@lanonasis/oauth-client 1.2.8 → 2.0.3

package/dist/server/index.cjs

@@ -0,0 +1,169 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server/index.ts
+var server_exports = {};
+__export(server_exports, {
+  COOKIE_NAMES: () => COOKIE_NAMES,
+  DEFAULT_AUTH_GATEWAY: () => DEFAULT_AUTH_GATEWAY,
+  DEFAULT_COOKIE_DOMAIN: () => DEFAULT_COOKIE_DOMAIN,
+  DEFAULT_PROJECT_SCOPE: () => DEFAULT_PROJECT_SCOPE,
+  getSSOUserFromRequest: () => getSSOUserFromRequest,
+  getSessionToken: () => getSessionToken,
+  getSessionTokenFromRequest: () => getSessionTokenFromRequest,
+  hasAuthCookiesServer: () => hasAuthCookiesServer,
+  hasSSOfromRequest: () => hasSSOfromRequest,
+  hasSessionCookieServer: () => hasSessionCookieServer,
+  optionalAuth: () => optionalAuth,
+  parseCookieHeader: () => parseCookieHeader,
+  parseUserCookieServer: () => parseUserCookieServer,
+  requireAuth: () => requireAuth,
+  requireRole: () => requireRole,
+  validateSessionMiddleware: () => validateSessionMiddleware
+});
+module.exports = __toCommonJS(server_exports);
+
+// src/cookies/constants.ts
+var COOKIE_NAMES = {
+  /** HttpOnly JWT session token */
+  SESSION: "lanonasis_session",
+  /** Readable user metadata (JSON) */
+  USER: "lanonasis_user"
+};
+var DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+var DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+// src/server/cookie-utils.ts
+function parseCookieHeader(cookieHeader) {
+  if (!cookieHeader) return {};
+  const cookies = {};
+  const pairs = cookieHeader.split(";");
+  for (const pair of pairs) {
+    const [name, ...valueParts] = pair.trim().split("=");
+    if (name) {
+      cookies[name.trim()] = valueParts.join("=").trim();
+    }
+  }
+  return cookies;
+}
+function getSessionToken(cookies) {
+  if (!cookies) return null;
+  const parsed = typeof cookies === "string" ? parseCookieHeader(cookies) : cookies;
+  const token = parsed[COOKIE_NAMES.SESSION];
+  return token || null;
+}
+function parseUserCookieServer(cookies) {
+  if (!cookies) return null;
+  try {
+    const parsed = typeof cookies === "string" ? parseCookieHeader(cookies) : cookies;
+    const userCookie = parsed[COOKIE_NAMES.USER];
+    if (!userCookie) return null;
+    const decoded = decodeURIComponent(userCookie);
+    const user = JSON.parse(decoded);
+    if (!user.id || !user.email || !user.role) {
+      console.warn("[oauth-client/server] Invalid user cookie: missing required fields");
+      return null;
+    }
+    return user;
+  } catch (error) {
+    console.warn("[oauth-client/server] Failed to parse user cookie:", error);
+    return null;
+  }
+}
+function hasSessionCookieServer(cookies) {
+  if (!cookies) return false;
+  const parsed = typeof cookies === "string" ? parseCookieHeader(cookies) : cookies;
+  return COOKIE_NAMES.SESSION in parsed && !!parsed[COOKIE_NAMES.SESSION];
+}
+function hasAuthCookiesServer(cookies) {
+  return hasSessionCookieServer(cookies) && parseUserCookieServer(cookies) !== null;
+}
+function getSSOUserFromRequest(req) {
+  if (req.cookies) {
+    return parseUserCookieServer(req.cookies);
+  }
+  return parseUserCookieServer(req.headers?.cookie);
+}
+function getSessionTokenFromRequest(req) {
+  if (req.cookies) {
+    return getSessionToken(req.cookies);
+  }
+  return getSessionToken(req.headers?.cookie);
+}
+function hasSSOfromRequest(req) {
+  if (req.cookies) {
+    return hasAuthCookiesServer(req.cookies);
+  }
+  return hasAuthCookiesServer(req.headers?.cookie);
+}
+
+// src/server/middleware.ts
+function validateSessionMiddleware(config = {}) {
+  const {
+    cookieDomain = DEFAULT_COOKIE_DOMAIN,
+    allowAnonymous = false
+  } = config;
+  return (req, res, next) => {
+    if (hasSSOfromRequest(req)) {
+      const user = getSSOUserFromRequest(req);
