@meridianjs/auth 0.1.0

package/dist/index.d.mts

@@ -0,0 +1,79 @@
+import * as _meridianjs_types from '@meridianjs/types';
+import { MeridianContainer } from '@meridianjs/types';
+import { Response, NextFunction } from 'express';
+
+interface RegisterInput {
+    email: string;
+    password: string;
+    first_name?: string;
+    last_name?: string;
+}
+interface LoginInput {
+    email: string;
+    password: string;
+}
+interface AuthResult {
+    user: {
+        id: string;
+        email: string;
+        first_name: string | null;
+        last_name: string | null;
+    };
+    token: string;
+}
+interface JwtPayload {
+    sub: string;
+    workspaceId: string | null;
+    roles: string[];
+    iat?: number;
+    exp?: number;
+}
+declare const AuthModuleService_base: new (container: MeridianContainer) => _meridianjs_types.IModuleService;
+declare class AuthModuleService extends AuthModuleService_base {
+    private readonly container;
+    constructor(container: MeridianContainer);
+    /** Register a new user and return a signed JWT. */
+    register(input: RegisterInput): Promise<AuthResult>;
+    /** Authenticate with email + password and return a signed JWT. */
+    login(input: LoginInput): Promise<AuthResult>;
+    /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
+    verifyToken(token: string, secret: string): JwtPayload;
+    private signToken;
+}
+
+/**
+ * Express middleware that validates a Bearer JWT on every request.
+ *
+ * On success, populates req.user = { id, workspaceId, roles } and calls next().
+ * On failure, responds 401 Unauthorized.
+ *
+ * Reads jwtSecret from req.scope (the request-scoped DI container that is
+ * attached by the framework before any middleware runs).
+ */
+declare function authenticateJWT(req: any, res: Response, next: NextFunction): void;
+
+/**
+ * RBAC guard — allows the request only if `req.user.roles` contains at least
+ * one of the specified roles.
+ *
+ * Must be used after `authenticateJWT` so that `req.user` is populated.
+ *
+ * @example
+ * { matcher: "/admin/settings", middlewares: [authenticateJWT, requireRoles("admin")] }
+ */
+declare function requireRoles(...roles: string[]): (req: any, res: Response, next: NextFunction) => void;
+/**
+ * Workspace isolation guard — rejects requests where the `workspace_id` query
+ * param or body field does not match the authenticated user's workspace.
+ *
+ * Allows the request through when no `workspace_id` is present (so general
+ * listing endpoints that omit workspace_id are not blocked).
+ *
+ * Must be used after `authenticateJWT`.
+ */
+declare function requireWorkspace(req: any, res: Response, next: NextFunction): Response<any, Record<string, any>> | undefined;
+
+declare const AUTH_MODULE = "authModuleService";
+declare const _default: _meridianjs_types.ModuleDefinition;
+
+export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requireRoles, requireWorkspace };

