@markwharton/pwa-core 1.5.0 → 1.7.0

package/dist/__tests__/client/api.test.js

@@ -69,6 +69,19 @@ global.fetch = mockFetch;
             await (0, vitest_1.expect)(apiCall('/api/test')).rejects.toThrow();
             (0, vitest_1.expect)(onUnauthorized).toHaveBeenCalled();
         });
+        (0, vitest_1.it)('sets custom timeout', async () => {
+            const { initApiClient, apiCall } = await Promise.resolve().then(() => __importStar(require('../../client/api')));
+            initApiClient({ getToken: () => 'token', timeout: 5000 });
+            mockFetch.mockResolvedValue({
+                ok: true,
+                text: () => Promise.resolve('{}')
+            });
+            await apiCall('/api/test');
+            // Verify signal was passed to fetch
+            (0, vitest_1.expect)(mockFetch).toHaveBeenCalledWith('/api/test', vitest_1.expect.objectContaining({
+                signal: vitest_1.expect.any(AbortSignal)
+            }));
+        });
     });
     (0, vitest_1.describe)('apiCall', () => {
         (0, vitest_1.it)('makes authenticated request', async () => {
@@ -149,6 +162,17 @@ global.fetch = mockFetch;
                 message: 'Request failed'
             });
         });
+        (0, vitest_1.it)('handles request timeout', async () => {
+            const { initApiClient, apiCall } = await Promise.resolve().then(() => __importStar(require('../../client/api')));
+            initApiClient({ getToken: () => 'token' });
+            const abortError = new Error('Aborted');
+            abortError.name = 'AbortError';
+            mockFetch.mockRejectedValue(abortError);
+            await (0, vitest_1.expect)(apiCall('/api/test')).rejects.toMatchObject({
+                status: 0,
+                message: 'Request timeout'
+            });
+        });
     });
     (0, vitest_1.describe)('HTTP method helpers', () => {
         (0, vitest_1.beforeEach)(async () => {
@@ -330,5 +354,16 @@ global.fetch = mockFetch;
             (0, vitest_1.expect)(result.ok).toBe(false);
             (0, vitest_1.expect)(result.error).toBe('Request failed');
         });
+        (0, vitest_1.it)('handles request timeout', async () => {
+            const { initApiClient, apiCallSafe } = await Promise.resolve().then(() => __importStar(require('../../client/api')));
+            initApiClient({ getToken: () => 'token' });
+            const abortError = new Error('Aborted');
+            abortError.name = 'AbortError';
+            mockFetch.mockRejectedValue(abortError);
+            const result = await apiCallSafe('/api/test');
+            (0, vitest_1.expect)(result.ok).toBe(false);
+            (0, vitest_1.expect)(result.status).toBe(0);
+            (0, vitest_1.expect)(result.error).toBe('Request timeout');
+        });
     });
 });