+      if (user) {
+        req.user = user;
+        return next();
+      }
+    }
+    if (allowAnonymous) {
+      return next();
+    }
+    res.clearCookie(COOKIE_NAMES.SESSION, { domain: cookieDomain, path: "/" });
+    res.clearCookie(COOKIE_NAMES.USER, { domain: cookieDomain, path: "/" });
+    return res.status(401).json({
+      error: "Authentication required",
+      code: "AUTH_REQUIRED",
+      login_url: `${config.authGatewayUrl || DEFAULT_AUTH_GATEWAY}/web/login`
+    });
+  };
+}
+function requireAuth(config = {}) {
+  return validateSessionMiddleware({ ...config, allowAnonymous: false });
+}
+function optionalAuth(config = {}) {
+  return validateSessionMiddleware({ ...config, allowAnonymous: true });
+}
+function requireRole(role, config = {}) {
+  const roles = Array.isArray(role) ? role : [role];
+  return (req, res, next) => {
+    if (!req.user) {
+      return res.status(401).json({
+        error: "Authentication required",
+        code: "AUTH_REQUIRED",
+        login_url: `${config.authGatewayUrl || DEFAULT_AUTH_GATEWAY}/web/login`
+      });
+    }
+    if (!roles.includes(req.user.role)) {
+      return res.status(403).json({
+        error: "Insufficient permissions",
+        code: "FORBIDDEN",
+        required_role: roles,
+        current_role: req.user.role
+      });
+    }
+    return next();
+  };
+}

package/dist/server/index.d.cts

@@ -0,0 +1,184 @@
+import { d as SSOUser } from '../constants-BZPTHasL.cjs';
+export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, e as DEFAULT_COOKIE_DOMAIN, g as DEFAULT_PROJECT_SCOPE } from '../constants-BZPTHasL.cjs';
+
+/**
+ * Server-side types for SSO authentication
+ * @module @lanonasis/oauth-client/server
+ */
+
+/**
+ * Express-like request interface for middleware compatibility
+ */
+interface ServerRequest {
+    cookies?: Record<string, string>;
+    headers?: {
+        cookie?: string;
+        authorization?: string;
+        'x-api-key'?: string;
+        [key: string]: string | string[] | undefined;
+    };
+    user?: SSOUser;
+}
+/**
+ * Express-like response interface
+ */
+interface ServerResponse {
+    status: (code: number) => ServerResponse;
+    json: (data: unknown) => void;
+    clearCookie: (name: string, options?: CookieOptions) => void;
+}
+/**
+ * Express-like next function
+ */
+type NextFunction = (error?: Error) => void;
+/**
+ * Cookie options for clearCookie
+ */
+interface CookieOptions {
+    domain?: string;
+    path?: string;
+}
+/**
+ * Middleware configuration
+ */
+interface MiddlewareConfig {
+    /** Auth gateway URL for token validation */
+    authGatewayUrl?: string;
+    /** Project scope for multi-tenant auth */
+    projectScope?: string;
+    /** Cookie domain (default: .lanonasis.com) */
+    cookieDomain?: string;
+    /** Allow unauthenticated requests to pass through */
+    allowAnonymous?: boolean;
+}
+/**
+ * Validation result for auth checks
+ */
+interface AuthValidationResult {
+    valid: boolean;
+    user?: SSOUser;
+    error?: string;
+}
+
+/**
+ * Server-side cookie utilities for SSO authentication
+ * Use these utilities in Express/Node.js server middleware
+ *
+ * @module @lanonasis/oauth-client/server
+ */
+
+/**
+ * Parse cookies from a cookie string (from request headers)
+ * @param cookieHeader - The Cookie header value (e.g., "name=value; name2=value2")
+ * @returns Object mapping cookie names to values
+ */
+declare function parseCookieHeader(cookieHeader: string | undefined): Record<string, string>;
+/**
+ * Get the session token from cookies (request.cookies or cookie header)
+ * @param cookies - Parsed cookies object or cookie header string
+ * @returns The session token or null
+ */
