npm - @juspay/neurolink - Versions diffs - 9.31.1 → 9.32.0 - Mend

@juspay/neurolink 9.31.1 → 9.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (162) hide show

package/CHANGELOG.md +12 -0
package/dist/auth/AuthProviderFactory.d.ts +71 -0
package/dist/auth/AuthProviderFactory.js +111 -0
package/dist/auth/AuthProviderRegistry.d.ts +33 -0
package/dist/auth/AuthProviderRegistry.js +190 -0
package/dist/auth/RequestContext.d.ts +23 -0
package/dist/auth/RequestContext.js +78 -0
package/dist/auth/authContext.d.ts +198 -0
package/dist/auth/authContext.js +314 -0
package/dist/auth/errors.d.ts +63 -0
package/dist/auth/errors.js +39 -0
package/dist/auth/index.d.ts +20 -8
package/dist/auth/index.js +35 -7
package/dist/auth/middleware/AuthMiddleware.d.ts +181 -0
package/dist/auth/middleware/AuthMiddleware.js +519 -0
package/dist/auth/middleware/rateLimitByUser.d.ts +282 -0
package/dist/auth/middleware/rateLimitByUser.js +554 -0
package/dist/auth/providers/BaseAuthProvider.d.ts +259 -0
package/dist/auth/providers/BaseAuthProvider.js +723 -0
package/dist/auth/providers/CognitoProvider.d.ts +61 -0
package/dist/auth/providers/CognitoProvider.js +304 -0
package/dist/auth/providers/KeycloakProvider.d.ts +61 -0
package/dist/auth/providers/KeycloakProvider.js +393 -0
package/dist/auth/providers/auth0.d.ts +59 -0
package/dist/auth/providers/auth0.js +274 -0
package/dist/auth/providers/betterAuth.d.ts +51 -0
package/dist/auth/providers/betterAuth.js +182 -0
package/dist/auth/providers/clerk.d.ts +65 -0
package/dist/auth/providers/clerk.js +317 -0
package/dist/auth/providers/custom.d.ts +64 -0
package/dist/auth/providers/custom.js +112 -0
package/dist/auth/providers/firebase.d.ts +63 -0
package/dist/auth/providers/firebase.js +226 -0
package/dist/auth/providers/jwt.d.ts +68 -0
package/dist/auth/providers/jwt.js +212 -0
package/dist/auth/providers/oauth2.d.ts +73 -0
package/dist/auth/providers/oauth2.js +303 -0
package/dist/auth/providers/supabase.d.ts +63 -0
package/dist/auth/providers/supabase.js +259 -0
package/dist/auth/providers/workos.d.ts +61 -0
package/dist/auth/providers/workos.js +284 -0
package/dist/auth/serverBridge.d.ts +14 -0
package/dist/auth/serverBridge.js +25 -0
package/dist/auth/sessionManager.d.ts +142 -0
package/dist/auth/sessionManager.js +437 -0
package/dist/cli/commands/authProviders.d.ts +43 -0
package/dist/cli/commands/authProviders.js +399 -0
package/dist/cli/commands/proxy.js +4 -2
package/dist/cli/factories/authCommandFactory.d.ts +23 -5
package/dist/cli/factories/authCommandFactory.js +108 -5
package/dist/cli/parser.js +1 -1
package/dist/client/auth/AuthProviderFactory.js +111 -0
package/dist/client/auth/AuthProviderRegistry.js +190 -0
package/dist/client/auth/RequestContext.js +78 -0
package/dist/client/auth/accountPool.js +178 -0
package/dist/client/auth/authContext.js +314 -0
package/dist/client/auth/errors.js +39 -0
package/dist/client/auth/index.js +61 -0
package/dist/client/auth/middleware/AuthMiddleware.js +519 -0
package/dist/client/auth/middleware/rateLimitByUser.js +554 -0
package/dist/client/auth/providers/BaseAuthProvider.js +723 -0
package/dist/client/auth/providers/CognitoProvider.js +304 -0