package/dist/__tests__/client/apiError.test.js

@@ -55,4 +55,37 @@ const apiError_1 = require("../../client/apiError");
             (0, vitest_1.expect)(new apiError_1.ApiError(500, 'Server error').isBadRequest()).toBe(false);
         });
     });
+    (0, vitest_1.describe)('isClientError', () => {
+        (0, vitest_1.it)('returns true for 4xx statuses', () => {
+            (0, vitest_1.expect)(new apiError_1.ApiError(400, 'Bad request').isClientError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(401, 'Unauthorized').isClientError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(403, 'Forbidden').isClientError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(404, 'Not found').isClientError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(422, 'Unprocessable').isClientError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(429, 'Too many requests').isClientError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(499, 'Client closed').isClientError()).toBe(true);
+        });
+        (0, vitest_1.it)('returns false for non-4xx statuses', () => {
+            (0, vitest_1.expect)(new apiError_1.ApiError(200, 'OK').isClientError()).toBe(false);
+            (0, vitest_1.expect)(new apiError_1.ApiError(301, 'Moved').isClientError()).toBe(false);
+            (0, vitest_1.expect)(new apiError_1.ApiError(500, 'Server error').isClientError()).toBe(false);
+            (0, vitest_1.expect)(new apiError_1.ApiError(0, 'Network error').isClientError()).toBe(false);
+        });
+    });
+    (0, vitest_1.describe)('isServerError', () => {
+        (0, vitest_1.it)('returns true for 5xx statuses', () => {
+            (0, vitest_1.expect)(new apiError_1.ApiError(500, 'Internal server error').isServerError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(501, 'Not implemented').isServerError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(502, 'Bad gateway').isServerError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(503, 'Service unavailable').isServerError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(504, 'Gateway timeout').isServerError()).toBe(true);
+            (0, vitest_1.expect)(new apiError_1.ApiError(599, 'Network timeout').isServerError()).toBe(true);
+        });
+        (0, vitest_1.it)('returns false for non-5xx statuses', () => {
+            (0, vitest_1.expect)(new apiError_1.ApiError(200, 'OK').isServerError()).toBe(false);
+            (0, vitest_1.expect)(new apiError_1.ApiError(400, 'Bad request').isServerError()).toBe(false);
+            (0, vitest_1.expect)(new apiError_1.ApiError(404, 'Not found').isServerError()).toBe(false);
+            (0, vitest_1.expect)(new apiError_1.ApiError(0, 'Network error').isServerError()).toBe(false);
+        });
+    });
 });

package/dist/__tests__/server/auth/token.test.js

@@ -209,4 +209,91 @@ const token_1 = require("../../../server/auth/token");
             (0, vitest_1.expect)(expiresInDays).toBe(365);
         });
     });
+    (0, vitest_1.describe)('constants', () => {
+        (0, vitest_1.it)('DEFAULT_TOKEN_EXPIRY is 7d', () => {
+            (0, vitest_1.expect)(token_1.DEFAULT_TOKEN_EXPIRY).toBe('7d');
+        });
+        (0, vitest_1.it)('DEFAULT_TOKEN_EXPIRY_SECONDS is 7 days in seconds', () => {
+            (0, vitest_1.expect)(token_1.DEFAULT_TOKEN_EXPIRY_SECONDS).toBe(7 * 24 * 60 * 60);
+            (0, vitest_1.expect)(token_1.DEFAULT_TOKEN_EXPIRY_SECONDS).toBe(604800);
+        });
+    });
+    (0, vitest_1.describe)('requireAuth', () => {
+        (0, vitest_1.it)('returns failure when no auth header', async () => {
+            const { initAuth, requireAuth } = await Promise.resolve().then(() => __importStar(require('../../../server/auth/token')));
+            initAuth(validSecret);
+            const result = requireAuth(null);
+            (0, vitest_1.expect)(result.authorized).toBe(false);
+            if (!result.authorized) {
+                (0, vitest_1.expect)(result.response.status).toBe(401);
+            }
+        });
+        (0, vitest_1.it)('returns failure when invalid token', async () => {
+            const { initAuth, requireAuth } = await Promise.resolve().then(() => __importStar(require('../../../server/auth/token')));
+            initAuth(validSecret);
+            const result = requireAuth('Bearer invalid-token');
+            (0, vitest_1.expect)(result.authorized).toBe(false);
+            if (!result.authorized) {
+                (0, vitest_1.expect)(result.response.status).toBe(401);
+            }
+        });
+        (0, vitest_1.it)('returns failure for expired token', async () => {
+            const { initAuth, requireAuth } = await Promise.resolve().then(() => __importStar(require('../../../server/auth/token')));
+            initAuth(validSecret);
+            const expiredToken = jsonwebtoken_1.default.sign({ username: 'test' }, validSecret, { expiresIn: '-1s' });
+            const result = requireAuth(`Bearer ${expiredToken}`);
+            (0, vitest_1.expect)(result.authorized).toBe(false);
+        });
+        (0, vitest_1.it)('returns success with typed payload', async () => {
+            const { initAuth, requireAuth, generateToken } = await Promise.resolve().then(() => __importStar(require('../../../server/auth/token')));
+            initAuth(validSecret);
+            const token = generateToken({ username: 'testuser' });
+            const result = requireAuth(`Bearer ${token}`);
+            (0, vitest_1.expect)(result.authorized).toBe(true);
+            if (result.authorized) {
+                (0, vitest_1.expect)(result.payload.username).toBe('testuser');
+            }
+        });
+    });
+    (0, vitest_1.describe)('requireAdmin', () => {
+        (0, vitest_1.it)('returns failure for non-admin user', async () => {
+            const { initAuth, requireAdmin, generateToken } = await Promise.resolve().then(() => __importStar(require('../../../server/auth/token')));
+            initAuth(validSecret);
+            const payload = {
+                authenticated: true,
+                tokenType: 'user',
+                role: 'viewer'
+            };
+            const token = generateToken(payload);
+            const result = requireAdmin(`Bearer ${token}`);
+            (0, vitest_1.expect)(result.authorized).toBe(false);
+            if (!result.authorized) {
+                (0, vitest_1.expect)(result.response.status).toBe(403);
+            }
+        });
+        (0, vitest_1.it)('returns success for admin user', async () => {
+            const { initAuth, requireAdmin, generateToken } = await Promise.resolve().then(() => __importStar(require('../../../server/auth/token')));
+            initAuth(validSecret);
+            const payload = {
+                authenticated: true,
+                tokenType: 'user',
+                role: 'admin'
+            };
+            const token = generateToken(payload);
+            const result = requireAdmin(`Bearer ${token}`);
+            (0, vitest_1.expect)(result.authorized).toBe(true);
+            if (result.authorized) {
+                (0, vitest_1.expect)(result.payload.role).toBe('admin');
+            }
+        });
+        (0, vitest_1.it)('returns failure when no auth header', async () => {
+            const { initAuth, requireAdmin } = await Promise.resolve().then(() => __importStar(require('../../../server/auth/token')));
+            initAuth(validSecret);
+            const result = requireAdmin(null);
+            (0, vitest_1.expect)(result.authorized).toBe(false);
+            if (!result.authorized) {
+                (0, vitest_1.expect)(result.response.status).toBe(401);
+            }
+        });
+    });
 });

