npm - @meridianjs/auth - Versions diffs - 0.1.2 → 0.1.4 - Mend

@meridianjs/auth 0.1.2 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -27,6 +27,8 @@ interface JwtPayload {
     sub: string;
     workspaceId: string | null;
     roles: string[];
+    permissions: string[];
+    jti?: string;
     iat?: number;
     exp?: number;
 }
@@ -40,17 +42,17 @@ declare class AuthModuleService extends AuthModuleService_base {
     login(input: LoginInput): Promise<AuthResult>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
+    /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
+    private resolvePermissions;
     private signToken;
 }
 /**
  * Express middleware that validates a Bearer JWT on every request.
  *
- * On success, populates req.user = { id, workspaceId, roles } and calls next().
+ * On success, populates req.user = { id, workspaceId, roles, permissions, jti } and calls next().
+ * Also validates the session against the DB (stateful revocation support).
  * On failure, responds 401 Unauthorized.
- *
- * Reads jwtSecret from req.scope (the request-scoped DI container that is
- * attached by the framework before any middleware runs).
  */
 declare function authenticateJWT(req: any, res: Response, next: NextFunction): void;
@@ -64,6 +66,19 @@ declare function authenticateJWT(req: any, res: Response, next: NextFunction): v
  * { matcher: "/admin/settings", middlewares: [authenticateJWT, requireRoles("admin")] }
  */
 declare function requireRoles(...roles: string[]): (req: any, res: Response, next: NextFunction) => void;
+/**
+ * Permission guard — allows the request if `req.user.roles` includes "super-admin"
+ * (full bypass) or if `req.user.permissions` contains at least one of the listed
+ * permissions.
+ *
+ * Must be used after `authenticateJWT` so that `req.user` is populated.
+ *
+ * @example
+ * export const POST = async (req, res) => {
+ *   requirePermission("project:create")(req, res, async () => { ... })
+ * }
+ */
+declare function requirePermission(...permissions: string[]): (req: any, res: Response, next: NextFunction) => void;
 /**
  * Workspace isolation guard — rejects requests where the `workspace_id` query
  * param or body field does not match the authenticated user's workspace.
@@ -78,4 +93,4 @@ declare function requireWorkspace(req: any, res: Response, next: NextFunction):
 declare const AUTH_MODULE = "authModuleService";
 declare const _default: _meridianjs_types.ModuleDefinition;
-export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requireRoles, requireWorkspace };
+export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requirePermission, requireRoles, requireWorkspace };

package/dist/index.d.ts CHANGED Viewed

@@ -27,6 +27,8 @@ interface JwtPayload {
     sub: string;
     workspaceId: string | null;
     roles: string[];
+    permissions: string[];
+    jti?: string;
     iat?: number;
     exp?: number;
 }
@@ -40,17 +42,17 @@ declare class AuthModuleService extends AuthModuleService_base {
     login(input: LoginInput): Promise<AuthResult>;
     /** Verify a JWT and return its decoded payload. Throws if invalid or expired. */
     verifyToken(token: string, secret: string): JwtPayload;
+    /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
+    private resolvePermissions;
     private signToken;
 }
 /**
  * Express middleware that validates a Bearer JWT on every request.
  *
- * On success, populates req.user = { id, workspaceId, roles } and calls next().
+ * On success, populates req.user = { id, workspaceId, roles, permissions, jti } and calls next().
+ * Also validates the session against the DB (stateful revocation support).
  * On failure, responds 401 Unauthorized.
- *
- * Reads jwtSecret from req.scope (the request-scoped DI container that is
- * attached by the framework before any middleware runs).
  */
 declare function authenticateJWT(req: any, res: Response, next: NextFunction): void;
@@ -64,6 +66,19 @@ declare function authenticateJWT(req: any, res: Response, next: NextFunction): v
  * { matcher: "/admin/settings", middlewares: [authenticateJWT, requireRoles("admin")] }
  */
 declare function requireRoles(...roles: string[]): (req: any, res: Response, next: NextFunction) => void;
+/**
+ * Permission guard — allows the request if `req.user.roles` includes "super-admin"
+ * (full bypass) or if `req.user.permissions` contains at least one of the listed
+ * permissions.
+ *
+ * Must be used after `authenticateJWT` so that `req.user` is populated.
+ *
+ * @example
+ * export const POST = async (req, res) => {
+ *   requirePermission("project:create")(req, res, async () => { ... })
+ * }
+ */
+declare function requirePermission(...permissions: string[]): (req: any, res: Response, next: NextFunction) => void;
 /**
  * Workspace isolation guard — rejects requests where the `workspace_id` query
  * param or body field does not match the authenticated user's workspace.
@@ -78,4 +93,4 @@ declare function requireWorkspace(req: any, res: Response, next: NextFunction):
 declare const AUTH_MODULE = "authModuleService";
 declare const _default: _meridianjs_types.ModuleDefinition;
-export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requireRoles, requireWorkspace };
+export { AUTH_MODULE, AuthModuleService, type AuthResult, type JwtPayload, type LoginInput, type RegisterInput, authenticateJWT, _default as default, requirePermission, requireRoles, requireWorkspace };

