@meistrari/auth-nuxt 1.1.0 → 2.0.0

package/dist/module.d.mts

@@ -16,6 +16,10 @@ interface ModuleOptions {
         applicationId: string;
         /** The redirect URI to redirect to after authentication. Must be registered in the application's settings. */
         redirectUri: string;
+        /** Path to redirect to when authentication is required (default: '/login') */
+        loginPath?: string;
+        /** Path to redirect to when user lacks required role (default: '/unauthorized') */
+        unauthorizedPath?: string;
     };
 }
 declare const _default: _nuxt_schema.NuxtModule<ModuleOptions, ModuleOptions, false>;

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "@meistrari/auth-nuxt",
   "configKey": "telaAuth",
-  "version": "1.1.0",
+  "version": "2.0.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,4 +1,4 @@
-import { defineNuxtModule, createResolver, addImports, addPlugin, addServerHandler } from '@nuxt/kit';
+import { defineNuxtModule, createResolver, addImports, addPlugin, extendPages, addComponent, addServerImportsDir, addServerHandler } from '@nuxt/kit';
 
 const module$1 = defineNuxtModule({
   meta: {
@@ -19,6 +19,33 @@ const module$1 = defineNuxtModule({
         from: resolver.resolve("runtime/composables/application-auth")
       });
       addPlugin(resolver.resolve("./runtime/plugins/application-token-refresh"));
+      extendPages((pages) => {
+        pages.unshift({
+          name: "auth-callback",
+          path: "/auth/callback",
+          file: resolver.resolve("./runtime/pages/callback.vue")
+        });
+      });
+      addComponent({
+        name: "TelaRole",
+        filePath: resolver.resolve("./runtime/components/tela-role.vue"),
+        global: true,
+        export: "default"
+      });
+      nuxt.hook("prepare:types", ({ references }) => {
+        references.push({
+          path: resolver.resolve("./runtime/types/page-meta.d.ts")
+        });
+      });
+      addPlugin(resolver.resolve("./runtime/plugins/auth-guard"));
+      addPlugin(resolver.resolve("./runtime/plugins/directives"));
+      addServerImportsDir(resolver.resolve("./runtime/server/utils"));
+      if (!options.skipServerMiddleware) {
+        addServerHandler({
+          route: "",
+          handler: resolver.resolve("./runtime/server/middleware/application-auth")
+        });
+      }
       return;
     }
     if (!options.skipServerMiddleware) {

package/dist/runtime/components/tela-role.d.vue.ts

@@ -0,0 +1,23 @@
+type __VLS_Props = {
+    allowedRoles: string[];
+};
+declare var __VLS_1: {
+    role: any;
+}, __VLS_3: {
+    role: any;
+}, __VLS_5: {};
+type __VLS_Slots = {} & {
+    default?: (props: typeof __VLS_1) => any;
+} & {
+    'not-authorized'?: (props: typeof __VLS_3) => any;
+} & {
+    'logged-out'?: (props: typeof __VLS_5) => any;
+};
+declare const __VLS_component: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+declare const _default: __VLS_WithSlots<typeof __VLS_component, __VLS_Slots>;
+export default _default;
+type __VLS_WithSlots<T, S> = T & {
+    new (): {
+        $slots: S;
+    };
+};

package/dist/runtime/components/tela-role.vue

@@ -0,0 +1,15 @@
+<script setup>
+import { useTelaApplicationAuth } from "../composables/application-auth";
+const { user } = useTelaApplicationAuth();
+defineProps({
+  allowedRoles: { type: Array, required: true }
+});
+</script>
+
+<template>
+  <template v-if="user">
+    <slot v-if="user.role && allowedRoles.includes(user.role)" :role="user.role" />
+    <slot v-else name="not-authorized" :role="user.role" />
+  </template>
+  <slot v-else name="logged-out" />
+</template>

package/dist/runtime/components/tela-role.vue.d.ts

@@ -0,0 +1,23 @@
+type __VLS_Props = {
+    allowedRoles: string[];
+};
+declare var __VLS_1: {
+    role: any;
+}, __VLS_3: {
+    role: any;
+}, __VLS_5: {};
+type __VLS_Slots = {} & {
+    default?: (props: typeof __VLS_1) => any;
+} & {
+    'not-authorized'?: (props: typeof __VLS_3) => any;
+} & {
+    'logged-out'?: (props: typeof __VLS_5) => any;
+};
+declare const __VLS_component: import("vue").DefineComponent<__VLS_Props, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<__VLS_Props> & Readonly<{}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, false, {}, any>;
+declare const _default: __VLS_WithSlots<typeof __VLS_component, __VLS_Slots>;
+export default _default;
+type __VLS_WithSlots<T, S> = T & {
+    new (): {
+        $slots: S;
+    };
+};