package/dist/__tests__/shared/http/status.test.js

@@ -13,6 +13,8 @@ const status_1 = require("../../../shared/http/status");
         (0, vitest_1.expect)(status_1.HTTP_STATUS.NOT_FOUND).toBe(404);
         (0, vitest_1.expect)(status_1.HTTP_STATUS.CONFLICT).toBe(409);
         (0, vitest_1.expect)(status_1.HTTP_STATUS.GONE).toBe(410);
+        (0, vitest_1.expect)(status_1.HTTP_STATUS.UNPROCESSABLE_ENTITY).toBe(422);
+        (0, vitest_1.expect)(status_1.HTTP_STATUS.TOO_MANY_REQUESTS).toBe(429);
         (0, vitest_1.expect)(status_1.HTTP_STATUS.INTERNAL_ERROR).toBe(500);
         (0, vitest_1.expect)(status_1.HTTP_STATUS.SERVICE_UNAVAILABLE).toBe(503);
     });

package/dist/client/api.d.ts

@@ -1,19 +1,22 @@
 import { ApiResponse } from './types';
 /**
- * Initializes the API client with token retrieval and optional 401 handler.
+ * Initializes the API client with token retrieval and optional configuration.
  * Call once at application startup.
  * @param config - Client configuration
  * @param config.getToken - Function that returns the current auth token (or null)
  * @param config.onUnauthorized - Optional callback for 401 responses (e.g., redirect to login)
+ * @param config.timeout - Optional request timeout in milliseconds (default: 30000)
  * @example
  * initApiClient({
  *   getToken: () => localStorage.getItem('token'),
- *   onUnauthorized: () => window.location.href = '/login'
+ *   onUnauthorized: () => window.location.href = '/login',
+ *   timeout: 60000  // 60 seconds
  * });
  */
 export declare function initApiClient(config: {
     getToken: () => string | null;
     onUnauthorized?: () => void;
+    timeout?: number;
 }): void;
 /**
  * Makes an authenticated API call. Throws ApiError on non-2xx responses.
@@ -21,7 +24,7 @@ export declare function initApiClient(config: {
  * @param url - The API endpoint URL
  * @param options - Optional fetch options (method, body, headers)
  * @returns The parsed JSON response
- * @throws ApiError on non-2xx HTTP status
+ * @throws ApiError on non-2xx HTTP status or timeout
  * @example
  * const user = await apiCall<User>('/api/users/123');
  */

