@kaiz11/stack-client 0.0.14

package/dist/auth/server/helpers.d.ts

@@ -0,0 +1,215 @@
+import { type TokenPayload, type VerifyOptions, type JWKSKeyGetter } from "./verify.js";
+/**
+ * User info extracted from a verified token
+ */
+export interface AuthUser {
+    /** User ID */
+    id: string;
+    /** Email address */
+    email: string | null;
+    /** Phone number */
+    phone: string | null;
+    /** User role */
+    role: string;
+    /** Authenticator assurance level */
+    aal: "aal1" | "aal2";
+    /** App metadata */
+    appMetadata: Record<string, unknown>;
+    /** User metadata */
+    userMetadata: Record<string, unknown>;
+}
+/**
+ * Auth context extracted from a request
+ */
+export interface AuthContext {
+    /** Whether the request is authenticated */
+    isAuthenticated: boolean;
+    /** Authenticated user (null if not authenticated) */
+    user: AuthUser | null;
+    /** Raw token payload (null if not authenticated) */
+    tokenPayload: TokenPayload | null;
+    /** Access token (null if not authenticated) */
+    accessToken: string | null;
+}
+/**
+ * Request-like interface (works with Hono, Express, Fetch API, etc.)
+ */
+interface RequestLike {
+    headers: {
+        get(name: string): string | null;
+    };
+}
+/**
+ * Get authenticated user from a request
+ *
+ * Extracts and verifies the JWT from the Authorization header.
+ * Returns null if no token or invalid token.
+ *
+ * ## Token Handling
+ *
+ * | Token Type    | Result                                          |
+ * |---------------|-------------------------------------------------|
+ * | No token      | Returns `null`                                  |
+ * | Invalid token | Returns `null`                                  |
+ * | Anon JWT      | Returns `AuthUser` with `role = "anon"`         |
+ * | Auth JWT      | Returns `AuthUser` with `role = "authenticated"`|
+ * | Service JWT   | Returns `AuthUser` with `role = "service_role"` |
+ *
+ * @example
+ * ```typescript
+ * import { getUserFromRequest, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ *
+ * // Hono
+ * app.get("/api/me", async (c) => {
+ *   const user = await getUserFromRequest(c.req.raw, getKey);
+ *   if (!user) {
+ *     return c.json({ error: "Unauthorized" }, 401);
+ *   }
+ *   return c.json({ user });
+ * });
+ *
+ * // Express
+ * app.get("/api/me", async (req, res) => {
+ *   const user = await getUserFromRequest(req, getKey);
+ *   if (!user) {
+ *     return res.status(401).json({ error: "Unauthorized" });
+ *   }
+ *   res.json({ user });
+ * });
+ * ```
+ */
+export declare function getUserFromRequest(request: RequestLike, keyGetter: JWKSKeyGetter, options?: VerifyOptions): Promise<AuthUser | null>;
+/**
+ * Get auth context from a request
+ *
+ * Returns full auth context including authentication status,
+ * user info, and raw token payload.
+ *
+ * ## Token Handling
+ *
+ * | Token Type    | `isAuthenticated` | `user.role`         |
+ * |---------------|-------------------|---------------------|
+ * | No token      | `false`           | N/A (`user = null`) |
+ * | Invalid token | `false`           | N/A (`user = null`) |
+ * | Anon JWT      | `true`            | `"anon"`            |
+ * | Auth JWT      | `true`            | `"authenticated"`   |
+ * | Service JWT   | `true`            | `"service_role"`    |
+ *
+ * **Note:** `isAuthenticated = true` for anon tokens because they are
+ * valid, signed JWTs. Check `user.role` if you need to distinguish.
+ *
+ * @example
+ * ```typescript
+ * import { getAuthContext, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ * const ctx = await getAuthContext(request, getKey);
+ *
+ * if (!ctx.isAuthenticated) {
+ *   // No token or invalid token
+ * } else if (ctx.user.role === "anon") {
+ *   // Valid anon token
+ * } else {
+ *   // Authenticated or service_role
+ * }
+ * ```
+ */
+export declare function getAuthContext(request: RequestLike, keyGetter: JWKSKeyGetter, options?: VerifyOptions): Promise<AuthContext>;
+/**
+ * Require authentication for a request
+ *
+ * Throws VerifyError if not authenticated.
