@inai-dev/hono 1.0.0

package/dist/middleware.js

@@ -0,0 +1,151 @@
+// src/middleware.ts
+import { InAIAuthClient, buildAuthObjectFromToken } from "@inai-dev/backend";
+import { isTokenExpired } from "@inai-dev/shared";
+
+// src/helpers.ts
+import { getCookie, setCookie, deleteCookie } from "hono/cookie";
+import {
+  COOKIE_AUTH_TOKEN,
+  COOKIE_REFRESH_TOKEN,
+  COOKIE_AUTH_SESSION,
+  decodeJWTPayload
+} from "@inai-dev/shared";
+function getAuth(c) {
+  return c.get("inaiAuth") ?? null;
+}
+function getTokenFromContext(c) {
+  const authHeader = c.req.header("Authorization");
+  if (authHeader?.startsWith("Bearer ")) {
+    return authHeader.slice(7);
+  }
+  return getCookie(c, COOKIE_AUTH_TOKEN) ?? null;
+}
+function getRefreshTokenFromContext(c) {
+  return getCookie(c, COOKIE_REFRESH_TOKEN) ?? null;
+}
+function setAuthCookies(c, tokens, user) {
+  const isProduction = typeof process !== "undefined" && process.env?.NODE_ENV === "production";
+  const claims = decodeJWTPayload(tokens.access_token);
+  const expiresAt = claims ? new Date(claims.exp * 1e3).toISOString() : new Date(Date.now() + tokens.expires_in * 1e3).toISOString();
+  setCookie(c, COOKIE_AUTH_TOKEN, tokens.access_token, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Lax",
+    path: "/",
+    maxAge: tokens.expires_in
+  });
+  setCookie(c, COOKIE_REFRESH_TOKEN, tokens.refresh_token, {
+    httpOnly: true,
+    secure: isProduction,
+    sameSite: "Strict",
+    path: "/api/auth",
+    maxAge: 7 * 24 * 60 * 60
+  });
+  setCookie(
+    c,
+    COOKIE_AUTH_SESSION,
+    JSON.stringify({
+      user,
+      expiresAt,
+      permissions: claims?.permissions ?? [],
+      orgId: claims?.org_id,
+      orgRole: claims?.org_role,
+      appId: claims?.app_id,
+      envId: claims?.env_id
+    }),
+    {
+      httpOnly: false,
+      secure: isProduction,
+      sameSite: "Lax",
+      path: "/",
+      maxAge: tokens.expires_in
+    }
+  );
+}
+function clearAuthCookies(c) {
+  deleteCookie(c, COOKIE_AUTH_TOKEN, { path: "/" });
+  deleteCookie(c, COOKIE_REFRESH_TOKEN, { path: "/api/auth" });
+  deleteCookie(c, COOKIE_AUTH_SESSION, { path: "/" });
+}
+
+// src/middleware.ts
+function matchesRoute(pathname, patterns) {
+  return patterns.some((pattern) => {
+    if (pattern.endsWith("*")) {
+      return pathname.startsWith(pattern.slice(0, -1));
+    }
+    return pathname === pattern;
+  });
+}
+function isPublicRoute(path, publicRoutes) {
+  if (typeof publicRoutes === "function") return publicRoutes(path);
+  return matchesRoute(path, publicRoutes);
+}
+function inaiAuthMiddleware(config = {}) {
+  const {
+    authMode = "app",
+    publicRoutes = [],
+    onUnauthorized,
+    ...authClientConfig
+  } = config;
+  const client = new InAIAuthClient(authClientConfig);
+  const isPlatform = authMode === "platform";
+  const defaultUnauthorized = (c) => c.json({ error: "Unauthorized" }, 401);
+  const handleUnauthorized = onUnauthorized ?? defaultUnauthorized;
+  return async function middleware(c, next) {