package/dist/client/api.js

@@ -16,21 +16,26 @@ const apiError_1 = require("./apiError");
 let getToken = null;
 // Callback for 401 responses (e.g., redirect to login)
 let onUnauthorized = null;
+// Request timeout in milliseconds (default: 30 seconds)
+let requestTimeout = 30000;
 /**
- * Initializes the API client with token retrieval and optional 401 handler.
+ * Initializes the API client with token retrieval and optional configuration.
  * Call once at application startup.
  * @param config - Client configuration
  * @param config.getToken - Function that returns the current auth token (or null)
  * @param config.onUnauthorized - Optional callback for 401 responses (e.g., redirect to login)
+ * @param config.timeout - Optional request timeout in milliseconds (default: 30000)
  * @example
  * initApiClient({
  *   getToken: () => localStorage.getItem('token'),
- *   onUnauthorized: () => window.location.href = '/login'
+ *   onUnauthorized: () => window.location.href = '/login',
+ *   timeout: 60000  // 60 seconds
  * });
  */
 function initApiClient(config) {
     getToken = config.getToken;
     onUnauthorized = config.onUnauthorized ?? null;
+    requestTimeout = config.timeout ?? 30000;
 }
 /**
  * Makes an authenticated API call. Throws ApiError on non-2xx responses.
@@ -38,7 +43,7 @@ function initApiClient(config) {
  * @param url - The API endpoint URL
  * @param options - Optional fetch options (method, body, headers)
  * @returns The parsed JSON response
- * @throws ApiError on non-2xx HTTP status
+ * @throws ApiError on non-2xx HTTP status or timeout
  * @example
  * const user = await apiCall<User>('/api/users/123');
  */
@@ -51,30 +56,48 @@ async function apiCall(url, options = {}) {
     if (token) {
         headers['Authorization'] = `Bearer ${token}`;
     }
-    const response = await fetch(url, {
-        ...options,
-        headers
-    });
-    if (!response.ok) {
-        if (response.status === 401 && onUnauthorized) {
-            onUnauthorized();
+    // Setup timeout with AbortController
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeout);
+    try {
+        const response = await fetch(url, {
+            ...options,
+            headers,
+            signal: controller.signal
+        });
+        if (!response.ok) {
+            if (response.status === 401 && onUnauthorized) {
+                onUnauthorized();
+            }
+            let errorMessage = 'Request failed';
+            try {
+                const errorData = (await response.json());
+                errorMessage = errorData.error || errorMessage;
+            }
+            catch {
+                // Ignore JSON parse errors
+            }
+            throw new apiError_1.ApiError(response.status, errorMessage);
         }
-        let errorMessage = 'Request failed';
-        try {
-            const errorData = (await response.json());
-            errorMessage = errorData.error || errorMessage;
+        // Handle empty responses
+        const text = await response.text();
+        if (!text) {
+            return {};
+        }
+        return JSON.parse(text);
+    }
+    catch (error) {
+        if (error instanceof apiError_1.ApiError) {
+            throw error;
         }
-        catch {
-            // Ignore JSON parse errors
+        if (error instanceof Error && error.name === 'AbortError') {
+            throw new apiError_1.ApiError(0, 'Request timeout');
         }
-        throw new apiError_1.ApiError(response.status, errorMessage);
+        throw error;
     }
-    // Handle empty responses
-    const text = await response.text();
-    if (!text) {
-        return {};
+    finally {
+        clearTimeout(timeoutId);
     }
-    return JSON.parse(text);
 }
 /**
  * Makes an authenticated GET request.
@@ -173,10 +196,14 @@ async function apiCallSafe(url, options = {}) {
     if (token) {
         headers['Authorization'] = `Bearer ${token}`;
     }
+    // Setup timeout with AbortController
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeout);
     try {
         const response = await fetch(url, {
             ...options,
-            headers
+            headers,
+            signal: controller.signal
         });
         if (!response.ok) {
             if (response.status === 401 && onUnauthorized) {
@@ -197,7 +224,13 @@ async function apiCallSafe(url, options = {}) {
         const data = text ? JSON.parse(text) : undefined;
         return { ok: true, status: response.status, data };
     }
-    catch {
+    catch (error) {
+        if (error instanceof Error && error.name === 'AbortError') {
+            return { ok: false, status: 0, error: 'Request timeout' };
+        }
         return { ok: false, status: 0, error: 'Network error' };
     }
+    finally {
+        clearTimeout(timeoutId);
+    }
 }