+ *
+ * ## Token Handling
+ *
+ * | Token Type    | Result                                          |
+ * |---------------|-------------------------------------------------|
+ * | No token      | Throws `VerifyError` (401)                      |
+ * | Invalid token | Throws `VerifyError` (401)                      |
+ * | Anon JWT      | ✅ Returns `AuthUser` with `role = "anon"`      |
+ * | Auth JWT      | ✅ Returns `AuthUser` with `role = "authenticated"` |
+ * | Service JWT   | ✅ Returns `AuthUser` with `role = "service_role"` |
+ *
+ * **Note:** Anon tokens pass because they are valid JWTs. Use `requireRole`
+ * if you need to reject anon tokens.
+ *
+ * @example
+ * ```typescript
+ * import { requireAuth, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ *
+ * try {
+ *   const user = await requireAuth(request, getKey);
+ *   // User has a valid token (anon, authenticated, or service_role)
+ * } catch (error) {
+ *   if (error instanceof VerifyError) {
+ *     return new Response(error.message, { status: error.statusCode });
+ *   }
+ * }
+ * ```
+ */
+export declare function requireAuth(request: RequestLike, keyGetter: JWKSKeyGetter, options?: VerifyOptions): Promise<AuthUser>;
+/**
+ * Require a specific role
+ *
+ * ## Token Handling
+ *
+ * | Token Type    | `requireRole(..., "authenticated")` | `requireRole(..., "service_role")` |
+ * |---------------|-------------------------------------|-----------------------------------|
+ * | No token      | Throws (401)                        | Throws (401)                      |
+ * | Invalid token | Throws (401)                        | Throws (401)                      |
+ * | Anon JWT      | Throws (403)                        | Throws (403)                      |
+ * | Auth JWT      | ✅ Returns user                     | Throws (403)                      |
+ * | Service JWT   | Throws (403)                        | ✅ Returns user                   |
+ *
+ * **Common patterns:**
+ * - `requireRole(req, key, "authenticated")` — Reject anon, require login
+ * - `requireRole(req, key, "service_role")` — Server-only / admin endpoints
+ *
+ * @example
+ * ```typescript
+ * import { requireRole, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ *
+ * // Require actual login (reject anon)
+ * const user = await requireRole(request, getKey, "authenticated");
+ *
+ * // Require service_role for admin endpoints
+ * const admin = await requireRole(request, getKey, "service_role");
+ * ```
+ */
+export declare function requireRole(request: RequestLike, keyGetter: JWKSKeyGetter, role: string): Promise<AuthUser>;
+/**
+ * Require MFA (AAL2)
+ *
+ * ## Token Handling
+ *
+ * | Token Type       | AAL Level | Result           |
+ * |------------------|-----------|------------------|
+ * | No token         | N/A       | Throws (401)     |
+ * | Invalid token    | N/A       | Throws (401)     |
+ * | Anon JWT         | aal1      | Throws (403)     |
+ * | Auth JWT         | aal1      | Throws (403)     |
+ * | Auth JWT + MFA   | aal2      | ✅ Returns user  |
+ * | Service JWT      | aal1      | Throws (403)     |
+ *
+ * **Note:** Service role tokens typically have aal1. For admin access to
+ * MFA-protected operations, check the role explicitly.