+declare function getSessionToken(cookies: Record<string, string> | string | undefined): string | null;
+/**
+ * Parse the user cookie from server-side request
+ * @param cookies - Parsed cookies object or cookie header string
+ * @returns User data or null if cookie doesn't exist or is invalid
+ */
+declare function parseUserCookieServer(cookies: Record<string, string> | string | undefined): SSOUser | null;
+/**
+ * Check if session cookie exists in the cookies
+ * @param cookies - Parsed cookies object or cookie header string
+ * @returns true if lanonasis_session cookie exists
+ */
+declare function hasSessionCookieServer(cookies: Record<string, string> | string | undefined): boolean;
+/**
+ * Check if user appears to be authenticated based on cookies (server-side)
+ * @param cookies - Parsed cookies object or cookie header string
+ * @returns true if both session and user cookies exist
+ */
+declare function hasAuthCookiesServer(cookies: Record<string, string> | string | undefined): boolean;
+/**
+ * Get SSO user from Express request (checks req.cookies first, then cookie header)
+ * @param req - Express-like request object
+ * @returns User data or null
+ */
+declare function getSSOUserFromRequest(req: ServerRequest): SSOUser | null;
+/**
+ * Get session token from Express request
+ * @param req - Express-like request object
+ * @returns Session token or null
+ */
+declare function getSessionTokenFromRequest(req: ServerRequest): string | null;
+/**
+ * Check if request has SSO authentication
+ * @param req - Express-like request object
+ * @returns true if SSO cookies are present
+ */
+declare function hasSSOfromRequest(req: ServerRequest): boolean;
+
+/**
+ * Express middleware for SSO authentication
+ * @module @lanonasis/oauth-client/server
+ */
+
+/**
+ * Create a middleware that validates SSO session cookies
+ *
+ * @example
+ * ```typescript
+ * import { validateSessionMiddleware } from '@lanonasis/oauth-client/server';
+ *
+ * const auth = validateSessionMiddleware({
+ *   authGatewayUrl: process.env.AUTH_GATEWAY_URL,
+ *   projectScope: 'my-app'
+ * });
+ *
+ * app.use('/api', auth);
+ * ```
+ */
+declare function validateSessionMiddleware(config?: MiddlewareConfig): (req: ServerRequest, res: ServerResponse, next: NextFunction) => void;
+/**
+ * Middleware that requires authentication (returns 401 if not authenticated)
+ *
+ * @example
+ * ```typescript
+ * import { requireAuth } from '@lanonasis/oauth-client/server';
+ *
+ * app.get('/api/profile', requireAuth(), (req, res) => {
+ *   res.json({ user: req.user });
+ * });
+ * ```
+ */
+declare function requireAuth(config?: MiddlewareConfig): (req: ServerRequest, res: ServerResponse, next: NextFunction) => void;
+/**
+ * Middleware that allows anonymous access but attaches user if authenticated
+ *
+ * @example
+ * ```typescript
+ * import { optionalAuth } from '@lanonasis/oauth-client/server';
+ *
+ * app.get('/api/public', optionalAuth(), (req, res) => {
+ *   if (req.user) {
+ *     res.json({ message: `Hello ${req.user.email}` });
+ *   } else {
+ *     res.json({ message: 'Hello guest' });
+ *   }
+ * });
+ * ```
+ */
+declare function optionalAuth(config?: MiddlewareConfig): (req: ServerRequest, res: ServerResponse, next: NextFunction) => void;
+/**
+ * Middleware that requires a specific role
+ *
+ * @example
+ * ```typescript
+ * import { requireRole } from '@lanonasis/oauth-client/server';
+ *
+ * app.delete('/api/users/:id', requireRole('admin'), (req, res) => {
+ *   // Only admins can delete users
+ * });
+ * ```
+ */
+declare function requireRole(role: string | string[], config?: MiddlewareConfig): (req: ServerRequest, res: ServerResponse, next: NextFunction) => void;
+
