@meistrari/auth-nuxt 2.0.0 → 2.0.1

package/dist/module.json

@@ -1,7 +1,7 @@
 {
   "name": "@meistrari/auth-nuxt",
   "configKey": "telaAuth",
-  "version": "2.0.0",
+  "version": "1.0.0",
   "builder": {
     "@nuxt/module-builder": "1.0.2",
     "unbuild": "3.6.1"

package/dist/module.mjs

@@ -1,4 +1,4 @@
-import { defineNuxtModule, createResolver, addImports, addPlugin, extendPages, addComponent, addServerImportsDir, addServerHandler } from '@nuxt/kit';
+import { defineNuxtModule, createResolver, addImports, addPlugin, extendPages, addComponent, addRouteMiddleware, addServerImportsDir, addServerHandler } from '@nuxt/kit';
 
 const module$1 = defineNuxtModule({
   meta: {
@@ -39,13 +39,12 @@ const module$1 = defineNuxtModule({
       });
       addPlugin(resolver.resolve("./runtime/plugins/auth-guard"));
       addPlugin(resolver.resolve("./runtime/plugins/directives"));
+      addRouteMiddleware({
+        name: "tela-auth",
+        path: resolver.resolve("./runtime/middleware/require-auth"),
+        global: true
+      });
       addServerImportsDir(resolver.resolve("./runtime/server/utils"));
-      if (!options.skipServerMiddleware) {
-        addServerHandler({
-          route: "",
-          handler: resolver.resolve("./runtime/server/middleware/application-auth")
-        });
-      }
       return;
     }
     if (!options.skipServerMiddleware) {

package/dist/runtime/composables/application-auth.d.ts

@@ -36,6 +36,34 @@ export declare function useTelaApplicationAuth(): {
     login: () => Promise<void>;
     logout: () => Promise<void>;
     initSession: () => Promise<void>;
-    user: import("vue").Ref<any, any>;
-    activeOrganization: import("vue").Ref<Omit<FullOrganization, "members" | "invitations" | "teams"> | null, Omit<FullOrganization, "members" | "invitations" | "teams"> | null>;
+    user: import("vue").Ref<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null, {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null>;
+    activeOrganization: import("vue").Ref<Omit<import("@meistrari/auth-core").FullOrganization, "members" | "invitations" | "teams"> | null, Omit<import("@meistrari/auth-core").FullOrganization, "members" | "invitations" | "teams"> | null>;
 };

package/dist/runtime/composables/state.d.ts

@@ -1,20 +1,101 @@
+import type { FullOrganization, Member } from '@meistrari/auth-core';
 /**
  * Shared state for session management.
  * This module provides access to session-related state without creating circular dependencies.
  */
 export declare function useSessionState(): {
-    user: import("vue").Ref<any, any>;
-    session: import("vue").Ref<any, any>;
+    user: import("vue").Ref<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null, {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null>;
+    session: import("vue").Ref<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+        activeOrganizationId?: string | null | undefined;
+        activeTeamId?: string | null | undefined;
+        impersonatedBy?: string | null | undefined;
+    } | null, {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+        activeOrganizationId?: string | null | undefined;
+        activeTeamId?: string | null | undefined;
+        impersonatedBy?: string | null | undefined;
+    } | null>;
 };
 /**
  * Shared state for organization management.
  * This module provides access to organization-related state without creating circular dependencies.
  */
 export declare function useOrganizationState(): {
-    activeOrganization: import("vue").Ref<any, any>;
-    activeMember: import("vue").Ref<any, any>;
+    activeOrganization: import("vue").Ref<FullOrganization | null, FullOrganization | null>;
+    activeMember: import("vue").Ref<Member | null, Member | null>;
 };
 export declare function useApplicationSessionState(): {
-    user: import("vue").Ref<any, any>;
+    user: import("vue").Ref<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null, {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+        twoFactorEnabled: boolean | null | undefined;
+        banned: boolean | null | undefined;
+        role?: string | null | undefined;
+        banReason?: string | null | undefined;
+        banExpires?: Date | null | undefined;
+        lastActiveAt?: Date | null | undefined;
+    } | null>;
     activeOrganization: import("vue").Ref<Omit<FullOrganization, "members" | "invitations" | "teams"> | null, Omit<FullOrganization, "members" | "invitations" | "teams"> | null>;
 };