+    const path = new URL(c.req.url).pathname;
+    if (isPublicRoute(path, publicRoutes)) {
+      c.set("inaiAuth", null);
+      await next();
+      return;
+    }
+    const token = getTokenFromContext(c);
+    if (!token || isTokenExpired(token)) {
+      const refreshToken = getRefreshTokenFromContext(c);
+      if (refreshToken) {
+        try {
+          const tokens = isPlatform ? await client.platformRefresh(refreshToken) : await client.refresh(refreshToken);
+          const { data: user } = isPlatform ? await client.platformGetMe(tokens.access_token) : await client.getMe(tokens.access_token);
+          setAuthCookies(c, tokens, user);
+          const authObj2 = buildAuthObjectFromToken(tokens.access_token);
+          c.set("inaiAuth", authObj2);
+          await next();
+          return;
+        } catch {
+          clearAuthCookies(c);
+          return handleUnauthorized(c);
+        }
+      }
+      return handleUnauthorized(c);
+    }
+    const authObj = buildAuthObjectFromToken(token);
+    if (!authObj) {
+      return handleUnauthorized(c);
+    }
+    c.set("inaiAuth", authObj);
+    await next();
+  };
+}
+function requireAuth(config = {}) {
+  return async function middleware(c, next) {
+    const auth = getAuth(c);
+    if (!auth?.userId) {
+      return c.json({ error: "Unauthorized" }, 401);
+    }
+    if (config.role || config.permission) {
+      const hasAccess = auth.has({
+        role: config.role,
+        permission: config.permission
+      });
+      if (!hasAccess) {
+        return c.json({ error: "Forbidden" }, 403);
+      }
+    }
+    await next();
+  };
+}
+export {
+  inaiAuthMiddleware,
+  requireAuth
+};
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/middleware.ts","../src/helpers.ts"],"sourcesContent":["import type { MiddlewareHandler } from \"hono\";\nimport type { InAIAuthConfig } from \"@inai-dev/types\";\nimport { InAIAuthClient, buildAuthObjectFromToken } from \"@inai-dev/backend\";\nimport { isTokenExpired } from \"@inai-dev/shared\";\nimport type { InAIHonoMiddlewareConfig, RequireAuthConfig } from \"./types\";\nimport {\n  getTokenFromContext,\n  getRefreshTokenFromContext,\n  setAuthCookies,\n  clearAuthCookies,\n  getAuth,\n} from \"./helpers\";\n\nfunction matchesRoute(pathname: string, patterns: string[]): boolean {\n  return patterns.some((pattern) => {\n    if (pattern.endsWith(\"*\")) {\n      return pathname.startsWith(pattern.slice(0, -1));\n    }\n    return pathname === pattern;\n  });\n}\n\nfunction isPublicRoute(\n  path: string,\n  publicRoutes: string[] | ((path: string) => boolean),\n): boolean {\n  if (typeof publicRoutes === \"function\") return publicRoutes(path);\n  return matchesRoute(path, publicRoutes);\n}\n\nexport function inaiAuthMiddleware(\n  config: InAIHonoMiddlewareConfig & InAIAuthConfig = {},\n): MiddlewareHandler {\n  const {\n    authMode = \"app\",\n    publicRoutes = [],\n    onUnauthorized,\n    ...authClientConfig\n  } = config;\n\n  const client = new InAIAuthClient(authClientConfig);\n  const isPlatform = authMode === \"platform\";\n\n  const defaultUnauthorized = (c: Parameters<MiddlewareHandler>[0]) =>\n    c.json({ error: \"Unauthorized\" }, 401);\n\n  const handleUnauthorized = onUnauthorized ?? defaultUnauthorized;\n\n  return async function middleware(c, next) {\n    const path = new URL(c.req.url).pathname;\n\n    if (isPublicRoute(path, publicRoutes)) {\n      c.set(\"inaiAuth\", null);\n      await next();\n      return;\n    }\n\n    const token = getTokenFromContext(c);\n\n    if (!token || isTokenExpired(token)) {\n      const refreshToken = getRefreshTokenFromContext(c);\n\n      if (refreshToken) {\n        try {\n          const tokens = isPlatform\n            ? await client.platformRefresh(refreshToken)\n            : await client.refresh(refreshToken);\n          const { data: user } = isPlatform\n            ? await client.platformGetMe(tokens.access_token)\n            : await client.getMe(tokens.access_token);\n          setAuthCookies(c, tokens, user);\n\n          const authObj = buildAuthObjectFromToken(tokens.access_token);\n          c.set(\"inaiAuth\", authObj);\n\n          await next();\n          return;\n        } catch {\n          clearAuthCookies(c);\n          return handleUnauthorized(c);\n        }\n      }\n\n      return handleUnauthorized(c);\n    }\n\n    const authObj = buildAuthObjectFromToken(token);\n    if (!authObj) {\n      return handleUnauthorized(c);\n    }\n\n    c.set(\"inaiAuth\", authObj);\n    await next();\n  };\n}\n\nexport function requireAuth(config: RequireAuthConfig = {}): MiddlewareHandler {\n  return async function middleware(c, next) {\n    const auth = getAuth(c);\n\n    if (!auth?.userId) {\n      return c.json({ error: \"Unauthorized\" }, 401);\n    }\n\n    if (config.role || config.permission) {\n      const hasAccess = auth.has({\n        role: config.role,\n        permission: config.permission,\n      });\n\n      if (!hasAccess) {\n        return c.json({ error: \"Forbidden\" }, 403);\n      }\n    }\n\n    await next();\n  };\n}\n","import type { Context } from \"hono\";\nimport { getCookie, setCookie, deleteCookie } from \"hono/cookie\";\nimport type { AuthObject, TokenPair, UserResource, PlatformUserResource } from \"@inai-dev/types\";\nimport {\n  COOKIE_AUTH_TOKEN,\n  COOKIE_REFRESH_TOKEN,\n  COOKIE_AUTH_SESSION,\n  decodeJWTPayload,\n} from \"@inai-dev/shared\";\n\nexport function getAuth(c: Context): AuthObject | null {\n  return c.get(\"inaiAuth\") ?? null;\n}\n\nexport function getTokenFromContext(c: Context): string | null {\n  const authHeader = c.req.header(\"Authorization\");\n  if (authHeader?.startsWith(\"Bearer \")) {\n    return authHeader.slice(7);\n  }\n\n  return getCookie(c, COOKIE_AUTH_TOKEN) ?? null;\n}\n\nexport function getRefreshTokenFromContext(c: Context): string | null {\n  return getCookie(c, COOKIE_REFRESH_TOKEN) ?? null;\n}\n\nexport function setAuthCookies(\n  c: Context,\n  tokens: TokenPair,\n  user: UserResource | PlatformUserResource,\n): void {\n  const isProduction =\n    typeof process !