package/dist/runtime/composables/application-auth.d.ts

@@ -36,34 +36,6 @@ export declare function useTelaApplicationAuth(): {
     login: () => Promise<void>;
     logout: () => Promise<void>;
     initSession: () => Promise<void>;
-    user: import("vue").Ref<{
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-        twoFactorEnabled: boolean | null | undefined;
-        banned: boolean | null | undefined;
-        role?: string | null | undefined;
-        banReason?: string | null | undefined;
-        banExpires?: Date | null | undefined;
-        lastActiveAt?: Date | null | undefined;
-    } | null, {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-        twoFactorEnabled: boolean | null | undefined;
-        banned: boolean | null | undefined;
-        role?: string | null | undefined;
-        banReason?: string | null | undefined;
-        banExpires?: Date | null | undefined;
-        lastActiveAt?: Date | null | undefined;
-    } | null>;
-    activeOrganization: import("vue").Ref<Omit<import("@meistrari/auth-core").FullOrganization, "members" | "invitations" | "teams"> | null, Omit<import("@meistrari/auth-core").FullOrganization, "members" | "invitations" | "teams"> | null>;
+    user: import("vue").Ref<any, any>;
+    activeOrganization: import("vue").Ref<Omit<FullOrganization, "members" | "invitations" | "teams"> | null, Omit<FullOrganization, "members" | "invitations" | "teams"> | null>;
 };

package/dist/runtime/composables/state.d.ts

@@ -1,101 +1,20 @@
-import type { FullOrganization, Member } from '@meistrari/auth-core';
 /**
  * Shared state for session management.
  * This module provides access to session-related state without creating circular dependencies.
  */
 export declare function useSessionState(): {
-    user: import("vue").Ref<{
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-        twoFactorEnabled: boolean | null | undefined;
-        banned: boolean | null | undefined;
-        role?: string | null | undefined;
-        banReason?: string | null | undefined;
-        banExpires?: Date | null | undefined;
-        lastActiveAt?: Date | null | undefined;
-    } | null, {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-        twoFactorEnabled: boolean | null | undefined;
-        banned: boolean | null | undefined;
-        role?: string | null | undefined;
-        banReason?: string | null | undefined;
-        banExpires?: Date | null | undefined;
-        lastActiveAt?: Date | null | undefined;
-    } | null>;
-    session: import("vue").Ref<{
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        userId: string;
-        expiresAt: Date;
-        token: string;
-        ipAddress?: string | null | undefined;
-        userAgent?: string | null | undefined;
-        activeOrganizationId?: string | null | undefined;
-        activeTeamId?: string | null | undefined;
-        impersonatedBy?: string | null | undefined;
-    } | null, {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        userId: string;
-        expiresAt: Date;
-        token: string;
-        ipAddress?: string | null | undefined;
-        userAgent?: string | null | undefined;
-        activeOrganizationId?: string | null | undefined;
-        activeTeamId?: string | null | undefined;
-        impersonatedBy?: string | null | undefined;
-    } | null>;
+    user: import("vue").Ref<any, any>;
+    session: import("vue").Ref<any, any>;
 };
 /**
  * Shared state for organization management.
  * This module provides access to organization-related state without creating circular dependencies.
  */
 export declare function useOrganizationState(): {
-    activeOrganization: import("vue").Ref<FullOrganization | null, FullOrganization | null>;
-    activeMember: import("vue").Ref<Member | null, Member | null>;
+    activeOrganization: import("vue").Ref<any, any>;
+    activeMember: import("vue").Ref<any, any>;
 };
 export declare function useApplicationSessionState(): {
-    user: import("vue").Ref<{
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-        twoFactorEnabled: boolean | null | undefined;
-        banned: boolean | null | undefined;
-        role?: string | null | undefined;
-        banReason?: string | null | undefined;
-        banExpires?: Date | null | undefined;
-        lastActiveAt?: Date | null | undefined;
-    } | null, {
-        id: string;
-        createdAt: Date;
-        updatedAt: Date;
-        email: string;
-        emailVerified: boolean;
-        name: string;
-        image?: string | null | undefined;
-        twoFactorEnabled: boolean | null | undefined;
-        banned: boolean | null | undefined;
-        role?: string | null | undefined;
-        banReason?: string | null | undefined;
-        banExpires?: Date | null | undefined;
-        lastActiveAt?: Date | null | undefined;
-    } | null>;
+    user: import("vue").Ref<any, any>;
     activeOrganization: import("vue").Ref<Omit<FullOrganization, "members" | "invitations" | "teams"> | null, Omit<FullOrganization, "members" | "invitations" | "teams"> | null>;
 };