package/dist/client/apiError.d.ts

@@ -35,4 +35,14 @@ export declare class ApiError extends Error {
      * @returns True if status is 400
      */
     isBadRequest(): boolean;
+    /**
+     * Checks if this is a client error (4xx status).
+     * @returns True if status is 400-499
+     */
+    isClientError(): boolean;
+    /**
+     * Checks if this is a server error (5xx status).
+     * @returns True if status is 500-599
+     */
+    isServerError(): boolean;
 }

package/dist/client/apiError.js

@@ -47,5 +47,19 @@ class ApiError extends Error {
     isBadRequest() {
         return this.status === 400;
     }
+    /**
+     * Checks if this is a client error (4xx status).
+     * @returns True if status is 400-499
+     */
+    isClientError() {
+        return this.status >= 400 && this.status < 500;
+    }
+    /**
+     * Checks if this is a server error (5xx status).
+     * @returns True if status is 500-599
+     */
+    isServerError() {
+        return this.status >= 500 && this.status < 600;
+    }
 }
 exports.ApiError = ApiError;

package/dist/server/auth/index.d.ts

@@ -1,2 +1,3 @@
-export { initAuth, getJwtSecret, extractToken, validateToken, generateToken, generateLongLivedToken } from './token';
+export { initAuth, getJwtSecret, extractToken, validateToken, generateToken, generateLongLivedToken, requireAuth, requireAdmin, DEFAULT_TOKEN_EXPIRY, DEFAULT_TOKEN_EXPIRY_SECONDS } from './token';
+export type { AuthSuccess, AuthFailure, AuthResult } from './token';
 export { extractApiKey, hashApiKey, validateApiKey, generateApiKey } from './apiKey';

package/dist/server/auth/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateApiKey = exports.validateApiKey = exports.hashApiKey = exports.extractApiKey = exports.generateLongLivedToken = exports.generateToken = exports.validateToken = exports.extractToken = exports.getJwtSecret = exports.initAuth = void 0;
+exports.generateApiKey = exports.validateApiKey = exports.hashApiKey = exports.extractApiKey = exports.DEFAULT_TOKEN_EXPIRY_SECONDS = exports.DEFAULT_TOKEN_EXPIRY = exports.requireAdmin = exports.requireAuth = exports.generateLongLivedToken = exports.generateToken = exports.validateToken = exports.extractToken = exports.getJwtSecret = exports.initAuth = void 0;
 var token_1 = require("./token");
 Object.defineProperty(exports, "initAuth", { enumerable: true, get: function () { return token_1.initAuth; } });
 Object.defineProperty(exports, "getJwtSecret", { enumerable: true, get: function () { return token_1.getJwtSecret; } });
@@ -8,6 +8,10 @@ Object.defineProperty(exports, "extractToken", { enumerable: true, get: function
 Object.defineProperty(exports, "validateToken", { enumerable: true, get: function () { return token_1.validateToken; } });
 Object.defineProperty(exports, "generateToken", { enumerable: true, get: function () { return token_1.generateToken; } });
 Object.defineProperty(exports, "generateLongLivedToken", { enumerable: true, get: function () { return token_1.generateLongLivedToken; } });
+Object.defineProperty(exports, "requireAuth", { enumerable: true, get: function () { return token_1.requireAuth; } });
+Object.defineProperty(exports, "requireAdmin", { enumerable: true, get: function () { return token_1.requireAdmin; } });
+Object.defineProperty(exports, "DEFAULT_TOKEN_EXPIRY", { enumerable: true, get: function () { return token_1.DEFAULT_TOKEN_EXPIRY; } });
+Object.defineProperty(exports, "DEFAULT_TOKEN_EXPIRY_SECONDS", { enumerable: true, get: function () { return token_1.DEFAULT_TOKEN_EXPIRY_SECONDS; } });
 var apiKey_1 = require("./apiKey");
 Object.defineProperty(exports, "extractApiKey", { enumerable: true, get: function () { return apiKey_1.extractApiKey; } });
 Object.defineProperty(exports, "hashApiKey", { enumerable: true, get: function () { return apiKey_1.hashApiKey; } });