package/dist/client/auth/providers/KeycloakProvider.js +393 -0
package/dist/client/auth/providers/auth0.js +274 -0
package/dist/client/auth/providers/betterAuth.js +182 -0
package/dist/client/auth/providers/clerk.js +317 -0
package/dist/client/auth/providers/custom.js +112 -0
package/dist/client/auth/providers/firebase.js +226 -0
package/dist/client/auth/providers/jwt.js +212 -0
package/dist/client/auth/providers/oauth2.js +303 -0
package/dist/client/auth/providers/supabase.js +259 -0
package/dist/client/auth/providers/workos.js +284 -0
package/dist/client/auth/serverBridge.js +25 -0
package/dist/client/auth/sessionManager.js +437 -0
package/dist/client/core/infrastructure/baseRegistry.js +5 -1
package/dist/client/index.js +25 -0
package/dist/client/mcp/toolRegistry.js +11 -1
package/dist/client/neurolink.js +218 -0
package/dist/client/rag/ChunkerRegistry.js +2 -2
package/dist/client/rag/metadata/MetadataExtractorRegistry.js +2 -2
package/dist/client/rag/reranker/RerankerRegistry.js +2 -2
package/dist/client/server/routes/agentRoutes.js +20 -2
package/dist/client/types/authTypes.js +2 -1
package/dist/core/infrastructure/baseRegistry.d.ts +3 -1
package/dist/core/infrastructure/baseRegistry.js +5 -1
package/dist/index.d.ts +1 -0
package/dist/index.js +25 -0
package/dist/lib/auth/AuthProviderFactory.d.ts +71 -0
package/dist/lib/auth/AuthProviderFactory.js +112 -0
package/dist/lib/auth/AuthProviderRegistry.d.ts +33 -0
package/dist/lib/auth/AuthProviderRegistry.js +191 -0
package/dist/lib/auth/RequestContext.d.ts +23 -0
package/dist/lib/auth/RequestContext.js +79 -0
package/dist/lib/auth/authContext.d.ts +198 -0
package/dist/lib/auth/authContext.js +315 -0
package/dist/lib/auth/errors.d.ts +63 -0
package/dist/lib/auth/errors.js +40 -0
package/dist/lib/auth/index.d.ts +20 -8
package/dist/lib/auth/index.js +35 -7
package/dist/lib/auth/middleware/AuthMiddleware.d.ts +181 -0
package/dist/lib/auth/middleware/AuthMiddleware.js +520 -0
package/dist/lib/auth/middleware/rateLimitByUser.d.ts +282 -0
package/dist/lib/auth/middleware/rateLimitByUser.js +555 -0
package/dist/lib/auth/providers/BaseAuthProvider.d.ts +259 -0
package/dist/lib/auth/providers/BaseAuthProvider.js +724 -0
package/dist/lib/auth/providers/CognitoProvider.d.ts +61 -0
package/dist/lib/auth/providers/CognitoProvider.js +305 -0
package/dist/lib/auth/providers/KeycloakProvider.d.ts +61 -0
package/dist/lib/auth/providers/KeycloakProvider.js +394 -0
package/dist/lib/auth/providers/auth0.d.ts +59 -0
package/dist/lib/auth/providers/auth0.js +275 -0
package/dist/lib/auth/providers/betterAuth.d.ts +51 -0
package/dist/lib/auth/providers/betterAuth.js +183 -0
package/dist/lib/auth/providers/clerk.d.ts +65 -0
package/dist/lib/auth/providers/clerk.js +318 -0
package/dist/lib/auth/providers/custom.d.ts +64 -0
package/dist/lib/auth/providers/custom.js +113 -0
package/dist/lib/auth/providers/firebase.d.ts +63 -0
package/dist/lib/auth/providers/firebase.js +227 -0
package/dist/lib/auth/providers/jwt.d.ts +68 -0
package/dist/lib/auth/providers/jwt.js +213 -0
package/dist/lib/auth/providers/oauth2.d.ts +73 -0
package/dist/lib/auth/providers/oauth2.js +304 -0
package/dist/lib/auth/providers/supabase.d.ts +63 -0