package/dist/index.js CHANGED Viewed

@@ -34,6 +34,7 @@ __export(index_exports, {
   AuthModuleService: () => AuthModuleService,
   authenticateJWT: () => authenticateJWT,
   default: () => index_default,
+  requirePermission: () => requirePermission,
   requireRoles: () => requireRoles,
   requireWorkspace: () => requireWorkspace
 });
@@ -44,8 +45,10 @@ var import_framework_utils2 = require("@meridianjs/framework-utils");
 var import_framework_utils = require("@meridianjs/framework-utils");
 var import_bcrypt = __toESM(require("bcrypt"));
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var import_crypto = require("crypto");
 var BCRYPT_ROUNDS = 12;
 var JWT_EXPIRES_IN = "7d";
+var JWT_EXPIRES_MS = 7 * 24 * 60 * 60 * 1e3;
 var AuthModuleService = class extends (0, import_framework_utils.MeridianService)({}) {
   container;
   constructor(container) {
@@ -74,7 +77,10 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
       role,
       is_active: true
     });
-    const token = this.signToken(user.id, null, [user.role], config.projectConfig.jwtSecret);
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(user.id, null, [user.role], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, user.id, expiresAt).catch(() => {
+    });
     return {
       user: {
         id: user.id,
@@ -102,7 +108,10 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
     }
     await userService.recordLogin(user.id).catch(() => {
     });
-    const token = this.signToken(user.id, null, [user.role ?? "member"], config.projectConfig.jwtSecret);
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(user.id, null, [user.role ?? "member"], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, user.id, expiresAt).catch(() => {
+    });
     return {
       user: {
         id: user.id,
@@ -117,10 +126,23 @@ var AuthModuleService = class extends (0, import_framework_utils.MeridianService
   verifyToken(token, secret) {
     return import_jsonwebtoken.default.verify(token, secret);
   }
-  signToken(userId, workspaceId, roles, secret) {
-    return import_jsonwebtoken.default.sign({ sub: userId, workspaceId, roles }, secret, {
+  /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
+  async resolvePermissions(appRoleId) {
+    if (!appRoleId) return [];
+    try {
+      const appRoleService = this.container.resolve("appRoleModuleService");
+      return await appRoleService.getPermissionsForRole(appRoleId);
+    } catch {
+      return [];
+    }
+  }
+  signToken(userId, workspaceId, roles, permissions, secret) {
+    const jti = (0, import_crypto.randomUUID)();
+    const expiresAt = new Date(Date.now() + JWT_EXPIRES_MS);
+    const token = import_jsonwebtoken.default.sign({ sub: userId, workspaceId, roles, permissions, jti }, secret, {
       expiresIn: JWT_EXPIRES_IN
     });
+    return { token, jti, expiresAt };
   }
 };