+ *
+ * @example
+ * ```typescript
+ * import { requireMfa, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ *
+ * // Require MFA for sensitive operations
+ * const user = await requireMfa(request, getKey);
+ * ```
+ */
+export declare function requireMfa(request: RequestLike, keyGetter: JWKSKeyGetter): Promise<AuthUser>;
+export {};
+//# sourceMappingURL=helpers.d.ts.map

package/dist/auth/server/helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.d.ts","sourceRoot":"","sources":["../../../src/auth/server/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,aAAa,EACnB,MAAM,aAAa,CAAC;AAErB;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,cAAc;IACd,EAAE,EAAE,MAAM,CAAC;IACX,oBAAoB;IACpB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,mBAAmB;IACnB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,gBAAgB;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,oCAAoC;IACpC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;IACrB,mBAAmB;IACnB,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,oBAAoB;IACpB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACvC;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,2CAA2C;IAC3C,eAAe,EAAE,OAAO,CAAC;IACzB,qDAAqD;IACrD,IAAI,EAAE,QAAQ,GAAG,IAAI,CAAC;IACtB,oDAAoD;IACpD,YAAY,EAAE,YAAY,GAAG,IAAI,CAAC;IAClC,+CAA+C;IAC/C,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED;;GAEG;AACH,UAAU,WAAW;IACnB,OAAO,EAAE;QACP,GAAG,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;KAClC,CAAC;CACH;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,WAAW,EACpB,SAAS,EAAE,aAAa,EACxB,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAc1B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,WAAW,EACpB,SAAS,EAAE,aAAa,EACxB,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,WAAW,CAAC,CA6BtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,WAAW,EACpB,SAAS,EAAE,aAAa,EACxB,OAAO,CAAC,EAAE,aAAa,GACtB,OAAO,CAAC,QAAQ,CAAC,CAUnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAsB,WAAW,CAC/B,OAAO,EAAE,WAAW,EACpB,SAAS,EAAE,aAAa,EACxB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,QAAQ,CAAC,CAEnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,UAAU,CAC9B,OAAO,EAAE,WAAW,EACpB,SAAS,EAAE,aAAa,GACvB,OAAO,CAAC,QAAQ,CAAC,CAEnB"}

package/dist/auth/server/helpers.js

@@ -0,0 +1,241 @@
+import { verifyToken, extractBearerToken, VerifyError, } from "./verify.js";
+/**
+ * Get authenticated user from a request
+ *
+ * Extracts and verifies the JWT from the Authorization header.
+ * Returns null if no token or invalid token.
+ *
+ * ## Token Handling
+ *
+ * | Token Type    | Result                                          |
+ * |---------------|-------------------------------------------------|
+ * | No token      | Returns `null`                                  |
+ * | Invalid token | Returns `null`                                  |
+ * | Anon JWT      | Returns `AuthUser` with `role = "anon"`         |
+ * | Auth JWT      | Returns `AuthUser` with `role = "authenticated"`|
+ * | Service JWT   | Returns `AuthUser` with `role = "service_role"` |
+ *
+ * @example
+ * ```typescript
+ * import { getUserFromRequest, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ *
+ * // Hono
+ * app.get("/api/me", async (c) => {
+ *   const user = await getUserFromRequest(c.req.raw, getKey);
+ *   if (!user) {
+ *     return c.json({ error: "Unauthorized" }, 401);
+ *   }
+ *   return c.json({ user });
+ * });
+ *
+ * // Express
+ * app.get("/api/me", async (req, res) => {
+ *   const user = await getUserFromRequest(req, getKey);
+ *   if (!user) {
+ *     return res.status(401).json({ error: "Unauthorized" });
+ *   }
+ *   res.json({ user });
+ * });
+ * ```
+ */
+export async function getUserFromRequest(request, keyGetter, options) {
+    const authHeader = request.headers.get("authorization");
+    const token = extractBearerToken(authHeader);
+    if (!token) {
+        return null;
+    }
+    try {
+        const payload = await verifyToken(token, keyGetter, options);
+        return tokenPayloadToUser(payload);
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get auth context from a request
+ *
+ * Returns full auth context including authentication status,
+ * user info, and raw token payload.
+ *
+ * ## Token Handling
+ *
+ * | Token Type    | `isAuthenticated` | `user.role`         |
+ * |---------------|-------------------|---------------------|
+ * | No token      | `false`           | N/A (`user = null`) |
+ * | Invalid token | `false`           | N/A (`user = null`) |
+ * | Anon JWT      | `true`            | `"anon"`            |
+ * | Auth JWT      | `true`            | `"authenticated"`   |
+ * | Service JWT   | `true`            | `"service_role"`    |
+ *
+ * **Note:** `isAuthenticated = true` for anon tokens because they are
+ * valid, signed JWTs. Check `user.role` if you need to distinguish.