package/dist/runtime/middleware/require-auth.d.ts

@@ -0,0 +1,2 @@
+declare const _default: import("#app").RouteMiddleware;
+export default _default;

package/dist/runtime/middleware/require-auth.js

@@ -0,0 +1,42 @@
+import { defineNuxtRouteMiddleware, navigateTo, useCookie, useRuntimeConfig } from "#app";
+import { createRemoteJWKSet, jwtVerify } from "jose";
+export default defineNuxtRouteMiddleware(async (to) => {
+  const authMeta = to.meta?.auth;
+  if (!authMeta || authMeta.required !== true) {
+    return;
+  }
+  const config = useRuntimeConfig();
+  const authConfig = config.public.telaAuth;
+  const { apiUrl, application } = authConfig;
+  const { applicationId, loginPath = "/login", unauthorizedPath = "/unauthorized" } = application ?? {};
+  const token = useCookie("tela-access-token");
+  if (!token.value) {
+    return navigateTo(loginPath);
+  }
+  if (!applicationId || !apiUrl) {
+    console.error("Application ID or API URL is not configured");
+    return;
+  }
+  try {
+    const { payload } = await jwtVerify(
+      token.value,
+      createRemoteJWKSet(new URL("/.well-known/jwks.json", apiUrl)),
+      {
+        issuer: apiUrl,
+        audience: applicationId,
+        algorithms: ["RS256"]
+      }
+    );
+    const tokenPayload = payload;
+    const user = tokenPayload.user;
+    if (authMeta.roles && authMeta.roles.length > 0) {
+      const userRole = user.role ?? "";
+      if (!authMeta.roles.includes(userRole)) {
+        return navigateTo(unauthorizedPath);
+      }
+    }
+  } catch (error) {
+    console.error("Token validation failed:", error);
+    return navigateTo(loginPath);
+  }
+});

package/dist/runtime/pages/callback.vue

@@ -1,22 +1,11 @@
 <script setup>
-import { navigateTo, useRuntimeConfig } from "#app";
+import { navigateTo } from "#app";
 import { onMounted } from "vue";
 import { useTelaApplicationAuth } from "../composables/application-auth";
 const { initSession } = useTelaApplicationAuth();
-const config = useRuntimeConfig();
-const authConfig = config.public.telaAuth;
-const loginPath = authConfig.application?.loginPath ?? "/login";
 onMounted(async () => {
-  try {
-    await initSession();
-    navigateTo("/");
-  } catch (error) {
-    console.error("Session initialization failed:", error);
-    navigateTo({
-      path: loginPath,
-      query: { error: "session_failed" }
-    });
-  }
+  await initSession();
+  navigateTo("/");
 });
 </script>
 

package/dist/runtime/plugins/auth-guard.d.ts

@@ -1,22 +1,2 @@
-/**
- * Client-side authentication guard plugin
- *
- * This plugin provides UX-level route protection by checking JWT tokens client-side
- * and redirecting users before they navigate to protected routes. This creates a smooth
- * user experience by avoiding unnecessary page loads.
- *
- * SECURITY NOTE: This is NOT the primary security layer. The client-side JWT decoding
- * is for UX purposes only. Actual cryptographic verification happens server-side in:
- * - application-auth.ts: Server middleware that verifies JWTs for all /api routes
- * - require-auth.ts: Server utility for protecting individual API route handlers
- *
- * An attacker could bypass this client-side check, but they cannot bypass the server-side
- * verification which cryptographically validates the JWT signature using JWKS.
- *
- * This follows a defense-in-depth approach:
- * 1. Client-side (this file): Fast UX-level routing decisions
- * 2. Server middleware: Automatic JWT verification for all API routes
- * 3. Route handlers: Explicit role checks in sensitive endpoints
- */
 declare const _default: import("#app").Plugin<Record<string, unknown>> & import("#app").ObjectPlugin<Record<string, unknown>>;
 export default _default;