package/dist/lib/auth/providers/supabase.js +260 -0
package/dist/lib/auth/providers/workos.d.ts +61 -0
package/dist/lib/auth/providers/workos.js +285 -0
package/dist/lib/auth/serverBridge.d.ts +14 -0
package/dist/lib/auth/serverBridge.js +26 -0
package/dist/lib/auth/sessionManager.d.ts +142 -0
package/dist/lib/auth/sessionManager.js +438 -0
package/dist/lib/core/infrastructure/baseRegistry.d.ts +3 -1
package/dist/lib/core/infrastructure/baseRegistry.js +5 -1
package/dist/lib/index.d.ts +1 -0
package/dist/lib/index.js +25 -0
package/dist/lib/mcp/toolRegistry.js +11 -1
package/dist/lib/neurolink.d.ts +42 -1
package/dist/lib/neurolink.js +218 -0
package/dist/lib/rag/ChunkerRegistry.js +2 -2
package/dist/lib/rag/metadata/MetadataExtractorRegistry.js +2 -2
package/dist/lib/rag/reranker/RerankerRegistry.js +2 -2
package/dist/lib/server/routes/agentRoutes.js +20 -2
package/dist/lib/types/authTypes.d.ts +937 -1
package/dist/lib/types/authTypes.js +2 -1
package/dist/lib/types/configTypes.d.ts +46 -0
package/dist/lib/types/generateTypes.d.ts +6 -0
package/dist/lib/types/index.d.ts +1 -0
package/dist/lib/types/streamTypes.d.ts +6 -0
package/dist/mcp/toolRegistry.js +11 -1
package/dist/neurolink.d.ts +42 -1
package/dist/neurolink.js +218 -0
package/dist/rag/ChunkerRegistry.js +2 -2
package/dist/rag/metadata/MetadataExtractorRegistry.js +2 -2
package/dist/rag/reranker/RerankerRegistry.js +2 -2
package/dist/server/routes/agentRoutes.js +20 -2
package/dist/types/authTypes.d.ts +937 -1
package/dist/types/authTypes.js +2 -1
package/dist/types/configTypes.d.ts +46 -0
package/dist/types/generateTypes.d.ts +6 -0
package/dist/types/index.d.ts +1 -0
package/dist/types/streamTypes.d.ts +6 -0
package/package.json +2 -1

package/dist/client/auth/middleware/AuthMiddleware.js ADDED Viewed

@@ -0,0 +1,519 @@
+/**
+ * AuthMiddleware - Authentication and authorization middleware
+ *
+ * Provides middleware factories for:
+ * - Token extraction and validation
+ * - User context propagation
+ * - RBAC enforcement
+ * - Public route handling
+ */
+import { createErrorFactory } from "../../core/infrastructure/baseError.js";
+import { withTimeout } from "../../utils/async/withTimeout.js";
+import { logger } from "../../utils/logger.js";
+import { AuthProviderFactory } from "../AuthProviderFactory.js";
+// =============================================================================
+// ERROR FACTORY
+// =============================================================================
+/**
+ * Auth middleware error codes
+ */
+export const AuthMiddlewareErrorCodes = {
+    MISSING_TOKEN: "AUTH_MIDDLEWARE-001",
+    INVALID_TOKEN: "AUTH_MIDDLEWARE-002",
+    UNAUTHORIZED: "AUTH_MIDDLEWARE-003",
+    FORBIDDEN: "AUTH_MIDDLEWARE-004",
+    PROVIDER_ERROR: "AUTH_MIDDLEWARE-005",
+    CONFIGURATION_ERROR: "AUTH_MIDDLEWARE-006",
+};
+/**
+ * Auth middleware error factory
+ */
+export const AuthMiddlewareError = createErrorFactory("AuthMiddleware", AuthMiddlewareErrorCodes);
+// =============================================================================
+// HELPERS
+// =============================================================================
+/**
+ * Create an AuthErrorInfo object for the onError callback.