package/dist/runtime/pages/callback.d.vue.ts

@@ -0,0 +1,2 @@
+declare const _default: import("vue").DefineComponent<{}, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<{}> & Readonly<{}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, true, {}, any>;
+export default _default;

package/dist/runtime/pages/callback.vue

@@ -0,0 +1,27 @@
+<script setup>
+import { navigateTo, useRuntimeConfig } from "#app";
+import { onMounted } from "vue";
+import { useTelaApplicationAuth } from "../composables/application-auth";
+const { initSession } = useTelaApplicationAuth();
+const config = useRuntimeConfig();
+const authConfig = config.public.telaAuth;
+const loginPath = authConfig.application?.loginPath ?? "/login";
+onMounted(async () => {
+  try {
+    await initSession();
+    navigateTo("/");
+  } catch (error) {
+    console.error("Session initialization failed:", error);
+    navigateTo({
+      path: loginPath,
+      query: { error: "session_failed" }
+    });
+  }
+});
+</script>
+
+<template>
+  <div class="flex items-center justify-center min-h-screen">
+    <h1>Loading...</h1>
+  </div>
+</template>

package/dist/runtime/pages/callback.vue.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("vue").DefineComponent<{}, {}, {}, {}, {}, import("vue").ComponentOptionsMixin, import("vue").ComponentOptionsMixin, {}, string, import("vue").PublicProps, Readonly<{}> & Readonly<{}>, {}, {}, {}, {}, string, import("vue").ComponentProvideOptions, true, {}, any>;
+export default _default;

package/dist/runtime/plugins/auth-guard.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Client-side authentication guard plugin
+ *
+ * This plugin provides UX-level route protection by checking JWT tokens client-side
+ * and redirecting users before they navigate to protected routes. This creates a smooth
+ * user experience by avoiding unnecessary page loads.
+ *
+ * SECURITY NOTE: This is NOT the primary security layer. The client-side JWT decoding
+ * is for UX purposes only. Actual cryptographic verification happens server-side in:
+ * - application-auth.ts: Server middleware that verifies JWTs for all /api routes
+ * - require-auth.ts: Server utility for protecting individual API route handlers
+ *
+ * An attacker could bypass this client-side check, but they cannot bypass the server-side
+ * verification which cryptographically validates the JWT signature using JWKS.
+ *
+ * This follows a defense-in-depth approach:
+ * 1. Client-side (this file): Fast UX-level routing decisions
+ * 2. Server middleware: Automatic JWT verification for all API routes
+ * 3. Route handlers: Explicit role checks in sensitive endpoints
+ */
+declare const _default: import("#app").Plugin<Record<string, unknown>> & import("#app").ObjectPlugin<Record<string, unknown>>;
+export default _default;

package/dist/runtime/plugins/auth-guard.js

@@ -0,0 +1,39 @@
+import { addRouteMiddleware, defineNuxtPlugin, navigateTo, useCookie, useRuntimeConfig } from "#app";
+import { decodeJwt } from "jose";
+export default defineNuxtPlugin(() => {
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const loginPath = authConfig.application?.loginPath ?? "/login";
+  const unauthorizedPath = authConfig.application?.unauthorizedPath ?? "/unauthorized";
+  addRouteMiddleware("auth-guard", (to) => {
+    const authMeta = to.meta?.auth;
+    if (!authMeta || authMeta.required !== true) {
+      return;
+    }
+    const token = useCookie("tela-access-token");
+    if (!token.value) {
+      return navigateTo({
+        path: loginPath,
+        query: { redirect: to.fullPath }
+      });
+    }
+    if (authMeta.roles && authMeta.roles.length > 0) {
+      try {
+        const payload = decodeJwt(token.value);
+        const userRole = payload.user?.role;
+        if (!userRole || !authMeta.roles.includes(userRole)) {
+          return navigateTo({
+            path: unauthorizedPath,
+            query: { redirect: to.fullPath }
+          });
+        }
+      } catch (error) {
+        console.error("Failed to decode token:", error);
+        return navigateTo({
+          path: loginPath,
+          query: { redirect: to.fullPath }
+        });
+      }
+    }
+  }, { global: true });
+});