package/dist/runtime/plugins/directives.js

@@ -23,7 +23,7 @@ export default defineNuxtPlugin((nuxtApp) => {
       const isComment = el.nodeType === 8;
       if (shouldRender && isComment) {
         const originalElement = el.__vIfRoleElement;
-        if (originalElement && originalElement.parentNode === null) {
+        if (originalElement) {
           el.parentNode?.replaceChild(originalElement, el);
         }
       } else if (!shouldRender && !isComment) {
@@ -31,11 +31,6 @@ export default defineNuxtPlugin((nuxtApp) => {
         el.parentNode?.replaceChild(comment, el);
         comment.__vIfRoleElement = el;
       }
-    },
-    unmounted(el) {
-      if (el.nodeType === 8) {
-        delete el.__vIfRoleElement;
-      }
     }
   });
   nuxtApp.vueApp.directive("show-role", {

package/dist/runtime/server/utils/require-auth.d.ts

@@ -2,14 +2,7 @@ import type { EventHandlerRequest } from 'h3';
 import type { AuthenticatedH3Event } from '../types/h3.js';
 /**
  * Wraps an event handler to require authentication.
- * Throws 401 if no valid token is present, 403 if user lacks required role.
- *
- * This utility works in two modes:
- * 1. If application-auth middleware has already verified the token, reuses that context
- * 2. If middleware is skipped (skipServerMiddleware: true), performs JWT verification
- *
- * Use this when you need explicit role-based access control on specific API routes,
- * or when you've disabled the global server middleware for performance reasons.
+ * Throws 401 if no valid token is present.
  *
  * @example
  * export default requireAuth(async (event) => {
@@ -19,6 +12,7 @@ import type { AuthenticatedH3Event } from '../types/h3.js';
  *
  * @example With roles
  * export default requireAuth(async (event) => {
+ *   // TODO: Validate roles from token
  *   return { data: 'admin only' }
  * }, { roles: ['admin'] })
  */

package/dist/runtime/server/utils/require-auth.js

@@ -3,17 +3,6 @@ import { createError, defineEventHandler, getCookie } from "h3";
 import { createRemoteJWKSet, jwtVerify } from "jose";
 export function requireAuth(handler, options) {
   return defineEventHandler(async (event) => {
-    if (event.context.auth?.user && event.context.auth?.token) {
-      const user = event.context.auth.user;
-      if (options?.roles && !options.roles.includes(user.role ?? "")) {
-        throw createError({
-          statusCode: 403,
-          statusMessage: "Forbidden",
-          message: "User is not authorized to access this resource"
-        });
-      }
-      return handler(event);
-    }
     const token = getCookie(event, "tela-access-token");
     const authConfig = useRuntimeConfig(event).public.telaAuth;
     const { apiUrl, application } = authConfig;
@@ -39,31 +28,23 @@ export function requireAuth(handler, options) {
         message: "Authentication required"
       });
     }
-    try {
-      const payload = await jwtVerify(token, createRemoteJWKSet(new URL("/.well-known/jwks.json", apiUrl)), {
-        issuer: apiUrl,
-        audience: applicationId,
-        algorithms: ["RS256"]
-      }).then(({ payload: payload2 }) => payload2);
-      const user = payload.user;
-      if (options?.roles && !options.roles.includes(user.role ?? "")) {
-        throw createError({
-          statusCode: 403,
-          statusMessage: "Forbidden",
-          message: "User is not authorized to access this resource"
-        });
-      }
-      event.context.auth = { user: { ...payload.user, email: payload.email }, workspace: payload.workspace, token };
-      return handler(event);
-    } catch (error) {
-      if (error && typeof error === "object" && "statusCode" in error) {
-        throw error;
-      }
+    const payload = await jwtVerify(token, createRemoteJWKSet(new URL("/.well-known/jwks.json", apiUrl)), {
+      issuer: apiUrl,
+      audience: applicationId,
+      algorithms: ["RS256"]
+    }).then(({ payload: payload2 }) => payload2);
+    const user = payload.user;
+    if (options?.roles && !options.roles.includes(user.role ?? "")) {
       throw createError({
-        statusCode: 401,
-        statusMessage: "Unauthorized",
-        message: "Invalid or expired token"
+        statusCode: 403,
+        statusMessage: "Forbidden",
+        message: "User is not authorized to access this resource"
       });
     }
+    if (!event.context.auth) {
+      event.context.auth = { user: { ...payload.user, email: payload.email }, workspace: payload.workspace, token };
+    }
+    event.context.auth.token = token;
+    return handler(event);
   });
 }