+ *
+ * @example
+ * ```typescript
+ * import { getAuthContext, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ * const ctx = await getAuthContext(request, getKey);
+ *
+ * if (!ctx.isAuthenticated) {
+ *   // No token or invalid token
+ * } else if (ctx.user.role === "anon") {
+ *   // Valid anon token
+ * } else {
+ *   // Authenticated or service_role
+ * }
+ * ```
+ */
+export async function getAuthContext(request, keyGetter, options) {
+    const authHeader = request.headers.get("authorization");
+    const token = extractBearerToken(authHeader);
+    if (!token) {
+        return {
+            isAuthenticated: false,
+            user: null,
+            tokenPayload: null,
+            accessToken: null,
+        };
+    }
+    try {
+        const payload = await verifyToken(token, keyGetter, options);
+        return {
+            isAuthenticated: true,
+            user: tokenPayloadToUser(payload),
+            tokenPayload: payload,
+            accessToken: token,
+        };
+    }
+    catch {
+        return {
+            isAuthenticated: false,
+            user: null,
+            tokenPayload: null,
+            accessToken: null,
+        };
+    }
+}
+/**
+ * Require authentication for a request
+ *
+ * Throws VerifyError if not authenticated.
+ *
+ * ## Token Handling
+ *
+ * | Token Type    | Result                                          |
+ * |---------------|-------------------------------------------------|
+ * | No token      | Throws `VerifyError` (401)                      |
+ * | Invalid token | Throws `VerifyError` (401)                      |
+ * | Anon JWT      | ✅ Returns `AuthUser` with `role = "anon"`      |
+ * | Auth JWT      | ✅ Returns `AuthUser` with `role = "authenticated"` |
+ * | Service JWT   | ✅ Returns `AuthUser` with `role = "service_role"` |
+ *
+ * **Note:** Anon tokens pass because they are valid JWTs. Use `requireRole`
+ * if you need to reject anon tokens.
+ *
+ * @example
+ * ```typescript
+ * import { requireAuth, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ *
+ * try {
+ *   const user = await requireAuth(request, getKey);
+ *   // User has a valid token (anon, authenticated, or service_role)
+ * } catch (error) {
+ *   if (error instanceof VerifyError) {
+ *     return new Response(error.message, { status: error.statusCode });
+ *   }
+ * }
+ * ```
+ */
+export async function requireAuth(request, keyGetter, options) {
+    const authHeader = request.headers.get("authorization");
+    const token = extractBearerToken(authHeader);
+    if (!token) {
+        throw VerifyError.missingToken();
+    }
+    const payload = await verifyToken(token, keyGetter, options);
+    return tokenPayloadToUser(payload);
+}
+/**
+ * Require a specific role
+ *
+ * ## Token Handling
+ *
+ * | Token Type    | `requireRole(..., "authenticated")` | `requireRole(..., "service_role")` |
+ * |---------------|-------------------------------------|-----------------------------------|
+ * | No token      | Throws (401)                        | Throws (401)                      |
+ * | Invalid token | Throws (401)                        | Throws (401)                      |
+ * | Anon JWT      | Throws (403)                        | Throws (403)                      |
+ * | Auth JWT      | ✅ Returns user                     | Throws (403)                      |
+ * | Service JWT   | Throws (403)                        | ✅ Returns user                   |
+ *
+ * **Common patterns:**
+ * - `requireRole(req, key, "authenticated")` — Reject anon, require login
+ * - `requireRole(req, key, "service_role")` — Server-only / admin endpoints
+ *
+ * @example
+ * ```typescript
+ * import { requireRole, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ *
+ * // Require actual login (reject anon)
+ * const user = await requireRole(request, getKey, "authenticated");
+ *
+ * // Require service_role for admin endpoints
+ * const admin = await requireRole(request, getKey, "service_role");
+ * ```
+ */
+export async function requireRole(request, keyGetter, role) {
+    return requireAuth(request, keyGetter, { requiredRole: role });
+}
+/**
+ * Require MFA (AAL2)
+ *
+ * ## Token Handling
+ *
+ * | Token Type       | AAL Level | Result           |
+ * |------------------|-----------|------------------|
+ * | No token         | N/A       | Throws (401)     |
+ * | Invalid token    | N/A       | Throws (401)     |
+ * | Anon JWT         | aal1      | Throws (403)     |
+ * | Auth JWT         | aal1      | Throws (403)     |
+ * | Auth JWT + MFA   | aal2      | ✅ Returns user  |
+ * | Service JWT      | aal1      | Throws (403)     |
+ *
+ * **Note:** Service role tokens typically have aal1. For admin access to
+ * MFA-protected operations, check the role explicitly.