@@ -133,25 +155,42 @@ function authenticateJWT(req, res, next) {
     res.status(401).json({ error: { message: "Unauthorized \u2014 Bearer token required" } });
     return;
   }
-  let config;
-  try {
-    const scope = req.scope;
-    config = scope.resolve("config");
-  } catch {
-    res.status(500).json({ error: { message: "Server misconfiguration" } });
-    return;
-  }
-  try {
-    const payload = import_jsonwebtoken2.default.verify(token, config.projectConfig.jwtSecret);
-    req.user = {
-      id: payload.sub,
-      workspaceId: payload.workspaceId ?? null,
-      roles: Array.isArray(payload.roles) ? payload.roles : []
-    };
-    next();
-  } catch {
-    res.status(401).json({ error: { message: "Invalid or expired token" } });
-  }
+  ;
+  (async () => {
+    let config;
+    try {
+      const scope = req.scope;
+      config = scope.resolve("config");
+    } catch {
+      res.status(500).json({ error: { message: "Server misconfiguration" } });
+      return;
+    }
+    try {
+      const payload = import_jsonwebtoken2.default.verify(token, config.projectConfig.jwtSecret);
+      if (payload.jti) {
+        try {
+          const scope = req.scope;
+          const userService = scope.resolve("userModuleService");
+          const valid = await userService.isSessionValid(payload.jti);
+          if (!valid) {
+            res.status(401).json({ error: { message: "Session revoked or expired" } });
+            return;
+          }
+        } catch {
+        }
+      }
+      req.user = {
+        id: payload.sub,
+        workspaceId: payload.workspaceId ?? null,
+        roles: Array.isArray(payload.roles) ? payload.roles : [],
+        permissions: Array.isArray(payload.permissions) ? payload.permissions : [],
+        jti: payload.jti ?? null
+      };
+      next();
+    } catch {
+      res.status(401).json({ error: { message: "Invalid or expired token" } });
+    }
+  })();
 }
 // src/guards.ts
@@ -162,6 +201,15 @@ function requireRoles(...roles) {
     res.status(403).json({ error: { message: "Forbidden" } });
   };
 }
+function requirePermission(...permissions) {
+  return (req, res, next) => {
+    const userRoles = req.user?.roles ?? [];
+    if (userRoles.includes("super-admin")) return next();
+    const userPermissions = req.user?.permissions ?? [];
+    if (permissions.some((p) => userPermissions.includes(p))) return next();
+    res.status(403).json({ error: { message: "Forbidden \u2014 insufficient permissions" } });
+  };
+}
 function requireWorkspace(req, res, next) {
   const workspaceId = req.query?.workspace_id ?? req.body?.workspace_id;
   if (workspaceId && req.user?.workspaceId && req.user.workspaceId !== workspaceId) {
@@ -180,6 +228,7 @@ var index_default = (0, import_framework_utils2.Module)(AUTH_MODULE, {
   AUTH_MODULE,
   AuthModuleService,
   authenticateJWT,
+  requirePermission,
   requireRoles,
   requireWorkspace
 });

