@kaiz11/stack-client 0.0.14
- package/LICENSE +32 -0
- package/README.md +586 -0
- package/dist/accounts/accounts-client.d.ts +188 -0
- package/dist/accounts/accounts-client.d.ts.map +1 -0
- package/dist/accounts/accounts-client.js +264 -0
- package/dist/accounts/accounts-client.js.map +1 -0
- package/dist/accounts/index.d.ts +8 -0
- package/dist/accounts/index.d.ts.map +1 -0
- package/dist/accounts/index.js +8 -0
- package/dist/accounts/index.js.map +1 -0
- package/dist/accounts/mock-accounts.d.ts +90 -0
- package/dist/accounts/mock-accounts.d.ts.map +1 -0
- package/dist/accounts/mock-accounts.js +434 -0
- package/dist/accounts/mock-accounts.js.map +1 -0
- package/dist/accounts/types.d.ts +180 -0
- package/dist/accounts/types.d.ts.map +1 -0
- package/dist/accounts/types.js +59 -0
- package/dist/accounts/types.js.map +1 -0
- package/dist/auth/auth-client.d.ts +224 -0
- package/dist/auth/auth-client.d.ts.map +1 -0
- package/dist/auth/auth-client.js +230 -0
- package/dist/auth/auth-client.js.map +1 -0
- package/dist/auth/base-auth.d.ts +44 -0
- package/dist/auth/base-auth.d.ts.map +1 -0
- package/dist/auth/base-auth.js +55 -0
- package/dist/auth/base-auth.js.map +1 -0
- package/dist/auth/index.d.ts +11 -0
- package/dist/auth/index.d.ts.map +1 -0
- package/dist/auth/index.js +11 -0
- package/dist/auth/index.js.map +1 -0
- package/dist/auth/methods/admin.d.ts +59 -0
- package/dist/auth/methods/admin.d.ts.map +1 -0
- package/dist/auth/methods/admin.js +55 -0
- package/dist/auth/methods/admin.js.map +1 -0
- package/dist/auth/methods/index.d.ts +9 -0
- package/dist/auth/methods/index.d.ts.map +1 -0
- package/dist/auth/methods/index.js +8 -0
- package/dist/auth/methods/index.js.map +1 -0
- package/dist/auth/methods/magic-link.d.ts +27 -0
- package/dist/auth/methods/magic-link.d.ts.map +1 -0
- package/dist/auth/methods/magic-link.js +37 -0
- package/dist/auth/methods/magic-link.js.map +1 -0
- package/dist/auth/methods/mfa.d.ts +92 -0
- package/dist/auth/methods/mfa.d.ts.map +1 -0
- package/dist/auth/methods/mfa.js +153 -0
- package/dist/auth/methods/mfa.js.map +1 -0
- package/dist/auth/methods/oauth.d.ts +62 -0
- package/dist/auth/methods/oauth.d.ts.map +1 -0
- package/dist/auth/methods/oauth.js +165 -0
- package/dist/auth/methods/oauth.js.map +1 -0
- package/dist/auth/methods/otp.d.ts +43 -0
- package/dist/auth/methods/otp.d.ts.map +1 -0
- package/dist/auth/methods/otp.js +66 -0
- package/dist/auth/methods/otp.js.map +1 -0
- package/dist/auth/methods/password.d.ts +64 -0
- package/dist/auth/methods/password.d.ts.map +1 -0
- package/dist/auth/methods/password.js +116 -0
- package/dist/auth/methods/password.js.map +1 -0
- package/dist/auth/methods/recovery.d.ts +62 -0
- package/dist/auth/methods/recovery.d.ts.map +1 -0
- package/dist/auth/methods/recovery.js +100 -0
- package/dist/auth/methods/recovery.js.map +1 -0
- package/dist/auth/mock-auth.d.ts +135 -0
- package/dist/auth/mock-auth.d.ts.map +1 -0
- package/dist/auth/mock-auth.js +417 -0
- package/dist/auth/mock-auth.js.map +1 -0
- package/dist/auth/server/helpers.d.ts +215 -0
- package/dist/auth/server/helpers.d.ts.map +1 -0
- package/dist/auth/server/helpers.js +241 -0
- package/dist/auth/server/helpers.js.map +1 -0
- package/dist/auth/server/index.d.ts +24 -0
- package/dist/auth/server/index.d.ts.map +1 -0
- package/dist/auth/server/index.js +40 -0
- package/dist/auth/server/index.js.map +1 -0
- package/dist/auth/server/middleware.d.ts +305 -0
- package/dist/auth/server/middleware.d.ts.map +1 -0
- package/dist/auth/server/middleware.js +405 -0
- package/dist/auth/server/middleware.js.map +1 -0
- package/dist/auth/server/verify.d.ts +184 -0
- package/dist/auth/server/verify.d.ts.map +1 -0
- package/dist/auth/server/verify.js +222 -0
- package/dist/auth/server/verify.js.map +1 -0
- package/dist/auth/token-manager.d.ts +94 -0
- package/dist/auth/token-manager.d.ts.map +1 -0
- package/dist/auth/token-manager.js +231 -0
- package/dist/auth/token-manager.js.map +1 -0
- package/dist/auth/types.d.ts +412 -0
- package/dist/auth/types.d.ts.map +1 -0
- package/dist/auth/types.js +66 -0
- package/dist/auth/types.js.map +1 -0
- package/dist/auth/user/identities.d.ts +62 -0
- package/dist/auth/user/identities.d.ts.map +1 -0
- package/dist/auth/user/identities.js +88 -0
- package/dist/auth/user/identities.js.map +1 -0
- package/dist/auth/user/index.d.ts +4 -0
- package/dist/auth/user/index.d.ts.map +1 -0
- package/dist/auth/user/index.js +4 -0
- package/dist/auth/user/index.js.map +1 -0
- package/dist/auth/user/user.d.ts +64 -0
- package/dist/auth/user/user.d.ts.map +1 -0
- package/dist/auth/user/user.js +105 -0
- package/dist/auth/user/user.js.map +1 -0
- package/dist/auth/user/verification.d.ts +49 -0
- package/dist/auth/user/verification.d.ts.map +1 -0
- package/dist/auth/user/verification.js +71 -0
- package/dist/auth/user/verification.js.map +1 -0
- package/dist/cli/browser.d.ts +11 -0
- package/dist/cli/browser.d.ts.map +1 -0
- package/dist/cli/browser.js +35 -0
- package/dist/cli/browser.js.map +1 -0
- package/dist/cli/callback-server.d.ts +30 -0
- package/dist/cli/callback-server.d.ts.map +1 -0
- package/dist/cli/callback-server.js +100 -0
- package/dist/cli/callback-server.js.map +1 -0
- package/dist/cli/file-token-store.d.ts +79 -0
- package/dist/cli/file-token-store.d.ts.map +1 -0
- package/dist/cli/file-token-store.js +138 -0
- package/dist/cli/file-token-store.js.map +1 -0
- package/dist/cli/index.d.ts +33 -0
- package/dist/cli/index.d.ts.map +1 -0
- package/dist/cli/index.js +38 -0
- package/dist/cli/index.js.map +1 -0
- package/dist/cli/oauth.d.ts +67 -0
- package/dist/cli/oauth.d.ts.map +1 -0
- package/dist/cli/oauth.js +101 -0
- package/dist/cli/oauth.js.map +1 -0
- package/dist/cli/pkce.d.ts +35 -0
- package/dist/cli/pkce.d.ts.map +1 -0
- package/dist/cli/pkce.js +43 -0
- package/dist/cli/pkce.js.map +1 -0
- package/dist/client.d.ts +22 -0
- package/dist/client.d.ts.map +1 -0
- package/dist/client.js +99 -0
- package/dist/client.js.map +1 -0
- package/dist/db/client.d.ts +9 -0
- package/dist/db/client.d.ts.map +1 -0
- package/dist/db/client.js +19 -0
- package/dist/db/client.js.map +1 -0
- package/dist/db/errors.d.ts +19 -0
- package/dist/db/errors.d.ts.map +1 -0
- package/dist/db/errors.js +57 -0
- package/dist/db/errors.js.map +1 -0
- package/dist/db/index.d.ts +7 -0
- package/dist/db/index.d.ts.map +1 -0
- package/dist/db/index.js +5 -0
- package/dist/db/index.js.map +1 -0
- package/dist/db/mock.d.ts +28 -0
- package/dist/db/mock.d.ts.map +1 -0
- package/dist/db/mock.js +459 -0
- package/dist/db/mock.js.map +1 -0
- package/dist/db/types.d.ts +73 -0
- package/dist/db/types.d.ts.map +1 -0
- package/dist/db/types.js +2 -0
- package/dist/db/types.js.map +1 -0
- package/dist/index.d.ts +21 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +20 -0
- package/dist/index.js.map +1 -0
- package/dist/lib/errors.d.ts +33 -0
- package/dist/lib/errors.d.ts.map +1 -0
- package/dist/lib/errors.js +76 -0
- package/dist/lib/errors.js.map +1 -0
- package/dist/lib/http.d.ts +81 -0
- package/dist/lib/http.d.ts.map +1 -0
- package/dist/lib/http.js +163 -0
- package/dist/lib/http.js.map +1 -0
- package/dist/lib/keys.d.ts +87 -0
- package/dist/lib/keys.d.ts.map +1 -0
- package/dist/lib/keys.js +147 -0
- package/dist/lib/keys.js.map +1 -0
- package/dist/lib/paths.d.ts +37 -0
- package/dist/lib/paths.d.ts.map +1 -0
- package/dist/lib/paths.js +49 -0
- package/dist/lib/paths.js.map +1 -0
- package/dist/lib/token-store.d.ts +42 -0
- package/dist/lib/token-store.d.ts.map +1 -0
- package/dist/lib/token-store.js +75 -0
- package/dist/lib/token-store.js.map +1 -0
- package/dist/mocks/handlers.d.ts +29 -0
- package/dist/mocks/handlers.d.ts.map +1 -0
- package/dist/mocks/handlers.js +79 -0
- package/dist/mocks/handlers.js.map +1 -0
- package/dist/mocks/index.d.ts +5 -0
- package/dist/mocks/index.d.ts.map +1 -0
- package/dist/mocks/index.js +9 -0
- package/dist/mocks/index.js.map +1 -0
- package/dist/mocks/responses.d.ts +76 -0
- package/dist/mocks/responses.d.ts.map +1 -0
- package/dist/mocks/responses.js +91 -0
- package/dist/mocks/responses.js.map +1 -0
- package/dist/mocks/server.d.ts +7 -0
- package/dist/mocks/server.d.ts.map +1 -0
- package/dist/mocks/server.js +9 -0
- package/dist/mocks/server.js.map +1 -0
- package/dist/mocks/state.d.ts +86 -0
- package/dist/mocks/state.d.ts.map +1 -0
- package/dist/mocks/state.js +77 -0
- package/dist/mocks/state.js.map +1 -0
- package/dist/storage/bucket-ref.d.ts +183 -0
- package/dist/storage/bucket-ref.d.ts.map +1 -0
- package/dist/storage/bucket-ref.js +529 -0
- package/dist/storage/bucket-ref.js.map +1 -0
- package/dist/storage/errors.d.ts +27 -0
- package/dist/storage/errors.d.ts.map +1 -0
- package/dist/storage/errors.js +89 -0
- package/dist/storage/errors.js.map +1 -0
- package/dist/storage/index.d.ts +13 -0
- package/dist/storage/index.d.ts.map +1 -0
- package/dist/storage/index.js +11 -0
- package/dist/storage/index.js.map +1 -0
- package/dist/storage/interface.d.ts +245 -0
- package/dist/storage/interface.d.ts.map +1 -0
- package/dist/storage/interface.js +2 -0
- package/dist/storage/interface.js.map +1 -0
- package/dist/storage/mock-storage.d.ts +67 -0
- package/dist/storage/mock-storage.d.ts.map +1 -0
- package/dist/storage/mock-storage.js +478 -0
- package/dist/storage/mock-storage.js.map +1 -0
- package/dist/storage/policies-client.d.ts +77 -0
- package/dist/storage/policies-client.d.ts.map +1 -0
- package/dist/storage/policies-client.js +115 -0
- package/dist/storage/policies-client.js.map +1 -0
- package/dist/storage/policy-templates.d.ts +6 -0
- package/dist/storage/policy-templates.d.ts.map +1 -0
- package/dist/storage/policy-templates.js +290 -0
- package/dist/storage/policy-templates.js.map +1 -0
- package/dist/storage/policy-types.d.ts +98 -0
- package/dist/storage/policy-types.d.ts.map +1 -0
- package/dist/storage/policy-types.js +20 -0
- package/dist/storage/policy-types.js.map +1 -0
- package/dist/storage/storage-client.d.ts +32 -0
- package/dist/storage/storage-client.d.ts.map +1 -0
- package/dist/storage/storage-client.js +94 -0
- package/dist/storage/storage-client.js.map +1 -0
- package/dist/storage/tus-upload.d.ts +56 -0
- package/dist/storage/tus-upload.d.ts.map +1 -0
- package/dist/storage/tus-upload.js +236 -0
- package/dist/storage/tus-upload.js.map +1 -0
- package/dist/storage/types.d.ts +335 -0
- package/dist/storage/types.d.ts.map +1 -0
- package/dist/storage/types.js +39 -0
- package/dist/storage/types.js.map +1 -0
- package/dist/test/auth/helpers.d.ts +33 -0
- package/dist/test/auth/helpers.d.ts.map +1 -0
- package/dist/test/auth/helpers.js +80 -0
- package/dist/test/auth/helpers.js.map +1 -0
- package/dist/test/helpers/jwt.d.ts +61 -0
- package/dist/test/helpers/jwt.d.ts.map +1 -0
- package/dist/test/helpers/jwt.js +132 -0
- package/dist/test/helpers/jwt.js.map +1 -0
- package/dist/test/helpers/mailpit.d.ts +61 -0
- package/dist/test/helpers/mailpit.d.ts.map +1 -0
- package/dist/test/helpers/mailpit.js +107 -0
- package/dist/test/helpers/mailpit.js.map +1 -0
- package/dist/test/setup.d.ts +2 -0
- package/dist/test/setup.d.ts.map +1 -0
- package/dist/test/setup.js +17 -0
- package/dist/test/setup.js.map +1 -0
- package/dist/types.d.ts +96 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +5 -0
- package/dist/types.js.map +1 -0
- package/package.json +78 -0
|
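--- a/package/dist/auth/server/middleware.d.ts
+++ b/package/dist/auth/server/middleware.d.ts
@@ -0,0 +1,305 @@
+import { VerifyError, type VerifyOptions, type JWKSKeyGetter } from "./verify.js";
+/**
+* Auth middleware configuration
+*/
+export interface StackAuthMiddlewareConfig {
+/** Base URL of the stack (e.g., "https://stack.zenku.app") */
+baseUrl: string;
+/** Tenant identifier (default: "_platform") */
+tenantId?: string;
+/** Verification options */
+options?: VerifyOptions;
+/** Paths to exclude from authentication (regex patterns) */
+excludePaths?: RegExp[];
+/** Custom error handler */
+onError?: (error: VerifyError) => Response;
+}
+/**
+* Advanced middleware configuration (with explicit keyGetter)
+*/
+export interface AuthMiddlewareConfig {
+/** JWKS key getter (from createRemoteJWKS or createLocalJWKS) */
+keyGetter: JWKSKeyGetter;
+/** Verification options */
+options?: VerifyOptions;
+/** Paths to exclude from authentication (regex patterns) */
+excludePaths?: RegExp[];
+/** Custom error handler */
+onError?: (error: VerifyError) => Response;
+}
+/**
+* Hono context-like interface
+*/
+interface HonoContext {
+req: {
+raw: Request;
+path: string;
+};
+set: (key: string, value: unknown) => void;
+get: (key: string) => unknown;
+json: (data: unknown, status?: number) => Response;
+}
+/**
+* Hono next function
+*/
+type HonoNext = () => Promise<Response | void>;
+/**
+* Create auth middleware for Hono
+*
+* Automatically constructs the JWKS URL from the base URL and optional tenant ID,
+* and verifies JWT tokens signed by the GoTrue instance.
+*
+* ## Token Handling
+*
+* | Token Type | Result |
+* |---------------|-------------------------------------------------|
+* | No token | 401 Unauthorized |
+* | Invalid token | 401 Unauthorized |
+* | Anon JWT | ✅ Passes, `user.role = "anon"` |
+* | Auth JWT | ✅ Passes, `user.role = "authenticated"` |
+* | Service JWT | ✅ Passes, `user.role = "service_role"` |
+*
+* **Note:** This middleware requires a valid JWT. In Supabase's model, even
+* "public" requests use the anon key. If you want to allow requests without
+* any token, use `optionalStackAuthMiddleware` instead.
+*
+* @example
+* ```typescript
+* import { Hono } from "hono";
+* import { createStackAuthMiddleware } from "@kaiz11/stack-client/auth/server";
+*
+* const app = new Hono();
+*
+* // Platform (default)
+* app.use("*", createStackAuthMiddleware({
+* baseUrl: "https://stack.zenku.app",
+* excludePaths: [/^\/health$/],
+* }));
+*
+* // Tenant
+* app.use("*", createStackAuthMiddleware({
+* baseUrl: "https://stack.zenku.app",
+* tenantId: "acme-corp",
+* excludePaths: [/^\/health$/],
+* }));
+*
+* app.get("/api/me", (c) => {
+* const user = c.get("user") as AuthUser;
+* return c.json({ user });
+* });
+* ```
+*/
+export declare function createStackAuthMiddleware(config: StackAuthMiddlewareConfig): (c: HonoContext, next: HonoNext) => Promise<Response | void>;
+/**
+* Create auth middleware for Hono (advanced)
+*
+* Use this when you need to provide a custom JWKS key getter.
+* For most cases, prefer `createStackAuthMiddleware`.
+*
+* ## Token Handling
+*
+* | Token Type | Result |
+* |---------------|-------------------------------------------------|
+* | No token | 401 Unauthorized |
+* | Invalid token | 401 Unauthorized |
+* | Anon JWT | ✅ Passes, `user.role = "anon"` |
+* | Auth JWT | ✅ Passes, `user.role = "authenticated"` |
+* | Service JWT | ✅ Passes, `user.role = "service_role"` |
+*
+* @example
+* ```typescript
+* import { Hono } from "hono";
+* import { createAuthMiddleware, createLocalJWKS } from "@kaiz11/stack-client/auth/server";
+*
+* const app = new Hono();
+*
+* // For testing with local keys
+* const keyGetter = createLocalJWKS(testJWKS);
+*
+* app.use("*", createAuthMiddleware({
+* keyGetter,
+* excludePaths: [/^\/health$/],
+* }));
+* ```
+*/
+export declare function createAuthMiddleware(config: AuthMiddlewareConfig): (c: HonoContext, next: HonoNext) => Promise<Response | void>;
+/**
+* Create role guard middleware for Hono
+*
+* Use after `createStackAuthMiddleware` to require specific roles.
+*
+* ## Token Handling (assuming auth middleware already ran)
+*
+* | Token Type | `requireRoleMiddleware("authenticated")` | `requireRoleMiddleware("service_role")` |
+* |---------------|------------------------------------------|----------------------------------------|
+* | Anon JWT | 403 Forbidden | 403 Forbidden |
+* | Auth JWT | ✅ Passes | 403 Forbidden |
+* | Service JWT | 403 Forbidden | ✅ Passes |
+*
+* **Common patterns:**
+* - `requireRoleMiddleware("authenticated")` — Reject anon, allow logged-in users
+* - `requireRoleMiddleware("service_role")` — Admin/server-only endpoints
+*
+* @example
+* ```typescript
+* import { createStackAuthMiddleware, requireRoleMiddleware } from "@kaiz11/stack-client/auth/server";
+*
+* app.use("*", createStackAuthMiddleware({ baseUrl: "https://stack.zenku.app" }));
+*
+* // Reject anon tokens, require actual login
+* app.use("/api/user/*", requireRoleMiddleware("authenticated"));
+*
+* // Admin routes require service_role
+* app.use("/admin/*", requireRoleMiddleware("service_role"));
+* ```
+*/
+export declare function requireRoleMiddleware(role: string): (c: HonoContext, next: HonoNext) => Promise<Response | void>;
+/**
+* Create MFA guard middleware for Hono
+*
+* Requires AAL2 (two-factor authentication verified in current session).
+*
+* ## Token Handling (assuming auth middleware already ran)
+*
+* | Token Type | AAL Level | Result |
+* |------------------|-----------|-------------------------------------|
+* | Anon JWT | aal1 | 403 MFA required |
+* | Auth JWT | aal1 | 403 MFA required |
+* | Auth JWT + MFA | aal2 | ✅ Passes |
+* | Service JWT | aal1 | 403 MFA required |
+*
+* **Note:** Service role tokens typically have aal1. If you need service role
+* access to MFA-protected routes, check the role explicitly instead.
+*
+* @example
+* ```typescript
+* // Sensitive routes require MFA
+* app.use("/settings/security/*", requireMfaMiddleware());
+*
+* // Or combine with role check for admin bypass
+* app.use("/settings/security/*", async (c, next) => {
+* const user = c.get("user") as AuthUser;
+* if (user.role === "service_role") return next(); // Admin bypass
+* return requireMfaMiddleware()(c, next);
+* });
+* ```
+*/
+export declare function requireMfaMiddleware(): (c: HonoContext, next: HonoNext) => Promise<Response | void>;
+/**
+* Optional auth middleware configuration
+*/
+export interface OptionalStackAuthConfig {
+/** Base URL of the stack (e.g., "https://stack.zenku.app") */
+baseUrl: string;
+/** Tenant identifier (default: "_platform") */
+tenantId?: string;
+/** Verification options */
+options?: VerifyOptions;
+/**
+* Auto-fetch anon key when no token is provided.
+*
+* When enabled, if no Authorization header is present, the middleware
+* will fetch the tenant's public anon key and use it. This ensures
+* `user` is always set (with `role = "anon"`) rather than `undefined`.
+*
+* The anon key is cached in memory (1 hour TTL) to avoid repeated fetches.
+*
+* Default: true
+*/
+autoFetchAnon?: boolean;
+}
+/**
+* Optional auth configuration (advanced)
+*/
+export interface OptionalAuthConfig {
+/** JWKS key getter (from createRemoteJWKS or createLocalJWKS) */
+keyGetter: JWKSKeyGetter;
+/** Verification options */
+options?: VerifyOptions;
+}
+/**
+* Optional auth middleware for Hono
+*
+* Attaches user info if token is present. When no token is provided,
+* automatically fetches the tenant's anon key (default behavior).
+*
+* ## Token Handling (default, autoFetchAnon = true)
+*
+* | Token Type | Result |
+* |---------------|-------------------------------------------------|
+* | No token | ✅ Auto-fetches anon key, `user.role = "anon"` |
+* | Invalid token | ✅ Falls back to anon key, `user.role = "anon"` |
+* | Anon JWT | ✅ Continues, `user.role = "anon"` |
+* | Auth JWT | ✅ Continues, `user.role = "authenticated"` |
+* | Service JWT | ✅ Continues, `user.role = "service_role"` |
+*
+* ## Token Handling (autoFetchAnon = false)
+*
+* | Token Type | Result |
+* |---------------|-------------------------------------------------|
+* | No token | ✅ Continues, `user = undefined` |
+* | Invalid token | ✅ Continues, `user = undefined` |
+* | Anon JWT | ✅ Continues, `user.role = "anon"` |
+* | Auth JWT | ✅ Continues, `user.role = "authenticated"` |
+* | Service JWT | ✅ Continues, `user.role = "service_role"` |
+*
+* **Note:** Unlike `createStackAuthMiddleware`, this never returns 401.
+* Invalid tokens fall back to anon (default) or are silently ignored.
+*
+* @example
+* ```typescript
+* import { optionalStackAuthMiddleware } from "@kaiz11/stack-client/auth/server";
+*
+* // Default: user is always set (auto-fetches anon if no token)
+* app.use("*", optionalStackAuthMiddleware({
+* baseUrl: "https://stack.zenku.app",
+* tenantId: "acme-corp",
+* }));
+*
+* // Disable auto-fetch: user may be undefined if no token
+* app.use("*", optionalStackAuthMiddleware({
+* baseUrl: "https://stack.zenku.app",
+* tenantId: "acme-corp",
+* autoFetchAnon: false,
+* }));
+*
+* app.get("/api/feed", (c) => {
+* const user = c.get("user") as AuthUser;
+* if (user.role === "authenticated") {
+* // Logged in user
+* } else {
+* // Anonymous access (anon token or auto-fetched)
+* }
+* });
+* ```
+*/
+export declare function optionalStackAuthMiddleware(config: OptionalStackAuthConfig): (c: HonoContext, next: HonoNext) => Promise<Response | void>;
+/**
+* Optional auth middleware for Hono (advanced)
+*
+* Attaches user info if token is present, but doesn't require it.
+* Use this when you need a custom JWKS key getter.
+*
+* ## Token Handling
+*
+* | Token Type | Result |
+* |---------------|-------------------------------------------------|
+* | No token | ✅ Continues, `user = undefined` |
+* | Invalid token | ✅ Continues, `user = undefined` |
+* | Anon JWT | ✅ Continues, `user.role = "anon"` |
+* | Auth JWT | ✅ Continues, `user.role = "authenticated"` |
+* | Service JWT | ✅ Continues, `user.role = "service_role"` |
+*
+* @example
+* ```typescript
+* import { optionalAuthMiddleware, createLocalJWKS } from "@kaiz11/stack-client/auth/server";
+*
+* // For testing with local keys
+* const keyGetter = createLocalJWKS(testJWKS);
+*
+* app.use("*", optionalAuthMiddleware({ keyGetter }));
+* ```
+*/
+export declare function optionalAuthMiddleware(config: OptionalAuthConfig): (c: HonoContext, next: HonoNext) => Promise<Response | void>;
+export {};
+//# sourceMappingURL=middleware.d.ts.map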
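Review bot: The `optionalStackAuthMiddleware` example (new lines 259-273) registers the middleware with `autoFetchAnon: false`, for which the table just above documents `user = undefined` on a missing or invalid token, and then reads `user.role` from `c.get("user") as AuthUser` with no guard. The example should type and check the absent case, `const user = c.get("user") as AuthUser | undefined;` and `if (user?.role === "authenticated") {`, so a copied handler does not throw on an unauthenticated request. The doc comment should also state that in both modes a handler cannot tell an invalid or expired token from no token at all, so any route that must reject bad tokens needs `createStackAuthMiddleware` or a role guard in front of it; whether the verification failure is logged is not visible in this declaration file. The `requireRoleMiddleware` and `requireMfaMiddleware` comments likewise cover only the case where an auth middleware already set `user`; a line giving the result when `user` is unset (presumably a 401 or 403, to be confirmed against middleware.js) would close that gap.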
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../../src/auth/server/middleware.ts"],"names":[],"mappings":"AAAA,OAAO,EAIL,WAAW,EAEX,KAAK,aAAa,EAClB,KAAK,aAAa,EACnB,MAAM,aAAa,CAAC;AAKrB;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,QAAQ,CAAC;CAC5C;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,iEAAiE;IACjE,SAAS,EAAE,aAAa,CAAC;IACzB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,WAAW,KAAK,QAAQ,CAAC;CAC5C;AAED;;GAEG;AACH,UAAU,WAAW;IACnB,GAAG,EAAE;QACH,GAAG,EAAE,OAAO,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;IACF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,KAAK,IAAI,CAAC;IAC3C,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;IAC9B,IAAI,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,MAAM,KAAK,QAAQ,CAAC;CACpD;AAED;;GAEG;AACH,KAAK,QAAQ,GAAG,MAAM,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC;AAE/C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,yBAAyB,OA8CxD,WAAW,QAAQ,QAAQ,KAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CArCxE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,oBAAoB,IAGjD,GAAG,WAAW,EAAE,MAAM,QAAQ,KAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAoDxE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,IAClC,GAAG,WAAW,EAAE,MAAM,QAAQ,KAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CAsBxE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,wBAAgB,oBAAoB,KACpB,GAAG,WAAW,EAAE,MAAM,QAAQ,KAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CA0BxE;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,8DAA8D;IAC9D,OAAO,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB;;;;;;;;;;OAUG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,iEAAiE;IACjE,SAAS,EAAE,aAAa,CAAC;IACzB,2BAA2
B;IAC3B,OAAO,CAAC,EAAE,aAAa,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE,uBAAuB,IAM3D,GAAG,WAAW,EAAE,MAAM,QAAQ,KAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CA6DxE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,kBAAkB,IAGjD,GAAG,WAAW,EAAE,MAAM,QAAQ,KAAG,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,CA2BxE"}
|