+export { type AuthValidationResult, type CookieOptions, type MiddlewareConfig, type NextFunction, SSOUser, type ServerRequest, type ServerResponse, getSSOUserFromRequest, getSessionToken, getSessionTokenFromRequest, hasAuthCookiesServer, hasSSOfromRequest, hasSessionCookieServer, optionalAuth, parseCookieHeader, parseUserCookieServer, requireAuth, requireRole, validateSessionMiddleware };

package/dist/server/index.d.ts

@@ -0,0 +1,184 @@
+import { d as SSOUser } from '../constants-BZPTHasL.js';
+export { C as COOKIE_NAMES, D as DEFAULT_AUTH_GATEWAY, e as DEFAULT_COOKIE_DOMAIN, g as DEFAULT_PROJECT_SCOPE } from '../constants-BZPTHasL.js';
+
+/**
+ * Server-side types for SSO authentication
+ * @module @lanonasis/oauth-client/server
+ */
+
+/**
+ * Express-like request interface for middleware compatibility
+ */
+interface ServerRequest {
+    cookies?: Record<string, string>;
+    headers?: {
+        cookie?: string;
+        authorization?: string;
+        'x-api-key'?: string;
+        [key: string]: string | string[] | undefined;
+    };
+    user?: SSOUser;
+}
+/**
+ * Express-like response interface
+ */
+interface ServerResponse {
+    status: (code: number) => ServerResponse;
+    json: (data: unknown) => void;
+    clearCookie: (name: string, options?: CookieOptions) => void;
+}
+/**
+ * Express-like next function
+ */
+type NextFunction = (error?: Error) => void;
+/**
+ * Cookie options for clearCookie
+ */
+interface CookieOptions {
+    domain?: string;
+    path?: string;
+}
+/**
+ * Middleware configuration
+ */
+interface MiddlewareConfig {
+    /** Auth gateway URL for token validation */
+    authGatewayUrl?: string;
+    /** Project scope for multi-tenant auth */
+    projectScope?: string;
+    /** Cookie domain (default: .lanonasis.com) */
+    cookieDomain?: string;
+    /** Allow unauthenticated requests to pass through */
+    allowAnonymous?: boolean;
+}
+/**
+ * Validation result for auth checks
+ */
+interface AuthValidationResult {
+    valid: boolean;
+    user?: SSOUser;
+    error?: string;
+}
+
+/**
+ * Server-side cookie utilities for SSO authentication
+ * Use these utilities in Express/Node.js server middleware
+ *
+ * @module @lanonasis/oauth-client/server
+ */
+
+/**
+ * Parse cookies from a cookie string (from request headers)
+ * @param cookieHeader - The Cookie header value (e.g., "name=value; name2=value2")
+ * @returns Object mapping cookie names to values
+ */
+declare function parseCookieHeader(cookieHeader: string | undefined): Record<string, string>;
+/**
+ * Get the session token from cookies (request.cookies or cookie header)
+ * @param cookies - Parsed cookies object or cookie header string
+ * @returns The session token or null
+ */
+declare function getSessionToken(cookies: Record<string, string> | string | undefined): string | null;
+/**
+ * Parse the user cookie from server-side request
+ * @param cookies - Parsed cookies object or cookie header string
+ * @returns User data or null if cookie doesn't exist or is invalid
+ */
+declare function parseUserCookieServer(cookies: Record<string, string> | string | undefined): SSOUser | null;
+/**
+ * Check if session cookie exists in the cookies
+ * @param cookies - Parsed cookies object or cookie header string
+ * @returns true if lanonasis_session cookie exists
+ */
+declare function hasSessionCookieServer(cookies: Record<string, string> | string | undefined): boolean;
+/**
+ * Check if user appears to be authenticated based on cookies (server-side)
+ * @param cookies - Parsed cookies object or cookie header string
+ * @returns true if both session and user cookies exist
+ */
+declare function hasAuthCookiesServer(cookies: Record<string, string> | string | undefined): boolean;
+/**
+ * Get SSO user from Express request (checks req.cookies first, then cookie header)
+ * @param req - Express-like request object