package/dist/runtime/plugins/directives.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Plugin to register custom role-based directives
+ *
+ * Provides:
+ * - v-if-role: Conditionally renders element (like v-if) based on user role
+ * - v-show-role: Conditionally shows element (like v-show) based on user role
+ *
+ * @example
+ * ```vue
+ * <!-- Single role -->
+ * <button v-if-role="'admin'">Admin Only</button>
+ * <div v-show-role="'moderator'">Moderator Panel</div>
+ *
+ * <!-- Multiple roles -->
+ * <button v-if-role="['admin', 'moderator']">Admin or Moderator</button>
+ * <div v-show-role="['editor', 'writer']">Content Panel</div>
+ * ```
+ */
+declare const _default: import("#app").Plugin<Record<string, unknown>> & import("#app").ObjectPlugin<Record<string, unknown>>;
+export default _default;

package/dist/runtime/plugins/directives.js

@@ -0,0 +1,63 @@
+import { defineNuxtPlugin } from "#app";
+import { useApplicationSessionState } from "../composables/state.js";
+function hasRole(allowedRoles) {
+  const { user } = useApplicationSessionState();
+  if (!user.value?.role) {
+    return false;
+  }
+  const roles = Array.isArray(allowedRoles) ? allowedRoles : [allowedRoles];
+  return roles.includes(user.value.role);
+}
+export default defineNuxtPlugin((nuxtApp) => {
+  nuxtApp.vueApp.directive("if-role", {
+    mounted(el, binding) {
+      const shouldRender = hasRole(binding.value);
+      if (!shouldRender) {
+        const comment = document.createComment("v-if-role");
+        el.parentNode?.replaceChild(comment, el);
+        comment.__vIfRoleElement = el;
+      }
+    },
+    updated(el, binding) {
+      const shouldRender = hasRole(binding.value);
+      const isComment = el.nodeType === 8;
+      if (shouldRender && isComment) {
+        const originalElement = el.__vIfRoleElement;
+        if (originalElement && originalElement.parentNode === null) {
+          el.parentNode?.replaceChild(originalElement, el);
+        }
+      } else if (!shouldRender && !isComment) {
+        const comment = document.createComment("v-if-role");
+        el.parentNode?.replaceChild(comment, el);
+        comment.__vIfRoleElement = el;
+      }
+    },
+    unmounted(el) {
+      if (el.nodeType === 8) {
+        delete el.__vIfRoleElement;
+      }
+    }
+  });
+  nuxtApp.vueApp.directive("show-role", {
+    mounted(el, binding) {
+      const shouldShow = hasRole(binding.value);
+      if (!shouldShow) {
+        ;
+        el.__vOriginalDisplay = el.style.display;
+        el.style.display = "none";
+      }
+    },
+    updated(el, binding) {
+      const shouldShow = hasRole(binding.value);
+      if (shouldShow) {
+        el.style.display = el.__vOriginalDisplay || "";
+      } else {
+        if (!el.__vOriginalDisplay && el.style.display !== "none") {
+          ;
+          el.__vOriginalDisplay = el.style.display;
+        }
+        el.style.display = "none";
+      }
+    }
+  });
+});

package/dist/runtime/server/middleware/application-auth.d.ts

@@ -0,0 +1,4 @@
+import type { AuthenticatedH3Event } from '../types/h3.js';
+export declare function meistrariApplicationAuthMiddleware(callback: (event: AuthenticatedH3Event) => void | Promise<void>): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
+export default _default;

package/dist/runtime/server/middleware/application-auth.js

@@ -0,0 +1,49 @@
+import { useRuntimeConfig } from "#build/types/nitro-imports";
+import { defineEventHandler, getCookie } from "h3";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+async function setApplicationAuthContext(event) {
+  event.context.auth = {
+    user: null,
+    workspace: null,
+    token: null
+  };
+  const token = getCookie(event, "tela-access-token");
+  if (!token) {
+    return;
+  }
+  const authConfig = useRuntimeConfig(event).public.telaAuth;
+  const { apiUrl, application } = authConfig;
+  const { applicationId } = application ?? {};
+  if (!applicationId || !apiUrl) {
+    return;
+  }
+  try {
+    const payload = await jwtVerify(
+      token,
+      createRemoteJWKSet(new URL("/.well-known/jwks.json", apiUrl)),
+      {
+        issuer: apiUrl,
+        audience: applicationId,
+        algorithms: ["RS256"]
+      }
+    ).then(({ payload: payload2 }) => payload2);
+    event.context.auth = {
+      user: { ...payload.user, email: payload.email },
+      workspace: payload.workspace,
+      token
+    };
+  } catch {
+  }
+}
+export function meistrariApplicationAuthMiddleware(callback) {
+  return defineEventHandler(async (event) => {
+    await setApplicationAuthContext(event);
+    await callback(event);
+  });
+}
+export default defineEventHandler(async (event) => {
+  if (!event.path.startsWith("/api")) {
+    return;
+  }
+  await setApplicationAuthContext(event);
+});