+ *
+ * Avoids `as any` by constructing a proper Error with the required `code` field.
+ */
+function createAuthErrorInfo(message, code) {
+    const err = new Error(message);
+    err.code = code;
+    return err;
+}
+// =============================================================================
+// TOKEN EXTRACTION
+// =============================================================================
+/**
+ * Extract token from request context based on configuration
+ */
+export async function extractToken(context, config) {
+    // Default: extract from Authorization header
+    const headerConfig = config?.fromHeader ?? {
+        name: "authorization",
+        prefix: "Bearer",
+    };
+    // Try header extraction (case-insensitive header lookup)
+    const headerName = headerConfig.name?.toLowerCase() ?? "authorization";
+    // Find header value with case-insensitive lookup
+    let headerValue;
+    for (const [key, value] of Object.entries(context.headers)) {
+        if (key.toLowerCase() === headerName) {
+            headerValue = value;
+            break;
+        }
+    }
+    if (headerValue) {
+        const value = Array.isArray(headerValue) ? headerValue[0] : headerValue;
+        if (value) {
+            const prefix = headerConfig.prefix ?? "Bearer";
+            if (!prefix) {
+                // If no prefix required, return as-is
+                return value;
+            }
+            // Compare scheme case-insensitively per RFC 7235
+            const prefixWithSpace = `${prefix} `;
+            if (value.length > prefixWithSpace.length &&
+                value.slice(0, prefixWithSpace.length).toLowerCase() ===
+                    prefixWithSpace.toLowerCase()) {
+                return value.slice(prefixWithSpace.length);
+            }
+        }
+    }
+    // Try cookie extraction
+    if (config?.fromCookie?.name && context.cookies) {
+        const cookieToken = context.cookies[config.fromCookie.name];
+        if (cookieToken) {
+            return cookieToken;
+        }
+    }
+    // Try query parameter extraction
+    if (config?.fromQuery?.name && context.query) {
+        const queryToken = context.query[config.fromQuery.name];
+        if (queryToken) {
+            return Array.isArray(queryToken) ? queryToken[0] : queryToken;
+        }
+    }
+    // Try custom extraction
+    if (config?.custom) {
+        const customToken = await config.custom(context);
+        if (customToken) {
+            return customToken;
+        }
+    }
+    return null;
+}
+// =============================================================================
+// AUTH MIDDLEWARE FACTORY
+// =============================================================================
+/**
+ * Create authentication middleware
+ *
+ * Validates tokens and attaches user context to requests.
+ *
+ * @example
+ * ```typescript
+ * const authMiddleware = await createAuthMiddleware({
+ *   provider: 'auth0',
+ *   providerConfig: {
+ *     type: 'auth0',
+ *     domain: 'your-tenant.auth0.com',
+ *     clientId: 'your-client-id',
+ *   },
+ *   publicRoutes: ['/health', '/public/*'],
+ * });
+ *
+ * // Use in request handler
+ * const result = await authMiddleware(requestContext);
+ * if (result.proceed) {
+ *   // Access authenticated context
+ *   console.log('User:', result.context?.user);
+ * } else {
+ *   // Return error response
+ *   res.status(result.error.statusCode).json({ error: result.error.message });
+ * }
+ * ```
+ */
+export async function createAuthMiddleware(config) {
+    // Create provider instance
+    const provider = await AuthProviderFactory.createProvider(config.provider, config.providerConfig);
+    logger.debug(`[AuthMiddleware] Created middleware with ${config.provider} provider`);
+    return async (context) => {
+        try {
+            // Check if route is public
+            if (isPublicRoute(context.path ?? "", config.publicRoutes)) {
+                logger.debug(`[AuthMiddleware] Public route: ${context.path}`);
+                return { proceed: true };
+            }
+            // Extract token
+            const token = await extractToken(context, config.tokenExtraction);
+            if (!token) {
+                // If auth is optional, proceed without user
+                if (config.optional) {
+                    return { proceed: true };
+                }
+                const error = {
+                    statusCode: 401,
+                    message: "Authentication required",
+                    code: "AUTH-005",
+                };
+                if (config.onError) {
+                    await config.onError(createAuthErrorInfo(error.message, error.code), context);
+                }