+ * @returns User data or null
+ */
+declare function getSSOUserFromRequest(req: ServerRequest): SSOUser | null;
+/**
+ * Get session token from Express request
+ * @param req - Express-like request object
+ * @returns Session token or null
+ */
+declare function getSessionTokenFromRequest(req: ServerRequest): string | null;
+/**
+ * Check if request has SSO authentication
+ * @param req - Express-like request object
+ * @returns true if SSO cookies are present
+ */
+declare function hasSSOfromRequest(req: ServerRequest): boolean;
+
+/**
+ * Express middleware for SSO authentication
+ * @module @lanonasis/oauth-client/server
+ */
+
+/**
+ * Create a middleware that validates SSO session cookies
+ *
+ * @example
+ * ```typescript
+ * import { validateSessionMiddleware } from '@lanonasis/oauth-client/server';
+ *
+ * const auth = validateSessionMiddleware({
+ *   authGatewayUrl: process.env.AUTH_GATEWAY_URL,
+ *   projectScope: 'my-app'
+ * });
+ *
+ * app.use('/api', auth);
+ * ```
+ */
+declare function validateSessionMiddleware(config?: MiddlewareConfig): (req: ServerRequest, res: ServerResponse, next: NextFunction) => void;
+/**
+ * Middleware that requires authentication (returns 401 if not authenticated)
+ *
+ * @example
+ * ```typescript
+ * import { requireAuth } from '@lanonasis/oauth-client/server';
+ *
+ * app.get('/api/profile', requireAuth(), (req, res) => {
+ *   res.json({ user: req.user });
+ * });
+ * ```
+ */
+declare function requireAuth(config?: MiddlewareConfig): (req: ServerRequest, res: ServerResponse, next: NextFunction) => void;
+/**
+ * Middleware that allows anonymous access but attaches user if authenticated
+ *
+ * @example
+ * ```typescript
+ * import { optionalAuth } from '@lanonasis/oauth-client/server';
+ *
+ * app.get('/api/public', optionalAuth(), (req, res) => {
+ *   if (req.user) {
+ *     res.json({ message: `Hello ${req.user.email}` });
+ *   } else {
+ *     res.json({ message: 'Hello guest' });
+ *   }
+ * });
+ * ```
+ */
+declare function optionalAuth(config?: MiddlewareConfig): (req: ServerRequest, res: ServerResponse, next: NextFunction) => void;
+/**
+ * Middleware that requires a specific role
+ *
+ * @example
+ * ```typescript
+ * import { requireRole } from '@lanonasis/oauth-client/server';
+ *
+ * app.delete('/api/users/:id', requireRole('admin'), (req, res) => {
+ *   // Only admins can delete users
+ * });
+ * ```
+ */
+declare function requireRole(role: string | string[], config?: MiddlewareConfig): (req: ServerRequest, res: ServerResponse, next: NextFunction) => void;
+
+export { type AuthValidationResult, type CookieOptions, type MiddlewareConfig, type NextFunction, SSOUser, type ServerRequest, type ServerResponse, getSSOUserFromRequest, getSessionToken, getSessionTokenFromRequest, hasAuthCookiesServer, hasSSOfromRequest, hasSessionCookieServer, optionalAuth, parseCookieHeader, parseUserCookieServer, requireAuth, requireRole, validateSessionMiddleware };

package/dist/server/index.mjs

@@ -0,0 +1,146 @@
+// src/cookies/constants.ts
+var COOKIE_NAMES = {
+  /** HttpOnly JWT session token */
+  SESSION: "lanonasis_session",
+  /** Readable user metadata (JSON) */
+  USER: "lanonasis_user"
+};
+var DEFAULT_COOKIE_DOMAIN = ".lanonasis.com";
+var DEFAULT_AUTH_GATEWAY = "https://auth.lanonasis.com";
+var DEFAULT_PROJECT_SCOPE = "lanonasis-maas";
+
+// src/server/cookie-utils.ts
+function parseCookieHeader(cookieHeader) {
+  if (!cookieHeader) return {};
+  const cookies = {};
+  const pairs = cookieHeader.split(";");
+  for (const pair of pairs) {
+    const [name, ...valueParts] = pair.trim().split("=");
+    if (name) {
+      cookies[name.trim()] = valueParts.join("=").trim();
+    }
+  }
+  return cookies;
+}
+function getSessionToken(cookies) {