== \"undefined\" && process.env?.NODE_ENV === \"production\";\n  const claims = decodeJWTPayload(tokens.access_token);\n  const expiresAt = claims\n    ? new Date(claims.exp * 1000).toISOString()\n    : new Date(Date.now() + tokens.expires_in * 1000).toISOString();\n\n  setCookie(c, COOKIE_AUTH_TOKEN, tokens.access_token, {\n    httpOnly: true,\n    secure: isProduction,\n    sameSite: \"Lax\",\n    path: \"/\",\n    maxAge: tokens.expires_in,\n  });\n\n  setCookie(c, COOKIE_REFRESH_TOKEN, tokens.refresh_token, {\n    httpOnly: true,\n    secure: isProduction,\n    sameSite: \"Strict\",\n    path: \"/api/auth\",\n    maxAge: 7 * 24 * 60 * 60,\n  });\n\n  setCookie(\n    c,\n    COOKIE_AUTH_SESSION,\n    JSON.stringify({\n      user,\n      expiresAt,\n      permissions: claims?.permissions ?? [],\n      orgId: claims?.org_id,\n      orgRole: claims?.org_role,\n      appId: claims?.app_id,\n      envId: claims?.env_id,\n    }),\n    {\n      httpOnly: false,\n      secure: isProduction,\n      sameSite: \"Lax\",\n      path: \"/\",\n      maxAge: tokens.expires_in,\n    },\n  );\n}\n\nexport function clearAuthCookies(c: Context): void {\n  deleteCookie(c, COOKIE_AUTH_TOKEN, { path: \"/\" });\n  deleteCookie(c, COOKIE_REFRESH_TOKEN, { path: \"/api/auth\" });\n  deleteCookie(c, COOKIE_AUTH_SESSION, { path: \"/\" });\n}\n"],"mappings":";AAEA,SAAS,gBAAgB,gCAAgC;AACzD,SAAS,sBAAsB;;;ACF/B,SAAS,WAAW,WAAW,oBAAoB;AAEnD;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEA,SAAS,QAAQ,GAA+B;AACrD,SAAO,EAAE,IAAI,UAAU,KAAK;AAC9B;AAEO,SAAS,oBAAoB,GAA2B;AAC7D,QAAM,aAAa,EAAE,IAAI,OAAO,eAAe;AAC/C,MAAI,YAAY,WAAW,SAAS,GAAG;AACrC,WAAO,WAAW,MAAM,CAAC;AAAA,EAC3B;AAEA,SAAO,UAAU,GAAG,iBAAiB,KAAK;AAC5C;AAEO,SAAS,2BAA2B,GAA2B;AACpE,SAAO,UAAU,GAAG,oBAAoB,KAAK;AAC/C;AAEO,SAAS,eACd,GACA,QACA,MACM;AACN,QAAM,eACJ,OAAO,YAAY,eAAe,QAAQ,KAAK,aAAa;AAC9D,QAAM,SAAS,iBAAiB,OAAO,YAAY;AACnD,QAAM,YAAY,SACd,IAAI,KAAK,OAAO,MAAM,GAAI,EAAE,YAAY,IACxC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,aAAa,GAAI,EAAE,YAAY;AAEhE,YAAU,GAAG,mBAAmB,OAAO,cAAc;AAAA,IACnD,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,OAAO;AAAA,EACjB,CAAC;AAED,YAAU,GAAG,sBAAsB,OAAO,eAAe;AAAA,IACvD,UAAU;AAAA,IACV,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,IAAI,KAAK,KAAK;AAAA,EACxB,CAAC;AAED;AAAA,IACE;AAAA,IACA;AAAA,IACA,KAAK,UAAU;AAAA,MACb;AAAA,MACA;AAAA,MACA,aAAa,QAAQ,eAAe,CAAC;AAAA,MACrC,OAAO,QAAQ;AAAA,MACf,SAAS,QAAQ;AAAA,MACjB,OAAO,QAAQ;AAAA,MACf,OAAO,QAAQ;AAAA,IACjB,CAAC;AAAA,IACD;AAAA,MACE,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,OAAO;AAAA,IACjB;AAAA,EACF;AACF;AAEO,SAAS,iBAAiB,GAAkB;AACjD,eAAa,GAAG,mBAAmB,EAAE,MAAM,IAAI,CAAC;AAChD,eAAa,GAAG,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAC3D,eAAa,GAAG,qBAAqB,EAAE,MAAM,IAAI,CAAC;AACpD;;;ADpEA,SAAS,aAAa,UAAkB,UAA6B;AACnE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,aAAO,SAAS,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,IACjD;AACA,WAAO,aAAa;AAAA,EACtB,CAAC;AACH;AAEA,SAAS,cACP,MACA,cACS;AACT,MAAI,OAAO,iBAAiB,WAAY,QAAO,aAAa,IAAI;AAChE,SAAO,aAAa,MAAM,YAAY;AACxC;AAEO,SAAS,mBACd,SAAoD,CAAC,GAClC;AACnB,QAAM;AAAA,IACJ,WAAW;AAAA,IACX,eAAe,CAAC;AAAA,IAChB;AAAA,IACA,GAAG;AAAA,EACL,IAAI;AAEJ,QAAM,SAAS,IAAI,eAAe,gBAAgB;AAClD,QAAM,aAAa,aAAa;AAEhC,QAAM,sBAAsB,CAAC,MAC3B,EAAE,KAAK,EAAE,OAAO,eAAe,GAAG,GAAG;AAEvC,QAAM,qBAAqB,kBAAkB;AAE7C,SAAO,eAAe,WAAW,GAAG,MAAM;AACxC,UAAM,OAAO,IAAI,IAAI,EAAE,IAAI,GAAG,EAAE;AAEhC,QAAI,cAAc,MAAM,YAAY,GAAG;AACrC,QAAE,IAAI,YAAY,IAAI;AACtB,YAAM,KAAK;AACX;AAAA,IACF;AAEA,UAAM,QAAQ,oBAAoB,CAAC;AAEnC,QAAI,CAAC,SAAS,eAAe,KAAK,GAAG;AACnC,YAAM,eAAe,2BAA2B,CAAC;AAEjD,UAAI,cAAc;AAChB,YAAI;AACF,gBAAM,SAAS,aACX,MAAM,OAAO,gBAAgB,YAAY,IACzC,MAAM,OAAO,QAAQ,YAAY;AACrC,gBAAM,EAAE,MAAM,KAAK,IAAI,aACnB,MAAM,OAAO,cAAc,OAAO,YAAY,IAC9C,MAAM,OAAO,MAAM,OAAO,YAAY;AAC1C,yBAAe,GAAG,QAAQ,IAAI;AAE9B,gBAAMA,WAAU,yBAAyB,OAAO,YAAY;AAC5D,YAAE,IAAI,YAAYA,QAAO;AAEzB,gBAAM,KAAK;AACX;AAAA,QACF,QAAQ;AACN,2BAAiB,CAAC;AAClB,iBAAO,mBAAmB,CAAC;AAAA,QAC7B;AAAA,MACF;AAEA,aAAO,mBAAmB,CAAC;AAAA,IAC7B;AAEA,UAAM,UAAU,yBAAyB,KAAK;AAC9C,QAAI,CAAC,SAAS;AACZ,aAAO,mBAAmB,CAAC;AAAA,IAC7B;AAEA,MAAE,IAAI,YAAY,OAAO;AACzB,UAAM,KAAK;AAAA,EACb;AACF;AAEO,SAAS,YAAY,SAA4B,CAAC,GAAsB;AAC7E,SAAO,eAAe,WAAW,GAAG,MAAM;AACxC,UAAM,OAAO,QAAQ,CAAC;AAEtB,QAAI,CAAC,MAAM,QAAQ;AACjB,aAAO,EAAE,KAAK,EAAE,OAAO,eAAe,GAAG,GAAG;AAAA,IAC9C;AAEA,QAAI,OAAO,QAAQ,OAAO,YAAY;AACpC,YAAM,YAAY,KAAK,IAAI;AAAA,QACzB,MAAM,OAAO;AAAA,QACb,YAAY,OAAO;AAAA,MACrB,CAAC;AAED,UAAI,CAAC,WAAW;AACd,eAAO,EAAE,KAAK,EAAE,OAAO,YAAY,GAAG,GAAG;AAAA,MAC3C;AAAA,IACF;AAEA,UAAM,KAAK;AAAA,EACb;AACF;","names":["authObj"]}

package/package.json

@@ -0,0 +1,73 @@
+{
+  "name": "@inai-dev/hono",
+  "version": "1.0.0",
+  "description": "Hono integration for InAI Auth SDK",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    },
+    "./middleware": {
+      "types": "./dist/middleware.d.ts",
+      "import": "./dist/middleware.js",
+      "require": "./dist/middleware.cjs"
+    },
+    "./api-routes": {
+      "types": "./dist/api-routes.d.ts",
+      "import": "./dist/api-routes.js",
+      "require": "./dist/api-routes.cjs"
+    }
+  },
+  "sideEffects": false,
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "clean": "rm -rf dist",
+    "typecheck": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@inai-dev/types": "^1.1.0",
+    "@inai-dev/shared": "^1.1.0",
+    "@inai-dev/backend": "^1.2.0"
+  },
+  "peerDependencies": {
+    "hono": ">=4.0.0"
+  },
+  "peerDependenciesMeta": {
+    "hono": {
+      "optional": false
+    }
+  },
+  "devDependencies": {
+    "hono": "^4.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "author": "InAI <contact@inai.dev>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/InAI-Team/inai-auth-sdk.git",
+    "directory": "packages/hono"
+  },
+  "homepage": "https://inai.dev/",
+  "bugs": "https://github.com/InAI-Team/inai-auth-sdk/issues",
+  "keywords": [
+    "inai",
+    "auth",
+    "hono",
+    "middleware",
+    "multi-tenant",
+    "cloudflare-workers"
+  ]
+}