+                return { proceed: false, error };
+            }
+            // Validate token (with 5s timeout to prevent hanging on slow providers)
+            const validationResult = await withTimeout(provider.authenticateToken(token), 5000, "Token authentication timed out after 5000ms");
+            if (!validationResult.valid) {
+                // If auth is optional, proceed without user
+                if (config.optional) {
+                    return { proceed: true };
+                }
+                const errorCode = validationResult.errorCode ?? "AUTH-001";
+                const error = {
+                    statusCode: 401,
+                    message: validationResult.error ?? "Invalid token",
+                    code: errorCode,
+                };
+                if (config.onError) {
+                    await config.onError(createAuthErrorInfo(error.message, error.code), context);
+                }
+                return { proceed: false, error };
+            }
+            // Fail closed: valid token without a user object is treated as failure
+            if (!validationResult.user) {
+                const error = {
+                    statusCode: 401,
+                    message: "Token valid but no user identity resolved",
+                    code: "AUTH-001",
+                };
+                if (config.onError) {
+                    await config.onError(createAuthErrorInfo(error.message, error.code), context);
+                }
+                return { proceed: false, error };
+            }
+            // Create authenticated context
+            // Providers populate `payload` (most) or `claims` (Cognito, Keycloak).
+            // Prefer `payload`, fall back to `claims` for compatibility.
+            const authenticatedContext = {
+                ...context,
+                user: validationResult.user,
+                token,
+                claims: validationResult.payload ??
+                    validationResult.claims,
+            };
+            // Call success hook
+            if (config.onAuthenticated) {
+                await config.onAuthenticated(authenticatedContext);
+            }
+            logger.debug(`[AuthMiddleware] Authenticated user: ${validationResult.user?.id}`);
+            return { proceed: true, context: authenticatedContext };
+        }
+        catch (error) {
+            logger.error(`[AuthMiddleware] Error:`, error);
+            const errorResult = {
+                statusCode: 500,
+                message: error instanceof Error ? error.message : "Authentication error",
+                code: "AUTH-014",
+            };
+            if (config.onError) {
+                await config.onError(createAuthErrorInfo(errorResult.message, errorResult.code), context);
+            }
+            return { proceed: false, error: errorResult };
+        }
+    };
+}
+// =============================================================================
+// RBAC MIDDLEWARE FACTORY
+// =============================================================================
+/**
+ * Create RBAC (Role-Based Access Control) middleware
+ *
+ * Checks if authenticated user has required roles/permissions.
+ *
+ * @example
+ * ```typescript
+ * const rbacMiddleware = createRBACMiddleware({
+ *   roles: ['admin', 'moderator'],
+ *   permissions: ['read:users'],
+ * });
+ *
+ * // Use after auth middleware
+ * const authResult = await authMiddleware(context);
+ * if (authResult.proceed && authResult.context) {
+ *   const rbacResult = await rbacMiddleware(authResult.context);
+ *   if (!rbacResult.proceed) {
+ *     res.status(403).json({ error: rbacResult.error.message });
+ *   }
+ * }
+ * ```
+ */
+export function createRBACMiddleware(config) {
+    return async (context) => {
+        try {
+            const user = context.user;
+            if (!user) {
+                return {
+                    proceed: false,
+                    error: {
+                        statusCode: 401,
+                        message: "User not authenticated",
+                        code: "AUTH-005",
+                    },
+                };
+            }
+            // Super admin roles bypass all role/permission checks
+            const superAdminRoles = config.superAdminRoles ?? [];
+            if (superAdminRoles.length > 0 &&
+                user.roles.some((r) => superAdminRoles.includes(r))) {
+                logger.debug(`[RBACMiddleware] Super admin bypass for user: ${user.id}`);
+                return { proceed: true, context };
+            }
+            // Build effective permissions from rolePermissions mapping and
+            // role hierarchy so that checks below consider inherited grants.