package/dist/index.d.ts

@@ -0,0 +1,79 @@
+import * as _meridianjs_types from '@meridianjs/types';
+import { MeridianContainer } from '@meridianjs/types';
+import { Response, NextFunction } from 'express';
+
+interface RegisterInput {
+    email: string;
+    password: string;
+    first_name?: string;
+    last_name?: string;
+}
+interface LoginInput {
+    email: string;
+    password: string;
+}
+interface AuthResult {
+    user: {
+        id: string;
+        email: string;
+        first_name: string | null;
+        last_name: string | null;
+    };
+    token: string;
+}
+interface JwtPayload {
+    sub: string;
+    workspaceId: string | null;
+    roles: string[];
+    iat?: number;
+    exp?: number;
+}
+declare const AuthModuleService_base: new (container: MeridianContainer) => _meridianjs_types.IModuleService;
+declare class AuthModuleService extends AuthModuleService_base {
+    private readonly container;
+    constructor(container: MeridianContainer);
+    /** Register a new user and return a signed JWT. */
+    register(input: RegisterInput): Promise<AuthResult>;
+    /** Authenticate with email + password and return a signed JWT. */
+    login(input: LoginInput): Promise<AuthResult>;
+    /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
+    verifyToken(token: string, secret: string): JwtPayload;
+    private signToken;
+}
+
+/**
+ * Express middleware that validates a Bearer JWT on every request.
+ *
+ * On success, populates req.user = { id, workspaceId, roles } and calls next().
+ * On failure, responds 401 Unauthorized.
+ *
+ * Reads jwtSecret from req.scope (the request-scoped DI container that is
+ * attached by the framework before any middleware runs).
+ */
+declare function authenticateJWT(req: any, res: Response, next: NextFunction): void;
+
+/**
+ * RBAC guard — allows the request only if `req.user.roles` contains at least
+ * one of the specified roles.
+ *
+ * Must be used after `authenticateJWT` so that `req.user` is populated.
+ *
+ * @example
+ * { matcher: "/admin/settings", middlewares: [authenticateJWT, requireRoles("admin")] }
+ */
+declare function requireRoles(...roles: string[]): (req: any, res: Response, next: NextFunction) => void;
+/**
+ * Workspace isolation guard — rejects requests where the `workspace_id` query
+ * param or body field does not match the authenticated user's workspace.
+ *
+ * Allows the request through when no `workspace_id` is present (so general
+ * listing endpoints that omit workspace_id are not blocked).
+ *
+ * Must be used after `authenticateJWT`.
+ */
+declare function requireWorkspace(req: any, res: Response, next: NextFunction): Response<any, Record<string, any>> | undefined;
+
+declare const AUTH_MODULE = "authModuleService";
+declare const _default: _meridianjs_types.ModuleDefinition;
+
+export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requireRoles, requireWorkspace };