package/dist/index.mjs CHANGED Viewed

@@ -5,8 +5,10 @@ import { Module } from "@meridianjs/framework-utils";
 import { MeridianService } from "@meridianjs/framework-utils";
 import bcrypt from "bcrypt";
 import jwt from "jsonwebtoken";
+import { randomUUID } from "crypto";
 var BCRYPT_ROUNDS = 12;
 var JWT_EXPIRES_IN = "7d";
+var JWT_EXPIRES_MS = 7 * 24 * 60 * 60 * 1e3;
 var AuthModuleService = class extends MeridianService({}) {
   container;
   constructor(container) {
@@ -35,7 +37,10 @@ var AuthModuleService = class extends MeridianService({}) {
       role,
       is_active: true
     });
-    const token = this.signToken(user.id, null, [user.role], config.projectConfig.jwtSecret);
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(user.id, null, [user.role], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, user.id, expiresAt).catch(() => {
+    });
     return {
       user: {
         id: user.id,
@@ -63,7 +68,10 @@ var AuthModuleService = class extends MeridianService({}) {
     }
     await userService.recordLogin(user.id).catch(() => {
     });
-    const token = this.signToken(user.id, null, [user.role ?? "member"], config.projectConfig.jwtSecret);
+    const permissions = await this.resolvePermissions(user.app_role_id);
+    const { token, jti, expiresAt } = this.signToken(user.id, null, [user.role ?? "member"], permissions, config.projectConfig.jwtSecret);
+    await userService.createSession(jti, user.id, expiresAt).catch(() => {
+    });
     return {
       user: {
         id: user.id,
@@ -78,10 +86,23 @@ var AuthModuleService = class extends MeridianService({}) {
   verifyToken(token, secret) {
     return jwt.verify(token, secret);
   }
-  signToken(userId, workspaceId, roles, secret) {
-    return jwt.sign({ sub: userId, workspaceId, roles }, secret, {
+  /** Resolve permissions for a given app_role_id — gracefully degrades if module not loaded. */
+  async resolvePermissions(appRoleId) {
+    if (!appRoleId) return [];
+    try {
+      const appRoleService = this.container.resolve("appRoleModuleService");
+      return await appRoleService.getPermissionsForRole(appRoleId);
+    } catch {
+      return [];
+    }
+  }
+  signToken(userId, workspaceId, roles, permissions, secret) {
+    const jti = randomUUID();
+    const expiresAt = new Date(Date.now() + JWT_EXPIRES_MS);
+    const token = jwt.sign({ sub: userId, workspaceId, roles, permissions, jti }, secret, {
       expiresIn: JWT_EXPIRES_IN
     });
+    return { token, jti, expiresAt };
   }
 };
@@ -94,25 +115,42 @@ function authenticateJWT(req, res, next) {
     res.status(401).json({ error: { message: "Unauthorized \u2014 Bearer token required" } });
     return;
   }
-  let config;
-  try {
-    const scope = req.scope;
-    config = scope.resolve("config");
-  } catch {
-    res.status(500).json({ error: { message: "Server misconfiguration" } });
-    return;
-  }
-  try {
-    const payload = jwt2.verify(token, config.projectConfig.jwtSecret);
-    req.user = {
-      id: payload.sub,
-      workspaceId: payload.workspaceId ?? null,
-      roles: Array.isArray(payload.roles) ? payload.roles : []
-    };
-    next();
-  } catch {
-    res.status(401).json({ error: { message: "Invalid or expired token" } });
-  }
+  ;
+  (async () => {
+    let config;
+    try {
+      const scope = req.scope;
+      config = scope.resolve("config");
+    } catch {
+      res.status(500).json({ error: { message: "Server misconfiguration" } });
+      return;
+    }
+    try {
+      const payload = jwt2.verify(token, config.projectConfig.jwtSecret);
+      if (payload.jti) {
+        try {
+          const scope = req.scope;
+          const userService = scope.resolve("userModuleService");
+          const valid = await userService.isSessionValid(payload.jti);
+          if (!valid) {
+            res.status(401).json({ error: { message: "Session revoked or expired" } });
+            return;
+          }
+        } catch {
+        }
+      }
+      req.user = {
+        id: payload.sub,
+        workspaceId: payload.workspaceId ?? null,
+        roles: Array.isArray(payload.roles) ? payload.roles : [],
+        permissions: Array.isArray(payload.permissions) ? payload.permissions : [],
+        jti: payload.jti ?? null
+      };
+      next();
+    } catch {
+      res.status(401).json({ error: { message: "Invalid or expired token" } });
+    }
+  })();
 }
 // src/guards.ts
@@ -123,6 +161,15 @@ function requireRoles(...roles) {
     res.status(403).json({ error: { message: "Forbidden" } });
   };
 }
+function requirePermission(...permissions) {
+  return (req, res, next) => {
+    const userRoles = req.user?.roles ?? [];
+    if (userRoles.includes("super-admin")) return next();
+    const userPermissions = req.user?.permissions ?? [];
+    if (permissions.some((p) => userPermissions.includes(p))) return next();
+    res.status(403).json({ error: { message: "Forbidden \u2014 insufficient permissions" } });
+  };
+}
 function requireWorkspace(req, res, next) {
   const workspaceId = req.query?.workspace_id ?? req.body?.workspace_id;
   if (workspaceId && req.user?.workspaceId && req.user.workspaceId !== workspaceId) {
@@ -141,6 +188,7 @@ export {
   AuthModuleService,
   authenticateJWT,
   index_default as default,
+  requirePermission,
   requireRoles,
   requireWorkspace
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@meridianjs/auth",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Meridian auth module — JWT authentication and middleware",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",