package/dist/runtime/shared.d.ts

@@ -1 +1,2 @@
-export declare function createNuxtAuthClient(apiUrl: string, getAuthToken: () => string | null, getRefreshToken?: () => string | null): any;
+import { AuthClient } from '@meistrari/auth-core';
+export declare function createNuxtAuthClient(apiUrl: string, getAuthToken: () => string | null, getRefreshToken?: () => string | null): AuthClient;

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@meistrari/auth-nuxt",
-    "version": "2.0.0",
+    "version": "2.0.1",
     "type": "module",
     "exports": {
         ".": {
@@ -31,7 +31,7 @@
         "build": "nuxt-module-build build --stub && nuxt-module-build prepare && nuxt-module-build build"
     },
     "dependencies": {
-        "@meistrari/auth-core": "workspace:*",
+        "@meistrari/auth-core": "1.4.0",
         "jose": "6.1.3"
     },
     "peerDependencies": {

package/dist/runtime/server/middleware/application-auth.d.ts

@@ -1,4 +0,0 @@
-import type { AuthenticatedH3Event } from '../types/h3.js';
-export declare function meistrariApplicationAuthMiddleware(callback: (event: AuthenticatedH3Event) => void | Promise<void>): import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
-declare const _default: import("h3").EventHandler<import("h3").EventHandlerRequest, Promise<void>>;
-export default _default;

package/dist/runtime/server/middleware/application-auth.js

@@ -1,49 +0,0 @@
-import { useRuntimeConfig } from "#build/types/nitro-imports";
-import { defineEventHandler, getCookie } from "h3";
-import { createRemoteJWKSet, jwtVerify } from "jose";
-async function setApplicationAuthContext(event) {
-  event.context.auth = {
-    user: null,
-    workspace: null,
-    token: null
-  };
-  const token = getCookie(event, "tela-access-token");
-  if (!token) {
-    return;
-  }
-  const authConfig = useRuntimeConfig(event).public.telaAuth;
-  const { apiUrl, application } = authConfig;
-  const { applicationId } = application ?? {};
-  if (!applicationId || !apiUrl) {
-    return;
-  }
-  try {
-    const payload = await jwtVerify(
-      token,
-      createRemoteJWKSet(new URL("/.well-known/jwks.json", apiUrl)),
-      {
-        issuer: apiUrl,
-        audience: applicationId,
-        algorithms: ["RS256"]
-      }
-    ).then(({ payload: payload2 }) => payload2);
-    event.context.auth = {
-      user: { ...payload.user, email: payload.email },
-      workspace: payload.workspace,
-      token
-    };
-  } catch {
-  }
-}
-export function meistrariApplicationAuthMiddleware(callback) {
-  return defineEventHandler(async (event) => {
-    await setApplicationAuthContext(event);
-    await callback(event);
-  });
-}
-export default defineEventHandler(async (event) => {
-  if (!event.path.startsWith("/api")) {
-    return;
-  }
-  await setApplicationAuthContext(event);
-});