package/dist/server/auth/token.d.ts

@@ -1,4 +1,6 @@
+import { HttpResponseInit } from '@azure/functions';
 import { Result } from '../../types';
+import { BaseJwtPayload, RoleTokenPayload } from '../../shared/auth/types';
 /**
  * Initializes the JWT authentication system. Call once at application startup.
  * @param secret - The JWT secret key (from environment variable)
@@ -54,3 +56,47 @@ export declare function generateToken<T extends object>(payload: T, expiresIn?:
  * const apiToken = generateLongLivedToken({ machineId: 'server-1' });
  */
 export declare function generateLongLivedToken<T extends object>(payload: T, expiresInDays?: number): string;
+/**
+ * Successful auth result with typed payload.
+ */
+export interface AuthSuccess<T extends BaseJwtPayload> {
+    authorized: true;
+    payload: T;
+}
+/**
+ * Failed auth result with HTTP response.
+ */
+export interface AuthFailure {
+    authorized: false;
+    response: HttpResponseInit;
+}
+/**
+ * Discriminated union for auth results.
+ * Use `auth.authorized` to narrow the type.
+ */
+export type AuthResult<T extends BaseJwtPayload> = AuthSuccess<T> | AuthFailure;
+/** Default token expiry string for generateToken (7 days) */
+export declare const DEFAULT_TOKEN_EXPIRY = "7d";
+/** Default token expiry in seconds (7 days = 604800 seconds) */
+export declare const DEFAULT_TOKEN_EXPIRY_SECONDS: number;
+/**
+ * Validates auth header and returns typed payload or error response.
+ * @typeParam T - The expected payload type (extends BaseJwtPayload)
+ * @param authHeader - The Authorization header value
+ * @returns AuthResult with payload on success, or HTTP response on failure
+ * @example
+ * const auth = requireAuth<UsernameTokenPayload>(request.headers.get('Authorization'));
+ * if (!auth.authorized) return auth.response;
+ * console.log(auth.payload.username);
+ */
+export declare function requireAuth<T extends BaseJwtPayload>(authHeader: string | null): AuthResult<T>;
+/**
+ * Requires admin role. Use with RoleTokenPayload.
+ * @param authHeader - The Authorization header value
+ * @returns AuthResult with RoleTokenPayload on success, or HTTP response on failure
+ * @example
+ * const auth = requireAdmin(request.headers.get('Authorization'));
+ * if (!auth.authorized) return auth.response;
+ * // User is admin
+ */
+export declare function requireAdmin(authHeader: string | null): AuthResult<RoleTokenPayload>;