+  if (!cookies) return null;
+  const parsed = typeof cookies === "string" ? parseCookieHeader(cookies) : cookies;
+  const token = parsed[COOKIE_NAMES.SESSION];
+  return token || null;
+}
+function parseUserCookieServer(cookies) {
+  if (!cookies) return null;
+  try {
+    const parsed = typeof cookies === "string" ? parseCookieHeader(cookies) : cookies;
+    const userCookie = parsed[COOKIE_NAMES.USER];
+    if (!userCookie) return null;
+    const decoded = decodeURIComponent(userCookie);
+    const user = JSON.parse(decoded);
+    if (!user.id || !user.email || !user.role) {
+      console.warn("[oauth-client/server] Invalid user cookie: missing required fields");
+      return null;
+    }
+    return user;
+  } catch (error) {
+    console.warn("[oauth-client/server] Failed to parse user cookie:", error);
+    return null;
+  }
+}
+function hasSessionCookieServer(cookies) {
+  if (!cookies) return false;
+  const parsed = typeof cookies === "string" ? parseCookieHeader(cookies) : cookies;
+  return COOKIE_NAMES.SESSION in parsed && !!parsed[COOKIE_NAMES.SESSION];
+}
+function hasAuthCookiesServer(cookies) {
+  return hasSessionCookieServer(cookies) && parseUserCookieServer(cookies) !== null;
+}
+function getSSOUserFromRequest(req) {
+  if (req.cookies) {
+    return parseUserCookieServer(req.cookies);
+  }
+  return parseUserCookieServer(req.headers?.cookie);
+}
+function getSessionTokenFromRequest(req) {
+  if (req.cookies) {
+    return getSessionToken(req.cookies);
+  }
+  return getSessionToken(req.headers?.cookie);
+}
+function hasSSOfromRequest(req) {
+  if (req.cookies) {
+    return hasAuthCookiesServer(req.cookies);
+  }
+  return hasAuthCookiesServer(req.headers?.cookie);
+}
+
+// src/server/middleware.ts
+function validateSessionMiddleware(config = {}) {
+  const {
+    cookieDomain = DEFAULT_COOKIE_DOMAIN,
+    allowAnonymous = false
+  } = config;
+  return (req, res, next) => {
+    if (hasSSOfromRequest(req)) {
+      const user = getSSOUserFromRequest(req);
+      if (user) {
+        req.user = user;
+        return next();
+      }
+    }
+    if (allowAnonymous) {
+      return next();
+    }
+    res.clearCookie(COOKIE_NAMES.SESSION, { domain: cookieDomain, path: "/" });
+    res.clearCookie(COOKIE_NAMES.USER, { domain: cookieDomain, path: "/" });
+    return res.status(401).json({
+      error: "Authentication required",
+      code: "AUTH_REQUIRED",
+      login_url: `${config.authGatewayUrl || DEFAULT_AUTH_GATEWAY}/web/login`
+    });
+  };
+}
+function requireAuth(config = {}) {
+  return validateSessionMiddleware({ ...config, allowAnonymous: false });
+}
+function optionalAuth(config = {}) {
+  return validateSessionMiddleware({ ...config, allowAnonymous: true });
+}
+function requireRole(role, config = {}) {
+  const roles = Array.isArray(role) ? role : [role];
+  return (req, res, next) => {
+    if (!req.user) {
+      return res.status(401).json({
+        error: "Authentication required",
+        code: "AUTH_REQUIRED",
+        login_url: `${config.authGatewayUrl || DEFAULT_AUTH_GATEWAY}/web/login`
+      });
+    }
+    if (!roles.includes(req.user.role)) {
+      return res.status(403).json({
+        error: "Insufficient permissions",
+        code: "FORBIDDEN",
+        required_role: roles,
+        current_role: req.user.role
+      });
+    }
+    return next();
+  };
+}
+export {
+  COOKIE_NAMES,
+  DEFAULT_AUTH_GATEWAY,
+  DEFAULT_COOKIE_DOMAIN,
+  DEFAULT_PROJECT_SCOPE,
+  getSSOUserFromRequest,
+  getSessionToken,
+  getSessionTokenFromRequest,
+  hasAuthCookiesServer,
+  hasSSOfromRequest,
+  hasSessionCookieServer,
+  optionalAuth,
+  parseCookieHeader,
+  parseUserCookieServer,
+  requireAuth,
+  requireRole,
+  validateSessionMiddleware
+};