+ *
+ * @example
+ * ```typescript
+ * import { requireMfa, createJWKS } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createJWKS("https://stack.zenku.app", "my-tenant");
+ *
+ * // Require MFA for sensitive operations
+ * const user = await requireMfa(request, getKey);
+ * ```
+ */
+export async function requireMfa(request, keyGetter) {
+    return requireAuth(request, keyGetter, { requiredAal: "aal2" });
+}
+/**
+ * Convert token payload to AuthUser
+ */
+function tokenPayloadToUser(payload) {
+    return {
+        id: payload.sub,
+        email: payload.email ?? null,
+        phone: payload.phone ?? null,
+        role: payload.role,
+        aal: payload.aal || "aal1",
+        appMetadata: payload.app_metadata ?? {},
+        userMetadata: payload.user_metadata ?? {},
+    };
+}
+//# sourceMappingURL=helpers.js.map

package/dist/auth/server/helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../../../src/auth/server/helpers.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,kBAAkB,EAClB,WAAW,GAIZ,MAAM,aAAa,CAAC;AA6CrB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAoB,EACpB,SAAwB,EACxB,OAAuB;IAEvB,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAE7C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7D,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAoB,EACpB,SAAwB,EACxB,OAAuB;IAEvB,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAE7C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO;YACL,eAAe,EAAE,KAAK;YACtB,IAAI,EAAE,IAAI;YACV,YAAY,EAAE,IAAI;YAClB,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;QAC7D,OAAO;YACL,eAAe,EAAE,IAAI;YACrB,IAAI,EAAE,kBAAkB,CAAC,OAAO,CAAC;YACjC,YAAY,EAAE,OAAO;YACrB,WAAW,EAAE,KAAK;SACnB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,eAAe,EAAE,KAAK;YACtB,IAAI,EAAE,IAAI;YACV,YAAY,EAAE,IAAI;YAClB,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,SAAwB,EACxB,OAAuB;IAEvB,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,kBAAkB,CAAC,UAAU,CAAC,CAAC;IAE7C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,WAAW,CAAC,YAAY,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC7D,OAAO,kBAAkB,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,SAAwB,EACxB,IAAY;IAEZ,OAAO,WAAW,CAAC,OAAO,EAAE,SAAS,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;AACjE,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,OAAoB,EACpB,SAAwB;IAExB,OAAO,WAAW,CAAC,OAAO,EAAE,SAAS,EAAE,EAAE,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC;AAClE,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,OAAqB;IAC/C,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,GAAG;QACf,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI;QAC5B,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI;QAC5B,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,MAAM;QAC1B,WAAW,EAAE,OAAO,CAAC,YAAY,IAAI,EAAE;QACvC,YAAY,EAAE,OAAO,CAAC,aAAa,IAAI,EAAE;KAC1C,CAAC;AACJ,CAAC"}

package/dist/auth/server/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Backend auth utilities for server-side token verification
+ *
+ * @example
+ * ```typescript
+ * // Platform API (omit tenantId)
+ * import { createStackAuthMiddleware } from "@kaiz11/stack-client/auth/server";
+ *
+ * app.use("*", createStackAuthMiddleware({
+ *   baseUrl: "https://stack.zenku.app",
+ * }));
+ *
+ * // Tenant API (specify tenantId)
+ * app.use("*", createStackAuthMiddleware({
+ *   baseUrl: "https://stack.zenku.app",
+ *   tenantId: "acme-corp",
+ * }));
+ * ```
+ */
+export { verifyToken, extractBearerToken, createJWKS, getJWKSUrl, createRemoteJWKS, createLocalJWKS, clearJWKSCache, VerifyError, type TokenPayload, type VerifyOptions, type JWKSKeyGetter, } from "./verify.js";