package/dist/server/auth/token.js

@@ -3,14 +3,19 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_TOKEN_EXPIRY_SECONDS = exports.DEFAULT_TOKEN_EXPIRY = void 0;
 exports.initAuth = initAuth;
 exports.getJwtSecret = getJwtSecret;
 exports.extractToken = extractToken;
 exports.validateToken = validateToken;
 exports.generateToken = generateToken;
 exports.generateLongLivedToken = generateLongLivedToken;
+exports.requireAuth = requireAuth;
+exports.requireAdmin = requireAdmin;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const types_1 = require("../../types");
+const types_2 = require("../../shared/auth/types");
+const responses_1 = require("../http/responses");
 /**
  * JWT token utilities - works with any payload structure
  * Use BaseJwtPayload or extend it for type safety
@@ -102,3 +107,52 @@ function generateToken(payload, expiresIn = '7d') {
 function generateLongLivedToken(payload, expiresInDays = 3650) {
     return jsonwebtoken_1.default.sign(payload, getJwtSecret(), { expiresIn: `${expiresInDays}d` });
 }
+// ============================================================================
+// Token Expiry Constants
+// ============================================================================
+/** Default token expiry string for generateToken (7 days) */
+exports.DEFAULT_TOKEN_EXPIRY = '7d';
+/** Default token expiry in seconds (7 days = 604800 seconds) */
+exports.DEFAULT_TOKEN_EXPIRY_SECONDS = 7 * 24 * 60 * 60;
+// ============================================================================
+// Auth Helpers
+// ============================================================================
+/**
+ * Validates auth header and returns typed payload or error response.
+ * @typeParam T - The expected payload type (extends BaseJwtPayload)
+ * @param authHeader - The Authorization header value
+ * @returns AuthResult with payload on success, or HTTP response on failure
+ * @example
+ * const auth = requireAuth<UsernameTokenPayload>(request.headers.get('Authorization'));
+ * if (!auth.authorized) return auth.response;
+ * console.log(auth.payload.username);
+ */
+function requireAuth(authHeader) {
+    const token = extractToken(authHeader);
+    if (!token) {
+        return { authorized: false, response: (0, responses_1.unauthorizedResponse)() };
+    }
+    const result = validateToken(token);
+    if (!result.ok) {
+        return { authorized: false, response: (0, responses_1.unauthorizedResponse)(result.error) };
+    }
+    return { authorized: true, payload: result.data };
+}
+/**
+ * Requires admin role. Use with RoleTokenPayload.
+ * @param authHeader - The Authorization header value
+ * @returns AuthResult with RoleTokenPayload on success, or HTTP response on failure
+ * @example
+ * const auth = requireAdmin(request.headers.get('Authorization'));
+ * if (!auth.authorized) return auth.response;
+ * // User is admin
+ */
+function requireAdmin(authHeader) {
+    const auth = requireAuth(authHeader);
+    if (!auth.authorized)
+        return auth;
+    if (!(0, types_2.isAdmin)(auth.payload)) {
+        return { authorized: false, response: (0, responses_1.forbiddenResponse)('Admin access required') };
+    }
+    return auth;
+}

package/dist/server/index.d.ts

@@ -1,3 +1,4 @@
-export { initAuth, getJwtSecret, extractToken, validateToken, generateToken, generateLongLivedToken, extractApiKey, hashApiKey, validateApiKey, generateApiKey } from './auth';
+export { initAuth, getJwtSecret, extractToken, validateToken, generateToken, generateLongLivedToken, requireAuth, requireAdmin, DEFAULT_TOKEN_EXPIRY, DEFAULT_TOKEN_EXPIRY_SECONDS, extractApiKey, hashApiKey, validateApiKey, generateApiKey } from './auth';
+export type { AuthSuccess, AuthFailure, AuthResult } from './auth';
 export { badRequestResponse, unauthorizedResponse, forbiddenResponse, notFoundResponse, conflictResponse, handleFunctionError, isNotFoundError, isConflictError } from './http';
 export { initStorage, initStorageFromEnv, useManagedIdentity, getTableClient, clearTableClientCache, generateRowKey } from './storage';