package/dist/runtime/server/types/h3.d.ts

@@ -6,6 +6,7 @@ declare module 'h3' {
         auth?: {
             user: { email: string } & JWTTokenPayload['user'] | null
             workspace: JWTTokenPayload['workspace'] | null
+            token?: string
         }
     }
 }
@@ -14,6 +15,7 @@ export interface AuthenticatedH3EventContext extends H3EventContext {
     auth: {
         user: { email: string } & JWTTokenPayload['user'] | null
         workspace: JWTTokenPayload['workspace'] | null
+        token?: string
     }
 }
 

package/dist/runtime/server/utils/require-auth.d.ts

@@ -0,0 +1,27 @@
+import type { EventHandlerRequest } from 'h3';
+import type { AuthenticatedH3Event } from '../types/h3.js';
+/**
+ * Wraps an event handler to require authentication.
+ * Throws 401 if no valid token is present, 403 if user lacks required role.
+ *
+ * This utility works in two modes:
+ * 1. If application-auth middleware has already verified the token, reuses that context
+ * 2. If middleware is skipped (skipServerMiddleware: true), performs JWT verification
+ *
+ * Use this when you need explicit role-based access control on specific API routes,
+ * or when you've disabled the global server middleware for performance reasons.
+ *
+ * @example
+ * export default requireAuth(async (event) => {
+ *   const token = event.context.auth.token
+ *   return { data: 'protected' }
+ * })
+ *
+ * @example With roles
+ * export default requireAuth(async (event) => {
+ *   return { data: 'admin only' }
+ * }, { roles: ['admin'] })
+ */
+export declare function requireAuth<T>(handler: (event: AuthenticatedH3Event) => T | Promise<T>, options?: {
+    roles?: string[];
+}): import("h3").EventHandler<EventHandlerRequest, any>;

package/dist/runtime/server/utils/require-auth.js

@@ -0,0 +1,69 @@
+import { useRuntimeConfig } from "#build/types/nitro-imports";
+import { createError, defineEventHandler, getCookie } from "h3";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+export function requireAuth(handler, options) {
+  return defineEventHandler(async (event) => {
+    if (event.context.auth?.user && event.context.auth?.token) {
+      const user = event.context.auth.user;
+      if (options?.roles && !options.roles.includes(user.role ?? "")) {
+        throw createError({
+          statusCode: 403,
+          statusMessage: "Forbidden",
+          message: "User is not authorized to access this resource"
+        });
+      }
+      return handler(event);
+    }
+    const token = getCookie(event, "tela-access-token");
+    const authConfig = useRuntimeConfig(event).public.telaAuth;
+    const { apiUrl, application } = authConfig;
+    const { applicationId } = application ?? {};
+    if (!applicationId) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: "Internal Server Error",
+        message: "Application ID is not configured"
+      });
+    }
+    if (!apiUrl) {
+      throw createError({
+        statusCode: 500,
+        statusMessage: "Internal Server Error",
+        message: "API URL is not configured"
+      });
+    }
+    if (!token) {
+      throw createError({
+        statusCode: 401,
+        statusMessage: "Unauthorized",
+        message: "Authentication required"
+      });
+    }
+    try {
+      const payload = await jwtVerify(token, createRemoteJWKSet(new URL("/.well-known/jwks.json", apiUrl)), {
+        issuer: apiUrl,
+        audience: applicationId,
+        algorithms: ["RS256"]
+      }).then(({ payload: payload2 }) => payload2);
+      const user = payload.user;
+      if (options?.roles && !options.roles.includes(user.role ?? "")) {
+        throw createError({
+          statusCode: 403,
+          statusMessage: "Forbidden",
+          message: "User is not authorized to access this resource"
+        });
+      }
+      event.context.auth = { user: { ...payload.user, email: payload.email }, workspace: payload.workspace, token };
+      return handler(event);
+    } catch (error) {
+      if (error && typeof error === "object" && "statusCode" in error) {
+        throw error;
+      }
+      throw createError({
+        statusCode: 401,
+        statusMessage: "Unauthorized",
+        message: "Invalid or expired token"
+      });
+    }
+  });
+}

