@meridianjs/auth 0.1.10 → 0.1.12

package/dist/index.d.mts

@@ -127,10 +127,11 @@ declare function requireRoles(...roles: string[]): (req: any, res: Response, nex
 declare function requirePermission(...permissions: string[]): (req: any, res: Response, next: NextFunction) => void;
 /**
  * Workspace isolation guard — rejects requests where the `workspace_id` query
- * param or body field does not match the authenticated user's workspace.
+ * param, body field, or URL path param (:id on /workspaces/:id sub-routes)
+ * does not match the authenticated user's workspace.
  *
- * Allows the request through when no `workspace_id` is present (so general
- * listing endpoints that omit workspace_id are not blocked).
+ * Allows the request through when no workspace identifier is present (so
+ * general listing endpoints that omit workspace_id are not blocked).
  *
  * Must be used after `authenticateJWT`.
  */

package/dist/index.d.ts

@@ -127,10 +127,11 @@ declare function requireRoles(...roles: string[]): (req: any, res: Response, nex
 declare function requirePermission(...permissions: string[]): (req: any, res: Response, next: NextFunction) => void;
 /**
  * Workspace isolation guard — rejects requests where the `workspace_id` query
- * param or body field does not match the authenticated user's workspace.
+ * param, body field, or URL path param (:id on /workspaces/:id sub-routes)
+ * does not match the authenticated user's workspace.
  *
- * Allows the request through when no `workspace_id` is present (so general
- * listing endpoints that omit workspace_id are not blocked).
+ * Allows the request through when no workspace identifier is present (so
+ * general listing endpoints that omit workspace_id are not blocked).
  *
  * Must be used after `authenticateJWT`.
  */

package/dist/index.js

@@ -248,6 +248,8 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
     const userService = this.container.resolve("userModuleService");
     const password_hash = await import_bcrypt.default.hash(newPassword, BCRYPT_ROUNDS);
     await userService.updateUser(userId, { password_hash, has_password: true });
+    await userService.revokeAllUserSessions(userId).catch(() => {
+    });
   }
   /**
    * Generate a password reset token for the given email.
@@ -343,7 +345,15 @@ function authenticateJWT(req, res, next) {
             res.status(401).json({ error: { message: "Session revoked or expired" } });
             return;
           }
-        } catch {
+        } catch (sessionErr) {
+          try {
+            const scope = req.scope;
+            const logger = scope.resolve("logger");
+            logger.warn(`[auth] jti session check failed: ${sessionErr instanceof Error ? sessionErr.message : String(sessionErr)}`);
+          } catch {
+          }
+          res.status(401).json({ error: { message: "Session validation unavailable" } });
+          return;
         }
       }
       req.user = {
@@ -378,8 +388,11 @@ function requirePermission(...permissions) {
   };
 }
 function requireWorkspace(req, res, next) {
-  const workspaceId = req.query?.workspace_id ?? req.body?.workspace_id;
-  if (workspaceId && req.user?.workspaceId && req.user.workspaceId !== workspaceId) {
+  const queryOrBodyId = req.query?.workspace_id ?? req.body?.workspace_id;
+  const isWorkspacePath = /\/workspaces\/[^/]/.test(req.path ?? req.url ?? "");
+  const paramId = isWorkspacePath ? req.params?.workspaceId ?? req.params?.id : void 0;
+  const requestedId = queryOrBodyId ?? paramId;
+  if (requestedId && req.user?.workspaceId && req.user.workspaceId !== requestedId) {
     return res.status(403).json({ error: { message: "Forbidden \u2014 wrong workspace" } });
   }
   next();

package/dist/index.mjs

@@ -208,6 +208,8 @@ var AuthModuleService = class extends MeridianService({}) {
     const userService = this.container.resolve("userModuleService");
     const password_hash = await bcrypt.hash(newPassword, BCRYPT_ROUNDS);
     await userService.updateUser(userId, { password_hash, has_password: true });
+    await userService.revokeAllUserSessions(userId).catch(() => {
+    });
   }
   /**
    * Generate a password reset token for the given email.
@@ -303,7 +305,15 @@ function authenticateJWT(req, res, next) {
             res.status(401).json({ error: { message: "Session revoked or expired" } });
             return;
           }
-        } catch {
+        } catch (sessionErr) {
+          try {
+            const scope = req.scope;
+            const logger = scope.resolve("logger");
+            logger.warn(`[auth] jti session check failed: ${sessionErr instanceof Error ? sessionErr.message : String(sessionErr)}`);
+          } catch {
+          }
+          res.status(401).json({ error: { message: "Session validation unavailable" } });
+          return;
         }
       }
       req.user = {
@@ -338,8 +348,11 @@ function requirePermission(...permissions) {
   };
 }
 function requireWorkspace(req, res, next) {
-  const workspaceId = req.query?.workspace_id ?? req.body?.workspace_id;
-  if (workspaceId && req.user?.workspaceId && req.user.workspaceId !== workspaceId) {
+  const queryOrBodyId = req.query?.workspace_id ?? req.body?.workspace_id;
+  const isWorkspacePath = /\/workspaces\/[^/]/.test(req.path ?? req.url ?? "");
+  const paramId = isWorkspacePath ? req.params?.workspaceId ?? req.params?.id : void 0;
+  const requestedId = queryOrBodyId ?? paramId;
+  if (requestedId && req.user?.workspaceId && req.user.workspaceId !== requestedId) {
     return res.status(403).json({ error: { message: "Forbidden \u2014 wrong workspace" } });
   }
   next();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@meridianjs/auth",
-  "version": "0.1.10",
+  "version": "0.1.12",
   "description": "Meridian auth module — JWT authentication and middleware",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",