+            const effectivePermissions = new Set(user.permissions);
+            const rolePermissions = config.rolePermissions ?? {};
+            const roleHierarchy = config.roleHierarchy ?? {};
+            const expandRoles = (roles) => {
+                const expanded = new Set();
+                const queue = [...roles];
+                while (queue.length > 0) {
+                    const role = queue.pop();
+                    if (role === undefined || expanded.has(role)) {
+                        continue;
+                    }
+                    expanded.add(role);
+                    const children = roleHierarchy[role];
+                    if (children) {
+                        queue.push(...children);
+                    }
+                }
+                return [...expanded];
+            };
+            const allRoles = expandRoles(user.roles);
+            for (const role of allRoles) {
+                const perms = rolePermissions[role];
+                if (perms) {
+                    for (const p of perms) {
+                        effectivePermissions.add(p);
+                    }
+                }
+            }
+            // Check custom authorization first
+            if (config.custom) {
+                const customResult = await config.custom(user, context);
+                if (!customResult) {
+                    const result = {
+                        authorized: false,
+                        user,
+                        reason: "Custom authorization denied",
+                    };
+                    if (config.onDenied) {
+                        await config.onDenied(result, context);
+                    }
+                    return {
+                        proceed: false,
+                        error: {
+                            statusCode: 403,
+                            message: "Access denied",
+                            code: "AUTH-013",
+                        },
+                    };
+                }
+            }
+            // Check roles (includes inherited roles from hierarchy)
+            if (config.roles && config.roles.length > 0) {
+                const userRolesSet = new Set(allRoles);
+                const hasRequiredRoles = config.requireAllRoles
+                    ? config.roles.every((r) => userRolesSet.has(r))
+                    : config.roles.some((r) => userRolesSet.has(r));
+                if (!hasRequiredRoles) {
+                    const missingRoles = config.roles.filter((r) => !userRolesSet.has(r));
+                    const result = {
+                        authorized: false,
+                        user,
+                        requiredRoles: config.roles,
+                        missingRoles,
+                        reason: `Missing roles: ${missingRoles.join(", ")}`,
+                    };
+                    if (config.onDenied) {
+                        await config.onDenied(result, context);
+                    }
+                    return {
+                        proceed: false,
+                        error: {
+                            statusCode: 403,
+                            message: `Insufficient roles. Required: ${config.roles.join(", ")}`,
+                            code: "AUTH-012",
+                        },
+                    };
+                }
+            }
+            // Check permissions (all required; uses effective permissions from role mapping)
+            if (config.permissions && config.permissions.length > 0) {
+                const missingPermissions = config.permissions.filter((p) => !effectivePermissions.has(p));
+                if (missingPermissions.length > 0) {
+                    const result = {
+                        authorized: false,
+                        user,
+                        requiredPermissions: config.permissions,
+                        missingPermissions,
+                        reason: `Missing permissions: ${missingPermissions.join(", ")}`,
+                    };
+                    if (config.onDenied) {
+                        await config.onDenied(result, context);
+                    }
+                    return {
+                        proceed: false,
+                        error: {
+                            statusCode: 403,
+                            message: `Insufficient permissions. Required: ${config.permissions.join(", ")}`,
+                            code: "AUTH-011",
+                        },
+                    };
+                }
+            }
+            logger.debug(`[RBACMiddleware] Authorized user: ${user.id}`);
+            return { proceed: true, context };
+        }
+        catch (error) {
+            logger.error(`[RBACMiddleware] Error:`, error);
+            return {
+                proceed: false,
+                error: {
+                    statusCode: 500,
+                    message: error instanceof Error ? error.message : "Authorization error",
+                    code: "AUTH-014",
+                },
+            };
+        }
+    };
+}
+// =============================================================================
+// COMBINED MIDDLEWARE
+// =============================================================================
+/**
+ * Create combined auth + RBAC middleware
+ *
+ * Convenience function that combines authentication and authorization.