package/dist/server/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateRowKey = exports.clearTableClientCache = exports.getTableClient = exports.useManagedIdentity = exports.initStorageFromEnv = exports.initStorage = exports.isConflictError = exports.isNotFoundError = exports.handleFunctionError = exports.conflictResponse = exports.notFoundResponse = exports.forbiddenResponse = exports.unauthorizedResponse = exports.badRequestResponse = exports.generateApiKey = exports.validateApiKey = exports.hashApiKey = exports.extractApiKey = exports.generateLongLivedToken = exports.generateToken = exports.validateToken = exports.extractToken = exports.getJwtSecret = exports.initAuth = void 0;
+exports.generateRowKey = exports.clearTableClientCache = exports.getTableClient = exports.useManagedIdentity = exports.initStorageFromEnv = exports.initStorage = exports.isConflictError = exports.isNotFoundError = exports.handleFunctionError = exports.conflictResponse = exports.notFoundResponse = exports.forbiddenResponse = exports.unauthorizedResponse = exports.badRequestResponse = exports.generateApiKey = exports.validateApiKey = exports.hashApiKey = exports.extractApiKey = exports.DEFAULT_TOKEN_EXPIRY_SECONDS = exports.DEFAULT_TOKEN_EXPIRY = exports.requireAdmin = exports.requireAuth = exports.generateLongLivedToken = exports.generateToken = exports.validateToken = exports.extractToken = exports.getJwtSecret = exports.initAuth = void 0;
 // Auth
 var auth_1 = require("./auth");
 Object.defineProperty(exports, "initAuth", { enumerable: true, get: function () { return auth_1.initAuth; } });
@@ -9,6 +9,10 @@ Object.defineProperty(exports, "extractToken", { enumerable: true, get: function
 Object.defineProperty(exports, "validateToken", { enumerable: true, get: function () { return auth_1.validateToken; } });
 Object.defineProperty(exports, "generateToken", { enumerable: true, get: function () { return auth_1.generateToken; } });
 Object.defineProperty(exports, "generateLongLivedToken", { enumerable: true, get: function () { return auth_1.generateLongLivedToken; } });
+Object.defineProperty(exports, "requireAuth", { enumerable: true, get: function () { return auth_1.requireAuth; } });
+Object.defineProperty(exports, "requireAdmin", { enumerable: true, get: function () { return auth_1.requireAdmin; } });
+Object.defineProperty(exports, "DEFAULT_TOKEN_EXPIRY", { enumerable: true, get: function () { return auth_1.DEFAULT_TOKEN_EXPIRY; } });
+Object.defineProperty(exports, "DEFAULT_TOKEN_EXPIRY_SECONDS", { enumerable: true, get: function () { return auth_1.DEFAULT_TOKEN_EXPIRY_SECONDS; } });
 Object.defineProperty(exports, "extractApiKey", { enumerable: true, get: function () { return auth_1.extractApiKey; } });
 Object.defineProperty(exports, "hashApiKey", { enumerable: true, get: function () { return auth_1.hashApiKey; } });
 Object.defineProperty(exports, "validateApiKey", { enumerable: true, get: function () { return auth_1.validateApiKey; } });

package/dist/shared/http/status.d.ts

@@ -11,6 +11,8 @@ export declare const HTTP_STATUS: {
     readonly NOT_FOUND: 404;
     readonly CONFLICT: 409;
     readonly GONE: 410;
+    readonly UNPROCESSABLE_ENTITY: 422;
+    readonly TOO_MANY_REQUESTS: 429;
     readonly INTERNAL_ERROR: 500;
     readonly SERVICE_UNAVAILABLE: 503;
 };

package/dist/shared/http/status.js

@@ -14,6 +14,8 @@ exports.HTTP_STATUS = {
     NOT_FOUND: 404,
     CONFLICT: 409,
     GONE: 410,
+    UNPROCESSABLE_ENTITY: 422,
+    TOO_MANY_REQUESTS: 429,
     INTERNAL_ERROR: 500,
     SERVICE_UNAVAILABLE: 503
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@markwharton/pwa-core",
-  "version": "1.5.0",
+  "version": "1.7.0",
   "description": "Shared patterns for Azure PWA projects",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",