package/dist/index.js

@@ -0,0 +1,179 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AUTH_MODULE: () => AUTH_MODULE,
+  AuthModuleService: () => AuthModuleService,
+  authenticateJWT: () => authenticateJWT,
+  default: () => index_default,
+  requireRoles: () => requireRoles,
+  requireWorkspace: () => requireWorkspace
+});
+module.exports = __toCommonJS(index_exports);
+var import_framework_utils2 = require("@meridianjs/framework-utils");
+
+// src/service.ts
+var import_framework_utils = require("@meridianjs/framework-utils");
+var import_bcrypt = __toESM(require("bcrypt"));
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var BCRYPT_ROUNDS = 12;
+var JWT_EXPIRES_IN = "7d";
+var AuthModuleService = class extends (0, import_framework_utils.MeridianService)({}) {
+  container;
+  constructor(container) {
+    super(container);
+    this.container = container;
+  }
+  /** Register a new user and return a signed JWT. */
+  async register(input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const existing = await userService.retrieveUserByEmail(input.email);
+    if (existing) {
+      throw Object.assign(new Error("Email already registered"), { status: 409 });
+    }
+    const password_hash = await import_bcrypt.default.hash(input.password, BCRYPT_ROUNDS);
+    const user = await userService.createUser({
+      email: input.email.toLowerCase().trim(),
+      password_hash,
+      first_name: input.first_name ?? null,
+      last_name: input.last_name ?? null,
+      is_active: true
+    });
+    const token = this.signToken(user.id, null, [], config.projectConfig.jwtSecret);
+    return {
+      user: {
+        id: user.id,
+        email: user.email,
+        first_name: user.first_name ?? null,
+        last_name: user.last_name ?? null
+      },
+      token
+    };
+  }
+  /** Authenticate with email + password and return a signed JWT. */
+  async login(input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const user = await userService.retrieveUserByEmail(input.email.toLowerCase().trim());
+    if (!user) {
+      throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+    }
+    if (!user.is_active) {
+      throw Object.assign(new Error("Account deactivated"), { status: 403 });
+    }
+    const valid = await import_bcrypt.default.compare(input.password, user.password_hash);
+    if (!valid) {
+      throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+    }
+    await userService.recordLogin(user.id).catch(() => {
+    });
+    const token = this.signToken(user.id, null, [], config.projectConfig.jwtSecret);
+    return {
+      user: {
+        id: user.id,
+        email: user.email,
+        first_name: user.first_name ?? null,
+        last_name: user.last_name ?? null
+      },
+      token
+    };
+  }
+  /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
+  verifyToken(token, secret) {
+    return import_jsonwebtoken.default.verify(token, secret);
+  }
+  signToken(userId, workspaceId, roles, secret) {
+    return import_jsonwebtoken.default.sign({ sub: userId, workspaceId, roles }, secret, {
+      expiresIn: JWT_EXPIRES_IN
+    });
+  }
+};
+
+// src/middleware.ts
+var import_jsonwebtoken2 = __toESM(require("jsonwebtoken"));
+function authenticateJWT(req, res, next) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader?.startsWith("Bearer ")) {
+    res.status(401).json({ error: { message: "Unauthorized \u2014 Bearer token required" } });
+    return;
+  }
+  const token = authHeader.substring(7);
+  let config;
+  try {
+    const scope = req.scope;
+    config = scope.resolve("config");
+  } catch {
+    res.status(500).json({ error: { message: "Server misconfiguration" } });
+    return;
+  }
+  try {
+    const payload = import_jsonwebtoken2.default.verify(token, config.projectConfig.jwtSecret);
+    req.user = {
+      id: payload.sub,
+      workspaceId: payload.workspaceId ?? null,
+      roles: Array.isArray(payload.roles) ? payload.roles : []
+    };
+    next();
+  } catch {
+    res.status(401).json({ error: { message: "Invalid or expired token" } });
+  }
+}
+
+// src/guards.ts
+function requireRoles(...roles) {
+  return (req, res, next) => {
+    const userRoles = req.user?.roles ?? [];
+    if (roles.some((r) => userRoles.includes(r))) return next();
+    res.status(403).json({ error: { message: "Forbidden" } });
+  };
+}
+function requireWorkspace(req, res, next) {
+  const workspaceId = req.query?.workspace_id ?? req.body?.workspace_id;
+  if (workspaceId && req.user?.workspaceId && req.user.workspaceId !== workspaceId) {
+    return res.status(403).json({ error: { message: "Forbidden \u2014 wrong workspace" } });
+  }
+  next();
+}
+
+// src/index.ts
+var AUTH_MODULE = "authModuleService";
+var index_default = (0, import_framework_utils2.Module)(AUTH_MODULE, {
+  service: AuthModuleService
+});
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AUTH_MODULE,
+  AuthModuleService,
+  authenticateJWT,
+  requireRoles,
+  requireWorkspace
+});

package/dist/index.mjs

@@ -0,0 +1,140 @@
+// src/index.ts
+import { Module } from "@meridianjs/framework-utils";
+
+// src/service.ts
+import { MeridianService } from "@meridianjs/framework-utils";
+import bcrypt from "bcrypt";
+import jwt from "jsonwebtoken";
+var BCRYPT_ROUNDS = 12;
+var JWT_EXPIRES_IN = "7d";
+var AuthModuleService = class extends MeridianService({}) {
+  container;
+  constructor(container) {
+    super(container);
+    this.container = container;
+  }
+  /** Register a new user and return a signed JWT. */
+  async register(input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const existing = await userService.retrieveUserByEmail(input.email);
+    if (existing) {
+      throw Object.assign(new Error("Email already registered"), { status: 409 });
+    }
+    const password_hash = await bcrypt.hash(input.password, BCRYPT_ROUNDS);
+    const user = await userService.createUser({
+      email: input.email.toLowerCase().trim(),
+      password_hash,
+      first_name: input.first_name ?? null,
+      last_name: input.last_name ?? null,
+      is_active: true
+    });
+    const token = this.signToken(user.id, null, [], config.projectConfig.jwtSecret);
+    return {
+      user: {
+        id: user.id,
+        email: user.email,
+        first_name: user.first_name ?? null,
+        last_name: user.last_name ?? null
+      },
+      token
+    };
+  }
+  /** Authenticate with email + password and return a signed JWT. */
+  async login(input) {
+    const userService = this.container.resolve("userModuleService");
+    const config = this.container.resolve("config");
+    const user = await userService.retrieveUserByEmail(input.email.toLowerCase().trim());
+    if (!user) {
+      throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+    }
+    if (!user.is_active) {
+      throw Object.assign(new Error("Account deactivated"), { status: 403 });
+    }
+    const valid = await bcrypt.compare(input.password, user.password_hash);
+    if (!valid) {
+      throw Object.assign(new Error("Invalid credentials"), { status: 401 });
+    }
+    await userService.recordLogin(user.id).catch(() => {
+    });
+    const token = this.signToken(user.id, null, [], config.projectConfig.jwtSecret);
+    return {
+      user: {
+        id: user.id,
+        email: user.email,
+        first_name: user.first_name ?? null,
+        last_name: user.last_name ?? null
+      },
+      token
+    };
+  }
+  /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
+  verifyToken(token, secret) {
+    return jwt.verify(token, secret);
+  }
+  signToken(userId, workspaceId, roles, secret) {
+    return jwt.sign({ sub: userId, workspaceId, roles }, secret, {
+      expiresIn: JWT_EXPIRES_IN
+    });
+  }
+};
+
+// src/middleware.ts
+import jwt2 from "jsonwebtoken";
+function authenticateJWT(req, res, next) {
+  const authHeader = req.headers.authorization;
+  if (!authHeader?.startsWith("Bearer ")) {
+    res.status(401).json({ error: { message: "Unauthorized \u2014 Bearer token required" } });
+    return;
+  }
+  const token = authHeader.substring(7);
+  let config;
+  try {
+    const scope = req.scope;
+    config = scope.resolve("config");
+  } catch {
+    res.status(500).json({ error: { message: "Server misconfiguration" } });
+    return;
+  }
+  try {
+    const payload = jwt2.verify(token, config.projectConfig.jwtSecret);
+    req.user = {
+      id: payload.sub,
+      workspaceId: payload.workspaceId ?? null,
+      roles: Array.isArray(payload.roles) ? payload.roles : []
+    };
+    next();
+  } catch {
+    res.status(401).json({ error: { message: "Invalid or expired token" } });
+  }
+}
+
+// src/guards.ts
+function requireRoles(...roles) {
+  return (req, res, next) => {
+    const userRoles = req.user?.roles ?? [];
+    if (roles.some((r) => userRoles.includes(r))) return next();
+    res.status(403).json({ error: { message: "Forbidden" } });
+  };
+}
+function requireWorkspace(req, res, next) {
+  const workspaceId = req.query?.workspace_id ?? req.body?.workspace_id;
+  if (workspaceId && req.user?.workspaceId && req.user.workspaceId !== workspaceId) {
+    return res.status(403).json({ error: { message: "Forbidden \u2014 wrong workspace" } });
+  }
+  next();
+}
+
+// src/index.ts
+var AUTH_MODULE = "authModuleService";
+var index_default = Module(AUTH_MODULE, {
+  service: AuthModuleService
+});
+export {
+  AUTH_MODULE,
+  AuthModuleService,
+  authenticateJWT,
+  index_default as default,
+  requireRoles,
+  requireWorkspace
+};

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "@meridianjs/auth",
+  "version": "0.1.0",
+  "description": "Meridian auth module — JWT authentication and middleware",
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.mts",
+        "default": "./dist/index.mjs"
+      },
+      "require": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      }
+    }
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format esm,cjs --dts --clean",
+    "dev": "tsup src/index.ts --format esm,cjs --dts --watch",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist",
+    "prepublishOnly": "npm run build"
+  },
+  "dependencies": {
+    "@meridianjs/types": "^0.1.0",
+    "@meridianjs/framework-utils": "^0.1.0",
+    "jsonwebtoken": "^9.0.2",
+    "bcrypt": "^5.1.1"
+  },
+  "devDependencies": {
+    "@types/jsonwebtoken": "^9.0.7",
+    "@types/bcrypt": "^5.0.2",
+    "@types/express": "^5.0.0",
+    "tsup": "^8.3.5",
+    "typescript": "*"
+  },
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  }
+}