+ *
+ * @example
+ * ```typescript
+ * const protectedMiddleware = await createProtectedMiddleware({
+ *   auth: {
+ *     provider: 'auth0',
+ *     providerConfig: { type: 'auth0', domain: '...', clientId: '...' },
+ *   },
+ *   rbac: {
+ *     roles: ['admin'],
+ *   },
+ * });
+ *
+ * const result = await protectedMiddleware(context);
+ * ```
+ */
+export async function createProtectedMiddleware(config) {
+    const authMiddleware = await createAuthMiddleware(config.auth);
+    const rbacMiddleware = config.rbac ? createRBACMiddleware(config.rbac) : null;
+    return async (context) => {
+        // Run auth middleware
+        const authResult = await authMiddleware(context);
+        if (!authResult.proceed) {
+            return authResult;
+        }
+        // If no RBAC configured, return auth result as-is
+        if (!rbacMiddleware) {
+            return authResult;
+        }
+        // Build the context for RBAC. When auth is optional and no token was
+        // provided, authResult.context is undefined. We still need to run RBAC
+        // so that role/permission checks are not silently bypassed. Pass a
+        // context without a user — the RBAC middleware already handles the
+        // missing-user case and returns a 401.
+        const rbacContext = authResult.context ?? context;
+        // Run RBAC middleware
+        return rbacMiddleware(rbacContext);
+    };
+}
+// =============================================================================
+// UTILITY FUNCTIONS
+// =============================================================================
+/**
+ * Check if a path matches public routes
+ */
+function isPublicRoute(path, publicRoutes) {
+    if (!publicRoutes || publicRoutes.length === 0) {
+        return false;
+    }
+    // Strip query string before matching
+    const pathWithoutQuery = path.split("?")[0];
+    const normalizedPath = pathWithoutQuery.replace(/\/$/, "") || "/";
+    for (const route of publicRoutes) {
+        // Exact match
+        if (route === normalizedPath) {
+            return true;
+        }
+        // Wildcard match (e.g., '/public/*')
+        if (route.endsWith("*")) {
+            const prefix = route.slice(0, -1);
+            if (normalizedPath.startsWith(prefix)) {
+                return true;
+            }
+        }
+        // Pattern match with path segments
+        if (route.includes(":")) {
+            const routeParts = route.split("/");
+            const pathParts = normalizedPath.split("/");
+            if (routeParts.length === pathParts.length) {
+                const matches = routeParts.every((part, i) => {
+                    return part.startsWith(":") || part === pathParts[i];
+                });
+                if (matches) {
+                    return true;
+                }
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Create request context from standard request object
+ */
+export function createRequestContext(req) {
+    return {
+        method: req.method ?? "GET",
+        path: req.path ?? req.url ?? "/",
+        headers: req.headers ?? {},
+        cookies: req.cookies,
+        query: req.query,
+        body: req.body,
+        ip: req.ip,
+        ipAddress: req.ip,
+        userAgent: req.headers?.["user-agent"],
+    };
+}
+/**
+ * Create Express-compatible middleware
+ */
+export async function createExpressAuthMiddleware(config) {
+    const middleware = await createAuthMiddleware(config);
+    return async (req, res, next) => {
+        const context = createRequestContext(req);
+        const result = await middleware(context);
+        if (result.proceed) {
+            // Attach user to request
+            if (result.context) {
+                req.user = result.context.user;
+                req.authContext = result.context;
+            }
+            next();
+        }
+        else {
+            res.status(result.error?.statusCode ?? 401).json({
+                error: result.error?.message ?? "Unauthorized",
+                code: result.error?.code,
+            });
+        }
+    };
+}