+export { getUserFromRequest, getAuthContext, requireAuth, requireRole, requireMfa, type AuthUser, type AuthContext, } from "./helpers.js";
+export { createStackAuthMiddleware, optionalStackAuthMiddleware, createAuthMiddleware, optionalAuthMiddleware, requireRoleMiddleware, requireMfaMiddleware, type StackAuthMiddlewareConfig, type AuthMiddlewareConfig, type OptionalStackAuthConfig, type OptionalAuthConfig, } from "./middleware.js";
+export { fetchAnonKey, fetchAnonKeyCached, clearAnonKeyCache, buildPublicKeyUrl, AnonKeyError, } from "../../lib/keys.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/auth/server/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/auth/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EACL,WAAW,EACX,kBAAkB,EAElB,UAAU,EACV,UAAU,EAEV,gBAAgB,EAChB,eAAe,EACf,cAAc,EAEd,WAAW,EAEX,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,aAAa,GACnB,MAAM,aAAa,CAAC;AAGrB,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,WAAW,EACX,WAAW,EACX,UAAU,EACV,KAAK,QAAQ,EACb,KAAK,WAAW,GACjB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAEL,yBAAyB,EACzB,2BAA2B,EAE3B,oBAAoB,EACpB,sBAAsB,EAEtB,qBAAqB,EACrB,oBAAoB,EAEpB,KAAK,yBAAyB,EAC9B,KAAK,oBAAoB,EACzB,KAAK,uBAAuB,EAC5B,KAAK,kBAAkB,GACxB,MAAM,iBAAiB,CAAC;AAGzB,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,GACb,MAAM,mBAAmB,CAAC"}

package/dist/auth/server/index.js

@@ -0,0 +1,40 @@
+/**
+ * Backend auth utilities for server-side token verification
+ *
+ * @example
+ * ```typescript
+ * // Platform API (omit tenantId)
+ * import { createStackAuthMiddleware } from "@kaiz11/stack-client/auth/server";
+ *
+ * app.use("*", createStackAuthMiddleware({
+ *   baseUrl: "https://stack.zenku.app",
+ * }));
+ *
+ * // Tenant API (specify tenantId)
+ * app.use("*", createStackAuthMiddleware({
+ *   baseUrl: "https://stack.zenku.app",
+ *   tenantId: "acme-corp",
+ * }));
+ * ```
+ */
+// Verification
+export { verifyToken, extractBearerToken, 
+// JWKS helpers (unified)
+createJWKS, getJWKSUrl, 
+// JWKS helpers (advanced)
+createRemoteJWKS, createLocalJWKS, clearJWKSCache, 
+// Error
+VerifyError, } from "./verify.js";
+// Helpers
+export { getUserFromRequest, getAuthContext, requireAuth, requireRole, requireMfa, } from "./helpers.js";
+// Middleware
+export { 
+// Unified middleware (recommended)
+createStackAuthMiddleware, optionalStackAuthMiddleware, 
+// Advanced middleware (with custom keyGetter)
+createAuthMiddleware, optionalAuthMiddleware, 
+// Guard middleware
+requireRoleMiddleware, requireMfaMiddleware, } from "./middleware.js";
+// Key utilities (re-export from lib for convenience)
+export { fetchAnonKey, fetchAnonKeyCached, clearAnonKeyCache, buildPublicKeyUrl, AnonKeyError, } from "../../lib/keys.js";
+//# sourceMappingURL=index.js.map

package/dist/auth/server/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/auth/server/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,eAAe;AACf,OAAO,EACL,WAAW,EACX,kBAAkB;AAClB,yBAAyB;AACzB,UAAU,EACV,UAAU;AACV,0BAA0B;AAC1B,gBAAgB,EAChB,eAAe,EACf,cAAc;AACd,QAAQ;AACR,WAAW,GAKZ,MAAM,aAAa,CAAC;AAErB,UAAU;AACV,OAAO,EACL,kBAAkB,EAClB,cAAc,EACd,WAAW,EACX,WAAW,EACX,UAAU,GAGX,MAAM,cAAc,CAAC;AAEtB,aAAa;AACb,OAAO;AACL,mCAAmC;AACnC,yBAAyB,EACzB,2BAA2B;AAC3B,8CAA8C;AAC9C,oBAAoB,EACpB,sBAAsB;AACtB,mBAAmB;AACnB,qBAAqB,EACrB,oBAAoB,GAMrB,MAAM,iBAAiB,CAAC;AAEzB,qDAAqD;AACrD,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,iBAAiB,EACjB,iBAAiB,EACjB,YAAY,GACb,MAAM,mBAAmB,CAAC"}