: function () { return auth_guard_1.AuthGuard; } });
+Object.defineProperty(exports, "Auth", { enumerable: true, get: function () { return auth_guard_1.Auth; } });
+var auth_service_1 = require("./auth.service");
+Object.defineProperty(exports, "AuthService", { enumerable: true, get: function () { return auth_service_1.AuthService; } });
+var jwt_module_1 = require("./jwt/jwt.module");
+Object.defineProperty(exports, "JwtModule", { enumerable: true, get: function () { return jwt_module_1.JwtModule; } });
+var jwt_service_1 = require("./jwt/jwt.service");
+Object.defineProperty(exports, "JwtService", { enumerable: true, get: function () { return jwt_service_1.JwtService; } });
+var jwt_auth_guard_1 = require("./guards/jwt-auth.guard");
+Object.defineProperty(exports, "JwtAuthGuard", { enumerable: true, get: function () { return jwt_auth_guard_1.JwtAuthGuard; } });
+var role_guard_1 = require("./guards/role.guard");
+Object.defineProperty(exports, "RoleGuard", { enumerable: true, get: function () { return role_guard_1.RoleGuard; } });
+var tenant_guard_1 = require("./guards/tenant.guard");
+Object.defineProperty(exports, "TenantGuard", { enumerable: true, get: function () { return tenant_guard_1.TenantGuard; } });
+var tenant_context_1 = require("./tenant/tenant-context");
+Object.defineProperty(exports, "TenantContext", { enumerable: true, get: function () { return tenant_context_1.TenantContext; } });
+var role_hierarchy_1 = require("./utils/role-hierarchy");
+Object.defineProperty(exports, "RoleHierarchy", { enumerable: true, get: function () { return role_hierarchy_1.RoleHierarchy; } });
+Object.defineProperty(exports, "DEFAULT_ROLE_HIERARCHY", { enumerable: true, get: function () { return role_hierarchy_1.DEFAULT_ROLE_HIERARCHY; } });
+var current_user_decorator_1 = require("./decorators/current-user.decorator");
+Object.defineProperty(exports, "CurrentUser", { enumerable: true, get: function () { return current_user_decorator_1.CurrentUser; } });

package/dist/jwt/jwt.module.d.ts

@@ -0,0 +1,5 @@
+import { JwtServiceOptions } from './jwt.service';
+export declare class JwtModule {
+    static forRoot(options?: JwtServiceOptions): typeof JwtModule;
+}
+//# sourceMappingURL=jwt.module.d.ts.map

package/dist/jwt/jwt.module.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.module.d.ts","sourceRoot":"","sources":["../../src/jwt/jwt.module.ts"],"names":[],"mappings":"AACA,OAAO,EAAc,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAE9D,qBAIa,SAAS;IACpB,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,iBAAiB,GAAG,OAAO,SAAS;CAM9D"}

package/dist/jwt/jwt.module.js

@@ -0,0 +1,27 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var JwtModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtModule = void 0;
+const core_1 = require("@hazeljs/core");
+const jwt_service_1 = require("./jwt.service");
+let JwtModule = JwtModule_1 = class JwtModule {
+    static forRoot(options) {
+        if (options) {
+            jwt_service_1.JwtService.configure(options);
+        }
+        return JwtModule_1;
+    }
+};
+exports.JwtModule = JwtModule;
+exports.JwtModule = JwtModule = JwtModule_1 = __decorate([
+    (0, core_1.HazelModule)({
+        providers: [jwt_service_1.JwtService],
+        exports: [jwt_service_1.JwtService],
+    })
+], JwtModule);

package/dist/jwt/jwt.service.d.ts

@@ -0,0 +1,25 @@
+export interface JwtPayload {
+    sub: string;
+    [key: string]: unknown;
+}
+export interface JwtServiceOptions {
+    secret?: string;
+    expiresIn?: string | number;
+    issuer?: string;
+    audience?: string;
+}
+export declare class JwtService {
+    private readonly secret;
+    private readonly defaultExpiresIn;
+    private readonly issuer?;
+    private readonly audience?;
+    constructor();
+    private static moduleOptions;
+    static configure(options: JwtServiceOptions): void;
+    sign(payload: JwtPayload, options?: {
+        expiresIn?: string | number;
+    }): string;
+    verify(token: string): JwtPayload;
+    decode(token: string): JwtPayload | null;
+}
+//# sourceMappingURL=jwt.service.d.ts.map

package/dist/jwt/jwt.service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.service.d.ts","sourceRoot":"","sources":["../../src/jwt/jwt.service.ts"],"names":[],"mappings":"AAGA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,qBACa,UAAU;IACrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAkB;IACnD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAS;;IAgBnC,OAAO,CAAC,MAAM,CAAC,aAAa,CAAyB;IAErD,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,iBAAiB,GAAG,IAAI;IAIlD,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAAA;KAAE,GAAG,MAAM;IAU5E,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU;IAQjC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI;CAIzC"}

package/dist/jwt/jwt.service.js

@@ -0,0 +1,61 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+var JwtService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtService = void 0;
+const core_1 = require("@hazeljs/core");
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+let JwtService = JwtService_1 = class JwtService {
+    constructor() {
+        const options = JwtService_1.moduleOptions;
+        this.secret = options.secret || process.env.JWT_SECRET || '';
+        this.defaultExpiresIn = options.expiresIn || process.env.JWT_EXPIRES_IN || '1h';
+        this.issuer = options.issuer || process.env.JWT_ISSUER;
+        this.audience = options.audience || process.env.JWT_AUDIENCE;
+        if (!this.secret) {
+            throw new Error('JWT secret is not configured. Set JWT_SECRET environment variable or pass secret via JwtModule.forRoot({ secret: "..." })');
+        }
+    }
+    static configure(options) {
+        JwtService_1.moduleOptions = options;
+    }
+    sign(payload, options) {
+        const signOptions = {
+            expiresIn: (options?.expiresIn || this.defaultExpiresIn),
+        };
+        if (this.issuer)
+            signOptions.issuer = this.issuer;
+        if (this.audience)
+            signOptions.audience = this.audience;
+        return jsonwebtoken_1.default.sign(payload, this.secret, signOptions);
+    }
+    verify(token) {
+        const verifyOptions = {};
+        if (this.issuer)
+            verifyOptions.issuer = this.issuer;
+        if (this.audience)
+            verifyOptions.audience = this.audience;
+        return jsonwebtoken_1.default.verify(token, this.secret, verifyOptions);
+    }
+    decode(token) {
+        const decoded = jsonwebtoken_1.default.decode(token);
+        return decoded;
+    }
+};
+exports.JwtService = JwtService;
+JwtService.moduleOptions = {};
+exports.JwtService = JwtService = JwtService_1 = __decorate([
+    (0, core_1.Service)(),
+    __metadata("design:paramtypes", [])
+], JwtService);