package/dist/runtime/shared.d.ts

@@ -1,2 +1 @@
-import { AuthClient } from '@meistrari/auth-core';
-export declare function createNuxtAuthClient(apiUrl: string, getAuthToken: () => string | null, getRefreshToken?: () => string | null): AuthClient;
+export declare function createNuxtAuthClient(apiUrl: string, getAuthToken: () => string | null, getRefreshToken?: () => string | null): any;

package/dist/runtime/types/page-meta.d.ts

@@ -0,0 +1,15 @@
+declare type Roles = 'meistrari:admin' | (string & {})
+declare module '#app' {
+  interface PageMeta {
+    auth?: {
+      required: false
+    } | {
+      required: true
+      roles?: Roles[]
+    }
+  }
+}
+
+// It is always important to ensure you import/export something when augmenting a type
+export { }
+

package/package.json

@@ -1,54 +1,56 @@
 {
-  "name": "@meistrari/auth-nuxt",
-  "version": "1.1.0",
-  "type": "module",
-  "exports": {
-    ".": {
-      "types": "./dist/types.d.mts",
-      "import": "./dist/module.mjs"
+    "name": "@meistrari/auth-nuxt",
+    "version": "2.0.0",
+    "type": "module",
+    "exports": {
+        ".": {
+            "types": "./dist/types.d.mts",
+            "import": "./dist/module.mjs"
+        },
+        "./server/middleware/auth": {
+            "types": "./dist/runtime/server/middleware/auth.d.ts",
+            "import": "./dist/runtime/server/middleware/auth.js"
+        },
+        "./core": {
+            "types": "./dist/core.d.mts",
+            "import": "./dist/core.mjs"
+        }
     },
-    "./server/middleware/auth": {
-      "types": "./dist/runtime/server/middleware/auth.d.ts",
-      "import": "./dist/runtime/server/middleware/auth.js"
+    "main": "./dist/module.mjs",
+    "typesVersions": {
+        "*": {
+            ".": [
+                "./dist/types.d.mts"
+            ]
+        }
     },
-    "./core": {
-      "types": "./dist/core.d.mts",
-      "import": "./dist/core.mjs"
-    }
-  },
-  "main": "./dist/module.mjs",
-  "typesVersions": {
-    "*": {
-      ".": [
-        "./dist/types.d.mts"
-      ]
+    "files": [
+        "dist"
+    ],
+    "scripts": {
+        "build": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt-module-build build"
+    },
+    "dependencies": {
+        "@meistrari/auth-core": "workspace:*",
+        "jose": "6.1.3"
+    },
+    "peerDependencies": {
+        "nuxt": "^3.0.0 || ^4.0.0",
+        "vue": "^3.0.0"
+    },
+    "devDependencies": {
+        "@nuxt/devtools": "2.6.3",
+        "@nuxt/eslint-config": "1.9.0",
+        "@nuxt/kit": "4.0.3",
+        "@nuxt/module-builder": "1.0.2",
+        "@nuxt/schema": "4.0.3",
+        "@nuxt/test-utils": "3.19.2",
+        "@types/node": "latest",
+        "changelogen": "0.6.2",
+        "nuxt": "4.0.3",
+        "typescript": "5.9.2",
+        "unbuild": "3.6.1",
+        "vitest": "3.2.4",
+        "vue-tsc": "3.0.6"
     }
-  },
-  "files": [
-    "dist"
-  ],
-  "scripts": {
-    "build": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt-module-build build"
-  },
-  "dependencies": {
-    "@meistrari/auth-core": "1.6.0"
-  },
-  "peerDependencies": {
-    "nuxt": "^3.0.0 || ^4.0.0"
-  },
-  "devDependencies": {
-    "@nuxt/devtools": "2.6.3",
-    "@nuxt/eslint-config": "1.9.0",
-    "@nuxt/kit": "4.0.3",
-    "@nuxt/module-builder": "1.0.2",
-    "@nuxt/schema": "4.0.3",
-    "@nuxt/test-utils": "3.19.2",
-    "@types/node": "latest",
-    "changelogen": "0.6.2",
-    "nuxt": "4.0.3",
-    "typescript": "5.9.2",
-    "unbuild": "3.6.1",
-    "vitest": "3.2.4",
-    "vue-tsc": "3.0.6"
-  }
 }